Todd's Blog

Todd's Tips for System Adminstrators

Scripting Office 365 Tasks with PowerShell – Auto Logon

by

I’ve been spending most of my summer in what I like to affectionately call “Email Hell”. We moved 80,000 student mailboxes from Live@Edu to Office 365. We implemented Active Directory Synchronization and implemented a non-standard ADFS deployment to provide better service to BYOD laptops then you would get with a standard ADFS deployment. I’ll post about this on its own post. It’s a deep solution will probably be two posts.

One of my tasks is to automate the creation of new users to Office 365. We use Forefront Identity Manager to provision new AD accounts from our student information system. Once they are in AD and are an active user, DirSync is configured to pick up these new accounts and create a Office 365 accounts. Works slick, but you then have to license up the account before it can be used. This you do not want to have to do manually, especially when you add several thousand students at school start-up. You also don’t want to have to remember everyday to go in and check for new students. We needed a script and it had to be hands off.  Lets look at what we need to do so the script can logon without end user intervention. I gathered this information from various blogs and TechNet articles. I’ll add links to those sites and as I come across them.

Normally one would run this set of commands to start working in Office 365:

$cred = Get-Credential 
Connect-MsolService -Credential $cred
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 
https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $session

If it was the first time logging in, you would have to run:

Set-ExecutionPolicy Remote

First thing we need to is to store the password.

read-host -prompt "Enter password to be encrypted in mypassword.txt " 
-assecurestring | convertfrom-securestring | out-file C:\passwd\O365Passwd.txt

This will create a file that is encrypted and contains the password for your Office 365 account you entered the password for above. Please, minimum requirements to do what you need to do on this account! Do not give this  full admin rights. Next as part of the PowerShell script, add these lines to the top:

$mypass = cat C:\passwd\O365Passwd.txt | convertto-securestring
$mycreds = new-object -typename System.Management.Automation.PSCredential 
-argumentlist "PowershellAcct@yourdomain.onmicrosoft.com",$mypass
Import-Module MSOnline
Connect-MsolService -Credential $mycreds
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange 
-ConnectionUri https://ps.outlook.com/powershell -Authentication Basic 
-AllowRedirection -Credential $mycreds
Import-PSSession $O365Session

Below this, add whatever code you want. Typically you will want to set usage location, set licenses and timezone and language.

We also turn off ActiveSync and Mobile OWA by default so we can enforce our MDM policy.

This gets you on the road to automating your Office 365 scripts.

Publishing ADFS – Comparing ADFS Proxy vs TMG

by

If you have deployed Office 365 or are planning to and are looking to publish your ADFS to external users, for example, workers from a remote location like Starbucks or for mobile devices then you have a couple of choices.

You can chose to deploy an ADFS proxy. This is pretty simple and is really just a role service of ADFS.

Instructions on how to setup ADFS can be found on Kelsey Epp’s blog.

The one drawback of using ADFS Proxy is that you can’t logon to Office365 if the Active Directory (AD) account is expired or has been marked “User Must Change Password on Next Logon” If you have a lot of users who are using a web browser or mobile devices and they don’t come into the office much, this could be a problem.

The alternative is to use Microsoft Forefront Threat Management Gateway 2010. The drawback here is the product is being slated for retirement and it has a cost. But with it you can have users directed to a page where they can reset the password if it is expired.  The link to set up TMG for ADFS.

Following these instructions for TMG 2010 I did run into an issue where I was getting error 8004789A. The issue was I had to uncheck Link Translation. I found this on Risual Blogs.

TMG Link Translation

I am hoping over the next little bit that we will see Microsoft give us something that will allow us to change passwords remotely like TMG but make it free like ADFS Proxy.