When you move Microsoft Advanced Threat Analytics to a new location, your IP will possibly change. After the IP change the ATA Console is not available anymore. When you take a look at the Windows Services you will notice that the “Microsoft Advanced Threat Analytics Center” service is in “Starting” state or does not run. To make the ATA Console accessible you will need to update the configuration, which resides in the underlying Mongo DB. Luckily enough there is an easy way to get this done!

1. Login to your ATA Console server
2. Go to “C:\Program Files\Microsoft Advanced Threat Analytics\Center\Backup” and copy the latest version to a known location
3. Open the backup file with notepad and search and replace the old IP with the new IP
4. Save the configuration backup file
5. Open a command prompt
6. Go to “C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin”
7. And execute ‘mongoimport.exe –db ATA –collection SystemProfile –file “h:\SystemProfile_newip.json” –upsert’, where h:\SystemProfile_newip.json is the location of the updated configuration backup file
8. Now you will notice that the service will be back up-and-running within 5 minutes

But now we are halfway… all ATA (lightweight) gateways need to be updated too.

1. Go to”C:\Program Files\Microsoft Advanced Threat Analytics\Gateway”
2. Open the GatewayConfiguration.json file
3. Replace the old IP for the new IP
4. Restart the “Microsoft Advanced Threat Analytics Gateway” service using the Service Manager

So what have we learned. Read the manual before moving Microsoft ATA to a new IP. An outlined plan can be found at https://docs.microsoft.com/en-us/advanced-threat-analytics/modifying-ata-center-configuration

The script below updates all calendars (multilingual) to give Reviewer permissions to all mailboxes.

#Set default as reviewer for all calendars. 
foreach($mbx in Get-Mailbox -ResultSize Unlimited | where-object {$_.displayname -notmatch "discovery"}) {
    $calendars = (Get-MailboxFolderStatistics $mbx.Identity -FolderScope Calendar).Identity -replace "\\", ":\"
    foreach($calendar in $calendars) {
        $allset = Get-MailboxFolderPermission $calendar -User Default | Where { $_.AccessRights -eq "Reviewer" }
        if ($allset -eq $null) {
            Set-MailboxFolderPermission -Identity $calendar -User Default -AccessRights Reviewer
        }
    }
}

In 2012 I’ve posted a blog post with a map of the Azure Datacenter Locations at that moment. A lot of changes has taken place since that time!

In this post an updated map, thanks to William Zack (Microsoft). With new datacenters in Brazil and Japan, and planned datacenters in Australia.

– Multi-forest implementation of Office 365
– Multi-forest / multi exchange organization hybrid
– Resource and accounts forest

You can now start directly with this new “version” of DirSync.

There is only one item which can be found in DirSync and AAD Sync has not, it is password hash sync. All other, and a lot more features are there!

Download Azure Active Directory Sync Tool here: http://go.microsoft.com/fwlink/?LinkID=511690
Documentation can be found here: http://go.microsoft.com/fwlink/?LinkID=393942

Thanks to a very nice OneDrive CodePlex project (http://office365drivemap.codeplex.com/), which you should visit too, I was able to write the following PowerShell script which you can use to preauthenticate Office 365 when you use ADFS.

Run the following powershell script after login (see http://msdn.microsoft.com/en-us/library/jj130675.aspx to configure the script to run after login)

$domain = "contoso.com"; # your Federated domain
$ie = new-object -com InternetExplorer.Application
$ie.navigate("https://login.microsoftonline.com/login.srf")
$ie.visible = $true #Uncomment this for debugging

# Wait for the page to finish loading
do {sleep 1} until (-not ($ie.Busy))
# We have to click the remember me checkbox before logging in, we also have to have IE be automated for this to work
try {
  $ie.document.GetElementById("_link").click()
  do {sleep 1} until (-not ($ie.Busy))
} catch {$null}

try {
  $ie.document.GetElementById("cred_userid_inputtext").value = "dummy@"+$domain
  $ie.document.GetElementById("cred_keep_me_signed_in_checkbox").click()
  do {sleep 1} until (-not ($ie.Busy))
  $ie.document.GetElementById("cred_sign_in_button").click()
  do {sleep 1} until (-not ($ie.Busy))
}catch {$null}

sleep -seconds 15 # give plenty of time to redirect
$ie.Quit()

