Three significant Office 365 updates were announced in Microsoft’s latest revision notice released on Wednesday of last week. If you don’t receive the update, one of the items is pretty exciting… something that people have been asking for for a very long time…
Update #1: Password Policies!
You can now set your password expiration policy for Office 365 through the web admin portal!
As you can see in the screenshot above, a new option has appeared on the Office 365 Users management page. When you click the link a new window pops up:
Update #2: Third Party Single Sign On
Another important but slightly less exciting feature was released this cycle as well: interoperability with third-party identity providers for single sign-on. Yes, that’s right, there’s an alternative to Active Directory Federation Services!
For larger enterprises ADFS 2.0 is still far and away the best solution. It gives you identity federation using your own Active Directory and will work with many services, internal, external, custom and box solutions. This is possible due to Microsoft’s WS-Federation and WS-Trust protocols and the recent SAML & Shibboleth authentication support.
Microsoft announced two initial solutions and tested federation with them successfully:
I’ve been tracking a couple other identity management solutions that promise SSO functionality for Office 365 as well:
I have not tried any of these solutions as of yet but may evaluate each and come up with a comparison – time permitting. Most of these hosted identity management providers use a web page for initial login to their account and then their account is federated with the services of your choice. In addition, some of the providers will synchronize your Active Directory objects (using a locally installed agent generally) to their service. Some will even let you use your Active Directory password to log in to their service.
What I haven’t verified is whether any of the solutions have a locally installed program that provides single-sign on across multiple applications (or just with your network login). When I have more information I will report back.
By the way… none of these is supported by Microsoft really… they’re just officially allowing the integration. You’ll need to work with the provider for any assistance.
Update #3: Directory Synchronization Scoping & Filtering
You could do this before… it was unsupported though. Maybe that has changed? They announced this like it was a new feature, but the link provided in the announcement didn’t work for me.
To make these changes now requires a dive into the DirSync back-end, Federated Identity Management (FIM).
I’m hoping this update means that the actual DirSync tool is getting an update or that Office 365 will have a configuration option in the web interface to scope and filter objects. If this is just Microsoft acknowledging that we can use the FIM tools I’m going to be disappointed.
I’ll post an update when I learn more.
If you’ve ever connected a workstation to Office 365 and then been constantly prompted for your credentials you know how frustrating it can be. Have you ever checked that box in Outlook to “Remember Password” and then screamed in frustration as yet another logon prompt came up?
We’re with you… lots of us! I’ve had a look around at the various resources for troubleshooting these issues and brought them together. This is by no means an exhaustive list, just some links that I’ve found useful. If you have suggestions to add I’m all ears. I hope the list helps!
- ADFS / SSO issues:
  - Troubleshoot federated users being prompted at http://support.microsoft.com/kb/2461628
- Autodiscover issues:
  - Troubleshoot: Looping Credential Prompts When Signing In to Office 365 Using ADFS at http://www.youtube.com/watch?v=cfEQFK1SgU8
  - Coming from Exchange environments: make sure your Autodiscover DNS records (internal and external both) point to the correct place. See also the Troubleshooting Autodiscover video.
  - Coming from BPOS (and possibly other Exchange systems) follow the instructions at http://support.microsoft.com/kb/2644437 to remove registry entries on clients that stubbornly don’t update their Autodiscover.
- Missing Updates:
  - Manually push out the updates using the instructions at http://community.office365.com/en-us/w/administration/manually-install-office-365-desktop-updates.aspx. SCCM, WSUS and other configuration management systems will work just fine also. There are download links of the bits for each package. Make sure you get at least these three:
    - Microsoft Online Services Sign-In Assistant (IDCRL7)
    - Microsoft Office 2010 Update (KB2435954) – ALSO change the registry key noted in the link
    - Microsoft Outlook 2010 Update (KB2597011)
- Outlook Issues:
  - Uncheck “Always prompt for logon credentials” in Outlook (see http://community.office365.com/en-us/f/172/t/15620.aspx for details)
  - Recreate your Outlook profile – good steps at http://community.office365.com/en-us/f/170/t/22353.aspx
  - If Outlook discovers the wrong (old) Exchange system you have problems. Use “outlook /rpcdiag” to ensure Outlook is connecting to Office 365. You can also control-right-click on your Outlook icon in your system tray and choose the option for “Connection Status.” You should see connections to the cloud-based e-mail servers, not legacy servers. Good steps at http://www.petri.co.il/testing_rpc_over_http_connection.htm.
  - Outlook prompts for credentials when Exchange 2003 mailboxes access Free/Busy information for Office 365 mailboxes – http://community.office365.com/en-us/forums/162/t/3567.aspx
  - AppData\Local\Microsoft\Sign In\Config Autodiscovery.xml.old not updating – rename or delete it as per http://www.brucebnews.com/2012/01/persistent-outlook-password-prompts-from-office-365/
- Windows, Networking & General:
  - Good Basic Troubleshooting: follow the instructions for Rich Authentication at http://support.microsoft.com/kb/2637629
  - Run (or reboot and rerun) the desktop setup wizard – steps at http://onlinehelp.microsoft.com/en-us/office365-smallbusinesses/ff637537.aspx
  - Change Internet Explorer security settings for Trusted sites & Windows Firewall to allow the sites listed at http://support.microsoft.com/kb/2637629
- Windows Stored Credential Conflicts & Issues:
  - Clearing out the Windows stored passwords for the user account under Control Panel – Users – Advanced or in the Credential Manager (depending on Windows version) – good troubleshooting at http://community.office365.com/en-us/f/172/p/52489/188561.aspx
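
The Autodiscover item in the list above asks you to confirm that the internal and external DNS records both point to the correct place. One way to check that with PowerShell, as an added example that is not part of the original post: the expected CNAME target `autodiscover.outlook.com`, the function names, the `example.com` domain and the resolver addresses are all assumptions or placeholders.

```powershell
# Added example, not from the original post. Assumption: a domain served by
# Office 365 publishes autodiscover.<domain> as a CNAME to autodiscover.outlook.com.
$ExpectedTarget = 'autodiscover.outlook.com'

function Get-AutodiscoverVerdict {
    # $Records: objects shaped like Resolve-DnsName output (Name, Type, NameHost / IPAddress).
    param([string]$View, [string]$Fqdn, [object[]]$Records)
    # Only records owned by the queried name matter; later links in a CNAME chain are ignored.
    $own   = @($Records | Where-Object { $_.Name -ieq $Fqdn })
    $cname = $own | Where-Object { [string]$_.Type -eq 'CNAME' } | Select-Object -First 1
    $addr  = $own | Where-Object { [string]$_.Type -in 'A', 'AAAA' } | Select-Object -First 1
    if ($cname -and $cname.NameHost.TrimEnd('.') -ieq $ExpectedTarget) {
        $status = 'OK'; $detail = $cname.NameHost
    } elseif ($cname) {
        $status = 'WRONG-TARGET'; $detail = $cname.NameHost      # CNAME to some other host
    } elseif ($addr) {
        $status = 'DIRECT-ADDRESS'; $detail = $addr.IPAddress    # typical of a legacy Exchange record
    } else {
        $status = 'MISSING'; $detail = ''
    }
    [pscustomobject]@{ View = $View; Name = $Fqdn; Status = $status; Detail = $detail }
}

function Test-AutodiscoverDns {
    # $Resolvers: hashtable of view name -> DNS server to ask (hypothetical parameter).
    param([string]$Domain, [hashtable]$Resolvers)
    $fqdn = "autodiscover.$Domain"
    foreach ($view in $Resolvers.Keys) {
        # -DnsOnly skips the hosts file, LLMNR and NetBIOS, so only the named server answers.
        $records = @(Resolve-DnsName -Name $fqdn -Type A -Server $Resolvers[$view] `
                         -DnsOnly -ErrorAction SilentlyContinue)
        Get-AutodiscoverVerdict -View $view -Fqdn $fqdn -Records $records
    }
}

# Constructed sample answers (not real lookups): the external zone has been moved,
# the internal zone still holds an address record for an old server.
$fqdn     = 'autodiscover.example.com'
$external = @([pscustomobject]@{ Name = $fqdn; Type = 'CNAME'; NameHost = 'autodiscover.outlook.com' })
$internal = @([pscustomobject]@{ Name = $fqdn; Type = 'A'; IPAddress = '192.0.2.10' })
Get-AutodiscoverVerdict -View 'external' -Fqdn $fqdn -Records $external
Get-AutodiscoverVerdict -View 'internal' -Fqdn $fqdn -Records $internal

# Live check; both resolver addresses are placeholders for your own servers:
# Test-AutodiscoverDns -Domain 'example.com' -Resolvers @{ internal = '10.0.0.53'; external = '8.8.8.8' }
```

A view that does not report OK while the other does is the split-DNS case where Outlook on one network keeps finding the old system.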