Good practices for implementing a healthy Azure Active Directory identity foundation

Originally posted on Lucian.Blog. Follow Lucian on Twitter @LucianFrango for daily doses of cloud.


This is part frustrated (mild) rant, part helpful hint and like the title says: part public service announcement. While I am most definitely a glass is half full kind of person, and I don’t get stressed out much or phased by pressure much, I, like anyone, do get annoyed with certain things. Let’s start with a quick vent before continuing on with the public service announcement.

Rather then just have a rant or a whinge, let me explain the situation and by doing so I’ll most likely vent some frustration.

Deploying a Hybrid Exchange environment to integrate with Exchange Online in Office 365 can be a behemoth of a task if you lack certain things. While anyone can say any number of criteria or list off important considerations, pre-requisites or requirements, I feel that there is only one thing that needs to be addressed. One thing that sticks in my mind as being the foundation of the endeavour.

Just like the old saying goes “you can’t build a strong house on weak foundations”; the same applies to that initial journey to the cloud.

I say initial journey, as for many organisations that first step after setting up a website, which can be the beginning to being a cloud-focused organisation, Office 365 is truly the first step to move infrastructure, process and systems to the cloud that I see happen the most.

Importantly though is to realise that as amazing and full of features as Office 365 is, deploying a Hybrid environment to leverage what I consider the best of both worlds, a hybrid identity, all that matters is the existing Active Directory Domain Services (ADDS) environment. That is ALL THAT MATTERS.

Step aside Active Directory Federation Services (ADFS) and Azure AD Connect (AADConnect) or even Hybrid Exchange Server 2016 itself. All those components sit on top of the foundation of the existing identity and directory services that is the ADDS environment.

ADDS is so crucial as it key link in the chain, so much so that if it has issues, the entire project can easily and quickly run into trouble and delays. Delays lead to cost. Delays lead to unhappy management. Delays lead to unhappy users. Delays lead to the people working on the project going grey.

I remember a time when I had blonde curly hair. I grew out of that and as I got older my hair darkened to a rich, chocolate (at least 70% cocoa) brown. Now, as each project gets notched on my belt, slowly, the slick chocolate locks are giving way to the odd silky, white sign that there’s not enough emphasis on a well-managed and organised ADDS.

Read More

Using powershell to add users to an Exchange Online in-place hold

Originally blogged @ Lucian.Blog. Follow Lucian on Twitter @LucianFrango.


A month ago I wrote a quick post (available here) on removing users from large in-place hold polices in Exchange Online. At the time I wasn’t that familiar with the process and documentation online was limited. After sharing is caring that process I had a deeper look into the in-place hold policies for a client I’m consultant at. There was some cleanup that was required and this post explains that process as well as a streamlined way via powershell to add users to an in-place hold policy.

The problem

Over the course of any large-scale migration to Exchange Online, managed services and project resource teams coordinate to successfully migrate users and apply policies and post migration tasks. In-place hold policies and governance around storing email data for compliance and legal purposes is key for certain organisations. The larger the organisation though, the more tricky the task. The GUI or web console just isn’t enough to cater for thousands of users. Insert powershell!- it is your friend.

The solution

Overall the process to add users to an in-place hold isn’t that much different from the process of removing users from a policy. Like the previous post (available here), I’ll keep the process short and sweet to outline the steps required:

Read More

Implementing Application with Office 365 Graph API in App-only Mode

Microsoft has recently release Microsoft Graph to easily integrate Office 365 resources with applications. Graph API basically provides one single endpoint to call bunch of Web APIs to get access Office 365 resources.

In order to use Graph API from another application, the application must be registered in Azure Active Directory (AAD) first. When the application is registered, we can choose how the application is permitted to use resources – application permissions or delegate permissions. The latter one typically requires users to provide user credentials like username and password to get a proper access token.… [Keep reading] “Implementing Application with Office 365 Graph API in App-only Mode”

Connected data source error code: 8344: insufficient access rights to perform the operation.

Originally blogged @ Lucian.Blog. Follow Lucian on Twitter @LucianFrango.


I’m in the final stages of a long running Exchange migration from two on-premises ADDS forests and Exchange organisations to Exchange Online. The infrastructure foundations were laid out by some Kloudie colleagues some time ago. The environment has been running great for a while now, however, recently when trying to do some remote move migration batches to Exchange Online, I’ve been running into failures.

A few months ago I had the same issue and at that time I quickly found it to be related to DirSync. This project has an older deployment of DirSync with some customisation specific to this environment. That time I managed to find some duplicate attributes between the DirSync metaverse and Active Directory on-premises for the problematic users, which for the most part, was the cause of the problems. Fast forward and this week and I’m again running into some migration failures.

Read More

Using PowerShell to remove users from an Exchange Online in-place hold policy

Originally blogged @ Lucian.Blog. Follow Lucian on Twitter @lucianfrango.


