A second look at Azure AD Connect Public Preview 2

Before viewing this post please refer back to my following articles if you require a base understanding of Microsoft Azure ADConnect and the features available.

  • I first posted on AADConnect and AADSync back in August last year.
  • I also presented on Cloud Identities at TechEd Melbourne and Sydney last year here.

This post will focus on what is new and what has changed.

As posted by Alex Simons (Azure AD Director), Microsoft Azure AD Connect Public Preview 2 was released earlier this year. I downloaded the Azure AD Connect Public Preview from here. I started the installer and was presented with the screen to install the services. Note: I could have specified a SQL Server if my domain was large enough to warrant it (Microsoft recommends this for over 50,000 users). I could specify a service account if that was a company requirement. I could also select import settings if I had a previous configuration that I wanted to apply to this ADSync server. I left all options unselected and selected Install.


The next option was to specify what I wanted to install, ADSync or SSO. I selected ADSync.


I then entered my Azure Global Admin credentials. The installer now creates and assigns a service account within Azure AD with the minimum permissions that it requires, which is a great improvement. I then entered my On-Premises credentials (this also creates a service account).


The following option allows for group-based filtering. I noted that you can only specify one group here, which may suit customers who do not wish to use OU-based filtering. Microsoft added this option with pilots and evaluations of Azure AD and Office 365 in mind. I selected ‘Synchronise all users and devices’.


Here I specify that a user is represented only once across all directories.


Here you can change your user attribute mappings. This may be required if you are using, for example, Shibboleth for SSO, or if you have some other customised requirements.


Optional features can be modified later, so don’t be overwhelmed by the amount of options.  You can re-run the wizard to make changes later if you need.

  • Exchange Hybrid: for an Exchange Hybrid migration to Office 365.
  • Azure AD attributes: if you only want to sync a smaller set of user attributes.
  • Password writeback: change a password in Azure AD and it writes back to on-premises AD and verifies the on-premises password policy.
  • User writeback: a user created in Azure AD is created in on-premises AD.
  • Group writeback: groups in Office 365 will be written back to your on-premises Exchange forest.
  • Device Sync: allows Windows 10 computers enrolled with Intune or directly with Azure AD to sync to on-premises AD (we are seeing the start of managing a Windows-as-a-Service subscription model). This is called ‘Cloud registered Devices’. NOTE: this requires a 2012 R2 schema.
  • Directory extension: use this if you want to sync a unique attribute to Azure AD, e.g. a custom Linux attribute or an Employee ID (currently limitations apply to certain values and characters).


The screenshot below is for Azure AD attributes. In my example I will not be using CRM, so I remove the syncing of those attributes.


Below we have the option to remove attributes from being synced. For example, an organisation may have extended its schema and used the extensionAttributes; if these contain sensitive information, the administrator can simply uncheck them so they are not synced.


Here we confirm which on-premises destination we want to use for user writeback. Select the Users OU. Note: you can add/merge many domains into the one Azure AD subscription, so a writeback destination is required.


Here I ticked the box to start a sync after install.


Here you can see I have run the miisclient and can see that 60 objects have been synced automatically.


Here we can easily see errors. My user account had an error because AD and AAD had the exact same display name of aaron.whittaker. For this test environment I will ignore this error.


Next, in Azure AD I create a new user called CloudUser1.


Back on my sync server I selected Connectors at the top, then selected my Azure AD connector and ran a ‘Full Synchronization’.


Below you can see the event for the CloudUser1 being synced to On-Premises.


Here we can verify that the user has been synced.  You can see I have applied an On-Premises group membership permission to a Cloud User.


To view my post on upgrading to AADConnect GA from Beta see my post here.

To get started refer to the following articles:

Post by Alex Simons

And follow these twitter handles:

@askariel  @Alex_A_Simons

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription.  If you don’t have a Microsoft Azure subscription you can take a trial here.

Aaron Whittaker



Road Testing Microsoft’s (Acompli) new Outlook app on iOS and Android

Outlook app on iOS and Android

Late last year Microsoft bought Acompli to bolster its mobile app offerings now ranging all main mobile platforms.

I thought I would install and test both on my Samsung Galaxy S4 and my iPhone 5s.

Outlook app on Android:

The current Android offering is rather limited compared to the iOS version. Connecting to on-premises Exchange, Office 365 and Yahoo all passed.

Default Inbox ‘Focused’ (unread emails) view.



Default Inbox ‘Other’ view.



Settings options.


Outlook app on iOS:

Connecting to on-premises Exchange, Office 365 and Yahoo all passed.

I was trying to get used to the Focused and Other views of my messages. To change these, go to Settings, Badge Count, All.


Email thread view. Note the coloured icons for people, e.g. AW = Aaron Whittaker. The default view shows the last email from the thread: “Will do in 25 mins”.


Great Calendar view from within the app.


Add your files through your choice of online storage accounts.


Again, the contacts show up with a coloured icon under People, also from within the same app.


iOS app settings options.


Having used both for a week now I can say that there are no issues with either, but the iOS version definitely has more features.  I found Outlook to be more customisable than the built-in mail apps or the Yahoo app in either platform (Android or iOS).  I like having the Mail, Calendar, Files and People buttons all within the one app.  Hopefully Microsoft will bring these missing features to Android with an update soon.


Additionally, just today there was the announcement that Microsoft bought the iOS and Android calendar vendor Sunrise for $100 million; definitely not the old Microsoft or climate that we were accustomed to. Perhaps this will replace the existing Acompli calendar?


*** Update 16/02/2015 – Any emails with an attachment sent from either application did not get delivered.


AaronW @aaronw2003

@MSAU Azure Active Directory password Write-Back is GA.

Alex and the Azure AD team have been hard at work for the last year creating AADConnect.  AD password write-back is now GA which is great news.

Generally available (GA) as of today (11-12-14):

  • Password write-back in Azure AD Sync: Users can now change their passwords in the cloud and have the change flow all the way back to your on-premises AD.
  • The Azure AD App Proxy: This proxy makes it easy to give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud without having to muck around with your DMZ.


Aaron @aaronw2003

Identity: Office 365 SMTP softmatch in action

Created by Aaron Whittaker.  Not to be reproduced without prior permission.

What do you do if you have ‘In Cloud’ identities that you wish to link to managed Active Directory user accounts? You can perform an SMTP soft match as described in this Microsoft article here.

Before we give this a go, let’s look at why you need to be a Domain Administrator and a Schema admin.

The installer affects these security groups:

  • Schema Admins
  • Enterprise Admins
  • Cert Publishers
  • Domain Admins
  • Account Operators
  • Print Operators
  • Administrators (domain local)
  • Server Operators
  • Backup Operators

DC: It installs an Active Directory group called MSOL_AD_Sync_RichCoexistence. Inside the group it adds a user that it creates called MSOL_XXXX. (I have two because I didn’t uninstall a previous DirSync install; the old one can be deleted.)
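The group list above is worth checking rather than taking on trust. The script below is an added example, not part of the original post: it lists every MSOL_* account (a second one usually means a leftover DirSync install, i.e. a forgotten privileged identity), reports any group membership beyond MSOL_AD_Sync_RichCoexistence and Domain Users, and counts the members of the built-in privileged groups named above. It assumes the ActiveDirectory (RSAT) module and a domain account with read access.

```powershell
# Added example (not from the original post): audit the DirSync / AADConnect service
# accounts and groups. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# 1. Every MSOL_* account that exists. More than one usually means a previous DirSync
#    install was never uninstalled; the stale account is a forgotten privileged identity.
$msolAccounts = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' `
                           -Properties Created, LastLogonDate, Enabled, Description
$msolAccounts | Sort-Object Created |
    Format-Table SamAccountName, Enabled, Created, LastLogonDate -AutoSize

# 2. Group membership of each MSOL_* account. The sync account itself should only be in
#    MSOL_AD_Sync_RichCoexistence (plus the primary group Domain Users); anything else is
#    a finding to follow up.
$expected = @('Domain Users', 'MSOL_AD_Sync_RichCoexistence')
function Test-MsolAccountMembership {
    param([Microsoft.ActiveDirectory.Management.ADUser]$Account)
    $groups     = Get-ADPrincipalGroupMembership -Identity $Account | Select-Object -ExpandProperty Name
    $unexpected = @($groups | Where-Object { $expected -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("{0} is a member of unexpected groups: {1}" -f $Account.SamAccountName, ($unexpected -join ', '))
    } else {
        Write-Output ("{0}: membership looks as expected" -f $Account.SamAccountName)
    }
}
foreach ($acct in $msolAccounts) { Test-MsolAccountMembership -Account $acct }

# 3. Who is in the RichCoexistence group, and how many members each privileged group
#    named in the post currently has (recursive, so nested groups are counted too).
Get-ADGroupMember -Identity 'MSOL_AD_Sync_RichCoexistence' | Format-Table Name, objectClass -AutoSize
foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins',
               'Account Operators', 'Server Operators', 'Backup Operators') {
    $count = (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | Measure-Object).Count
    Write-Output ("{0,-20} {1} member(s)" -f $g, $count)
}
```

Run it once after the install to record the baseline, and again after any upgrade or reinstall; a second MSOL_ account or an extra group on the sync account is the thing to look for.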


DirSync: To change the OU filters, open the miisclient, select Management Agents, right-click the Active Directory Connector, select Properties, Configure Directory Partitions, Containers, then replace the MSOL user account in the credential prompt with your own FIMAdmin credentials (this does not replace the MSOL account). You can see here that I have filtered out unnecessary OUs from my Active Directory syncing (only selecting the test OU).


Let’s look at my new ‘In Cloud’ user, Bruce Wayne, in Office 365.



Here you can see his email address of Bruce@bnehyperv.onmicrosoft.com.


DC: Back in Active Directory I have a new user. I want this Active Directory password and UPN to be the same in Office 365, linking the two accounts.


DC: After the user account is created, add the email address (the username/email address from Office 365) to the mail properties of the Active Directory user object (Exchange does not need to be installed and no schema extensions are required).


Now we are set up and ready for a sync.


DirSync: This error shouldn’t be ignored, as the sync did fail. There are two reasons a manual sync would fail: you turned the DirSync services off, or you are not in the FIMAdmins group. I also could not open the miisclient, as shown below.


DirSync: After adding my user to the FIMAdmins group and logging off and on again, I could proceed with the sync.


DirSync: Here you can see the successful ‘1 Add’, and you can drill down and see the synced user that was written (Bruce Wayne).


Now let’s check the user in Office 365.


We can see the user is now ‘Synced with Active Directory’. Bruce’s username and password are now exactly the same as on-premises (you may need to change your AD UPNs to a publicly routable domain name; I skipped this step in my lab).

This should be implemented with caution and after testing.  Doubling the identities in Office 365 would not be a good situation to be in.


“That’s great but my ‘In Cloud’ identities are completely different to my Active Directory user accounts.”

Let’s link 2 different user accounts together.  My new ‘In Cloud’ user is Able Alf.  He has an email address of able@bnehyperv.onmicrosoft.com.


I have added a new user called Barry Black.  I have added the email address able@bnehyperv.onmicrosoft.com to Barry’s Active Directory user account.


Here you can see Barry’s user account’s UPN. This is different to Able’s Office 365 UPN.


I started another sync.  Now you can see that the Office 365 user account has changed display names and password.  The username is the only thing that remains the same.  This can also be verified through PowerShell.
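The PowerShell verification mentioned above, and the pre-checks that stop a soft match going wrong, as an added example that is not code from the original post. It assumes the ActiveDirectory (RSAT) and MSOnline modules are installed; the address and display names are the ones used in this post, and the sAMAccountName barry.black is an assumption. Step 1 confirms the address maps to exactly one unsynced cloud user and to no other AD user (the doubled-identity situation warned about above comes from a second match), step 2 stamps the address on the on-premises user (the "add email" step), and step 3, run after the sync, checks that the cloud user's ImmutableId is the Base64 form of the AD objectGUID, which is what DirSync writes when the match succeeds.

```powershell
# Added example (not from the original post): prepare an on-premises user for an SMTP
# soft match and verify the link afterwards. Assumes the ActiveDirectory and MSOnline
# modules are installed. The address is the one from the post; barry.black is an assumed
# sAMAccountName. Change both for your own users.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService               # prompts for the Office 365 global admin credentials

$cloudAddress = 'able@bnehyperv.onmicrosoft.com'   # the 'In Cloud' user's address
$onPremSam    = 'barry.black'                      # assumed sAMAccountName of Barry Black

# Step 1: confirm the address matches exactly one cloud user that is not already synced,
# and is not already stamped on some other AD user. Soft match keys on the primary SMTP
# address, so a duplicate here is how you end up with doubled identities.
function Test-SoftMatchPrerequisites {
    param([string]$Address, [string]$SamAccountName)
    $cloud = @(Get-MsolUser -All | Where-Object {
        $_.ProxyAddresses -contains "SMTP:$Address" -or $_.UserPrincipalName -eq $Address })
    if ($cloud.Count -ne 1)        { throw "Expected one cloud user with $Address, found $($cloud.Count)" }
    if ($cloud[0].LastDirSyncTime) { throw "$($cloud[0].UserPrincipalName) is already synced; a soft match would not apply" }
    $ad     = @(Get-ADUser -Filter "mail -eq '$Address' -or proxyAddresses -eq 'SMTP:$Address'")
    $others = @($ad | Where-Object { $_.SamAccountName -ne $SamAccountName })
    if ($others.Count -gt 0) { throw "AD user(s) $($others.SamAccountName -join ', ') already carry $Address" }
    Write-Output "OK: $Address maps to cloud user $($cloud[0].UserPrincipalName) and no conflicting AD user"
}

# Step 2: stamp the address on the on-premises user (the 'add email' step in the post).
# Both mail and a primary SMTP: proxyAddress are set so either attribute produces the match.
function Set-SoftMatchAddress {
    param([string]$Address, [string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -EmailAddress $Address -Add @{ proxyAddresses = "SMTP:$Address" }
}

# Step 3: after DirSync has run, confirm the two accounts are linked. DirSync/AADConnect
# stamps ImmutableId with the Base64 form of the AD objectGUID, so the two must agree.
function Test-SoftMatchResult {
    param([string]$Address, [string]$SamAccountName)
    $adUser    = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    $expected  = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloudUser = Get-MsolUser -UserPrincipalName $Address    # the UPN is the one thing that does not change
    [pscustomobject]@{
        CloudUPN         = $cloudUser.UserPrincipalName
        CloudDisplayName = $cloudUser.DisplayName           # 'Barry Black' if the match worked
        LastDirSyncTime  = $cloudUser.LastDirSyncTime
        ImmutableId      = $cloudUser.ImmutableId
        ExpectedFromAD   = $expected
        Linked           = ($cloudUser.ImmutableId -eq $expected)
    }
}

Test-SoftMatchPrerequisites -Address $cloudAddress -SamAccountName $onPremSam
Set-SoftMatchAddress        -Address $cloudAddress -SamAccountName $onPremSam
# ... run the sync from the miisclient as described above, then:
Test-SoftMatchResult        -Address $cloudAddress -SamAccountName $onPremSam | Format-List
```

If Linked comes back False while LastDirSyncTime is set, the address matched a different on-premises object than you intended; compare ExpectedFromAD against the ImmutableId of every AD user carrying the address before running another sync.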



Any comments are welcome!


Azure and Office 365- One big ecosystem

Here is my recent article “Azure and Office 365- One big ecosystem” published in the @MSAU Microsoft TechNet newsletter.





How to Migrate a VM from one Azure Subscription to another

Created by Aaron Whittaker.  Not to be reproduced without prior permission.

In Azure on Tenant 1, power off the VM (this VM was not Sysprep’d or anything else).

Note endpoints, disks, VM size and any other settings.


Download and install Azure Management Studio

Connect to the 2 Azure subscriptions.

In Azure Management Studio Drag and drop the VHD to the new destination.  It says ‘Move’ but the original VHD stayed in my testing.


Back in Azure on Tenant 2, go to Virtual Machines, Disks, and select Create.

Give the disk(s) a name and select the VHD. Ensure that OS disks have the OS check box selected.


Create a new VM, select from Gallery, select “MY DISKS”, and create the VM as required.


I entered a new Username and Password, but the original credentials stayed on the VM (because I didn’t Sysprep the VM).

Attach any additional disks if required.  Ensure that you leave Host Cache Preference to NONE for these additional disks.

Power on the VM.

Download the RDP connection shortcut.

Log in.
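The same migration can be scripted with the classic (Service Management) Azure PowerShell module instead of Azure Management Studio. The script below is an added example, not part of the original post: it records the size, endpoints and disks of the VM in Tenant 1, deallocates it, copies each VHD blob to a storage account in Tenant 2 with a server-side blob copy and waits for completion, registers the copied VHDs as disks (OS flag only on the OS disk), and rebuilds the VM with Host Cache Preference None on the data disks, as recommended above. Every name in angle brackets is a placeholder: the subscription, cloud service, storage account, region and disk names are assumptions, not values from the post.

```powershell
# Added example (not from the original post): VM migration between subscriptions with the
# classic Azure PowerShell module. Everything in <angle brackets> is a placeholder.
Add-AzureAccount                                   # sign in once; both subscriptions are listed

# --- Tenant 1: record what you will need, then deallocate the VM so the VHDs are released.
Select-AzureSubscription -SubscriptionName '<Subscription1>'
$vm = Get-AzureVM -ServiceName '<cloudservice1>' -Name '<vmname>'
$vm.InstanceSize                                                                  # VM size
$vm | Get-AzureEndpoint | Format-Table Name, Protocol, LocalPort, Port -AutoSize  # endpoints
$osDisk    = $vm | Get-AzureOSDisk
$dataDisks = @($vm | Get-AzureDataDisk)
Stop-AzureVM -ServiceName '<cloudservice1>' -Name '<vmname>' -Force

$srcKey = (Get-AzureStorageKey -StorageAccountName '<storage1>').Primary
$srcCtx = New-AzureStorageContext -StorageAccountName '<storage1>' -StorageAccountKey $srcKey

# --- Tenant 2: copy every VHD blob across and wait for each copy to finish. The copy is
# server side, so the VHD never transits your workstation.
Select-AzureSubscription -SubscriptionName '<Subscription2>'
$dstKey = (Get-AzureStorageKey -StorageAccountName '<storage2>').Primary
$dstCtx = New-AzureStorageContext -StorageAccountName '<storage2>' -StorageAccountKey $dstKey

function Get-BlobName([uri]$MediaLink) { $MediaLink.Segments[-1] }   # last path segment is the .vhd file name

foreach ($d in @($osDisk) + $dataDisks) {
    $blob = Get-BlobName $d.MediaLink
    Start-AzureStorageBlobCopy -SrcContainer 'vhds' -SrcBlob $blob -Context $srcCtx `
                               -DestContainer 'vhds' -DestBlob $blob -DestContext $dstCtx
    Get-AzureStorageBlobCopyState -Container 'vhds' -Blob $blob -Context $dstCtx -WaitForComplete
}

# --- Register the copied VHDs as disks (-OS only on the OS disk) and rebuild the VM.
$base = 'https://<storage2>.blob.core.windows.net/vhds/'
Add-AzureDisk -DiskName '<vmname>-os' -MediaLocation ($base + (Get-BlobName $osDisk.MediaLink)) -OS Windows

$cfg = New-AzureVMConfig -Name '<vmname>' -InstanceSize $vm.InstanceSize -DiskName '<vmname>-os'
foreach ($d in $dataDisks) {
    $name = '<vmname>-data-' + $d.Lun
    Add-AzureDisk -DiskName $name -MediaLocation ($base + (Get-BlobName $d.MediaLink))   # no -OS: data disk
    # Host Cache Preference NONE for the additional disks, as the post recommends.
    $cfg = $cfg | Add-AzureDataDisk -Import -DiskName $name -LUN $d.Lun -HostCaching None
}
# Recreate the endpoints you noted above; RDP shown here.
$cfg = $cfg | Add-AzureEndpoint -Name 'RDP' -Protocol tcp -LocalPort 3389 -PublicPort 3389
New-AzureVM -ServiceName '<cloudservice2>' -Location '<region>' -VMs $cfg

# The original credentials remain on the disk because the VM was not Sysprep'd; download
# the RDP file and log in with them.
Get-AzureRemoteDesktopFile -ServiceName '<cloudservice2>' -Name '<vmname>' -LocalPath "$env:USERPROFILE\Desktop\<vmname>.rdp"
```

As with the drag-and-drop move, the source VHDs are left in place in Tenant 1; delete them there once the new VM has been verified, so a second bootable copy of the server is not sitting in a subscription you no longer manage.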

Using a Point-to-Site VPN

The following is the work of Aaron Whittaker and should not be reproduced without prior permission.


Do I need a bigger Laptop?

Customers want to use Azure.  There are many different use cases and scenarios.  The following would be a great solution where on premise does not need direct tunnel connectivity to Azure.  The more permanent option is a static Site to Site VPN utilising a hardware device.

E.g. developers utilising extra computing power, maintenance on web servers, IT guys that want to get by with a Surface2 and don’t need more than 4 GB of RAM.


  • CA or Windows SDK
  • Azure subscription, with a running VM to test

Cooking time 35 mins.



To establish a Point-to-Site VPN you first need to create some certs. You only need a private CA cert if you are running a domain. An even quicker way is to make the certs with makecert.exe, provided free in the Windows SDK.

# Root (self-signed) certificate, created in the current user's Personal (My) store.
# The original command had a dangling -eku with no OID and placed the root in the
# localmachine store, where the second command (-is My, current user) could not find it;
# both are corrected here so the client cert below can be issued from this root.
PS C:\Program Files (x86)\Windows Kits\8.1\bin\x86> .\makecert.exe -r -pe -n "CN=AzureCertName" -ss My -len 2048 -e 01/01/2016 AzureCertName.cer


# Client certificate, issued by the root above: -in names the root's CN and -is the store it is in.
PS C:\Program Files (x86)\Windows Kits\8.1\bin\x86> .\makecert.exe -n "CN=AzureCertName2" -pe -sky exchange -m 96 -ss My -in "AzureCertName" -is My -a sha1



Now run CertMgr.exe, which opens the current user’s certificates, including the ones you have just created. Go to Personal, Certificates.

Right-click AzureCertName2 (the client certificate), Export, and select YES to export the private key.


Select Next twice, enter a password (mandatory step), next, select a location to save and create PFX.

What have we done? This cert will now be installed on client PCs that need to connect to Azure with VPN.

It is recommended that you right-click and install it on the client PC, as this puts it in the correct location (current user).

Browse to Trusted Root Cert Auth, Certificates, right click Import PFX.


Now let’s get the cert for Azure. If you get confused about which cert is which: this one cannot be turned into a PFX, because you can’t export the private key. You can only make a CER, which is what Azure requires.

Run CertMgr.exe again to open the current user’s certificates. Go to Personal, Certificates.

Right-click AzureCertName, Export, and select NO to exporting the private key.


Select Next twice, select a location to save and create CER.
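Before uploading the CER and handing out the PFX, it is worth checking from PowerShell that the two certificates are what you think they are. The script below is an added example, not part of the original post: it uses the names AzureCertName (root) and AzureCertName2 (client) from above and assumes both were created in the current user's Personal store and that the PKI cmdlets (Windows 8 / Server 2012 or later) are available. It confirms the client cert was issued by the root and which of the two carries a private key, then exports the root's public half as the CER for Azure and the client cert with its key as the PFX.

```powershell
# Added example (not from the original post): verify the two makecert certificates and
# export the right file for each destination. Assumes the CN names used in the post and
# the Export-Certificate / Export-PfxCertificate cmdlets (Windows 8 / 2012 or later).
$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=AzureCertName' }
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=AzureCertName2' }

function Show-CertSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter          # makecert -e / -m set this; an expired client cert cannot connect
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
    }
}

foreach ($c in @($root, $client)) {
    if (-not $c) { throw 'One of the certificates is missing from Cert:\CurrentUser\My' }
    Show-CertSummary -Cert $c | Format-List
}

# The client cert must chain to the root: its Issuer is the root's Subject.
if ($client.Issuer -ne $root.Subject) {
    throw 'Client certificate was not issued by the root; re-run makecert with -in "AzureCertName"'
}

# Azure only needs the root's public half. Export-Certificate never writes a private key,
# so the .cer is safe to upload; the .pfx (with key) is the file that goes on the laptops.
Export-Certificate -Cert $root -FilePath "$env:USERPROFILE\Desktop\AzureCertName.cer" -Type CERT
$pw = Read-Host -AsSecureString -Prompt 'PFX password (mandatory, as in the wizard)'
Export-PfxCertificate -Cert $client -FilePath "$env:USERPROFILE\Desktop\AzureCertName2.pfx" -Password $pw
```

Keep the PFX password separate from the file when you distribute it; anyone holding the PFX and its password can bring up the VPN to the virtual network.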

We need to put the cert in our Azure Virtual Network.


Now log into Azure, Networks, New, and select Custom Create. Enter a name and select your affinity group.



Select the next arrow and enter your tenant’s DNS server if you have one; if not, this is not needed, as Azure will provide DNS for you. Check the box for Configure Point-to-Site VPN, then the next arrow twice.


Here you can add your local address space by selecting Add address space, then Next, and wait two minutes.

Here is the finished product and settings I required.


Next go to the Certificate tab.  Browse and upload your CER.  Here you can’t get it wrong as it won’t allow you to upload the PFX you also made.



Now go back to your virtual network dashboard; on the right, under Quick Glance, select Download client VPN package.


Once downloaded install it, if you get an error like I did simply select more information and force the install.

Then go to the bottom right and select the network icon, select the VPN (this network name is what you called your virtual network), and connect.


Now select connect


Are we connected yet? Yes


What can I do now?

RDP to the Azure VM and to a local server at the same time, and see the network configurations of my three different machines at once: DC2 (Azure), Win2012r2 (local Hyper-V host) and lenovo (my laptop).

See the screenshot below: access to two different networks at the same time, and yet my local laptop IP address does not change.


Do I need a bigger Laptop? No, I can do everything I need from a Surface2.

Here is the Azure article to follow, minus any screen shots. http://msdn.microsoft.com/en-us/library/windowsazure/dn133792.aspx

Thoughts and comments welcome.

Next time we will extend the Hyper-V datacentre to Azure.

Aaron @AaronW2003