For exchange it is quite easy to create a auto-login just with some DNS modification. You just need to create a CNAME to outlook.com.

e.g. webmail.contoso.com => outlook.com

Version 16.0.0.2621 (march 2014)
-SkyDrive becomes OneDrive
-OneDrive storage up to
-Office Web Apps gets updated with enhanced features
-Office Web Apps has new names Word App becomes Word Online etc|
-Content Search Web Part availlable
-Several DIV ID’s renamed

Version 16.0.x.x (september 2013)
– Maximum upload size to 2Gb
– Maximum number of sitecollections from 2.000 to 10.000

Version 16.0.1922.1200 (august 2013)
– SkyDrive Pro; personal space to 25Gb
– SkyDrive Pro; Shared with Me features, to show all documents shared with you (on SkyDrive)

Version 15.0.0.4420.1017 (february 2013)
– Initial SharePoint Online 2013 release

Version 14
– Initial SharePoint Online 2010 release

The information published on this blog is not verified by Microsoft and can contain incorrect information.

The customer had the following requirements for the extranet with regard to authentication of external users.

– Manage external users and groups is an easy to use interface

– Users can manage their passwords themselves

– 2-factor authentication

– No access to other resources

Our first idea was to implement external access using ADFS with the federated parties, although it will work great for other extranet scenario’s, it did not met all of our requirements.

The second idea was to use Azure with WAAD (Windows Azure Active Directory) and ACS (Access Control Services) to met our goals. The WAAD would provide identities for our environment, supports multifactor authentication and users can reset their passwords themselves!

Get Started

So lets gets started with our Proof-of-Concept! The first hit on google regarding this scenario is a great blog post from Steve Pescka (http://blogs.technet.com/b/speschka/archive/2013/05/10/integrating-sharepoint-2013-with-azure-active-directory-part-1-configuration.aspx). He wrote several blog items about this topics which was really supporting the configuration.

Prerequisities

– Azure account (https://account.windowsazure.com/signup?offer=ms-azr-0044p to sign up)

– SharePoint 2013 Environment

Create Azure Active Directory

– Login to https://manage.windowsazure.com

– Go to Active Directory

– Press Add

– If you want to use an existing Azure Active Directory (like the one you use for Office 365), choose for Existing Directory. You will be asked to re-signin with an global administrator of the Office 365 tenant, after this process the Azure Active Directory is connected to you Azure account.

– For a new directory, fill in your directory details, if you want to use a custom domain you can add this afterwards.

– The Directory is ready to use. To use the features, password reset and groups you also need to Enable Active Directory Premium

– Click on Add a user

– Fill in the wizard and choose the role “Global Administrator”

– Download the Windows Azure Active Directory Shell
http://technet.microsoft.com/en-us/library/jj151815.aspx#bkmk_installmodule

Create ACS Service in Azure

If you have already setup a ACS namespace you can skip this step.

– Go to https://manage.windowsazure.com

– Press New, and add a new Access Control namespace

– Fill in a name and region and proceed

– Your ACS namespace will now be created

Configure Identity Provider in ACS

Configure the WAAD as an identity provider in ACS

– Go to https://manage.windowsazure.com

– Go to Active Directory

– Go to Access Control Namespaces and select your newly created namespace

– Go to Manage

– Go to Trust relationshops > Identity Providers

– Click on Add Identity Provider

– Choose a WS Federation provider

– Fill in a Descriptive Name and use https://accounts.accesscontrol.windows.net/<waad-name>/FederationMetadata/2007-06/FederationMetadata.xml as WS metadata URL. Provide your own WAAD or use a more general approach to allow multiple WAAD’s to sign in to your SharePoint 2013 environment using the federation url https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml

Configure Relying Party Trust in ACS

Now we need to configure the on-premises SharePoint 2013 environment as the relying party

– Go to relying party applications

– Click on Add, choose to enter settings manually.

– Fill in a realm, in this example urn:sharepoint:acs, but it can be any realm (and take note of this, we need this later on)

– Select Token form SAML 1.1. (unfortunately SharePoint 2013 (and 2010) do not support SAML 2.0)

– Select the identity provider selected earlier

– Press Save

Configure Group Rules

Now we need to generate and configure the claim translation from the WAAD claim to an workable claim for SharePoint 2013.

