Sign in to Office: Microsoft Office 365 account


It's always difficult to start somewhere. After much thought, I decided to devote my first article on Habr to the topic that I am currently working on: Office 365 in all its manifestations.

The site already had several articles describing certain components of this service. We’ve written about and, but in addition to practice, a little theory wouldn’t hurt. Of course, it’s impossible to tell everything, and it’s not interesting, but in my opinion, important points are worth noting.

From my own experience, I can say that authentication in Office 365 is a rather complex topic, the apparent simplicity and obviousness of which often hides subtle nuances, the knowledge of which allows you to better deploy the system and reduce the time required to localize the problem. These are the nuances I would like to talk about today.


In Office 365, there are three types of identities used to authenticate your users to Exchange Online, SharePoint Online, Lync Online, and even Office Pro Plus.

  1. Microsoft Online ID is a regular account in Windows Azure Active Directory. This is an analogue of the Active Directory we are all familiar with, but adapted to work with Microsoft cloud products (for example, in addition to Office 365, it is also used for MS Dynamics CRM Online). Users are created manually using the admin portal or in bulk via a CSV file.
  2. Microsoft Online ID + DirSync - the same “cloud” users, but they represent a copy of accounts from your AD, created using the Microsoft Directory Synchronization utility, or DirSync for short. Almost all basic attributes are transferred from local AD, but user passwords are not transferred. User management is done partly through AD and partly through the portal.
  3. Federated ID + DirSync - the system is based on the same principle of copying accounts from your AD, with the only difference being that Active Directory Federation Services (ADFS) 2.0 is used for authentication. Users are managed through local AD.

Comparison of identity types

Microsoft Online ID
  Audience
    • Small organizations without on-premises Active Directory
  Pros
    • No local servers required
  Cons
    • Identity management from the cloud

Microsoft Online ID + DirSync
  Audience
    • Medium-sized organizations with on-premises Active Directory
  Pros
    • Local user and group management
    • Coexistence scenarios
  Cons
    • Single sign-on topology not possible
    • Two-factor authentication is not possible
    • Two sets of credentials with different password policies
    • Server deployment required

Federated ID + DirSync
  Audience
    • Large organizations with on-premises Active Directory
  Pros
    • Single sign-on topology with corporate credentials
    • Local identity management
    • Password policy is controlled locally
    • Two-factor authentication possible
    • Coexistence scenarios
  Cons
    • Requires highly available server deployment

In practice, the third option is chosen most often, because it lets you achieve account consistency and simplify user management while maintaining full control over access rights and password policies.

The first two options are technically quite straightforward, but implementing authentication through ADFS is where difficulties arise.

Before I talk about the authentication mechanism, I’ll give a real life situation: a company with 1000+ users used Office 365 with authentication via ADFS. One not-so-great morning, users began to complain that their Outlook could not connect to their mail, but they still had access to Outlook Web Access, SharePoint or Lync. The cause of the failure was a change in server policies and, as a result, the ADFS Proxy service crashed. Several hours were spent locating this problem, which could have been saved by understanding a few simple things about authentication in Office 365.

So, Office 365 uses two main authentication mechanisms (sometimes called profiles):

Passive mechanism - used for authentication to Office 365 services from a browser or a single sign-on service.
The operating principle of this mechanism can be illustrated by the following diagram:

  1. The user, using a browser or the Lync client, requests information from the SharePoint Online service, Exchange OWA or the Lync server and receives a response asking them to log in to the Authentication Platform.
  2. After receiving the request, the Authentication Platform determines that a federated identifier is being used and requires a User Source ID (confirming the user’s validity in the local Active Directory), for which it redirects the request to the ADFS server URL.
  3. The ADFS server authenticates the user against the local AD and issues a signed User Source ID.
  4. Armed with this kind of “passport”, the user returns to the Authentication Platform, which this time issues a “cloud identity”, the NET ID.
  5. This identity is subsequently used to work with the services.

Active mechanism - used for authentication to the email service from Outlook or over the ActiveSync, IMAP and POP3 protocols.
The scheme is very similar to the previous version:


This mechanism repeats all the steps of the passive one, with one important difference: the user sends their credentials to the Exchange Online service in explicit form (protected, of course, by HTTPS). Exchange Online then uses impersonation to go through all further stages on behalf of the user, including communicating with the ADFS server and obtaining the User Source ID.

Therefore, there are a few key points to consider - DNS, certificates, publishing and fault tolerance.

DNS
If problems arise, always keep in mind which DNS server the user is currently using when authenticating to a specific service.

Certificates
If all your users are on the corporate network and use only a browser and Lync client to work with Office 365, then you can forget about this point and feel free to use your CA’s self-signed certificate. But as soon as you have external users or want to configure your favorite phone to receive corporate email, you will need a valid certificate issued by a trusted certificate authority. As a best practice, even at the stage of transition to Office 365, you should immediately plan to purchase, if not a wildcard, then at least a regular one with a pair of SANs, without hoping that you have a unique situation and external users will never appear.

Fault tolerance
What seems the most obvious thing in any IT system turns out, in practice, to be the most painful. Ensuring ADFS server resiliency is a critical and often overlooked step when setting up federated authentication. Increasing the reliability of ADFS is quite a simple task: use either a third-party NLB or the standard Windows Network Load Balancing (WNLB). I understand that I’m talking about obvious things, but, unfortunately, many administrators do not pay attention to fault tolerance, planning to deploy another server “someday later”. Without going into too much detail, in practice, lack of ADFS balancing is the most common cause of problems with Office 365.

Publication
Once Outlook or ActiveSync becomes part of your Office 365 use case, the question becomes how to properly publish ADFS to the outside world. There are several possibilities for this:

  • Exposing the ADFS server directly to the outside is the worst and least secure option, one that administrators resort to only out of necessity.
  • Deploy ADFS Proxy - you will need two additional servers and load balancing between them (again using a third-party NLB or WNLB). Among the advantages, it is worth noting the ease of setup and administration. There is almost nothing to break there.
  • Publishing through Forefront TMG/UAG is more difficult to configure and support, but much more functional. Allows you to expand the functionality of ADFS for external users and implement more complex Office 365 authorization scenarios. Some administrators manage to use TMG publishing and ADFS Proxy, which, in principle, is possible, but is fraught with many complexities and instabilities that are difficult to localize.
  • External Reverse Proxy - can be any solution/device that does not modify SAML requests/responses, such as Citrix NetScaler or even a simple stunnel. Requirements for reverse proxy can be found here
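
The DNS and certificate points above can be checked from a workstation before users report a failure. The following PowerShell script is an added example, not part of the original article: it resolves the federation host name through the client's current resolver and through a public one, then inspects the TLS certificate presented at each address. The host name sts.example.com and the resolver 8.8.8.8 are assumed placeholder values.

```powershell
# Added example. Assumptions: sts.example.com stands for your ADFS federation
# service name and 8.8.8.8 for any public resolver. Resolve-DnsName requires
# Windows 8 / Windows Server 2012 or later.
param(
    [string]$FederationHost = 'sts.example.com',
    [string]$PublicResolver = '8.8.8.8'
)

function Get-ARecord {
    param([string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        Resolve-DnsName @query |
            Where-Object { $_.QueryType -eq 'A' } |
            ForEach-Object { $_.IPAddress }
    }
    catch { Write-Warning "DNS lookup of $Name failed: $($_.Exception.Message)" }
}

function Test-TlsEndpoint {
    param([string]$HostName, [string]$Address, [int]$Port = 443)
    $script:TlsPolicyErrors = $null
    # The callback accepts every certificate so that a bad one can still be
    # inspected; the errors .NET found are recorded and reported, not ignored.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $policyErrors)
        $script:TlsPolicyErrors = $policyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name the certificate must match
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Address      = $Address
            Reachable    = $true
            Issuer       = $cert.Issuer
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            PolicyErrors = [string]$script:TlsPolicyErrors   # 'None' when name and chain are valid
        }
    }
    catch {
        [pscustomobject]@{
            Address = $Address; Reachable = $false; Issuer = $null
            DaysLeft = $null; PolicyErrors = $_.Exception.Message
        }
    }
    finally { $tcp.Close() }
}

# Two views of the same name: what this client resolves, and what the outside world resolves.
$views = @(
    @{ View = 'client resolver'; Addresses = @(Get-ARecord -Name $FederationHost) }
    @{ View = "public resolver $PublicResolver"; Addresses = @(Get-ARecord -Name $FederationHost -Server $PublicResolver) }
)

$results = foreach ($view in $views) {
    if (-not $view.Addresses) {
        Write-Warning "$FederationHost has no A record via $($view.View)"
        continue
    }
    foreach ($ip in $view.Addresses) {
        Test-TlsEndpoint -HostName $FederationHost -Address $ip |
            Add-Member -NotePropertyName View -NotePropertyValue $view.View -PassThru
    }
}

$results | Format-Table View, Address, Reachable, DaysLeft, PolicyErrors, Issuer -AutoSize

# Anything unreachable, failing validation or close to expiry needs attention.
$results |
    Where-Object { -not $_.Reachable -or $_.PolicyErrors -ne 'None' -or $_.DaysLeft -lt 30 } |
    ForEach-Object { Write-Warning "$($_.View) / $($_.Address): $($_.PolicyErrors), days left: $($_.DaysLeft)" }
```

A domain-joined machine trusts the internal CA, so a certificate that validates here may still be rejected by Exchange Online in the active mechanism; run the check from a machine outside the domain to see the external view. An address returned by the public resolver may also be unreachable from inside the corporate network.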

Office 365 for Education gives students, teachers, and school staff the ability to freely use email, create websites, edit and store documents online, instant messaging, web conferencing, and access a wide range of collaboration services .

For a complete list of all Office 365 Education features, see link.

In this article, we'll take a detailed look at the entire process of registering your school for Office 365, as well as connecting it to the free Office 365 Education plan.

As part of this process, at the first stage, a version with an expanded set of services, Office 365 for Education E5, is provided for free access for 30 days. After 30 days, Office 365 Education licenses must be purchased at zero cost. The sequence of actions is described in more detail below.

  1. Go to the Office 365 Education website here.

2. On this page, follow the link “Institutional Leaders and IT Professionals: Register Your Institution” and click the green “Free Trial” button to go to the registration form.

My organization doesn't have access to Office 365. How do I get it?

To gain access to Office 365 Education services, you first need to create a tenant. Tenant is your Office 365 workspace where you can work with licenses, configure services, etc.

  1. Go to the Office 365 Education website here.

2. On the page that opens, follow the “Free trial” link to go to the registration form.

3. Fill out all the required registration form data in Latin letters (Microsoft O365 Support)

Please note that by completing this form you will receive access to a 30-day free version of the E5 plan in Microsoft Office 365 Education.

The E5 plan is not free. Once your organization is verified as a school organization, you will be given the opportunity to assign free licenses.

4. In the “Create a new user ID” section of the registration form, enter the required information.

Create and enter in field 1 (see Figure 6) a user ID to access Office 365 services.

The user ID can be your last name and first name in Latin (for example, fedorov_sergey or fedorovsv, etc.) or any other name that you will not forget (for example, “administrator”, “adminOffice365”, etc.).

In field 2 (see Figure 6) you need to enter a unique value by which your educational institution will be registered in Office 365.

For example, if you enter "myschool1254", then your initial email address will end with "@myschool1254.onmicrosoft.com".

If the value in field 2 is not unique, the system will ask you to change this value.

If all values are unique, the system will show your new user ID in field 3 (see Figure 6).

Create and enter in field 4 (see Figure 6) a password to access Office 365 services.

5. In the next section, you need to verify your phone number.

To do this, give your phone number and choose how to receive the code:

  • Send a text message
    A text message (SMS) with a confirmation code will be sent to your mobile phone.

  • Call me
    The system will call the phone number you specified and dictate a confirmation code to you.

After receiving the verification code, enter it in the “Verification code” field.
If the SMS confirmation does not arrive, try entering a different phone number.

6. Once you have completed all fields on the registration form and verified your phone number, save your information and password.

Your school section will be created in Office 365.

7. The Setup Wizard will help you verify your eligibility to use Microsoft Office 365 Education.

To access Microsoft Office 365 Education plans, you'll need to provide and verify your school's domain.

A domain (or domain name) is the identity of your school on the Internet (for example, school1254.ru). It can be used for your school website (for example, www.school1254.ru) or email addresses for teachers and students (for example, [email protected]).

If your school already has a domain, then click the “Add Domain” button to complete the verification.

If your educational institution has not yet purchased a domain, then you can skip and immediately start using the trial version, returning to this menu later.
If you want to purchase a domain, click the “Buy Domain” button.

Once you purchase your domain, you can return to this check and verify your domain ownership to access Microsoft Office 365 Education plans.

To add a new domain, sign in to the Office 365 admin center at https://portal.office.com/ with your user ID (for example, fedorodsv@myschool1254.onmicrosoft.com).
Open the “Administrator” tab.


Select the menu item "Options", "Domains".

On the Domains page, click the Add Domain button.

Follow the instructions to create a verification record with your DNS hosting provider.

After making the necessary changes to DNS, wait at least 15 minutes and click the “Record added” button.

8. A pop-up window will appear asking you to enter your organization's website URL.

A website URL is an entry like "www.your domain". In our example the URL would be "www.school1254.ru".

After entering the URL, click the Continue button.

If the system was unable to verify your domain, you will see the following message.

In this case, double-check that the DNS check records are entered correctly and check again later.

9. If you successfully pass the domain ownership verification check, the system will inform you about this with the following message.

Once the Office 365 tenant is deployed, you can move on to working with user accounts. In Office 365, you can create users in the cloud, or you can sync user accounts with users in your organization. Below is the option in which the personal database used to identify users is hosted locally on your server.

The Office 365 tenant has been deployed. How do I sync user accounts from my directory service?

Now we need to synchronize user accounts from your organization with the Office 365 cloud. To synchronize the accounts in your organization's on-premises personal database, you need to install the Azure AD Connect utility.

Azure AD Connect is a tool for integrating an on-premises identity system, such as Windows Server Active Directory, with Office 365. You can download it here:
https://www.microsoft.com/en-us/download/details.aspx?id=47594

Please note that installing Azure AD Connect requires Windows Server 2012 R2 with an external static IP address.

After downloading Azure AD Connect, follow these steps:

  1. Sign in to the server where you want to install Azure AD Connect as a local administrator. This should be the server that you want to be the sync server.

2. Navigate to the AzureADConnect.msi file and double-click it.

3. On the Welcome screen, select the checkbox indicating that you agree to the terms of the license agreement and click Continue.

4. On the Standard Settings screen, click Use Standard Settings.

5. On the Connect to Azure AD screen, enter the username and password for your Office 365 global administrator account. Click Next.

6. On the Connect to AD DS screen, enter the username and password for your Enterprise Administrator account. Click Next.

7. On the Ready to Setup screen, click Install.

8. If necessary, you can clear the "Start synchronization immediately after setup is complete" checkbox on the "Ready to setup" page. In this case, the wizard will configure synchronization, but the task will be disabled until you manually activate it in the task scheduler. Once the task is activated, synchronization will occur every three hours.

9. Once installation is complete, click Exit.

10. Make sure there are no errors, and after a while, go to your tenant and make sure that user accounts appear in your tenant.
To do this, you need to go to your Office 365 admin panel.

I want to get free Office 365 Education licenses. How can I do it?

Once you've set up your tenant and verified domain ownership, Office 365 will automatically generate and send a request to the Office 365 support team to review your domain against Microsoft's educational requirements.

The Office 365 support team will review your request within 3-5 days and decide whether your organization is eligible for Office 365 Education plans.

After the review period has passed, you will be notified of the decision by email.

  1. In the Office 365 admin center, go to the “Billing” menu item and the Subscriptions submenu. Select “Add subscriptions”.
  2. Select the Office 365 Education (Teacher) plan and click Add to add the required number of Office 365 Education (Teacher) plan licenses.
    After that, select the Office 365 Education (Student) plan and click “Add” to add the required number of plan licenses for students (in our case, “student” should be understood as any kind of learner)

Once added, licenses can be assigned to users.

I want to receive the free Office 365 Education Plus licenses included in the agreement. How can I do it?

To obtain licenses, you must have a configured tenant with a verified domain.

To speed up the process of obtaining Office 365 Pro Plus Education licenses, email your list of added domains to: [email protected] or a partner with whom an agreement has been concluded under the First Aid program (“Agreements”) for the right to use Microsoft software in institutions of primary and secondary education in the Russian Federation.

The letter must indicate the agreement and enrollment number, the full name of the customer’s organization, registration name and domain.

After confirmation and inclusion in the list (about a week), you will need to perform the following actions (2 options):

Option 1.

Register/create two users without licenses: Teacher and Student/Apprentice

Fill in Student/Teacher details

Choose Student for the student and Teacher for the teacher.
Then click Next through the remaining screens.

Everything is ready, exit.

Go back to the tenant: the PLUS licenses should appear in subscriptions.

Option 2.

Once your listing is confirmed (approximately a week), you will need to do the following (if necessary, use the help of a technical specialist):

  1. On a machine with the Azure AD PowerShell module installed, run the following commands (in the authorization window, enter the username and password for the tenant):
    Import-Module MSOnline
    Connect-MsolService
    Set-MsolCompanySettings -AllowAdHocSubscriptions $true
    Set-MsolCompanySettings -AllowEmailVerifiedUsers $true

  2. Next, go to the website https://products.office.com/ru-ru/student/office-in-education?tab=teachers and enter the login of a user who is in your tenant, was created in a verified domain and has no licenses assigned.
    Select “I’m a student”.
    Then log in with the login and password of that account and wait for the setup to complete.

After this, log out of the account you are using and repeat these steps for another account, only this time select “I’m a teacher”.

Licenses for students and teachers should be in your tenant.

  3. Lastly, run the commands below to prevent users from automatically adding licenses:
    Import-Module MSOnline
    Connect-MsolService
    Set-MsolCompanySettings -AllowAdHocSubscriptions $false
    Set-MsolCompanySettings -AllowEmailVerifiedUsers $false

After these steps, the licenses will appear in the tenant and will be available for assignment. If you encounter any problems related to this process, you can contact [email protected].
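
Option 2 leaves self-service sign-up open for as long as the two settings stay at $true, so the revert in the last step should not depend on someone remembering it. The script below is an added example, not part of the original instructions: it wraps the same steps in try/finally, verifies the resulting tenant state with Get-MsolCompanyInformation and lists the SKUs that appeared. The prompt text is an assumption.

```powershell
# Added example. Uses the MSOnline cmdlets from the steps above plus
# Get-MsolCompanyInformation and Get-MsolAccountSku from the same module.
Import-Module MSOnline
Connect-MsolService   # enter the tenant administrator's credentials

function Get-SelfServiceState {
    # Reads back the two tenant settings that the procedure toggles.
    $company = Get-MsolCompanyInformation
    [pscustomobject]@{
        AllowAdHocSubscriptions = [bool]$company.AllowAdHocSubscriptions
        AllowEmailVerifiedUsers = [bool]$company.AllowEmailVerifiedUsers
    }
}

# Remember which SKUs exist before the sign-ups so new ones can be identified.
$skusBefore = @(Get-MsolAccountSku | ForEach-Object { $_.AccountSkuId })

Write-Host 'Self-service settings before the change:'
Get-SelfServiceState | Format-List

try {
    Set-MsolCompanySettings -AllowAdHocSubscriptions $true
    Set-MsolCompanySettings -AllowEmailVerifiedUsers $true

    # The student and teacher sign-ups are done by hand in the browser.
    Read-Host 'Complete both sign-ups in the browser, then press Enter' | Out-Null
}
finally {
    # Runs even if a cmdlet above fails or the session is interrupted with Ctrl+C.
    Set-MsolCompanySettings -AllowAdHocSubscriptions $false
    Set-MsolCompanySettings -AllowEmailVerifiedUsers $false
}

# Do not trust the revert blindly: read the settings back from the tenant.
$state = Get-SelfServiceState
if ($state.AllowAdHocSubscriptions -or $state.AllowEmailVerifiedUsers) {
    throw 'Self-service sign-up is still enabled. Re-run the two Set-MsolCompanySettings commands with $false.'
}
Write-Host 'Self-service sign-up is disabled again.'

# Report the SKUs that were added while sign-up was open.
$skusAfter = Get-MsolAccountSku
$added = @($skusAfter | Where-Object { $skusBefore -notcontains $_.AccountSkuId })
if ($added.Count -eq 0) {
    Write-Warning 'No new SKU appeared in the tenant; the sign-ups may not have completed.'
}
else {
    $added | Format-Table AccountSkuId, ActiveUnits, ConsumedUnits -AutoSize
}
```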

Please note that these licenses include both Cloud Services and applications for installation on your devices. When you assign Office 365 Education Plus licenses, you must either replace the entire Office 365 Education license or remove duplicate products from one of the licenses.

The licenses are already present in my tenant and the users are synchronized. How can I assign licenses to users?

After confirming the domain as belonging to the educational institution, synchronizing, and obtaining licenses, we can assign them to users.
To do this, go to “users”, “Active users” and select a specific user or several.

In the menu, click on the “Edit”, “add…” button

Repeat this operation for other users.

If you have a large number of users in your organization, you can use the PowerShell console to assign licenses in bulk: https://community.office365.com/ru-ru/w/sso/3293
After assigning licenses, users can use their Office 365 account. To log in to the office portal (www.portal.office.com), they can use their organization login and password.

If you have any technical questions or problems, please contact us by email:

In continuation of the series of articles about Microsoft Office 365, we will consider the main points of user management provided by the administration portal. In June 2011, Microsoft released a new cloud product called Microsoft Office 365 in 40 global regions. This product takes the set of business applications sold under the Microsoft Office name to a new level of quality, combining the standard applications installed on the client’s workstation with the Microsoft Online Services cloud service.

Now that beta testing is over, there can only be limited access to the trial version of the product. In the trial version, all functionality is available. The time of use is limited to 30 calendar days. So how can you access Microsoft Office 365? Instructions are provided below.

The first thing you need to do is subscribe to one of the offers available for the region in which your organization is registered. You can do this on the Microsoft Office 365 home page (http://www.microsoft.com/ru-ru/office365/online-software.aspx). After you complete the subscription, an email will be sent to the address specified in the subscription form; it contains your username and password (Microsoft Online Services ID, or MOSID) and a link to the Microsoft Office 365 portal. A MOSID account looks like an email address: a string of the form <Administrator>@<organization domain>.onmicrosoft.com. The email will also indicate your subscription plan. Subscription plans will be discussed in a separate article.

So, after receiving the activation letter and MOSID, go to the Microsoft Office 365 administration portal (Figure 1).

Figure 1. Microsoft Office 365 admin portal.

To go to tasks related to user administration on the left side of the portal, in the “Management” section, click on the “Users” link (Figure 2).

Figure 2. Microsoft Office 365 administration portal - user administration.

Figure 2a. Mass addition of users.

Before adding a user, you might want to think about the possibility of adding users all at once - the “Bulk addition of users” button (Figure 2). In this case, a migration plan for existing users is drawn up, information about which must be generated in a text file. The migration plan will be discussed in more detail in a separate article.

On the “Users” page that opens, note that before moving on to administration you should familiarize yourself with the tasks associated with user administration. For example, information is available on the following tasks:

1. Single sign-on - organizing a single sign-on on the Microsoft Office 365 client workstation.

2. Active Directory synchronization - the task of synchronizing the cloud service with the existing Active Directory environment.

3. Managing external contacts in Exchange Online - methods of administration in Exchange Online. Contact as a special case.

Also, tasks are available for administering the user accounts themselves:

1. Creation.

2. Adding users.

3. Editing.

4. Password reset.

5. Removal.

6. Activation of synchronized users.

So, proceed to create a new user account. To perform this action, sequentially click on the links “Create” - “User”. The “New User” Addition Wizard page will open (Figure 3).

Figure 3. New User Wizard - Properties Page.

In the “New User” wizard that opens, on the properties page, fill in the required “Display name” and “User name” fields. Opposite the username, there is the option to select a domain name, in case of multiple domain name registrations in an organization. The “First Name” and “Last Name” fields can be left blank; their completion must be regulated by the local regulations of the organization itself. Also, on this page you can enter additional information. To perform this action, click on the “Additional properties” button (Figure 4)

Figure 4. New User Wizard - Advanced Properties Page.

In the “New User” wizard, on the additional properties page, there are no required fields; their completion must be regulated by the local regulations of the organization itself. The fields are as follows: “Position”, “Department”, “Office number”, “Work telephone”, “Mobile telephone”, “Fax number”, “Street, house”, “City”, “Region, territory”, “Postal code”, “Country or region”. When filling in this data, remember that it falls under the law on personal data: provide only the information for which the user has signed consent to processing with the organization in advance. For example, the “Mobile telephone” field can be filled in if it is a business phone. If a personal number is entered, an additional agreement must be obtained.

Having filled in all the data required by the organization’s policy, click the “Next” button to continue the “New User” wizard. To cancel the operation of creating a new user, click on the “Cancel” button (Figure 5).

Figure 5. New User Wizard - role assignment page.

On the next page of the New User wizard, the Role Assignment page, you must determine whether the user will be granted extended administrator rights. By default, only limited rights are granted. To grant extended administrator rights, select “Yes”. In the drop-down list of available roles, select the one corresponding to the user’s job responsibilities (Figure 6).

Figure 6. “New User” Wizard - Role Selection.

So, you need to select one of the provided built-in administrative roles (from the official website):

1. Billing Administrator: Makes purchases, manages subscriptions and support requests, and monitors service performance.

2. Global Administrator: The top level administrator in the organization. When you sign up to purchase Office 365, you become a global administrator. Global admins have access to all features in the admin center, and only they can assign other admin roles. An organization can have multiple global administrators.

3. Password Administrator: Resets passwords, manages service requests, and monitors the health of services. Password administrators can only reset passwords for users and other password administrators.

4. Service Administrator: This role allows you to manage service requests and monitor the health of services.

5. User Management Administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. User management administrator permissions are somewhat limited. For example, they cannot delete global admins or create new admins. Additionally, they cannot reset passwords for billing administrators, global administrators, or service administrators.

Select, for example, “Service Administrator” and click the “Next” button to continue the “New User” wizard. To cancel the operation of creating a new user, click on the “Cancel” button; to return to the previous page, click the “Back” button (Figure 7).
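
Because only global administrators can assign other admin roles, it is worth reviewing from time to time who actually holds each role. The following PowerShell script is an added example, not from the original article: it uses the MSOnline module to list every role with its members and to flag global administrator accounts with weak password settings. In this module the Global Administrator role is named “Company Administrator”; the threshold of four global admins is an assumed value.

```powershell
# Added example. Assumptions: the MSOnline module is installed and the
# signed-in account may read roles; $MaxGlobalAdmins is an arbitrary
# review threshold, not a Microsoft limit.
Import-Module MSOnline
Connect-MsolService

$MaxGlobalAdmins = 4

# One row per (role, member) pair across all built-in roles.
$assignments = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $role.Name
            Member      = $member.EmailAddress
            DisplayName = $member.DisplayName
            MemberType  = $member.RoleMemberType
            ObjectId    = $member.ObjectId
        }
    }
}

$assignments | Sort-Object Role, Member |
    Format-Table Role, Member, DisplayName, MemberType -AutoSize

# Accounts that hold more than one admin role deserve a second look.
$assignments | Group-Object ObjectId | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $roles = ($_.Group | ForEach-Object { $_.Role }) -join ', '
        Write-Warning "$($_.Group[0].DisplayName) holds several roles: $roles"
    }

# "Company Administrator" is the MSOnline name of the Global Administrator role.
$globalAdmins = @($assignments | Where-Object { $_.Role -eq 'Company Administrator' })
if ($globalAdmins.Count -gt $MaxGlobalAdmins) {
    Write-Warning "$($globalAdmins.Count) global administrators found (review threshold: $MaxGlobalAdmins)."
}

# Check the password settings of each global admin that is a user account.
foreach ($admin in $globalAdmins | Where-Object { $_.MemberType -eq 'User' }) {
    $user = Get-MsolUser -ObjectId $admin.ObjectId
    $issues = @()
    if ($user.PasswordNeverExpires)              { $issues += 'password never expires' }
    if ($user.StrongPasswordRequired -eq $false) { $issues += 'strong password not required' }
    if ($user.BlockCredential)                   { $issues += 'sign-in blocked but role still assigned' }
    if ($issues) {
        Write-Warning "$($user.UserPrincipalName): $($issues -join '; ')"
    }
}
```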

Figure 7. New User Wizard - License Assignment Page.

On the next page of the New User wizard, the License Assignment page, assign licenses based on the plans available in your organization's subscription. For example, in the beta version two plans, E3 and K2, were available, as well as archiving based on Exchange Online. Brief information on these plans:

1. Microsoft Office 365 Beta (Plan E3) – a plan for large enterprises that provides collaboration tools using the Office suite of applications (includes Office Web Apps).

2. Microsoft Office 365 Beta (Plan K2) – a plan for employees of an organization who do not have a dedicated workplace. Work is carried out using the Office Web Apps web application.

3. Archiving based on Exchange Online - the same as the plan that is used in the case of creating a personal email archive for users who have mailboxes on the Exchange Server 2010 server.

More details about licensing plans will be provided in subsequent blog articles.

So, from Figure 7 it is clear that the user can be assigned all the capabilities of the plan, or only partially. For example, if a user account is created for the task of managing only user messages, you need to check the boxes next to the “Lync Online” and “Exchange Online” services. Each plan has a license counter, so if at least one plan option is selected, the counter of available licenses within the plan is reduced.

So, select the licenses required for the user (and in general it’s good if there is an application from the manager indicating what needs to be selected), click the “Next” button to continue the work of the “New User” wizard. To cancel the operation of creating a new user, click on the “Cancel” button; to return to the previous page, click the “Back” button (Figure 8).

Figure 8. New User Wizard - Email Send Page.

On the fourth page of the New User wizard, on the Send Results by Email page, you need to decide whether the temporary password for the newly created user account will be sent to the administrator's mailbox or not. By default, this action is performed automatically; to cancel this option, uncheck the “Send message by email” checkbox. It should be noted that the password will be sent in clear text, so it is recommended to change the password as soon as possible if the administrator does not use security measures when accessing the email account.

On this page it is also possible to specify the mailbox of the user administrator to whom the task of communicating the temporary password to the end user will be delegated.

The continuation of the article will describe subsequent operations with user accounts.

1. Assigning administrator roles

The Office 365 platform includes a PowerShell module that helps you set up and manage user accounts. PowerShell allows you to automate many processes. In any case, the functionality of PowerShell will depend on the type of deployment you are using.

Let's say you currently use the Quest Active Directory cmdlets, the Active Directory PowerShell module or even ADSI to automate the setup of user accounts locally. When migrating to Office 365 cloud services, you can either change this process or leave it unchanged. For example, you may want to set up single sign-on, or deploy a hybrid version of Exchange. In this case, you can, as before, set up local user accounts on the server; they are then automatically synchronized with the cloud using DirSync.

If you do not plan to use DirSync, you can automate user licensing with the Microsoft Online Services Module for Windows PowerShell.

Installing the Microsoft Online Services Module

Before you download and install the module Microsoft Online Services for PowerShell, read the requirements:

  • Operating system: Windows 7, Windows Server 2008 R2
  • .NET Framework no lower than version 3.5.1
  • Microsoft Online Services Sign-In Assistant - registers in the Office 365 portal and cloud services.
  • You must also install and configure the Office desktop apps (at the bottom of the screen, select the "Install and configure Office desktop apps" option)

When all the requirements are met, you can proceed to download and install the module. The current version of the module is always available on the following resources:

Establishing a connection

If you did not change the default options when installing the module, a shortcut named Microsoft Online Services Module for Windows PowerShell will appear on your desktop. You can get started using this shortcut. You can also manually import the module into the standard PowerShell console using the cmdlet Import-Module MSOnline.

Once the module is imported, you can connect to your Office 365 tenant and start working with accounts.

First, you need to create a credential object using the cmdlet Get-Credential, which stores the credentials of the Office 365 tenant administrator (a PSCredential object is created), and then pass it to Connect-MsolService:

PS> $cred = Get-Credential
PS> Connect-MsolService -Credential $cred

Once the command completes, a connection to the Office 365 tenant will be established.

View licenses

Once the connection is established, you can view the current licensing configuration using the cmdlet Get-MsolAccountSku, which returns all SKUs owned by the organization. You will receive detailed information on licensing, find out how many licenses are used, how many are available in total:

If you need to assign licenses to users that were created from the shell or synchronized with DirSync, you will need to know the account SKU identifier in the format tenant:SkuPartNumber. For example, in the figure above: an ENTERPRISE subscription account has been registered in the system, the tenant name is uclabs, 5 of the 25 available licenses are used.

Setting up user accounts

To create a new user account, use the cmdlet New-MsolUser. As an example, let's create a user account step by step and assign licenses during the setup process:

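# $upn holds the new account's sign-in name (UserPrincipalName)
PS> New-MsolUser -UserPrincipalName $upn `
      -DisplayName "Steve Johnson" `
      -FirstName Steve `
      -LastName Johnson `
      -LicenseAssignment uclabs:ENTERPRISEPACK `
      -UsageLocation US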

Note that the parameter –Password was not used to assign the initial password. In this case, the account is assigned a random password:

You can manually change the password using the option -Password:

In the figure you can see that the initially assigned random password is not secure. Account passwords will need to be replaced with stronger ones that meet the following requirements:

  • The password must contain both uppercase and lowercase letters.
  • The password must contain at least one character that is neither alphabetic nor numeric.
  • You cannot set a password similar to the username.
  • You cannot use spaces or breaks.

If you do not want to adhere to such requirements, you can write:

-StrongPasswordRequired $false (this parameter is available with the cmdlet New-MsolUser), or disable the password requirements with the cmdlet Set-MsolUser.

Selective Licensing

Office 365 licenses can contain a subset of subscriptions. For example, in the figure you see the licensing settings in the Microsoft Online Services Portal for a user with an E3 plan license - all available subscriptions are displayed on the screen:

You can disable certain subscriptions during licensing and select only the necessary ones, but this requires information about the available subscriptions. The following command shows in detail the plans of the EnterprisePack SKU that the cmdlet Get-MsolAccountSku returns:

Get-MsolAccountSku | Where-Object {$_.SkuPartNumber -eq "ENTERPRISEPACK"} |
    ForEach-Object {$_.ServiceStatus}

The results are not entirely obvious at first glance. Here's what is meant:

  • OFFICESUBSCRIPTION – Office Professional Plus
  • MCOSTANDARD – Lync Online
  • SHAREPOINTWAC – Microsoft Office Web Apps
  • SHAREPOINTENTERPRISE – SharePoint Online
  • EXCHANGE_S_ENTERPRISE – Exchange Online

Now that we have received the necessary subscription information, we can selectively assign licenses to users. For example, we can change the entry we created earlier so that the user is assigned only Office Professional Plus and Exchange Online licenses. To do this, create a license options object using the cmdlet New-MsolLicenseOptions. When we run this command we define the account SKU, which in our example would be tenant:ENTERPRISEPACK, then we disable certain plans. Subscriptions are disabled using the parameter DisabledPlans:

PS> $options = New-MsolLicenseOptions -AccountSkuId uclabs:ENTERPRISEPACK `
      -DisabledPlans MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE

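In the following example, the license options object is stored in the variable $options, which can be passed as the required value when changing the account:

# $upn holds the sign-in name (UserPrincipalName) of the account being changed
PS> Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $options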

The license options object assigned to the variable $options can also be used at the account creation stage:

# $upn holds the new account's sign-in name (UserPrincipalName)
PS> New-MsolUser -UserPrincipalName $upn `
      -DisplayName "Joe Neilsen" -FirstName Joe `
      -LastName Neilsen -LicenseAssignment uclabs:ENTERPRISEPACK `
      -LicenseOptions $options -UsageLocation US

As a reminder, you can also manage Exchange Online through remote Exchange PowerShell, but if you assign a license with the Microsoft Online Services Module for PowerShell, the mailbox is enabled automatically.

Multiple licensing

In some situations, it may be necessary to repeat the license assignment process for accounts multiple times. This is especially true if you will be using DirSync to sync local user accounts with the cloud - ultimately, each user must be assigned a license. In this case, use the cmdlet Get-MsolUser which will determine which users are currently unlicensed (parameter UnlicensedUsersOnly):

We select all unlicensed users and pass these objects down the pipeline to the cmdlet Set-MsolUserLicense, which assigns licenses to the accounts.

First of all, make sure that the region of use is registered for your accounts. Here's an example where the region of use for all unlicensed accounts is US:

Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation us

Now let's license these users:

Get-MsolUser -UnlicensedUsersOnly |
    Set-MsolUserLicense -AddLicenses uclabs:ENTERPRISEPACK

Additionally, you can use the licensing parameters object LicenseOptions, if there is a need to selectively connect subscriptions to users.

Setting up accounts from CSV files

You can create accounts in the web portal using a CSV file - this allows you to assign multiple licenses at once. This works really well for us. This is what it looks like:

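As you can see, the values in the columns correspond to the parameters that we previously specified in the cmdlet New-MsolUser. In effect, we import the CSV with a cmdlet: the file is read into the shell, and accounts are created and licensed in Office 365. Let's look at the script code:

Import-Csv -Path c:\users.csv | ForEach-Object {
    New-MsolUser -FirstName $_.FirstName -LastName $_.LastName -UserPrincipalName $_.UserPrincipalName `
        -DisplayName "$($_.FirstName) $($_.LastName)" -LicenseAssignment "uclabs:ENTERPRISEPACK" -UsageLocation US
}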

The only problem with this script is that if the code is executed like this, a random password will be generated for each user, and we will not receive this information. But with a small change to the script, we can pipe the output to a file and thus record the passwords for newly created accounts:

Import-Csv -Path c:\users.csv | ForEach-Object {
    New-MsolUser -FirstName $_.FirstName -LastName $_.LastName `
        -UserPrincipalName $_.UserPrincipalName `
        -DisplayName "$($_.FirstName) $($_.LastName)" `
        -LicenseAssignment "uclabs:ENTERPRISEPACK" -UsageLocation US
} | Export-Csv -Path c:\provisioned_users.csv -NoTypeInformation

As you can see, we've added an Export-CSV command at the end of the script, which will allow us to save account information, including initial passwords. Using this information we can change passwords for end users.

And this is not the only way. You can also add an additional column to the original CSV file that will contain the new password value. As a result, it can be assigned directly during the setup process.
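
A hardened variant of the export script above, as an added example that is not part of the original article: it restricts the output file's ACL to the current user before any password is written, skips malformed or duplicate rows, and forces a password change at first sign-in. It assumes the MSOnline module and an open Connect-MsolService session; the row-validation rule is an assumption of this example.

```powershell
# Added example. Assumes the MSOnline module and an open Connect-MsolService session.
# Paths, SKU and CSV column names are the ones used in the article's script.
$inFile  = 'c:\users.csv'
$outFile = 'c:\provisioned_users.csv'

# 1. Create the output file empty and lock its ACL down BEFORE any password is written.
New-Item -Path $outFile -ItemType File -Force | Out-Null
$acl = Get-Acl -Path $outFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited entries
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)                     # explicit entry for the current user
Set-Acl -Path $outFile -AclObject $acl

# 2. Skip rows that would create a broken or duplicate account.
#    (The validation rule below is this example's assumption, not an Office 365 rule.)
$seen = @{}
$rows = Import-Csv -Path $inFile | Where-Object {
    $upn = "$($_.UserPrincipalName)".Trim().ToLower()
    $ok  = $_.FirstName -and $_.LastName -and
           ($upn -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') -and
           -not $seen.ContainsKey($upn)
    if ($ok) { $seen[$upn] = $true } else { Write-Warning "Skipping row with UPN '$upn'" }
    $ok
}

# 3. Provision with strong passwords and a forced change at first sign-in,
#    then record only the two fields needed to hand over the temporary password.
$rows | ForEach-Object {
    New-MsolUser -FirstName $_.FirstName -LastName $_.LastName `
        -UserPrincipalName $_.UserPrincipalName `
        -DisplayName "$($_.FirstName) $($_.LastName)" `
        -LicenseAssignment 'uclabs:ENTERPRISEPACK' -UsageLocation US `
        -StrongPasswordRequired $true -ForceChangePassword $true
} | Select-Object UserPrincipalName, Password |
    Export-Csv -Path $outFile -NoTypeInformation
```

Export-Csv truncates the existing file rather than recreating it, so the ACL set in step 1 stays in place; delete the file once the temporary passwords have been handed over.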

Any program is not only files and functionality, it is also a service. And the more modern the program, the more complex its basis and the wider the scope of services provided. Today, this concept has stepped to a new level, providing the user not with a service or program as such, but with some kind of comprehensive solution, including both in different proportions. A striking example of such a future is a proposal called Microsoft Office 365 (version available in Russian).

The new commercial concept of the development company is a list of subscription services available via the Internet, access to which allows you to use familiar programs, regardless of where exactly the service consumer is currently located and what device he is using. As a result of subscribing to Office 365, the user receives constant access to a unique business package, including the necessary office suite, as well as software for managing it and email communication.

You can download Office 365 for free in Russian (or rather, subscribe to these services) and receive a 30-day activation key to evaluate how much you like this software.


Depending on the subscription option, the software package includes a different set of programs, but in general the following are available to the user:
  • the Sharepoint system (Microsoft SharePoint Products and Technologies), which provides the user with a simple and effective page builder and allows you to create a business card website;
  • a place to store absolutely any information within Onedrive (cloud file storage from Microsoft);
  • the ability to send email using a business-class service located on the Exchange server base (originally conceived as a collaboration project, including a wide range of tools for exchanging voice and text messages);
  • Lync communicator, which provides text messaging and conferences in both audio and video formats, including desktop sharing;
  • access to the most up-to-date version of the office suite available on the market, currently Office 2016.
The concept was first launched for beta testing at the end of 2010, and as an officially released product it became available to consumers in the summer of 2011.

Currently, home users can use this package as a combination of desktop programs and network services. A fairly modest payment allows you to download to your PC and, after installation, use the practically irreplaceable Microsoft Access (creation and management of relational databases), Microsoft Word (a well-known text editor) and Microsoft Excel (a spreadsheet processor for formulas, various tables and graphs), as well as the following programs useful for business:

  • OneNote (a program for taking notes, extremely useful as a personal organizer, has a tree structure; recently you can download OneNote for free from the Microsoft website);
  • Outlook (a world-famous email client for managing user email accounts, has rich functionality, extensive capabilities for managing address book contacts, customizable spam filters, mechanisms for creating backup copies of user data);
  • PowerPoint (a well-known program for creating presentations);
  • Publisher (a custom publishing system that helps create marketing materials for the needs and objectives of the company).
In addition to this, access to SkyDrive cloud file storage is provided, where by default the consumer receives as much as 20 GB for his files. Word documents, spreadsheets, PowerPoint presentation files and OneNote notes can now be edited directly through the browser.

A good finishing touch to the package is sixty paid minutes of Skype calls to phones in four dozen countries around the world, but the selection of these countries is not entirely clear - for example, Ukraine is not included in this list for some reason. Note that Skype was recently acquired by Microsoft, which is engaged in its further maintenance and development.

Any previous version of Microsoft Office in Russian can be downloaded for free for Windows 10, 8, 7 and XP on your PC; however, it would not be entirely correct to speak of downloading Office 365, because this package is a set of web services distributed through a subscription.

Users of another popular operating system, Apple's Mac OS X, also have access to the main office suite programs at the Office 2013 level, and they also have space for files on the SkyDrive cloud.


In both cases, all programs are licensed and contain only those functions that the developers have endowed them with, but there is a catch: all licenses are tied to the same Microsoft account, so you won't be able to simply give your purchase to someone as a gift (post it on the Internet) or sell it.

However, there is also a plus in this approach: having once purchased licenses, the user can regulate them within his account - add useful features or remove unnecessary functionality using the office.com portal.

The most global advantage of the innovation is the ability to collaborate: files located on SkyDrive can be viewed and edited by office applications, which has made Office 365 a truly innovative and progressive solution in the application software market.


A distinctive feature of the proposal was its interface: after all the programs included in the installation package are installed and launched, it becomes clear that this is a slightly adapted and modified Metro interface, which became famous thanks to Windows 8.

The new design is distinguished by a pleasant lightness, which immediately has a beneficial effect on the speed of applications and ease of use, which is characteristic of almost all products from Microsoft.

In general, we can confidently say that the development and implementation of Office 365 will not pass without a trace for the company, because the trend towards the development of client-server technologies continues to gain momentum. Add to this the well-known office programs with their high speed and proper reliability. Office 365 will definitely confirm its high position in the office software market, and for many consumers, the web-based nature of popular software will become a decisive factor in their choice.