Update on Microsoft Azure Data Center Locations

Updated 12-oct-2015
Microsoft has now a quality website about the current datacenter regions https://azure.microsoft.com/en-us/regions

In 2012 I’ve posted a blog post with a map of the Azure Datacenter Locations at that moment. A lot of changes has taken place since that time!

In this post an updated map, thanks to William Zack (Microsoft). With new datacenters in Brazil and Japan, and planned datacenters in Australia.




How To Integrate Microsoft Azure Active Directory to Authenticate SharePoint 2013 for External Users

A few days ago I was designing a new Extranet solution for one of our clients.

The customer had the following requirements for the extranet with regard to authentication of external users.

– Manage external users and groups is an easy to use interface

– Users can manage their passwords themselves

– 2-factor authentication

– No access to other resources

Our first idea was to implement external access using ADFS with the federated parties, although it will work great for other extranet scenario’s, it did not met all of our requirements.

The second idea was to use Azure with WAAD (Windows Azure Active Directory) and ACS (Access Control Services) to met our goals. The WAAD would provide identities for our environment, supports multifactor authentication and users can reset their passwords themselves!

Get Started

So lets gets started with our Proof-of-Concept! The first hit on google regarding this scenario is a great blog post from Steve Pescka (http://blogs.technet.com/b/speschka/archive/2013/05/10/integrating-sharepoint-2013-with-azure-active-directory-part-1-configuration.aspx). He wrote several blog items about this topics which was really supporting the configuration.


– Azure account (https://account.windowsazure.com/signup?offer=ms-azr-0044p to sign up)

– SharePoint 2013 Environment

Create Azure Active Directory

– Login to https://manage.windowsazure.com

– Go to Active Directory

– Press Add

– If you want to use an existing Azure Active Directory (like the one you use for Office 365), choose for Existing Directory. You will be asked to re-signin with an global administrator of the Office 365 tenant, after this process the Azure Active Directory is connected to you Azure account.

– For a new directory, fill in your directory details, if you want to use a custom domain you can add this afterwards.

– The Directory is ready to use. To use the features, password reset and groups you also need to Enable Active Directory Premium

– Click on Add a user

– Fill in the wizard and choose the role “Global Administrator”

– Download the Windows Azure Active Directory Shell

Create ACS Service in Azure

If you have already setup a ACS namespace you can skip this step.

– Go to https://manage.windowsazure.com

– Press New, and add a new Access Control namespace

– Fill in a name and region and proceed

– Your ACS namespace will now be created

Configure Identity Provider in ACS

Configure the WAAD as an identity provider in ACS

– Go to https://manage.windowsazure.com

– Go to Active Directory

– Go to Access Control Namespaces and select your newly created namespace

– Go to Manage

– Go to Trust relationshops > Identity Providers

– Click on Add Identity Provider

– Choose a WS Federation provider

– Fill in a Descriptive Name and use https://accounts.accesscontrol.windows.net/<waad-name>/FederationMetadata/2007-06/FederationMetadata.xml as WS metadata URL. Provide your own WAAD or use a more general approach to allow multiple WAAD’s to sign in to your SharePoint 2013 environment using the federation url https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml

Configure Relying Party Trust in ACS

Now we need to configure the on-premises SharePoint 2013 environment as the relying party

– Go to relying party applications

– Click on Add, choose to enter settings manually.

– Fill in a realm, in this example urn:sharepoint:acs, but it can be any realm (and take note of this, we need this later on)

– Select Token form SAML 1.1. (unfortunately SharePoint 2013 (and 2010) do not support SAML 2.0)

– Select the identity provider selected earlier

– Press Save

Configure Group Rules

Now we need to generate and configure the claim translation from the WAAD claim to an workable claim for SharePoint 2013.

– Go to Group Rules

– Click on Add, fill in a Group name “AAD Rules” and click Save

– Click on Generate

– Select the IdP created earlier and click Generate

– Select the Output claim UPN

– Set the input claim type to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name instead of upn, because this input claim is empty. The name claim will contain the upn.

– Set the output claim type to http://schemas.microsoft.com/ws/2008/05/identity/claims/upn , which will be accepted by the STS of SharePoint.

– Click on Save

Enabled Application for WAAD to authenticate

– Execute the following Powershell


$replyUrl = New-MsolServicePrincipalAddresses –Address “https://<youracs>.accesscontrol.windows.net/v2/wsfederation”

New-MsolServicePrincipal –ServicePrincipalNames @(“https://<youracs>.accesscontrol.windows.net/”) -DisplayName “Joran Markx Tenant” -Addresses $replyUrl


Configure SharePoint to use ACS

– Go to Development -> Application integration

– Copy and paste the WS-Federation Metadata into the internet browser

– Copy and paste the base64 code in EntityDescriptor>RoleDescriptor>KeyDescriptor>..>X509Certificate to a notepad and save as .cer file (Certificate)

– Open the certificate to check if it is working great! If it does not, please check if you copied the whole X509Certificate and the file is saved with ANSII.

