Configuring Office 365 Preferred Language Settings

Introduction

Office 365 empowers organizations to use cloud-based services for their business, ensuring anytime, anywhere access to corporate information. When you set up an Office 365 tenant for an organization with offices in different regions, you also need to let your end users choose their own preferred language in Office 365. For example, a user in Japan will prefer to use the Office 365 portal in Japanese rather than English. In Office 365 the way you set a user's language depends on how you provision identities, and you can update the setting easily with PowerShell. If you have cloud-based identities, you use Azure AD PowerShell to modify the user account properties in Office 365. If you use Azure AD Connect to sync on-premises Active Directory accounts with Office 365, you have to update the attribute in the local Active Directory instead.

Configuring Office 365 Preferred Language Settings for Cloud Identities

Configuring Office 365 language settings for cloud-based identities requires you to connect to Azure AD PowerShell. Perform the following steps to configure these settings.

  • Connect to Azure AD PowerShell using global admin credentials

PS C:\> Connect-MsolService


  • Run the following cmdlet to set the preferred language of the user pgarcia@msexperttalk.com to Urdu

PS C:\> Set-MsolUser -UserPrincipalName pgarcia@msexperttalk.com -PreferredLanguage "ur-PK"

  • To verify the language settings for the user account, run the following PS cmdlet

PS C:\> Get-MsolUser -UserPrincipalName pgarcia@msexperttalk.com | fl PreferredLanguage


Configuring Office 365 Preferred Language Settings for Synced Identities

When you are using synced identities with Office 365, you need to modify the on-premises user attribute in Active Directory to set the preferred language in Office 365. To change the Office 365 preferred language to Urdu for the user Phil, you set the "PreferredLanguage" attribute in the user account properties in Active Directory. By default this attribute has no value, and the user gets English as the default language.

  • To modify the individual user account properties, you can run the following PowerShell cmdlet.

# Set-ADUser does not accept a UPN as the identity, so look the account up by UPN first
Get-ADUser -Filter "UserPrincipalName -eq 'pgarcia@msexperttalk.com'" | Set-ADUser -Replace @{'PreferredLanguage'='ur-PK'}

  • To update the preferred language attribute in a specific OU, run the following cmdlet.

Get-ADUser -SearchBase "OU=Test,OU=IT,DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | ForEach-Object {Set-ADUser $_.SAMAccountName -Replace @{PreferredLanguage='ur-PK'}}

  • To update the preferred language attribute of users in a specific domain, run the following cmdlets. They set the attribute only for users who do not have it set yet.

Set-AdServerSettings -RecipientViewRoot "msexperttalk.com"
# Change language to ur-PK for all users with a setting of NULL in the msexperttalk.com domain
Get-ADUser -SearchBase "DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | Where-Object {$_.PreferredLanguage -eq $null} | Select-Object SAMAccountName | ForEach-Object {Set-ADUser $_.SAMAccountName -Replace @{PreferredLanguage='ur-PK'}}
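The two sections above write the same attribute in two different places depending on how the identity is provisioned. As an added example (not code from the original post), the following script makes that decision per user by checking LastDirSyncTime on the Get-MsolUser result; the module names, the sample user list and the language-tag format check are assumptions.

```powershell
# Added example: set PreferredLanguage for a list of users, writing it where the
# identity is mastered. Assumes the MSOnline and ActiveDirectory modules are
# installed and Connect-MsolService has already been run. Sample users are constructed.
$targets = @(
    @{ Upn = 'pgarcia@msexperttalk.com'; Language = 'ur-PK' }   # constructed sample
    @{ Upn = 'jsmith@msexperttalk.com';  Language = 'ja-JP' }   # constructed sample
)

function Set-O365PreferredLanguage {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $Language,
        [switch] $ReportOnly
    )
    # Only accept tags shaped like "ur-PK" or "ja-JP"; reject anything else before
    # it reaches the directory (an arbitrary string would otherwise be stored as-is).
    if ($Language -notmatch '^[a-z]{2,3}(-[A-Za-z]{2,4})?$') {
        throw "Refusing to set malformed language tag '$Language' for $Upn"
    }
    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    if ($null -eq $user.LastDirSyncTime) {
        # Cloud-only identity: the attribute is mastered in Azure AD.
        if ($ReportOnly) { return "ReportOnly: Set-MsolUser $Upn -> $Language" }
        Set-MsolUser -UserPrincipalName $Upn -PreferredLanguage $Language
        return "Cloud identity $Upn set to $Language"
    }
    # Synced identity: the attribute is mastered on-premises, so write it there and
    # let the next Azure AD Connect sync cycle carry it to Office 365.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -ErrorAction Stop
    if (-not $adUser) { throw "No on-premises account found for $Upn" }
    if ($ReportOnly) { return "ReportOnly: Set-ADUser $($adUser.SamAccountName) -> $Language" }
    Set-ADUser -Identity $adUser -Replace @{ PreferredLanguage = $Language }
    return "Synced identity $Upn set on-premises to $Language (applies after next sync)"
}

# Dry run first; remove -ReportOnly to apply the changes.
foreach ($t in $targets) {
    Set-O365PreferredLanguage -Upn $t.Upn -Language $t.Language -ReportOnly
}
```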

Setting the PreferredLanguage attribute updates the language of the following in Office 365.

  • Office 365 Default Landing page
  • General settings and menu
  • Office 365 Management portal
  • Video
  • Groups
  • OneDrive for Business
  • Delve
  • Office Online
  • Planner

To review a complete list of available language codes, please visit the Microsoft TechNet site.

Configuring Azure AD Connect to use specific Domain Controller

Introduction

The Microsoft Azure AD Connect (AAD Connect) tool replicates your on-premises Active Directory to Office 365. Configuring Azure AD Connect to use a specific domain controller can help expedite the replication of changes to Office 365. I have seen scenarios where on-premises Active Directory changes had not been replicated to Office 365 after 30 minutes, while Azure AD Connect showed a successful Delta Sync status in the MIIS client. This happens because Azure AD Connect is replicating changes to Office 365 from a domain controller which does not yet have your latest updates.

How does Azure AD Connect locate a Domain Controller?

When you deploy the Azure AD Connect tool in an Active Directory forest, Azure AD Connect uses DNS to locate a domain controller. Once Azure AD Connect has found a domain controller, it connects to that same domain controller every time until it becomes unreachable, and only then does Azure AD Connect try to connect to another domain controller.

Why do we need to configure Azure AD Connect to use a specific Domain Controller?

Configuring Azure AD Connect to use a specific domain controller is required when you implement directory synchronization with Office 365 for a multi-site Active Directory infrastructure where users are spread across Active Directory sites around the globe. If you make Active Directory changes and need them replicated to Office 365 quickly, you have two options. Option 1 is to make the changes on the domain controller from which Azure AD Connect replicates to Office 365. The downside of option 1 is that you first have to find out which domain controller the changes were replicated from during the last sync cycle. Option 2 is to configure the AAD Connect tool to use specific domain controllers. It is much easier to configure the list of domain controllers in the directory sync tool than to wait for replication to complete across Active Directory sites.

Configuring Azure AD Connect to use specific Domain Controller

Once the directory synchronization tool is installed, follow the steps below to configure the list of domain controllers that the Azure AD Connect tool will connect to.

  • Log in to the Azure AD Connect server and run the MIIS client

If you installed the tool in the default location, the MIIS client can be found in C:\Program Files\Microsoft Azure AD Sync\UIShell


  • Navigate to Connectors and open the properties of your Active Directory connector


  • In the properties window, select Configure Directory Partitions and click Configure to define your preferred domain controllers


  • Enter the FQDN of your preferred domain controllers and click on Add


  • Once you have defined the preferred domain controllers, make sure you tick the checkbox next to Only use preferred Domain Controllers


  • Click the OK button to complete the configuration of preferred domain controllers in the Azure AD Connect tool

The Azure AD Connect tool is now configured to use the preferred domain controllers only. Azure AD Connect will always query the preferred domain controllers for modifications in Active Directory to replicate to Office 365. More information on the Azure AD Connect tool can be found here
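Because the connector will now talk only to the domain controllers you listed, it is worth checking each FQDN before entering it: it must resolve, answer on LDAP, and itself be receiving replication, otherwise you have just pinned the sync to the stale DC the article warns about. The following pre-check is an added example, not part of the original post; it assumes the ActiveDirectory (RSAT) module is available and uses constructed DC names.

```powershell
# Added example: sanity-check candidate "preferred" domain controllers for the
# Azure AD Connect AD connector. Assumes the ActiveDirectory module; FQDNs are constructed.
Import-Module ActiveDirectory
$preferredDCs = @('dc01.msexperttalk.com', 'dc02.msexperttalk.com')   # constructed sample

function Test-PreferredDomainController {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [int] $MaxReplicationAgeMinutes = 60    # assumed threshold for "recent" replication
    )
    $result = [ordered]@{ DC = $Fqdn; DnsResolves = $false; LdapReachable = $false
                          LastReplSuccess = $null; Healthy = $false }
    # 1. The name must resolve: the connector stores an FQDN, not an IP address.
    try { [void][System.Net.Dns]::GetHostAddresses($Fqdn); $result.DnsResolves = $true }
    catch { return [pscustomobject]$result }
    # 2. LDAP (389) must answer; an unreachable DC only makes the connector fail over.
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port 389 -WarningAction SilentlyContinue
    $result.LdapReachable = $tcp.TcpTestSucceeded
    # 3. Inbound replication to this DC must be recent. A DC that has not received
    #    replication lately will hand Azure AD Connect stale objects, which is the
    #    delay the article describes.
    $meta = Get-ADReplicationPartnerMetadata -Target $Fqdn -ErrorAction SilentlyContinue
    if ($meta) {
        $latest = ($meta | Sort-Object LastReplicationSuccess -Descending |
                   Select-Object -First 1).LastReplicationSuccess
        $result.LastReplSuccess = $latest
        $fresh = $latest -and (((Get-Date) - $latest).TotalMinutes -le $MaxReplicationAgeMinutes)
        $result.Healthy = $result.LdapReachable -and $fresh
    }
    return [pscustomobject]$result
}

$preferredDCs | ForEach-Object { Test-PreferredDomainController -Fqdn $_ } | Format-Table -AutoSize
```

Only enter the DCs reported as Healthy; run the check again after any site or replication change.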

 

Upgrade Azure AD Sync to Azure AD Connect

Azure AD Connect is now generally available to replace AAD Sync for synchronizing on-premises Active Directory with Azure Active Directory, so it is time to think about upgrading your existing Azure AD Sync deployment and using the latest code from Microsoft. Azure AD Connect supports an in-place upgrade from Azure AD Sync.

You can download the Azure AD Connect tool from the Microsoft website. Once you have downloaded it, perform the following steps to do an in-place upgrade from Azure AD Sync to Azure AD Connect.

  • Run Azure AD Connect setup files on Azure AD Sync server.
  • Azure AD Connect setup will automatically detect the existing install of AAD Sync.
  • Accept the license agreement and click on Continue.


Make sure that you have stopped synchronization in the Azure AD Sync tool during the upgrade. This does not impact your existing AAD Sync configuration or synchronization.


  • Provide your Azure Active Directory admin credentials to connect to Azure AD. This account must be a global administrator. Click Next.


  • Select whether you want to synchronize your identities with Office 365 immediately after the tool is deployed. If you have filtering requirements, uncheck this option. Click Upgrade.


  • Once the configuration is complete you will see a tip about syncing Windows 10 domain-joined computers to Azure AD as registered devices. Click Exit.


  • After you click Exit, you will see an Azure AD Connect icon on your desktop. Double-clicking it lets you perform a limited set of administrative tasks: view the current configuration, customize options and configure staging mode for Azure AD Connect.


  • In the Windows Server Start menu, search for Synchronization Rules and you will find utilities such as the Synchronization Rules Editor, the Synchronization Service and Azure AD PowerShell for advanced filtering and administration of the tool.


Single Sign on with Office 365


Single Sign on with Office 365 is mostly used by organizations to provide a seamless experience to their end users. This article will help you set up Single Sign on with Office 365 using ADFS 3.0. Before we start, let's review a few important prerequisites for SSO.

You can also download the complete guide on Setting up Single Sign on with office 365 from Technet

  1. You need internet route-able domain name to setup SSO. e.g. contoso.com, mstechtalk.com etc
  2. SSL Certificate from public certificate authorities like GoDaddy
  3. Office 365 global admin permission
  4. Service account for ADFS 3.0
  5. Web Application Proxy
  6. AAD Sync tool to synchronize identities with Office 365

If you have an internal domain name that is not routable on the internet, you will have to add a custom UPN suffix that matches your external namespace. You can add a UPN suffix to your forest by following the instructions provided in the Microsoft Knowledge Base.

Lab Details

Currently I have the following infrastructure in my lab for setting up Single Sign on with Office 365.

  • 2 x Windows Server 2012 R2 domain controllers (domain name: enpointelab.net)
  • 1 x Azure AD Sync tool
  • 1 x Windows Server 2012 R2 server for ADFS 3.0 in the production zone
  • 1 x Windows Server 2012 R2 server in the DMZ for Web Application Proxy

Let’s get started with the lab and setup Single Sign on with office 365.

Activate Single Sign on

Before we start installing ADFS 3.0, we first need to enable Single Sign on in Office 365. To activate single sign on in Office 365, follow the steps shown below.

**** Before we start this step, I assume you've already set up your Office 365 tenant and configured your custom domain in Office 365 ****

To activate Single Sign on, go to the Office 365 portal –> Active Users –> click Set Up, as shown below.


Once you are done with your planning and preparation for single sign on, move on to the second step and deploy your ADFS servers.

Create SSL Certificate Request for AD FS 3.0

Before we start installing and configuring AD FS 3.0 for Single Sign on, let's first create the SSL certificate request used to procure an SSL certificate from a public authority like GoDaddy.

**** I've procured my SSL certificate from GoDaddy for this lab ****

To create the SSL certificate request, open an MMC console and follow these steps:

  1. Click Add/Remove Snap-in, select Certificates and click the Add button.
  2. Select Computer account and click Next.
  3. Right-click Personal –> All Tasks –> Advanced Options –> Create Custom Request.
  4. The certificate enrollment wizard starts; click Next.
  5. Click Next.
  6. Click Next.
  7. Click Next.
  8. Click on Details.
  9. Click on Properties.
  10. Enter a friendly name for your certificate, then click the Subject tab.
  11. From the drop-down menu, select Common name, provide the value and click the Add button.
  12. Click on the Private key tab.
  13. Select the key size, tick the checkbox "Make private key exportable", click Apply and then OK.
  14. Click Next.
  15. Click Finish. Copy the request file, provide it to your SSL certificate provider and procure the certificate. Once procured, complete the certificate request.
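The same custom request can be produced without the MMC wizard, which is easier to repeat on the second AD FS server. This is an added example, not from the original post: it writes a certreq INF with the wizard's choices (subject CN, 2048-bit key, exportable private key in the computer store) and uses the article's placeholder name fs.mydomain.com; the file paths and friendly name are assumptions.

```powershell
# Added example: build the AD FS SSL certificate request with certreq instead of the
# MMC wizard. fs.mydomain.com is the article's placeholder; paths are assumptions.
$fsName  = 'fs.mydomain.com'
$infPath = "$env:TEMP\adfs-request.inf"
$csrPath = "$env:TEMP\adfs-request.csr"

# Mirrors the wizard: subject CN, 2048-bit RSA, SHA-256, exportable private key in the
# computer store (needed to copy the certificate to the second AD FS server and the WAP),
# server-authentication EKU, and a SAN entry for clients that ignore the CN.
$inf = @"
[NewRequest]
Subject = "CN=$fsName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "AD FS SSL certificate"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fsName&"
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII
# certreq generates the key pair in the local machine store and writes the PKCS#10 request.
certreq.exe -new $infPath $csrPath
Get-Content $csrPath   # submit this text to the public CA's enrollment form

# Once the CA returns the signed certificate (for example adfs.cer), accept it so the
# certificate is paired with the pending private key in the computer store:
# certreq.exe -accept "$env:TEMP\adfs.cer"
```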

Import SSL Certificate

Once you have received the certificate from the public certificate provider, go to mmc –> Add/Remove Snap-in –> Certificates –> Computer account –> Personal –> right-click –> All Tasks –> Import and complete the import wizard.

Installing AD FS 3.0

To install AD FS 3.0, Go to Server Manager –> Add roles and Features


We’re done with the installation of our first ADFS 3.0 server.

Configure AD FS 3.0

Now that AD FS 3.0 is installed on the first server, let's follow the steps to configure AD FS 3.0.

Go to Server Manager –> click Configure the federation service on this server


We are using the Windows Internal Database (WID) for the AD FS deployment. WID supports up to 5 AD FS servers in an AD FS farm; it uses SQL Express 2012 and is limited to a 10 GB database size.


Your ADFS 3.0 server is now installed and configured. To test your ADFS deployment, browse to https://fs.mydomain.com/adfs/ls/IdpInitiatedSignon.aspx. I've created an "A" record in my DNS for "FS" pointing to the ADFS server. After installing the 2nd ADFS server, I'll add that server to my load balancer as well.


Azure AD Sync “Permissions-Issue” Error Code-8344

Azure AD Sync “Permissions-Issue”

Today I have been troubleshooting the Azure AD Sync tool for one of my customers who were having issues with it. The MIIS client was reporting export errors for all the users in the organization, and the error was "Permissions-Issue". It was one of the more interesting errors to work on, and it took me a day to resolve, so I thought I would share the remedy so that you can resolve this issue within an hour.

Azure AD Sync Export Error

Whenever AAD Sync synchronized with Office 365, we got the error on "Export" every time. The error message says "Permissions-issue", and we verified that our on-prem service account and Office 365 service account had all the permissions required by the AAD Sync tool. At one stage we thought it was a false error, but it is not a false error and it does have a solution. Below is the screenshot of the error message we were getting.

When you click on Permission-issue you will see the following screenshot, which gives the details of the error message along with the error code.


Let’s get started to resolve this error and below are the steps that we need to perform to resolve this issue.

Resolve AAD Sync Export Error

If you click on Permission-Issue to see the details, you will see that the connected data source error code is 8344. To resolve this issue, perform the following steps.

1. Run the Active Directory inheritance script to get a list of users on which inheritance is blocked. Once you have the list, make sure that you allow inheritance on those users/groups.

To allow inheritance, make sure Advanced Features is enabled in the View menu, then go to the user's properties –> Security –> Advanced –> select the checkbox "Include inheritable permissions from this object's parent".

2. Make sure you have assigned the required on-prem permissions to the Azure AD Sync tool service account. You can assign the appropriate permissions to the Azure AD Sync tool by following this article.

3. Once you have checked the inheritance and the required permissions, make sure that the service account is a member of the AAD Sync security group in Active Directory. The name of the security group is MSOL_AD_Sync_RichCoexistence. After you add the service account to the group, re-run a full synchronization and you will see that all permission-issue errors are gone.
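Step 1 refers to an inheritance script; the following is an added example of one (not the script the article refers to, nor part of the original post). It lists user objects whose ACL blocks inheritance and can re-enable it the same way the Advanced Security dialog does, with one caveat the dialog does not warn you about: accounts with adminCount=1 are reset by AdminSDHolder (SDProp) within about an hour, so ticking the box on them does not stick. It assumes the ActiveDirectory module and uses a constructed search base.

```powershell
# Added example: find users with blocked ACL inheritance (cause of the 8344
# "Permissions-Issue" export error) and optionally re-enable inheritance.
# Assumes the ActiveDirectory module; the search base is a constructed sample.
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl / Set-Acl
$searchBase = 'DC=msexperttalk,DC=com'   # constructed sample

function Get-UsersWithBlockedInheritance {
    param([Parameter(Mandatory)] [string] $SearchBase)
    # adminCount=1 marks accounts AdminSDHolder will re-protect, so flag them separately.
    $adminFlag = @{ n = 'ProtectedByAdminSDHolder'; e = { $_.adminCount -eq 1 } }
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, $adminFlag
}

function Enable-UserInheritance {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [switch] $ReportOnly
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    if (-not $acl.AreAccessRulesProtected) { return "$DistinguishedName already inherits" }
    # $false = stop blocking inheritance; $true = keep the explicit ACEs already present.
    # This is what ticking "Include inheritable permissions from this object's parent" does.
    $acl.SetAccessRuleProtection($false, $true)
    if ($ReportOnly) { return "Would enable inheritance on $DistinguishedName" }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
    return "Enabled inheritance on $DistinguishedName"
}

$blocked = Get-UsersWithBlockedInheritance -SearchBase $searchBase
$blocked | Format-Table -AutoSize

# Dry run on the non-AdminSDHolder accounts first; remove -ReportOnly to apply.
# Accounts flagged ProtectedByAdminSDHolder need their protected-group membership
# reviewed instead, otherwise SDProp blocks inheritance again.
$blocked | Where-Object { -not $_.ProtectedByAdminSDHolder } |
    ForEach-Object { Enable-UserInheritance -DistinguishedName $_.DistinguishedName -ReportOnly }
```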

In my case, customer was using AAD Sync along with password sync and they had Exchange 2010 SP3 hybrid configured.

Hope this article will help you resolve your issue with Azure AD Sync tool. Please feel free to ask us in case you have other issues. Thanks.
