How To Integrate Microsoft Azure Active Directory to Authenticate SharePoint 2013 for External Users

A few days ago I was designing a new Extranet solution for one of our clients.

The customer had the following requirements for the extranet with regard to authentication of external users.

– Manage external users and groups is an easy to use interface

– Users can manage their passwords themselves

– 2-factor authentication

– No access to other resources

Our first idea was to implement external access using ADFS with the federated parties, although it will work great for other extranet scenario’s, it did not met all of our requirements.

The second idea was to use Azure with WAAD (Windows Azure Active Directory) and ACS (Access Control Services) to met our goals. The WAAD would provide identities for our environment, supports multifactor authentication and users can reset their passwords themselves!

Get Started

So lets gets started with our Proof-of-Concept! The first hit on google regarding this scenario is a great blog post from Steve Pescka ( He wrote several blog items about this topics which was really supporting the configuration.


– Azure account ( to sign up)

– SharePoint 2013 Environment

Create Azure Active Directory

– Login to

– Go to Active Directory

– Press Add

– If you want to use an existing Azure Active Directory (like the one you use for Office 365), choose for Existing Directory. You will be asked to re-signin with an global administrator of the Office 365 tenant, after this process the Azure Active Directory is connected to you Azure account.

– For a new directory, fill in your directory details, if you want to use a custom domain you can add this afterwards.

– The Directory is ready to use. To use the features, password reset and groups you also need to Enable Active Directory Premium

– Click on Add a user

– Fill in the wizard and choose the role “Global Administrator”

– Download the Windows Azure Active Directory Shell

Create ACS Service in Azure

If you have already setup a ACS namespace you can skip this step.

– Go to

– Press New, and add a new Access Control namespace

– Fill in a name and region and proceed

– Your ACS namespace will now be created

Configure Identity Provider in ACS

Configure the WAAD as an identity provider in ACS

– Go to

– Go to Active Directory

– Go to Access Control Namespaces and select your newly created namespace

– Go to Manage

– Go to Trust relationshops > Identity Providers

– Click on Add Identity Provider

– Choose a WS Federation provider

– Fill in a Descriptive Name and use<waad-name>/FederationMetadata/2007-06/FederationMetadata.xml as WS metadata URL. Provide your own WAAD or use a more general approach to allow multiple WAAD’s to sign in to your SharePoint 2013 environment using the federation url

Configure Relying Party Trust in ACS

Now we need to configure the on-premises SharePoint 2013 environment as the relying party

– Go to relying party applications

– Click on Add, choose to enter settings manually.

– Fill in a realm, in this example urn:sharepoint:acs, but it can be any realm (and take note of this, we need this later on)

– Select Token form SAML 1.1. (unfortunately SharePoint 2013 (and 2010) do not support SAML 2.0)

– Select the identity provider selected earlier

– Press Save

Configure Group Rules

Now we need to generate and configure the claim translation from the WAAD claim to an workable claim for SharePoint 2013.

– Go to Group Rules

– Click on Add, fill in a Group name “AAD Rules” and click Save

– Click on Generate

– Select the IdP created earlier and click Generate

– Select the Output claim UPN

– Set the input claim type to instead of upn, because this input claim is empty. The name claim will contain the upn.

– Set the output claim type to , which will be accepted by the STS of SharePoint.

– Click on Save

Enabled Application for WAAD to authenticate

– Execute the following Powershell


$replyUrl = New-MsolServicePrincipalAddresses –Address “https://<youracs>”

New-MsolServicePrincipal –ServicePrincipalNames @(“https://<youracs>”) -DisplayName “Joran Markx Tenant” -Addresses $replyUrl


Configure SharePoint to use ACS

– Go to Development -> Application integration

– Copy and paste the WS-Federation Metadata into the internet browser

– Copy and paste the base64 code in EntityDescriptor>RoleDescriptor>KeyDescriptor>..>X509Certificate to a notepad and save as .cer file (Certificate)

– Open the certificate to check if it is working great! If it does not, please check if you copied the whole X509Certificate and the file is saved with ANSII.

– Copy the .cer to the SharePoint 2013 Server

Create and configure STS in SharePoint

Now we need to create a new Trusted Root Authority and configure the Trusted Identity Token Issues.

– Open the SharePoint Management Shell (as Administrator)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:aadcert.cer”)

New-SPTrustedRootAuthority -Name “ACS Token Signing Certificate” -Certificate $cert

$map = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$map3 = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$map4 = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “GivenName” -SameAsIncoming

$map5 = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “SurName” -SameAsIncoming

$map6 = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “JobTitle” -SameAsIncoming

$map7 = New-SPClaimTypeMapping -IncomingClaimType “” -IncomingClaimTypeDisplayName “Office” -SameAsIncoming

$realm = “urn:sharepoint:acs”

$ap = New-SPTrustedIdentityTokenIssuer -Name “AAD” -Description “ACS” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5,$map6,$map7 -SignInUrl “” -IdentifierClaim

– Create or configure a webapplication in SharePoint with Claims Authentication and select the new TrustedIdentityToken Issuer

– Authorize add at least one user from the WAAD to the a site in the webapplication

– You’re ready to go!

