The hosting venue has changed to serve you better.
On the recommendation of my good friend Darryl, I’ve added some things to my AAD Connect permissions tool:
I have created a more detailed example of how to do this here: https://bhr.62e.myftpupload.com/2018/09/14/fixing-office-365-anonymous-group-write-back-and-external-delivery/
Office 365 Groups are glorious creations. There are, however, some instances where they don’t work as you anticipate (or hope). One of those scenarios is when you are configured in hybrid coexistence with the following scenario:
In this scenario, external emails sent to Office 365 groups (via your organization’s MX record pointing on-premises) will be returned with one of our favorite NDRs:
“You do not have permission to send to this recipient.”… [ Continue reading ]
Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:
These two updates should allow for a more complete AAD Connect permissions delegation experience. … [ Continue reading ]
This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:
Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to Never Expire.… [ Continue reading ]
Updated with additional requirements and scenarios, 2017-10-26.
I recently worked with a customer that needed assistance in configuring the additional permissions required for AAD Connect delegation. After chasing down an incredible number of prerequisite information, I decided it would be more helpful to my customer to put together a tool that would help them configure the various permissions delegations.… [ Continue reading ]
From time to time, you may find that you need to selectively filter out users going to Office 365. The easiest way to do it is with a scoping filter. We do have some documents on setting the cloudFiltered attribute in the metaverse to True, but that requires creating new rules. … [ Continue reading ]
This afternoon, I ran into a customer with a very interesting configuration–a 300-user department with 15 domain controllers spread among 6 sites.
Which, given our guidance in the past didn’t seem that out of line (redundant domain controllers at each site to process logons).… [ Continue reading ]
This afternoon, while configuring AAD Connect for a customer, I ran into a new error when I clicked Install at the end of the installation wizard:
An error occurred executing Configure AAD Sync task: Unexpected exception thrown. Action: PingProvisioningServiceEndPoint, Exception: An error occurred.… [ Continue reading ]
For those of you that have embarked upon the trek to Office 365, you’ve undoubtedly run (or at least heard of) IDFix. It detects and fixes a number of conditions that will cause the directory sync to report errors.
Today, I want to focus on a tool I wrote for a customer almost 2 years ago that addresses conditions not yet identified or remedied by IDFix. … [ Continue reading ]
* UPDATE* After doing this originally, I decided to take a different route and write it back to the on-premises AD, so that way, the objects are synchronous. This post now reflects the updated content.
A few weeks ago, I had an issue where I needed to remove a proxy address from the proxyAddresses array of a user being synchronized to Office 365. … [ Continue reading ]
So, a million years and tens of thousands of lines of code ago, I wrote a script for a customer to populate the Office 365 UsageLocation property (Set-MsolUser -UsageLocation) with the ISO country codes from Active Directory. In Office 365, UsageLocation is used to determine what features are available to your users.… [ Continue reading ]
I had an interesting request from a customer the other day where they were synchronizing Active Directory into two disparate environments–Office 365 and another hosted Exchange environment. In their new Office 365 environment, they didn’t want any address proxies matching a particular pattern to be part of a user’s proxyAddress array–BUT–they also didn’t want to remove them from their on-premises accounts since they are being used by their other hosting environment as an application routing address.… [ Continue reading ]
While troubleshooting a Password Hash Sync issue with a customer, I found myself needing to trigger a full password hash sync for various connectors. Password Hash Sync is a separate process from the AADSync process. It’s not a difficult process, but becomes time consuming (especially if you have a lot of connectors from which to choose).… [ Continue reading ]
A few years ago, we released “DirSync with Password Hash Synchronization,” and it was kind of an all-or-nothing choice. You could either have a synchronized account database with synchronized password hashes (so users would authenticate in the cloud), or a federated environment. … [ Continue reading ]