– Copy the .cer to the SharePoint 2013 Server

Create and configure STS in SharePoint

Now we need to create a new Trusted Root Authority and configure the Trusted Identity Token Issues.

– Open the SharePoint Management Shell (as Administrator)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:aadcert.cer”)

New-SPTrustedRootAuthority -Name “ACS Token Signing Certificate” -Certificate $cert

$map = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$map3 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$map4 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” -IncomingClaimTypeDisplayName “GivenName” -SameAsIncoming

$map5 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname” -IncomingClaimTypeDisplayName “SurName” -SameAsIncoming

$map6 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/jobtitle” -IncomingClaimTypeDisplayName “JobTitle” -SameAsIncoming

$map7 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/office” -IncomingClaimTypeDisplayName “Office” -SameAsIncoming

$realm = “urn:sharepoint:acs”

$ap = New-SPTrustedIdentityTokenIssuer -Name “AAD” -Description “ACS” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5,$map6,$map7 -SignInUrl “https://litware.accesscontrol.windows.net:443/v2/wsfederation” -IdentifierClaim http://schemas.microsoft.com/ws/2008/05/identity/claims/upn

– Create or configure a webapplication in SharePoint with Claims Authentication and select the new TrustedIdentityToken Issuer

– Authorize add at least one user from the WAAD to the a site in the webapplication

– You’re ready to go!

Test the solution

– Fire up a browser and go to your SharePoint site

– Select AAD, you will not get this screen if you disable Windows Authentication (and have only one authentication provider)

– Then select one of the IdP in ACS, you will not see this screen if you only have one IdP configured.

– You will now get the Azure Active Directory Login screen

– After entering your username and password, you will be redirected to SharePoint 2013 and will be logged in!

Known issues

– People picker will not find people in the directory

Download SharePoint 2013 SP1 now! It has been released!

With the realase of Service pack 1 for SharePoint and all other Office products some new features are availlable!

New in SP1

  • Compatibility fixes for Windows 8.1 and Internet Explorer 11.
  • Better support for modern hardware, such as high DPI devices and the precision touchpad.
  • New apps for Office capabilities and APIs for developers.
  • Power Map for Excel, a 3D visualization tool for mapping, exploring, and interacting with geographical and temporal data in Excel, is now available to Office 365 ProPlus subscription customers. You can learn more about Power Map general availability on the Power BI Blog.
  • Improvements to the Click-to-Run virtualization technology that installs and updates Office 365 desktop applications.
  • SkyDrive Pro is now OneDrive for Business. You can now integrate OneDrive Office 365 with your Onpremise SharePoint 2013.
  •  Replace Newsfeed with Yammer, to use the best social collaboration tools for your organisation