Test the solution

– Fire up a browser and go to your SharePoint site

– Select AAD, you will not get this screen if you disable Windows Authentication (and have only one authentication provider)

– Then select one of the IdP in ACS, you will not see this screen if you only have one IdP configured.

– You will now get the Azure Active Directory Login screen

– After entering your username and password, you will be redirected to SharePoint 2013 and will be logged in!

Known issues

– People picker will not find people in the directory


Download SharePoint 2013 SP1 now! It has been released!

With the realase of Service pack 1 for SharePoint and all other Office products some new features are availlable!

New in SP1

  • Compatibility fixes for Windows 8.1 and Internet Explorer 11.
  • Better support for modern hardware, such as high DPI devices and the precision touchpad.
  • New apps for Office capabilities and APIs for developers.
  • Power Map for Excel, a 3D visualization tool for mapping, exploring, and interacting with geographical and temporal data in Excel, is now available to Office 365 ProPlus subscription customers. You can learn more about Power Map general availability on the Power BI Blog.
  • Improvements to the Click-to-Run virtualization technology that installs and updates Office 365 desktop applications.
  • SkyDrive Pro is now OneDrive for Business. You can now integrate OneDrive Office 365 with your Onpremise SharePoint 2013.
  •  Replace Newsfeed with Yammer, to use the best social collaboration tools for your organisation

Fixed in SP1

  • Metadata is lost when documents that use a custom content type with a “Description” field are opened for editing.
  • When an item is deleted, restored from recycle bin, and then deleted again, there is a primary key constraint error.
  • An error occurs when files are moved between document libraries and the web time zone is behind that of the server.
  • Metadata filtering at list level always lists all metadata terms.
  • The hyperlink popup window drops the selected word to be linked when there is a delay of more than one second in opening the window.
  • Multiple-column, SummaryLinkWebParts with a group heading style of “Separator” are rendered incorrectly.
  • A hash tag that contains a full width space does not get created successfully.
  • Search schema compression is now enabled by default to allow larger search schemas.
  • Highlighting for FQL queries is now enabled for FQL as well as KQL.
  • Opening a custom SharePoint list in datasheet view and applying multiple custom filters, where each filter has more than one condition, can result in an incomplete set of list items.
  • When the “Export to Excel” button is clicked in a SharePoint document library that has the Content Type field displayed, the Content Type field does not appear in the Excel workbook.
  • An error occurs after changing the “Manager” property in EditProfile.aspx page when the My Sites WebApp is not in the same farm as the UPA.
  • SharePoint REST API does not return a well-defined error response for a duplicate key exception.
  • Developers are unable to specify a Content Type ID when creating Content Types in the client object model.
  • On list views in SharePoint sites, the Connect to Outlook button in the ribbon may be erroneously disabled.
  • In some non-English languages of SharePoint, the text displayed in the callout UI for a document or list item, describing who last edited the item, may not be grammatically correct.
  • Copy and Paste in a datasheet does not work correctly with Internet Explorer 11.
  • Pages do not render in Safari for iPad when private browsing mode is used.
  • When editing rich text fields in SharePoint, if the editing session exceeds 30 minutes, the edits may not be saved.
  • An error that says “SCRIPT12004: An internal error occurred in the Microsoft Internet extensions” may occur intermittently when users visit their SkyDrive Pro or other pages on their personal site.
  • InfoPath may crash when a form that points to a SharePoint list, with a lookup to another SharePoint list, is opened.
  • An InfoPath form with extended characters in its name fails to open.
  • An error that says “Security Validation for the form has timed out” may occur when an InfoPath form is digitally signed and hosted in a SharePoint site collection that uses the SharePoint version 2010 user experience.
  • “Show document icon” remains unchecked and the document icon does not show in Edit Properties for a list item.
  • A “Failed tagging this page” error occurs when the “I like it” button is clicked.
  • The wrong term is removed when manually editing a multi-valued taxonomy field.
  • When tagging list items using a language that is different from the term store default language, suggestions for labels are offered in multiple languages. The suggestions appear confusing because both language
  • suggestions are listed without any identification of the language.
  • An error that says “There was an error processing this request” may appear when editing the user profile.
  • Times are missing from Date/Time results in certain filtered list web service calls.
  • Minimal and no metadata are now enabled as supported JSON formats.
  • Actions4 schema workflow actions can’t be deployed to SharePoint.
  • Using Client Object Model, Stream.Seek() to seek to a particular position doesn’t seek at the proper offset.
  • Refreshing a workflow status page generates the following error: “System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.”
  • Setting custom, non-English outcomes in web pages on tasks in a workflow fails to set the value.
  • Configurations of SharePoint using Azure Hybrid mode and Workflow Manager together can cause workflow callbacks to fail.
  • Workflow task processes on wiki pages won’t start.
  • Workflows won’t wait for changes to content approval status fields.
  • E-mails generated by workflow cannot be disabled for approvals in SharePoint workflows.
  • Workflows may fail to send an e-mail or send too many e-mails.
  • Association variables do not update correctly for auto-start workflows.
  • A KeyNotFoundException error may occur in a workflow when the associated task list uses unique permissions.
  • Incomplete tasks are deleted when workflow task activities complete.
  • Task activity is suspended when the task is completed using app-only credentials.
  • An error that says “This task could not be updated at this time” occurs when trying to complete a workflow task using the “Open this task” button in Outlook.
  • A workflow doesn’t respond properly when waiting for changes in specific types of list columns, such as Boolean, Date Time, and User.