– Go to Group Rules

– Click on Add, fill in a Group name “AAD Rules” and click Save

– Click on Generate

– Select the IdP created earlier and click Generate

– Select the Output claim UPN

– Set the input claim type to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name instead of upn, because this input claim is empty. The name claim will contain the upn.

– Set the output claim type to http://schemas.microsoft.com/ws/2008/05/identity/claims/upn , which will be accepted by the STS of SharePoint.

– Click on Save

Enabled Application for WAAD to authenticate

– Execute the following Powershell

<code>

$replyUrl = New-MsolServicePrincipalAddresses –Address “https://<youracs>.accesscontrol.windows.net/v2/wsfederation”

New-MsolServicePrincipal –ServicePrincipalNames @(“https://<youracs>.accesscontrol.windows.net/”) -DisplayName “Joran Markx Tenant” -Addresses $replyUrl

</code>

Configure SharePoint to use ACS

– Go to Development -> Application integration

– Copy and paste the WS-Federation Metadata into the internet browser

– Copy and paste the base64 code in EntityDescriptor>RoleDescriptor>KeyDescriptor>..>X509Certificate to a notepad and save as .cer file (Certificate)

– Open the certificate to check if it is working great! If it does not, please check if you copied the whole X509Certificate and the file is saved with ANSII.

– Copy the .cer to the SharePoint 2013 Server

Create and configure STS in SharePoint

Now we need to create a new Trusted Root Authority and configure the Trusted Identity Token Issues.

– Open the SharePoint Management Shell (as Administrator)

<code>
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:aadcert.cer”)

New-SPTrustedRootAuthority -Name “ACS Token Signing Certificate” -Certificate $cert

$map = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$map3 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$map4 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” -IncomingClaimTypeDisplayName “GivenName” -SameAsIncoming

$map5 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname” -IncomingClaimTypeDisplayName “SurName” -SameAsIncoming

$map6 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/jobtitle” -IncomingClaimTypeDisplayName “JobTitle” -SameAsIncoming

$map7 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/office” -IncomingClaimTypeDisplayName “Office” -SameAsIncoming

$realm = “urn:sharepoint:acs”

$ap = New-SPTrustedIdentityTokenIssuer -Name “AAD” -Description “ACS” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5,$map6,$map7 -SignInUrl “https://litware.accesscontrol.windows.net:443/v2/wsfederation” -IdentifierClaim http://schemas.microsoft.com/ws/2008/05/identity/claims/upn
</code>

– Create or configure a webapplication in SharePoint with Claims Authentication and select the new TrustedIdentityToken Issuer

– Authorize add at least one user from the WAAD to the a site in the webapplication

– You’re ready to go!

Test the solution

– Fire up a browser and go to your SharePoint site

– Select AAD, you will not get this screen if you disable Windows Authentication (and have only one authentication provider)

– Then select one of the IdP in ACS, you will not see this screen if you only have one IdP configured.

– You will now get the Azure Active Directory Login screen

– After entering your username and password, you will be redirected to SharePoint 2013 and will be logged in!

Known issues

– People picker will not find people in the directory
http://blogs.technet.com/b/speschka/archive/2013/05/12/integrating-sharepoint-2013-with-azure-active-directory-part-2-the-custom-claims-provider.aspx

New in SP1

• Compatibility fixes for Windows 8.1 and Internet Explorer 11.
• Better support for modern hardware, such as high DPI devices and the precision touchpad.
• New apps for Office capabilities and APIs for developers.
• Power Map for Excel, a 3D visualization tool for mapping, exploring, and interacting with geographical and temporal data in Excel, is now available to Office 365 ProPlus subscription customers. You can learn more about Power Map general availability on the Power BI Blog.
• Improvements to the Click-to-Run virtualization technology that installs and updates Office 365 desktop applications.
• SkyDrive Pro is now OneDrive for Business. You can now integrate OneDrive Office 365 with your Onpremise SharePoint 2013.
  
