Category Archives: MVP

Setup and Enable Office 365 Message Encryption

The process to set up and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed:

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange Online
  3. Setup transport rules to enforce message encryption in Exchange Online

 

The following Microsoft TechNet article details the process; I have a step-by-step below.

https://technet.microsoft.com/en-us/library/dn569291.aspx

 

Office 365 Message Encryption Mail Flow

 

 

Activate Azure Rights Management for Office 365 Message Encryption

 

Login to Microsoft Online Portal with a Global Admin Account

Open the App Launcher (waffle)

Select Admin

 

Select SERVICE SETTINGS from the left pane

Click Rights Management

 

From within RIGHTS MANAGEMENT click Manage

 

 

You’ll be redirected to the management page

Click Activate

Click Activate again on the popup asking if you are sure you want to activate Rights Management

 

 

Set up Azure Rights Management for Office 365 Message Encryption

 

Connect to Exchange Online with PowerShell

Open PowerShell as Administrator

Enter the following commands to connect and import the session:

  • Set-ExecutionPolicy RemoteSigned
  • $cred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

 


 

Verify your IRM isn’t configured already

  • Get-IRMConfiguration

 

Configure RMS with the RMS Online key-sharing location for Exchange Online with PowerShell. For my example I am using North America; the table below lists all the locations.

 

Location                    RMS key sharing location
North America               https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union              https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
Asia                        https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
South America               https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
Office 365 for Government   https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

 

Import the Trusted Publishing Domain (TPD) from RMS Online

  • Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

 

Verify successful setup of IRM in Exchange Online

  • Test-IRMConfiguration -Sender admin@domain.com

 

Disable IRM templates in OWA and Outlook

  • Set-IRMConfiguration -ClientAccessServerEnabled $false

 

Enable IRM for Office 365 Message Encryption

  • Set-IRMConfiguration -InternalLicensingEnabled $true


*Note – You shouldn’t see that warning, but if you do it’s safe to ignore. I got it because I ran the command and forgot to grab the screen shot before clearing the screen, thus I had to run the command again.

 

View the IRM Configuration

  • Get-IRMConfiguration
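The whole Exchange Online IRM setup above as one script, added here as an example (not code from the original post). It runs inside the Exchange Online session imported earlier, includes the Set-IRMConfiguration -RMSOnlineKeySharingLocation command that the key-sharing step describes but does not show, and stops if the tenant is already configured or the IRM test fails. The region, the table of locations and the placeholder sender admin@domain.com are assumptions.

```powershell
# Added example, not from the original post. Assumes an imported Exchange Online
# PowerShell session (New-PSSession / Import-PSSession as shown above).
$KeySharing = @{
    'North America'             = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    'European Union'            = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    'Asia'                      = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    'South America'             = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    'Office 365 for Government' = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
}
$Region     = 'North America'       # assumption: change to your tenant's region
$TestSender = 'admin@domain.com'    # placeholder: a licensed mailbox in your tenant

# 1. Verify IRM isn't configured already; refuse to overwrite an existing location.
$before = Get-IRMConfiguration
if ($before.RMSOnlineKeySharingLocation) {
    throw "RMSOnlineKeySharingLocation is already set to $($before.RMSOnlineKeySharingLocation); review before changing it."
}

# 2. Point Exchange Online at the RMS Online key-sharing location for the region.
#    This is the command behind the "Configure RMS with the online key-sharing location" step.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharing[$Region]

# 3. Import the Trusted Publishing Domain from RMS Online.
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# 4. Test before enabling anything. Test-IRMConfiguration reports PASS/FAIL per step
#    as text, so stop on any FAIL rather than enabling licensing on a broken setup.
$test = Test-IRMConfiguration -Sender $TestSender
if (($test | Out-String) -match 'FAIL') {
    Write-Warning ($test | Out-String)
    throw 'IRM test did not pass; fix the reported step before enabling licensing.'
}

# 5. Hide IRM templates from OWA/Outlook and enable internal licensing for OME.
Set-IRMConfiguration -ClientAccessServerEnabled $false
Set-IRMConfiguration -InternalLicensingEnabled $true

# 6. Re-read the configuration and show the three settings that matter for OME.
$after = Get-IRMConfiguration
[pscustomobject]@{
    KeySharingLocation        = $after.RMSOnlineKeySharingLocation
    InternalLicensingEnabled  = $after.InternalLicensingEnabled
    ClientAccessServerEnabled = $after.ClientAccessServerEnabled
} | Format-List
```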


 

Create Transport Rules to Encrypt Messages

Open the Office 365 Admin Portal (https://portal.microsoftonline.com)

Open Exchange Admin Center


 

Click Mail Flow


 

 

Click the + and create your transport rule. I have created two simple rules.

This rule will encrypt anything that is sent externally with an attachment larger than 1MB.


This rule will encrypt the email if the word ‘Encrypt’ is in the subject line of the email. This will give the users (once trained) the flexibility to encrypt emails they deem sensitive.


 

Make sure the rules are active and test
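The same two transport rules created from the Exchange Online PowerShell session instead of the Exchange Admin Center, followed by the "make sure the rules are active" check. This is an added example, not code from the original post; the rule names are my own.

```powershell
# Added example, not from the original post. Assumes the imported Exchange Online
# session from the setup section. Rule names are constructed for this example.

# Rule 1: anything leaving the organization with an attachment over 1 MB.
New-TransportRule -Name 'OME - external with attachment over 1MB' `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 1MB `
    -ApplyOME $true `
    -Comments 'Example rule: encrypt large attachments sent outside the organization'

# Rule 2: the user opts in by putting the word "Encrypt" in the subject
# (SubjectContainsWords matches whole words, case-insensitively).
New-TransportRule -Name 'OME - subject contains Encrypt' `
    -SubjectContainsWords 'Encrypt' `
    -ApplyOME $true `
    -Comments 'Example rule: user-requested encryption via the subject line'

# Verify both rules exist and are enabled. A disabled rule fails silently:
# the message simply goes out unencrypted, so treat that as an error.
$rules = Get-TransportRule | Where-Object { $_.Name -like 'OME - *' }
$rules | Select-Object Name, State, Priority | Format-Table -AutoSize
$inactive = $rules | Where-Object { $_.State -ne 'Enabled' }
if ($rules.Count -lt 2 -or $inactive) {
    throw "OME transport rules missing or not enabled: $($inactive.Name -join ', ')"
}
```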


 

 

Testing that the transport rules apply Office 365 Message Encryption

Testing Transport Rule 1


 

Testing Transport Rule 2


 

 

When the user gets the email, this is how it's presented to them.


One thing to note is that after you go through the setup process, it may take some time to replicate across the Microsoft back-end servers. So if you test and it doesn't work, give it some more time. I have seen this process take up to 2 hours to replicate.

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Email Me Follow me on Twitter Connect with me on LinkedIN

Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

In the previous post we set up two WAP servers that act as the AD FS proxy role for our internal AD FS servers. Now that the servers are set up, we need to add an endpoint so that the servers are accessible from the internet, and we also need to load balance that endpoint across the two WAP servers.

 

Configure a Load Balanced End Point on the first Web Application Proxy Server

 

Open the Azure Management Portal

Select the first WAP Server

 

Select Endpoints

Click + Add

 

Select Add a Stand-Alone Endpoint

Click Next Arrow

 

Select HTTPS

Verify TCP

Verify Public Port 443

Verify Private Port 443

Select Create a Load-balanced set

Click Next Arrow

 

Name the load-balanced Set

Verify Protocol – TCP

Verify Probe Port – 443

Verify Probe Interval – 15

Verify Number of Probes – 2

Click the complete check mark

 

Load balanced endpoint is added

 

Add the Second Web Application Proxy Server to the WAP Load Balanced Set

 

Now that we have the load-balanced endpoint set up on the first server, we need to add the second server to this set.

 

Select the second WAP server

Click Endpoints

Click + Add

 

Select Add an endpoint to an existing load-balanced set

Select the load-balanced set you created in the step above

Click Next Arrow

 

Name the endpoint for this server

Verify the protocol – TCP

Click the complete checkmark

 

At this point both servers are added to the load-balanced endpoint and are live on the internet.
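The load-balanced HTTPS endpoint from the two portal sections above, built for both WAP servers with the classic (Service Management) Azure PowerShell cmdlets of that era and then checked. This is an added example, not code from the original post; the cloud service, VM and set names are placeholders, and it assumes Add-AzureAccount / Select-AzureSubscription have already been run.

```powershell
# Added example, not from the original post. Classic Azure (Service Management)
# PowerShell module. Names below are placeholders for your own deployment.
$ServiceName = 'wap-cloudservice'      # placeholder: the WAP cloud service
$WapVMs      = @('wap01', 'wap02')      # placeholder: both WAP servers
$LBSetName   = 'WAP-HTTPS-LB'           # placeholder: name of the load-balanced set

# Public 443 -> private 443, TCP, with the same probe settings as the portal steps:
# interval 15 s and 2 probes, which the API expresses as a 31 s probe timeout.
# Using the same -LBSetName on the second VM adds it to the existing set.
foreach ($vm in $WapVMs) {
    Get-AzureVM -ServiceName $ServiceName -Name $vm |
        Add-AzureEndpoint -Name 'HTTPS' -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName $LBSetName `
            -ProbeProtocol tcp -ProbePort 443 `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM
}

# Verify every WAP VM reports an endpoint in the same load-balanced set.
$members = foreach ($vm in $WapVMs) {
    Get-AzureVM -ServiceName $ServiceName -Name $vm | Get-AzureEndpoint |
        Where-Object { $_.LBSetName -eq $LBSetName } |
        Select-Object @{ n = 'VM'; e = { $vm } }, Name, Port, LocalPort, LBSetName, Vip
}
$members | Format-Table -AutoSize
if (@($members).Count -ne $WapVMs.Count) {
    throw "Only $(@($members).Count) of $($WapVMs.Count) WAP servers are in $LBSetName"
}

# The public VIP is what the next section puts into public DNS for the AD FS farm name.
"Public VIP for DNS: $($members[0].Vip)"
```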

 

Collect the External IP Address of the WAP Cloud Service

 

Now that the WAP servers are load balanced, we need to update our public DNS so that the AD FS farm name (in my case sts.office365supportlab.com) resolves to the Public Virtual IP (VIP) Address of the WAP cloud service.

Click on the WAP Cloud Service – On the main page the Public Virtual IP (VIP) Address will be displayed

 

 

Update Public DNS

 

Before you complete this step, please note that this could have an impact if you are already in production. Don’t update this record if you don’t know what you are doing.

Since we all use different DNS hosts, I’ll leave this one up to you. Here is a screen shot of my GoDaddy DNS zone for reference.

 

Testing AD FS from External

 

 

Browse to the URL – https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx
Make sure to modify the hostname and domain for your own domain.

Enter credentials

Click Sign in

 

 

Testing Access from Office365

Navigate to https://portal.office.com

 

Enter your UserID

Hit Tab

 

Redirecting to the WAP servers

 

The user name should be populated with the value entered on Office365 sign-in page

Enter Password

Click Sign-in

 

Credentials are verified and you are redirected to Office365.

 

This completes the series for Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365.

 

 

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On


Setting up the Second Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

In the previous post, we created the first of two WAP servers. This is the continuation of the series.

Create the Virtual Machine

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2

Click Next arrow

 

Enter a virtual machine name, tier, size, username and password

Click Next arrow

 

Select the cloud service you created when creating the first WAP server

Verify Virtual Network

Select an Availability Set that you created when creating the first WAP server

Click Next arrow

 

Click the complete checkmark

 

 

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

 

 

Configure the Primary DNS Suffix

 

Open Server Manager

Click the Computer Name

 

Click Change

 

Click More…

 

 

Enter your public domain as the Primary DNS suffix of this computer

Click OK

 

Click OK

Reboot

 

 

Install the Web Application Proxy Role

 

Open Server Manager

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Remote Access

Click Next

 

Click Next

 

Click Next

 

Select Web Application Proxy

Click Next

 

Click Add Features

 

Click Next

 

Click Install

 

Installing

 

Click Close

 

Import the SSL Certificate

AD FS uses a certificate to secure the connection from AD FS to Office365, so we need a valid SSL certificate. I chose to use GoDaddy, as I find they are a one-stop shop for all my domain needs. It's a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post I will use a multi-name certificate; I DON'T recommend this for a production environment. A couple of reasons: I like to keep things simple, and if we have multiple names on the certificate it starts to get complicated (not technically, but in managing the certificate). Secondly, I don't like to share certificates across services. This cuts down on the cross-contamination between support teams at larger companies. If you lump the AD FS services in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Edit HOSTS File

Because the WAP servers need to make contact back to the AD FS servers, we need to tell them how to get there. The simplest way of doing this (without opening more firewall ports) is to edit the local HOSTS file on the WAP server. Keep in mind that we don't have connectivity or the ability to route to the internal IP address, so we need to route to the external IP of the Cloud Service that holds the AD FS servers.

 

Complete in Azure

Click Cloud Services

Click the Cloud Service for your AD FS Servers

Make note of the Public Virtual IP (VIP) Address

 

Complete on WAP Server

Right Click Notepad and Run as Administrator

Navigate to c:\windows\system32\drivers\etc

Switch view to All Files

Open HOSTS

Edit HOSTS file with the AD FS Farm Name and the external IP Address of the AD FS Cloud Service

Click File -> Save

Close Notepad

 

Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Since we are on separate networks (from the Internal Network) we also need to make sure that we have configured Azure ACLs to allow the WAP servers to communicate with the AD FS servers on the internal network. Please review this BLOG post to complete that task.

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

 

Configure the Web Application Proxy Role

 

Open Server Manager

Click More… Configuration required for Web Application Proxy

Click Open the Web Application Proxy… under the Action column

 

Click Next

 

Enter the Federation Service Name

Enter Credentials for a local administrator on the AD FS servers

Click Next

 

Select the SSL certificate that you imported earlier

Click Next

 

Click Configure

Success

Click Close

 

At this point the WAP server is functioning. All that remains is to add an endpoint for port 443 and load balance the two servers.

Continue onto the next post in the series to finish the configuration.

 


Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

The Web Application Proxy servers are the new way to publish AD FS to the internet. They replace the old AD FS proxy servers and are new to Windows Server 2012 R2. These servers should be deployed in a DMZ network and are non-domain joined.

Create a New Cloud Service

Because we are going to load balance one or more virtual machines, we need to create a Cloud Service to put them in. Think of it as a bucket to hold your virtual machines and to apply ACLs to secure the virtual machines. You will require one for the AD FS Servers and one for the Web Application Proxies (AD FS Proxy Servers).

 

Click New

Select Compute -> Cloud Service -> Custom Create

 

Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net name space.

Select your Region or Affinity Group

Click OK

 

Create the Virtual Machine

 

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2

Click Next arrow

 

Enter a virtual machine name, tier, size, username and password

Click Next arrow

 

Select the cloud service you created above

Verify Virtual Network

Create an Availability Set

Click Next arrow

 

Click the complete checkmark

 

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

 

 

Configure the Primary DNS Suffix

 

Open Server Manager

Click the Computer Name

 

Click Change

 

Click More…

 

Enter your public domain as the Primary DNS suffix of this computer

Click OK

 

Click OK

Reboot

 

Install Web Application Proxy Role

 

Open Server Manager

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Remote Access

Click Next

 

Click Next

 

Click Next

 

Select Web Application Proxy

Click Next

 

Click Add Features

 

Click Next

 

Click Install

 

Installing

 

Click Close

 

Import the SSL Certificate

AD FS uses a certificate to secure the connection from AD FS to Office365, so we need a valid SSL certificate. I chose to use GoDaddy, as I find they are a one-stop shop for all my domain needs. It's a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post I will use a multi-name certificate; I DON'T recommend this for a production environment. A couple of reasons: I like to keep things simple, and if we have multiple names on the certificate it starts to get complicated (not technically, but in managing the certificate). Secondly, I don't like to share certificates across services. This cuts down on the cross-contamination between support teams at larger companies. If you lump the AD FS services in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Edit HOSTS File

Because the WAP servers need to make contact back to the AD FS servers, we need to tell them how to get there. The simplest way of doing this (without opening more firewall ports) is to edit the local HOSTS file on the WAP server. Keep in mind that we don't have connectivity or the ability to route to the internal IP address, so we need to route to the external IP of the Cloud Service that holds the AD FS servers.

 

Complete in Azure

 

Click Cloud Services

Click the Cloud Service for your AD FS Servers

Make note of the Public Virtual IP (VIP) Address

 

Complete on WAP Server

 

Right Click Notepad and Run as Administrator

Navigate to c:\windows\system32\drivers\etc

Switch view to All Files

Open HOSTS

Edit HOSTS file with the AD FS Farm Name and the external IP Address of the AD FS Cloud Service

Click File -> Save

Close Notepad

 

Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Since we are on separate networks (from the Internal Network) we also need to make sure that we have configured Azure ACLs to allow the WAP servers to communicate with the AD FS servers on the internal network. Please review this BLOG post to complete that task.

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

 

Configure the Web Application Proxy Role

 

Open Server Manager

Click More… Configuration required for Web Application Proxy

 

Click Open the Web Application Proxy… under the Action column

 

Click Next

 

Enter the Federation Service Name

Enter Credentials for a local administrator on the AD FS servers

Click Next

 

Select the SSL certificate that you imported earlier

Click Next

 

Click Configure

 

Setting up the WAP server

 

Success

Click Close

 

At this point the WAP server is functioning. To test the WAP server, you can edit your local workstation hosts file to point at the external IP of the WAP cloud service. This will allow you to test the configuration without editing global DNS.
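The WAP build that both WAP posts (first and second server) walk through in Server Manager and Notepad, done from an elevated PowerShell prompt on the non-domain-joined WAP server: role install, HOSTS entry for the AD FS cloud service VIP, certificate lookup, and the proxy configuration with a local administrator credential for the AD FS servers. This is an added example, not code from the original posts; sts.domain.com and the VIP are placeholders.

```powershell
# Added example, not from the original posts. Run elevated on the WAP server.
$FederationServiceName = 'sts.domain.com'   # placeholder: your AD FS farm name
$AdfsCloudServiceVip   = '203.0.113.20'     # placeholder: Public VIP of the AD FS cloud service

# 1. Role install (Add Roles and Features -> Remote Access -> Web Application Proxy).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. HOSTS entry so the farm name resolves to the AD FS cloud service VIP on this box
#    (we cannot route to the internal AD FS addresses from the DMZ network).
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($FederationServiceName)) -Quiet)) {
    Add-Content -Path $hosts -Value "$AdfsCloudServiceVip`t$FederationServiceName"
}

# 3. Locate the imported SSL certificate in LocalMachine\Personal. Require a private key
#    and a subject or SAN matching the farm name; pick the longest-lived if several match.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and (
            $_.Subject -like "*$FederationServiceName*" -or
            (($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $FederationServiceName)
        )
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $FederationServiceName in LocalMachine\My; import it first."
}

# 4. Configure the proxy. The credential is a local administrator on the AD FS servers,
#    used only to establish the proxy trust with the farm.
$trustCred = Get-Credential -Message 'Local administrator on the AD FS servers'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $cert.Thumbprint

# 5. Confirm the proxy is configured and which certificate it is serving.
Get-WebApplicationProxyConfiguration | Format-List
Get-WebApplicationProxySslCertificate
```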

Continue on to the rest of the series where we will add a second WAP server and then load balance the two.

 


Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

If you read the earlier posts in the series, you would have noted that there are two methods to deploy the AD FS server load balancing. Because I am in an all-Azure environment, I chose to deploy with method 2, using Azure load balancing on port 443 for AD FS. The following post details how to set up Azure ACLs to allow communication from the DMZ network to the production network and then deny all others.

This post needs the cloud service for the WAP servers created, along with at least one WAP server deployed to it, so that we can get the Public Virtual IP. This needs to be completed before we can add the WAP servers as proxies for the AD FS servers. There is no really clean way to blog this, so you will have to jump back and forth between this post and Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On to complete the task.

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • VPN connection setup from Azure to your on-premise network
  • Primary and Secondary AD FS servers are setup (see previous posts in this series)
  • The cloud service for the WAP servers is created.

 

The first thing that you need to do is gather the Public Virtual IP for the WAP cloud service.


 

 

Change ACLs to allow WAP access

 

Navigate to the Primary AD FS Server

Select Endpoints

Select HTTPS (or whatever you called the endpoint for AD FS)

Click Manage ACL


 

You will notice that the ACL list is not populated, which means that it’s wide open to the internet. We need to secure the AD FS load balanced set, while still giving the WAP servers access. This will allow the WAP servers to talk to the AD FS servers. We are going to create two rules; one permit and one deny.

 

The first rule will grant access from the WAP servers to the AD FS servers

Enter a description of the rule

Select Permit

Enter the IP address of the WAP cloud service in CIDR format. You will notice the /32 at the end, which will limit the rule to that one IP address.


 

Now that we have granted access on port 443 to the WAP servers, we need to deny all others. Keep in mind that this is for external traffic only. Internal users will still be able to access the AD FS servers on the domain network. This is just for the NAT address from external client access in Azure.

 

Enter a description of the rule

Select Deny

Enter 0.0.0.0/0

This will deny all traffic


 

Click the complete checkmark

Azure will update the rule. There is no need to complete this on the other servers as the rule will apply to the load balanced endpoint.
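The permit/deny ACL from the steps above applied with the classic (Service Management) Azure PowerShell cmdlets to the AD FS load-balanced endpoint, then read back to confirm the endpoint is no longer wide open. This is an added example, not code from the original post; the service, set and VM names and the WAP VIP are placeholders.

```powershell
# Added example, not from the original post. Classic Azure (Service Management)
# PowerShell module; assumes Add-AzureAccount / Select-AzureSubscription already ran.
$AdfsServiceName = 'adfs-cloudservice'   # placeholder: cloud service holding the AD FS servers
$AdfsLBSetName   = 'ADFS-HTTPS-LB'        # placeholder: the AD FS load-balanced set
$AdfsPrimaryVM   = 'adfs01'               # placeholder: primary AD FS server name
$WapVip          = '203.0.113.10'         # placeholder: Public VIP of the WAP cloud service

# Build the ACL. Lower Order is evaluated first, so the single-host permit must
# precede the deny-all; /32 limits the permit to exactly the WAP VIP.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet "$WapVip/32" -Order 100 `
    -Description 'Allow WAP cloud service to AD FS' -ACL $acl
Set-AzureAclConfig -AddRule -Action Deny -RemoteSubnet '0.0.0.0/0' -Order 200 `
    -Description 'Deny all other external sources' -ACL $acl

# Apply once to the load-balanced set; as the post notes, it covers every VM in the set.
Set-AzureLoadBalancedEndpoint -ServiceName $AdfsServiceName -LBSetName $AdfsLBSetName -ACL $acl

# Read it back from one member. An empty ACL means the endpoint is open to the internet.
$applied = Get-AzureVM -ServiceName $AdfsServiceName -Name $AdfsPrimaryVM |
    Get-AzureEndpoint |
    Where-Object { $_.LBSetName -eq $AdfsLBSetName } |
    Select-Object -First 1 -ExpandProperty Acl
if (-not $applied) { throw "No ACL on $AdfsLBSetName; the AD FS endpoint is open to the internet" }
$applied | Sort-Object Order | Format-Table Order, Action, RemoteSubnet, Description -AutoSize
```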


 

 


Microsoft MVP for Office 365

I got a pretty wicked awesome email this morning. Microsoft made me a MVP for Office 365. The first in Canada!

Thanks Microsoft.

http://mvp.microsoft.com/en-us/default.aspx

 

Dear Kelsey Epps,

Congratulations! We are pleased to present you with the 2013 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Office365 technical communities during the past year.

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say “Thank you for your technical leadership.”

Mike Hickman
Director
Community Engagement
Microsoft

 