Check here for the KB and download

Show Upcomming Birthdays Based on SharePoint 2013 User Profiles with Search (Office 365)

A lot of customers like to have some kind of anniversary webpart on their corporate intranet. In SharePoint 2013 and Office365 you can provide this functionality using the SharePoint User Profile and Search (and some Javascript).


In the SharePoint User Profile, users are able to provide their birthday by default. These values are automaticly crawled but you will not be able to apply filters using search. In this blog post I will describe the configuration steps for Office365.

> Go to the Site Settings -> Site Collection Administration -> Search Schema (you can also configure this in the SharePoint Admin level)
> Search for RefinableDate00, Edit the mapping (for SharePoint Onpremise, you are able to add a new one with type Date)
> Give it an alias like Birthday01
> Add “People:SPS-Birthday” as crawled field mapping


> Be sure you have some people filled in their birthday on their profile
> You are done, o365 will need to wait at most 1 week (yes, you are reading it right). Full crawls are now performed once a week, if you need it by tomorrow you can submit a support ticket to MS support, they will initiate a full crawl on request. Onpremise users just fire off a full crawl.

To test if your managed property is working you can perform a query to your search center.>”01-01-2000&#8243;

Our prerequisities are met, and we are able to query for a birthday. So why should we need any code…
As you can see in the “test” query above, we are using the year 2000 to query, this is not just a coincidence. SharePoint stores the Date no Year fields using the year 2000, and SharePoint Online is not different on this one. Unfortunately this makes our Search Results webpart unusefull because you can only use keywords like today-5, yesterday, last week, last month and last year.

The javascript below will perform a restcall to the search service to retrieve the birthdays which are in range (30 days in this example).

(note: jquery is required)

<div id="resultsDiv"></div>
<script type="text/javascript">// <![CDATA[
$(document).ready(function () {
    var e = ExecuteOrDelayUntilScriptLoaded(executeQuery(), "sp.js");

	this.setDate(this.getDate() + days);
	return this;

function executeQuery() {

    Results = {
        element: '',
        url: '',

        init: function (element) {
            Results.element = element;

	    var birthday = 'Birthday01';
	    var space = '%20'; var colon = '%3A'; var quote = '%22'; var gt = '%3E'; var lt = '%3C'; var amp = '&';

            // Get current date
            var currentTime = new Date();
	    var startMonth = currentTime.getMonth()+1;
	    var day = currentTime.getDate();

            // Get current date + 30
	    var endTime = new Date();
            var endTime = currentTime.AddDays(30);
	    var endMonth = endTime.getMonth()+1;
            var endDay = endTime.getDate();

            var querytext = "";

	    // build query with the magic 2000 year
		querytext += birthday + gt + quote + day + '-' + startMonth + '-' + '2000' + quote + space + 'AND' + space + birthday + lt + quote + endDay + '-' + endMonth + '-' + '2000' + quote;
		querytext += birthday + gt + quote + day + '-' + startMonth + '-' + '2000' + quote + space + 'OR' + space + birthday + lt + quote + endDay + '-' + endMonth + '-' + '2000' + quote;
            Results.url = _spPageContextInfo.webAbsoluteUrl + "/_api/search/query?querytext=%27" + querytext + "%27&sourceid=%27B09A7990-05EA-4AF9-81EF-EDFAB16C4E31%27&selectproperties=%27Title,"+ birthday +",Path%27&sortlist=%27"+ birthday +":ascending%27";

        load: function () {
                        url: Results.url,
                        method: "GET",
                        headers: {
                           "accept": "application/json; odata=verbose",
                        success: Results.onSuccess,
                        error: Results.onError

        onSuccess: function (data) {
            var results = data.d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results;
	    var months = [ "januari", "februari", "maart", "april", "mei", "june", "juli", "augustus", "september", "oktober", "november", "december" ];
            var html = "<div class='birthday'>";