•  Replace Newsfeed with Yammer, to use the best social collaboration tools for your organisation

Fixed in SP1

• Metadata is lost when documents that use a custom content type with a “Description” field are opened for editing.
• When an item is deleted, restored from recycle bin, and then deleted again, there is a primary key constraint error.
• An error occurs when files are moved between document libraries and the web time zone is behind that of the server.
• Metadata filtering at list level always lists all metadata terms.
• The hyperlink popup window drops the selected word to be linked when there is a delay of more than one second in opening the window.
• Multiple-column, SummaryLinkWebParts with a group heading style of “Separator” are rendered incorrectly.
• A hash tag that contains a full width space does not get created successfully.
• Search schema compression is now enabled by default to allow larger search schemas.
• Highlighting for FQL queries is now enabled for FQL as well as KQL.
• Opening a custom SharePoint list in datasheet view and applying multiple custom filters, where each filter has more than one condition, can result in an incomplete set of list items.
• When the “Export to Excel” button is clicked in a SharePoint document library that has the Content Type field displayed, the Content Type field does not appear in the Excel workbook.
• An error occurs after changing the “Manager” property in EditProfile.aspx page when the My Sites WebApp is not in the same farm as the UPA.
• SharePoint REST API does not return a well-defined error response for a duplicate key exception.
• Developers are unable to specify a Content Type ID when creating Content Types in the client object model.
• On list views in SharePoint sites, the Connect to Outlook button in the ribbon may be erroneously disabled.
• In some non-English languages of SharePoint, the text displayed in the callout UI for a document or list item, describing who last edited the item, may not be grammatically correct.
• Copy and Paste in a datasheet does not work correctly with Internet Explorer 11.
• Pages do not render in Safari for iPad when private browsing mode is used.
• When editing rich text fields in SharePoint, if the editing session exceeds 30 minutes, the edits may not be saved.
• An error that says “SCRIPT12004: An internal error occurred in the Microsoft Internet extensions” may occur intermittently when users visit their SkyDrive Pro or other pages on their personal site.
• InfoPath may crash when a form that points to a SharePoint list, with a lookup to another SharePoint list, is opened.
• An InfoPath form with extended characters in its name fails to open.
• An error that says “Security Validation for the form has timed out” may occur when an InfoPath form is digitally signed and hosted in a SharePoint site collection that uses the SharePoint version 2010 user experience.
• “Show document icon” remains unchecked and the document icon does not show in Edit Properties for a list item.
• A “Failed tagging this page” error occurs when the “I like it” button is clicked.
• The wrong term is removed when manually editing a multi-valued taxonomy field.
• When tagging list items using a language that is different from the term store default language, suggestions for labels are offered in multiple languages. The suggestions appear confusing because both language
• suggestions are listed without any identification of the language.
• An error that says “There was an error processing this request” may appear when editing the user profile.
• Times are missing from Date/Time results in certain filtered list web service calls.
• Minimal and no metadata are now enabled as supported JSON formats.
• Actions4 schema workflow actions can’t be deployed to SharePoint.
• Using Client Object Model, Stream.Seek() to seek to a particular position doesn’t seek at the proper offset.
• Refreshing a workflow status page generates the following error: “System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.”
• Setting custom, non-English outcomes in web pages on tasks in a workflow fails to set the value.
• Configurations of SharePoint using Azure Hybrid mode and Workflow Manager together can cause workflow callbacks to fail.
• Workflow task processes on wiki pages won’t start.
• Workflows won’t wait for changes to content approval status fields.
• E-mails generated by workflow cannot be disabled for approvals in SharePoint workflows.
• Workflows may fail to send an e-mail or send too many e-mails.
• Association variables do not update correctly for auto-start workflows.
• A KeyNotFoundException error may occur in a workflow when the associated task list uses unique permissions.
• Incomplete tasks are deleted when workflow task activities complete.
• Task activity is suspended when the task is completed using app-only credentials.
• An error that says “This task could not be updated at this time” occurs when trying to complete a workflow task using the “Open this task” button in Outlook.
• A workflow doesn’t respond properly when waiting for changes in specific types of list columns, such as Boolean, Date Time, and User.

Check here for the KB and download
http://support.microsoft.com/kb/2817429
http://www.microsoft.com/en-us/download/details.aspx?id=42008

In the SharePoint User Profile, users are able to provide their birthday by default. These values are automaticly crawled but you will not be able to apply filters using search. In this blog post I will describe the configuration steps for Office365.