In-place hold, legal hold, compliance hold, journaling and/or select “D”: all of the above, when it’s simplified down to its simplest form is storing emails for X amount of time in case there’s a problem and these need to be reviewed. What’s great about Office 365 Exchange Online is that there is the ability to store those emails in the cloud for 2,555 days (or roughly speaking 7 years).

Let’s fast forward to having in-place hold enabled for an Exchange Online tenant. In my reference case I have roughly 10,500 users in the tenant and numerous in-place hold policies, with the largest containing 7,500 or so users. I’ve run into a small problem with this Hybrid based environment whereby I need to move a mailbox that is covered by an in-place hold policy (let’s call it “Lucians Mailbox Search Policy”) back to on-premises for a couple of reasons.

The following blog post outlines how to remove users from an in-place hold via PowerShell as the Office 365 / Exchange Online Control Panel may not let you do that when you have thousands of users in a single hold policy.
Read More

Kloud Solutions named as Microsoft Australia Partner Awards finalist in four categories!

MELBOURNE, VICTORIA – 10 August, 2015 – Today, Kloud Solutions proudly announced it has been named a finalistin four categories in the 2015 Microsoft Australian Partner Awards (MAPA):

  • Cloud Productivity
  • Cloud Platform
  • Managed Service
  • Social Enterprise

Earlier this year, Kloud won Cloud Productivity Partner of the Year and was recognised as a finalist for Enterprise Mobility Suite Partner of the Year at Microsoft’s Worldwide Partner Conference in Orlando, Florida.

Kloud’s managing director Nicki Bowers is proud of the recognition, saying it is representative of the way customers entrust Kloud with their journey to the cloud.… [Keep reading] “Kloud Solutions named as Microsoft Australia Partner Awards finalist in four categories!”

Hybrid Exchange Migration: Mailbox to Mail-User Conversion Fails

Occasionally after migrating a mailbox from an on-premises Exchange server to Exchange Online the user is unable access their mailbox using Outlook, however the Office 365 Outlook Web Access (OWA) application is functional. Often (but not always) the migration batch report will contain users that have “Completed with Errors” or “Completed with Warnings”.

Commonly this is caused by the migration process failing to update the on-premises object and convert it into a mail-enabled user, often due to issues with inheritable permissions or unsupported characters.… [Keep reading] “Hybrid Exchange Migration: Mailbox to Mail-User Conversion Fails”

How to implement Multi-Factor Authentication in Office 365 via ADFS, Part 5, the finale!

Originally posted in Lucians blog over @ lucian.blog.


I know what you’re thinking: does Lucian really have to create another part in this long MFA series? In short, probably not, but I’ll have saved your index finger the thousands of years or scrolling you would have done to read the entire brain dump in a one page post.

So to explain this ‘epilogue’, if you will, on MFA, using X.509 SSLs for your second factor of authentication is a powerful means to automate and manage a process for your mobile and external users. This blog post will explain how to leverage an on-prem Microsoft System Centre Configuration Manager (SCCM) 2012 R2 deployment linked to Microsoft InTune to deliver SSL’s to mobile and external devices to use in MFA.

Read More

How to implement Multi-Factor Authentication in Office 365 via ADFS – Part 4

Originally posted in Lucians blog over @ lucian.blog.


The final installment in the long series that’s taken me allot longer to get around to writing then initially I had thought. However, I hope it’s worth the wait and the solution that has been proven works well for you. Before I get into the technical aspects of the final piece of this MFA implementation puzzle, I’d like to make a quick shout out to all the awesome consultants at Kloud Solutions who helped both in the technical implementation but also with the initial design and work required to see this solution through- a big thank you!

In the previous blog post I went through essentially what an internal configuration of MFA would look like with everything ready for the ADAL component that was previously under NDA and preview only availability, is now generally available for testing. So let me quickly delve into that ADAL in Office 2013 and Office 365 component before an in-depth guide on how to utilize Microsoft InTune and System Centre Configuration Manager as a means to deliver SSL certificates to users and use those certificates as your second factor of authentication! Exciting as its been a long build up to get to this point with several moments where I was questioning whether this would work in the real world.. lets start..

Read More

Hybrid Exchange Connectivity with Azure Traffic Manager

Does your exchange hybrid architecture need to have redundancy? How about an active/passive solution using Azure Traffic Manager elimating the need for a HLB device in your DMZ.

Currently there is a few topologies for configuring Hybrid Exchange with Office 365;

  1. Single Hybrid Server
  2. 2+ Hybrid Server behind a load balancer
  3. 2+ Hybrid Server with DNS round robin

A simple solution to make a redundant Hybrid Exchange design without using a HLB is to leverage Azure Traffic Manager to monitor and service the DNS namespace configured in on-premises Exchange and Office 365 configuration.… [Keep reading] “Hybrid Exchange Connectivity with Azure Traffic Manager”