            for (var i = 0; i < results.length; i++) {
		var name = results[i].Cells.results[2].Value;
		var date = new Date(Date.parse(results[i].Cells.results[3].Value));
                var link = results[i].Cells.results[4].Value

                html += "<span>";
                html += "<a href='"+link+"'>" + name + "</a>";
                html += " "
                html += date.getDate() + " "+ months[date.getMonth()];
                html += " ";

	    if (results.length == 0)
              html += "Er zijn geen verjaardagen (bekend).";

            html += "</div>";

        onError: function (err) {



// ]]></script>

How to Apply a Custom Web Template Using JSOM (Javascript SharePoint Object Model)

When you’re creating a SPWeb from JSOM and want to apply a webtemplate, you would probably want to use the method Web.ApplyWebTemplate. Unfortunately this method is not really helpful in the Javascript Object Model because the provisioning of the SPWeb allready applies a template (by default) and applying a template is not applicable anymore. Even if you leave the WebTemplate empty or null in the WebCreationInformation object.

The good news is the solution is really simple. To apply your custom webtemplate you can just use the {FEATUREID}#WebTemplateName in the WebCreationInformation Object.

function onQuerySucceeded(sender, args) {
  alert('Title: ' + this.oNewWebsite.get_title() + ' Decription: ' + this.oNewWebsite.get_description());

function onQueryFailed(sender, args) {
  alert('request failed ' + args.get_message() + '\n' + args.get_stackTrace());

function createWebSite() {
  var webDescription = 'A new site from custom web template';
  var webLanguage = 1043;
  var webTitle = 'Test Web Site';
  var webUrl = 'testwebsite';
  var webPermissions = false;
  // Just insert your reference to your feature and webtemplate here
  var webTemplate = '{4a110786-9683-4734-97ca-f2eca95ca377}#WTProject';
  var siteUrl = '/sites/pr01';
  var clientContext = new SP.ClientContext(siteUrl);
  this.oWebsite = clientContext.get_web();
  var webCreateInfo = new SP.WebCreationInformation();
  this.oNewWebsite = this.oWebsite.get_webs().add(webCreateInfo);
  // This is not working, because a webtemplate is applied by default.
  // this.oNewWebsite.applyWebTemplate("{4a110786-9683-4734-97ca-f2eca95ca377}#WTProject");
  clientContext.executeQueryAsync(Function.createDelegate(this, this.onQuerySucceeded), Function.createDelegate(this, this.onQueryFailed));
SP.SOD.executeFunc('core.js', 'SP.ClientContext', createWebSite);

Change Error Report Email Destination for DirSync

For several customers we have configured the Directory Synchronization for Offcice365.

In most situations DirSync reports some Active Directory issues during synchronization, which is delivered by e-mail.

Although most error report and notification are sent to the Global Administrators, the DirSync error will only be delivered to the Technical Contact email address. To configure the technical contact for your tenant you can perform the following steps.

1. Open the Office365 Management Portal

2. Click on the name of your Company (in the upper right for O365 new-style, in the upper left for O365 old-style)

3. Update the technical contant e-mail address and press Save

Convert-MsolDomainToFederated in Office365 returns the error Service not available

While configuring ADFS 2.0 for Office365 we experienced an issue converting the domain to federated.

PS C:\> Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain
Convert-MsolDomainToFederated : Service not available
At line:1 char:30
+ Convert-MsolDomainToFederated <<<< -DomainName -SupportMultipleDomain
+ CategoryInfo : InvalidOperation: (:) [Convert-MsolDomainToFederated], FederationException
+ FullyQualifiedErrorId : InternalError,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated

Unfortunately googling (or bing-in) does not give a direct hit, so we have contact MS Support to help us out!


Reported cause
The Default password policy was modified.
The Default Password policy is “ValidityPeriod 90 -NotificationDays 14”
Customer had the PasswordValidityPeriod set to 730

Issue resolution

Change the password policy back to default by executing the following Powershell command

Start the Windows Azure Active Directory PowerShell module.
To do this, click Start, point to All Programs, click Microsoft Online Services, right-click Windows Azure Active Directory PowerShell module, and then click Run as administrator.

$cred = Get-Credential
Connect-MsolService –Credential $cred
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName

#after this, the convert MSOLDomainToFederated works perfectly!
Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain

Hopefully it works for you!

How to Migrate Virtual Machine to Windows Azure

To migrate a virtual machine to Windows Azure from you on-premise datacenter you don’t need CSUpload anymore. With the new Windows Azure SDK there is a new cmdlet available to upload your local VHD’s to Windows Azure using Powershell.

Add-AzureVhd -LocalFilePath $sourceosvhd -Destination $destosvhd 

A complete example script can be found here