> Go to the Site Settings -> Site Collection Administration -> Search Schema (you can also configure this in the SharePoint Admin level)
> Search for RefinableDate00, Edit the mapping (for SharePoint Onpremise, you are able to add a new one with type Date)
> Give it an alias like Birthday01
> Add “People:SPS-Birthday” as crawled field mapping

> Be sure you have some people filled in their birthday on their profile
> You are done, o365 will need to wait at most 1 week (yes, you are reading it right). Full crawls are now performed once a week, if you need it by tomorrow you can submit a support ticket to MS support, they will initiate a full crawl on request. Onpremise users just fire off a full crawl.

To test if your managed property is working you can perform a query to your search center.
https://tenantname.sharepoint.com/search/Pages/peopleresults.aspx?k=Birthday01>”01-01-2000&#8243;

Our prerequisities are met, and we are able to query for a birthday. So why should we need any code…
As you can see in the “test” query above, we are using the year 2000 to query, this is not just a coincidence. SharePoint stores the Date no Year fields using the year 2000, and SharePoint Online is not different on this one. Unfortunately this makes our Search Results webpart unusefull because you can only use keywords like today-5, yesterday, last week, last month and last year.

The javascript below will perform a restcall to the search service to retrieve the birthdays which are in range (30 days in this example).

(note: jquery is required)

<div id="resultsDiv"></div>
<script type="text/javascript">// <![CDATA[
$(document).ready(function () {
    var e = ExecuteOrDelayUntilScriptLoaded(executeQuery(), "sp.js");
});

Date.prototype.AddDays=function(days)
{
	this.setDate(this.getDate() + days);
	return this;
}

function executeQuery() {

    Results = {
        element: '',
        url: '',

        init: function (element) {
            Results.element = element;

	    var birthday = 'Birthday01';
	    var space = '%20'; var colon = '%3A'; var quote = '%22'; var gt = '%3E'; var lt = '%3C'; var amp = '&';

            // Get current date
            var currentTime = new Date();
	    var startMonth = currentTime.getMonth()+1;
	    var day = currentTime.getDate();

            // Get current date + 30
	    var endTime = new Date();
            var endTime = currentTime.AddDays(30);
	    var endMonth = endTime.getMonth()+1;
            var endDay = endTime.getDate();

            var querytext = "";

	    // build query with the magic 2000 year
            if(startMonth!='12')
	    {
		querytext += birthday + gt + quote + day + '-' + startMonth + '-' + '2000' + quote + space + 'AND' + space + birthday + lt + quote + endDay + '-' + endMonth + '-' + '2000' + quote;
	    }
	    else
	    {
		querytext += birthday + gt + quote + day + '-' + startMonth + '-' + '2000' + quote + space + 'OR' + space + birthday + lt + quote + endDay + '-' + endMonth + '-' + '2000' + quote;
	    }
            Results.url = _spPageContextInfo.webAbsoluteUrl + "/_api/search/query?querytext=%27" + querytext + "%27&sourceid=%27B09A7990-05EA-4AF9-81EF-EDFAB16C4E31%27&selectproperties=%27Title,"+ birthday +",Path%27&sortlist=%27"+ birthday +":ascending%27";
        },

        load: function () {
            $.ajax(
                    {
                        url: Results.url,
                        method: "GET",
                        headers: {
                           "accept": "application/json; odata=verbose",
                        },
                        success: Results.onSuccess,
                        error: Results.onError
                    }
                );
        },

        onSuccess: function (data) {
            var results = data.d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results;
	    var months = [ "januari", "februari", "maart", "april", "mei", "june", "juli", "augustus", "september", "oktober", "november", "december" ];
            var html = "<div class='birthday'>";

            for (var i = 0; i < results.length; i++) {
		var name = results[i].Cells.results[2].Value;
		var date = new Date(Date.parse(results[i].Cells.results[3].Value));
                var link = results[i].Cells.results[4].Value

                html += "<span>";
                html += "<a href='"+link+"'>" + name + "</a>";
                html += " "
                html += date.getDate() + " "+ months[date.getMonth()];
                html += " ";
            }

	    if (results.length == 0)
            {
              html += "Er zijn geen verjaardagen (bekend).";
            }

            html += "</div>";
            Results.element.html(html);
        },

        onError: function (err) {
            alert(JSON.stringify(err));
        }
    }

    Results.init($('#resultsDiv'));
    Results.load();

}

// ]]></script>