Fixed in SP1

  • Metadata is lost when documents that use a custom content type with a “Description” field are opened for editing.
  • When an item is deleted, restored from recycle bin, and then deleted again, there is a primary key constraint error.
  • An error occurs when files are moved between document libraries and the web time zone is behind that of the server.
  • Metadata filtering at list level always lists all metadata terms.
  • The hyperlink popup window drops the selected word to be linked when there is a delay of more than one second in opening the window.
  • Multiple-column, SummaryLinkWebParts with a group heading style of “Separator” are rendered incorrectly.
  • A hash tag that contains a full width space does not get created successfully.
  • Search schema compression is now enabled by default to allow larger search schemas.
  • Highlighting for FQL queries is now enabled for FQL as well as KQL.
  • Opening a custom SharePoint list in datasheet view and applying multiple custom filters, where each filter has more than one condition, can result in an incomplete set of list items.
  • When the “Export to Excel” button is clicked in a SharePoint document library that has the Content Type field displayed, the Content Type field does not appear in the Excel workbook.
  • An error occurs after changing the “Manager” property in EditProfile.aspx page when the My Sites WebApp is not in the same farm as the UPA.
  • SharePoint REST API does not return a well-defined error response for a duplicate key exception.
  • Developers are unable to specify a Content Type ID when creating Content Types in the client object model.
  • On list views in SharePoint sites, the Connect to Outlook button in the ribbon may be erroneously disabled.
  • In some non-English languages of SharePoint, the text displayed in the callout UI for a document or list item, describing who last edited the item, may not be grammatically correct.
  • Copy and Paste in a datasheet does not work correctly with Internet Explorer 11.
  • Pages do not render in Safari for iPad when private browsing mode is used.
  • When editing rich text fields in SharePoint, if the editing session exceeds 30 minutes, the edits may not be saved.
  • An error that says “SCRIPT12004: An internal error occurred in the Microsoft Internet extensions” may occur intermittently when users visit their SkyDrive Pro or other pages on their personal site.
  • InfoPath may crash when a form that points to a SharePoint list, with a lookup to another SharePoint list, is opened.
  • An InfoPath form with extended characters in its name fails to open.
  • An error that says “Security Validation for the form has timed out” may occur when an InfoPath form is digitally signed and hosted in a SharePoint site collection that uses the SharePoint version 2010 user experience.
  • “Show document icon” remains unchecked and the document icon does not show in Edit Properties for a list item.
  • A “Failed tagging this page” error occurs when the “I like it” button is clicked.
  • The wrong term is removed when manually editing a multi-valued taxonomy field.
  • When tagging list items using a language that is different from the term store default language, suggestions for labels are offered in multiple languages. The suggestions appear confusing because both language
  • suggestions are listed without any identification of the language.
  • An error that says “There was an error processing this request” may appear when editing the user profile.
  • Times are missing from Date/Time results in certain filtered list web service calls.
  • Minimal and no metadata are now enabled as supported JSON formats.
  • Actions4 schema workflow actions can’t be deployed to SharePoint.
  • Using Client Object Model, Stream.Seek() to seek to a particular position doesn’t seek at the proper offset.
  • Refreshing a workflow status page generates the following error: “System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.”
  • Setting custom, non-English outcomes in web pages on tasks in a workflow fails to set the value.
  • Configurations of SharePoint using Azure Hybrid mode and Workflow Manager together can cause workflow callbacks to fail.
  • Workflow task processes on wiki pages won’t start.
  • Workflows won’t wait for changes to content approval status fields.
  • E-mails generated by workflow cannot be disabled for approvals in SharePoint workflows.
  • Workflows may fail to send an e-mail or send too many e-mails.
  • Association variables do not update correctly for auto-start workflows.
  • A KeyNotFoundException error may occur in a workflow when the associated task list uses unique permissions.
  • Incomplete tasks are deleted when workflow task activities complete.
  • Task activity is suspended when the task is completed using app-only credentials.
  • An error that says “This task could not be updated at this time” occurs when trying to complete a workflow task using the “Open this task” button in Outlook.
  • A workflow doesn’t respond properly when waiting for changes in specific types of list columns, such as Boolean, Date Time, and User.

Check here for the KB and download

Change Error Report Email Destination for DirSync

For several customers we have configured the Directory Synchronization for Offcice365.

In most situations DirSync reports some Active Directory issues during synchronization, which is delivered by e-mail.

Although most error report and notification are sent to the Global Administrators, the DirSync error will only be delivered to the Technical Contact email address. To configure the technical contact for your tenant you can perform the following steps.

1. Open the Office365 Management Portal

2. Click on the name of your Company (in the upper right for O365 new-style, in the upper left for O365 old-style)

3. Update the technical contant e-mail address and press Save

Convert-MsolDomainToFederated in Office365 returns the error Service not available

While configuring ADFS 2.0 for Office365 we experienced an issue converting the domain to federated.

PS C:\> Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
Convert-MsolDomainToFederated : Service not available
At line:1 char:30
+ Convert-MsolDomainToFederated <<<< -DomainName contoso.com -SupportMultipleDomain
+ CategoryInfo : InvalidOperation: (:) [Convert-MsolDomainToFederated], FederationException
+ FullyQualifiedErrorId : InternalError,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated

Unfortunately googling (or bing-in) does not give a direct hit, so we have contact MS Support to help us out!


Reported cause
The Default password policy was modified.
The Default Password policy is “ValidityPeriod 90 -NotificationDays 14”
Customer had the PasswordValidityPeriod set to 730

Issue resolution

Change the password policy back to default by executing the following Powershell command

Start the Windows Azure Active Directory PowerShell module.
To do this, click Start, point to All Programs, click Microsoft Online Services, right-click Windows Azure Active Directory PowerShell module, and then click Run as administrator.

$cred = Get-Credential
Connect-MsolService –Credential $cred
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName contoso.com

#after this, the convert MSOLDomainToFederated works perfectly!
Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain

Hopefully it works for you!

How to Migrate Virtual Machine to Windows Azure

To migrate a virtual machine to Windows Azure from you on-premise datacenter you don’t need CSUpload anymore. With the new Windows Azure SDK there is a new cmdlet available to upload your local VHD’s to Windows Azure using Powershell.

Add-AzureVhd -LocalFilePath $sourceosvhd -Destination $destosvhd 

A complete example script can be found here

Signs of Office 365 Preview ( 2013 ) getting to General Availability (GA)

Today I’ve noticed a slight change in our Office 365 Preview which seems to be a preparation step of Microsoft to get ready for general availability (release) of Office 365 version 2013.

In the top left corner we were used to see , but from the 23th January we have

It looks like we are moving from preview to production.

Although Outlook Web App and management portal still shows Office 365 Preview