Office 365

All posts relating to Office 365 including tenant setup and administration as well as products and services including Exchange Online, SharePoint Online, Lync Online and more as I delve further into Office 365.

Yammer Enterprise for Office 365

If you have an Office 365 subscription on any plan Small Business Essentials or above, you are entitled to Yammer Enterprise. Yammer, if you are unaware, is an enterprise social networking product that Microsoft acquired a while back and is billed to replace the social features in SharePoint Online over time. Enterprise social networking, I think, is like Marmite: some companies promote the idea whilst others shy away from it, which I think has held back adoption. As a result, Yammer isn’t as widely used as you would expect, especially for a free service included in your existing Office 365 licence.

Regardless of this, in this post I will walk you through the very simple steps to activate your Yammer Enterprise network for your Office 365 tenant and explain some of the next steps you can take to integrate Yammer more closely into your business functions and make it more useful for end-users.

Activate Your Yammer Enterprise Network

Activating the Yammer Enterprise Network is actually very simple. First, log in to your Office 365 Admin Center as a Global Admin.

Office 365 Dashboard Activate Yammer

From the Dashboard presented when you log in, you will have an option for Activate Yammer Enterprise under the Manage Your Organisation heading. Once you have selected this, you will be taken to the domain selection page.

Yammer Enterprise Domain Selection

On this page, you must select which of your verified Office 365 domains you want to activate Yammer for.

Yammer is designed primarily for single-domain use, so if you work at an organisation with multiple domain names, such as regional domains for each country or territory you operate in, you will need to activate your Yammer Enterprise network for one domain initially. Once you have your network set up with a single domain, you can follow the instructions in the TechNet article Combine Multiple Yammer Networks ( to contact Yammer Technical Support to add the secondary domains.

Once you have selected your domain and clicked the Activate Yammer Enterprise button, your new Yammer network will be created after a few minutes.

By design, Office 365 Global Admins are automatically provisioned as Network Admins in Yammer to administer your network; however, I found this didn’t work as it should and I had to follow a fix I found on the Office 365 Community: adding a new Global Admin after the network creation, which did get added to Yammer, and then logging in as that user and re-adding my other Global Admins manually.

Syncing Domain Users to Yammer with DSync

Whilst Yammer Enterprise is made available via your Office 365 tenant and allows your users to log in to Yammer Enterprise with their Office 365 credentials (be it as a cloud user, as an on-premise AD user via DirSync or AADSync, or via ADFS if you have it set up and configured), the user on-boarding and off-boarding processes for Yammer are distinct. What this means for your end-users is that whilst they can visit and try to log in using their Office 365 credentials, they actually need to be registered in your network first.

Microsoft provides a tool called Yammer Directory Sync, or DSync, which functions in a similar fashion to the DirSync or AADSync tools for Azure Active Directory. The DSync tool doesn’t sync any passwords, because those are provided via Office 365 and Azure Active Directory; however, DSync will sync the Name, Job Title, Office, Telephone and Mobile fields of an AD object to Yammer and will provision an account for the user. Setting up Yammer DSync is outside the scope of this post, but you can find out more in the TechNet article Install Yammer Directory Sync (

Yammer Directory Sync will automatically create Yammer users in your network as new AD users are created, and it will also remove users when they are deleted from AD, covering off the provisioning and deprovisioning processes. As you would expect, the tool updates user attributes as they are changed in AD.

If you don’t set up Yammer Directory Sync, each of your users will need to register for Yammer manually the first time they visit the site, and accounts will not be automatically deprovisioned when you remove an AD user account.

Replacing the SharePoint Newsfeed with Yammer

SharePoint Online, as with SharePoint 2010 and 2013, provides the Newsfeed functionality, which is designed to be your timeline of information for your company’s collaboration world. The Newsfeed in SharePoint is part of a user’s My Site area; however, Yammer, being an enterprise social network, provides a better newsfeed capability, and maintaining two systems for one function is redundant. Luckily, there is a setting we can change that replaces the native SharePoint Newsfeed with the Yammer service.

As a Global Admin, log in to the Office 365 Admin Center and browse to your SharePoint Admin Center. Among the options in the SharePoint Admin Center you will find a setting titled Enterprise Social Collaboration. Under this heading, change the setting from Use SharePoint Newsfeed (Default) to Use Service. As the description for this setting says, it can take up to 30 minutes for the setting to propagate to all of the Office 365 servers, so for a short period some users may still be directed to their Newsfeed after this is changed.

Embedding Yammer Feeds into SharePoint

SharePoint is where your company stores its documents and data, so it makes sense to have related comments and social interaction from staff in the same place. On the Yammer site, you can find out how to use Yammer Embed to incorporate Yammer Feeds and Pages into your SharePoint sites, or indeed into any HTML website your company may have. You can find out more about Yammer Embed at

It’s worth noting here that there is currently a Yammer Web App for SharePoint; however, this is being discontinued later this year, so there is no point building a system on the Web App now as you would have to re-create it before too long. It makes better sense to develop using the long-term solution now.

I hope this post sheds a bit more light on what Yammer is, how to get it and how to start using it.

Administering Sway in the Office 365 Admin Center

With the release of Sway, as I discussed in my earlier post today, Sway for Office 365 and What It Means for PowerPoint, there is another application in Office 365 that can now be managed by tenant administrators.

Some organisations may want to stop users from using Sway, or they may be happy for people to use Sway but not want anything authored in it to be shared outside the organisation. To this end, there are some new administrative controls in the Office 365 Admin Center for managing Sway.

After logging in to the Office 365 Admin Center as a Global Administrator, expand the Service Settings node in the menu and then select the Sway option.

Office 365 Sway Admin

As you can see in the screenshot above, there are not many options right now, but remember that Sway is a preview product and, with more features destined for it, I suspect there will be more management options over time too.

As of today, there are two management options. Firstly, we can completely disable Sway if we don’t want users to be able to access it. Note that changing this setting does not remove the Sway icon from the Office 365 App Launcher.

As you can see from the first screenshot below, when the Let people in your organisation use Sway option is disabled, users can still log in to Sway; however, if they try to access the My Sways menu or do anything else, they are shown the accounts are not yet supported error message.

The second option is to disable sharing outside the organisation. When this option is selected, users can still log in to Sway and can still select the share with public option on their Sways; however, a user outside the organisation trying to access a Sway link is shown an unauthorised access page, as in the second image below.

Office 365 Sway Disabled

Office 365 Sway Unauthorised

Sway for Office 365 and What It Means for PowerPoint

This week, the newest product for Office 365, Sway, has been made public and is rolling out to Office 365 tenants around the world.

I first noticed Sway had appeared in my tenant last night, although it could have been earlier. Users can access Sway from their Office 365 Apps via the green Sway icon, as shown below, and they can log in using their normal Office 365 credentials.

Office 365 Apps with Sway

In addition to the web interface for Sway, there are currently Sway apps available for iOS and Android and in typical Microsoft fashion of late, not for Windows Phone, something that continues to frustrate me that Microsoft leave their own platform to last to get access to apps and features.

So What is Sway?

Well, that is a good question and in reality it is a bit of whatever you want it to be. I think of Sway as a modern cross-over between OneNote and PowerPoint. Like OneNote, which you can use for casual note-taking and collating text and images, it lets you record and collate information from various sources such as images, text and social links to Twitter, Facebook or YouTube; however, Sway presents it in a beautiful reflowing format that makes your content look great across a multitude of devices and form factors, automatically reflowing the content for the screen resolution and orientation for you. This is where I liken it to PowerPoint, in the sense that it is designed to present and portray your content in a way that people will be drawn to and want to read, or at least that is the intention with slide decks, right?

Sway has been designed for a mobile and cloud first world such that you can not only view but also author a Sway using just your web browser making it ubiquitous across platforms. The mobile apps are there in order to enhance the experience and make it easier to author Sways from portable devices.

I haven’t really played with it myself much right now but I’ve watched a few videos on it over on Channel 9 and it certainly does produce nice aesthetically pleasing output but I think that the usual rule of garbage in, garbage out will still apply. Yes, if you provide Sway with garbage input it will make that garbage look nice but it will still be garbage. I think that Sways will be best suited to those who can make the most of a host of information be it text, images or multimedia from a range of sources because Sways consisting of just plain text won’t be very engaging.

The PowerPoint Replacement

What interests me with Sway is how it could potentially be used. We’ve all seen far too many dull PowerPoint decks that make us want to either play Candy Crush on our phones or simply roll over and sleep, so I would be interested to see how, in the real world with real information to convey, Sway could be used as a replacement for PowerPoint to deliver an engaging presentation.

I tested this theory earlier today using my Logitech R400 slide clicker that I bought for driving PowerPoint decks hands-off and to my surprise, it works really well with Sway, advancing through the Sway as you would expect it to so Microsoft have done a great job of linking Sway controls to the mouse click events that the clickers commonly use for advancing and rewinding PowerPoint slides. If we could just bring some of the multi-authoring capabilities from Office to Sway so that multiple people in an organisation could work on a Sway together that for me would seal the deal.

What I would like to see, though, to make this truly possible for a mass market, is two things. Firstly, I think there needs to be some kind of offline mode for Sway so that I can download a Sway I have created into a single file package or an HTML5 local cache and launch it from my laptop without connectivity, because we all know that when delivering customer or board room presentations you can’t always be sure there will be internet connectivity to access Sway online.

Secondly, there needs to be some kind of presentation mode in Sway.

Right now, we have an option in the toolbar at the top for Preview which puts the Sway into a chromeless view port and I can hit F11 in Internet Explorer to make that full screen which gives the impression of a presentation however there are a few problems I see with Preview mode like this today. For one, the Sway logo is shown in the upper left corner when you are at the start of the Sway which I don’t want to see on my slide decks along with the fact that the forward and back controls are permanently visible in the lower right corner. The biggest problem though is that most users won’t know that F11 is the full-screen view shortcut for Internet Explorer and Project Spartan or Microsoft Edge as we should call it doesn’t even have a proper full-screen mode right now and I definitely don’t want to see a presentation within the Internet Explorer or Microsoft Edge window.

I genuinely think that with the right introduction of multi-authoring tools and a fully fledged presentation mode, Sway could be the death of PowerPoint as we know it. I think Sway has a lot of potential and I really look forward to seeing what Microsoft do with it once it’s an official product and out of preview.

Managing the Skype for Business User Experience

Yesterday, Microsoft rolled out the April 2015 update for Lync 2013 which replaces Lync 2013 with the Skype for Business user experience. I tried out Skype for Business with the Office 2016 Technical Preview a few weeks ago and although it’s early doors, I’m liking the coming together of the two product families thus far.

In this post, I am going to cover off the prerequisites for client and server and also the configuration settings for managing the end-user experience, as there already seems to be a wave of confusion online about it.

Client Prerequisites

In order for your clients to receive the new Skype for Business user experience, there are some prerequisites that apply. Firstly, you must be running Office 2013 with Service Pack 1 (KB2817430). If you don’t have Service Pack 1, you can download it from here for 32-bit and here for 64-bit installations.

With Service Pack 1 applied, you must then have the March 2014 Update for Lync 2013 (KB2863908) applied, which you can obtain from here for 32-bit and here for 64-bit installations. There are many updates for Office 2013 post-SP1 which apply not only to Lync but to the whole suite, so I would recommend updating all the other products too, not just Lync; but for the purposes of this post, this is the update that is critical.

With both Office 2013 Service Pack 1 and the March 2014 update for Lync applied, you are ready to install the Skype for Business update. This update is the April 2015 Update for Skype for Business (KB2889853), and you can download the 32-bit version here or the 64-bit version from here.

Update for Skype for Business

Once you have installed Skype for Business from KB2889853 above, you will want to get another update, KB2889923, which is a post-April 2015 update for Skype for Business that addresses known issues with the original release. Hard to believe that such an update already exists, but it sure does. You can download this update, KB2889923, for 32-bit here and for 64-bit here. Don’t be alarmed that the download page for this update still reports Lync 2013 as the affected product, as this is a known thing.

Client Experience

Once you have the updates above installed, you will be running Skype for Business; however, many users will be prompted at first login that their administrator doesn’t want them to run this version of Skype for Business and that they need to revert to Lync.

Restart Skype for Business Dialog

This is caused by server-side settings, and whether your environment is on-premise Lync Server or Office 365 will affect how you resolve it. If you want to control this behaviour manually for testing purposes, you can edit the registry value that governs the client experience: under the key HKCU\SOFTWARE\Microsoft\Office\Lync, edit the EnableSkypeUI binary value accordingly. 00 00 00 00 denotes that the classic Lync user interface is used and 00 00 00 01 denotes that the Skype for Business UI is used.

EnableSkypeUI Registry
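For testing on a single machine, the value above can be read and written from PowerShell rather than by hand in Regedit. The following script is an added example and is not from the post or from Microsoft; the key path and value name are the ones the post gives, and the byte sequences written are the ones the post quotes. The function names Get-LyncClientUI and Set-LyncClientUI are my own.

```powershell
# Added example (not from the post): inspect or set the per-user EnableSkypeUI
# registry value that controls the Lync 2013 / Skype for Business client UI.
# Key path and value name are as given in the post.
$LyncKey = 'HKCU:\SOFTWARE\Microsoft\Office\Lync'

function Get-LyncClientUI {
    # Returns 'Skype', 'Lync' or 'NotSet' based on the EnableSkypeUI bytes.
    $item = Get-ItemProperty -Path $LyncKey -Name 'EnableSkypeUI' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    [byte[]]$bytes = $item.EnableSkypeUI
    # All-zero bytes select the classic Lync UI; any non-zero byte selects the Skype UI.
    if (@($bytes -ne 0).Count -gt 0) { return 'Skype' } else { return 'Lync' }
}

function Set-LyncClientUI {
    param(
        [Parameter(Mandatory)][ValidateSet('Lync', 'Skype')][string]$Mode
    )
    # Byte sequences as quoted in the post: 00 00 00 00 = Lync, 00 00 00 01 = Skype.
    $bytes = if ($Mode -eq 'Skype') { [byte[]](0x00, 0x00, 0x00, 0x01) } else { [byte[]](0x00, 0x00, 0x00, 0x00) }
    if (-not (Test-Path $LyncKey)) { New-Item -Path $LyncKey -Force | Out-Null }
    # -Type Binary writes a REG_BINARY value; an existing value is overwritten.
    Set-ItemProperty -Path $LyncKey -Name 'EnableSkypeUI' -Value $bytes -Type Binary
    # The client only reads this at start-up, so restart it for the change to take effect.
    "EnableSkypeUI now reads: $(Get-LyncClientUI)"
}

# Usage: report the current state, force the Lync UI for a test, then switch back.
Get-LyncClientUI
Set-LyncClientUI -Mode Lync
Set-LyncClientUI -Mode Skype
```

Because this is a per-user HKCU value, it only changes the experience for the account that runs the script, and the server-side policy described in the next sections will still be applied at the next sign-in, which is why the post treats the registry edit as a testing aid only.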

Managing Office 365 Client Experience

If you are using Office 365 then one of the benefits of the service is that Microsoft keep your platform up to date for you so you can go right ahead and configure the server-side policy.

In order to connect to Lync Online via PowerShell, you need to have the Microsoft Online Services Sign-In Assistant installed, which you can obtain from and you will need to have the updated version of the Lync Online Connector Module installed in order to access the Skype for Business parameters. You can download the Lync Online Connector Module from If you have managed your Lync Online tenant from PowerShell before, you will already have the Sign-In Assistant, so just grab the updated Lync module.

With the two installed, you can download the file from Microsoft at This .zip file includes three PowerShell scripts.
DisableSkypeUIGlobal.ps1 will disable the Skype for Business UI for all of your users and force them to use the Lync UI.
EnableSkypeUIGlobal.ps1 will enable the Skype for Business UI for all users, who will be forced to use the Skype UI if they have the relevant updates installed.
EnableSkypeUIForUsers.ps1 will enable the Skype UI for a specific set of users. The script accepts pipeline input to the $users variable for your users.

If you run any of these scripts, you will be prompted to enter your Office 365 Global Administrator credentials to perform the operation. If you run the selective users script, you will need to provide the users in UPN format such as

Managing Lync Server On-Premise Client Experience

If you are using Lync Server in an on-premise or hosted environment, the work may potentially be a little more time-consuming. In order to access the Skype for Business parameters in the Lync PowerShell module, you must be running at least the December 2014 Cumulative Update for Lync Server 2013. You can obtain this update from and this update carries a version number of 5.0.8308.857 if you want to check your current versions.

If you don’t have this update installed then you are going to first need to plan the deployment of it throughout your Lync topology. If you are in a hosted environment, check with your service provider whether the update has been applied.

With the update applied, a new parameter is exposed on the CsClientPolicy cmdlets in PowerShell to configure the Skype for Business user experience.

Either from a Lync Server or from a client with the Lync PowerShell Module installed, you can use the following commands to configure the client experience.

To disable the Skype for Business experience for all users, enter the Cmdlet Set-CsClientPolicy -Identity Global -EnableSkypeUI $False. If you want to enable the experience for everyone then you can use the Cmdlet Set-CsClientPolicy -Identity Global -EnableSkypeUI $True.

If you want to configure the experience to be enabled only for a subset of users, such as a test group, you can apply the parameter to a specific client policy, for example Set-CsClientPolicy -Identity CustomPolicyName -EnableSkypeUI $True.
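The two cmdlets above set the parameter on a policy, but a per-user policy only takes effect once it is granted to users, which the post does not show. The following script is an added example and is not from the post or from Microsoft: it stages the Skype for Business UI for a pilot group while keeping the global policy on the Lync UI, then lists the result so a stray change to the global policy is easy to spot. The -EnableSkypeUI parameter and the Global identity are from the post; the policy name SkypeUIPilot and the user list are constructed for the example.

```powershell
# Added example (not from the post): roll the Skype for Business UI out to a
# pilot group on Lync Server 2013 (December 2014 CU or later) using the
# EnableSkypeUI parameter on the CsClientPolicy cmdlets described in the post.
# Run from the Lync Server Management Shell or a client with the Lync module.
Import-Module Lync

$PolicyName = 'SkypeUIPilot'                                       # constructed name for the example
$PilotUsers = @('user1@contoso.example', 'user2@contoso.example')  # constructed sample UPNs

# 1. Keep everyone on the classic Lync UI by default via the global policy.
Set-CsClientPolicy -Identity Global -EnableSkypeUI $False

# 2. Create the per-user client policy if it does not exist yet, then enable the Skype UI on it.
if (-not (Get-CsClientPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-CsClientPolicy -Identity $PolicyName | Out-Null
}
Set-CsClientPolicy -Identity $PolicyName -EnableSkypeUI $True

# 3. Grant the policy to the pilot users only; everyone else keeps the global policy.
foreach ($upn in $PilotUsers) {
    Grant-CsClientPolicy -Identity $upn -PolicyName $PolicyName
}

# 4. Verify: every client policy with its EnableSkypeUI value, and which users
#    have a per-user policy assigned rather than inheriting Global.
Get-CsClientPolicy | Select-Object Identity, EnableSkypeUI
Get-CsUser -Filter { ClientPolicy -ne $null } | Select-Object SipAddress, ClientPolicy
```

To end the pilot, grant the users a $null policy name with Grant-CsClientPolicy so they fall back to Global, and re-run the two verification commands; client policies are applied when the client signs in, so users may need to restart the client before they see the change.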

Access Office 365 with Azure ExpressRoute

Azure ExpressRoute, when it launched back in 2014, was for me one of the most exciting propositions in Azure: the ability to rapidly provision, scale and consume PaaS and IaaS resources in the Microsoft Cloud. However, it lacked one thing, and that was Office 365. Whilst many, many customers are adopting Office 365, for some people having that traffic routed out over their internet connection is seen as a security concern, and for others it’s a bandwidth problem they just don’t want to deal with.

Earlier this week, the Office Team posted a blog at announcing that Office 365 over Azure ExpressRoute is on the way, although sadly not until Q3 2015.

The wait aside, this is great news both for customers seeking the maximum performance for their Office 365 deployments and their on-premise users, and because it is another string in the public cloud productivity suite’s bow. I look forward to seeing it make it to the mainstream and seeing it in action.

Company Branding for Office 365 Apps

In the last two posts, I’ve explained and demonstrated the process for configuring customized branding for your Office 365 and Azure Active Directory login experience, to give users a company-branded experience when accessing Office 365 applications, and for extending that experience to international non-English users. Once the user is logged in, we want that consistent company branding identity to resume, so in this post I will cover just that: how to brand your Office 365 tenant portal and apps. Just to reiterate, this is free for all Office 365 tenants; you don’t need to be on a particular plan or SKU to access it.

To start, we need to log in to the Office 365 Admin Center as a Global Administrator. You can access the Admin Center at If you haven’t ever applied any branding to your Office 365 tenant, it will probably look something like the following image.

Office 365 Admin Center Home

The default branding uses a blue accent colour, which is used for the clickable App shortcut button in the top-left corner and to colour the page body text. The default header colour is black. To change the branding, click the Company Profile link in the left navigation bar in the portal. This takes you to the page where you configure your company name, address and so on. Once on this page, there is a link in the left navigation for Custom Theming, which you want to click.

Office 365 Admin Center Custom Theming

On the Custom Theming page, you can see there are several options for applying your branding to the portals and apps in Office 365. Custom Logo does what you would expect by allowing you to add your company logo to the pages. URL for Clickable Logo allows you to add a hyperlink to the company logo perhaps to direct people to your SharePoint Online intranet site or to your public website.

Background Image allows you to apply an image to the background of the header. If you use a gradient effect header or a patterned image on your public website,  you could apply this here to give a consistent look and feel across your internal and external facing portals.

To the right, we have options for Accent Colour, Nav Bar Background Colour, Text and Icons and App Menu Icon colours.

Accent Colour is the colour used for the app shortcut icon in the upper left corner of the Office 365 sites and apps and is also used to colour hyperlinks and buttons on the pages. Nav Bar Background Colour applies to the Nav Bar if you have not applied a background image, and applies to the whole bar except for the shortcut icon in the left corner. The Text and Icons colour applies to the title shown in the navigation bar along with the buttons in the upper right corner of the portal next to the user profile picture. Lastly, App Menu Icon applies to the tile-like icon used in the upper left shortcut. If you use a light accent colour then you may want to use the black option for this icon; otherwise the other option is white.

Office 365 Admin Center Custom Theming Applied

Once you have applied your colour and icon selections, click the Save button to apply the changes. The changes will be visible in the Admin Center straight away, but they will take a little time to appear in other Office 365 sites and apps. I had to wait about 15 minutes for my tenant sites and apps to reflect the changes.

One observation I made is the placement of the company logo in the navigation bar appears to be dead centre. To me this looks very odd and in other blogs and instructions I have seen online showing this process, their logos appear in the left corner. Suspecting it to be IE in Windows 10 Technical Preview at fault, I tried a Windows 8.1 machine using IE and Chrome with the same results. I’m not sure when this changed or why but needless to say, it looks odd to me so I’ve opted to remove the logo from my final implementation for my tenant but your results will vary.

Once you have given it some time for the changes to be applied across Office 365, here is how it looks in some of the user-facing sites.

Office 365 Calendar Themed

Office 365 OneDrive Business Themed

Language Support for Office 365 and AAD Login

In my previous post, Company Branding for Office 365 and AAD Login, I showed you the steps to implement a company-branded and customized login experience for Office 365 and Azure Active Directory. That post centred on the default branding settings, which for most organisations will probably be just fine, but if you have employees in non-English-speaking countries, or countries where English is a second language, you may want to provide them with a more regionalised experience using another language.

Luckily, Azure Active Directory lets us do this with ease. Firstly, you need to configure the default settings, so if you haven’t already, follow the steps in my previous post Company Branding for Office 365 and AAD Login to get that set up and working. Once you have it working and tested, you can head back to the Azure management portal at and log in as a user with the Global Administrator role.

Once logged in, go to the Active Directory section in the left navigation pane and select the same directory that you customized previously. Once you are viewing the directory, click the Configure tab at the top of the page and once again select the green Customize Branding button.

Last time, you were taken immediately into the Customize Default Branding settings however on this second occasion, you will be shown an option first.

AAD Customize Branding Specific Language

The portal asks whether you want to Edit Existing Branding Settings or Add Branding for a Specific Language. In this example, I want to add branding for my French users, so I select the Add Branding Settings for a Specific Language option and select France from the drop-down language selection. Once you have selected your language, you are prompted to provide the same logos and text as previously for the default branding.

This is especially useful if you have provided the Sign In Page Text as you will likely want to provide this text in a non-English language. It could also be useful if your company trades under a different name or uses a different logo in another region to identify your brand better for those customers.

You can repeat this process as many times as you like for as many languages as you need; however, it’s worth noting that because each language uses different images and text, if you ever need to update the logos and text, you will need to update them for each language you have specified and configured. You can use this same options page to come back and edit your customizations later by selecting the Edit Existing Branding Settings option, which is also where you can delete any customizations to return them to the Azure Active Directory defaults if you decide you no longer want to customize a specific language or the defaults at all.

Company Branding Office 365 and AAD Login

Last week, Microsoft announced via a blog post on the Office Blogs site at that they were moving the ability to add company branding to the Azure Active Directory and Office 365 login pages from the Azure Active Directory Basic and Premium tiers down into the Free tier making this feature available to everyone.

This is great news, as for a lot of customers Azure Active Directory Free provides all the service they are looking for, and being able to fit this into your corporate identity and branding makes users more comfortable that they are signing in to a company-authorised login portal.

In order to brand your corporate Azure Active Directory instance and your Office 365 login pages, log in to the Azure Management Portal as a user with the Global Administrator role. For now, this needs to be managed via the legacy Azure portal at Once you are logged into the portal, you need to head to the Active Directory node in the left navigation area.

Azure Portal

Once on the Active Directory page, select your Azure Active Directory instance. If you have more than one instance, select the instance which is responsible for the domains that you want to be branded with your corporate identity for Azure Active Directory and Office 365 sign-in.

Azure Portal AAD

On the properties for your Azure Active Directory instance, you will notice the green Customize Branding button, which you would not have seen in the portal previously if you are an Azure Active Directory Free customer. Click the button to open the branding and customization properties. Assuming this is the first time your settings have been customized, you will be taken to the Customize Default Branding properties.

AAD Customize Default Branding

The Banner Logo image is used on all of the various sign-in pages for Azure Active Directory and Office 365 and should contain your company logo. The Tile Logo provides a square Modern UI version of your logo. I have yet to actually find anywhere that this Tile Logo is used, so if you come across it, do let me know. In either case, the logos can be provided in .png or .jpeg format. I would highly recommend using an image minifier such as TinyPNG to compress your images without distortion, with a view to improving the load times of these pages.

Sign In Page Text is displayed on all login pages and is used as a legal disclaimer or login help message. You can use this to display help information to end-users, such as a service desk phone number, or to show a legal message matching your on-premise Windows server and client logon banner. This is entered as plain text and does not support HTML or other formatting such as hyperlinks.

Sign In Page Illustration allows you to provide a large image that is used prominently on the login pages for Azure Active Directory and Office 365 and it works in partnership with the Sign In Page Background Colour setting. The illustration takes either a .png or a .jpeg file to provide a rich client experience. The background colour is applied to the same container on the login page as the illustration and is used when the user is on a low bandwidth device.

Once you have entered all of the logos and text, click the tick button to save the changes. Once saved, give it a couple of minutes before testing to allow time for the Azure Active Directory instance to replicate throughout Azure and all of the login pages to be updated.

If you visit  you will see the generic login page, however once you enter your email address, the page will update to show your new branding.

AAD Default Login

AAD Branded Full Login

In the two images above, we can see the default login on the left and, once I enter my email address, the image on the right shows my branding. The default highway image has been replaced by my Seattle skyline image, and the Office 365 logo has been replaced by my corporate identity. If I were on a low-bandwidth device, then instead of the Seattle image this portion of the screen would be shown as a solid block of colour using the hexadecimal value I provided on the branding page. The banner message I provided is shown at the bottom of the page in the right third.

If you direct clients to the Office 365 or Azure Active Directory login page from internal sites or a link on your public website then you may be interested in updating those hyperlinks to use the Realm URL. The Realm URL is a query string added to the end of the default URL pre-warning the portal which domain you are going to log in to and as such, the portal is pre-branded meaning that your users will never see the default Office 365 branded page.

To use the Realm URL, you need to update your hyperlinks to replacing the domain name after the ?whr= query string with your own domain name.

AAD Branded Realm URL

As you can see in the image above, I have navigated to the Microsoft Online login page using my Realm URL and, without entering my email address to provide it with the domain identity for branding, the site is pre-branded for my company.

AAD Branded Compact Login  AAD Branded Mobile Login

In the two images above, you can see how the customized login page scales with the screen real estate. The left image shows a compressed width page on a client with a 4:3 standard aspect ratio. The right portion of the screen remains unchanged but the illustration image on the left is cropped. The crop to the image is applied to the right edge, so when choosing your illustration image, make sure any important parts of the image are on the left as this is the portion which will always be visible regardless of screen size.

The second of the images above shows a mobile device viewing the page. In this view port, the illustration is completely hidden and we see just the login boxes, the corporate banner logo and the message text.

I trust that you will all enjoy seeing a customized login page for your company and enjoy it even more knowing that it’s not freely available for all Azure Active Directory and Office 365 users.

Non-Published Office 365 Directory Sync with Azure ExpressRoute

In one of my recent sessions with a customer, the customer expressed an interest in protecting their communication between Office 365 and their on-premise environment for the purposes of making their directory synchronization server traffic invisible to the outside world. This got me thinking about Azure ExpressRoute which we know can provide very fast connectivity between your on-premise environments and Azure if you are using a supported MPLS network provider.

The customer in question is using Level 3 Networks as their carrier and Level 3 are on the supported carriers list for ExpressRoute on the ExpressRoute Technical Overview page at so I looked into it a little bit further as this was a really interesting proposition – to have Office 365 SaaS managed productivity with Exchange, SharePoint and Lync but to have all of the sync traffic privately routed over ExpressRoute so that you weren’t passing any of that data over the public network (albeit encrypted with HTTPS SSL).

When I looked further, I found that on the ExpressRoute FAQ page at it explicitly defines which Azure services are accessible over an ExpressRoute connection and Azure Active Directory (AAD) is not listed nor is anything in relation to Office 365.

Unfortunately, it seems that this isn’t possible right now, but it would be nice to see something added in the future to allow AAD to be accessed over ExpressRoute so that we can hide and conceal our ADFS or AADSync traffic, as this may well answer a security question that some more conscious customers have. The other reason this would be nice is that it means we can have our internal users accessing their mail and SharePoint via the ExpressRoute connection, so they will get a faster experience than over the company’s internet link. Right now however, the best use case for ExpressRoute in my opinion is Azure RemoteApp, allowing you to move some or all of the Remote Desktop Services terminal server farms that you may have to Azure and offload your RemoteApp applications to the cloud.

Deployment Scenarios for Office 365 and AAD Identity

In my previous post from yesterday on understanding Office 365 and AAD federated identity types, I talked about the two methods for allowing our users to sign in to the Microsoft cloud services with our on-premises identity using either DirSync, AADSync or FIM for same sign-on or using ADFS for single sign-on. Now that we understand the products at a high-level, I want to cover off some options for deployment scenarios and specifically, how we can leverage Microsoft Azure to host these services.

Customers are increasingly trying to cut the cord with their on-premise datacenters due to the high cost of running them and are looking for cheaper alternatives to run their services. Moving our email, collaboration and communication productivity tools to Office 365 is one way that we can work towards achieving that; however, in consuming these Office 365 services, we remove the need for on-premises Exchange, SharePoint and Lync servers but replace them with servers that synchronise our identities to the cloud or provide the authentication tokens. If these servers go down it could actually have a more detrimental effect than the loss of an on-premise Lync server, so we need to pay close attention.

On-Premise Deployments

DirSync, AADSync and FIM for Same Sign-On

If you have opted for a same sign-on deployment then, unless you have a specific need for FIM because you have a complex infrastructure, or you have already deployed FIM and want to leverage that existing investment, you will be deploying DirSync or AADSync. DirSync is the incumbent tool and AADSync is its replacement, although DirSync is still supported and will continue to be supported for a currently undefined period of time, so if you have already deployed DirSync then you don’t need to rush out and upgrade your servers to AADSync.

AADSync On-Premise

None of these products (DirSync, AADSync or FIM) supports clustering or high availability, which means you can deploy only one of them at a time. FIM can be sweet talked into working as a clustered product but the process is unsupported and documented by Damian Flynn at If you want to provide high availability for these applications then you will need to look outside the operating system and look to your hypervisor, assuming you are deploying them as virtual machines.

For DirSync and AADSync, the easiest thing to do will be to have a disaster recovery plan and a build document for the installation so that if your server melts, you can deploy a new one from a VM template in short order. If you were extra paranoid, you could have a VM deployed with the DirSync or AADSync binaries on the server ready to install (but not installed) so that if you had a failure you could simply run through the installer following your build document and be up and running in about 15 to 30 minutes.

For FIM, you definitely want a backup of this server because a) it’s not highly available and b) there are complex configurations going on here, and trying to re-create this from scratch, as we would likely do with DirSync and AADSync, wouldn’t be fun nor quick.

ADFS for Single Sign-On

As we know from my previous article, deploying ADFS is more involved and requires more moving parts; however, luckily, all of these parts can be clustered or load balanced accordingly. The exception to this is the DirSync or AADSync server that you deploy in addition to the ADFS servers to sync the users’ identities but not the password attribute to go with it.

ADFS On-Premise

ADFS Proxies which reside in your DMZ network segment are essentially web servers which can be load balanced. We only require Port 443 for HTTPS SSL pages to be made publicly accessible and we can use either Windows native NLB or we can use a hardware or software load balancer such as a Citrix Netscaler, KEMP Loadmaster or an A10 Thunder load balancer. As a side note of interest, Citrix and A10 both support integration into VMM so if you are using a Microsoft private cloud with Hyper-V and VMM in your on-premise network then these products can be easily integrated into your deployment approach for new servers.

ADFS servers live in your clean, corporate network and route requests between the proxies in your DMZ and the Active Directory domain controllers to retrieve the authorization for users. The ADFS servers use a Windows Internal Database (WID) as standard, which supports farms of up to five ADFS servers; if you need more than five servers, you will need a separate SQL Server for the database, which we can of course cluster.

Azure Deployment

DirSync, AADSync and FIM for Same Sign-On

As I mentioned earlier, companies are interested in cutting the cord with the on-premise datacenter, so moving things into the cloud where it is possible and makes sense helps us to achieve this and, more importantly, reduce the dependency on our internal facilities. With DirSync, AADSync and FIM deployments for same sign-on, we can really easily achieve this with Microsoft Azure.

AADSync Azure

The component that makes this design work is the Azure VPN, which provides site-to-site connectivity between your on-premises environment and Microsoft Azure. Once you have the Azure VPN configured and working and you have your virtual network segments configured in Microsoft Azure, we need to deploy an Active Directory Domain Controller into Azure using an IaaS VM. This will hold a replica of your Active Directory database from on-premise. We then deploy the DirSync, AADSync or FIM server on an IaaS VM in Azure.

By deploying the synchronisation VM in Azure along with the domain controller, the two servers are within the same AD Site which you will have created for Azure and will allow the synchronisation server to contact AD for the user data it needs and will allow it very fast access to the Azure Active Directory service to sync your objects to the cloud directory.

For high availability in this design, we can deploy multiple Domain Controllers into the Azure AD Site and we can use the Azure VPN service in a point-to-multi-point configuration so that two of your on-premise datacenters have an endpoint for the Azure VPN, so that we aren’t dependent on a single site for on-premise connectivity. Remember that with this same sign-on deployment, we can only have a single synchronisation server, so it is not possible to make this element highly available. When we deploy multiple Active Directory Domain Controllers into Azure, we need to make sure that these VMs go into an Availability Set together, which causes the Azure fabric to place these VMs on separate hosts and racks in the environment so that they are not affected by maintenance operations.

ADFS for Single Sign-On

Using Azure to deploy our ADFS for single sign-on deployment really is the way to showcase the power and ease with which we can deploy a complex solution with Microsoft Azure. The building block of this design is the same as that of the DirSync and AADSync design in that we start out with configuring Azure VPN in a point-to-point or point-to-multi-point connection to our on-premise environment and we then deploy multiple Active Directory Domain Controllers which provide our authentication source.

ADFS Azure

In deploying SSO with ADFS, we need to configure, deploy and test the ADFS environment before we deploy and configure the DirSync or AADSync server. I must attest to not fully understanding the reason for this but Microsoft recommend it so we do it. As you would do for an on-premise deployment, we deploy two ADFS Proxies which receive our incoming token requests and we deploy two ADFS Servers which do the back and forth between our ADFS Proxies and the AD Domain Controllers to authorize users.

As we did with our previous same sign-on design for a Microsoft Azure deployment, we need to make sure we place our IaaS VMs into Availability Sets however this time we have three sets: one for our Domain Controllers, one for the ADFS Proxies and one for the ADFS Servers.

With an on-premise deployment, we need to buy and configure a load-balancer to use with the multiple ADFS Proxy servers however in Azure we can simply use the Azure Load Balancer to quickly and easily achieve this.

With the ADFS for single sign-on deployment in Microsoft Azure, if having two VMs running for each service isn’t quite enough availability for you because you are concerned about the resiliency that Microsoft provide within a single Azure datacenter, you could take the deployment to another level and use two datacenters. Using two Microsoft Azure datacenters, we split the services provided by the deployment throughout the Azure environment and use the Azure Traffic Manager to provide Geolocation awareness for users and direct them to the most appropriate ADFS Proxy for authentication. If you are deploying ADFS for single sign-on in an organisation which has users throughout the globe then this could be an ideal deployment to achieve not only your high availability requirements for IT but also to improve the user experience by sending the user to the ADFS Proxy closest to them.

Cost Consideration

All of this talk of Azure deployments is very nice but we need to be aware of our costs. Deploying services on-premises has costs associated and these costs are often a lot higher than people realise because they don’t fully take into account every facet of the infrastructure. When you are costing up an on-premise VM you will likely include the cost of the SAN disk occupation or the percentage of a host it occupies and the cost of that virtualization host, but are you factoring in the amount of extra power that server will consume as a result of the extra CPU cycles, or the fraction of load that adds to your UPS or your network switches?

Implementing a simple deployment of DirSync or AADSync will be very cheap and I would challenge any enterprise to be able to do it themselves cheaper. A single datacenter deployment of ADFS for single sign-on will cost more to implement than same sign-on due to the increased number of servers and the addition of the Azure Load Balancer however that cost will double if you extend that to a dual Azure datacenter deployment not to mention the increased configuration complexity.

To conclude, make sure you consider the cost and complexity of what you are proposing to implement and make sure that what you plan to do is really what you need to do. If all your users are based in the UK then having that all singing, dual datacenter, multi-point Azure VPN deployment split across the UK and East Coast US with Geolocation Traffic Management probably isn’t what you really need, and you will be wasting resources in both the money to pay for it and the time and complexity to manage it.