How to administer AzureAD, O365 and Skype for Business using PowerShell and Multi-Factor Authentication

Previously, support for MFA in O365/AzureAD/Skype/SharePoint was limited to the Office applications that supported it and to browser-based administration of O365/Azure.

This changes with version 1.1 of the Azure AD PowerShell module, released earlier this month, which adds support for MFA.


The steps to enable it are as follows:

  1. Enable MFA on the various tenants ()
  2. Download the latest Azure AD PowerShell modules that provide support for MFA (v1.1, released 15 August 2016)
  3. Make sure you have the correct mobile phone number, alternate email and/or authenticator app installed (you typically want to have more than one MFA option available)
  4. Enable MFA on the user you want to protect with MFA
  5. Instruct the user to go to to verify their MFA settings (and SSPR if applicable)

Note: there are still some aspects of the Windows OS that are not really aware of MFA, particularly the Domain Join functionality. If you have enabled MFA on the account you’re using for the domain join operation and you receive an erroneous “Incorrect Password” error (i.e. code 0x52e in the NetSetup.log debug log) during a domain join (and assuming you are actually typing in the correct password), then you may need to revert to using a separate non-MFA account, at least for the domain join operation.

Default MFA settings:

The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection.
Here is the per-service state of modern authentication by default:

  • Exchange Online – OFF by default.
  • SharePoint Online – ON by default.
  • Skype for Business Online – OFF by default.

Once you have MFA enabled and the new version of the AAD PS module installed, you should be able to go through the additional MFA verification steps after logon:
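The steps above worked through in PowerShell, as an added example that is not from the original post. It assumes the MSOnline module from the v1.1 download is installed, that an Exchange Online and a Skype for Business Online remote session have already been imported into the same PowerShell session, and that user@contoso.example is a placeholder UPN.

```powershell
# Added example, not from the original post. Assumes the MSOnline (Azure AD v1.1)
# module plus already-imported Exchange Online and Skype for Business Online
# remote sessions. The UPN below is a placeholder.
$Upn = 'user@contoso.example'

# Interactive, MFA-capable sign-in: leaving out -Credential makes the v1.1 module
# prompt with the modern authentication dialog (password, then second factor).
Connect-MsolService

# Report the per-user MFA state and the second factors the user has registered.
function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req     = $user.StrongAuthenticationRequirements | Select-Object -First 1
    $state   = if ($req) { $req.State } else { 'Disabled' }
    $methods = $user.StrongAuthenticationMethods
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state
        RegisteredMethods = (($methods | ForEach-Object MethodType) -join ', ')
        DefaultMethod     = ($methods | Where-Object IsDefault | ForEach-Object MethodType)
    }
}

# Step 4: enable per-user MFA. RelyingParty '*' applies it to every application;
# the user registers a second factor (phone, alternate e-mail, authenticator app)
# at the next sign-in, which is what step 5 asks them to verify.
function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

Get-UserMfaState -UserPrincipalName $Upn
Enable-UserMfa   -UserPrincipalName $Upn
Get-UserMfaState -UserPrincipalName $Upn

# Modern authentication is OFF by default on Exchange Online and Skype for
# Business Online; the tenant has to be switched over before those services
# accept a modern-auth (MFA) connection. Check the tenant-level flags first.
Get-OrganizationConfig   | Select-Object Name, OAuth2ClientProfileEnabled
Get-CsOAuthConfiguration | Select-Object Identity, ClientAdalAuthOverride
# To switch them on (uncomment after reviewing the per-service articles linked below):
# Set-OrganizationConfig   -OAuth2ClientProfileEnabled $true
# Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```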


Azure Active Directory PowerShell with Modern Authentication

Download Details: Azure Active Directory Connection

Azure AD PowerShell: Public Preview of support for Azure MFA + new Device Management Commands

How to install and configure Azure PowerShell

Skype for Business Online: Enable your tenant for modern authentication

Exchange Online: How to enable your tenant for modern authentication

The sign in experience with Azure Multi-Factor Authentication

Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS

What are App Passwords in Azure Multi-Factor Authentication?


Integrating SAP Web Services with MIM – part 1


I recently finished a successful integration project for a customer where they were moving from FIM 2010 to MIM 2016 and from the legacy SAP Management Agent to the current SAP Web Services Management Agent – the following are observations from the journey.

The default projects published for the SAP Web Services Connector contain VB for Workflows code, rehosted so you don’t need Visual Studio to edit it, but the drawback is that you’re limited to editing it inside the accompanying Web Services Configuration Tool (which is, frankly, a bit dated). Documentation for it is also very limited and hasn’t been updated since the original release of the client.

The files discovery.xml and generated.config (or cfg.config in the older version) inside the .wsconfig project can be edited using 7-Zip or similar if you need to tweak settings that currently can’t be configured inside the WSConfig tool, such as increasing the HTTP timeout of the Web Services Connector (the default timeout being 60 seconds); standard caveat emptor warnings apply to modifying the content.

Note that the generated.dll file inside the .wsconfig project is re-compiled when you make changes to the Discovery settings inside the WSCONFIG tool, which in turn overwrites any manual changes made to the generated.config file so you’ll need to redo the manual changes whenever a change to the Discovery settings in the project is made.

Also, make sure you have downloaded the latest SAP Web Services Connector from Microsoft, see the Wiki on MIM Management Agents.

Be aware that because the latest versions of the Web Services Connector changed build numbers from 5.3.x.x to 1.x.x.x, you may need to uninstall older versions of the SAP Web Services Connector first: the Windows Installer logic rejects the lower build number as it (quite logically) believes it to be an older version of the connector.

For the Employee object in SAP, the following Standard SAP BAPI functions are being referenced in the pseudo-VB code and the generated.dll file that live inside the .wsconfig project that comes with the SAP Web Services Connector:


Full Import:


The latest SAP Web Services Connector template (2016-03-02) expands the number of SAP object types to also include pseudo-VB code for the following object types:

OrganizationUnit ()

Full Import:

PrimaryGroup ()

Full Import:

Export Replace:

SecondaryGroup ()
Full Import:

Export Replace:

Profile ()
Full Import:

Export Replace:

Role ()
Full Import:

Export Replace:

User ()
Full Import:

Export Add:

Export Delete:

Export Replace:



Importing using the standard BAPI calls from SAP and the default project from Microsoft turned out to be quite slow, as we discovered after the initial deployment. The default project uses the standard BAPI calls to parse through a list of all users in the alphabet and import one entry from SAP at a time – which is probably part of the performance issue.

Fortunately, the local SAP consultant I was working with on this project had written a custom BAPI that collected the users being imported into a table of rows and then sent it over the wire in one batch. We ended up dumping all the VB code from Microsoft’s original default Web Services project, using it only for reference in a new Web Services project I wrote specifically to use the new custom BAPI.

In short, the performance boost from using the custom BAPI to communicate with SAP Web Services was staggering – an Import operation from SAP Web Services to the MIM Connector Space that took 6 hours with the standard BAPI calls now takes ~3 minutes using the custom BAPI. I’ll go further into this in part 2 of this series.


Further details:

BAPIs – Definition

MIM and SAP Web Service Connector Timeouts

Integrate SAP HR and Active Directory using Forefront Identity Manager (FIM) SAP Connector for WS


ADFS SSO Primers

SSO means different things to different people – make sure you’re talking about the same thing (i.e. Single Sign-On, Simple Sign-On or Same Sign-On)
In order to transparently obtain a claim from ADFS the following must be present:
  1. Your browser or client application needs to support WIA and claims
    IE/Edge support WIA out of the box, Firefox can reportedly be configured to support it (Chrome and others possibly as well using the same steps)
  2. Your browser must be talking to the intranet ADFS servers (as talking to the ADFS proxies takes you through forms-based authentication)
    This is frequently done through either a split-brain DNS setup or a network device that routes internal claim requests directly to the internal ADFS servers and external claim requests to the ADFS proxies
  3. Your browser must trust that the ADFS farm is an intranet web site (the site should be in the Local Intranet sites in Internet Settings)
    Adding a GPO setting to include the ADFS farm name will work, targeting the GPO at the Computer gives the User the flexibility to add any required additional entries as the user settings inherit any sites added at the computer settings level.
  4. You must be logged on to a domain-joined machine as the user you expect SSO to be provided for
    Note that a cached logon doesn’t really count as a proper logon (you’re simply being allowed access to local resources on the workstation based on a previously successful logon)
  5. The Relying Party application should redirect you to the ADFS farm when it detects you are attempting to log on using an account belonging to a domain suffix that their IdP is responsible for
    This should preferably be done immediately upon entering the account name, when switching focus to the password field; entering the password at the RP side shouldn’t be required at all (e.g. an onFocus event targeting the password field, similar to what does).
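A pre-flight check for items 2 to 4 of the list above, run on the workstation that should be getting SSO. This is an added example, not from the original post; the farm name, the internal address prefix and the assumption that the zone entry was created for the https scheme are placeholders/assumptions, and Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original post: checks items 2-4 of the SSO list on
# the current workstation. Farm name and internal address prefix are placeholders.
$AdfsFqdn       = 'sts.contoso.example'
$InternalPrefix = '10.0.0.'   # where the intranet ADFS servers (not the proxies) live

function Test-AdfsSsoPrereqs {
    param([string]$Fqdn = $AdfsFqdn, [string]$Prefix = $InternalPrefix)
    $r = [ordered]@{ AdfsFqdn = $Fqdn }

    # Item 2 - split-brain DNS: from the inside the farm name must resolve to the
    # internal ADFS servers; resolving to the proxies gets you the forms page.
    $ips = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
           ForEach-Object IPAddress
    $r.ResolvedTo       = ($ips -join ', ')
    $r.ResolvesInternal = [bool]($ips | Where-Object { $_ -like "$Prefix*" })

    # Item 3 - Local Intranet zone (zone id 1), checked in the order IE applies
    # them: computer policy (GPO), user policy, then the user's own list.
    # Assumption: the entry was created for the https scheme (or as '*').
    $hostLabel = $Fqdn.Split('.')[0]
    $domain    = $Fqdn.Substring($hostLabel.Length + 1)
    $zoneKeys  = @(
        "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel",
        "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel")
    $zone = $null
    foreach ($key in $zoneKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $zone  = if ($null -ne $props.https) { $props.https } else { $props.'*' }
        if ($null -ne $zone) { $r.ZoneSource = $key; break }
    }
    $r.ZoneId         = $zone
    $r.InIntranetZone = ($zone -eq 1)

    # Item 4 - a real domain logon. With a cached logon LOGONSERVER points at the
    # workstation itself, which is the "not a proper logon" case described above.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r.DomainJoined = $cs.PartOfDomain
    $r.LogonServer  = $env:LOGONSERVER
    $r.CachedLogon  = ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME")
    $r.UserName     = "$env:USERDOMAIN\$env:USERNAME"

    [pscustomobject]$r
}

Test-AdfsSsoPrereqs | Format-List
```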



Support for Windows Integrated Authentication in Firefox

Configuring Chrome and Firefox for Windows Integrated Authentication

onFocus event

Split-Brain DNS

A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience

Office 365 Single Sign-On with AD FS 2.0 whitepaper

A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource

A federated user is repeatedly prompted for credentials when he or she connects to the AD FS 2.0 service endpoint during Office 365 sign-in

Quickly undeleting users, groups or Organizational Units using the AD Recycle Bin feature

Note: if the AD Recycle Bin isn’t already enabled in your forest then you need to dig out your last system state backup and go through the restore process – enabling the ADRB does not help with recovering any objects deleted prior to it being enabled.  See this article for enabling it. 

A VM snapshot can potentially be used to restore from for DR purposes, but only if *both* the virtualization host platform and the underlying guest OS support it (W2k12 or later for the guest OS, and Hyper-V on W2k12 or vSphere/ESXi 5.0 Update 2 for the virtualization hosts).

If your VM snapshot doesn’t fulfil the minimum OS and virtualization requirements then you may still be able to use it as a last resort, but the operation will be a lengthy process if the snapshot DC was brought online before the “Database Restored from Backup” registry key was manually set on it to force it to generate a new invocation ID.

From the VMware article on VM-GenerationID support:

VM-Generation ID functionality requires the hypervisor vendor to create the virtual machine identifier and expose it to the guest. VMware has provided this functionality in the following releases of vSphere:

  • VMware vSphere 5.0 Update 2 (vCenter Server and ESXi must both be at 5.0 Update 2)
  • VMware vSphere 5.1 (ESXi must be at least 5.0 Update 2)

From the Technet article on Safe Domain Controller Virtualization:
Beginning with Windows Server 2012, AD DS virtual domain controllers hosted on hypervisor platforms that expose an identifier called VM-Generation ID can detect and employ necessary safety measures to protect the AD DS environment if the virtual machine is rolled back in time by the application of a VM snapshot. The VM-GenerationID design uses a hypervisor-vendor independent mechanism to expose this identifier in the address space of the guest virtual machine, so the safe virtualization experience is consistently available on any hypervisor that supports VM-GenerationID. This identifier can be sampled by services and applications running inside the virtual machine to detect if a virtual machine has been rolled back in time.
Virtualized domain controller cloning relies on the hypervisor platform to expose an identifier called VM-Generation ID to detect creation of a virtual machine. AD DS initially stores the value of this identifier in its database (NTDS.DIT) during domain controller promotion. When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different, the domain controller resets the Invocation ID and discards the RID pool, thereby preventing USN re-use or the potential creation of duplicate security-principals.


Let’s look at the AD Recycle Bin in action in a lab:

First, we check whether the AD Recycle Bin feature is enabled in my lab forest using the following PowerShell command:

Get-ADOptionalFeature "Recycle Bin Feature"


If the EnabledScopes part is empty, the AD Recycle Bin still hasn’t been enabled in your AD forest; luckily I already have it enabled in my lab.

Now, I just deleted a few items from my AD lab, some of which shouldn’t have been deleted and now need to be restored quickly. I know all the deleted objects had ‘Test’ in the name, so let’s see what shows up in the AD Recycle Bin when searching for objects that have the isDeleted AD attribute set to ‘true’ and include Test somewhere in the name, sorting the list by the AD attributes msDS-lastKnownRdn and lastKnownParent to see where they were originally deleted from:


Of these 6 items, I’m only interested in restoring the group objects (the other ones were intentionally deleted). I’ll add a filter to only target groups and then pipe it to the Restore-ADObject PowerShell command with the -WhatIf switch appended to determine what action would be performed on which objects without actually performing the restore:


Great, the -WhatIf option shows me the command would restore only the two groups that I want to restore and leave everything else we don’t want to restore still in a deleted state in the AD Recycle Bin.  We can now confidently run the same command again without the -WhatIf switch (Adding the -Verbose option instead to report the status for each restore):


Excellent! The two groups and their pre-deletion membership state are now back in business without having to bother with a lengthy restore process!  Let’s confirm the groups are really back in the correct OU in AD by running Get-ADObject again without the ‘isDeleted’ filter option:

The undeleted groups are back where they belong in AD with the correct membership in the minimum amount of time required to recover from the original error.
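The command sequence of the lab walkthrough above, reconstructed as an added example (the original post showed the commands as screenshots, so this is not the post's own code). It assumes the ActiveDirectory module on a Windows Server 2008 R2 or later DC or RSAT host.

```powershell
# Added example reconstructing the lab walkthrough above; not the post's own code.
# Assumes the ActiveDirectory module and a forest with the Recycle Bin enabled.
Import-Module ActiveDirectory

# Is the Recycle Bin enabled? An empty EnabledScopes means it is not (and then
# nothing deleted before this point is recoverable this way).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) { throw 'AD Recycle Bin is not enabled in this forest.' }

$NamePattern = '*Test*'   # every object deleted in the lab had "Test" in its name

# Soft-deleted objects matching the pattern, sorted by where they were deleted from.
# -IncludeDeletedObjects is what makes the Recycle Bin contents visible to the search.
function Get-DeletedTestObjects {
    Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$NamePattern'" `
                 -IncludeDeletedObjects `
                 -Properties msDS-LastKnownRDN, lastKnownParent, objectClass |
        Sort-Object lastKnownParent, msDS-LastKnownRDN
}

# Step 1: what is in the Recycle Bin?
Get-DeletedTestObjects | Format-Table msDS-LastKnownRDN, lastKnownParent, objectClass -AutoSize

# Step 2: only the groups were deleted by mistake. Preview the restore; -WhatIf
# reports what would happen to which object without touching the directory.
$groups = Get-DeletedTestObjects | Where-Object objectClass -eq 'group'
$groups | Restore-ADObject -WhatIf

# Step 3: same pipeline without -WhatIf, with -Verbose reporting each restore.
$groups | Restore-ADObject -Verbose

# Step 4: confirm the groups are back in their original OU with membership intact.
# The object GUID survives deletion and restore, so it is the safest lookup key.
foreach ($g in $groups) {
    Get-ADObject -Identity $g.ObjectGUID -Properties member |
        Select-Object Name, DistinguishedName,
                      @{ Name = 'MemberCount'; Expression = { @($_.member).Count } }
}
```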

This will of course *not* replace your regular backup procedures, but enabling it should really be considered a mandatory precaution in any AD environment running Windows 2008 R2 DCs, as it really cuts down the time required to recover from accidental deletion of objects in AD.

In W2k12 R2 there is now also the option of using the Active Directory Administrative Center to undelete objects if you want a more graphical way of doing things.

Additional links:

AD Recycle Bin Best Practices

AD Recycle Bin behaviour

Safe virtualization of Domain Controllers

vSphere versions required for VM-Generation ID support

Fixing When Your Domain Traveled Back In Time, the Great System Time Rollback to the Year 2000

Virtualized Domain Controller Architecture

Things to consider when enabling the AD Recycle Bin


#1 check if you have any applications that use the DirSync control and make sure you have applied the NTDS hotfix from KB979214 to Domain Controllers (if you are running Windows 2008 R2 DCs), as this changes the default behaviour of the relevant LDAP search control when returning values for objects that reference recycled (soft deleted) objects.

#2 read the ASKDS article on best practices for implementing the AD Recycle Bin.

#3 figure out if you have any critical applications using the DirSync control that can’t handle the isRecycled attribute state for objects that have been soft deleted.


ILM 2007 will unfortunately not be able to handle the AD Recycle Bin but FIM 2010 with Update 1 will (ILM 2007 being out of support for more than a few years now should also really be reason enough to upgrade to at least FIM 2010 R2 or MIM 2016).

Applications that have the potential to be impacted negatively by enabling the AD Recycle Bin are most likely going to be older product versions that focus on directory synchronization or monitoring using the DirSync control. Those will either need to be retired or updated to a newer version (older GALSync and MIIS instances probably fall under the same unsupportable hat as ILM 2007).
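To see what points #1 and #3 mean for a DirSync consumer, here is a minimal DirSync poll that classifies each returned object as live, deleted or recycled. It is an added example, not from the original post; the DC name and base DN are placeholders, it needs Windows PowerShell 5.x (for the ::new() syntax) and it binds with the current Windows credentials.

```powershell
# Added example, not from the original post: a minimal DirSync poll showing the
# object states a DirSync consumer meets once the Recycle Bin is enabled.
# Assumes Windows PowerShell 5.x and the placeholder DC / base DN below.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Dc     = 'dc01.contoso.example'
$BaseDn = 'DC=contoso,DC=example'

# TRUE/FALSE attributes (isDeleted, isRecycled) arrive as strings.
function Test-AttrTrue($Entry, [string]$Name) {
    $Entry.Attributes.Contains($Name) -and
        (($Entry.Attributes[$Name].GetValues([string])) -contains 'TRUE')
}

function Get-DirSyncChanges {
    param([byte[]]$Cookie = $null)   # no cookie = full initial sync; keep the returned one
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Dc)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current Windows credentials

    $attrs = [string[]]@('objectClass', 'isDeleted', 'isRecycled', 'member')
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
    # ObjectSecurity: results are limited to what the bound account may read, so
    # the "Replicating Directory Changes" right is not required for this poll.
    $ctl = [System.DirectoryServices.Protocols.DirSyncRequestControl]::new(
        $Cookie,
        [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity,
        [int]::MaxValue)
    [void]$req.Controls.Add($ctl)
    $resp = $conn.SendRequest($req)

    $changes = foreach ($e in $resp.Entries) {
        # Lifecycle with the Recycle Bin: live -> deleted (isDeleted TRUE, links
        # kept, restorable) -> recycled (isRecycled TRUE, attributes stripped,
        # not restorable) -> physically removed. Consumers written before the
        # Recycle Bin existed only know the first two states; see the KB979214
        # point above for how links to recycled objects are reported.
        $state = if (Test-AttrTrue $e 'isRecycled') { 'recycled' }
                 elseif (Test-AttrTrue $e 'isDeleted') { 'deleted' }
                 else { 'live' }
        $members = if ($e.Attributes.Contains('member')) { $e.Attributes['member'].Count } else { 0 }
        [pscustomobject]@{ DistinguishedName = $e.DistinguishedName; State = $state; MemberCount = $members }
    }
    $dsr = $resp.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
    [pscustomobject]@{ Changes = @($changes); Cookie = $dsr.Cookie; MoreData = $dsr.MoreData }
}

$poll = Get-DirSyncChanges
$poll.Changes | Group-Object State | Select-Object Name, Count
$poll.Changes | Where-Object State -ne 'live' | Format-Table -AutoSize
```

Pass $poll.Cookie to the next call to receive only the changes since this poll; an application that keys solely on isDeleted will treat the later 'recycled' state as a second deletion of the same object.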


Additional links:

Polling for AD Changes using the DirSync control

FIM 2010 Update 1

The DirSync control search does not return the deactivated linked attributes from a modified object in a Windows Server 2008 R2-based domain

Using the DirSync Control

PowerShell DirSync Sample

Working simultaneously with multiple user accounts in O365


When you have Windows Integrated Authentication (WIA) turned on for the ADFS server and it is included in the Local Intranet site in IE settings you will always get automatically logged on as the currently logged on user regardless of who you attempt to log on as.


So let’s say you have an admin account in O365 called that you want to use for administering O365 while your normal login name is
You open up an in-private browser window for O365 and enter your login name into the browser window – hoping to get redirected to your ADFS server where you would enter your alternative credentials.
The results: you get redirected to your ADFS server and WIA logs you in as the currently logged on user –
This is just the flipside of SSO – turning this off to cater for the subset of users that want to use multiple accounts in O365 (typically your admin team) will force all your users to enter credentials specifically rather than use SSO from the current logon credentials.
I.e. you can’t have your cake and eat it*
A quick workaround is to create a shortcut on your desktop that launches a browser using RunAs (e.g. if you have admin accounts prefixed with Super-):
C:\Windows\System32\runas.exe /user:%userdomain%\Super-%username% "%ProgramFiles%\Internet Explorer\iexplore.exe"

*unless you buy two cakes

Tracing Issued Claims in ADFS

Quick & Dirty scripting tools – the following PowerShell script will dump the last X minutes of issued claims on an ADFS server (assuming auditing of issued claims has been turned on in the AD FS Management MMC). Pass the number of minutes to look back as the first argument; it defaults to 60.
# Look-back window in minutes (first script argument, default 60); a negative
# value is accepted too, since AddMinutes() is given the negated value anyway
$timeView = 60
if ($Args.Count -gt 0) { $timeView = [math]::Abs([int]$Args[0]) }
$StartTime = (Get-Date).AddMinutes(-$timeView)
# Event ID 501 in the Security log is the "claims issued" audit event
$output = @(Get-WinEvent -FilterHashtable @{
    LogName   = "Security";
    StartTime = $StartTime;
    ID        = 501 } -ErrorAction SilentlyContinue)
$output | Format-List
"Total issued claims: $($output.Count)  $($timeView) minute view"

Sudden Access Denied in Group Join Approval Workflow in MIM 2016

On a Windows Server 2012 R2 server, running latest version of MIM 2016 on SPS Foundation 2013 with roll-ups; after editing the default Owner Approval workflow I started to get the following error when attempting to Join or Leave any groups with Ownership Approval:

Error details:

I cried, then I cried some more.  Then I went and visited Mr. Google (What if Google was a Guy?) and stumbled upon this gem from the Technet forums that turned out to be the resolution… yes, it’s a FIM bug that’s still in MIM… not a feature 🙂

Error message from Event ID 3:

Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
at Microsoft.ResourceManagement.Workflow.Hosting.WorkflowManager.StartWorkflowInstance(Guid workflowInstanceIdentifier, KeyValuePair`2[] additionalParameters)


When a new approval workflow is created and an approval activity is placed in this workflow, it contains the following element in its XOML definition:


xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version= (…)


Above is from the standard approval workflow delivered with FIM, which works out of the box; after editing the standard workflow, or in any custom authorization workflow you create, it changes to the following:


(…) xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=, (…)



…Editing the XOML in Extended Attributes and changing it back to and saving the workflow resolves the issue.  The bad news is it breaks again the next time you do any editing of the workflow 🙁




Unexpected timeout issue when updating FIM 2010 to latest roll-up package

This one came as a surprise – the setup of the latest FIM 2010 roll-up was repeatedly timing out, and Event ID 6311 and 6401 kept popping up in the Application log during the operation.

After a couple of pints of coffee I eventually decided to run Procmon from Sysinternals to peek at what was going on while the setup was apparently sitting around doing nothing.

Turns out there were 521,750 ghost items with names such as Sync Rule Callout <GUID> and Common MA Callout Extension <GUID> hanging around in the hidden ExtensionsCache folder under the Synchronization Service installation directory.

Stopping the FIMSync service prior to deleting the ghost items not only allowed the update to proceed but also markedly improved performance of the MAs on the box, by at least a factor of ~3.
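The clean-up as a repeatable script, added here as an example rather than taken from the original post. The installation path and the service name are assumptions (the FIM 2010 defaults); -WhatIf shows what would be deleted without stopping the service or touching the cache.

```powershell
# Added example, not from the original post: counts and (optionally) clears the
# ghost callout items described above with the Synchronization Service stopped.
# Installation path and service name are assumptions (FIM 2010 defaults).
function Clear-SyncExtensionsCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SyncRoot    = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service',
        [string]$ServiceName = 'FIMSynchronizationService'
    )
    $cache = Join-Path -Path $SyncRoot -ChildPath 'ExtensionsCache'
    if (-not (Test-Path -Path $cache)) { throw "ExtensionsCache folder not found under $SyncRoot" }

    # Only the name patterns seen in the post are targeted; -Force is needed
    # because the folder and its contents are hidden.
    $ghosts = @(Get-ChildItem -Path $cache -Force -Recurse |
                Where-Object { $_.Name -like 'Sync Rule Callout *' -or
                               $_.Name -like 'Common MA Callout Extension*' })
    Write-Verbose ("{0} ghost items found in {1}" -f $ghosts.Count, $cache)
    if ($ghosts.Count -eq 0) { return 0 }

    if ($PSCmdlet.ShouldProcess($cache, "delete $($ghosts.Count) ghost items")) {
        # The running service holds the cache; stop it first, as in the post,
        # and make sure it comes back even if a delete fails.
        Stop-Service -Name $ServiceName -Force
        try {
            $ghosts | Remove-Item -Force -Recurse
        } finally {
            Start-Service -Name $ServiceName
        }
    }
    $ghosts.Count
}

# Dry run first: reports the count and what would be removed.
Clear-SyncExtensionsCache -Verbose -WhatIf
```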


Office 365: Using Lync or Skype on Linux


When you have a *nix crowd to cater for in your Office 365 or Lync deployment the following information will be useful:

– You can use the SIPE plugin to enable your *nix users to chat on O365 or Lync servers

– There’s a client-side bug in pidgin-sipe v1.18.2 where the user’s SIP address was used as the login name presented to the AD FS server, regardless of the login name entered in the client

– This was fixed upstream in v 1.18.4

– This bug is invisible when the user has the same UPN and SIP address

– On the AD FS server side a workaround would be to allow extended attribute lookup during logon (e.g. use the ‘mail’ attribute if it matches the SIP address)
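The AD FS-side workaround from the last bullet, configured with the Alternate Login ID feature of AD FS 3.0. This is an added example, not from the original post; the forest name is a placeholder and the commands are run on an AD FS server as an AD FS administrator.

```powershell
# Added example, not from the original post: let AD FS look users up by the
# 'mail' attribute in addition to the UPN (Alternate Login ID, AD FS 3.0).
# The forest name is a placeholder.
Import-Module ADFS

$LookupForest = 'contoso.example'   # forest(s) to search by the alternate attribute

# How AD FS currently identifies users: an empty AlternateLoginID means the
# default UPN / domain\sAMAccountName lookup only.
function Get-AdfsLogonIdConfig {
    Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
        Select-Object Name, AlternateLoginID, LookupForests
}

# Accept the value of 'mail' as the login name (i.e. the SIP address that the
# old pidgin-sipe sends), so that the client bug above no longer blocks logon.
function Enable-MailAsLoginId {
    param([string[]]$Forests = @($LookupForest))
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
                                -AlternateLoginID 'mail' `
                                -LookupForests $Forests
}

# Roll back to the default lookup (needed e.g. for the Exchange Online Hybrid
# case in the note below).
function Disable-AlternateLoginId {
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
                                -AlternateLoginID $null -LookupForests $null
}

Get-AdfsLogonIdConfig
Enable-MailAsLoginId
Get-AdfsLogonIdConfig
```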

Note: The Alternate Login ID feature is not compatible with Exchange Online Hybrid Deployments. Customers that wish to configure Exchange Online Hybrid Deployments with Office 365 must not configure Alternate Login ID.

The Alternate Login ID feature may impact various other Azure AD and Office 365 scenarios including:

  • Office 365 ProPlus activation may require explicit sign-in
  • InTune customers using SCCM connectors may require additional configuration.

Further details:

Configuring Alternate Login ID [for AD FS 3.0]

The SIPE project

Pidgin IM