ArcelorMittal Federation Solution - Manual

Le Noir, Wim | AMFS Solution | August 8, 2016

ArcelorMittal Federation Solution “FEDERATING THE OFFICE 365 ADMINISTRATION”


Contents

Introduction ... 4
Readiness requirements ... 5
  Client ... 5
  Network ... 6
    Proxy configuration ... 8
  Testing installation ... 9
    Version Information ... 9
    Multiple instances ... 10
    Raising network issues when using the AMFS Solution ... 10
  Unsupported Characters ... 10
The federation model ... 10
  Specific cases ... 13
    No WAAD object available to do the federation check ... 13
    Federated services with multiple federation contexts ... 13
    Super Administrator ... 13
    Blocking AMFS solution globally/locally ... 13
  Applying custom management scopes ... 13
    Export accounts belonging to Armony.Net ... 14
    Update management scope for exported accounts Armony.net ... 15
Main form ... 17
  Office 365 ... 17
Tips & tricks ... 19
  Automatic alerts when new version is released ... 19
  Bulk processing ... 20
  Search for account ... 21
  Search for IDM data ... 21
  Protect an account (e.g. service accounts) ... 22
Disaster/Recovery Scenario ... 23
Federated Services ... 23
  Manipulate Management Scope (AMFS) ... 24
  Synchronize Management Scope (IDM)(AMFS), Synchronize Retired Accounts (IDM)(AMFS), Synchronize Expired Accounts (IDM)(AMFS), Export Management Scope (CSV)(AMFS) and Export Accounts to CSV for Bulk processing (AMFS) ... 24
  Set account photo (EXO), Get account photo (download)(EXO) and View account photo (EXO) ... 26
  Import Management Scope (AMFS) ... 26
  Federate Selected Service (AMFS) and Assign Federated Service (AMFS) ... 27
  Governing the federation ... 30
    Maintain federation model ... 30
  Remove assigned federated service (AMFS) and Remove all assigned federated service(s)(AMFS) ... 31
  Assign license (E1, E3, E1S4BOnly, E3S4BOnly, E1NoEXO and E3NoEXO) (Office365) ... 33
  Assign license(s) and plan(s)(Office365) ... 34
  Assign MFA enabled application (SECURITY) ... 36
  Create cloud account via AMEI or e-mail address (Office365) and View Account IDM Meta Data (AMFS) ... 37
  Reset cloud account password (Office365) ... 38
  Disable cloud account (Office365), Enable Cloud Account (OFFICE365), Remove cloud account and put in Recycle Bin (Office365), Remove account from Recycle Bin (Office365) ... 39
  Set selected client policy (S4B), Set selected external access policy (S4B), Set selected hosted voice mail policy (S4B), Set selected voice policy (S4B), Get selected conferencing policy (S4B), Get selected client policy (S4B), Get selected external access policy (S4B), Get selected hosted voice mail policy (S4B) and Get selected voice policy (S4B) ... 42
  Disable/Enable video in Skype for Business (S4B) and Set Selected Conferencing Policy (S4B) ... 45
  Verify user SIP address (S4B) ... 46
  Global activity report (S4B) and User activity report (S4B) ... 47
  Global PSTN usage report (S4B) and User PSTN usage report (S4B) ... 49
  Enable dial-in conferencing (S4B), Update dial-in conferencing settings (S4B) and Reset leader PIN dial-in conferencing (S4B) ... 50
  License report (Office365) and License and service status report (Office365) and license, service status and S4B report (OFFICE365) ... 52
  Assign role with elevated rights (Office365) and Remove Role with Elevated Rights (OFFICE365) ... 54
Security ... 55
Audit ... 57
Limitations ... 58
Registered attributes ... 59
  extension_a040d6d9fd6a4ea595b7f74f74df758c_employeeNumber ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMEI ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMCOMPANYCODE ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMSEGMENTCODE ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMBUCODE ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMDEPARTMENTCODE ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMBDCODE ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSAccountType ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSSegmentCode ... 59
  extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSBUCode ... 60
Support ... 60
ArcelorMittal Business Units & Companies ... 61
WAAD Domains ... 62


Introduction

The standard Office 365 administration platform has limited federation capabilities; specifically, its level of granularity falls short for big organizations. Moreover, the protection of management scope is only available for a limited number of Office 365 services (Exchange Online) and would be difficult to implement for ArcelorMittal due to the high number of legacy Active Directory domains federated in our Office 365 tenant. Such a configuration would also leverage the past rather than prepare for the future.

The standard role assignment in the portal is tenant-wide for most functions, which poses substantial risks from different perspectives (security, operations, etc.).

Taking into consideration that ArcelorMittal is a highly federated organizational structure and that business reorganizations happen at a high pace, the Office 365 Program team architected a role-based administration model where management scope is sourced from the Identity Management repository (IDM, commonly known as RIITA). The majority of HR systems already interface with IDM, and global security policy requires all physical persons (internal/external) using ArcelorMittal IT systems to have an AMEI (ArcelorMittal global unique identifier for a physical person).

Access to ArcelorMittal IT systems is provided via IT account(s). Those IT account(s) must be linked to an AMEI so that the important identity life cycle phases are properly managed (entry/exit). In the ideal world an end user should only need to remember one IT account to access all the IT services granted to him/her, so he/she can execute his/her role within the ArcelorMittal organization (commonly known as Single Sign On (SSO)).

All IT accounts accessing Office 365 are hosted in one Windows Azure Active Directory named ArcelorMittal, which was created together with the Office 365 tenant. Each account is uniquely identified via its userPrincipalName (UPN) (e.g. [email protected]).

To achieve the required granularity, each federated service is implemented one-to-one with a function in the Office 365 Administration Libraries (Function ≡ PowerShell Cmdlet and Library ≡ PowerShell Module). Each federated service has a Windows Azure Active Directory (WAAD) group. The WAAD group name identifies the federated service as well as the management scope covered. All WAAD groups associated with the AMFS solution are prefixed with “AMFS-” to ease the search in the Windows Azure Portal as well as to simplify support.

The front-end enabling the federation of the Office 365 administration globally was built with SAPIEN PowerShell Studio 2016. This manual contains the installation and usage instructions. For now the Office 365 & Skype for Business federated services are completed, as well as the overall security model. The SharePoint Online, Exchange Online, Rights Management Service, Azure and OneDrive for Business federated services will be offered at a later stage, aligned with the global Go-To-Gold planning. This forms the rich PC client application. In parallel a WEB based interface will be developed together with a partner using Azure Automation Engine to enable the federation of the Office 365 administration.

Figure: relationship between Identity (AMEI) and Account (UPN).

Readiness requirements

CLIENT

An active Office 365 work account is required to use the solution (cloud or federated).

The following 64-bit Windows operating systems can run the AMFS Solution:

1. Windows 10

2. Windows 8.1 or Windows 8

3. Windows Server 2012 R2 or Windows Server 2012

4. Windows 7 Service Pack 1 (SP1)

5. Windows Server 2008 R2 SP1

A 64-bit version of Windows is required, as the Skype for Business Online module and the Windows Azure Active Directory module are only supported on 64-bit.

The Microsoft .NET Framework 4.5.x and the Windows Management Framework 3.0 or the Windows Management Framework 4.0 are required.

https://msdn.microsoft.com/library/5a4x27ek(VS.110).aspx

https://www.microsoft.com/en-us/download/details.aspx?id=40855

The AMFS Solution uses the modules that are required for Office 365, SharePoint Online, and Skype for Business Online. It also leverages services of the federated AD domains, which require the Active Directory module to be installed (see 1.). On Windows 7 the tools for roles and features must be enabled after installation of the package.

1. Remote Server Administration Tools (RSAT) for Windows operating systems
   https://support.microsoft.com/en-us/kb/2693643

2. Microsoft Online Service Sign-in Assistant for IT Professionals RTW
   https://www.microsoft.com/en-us/download/details.aspx?id=41950

3. Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
   http://go.microsoft.com/fwlink/p/?linkid=236297

4. SharePoint Online Management Shell
   https://www.microsoft.com/en-us/download/details.aspx?id=35588

5. Skype for Business Online, Windows PowerShell Module
   https://www.microsoft.com/en-us/download/details.aspx?id=39366

Windows PowerShell needs to be configured to run signed scripts for Skype for Business Online, Exchange Online, and the Security & Compliance Center. Start Windows PowerShell as administrator and run the commands below, or use the ‘Test/Remediate’ pushbutton on the AMFS Solution main screen.

Set-ExecutionPolicy RemoteSigned

Enable-PSRemoting -SkipNetworkProfileCheck -Force

A screen resolution of 1920x1080 is recommended when using the AMFS Solution.

The solution itself is installed via a published MSI. The MSI is published on the SPO Site of the ‘Office 365 Program’ (AMFS Solution MSI). The dependent software packages can be downloaded from the SPO Site as well (AMFS Solution Dependent Software Modules).
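A script, added here as an example and not part of the AMFS Solution itself, that checks the client requirements listed above and reports what is missing. The PowerShell module names (MSOnline, SkypeOnlineConnector, Microsoft.Online.SharePoint.PowerShell, ActiveDirectory), the Sign-in Assistant service name msoidsvc and the .NET 4.5 registry release value are assumed from the listed packages; this manual does not state them.

```powershell
# Added example, not the AMFS Solution's own code. Run in a 64-bit Windows PowerShell host.
function Test-AmfsClientReadiness {
    $checks = @()

    # 64-bit OS and a 64-bit PowerShell host: the Skype for Business Online and
    # Azure AD modules only load in a 64-bit process.
    $checks += [pscustomobject]@{ Check = '64-bit Windows'; Passed = [Environment]::Is64BitOperatingSystem; Detail = [Environment]::OSVersion.VersionString }
    $checks += [pscustomobject]@{ Check = '64-bit PowerShell host'; Passed = [Environment]::Is64BitProcess; Detail = "PID $PID" }

    # Windows Management Framework 3.0 / 4.0 ship PowerShell 3.0 / 4.0.
    $checks += [pscustomobject]@{ Check = 'PowerShell 3.0 or later'; Passed = ($PSVersionTable.PSVersion.Major -ge 3); Detail = $PSVersionTable.PSVersion.ToString() }

    # .NET Framework 4.5.x: the NDP v4 Full 'Release' value is 378389 or higher (assumed from Microsoft documentation).
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{ Check = '.NET Framework 4.5+'; Passed = ([int]$ndp.Release -ge 378389); Detail = "Release=$($ndp.Release)" }

    # Execution policy must allow signed remote scripts (the manual's Set-ExecutionPolicy RemoteSigned).
    $policy = Get-ExecutionPolicy
    $checks += [pscustomobject]@{ Check = 'Execution policy'; Passed = ($policy -in 'RemoteSigned', 'Unrestricted', 'Bypass'); Detail = "$policy" }

    # WinRM must be listening for the remote administration sessions (the manual's Enable-PSRemoting).
    $wsman = Test-WSMan -ErrorAction SilentlyContinue
    $wsmanDetail = if ($wsman) { $wsman.ProductVersion } else { 'Test-WSMan failed' }
    $checks += [pscustomobject]@{ Check = 'WinRM (PSRemoting)'; Passed = [bool]$wsman; Detail = $wsmanDetail }

    # Sign-in Assistant: installs the msoidsvc service (service name assumed).
    $svc = Get-Service -Name msoidsvc -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { "$($svc.Status)" } else { 'service msoidsvc not found' }
    $checks += [pscustomobject]@{ Check = 'Online Services Sign-in Assistant'; Passed = [bool]$svc; Detail = $svcDetail }

    # PowerShell modules of the dependent packages (module names assumed from the packages).
    $modules = @{
        'MSOnline'                               = 'Windows Azure Active Directory Module'
        'SkypeOnlineConnector'                   = 'Skype for Business Online module'
        'Microsoft.Online.SharePoint.PowerShell' = 'SharePoint Online Management Shell'
        'ActiveDirectory'                        = 'RSAT Active Directory module'
    }
    foreach ($name in $modules.Keys) {
        $found = Get-Module -ListAvailable -Name $name | Select-Object -First 1
        $modDetail = if ($found) { "$name $($found.Version)" } else { "module $name not installed" }
        $checks += [pscustomobject]@{ Check = $modules[$name]; Passed = [bool]$found; Detail = $modDetail }
    }
    return $checks
}

$report = Test-AmfsClientReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'Not ready for the AMFS Solution: fix the failed checks (or use the Test/Remediate form) before installing.'
}
```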

NETWORK

The AMFS solution needs to connect to all Office 365 services and requires Internet access. All network requirements to fulfill can be found in the Office 365 Network Readiness Requirements.

It is important to mention that the Office 365 administration services have more network connectivity requirements than the default Office 365 services. In this sense it may well be that one can use Office 365 but at the same time experience difficulties using the ArcelorMittal Federation Solution.

To facilitate the analysis of network connectivity issues a Test Form was built. In the Test Form some common errors can also be remediated (last 4 buttons on the Test Form). For those remediations to run successfully, the AMFS Solution should be run with local Administrator rights (use ‘Run As Administrator’). Once done, the program can again be started as a normal user. The Test Form can be reached by clicking the ‘Test/Remediate’ button on the Main Form.


The ‘Remediate WinRM Error’, ‘Remediate ServicePoint Clean-Up’ and ‘Remediate Certificate Error’ conditions can occur on Windows 7 and Windows 10. The ‘Remediate maxJsonLenght Error’ and ‘Remediate ServicePoint Clean-Up’ conditions only occur on Windows 7. If an option is disabled it means that the program could remediate the issue when starting the application.

The AMFS solution also connects to corporate IT services (mainly IDM-RIITA). This requires corporate network connectivity. However, if corporate network connectivity is not available the solution will still work with reduced functionality. The features that require a real-time connection to the corporate network are mainly there to support the life cycle of the business meta data stored in WAAD. The main features that will not be available when corporate network connectivity is not available are:

1. Synchronize IDM meta data

2. Check retired cloud accounts

3. Check expired cloud accounts

4. Link AMEI with Office 365 account (UPN)

5. View IDM data (double click AMEI field)

The solution has been tested with VPN Americas (Cisco) & VPN Europe (F5).

The solution has also been tested with the Cloud Proxy Europe (Cloud Proxy PAC File Link). In case of connectivity and/or network related issues one should first try to remediate via the ‘Set cloud proxy (ZScaler)’ pushbutton. If the error continues it is most likely related to a bug in the AMFS Solution. If not, the information should be shared with the network support team assigned to the location.

Proxy configuration

During the development of the AMFS solution network connectivity issues were frequently encountered. The steps below have proven to be helpful when investigating such connectivity issues. If one receives the error below when starting the AMFS Solution after the initial login, the section below should resolve the issue, depending on the local context.

Connected to Corporate Network (LAN, WiFi-4-INCA)

To configure the cloud proxy, run the commands below with ‘Run as administrator’ in a command window:

REM SET CLOUD PROXY
NETSH WINHTTP SET PROXY GATEWAY.ZSCALERTWO.NET:10299
NETSH WINHTTP SHOW PROXY
REM START AMFS SOLUTION
"C:\PROGRAM FILES\ARCELORMITTAL\ARCELORMITTAL FEDERATION SOLUTION\AMFS SOLUTION.EXE"
EXIT

If a specific proxy is being used at your location, change the commands accordingly. If you don’t know the proxy configuration settings, ask your local network team to assist you. Below is a sample of the proxy configuration used at business unit ArcelorMittal Ghent:

REM SET PROXY BU GHENT
NETSH WINHTTP SET PROXY PROXY.SIDMAR.BE:8080
NETSH WINHTTP SHOW PROXY
REM START AMFS SOLUTION
"C:\PROGRAM FILES\ARCELORMITTAL\ARCELORMITTAL FEDERATION SOLUTION\AMFS SOLUTION.EXE"
EXIT

Connected to Internet (Home, hotel, guest network, etc.)

In case of issues connecting to the remote PowerShell modules, try to disable the proxy configuration settings by switching to ‘direct mode’. See the commands below. Always inform your local network team of the outcome so they can remediate accordingly, and run the commands with administrator privileges.

REM RESET PROXY TO DIRECT
NETSH WINHTTP RESET PROXY
NETSH WINHTTP SHOW PROXY
REM START AMFS SOLUTION
"C:\PROGRAM FILES\ARCELORMITTAL\ARCELORMITTAL FEDERATION SOLUTION\AMFS SOLUTION.EXE"
EXIT

TESTING INSTALLATION

To test if the AMFS Solution is properly installed, one should get a login screen like the one shown below when starting the AMFS Solution. Use your normal Office 365 credentials. For those using a federated account, your password is the same as your PC login password. If you don’t see the login screen, the software failed to install or one of the software dependencies is not properly covered.

When pressing OK the AMFS Solution tries to connect to Office 365 and perform the login, connects to IDM to check corporate network connectivity and connects to Exchange Online to check for the user photo. If all is successful the main form of the AMFS solution should show. If it takes very long for the main screen to show, it means that one of the remote administration server modules cannot be reached. The AMFS solution will show an error message which contains the relevant network information. Either take a screen snapshot or look in the AMFS solution log file and share the content with your local network team.

Version Information

On the first form of the application one can press F1, which displays the AMFS Tool version information in a separate window. See the sample below.


Multiple instances

Because of limitations on the number of remote connections that can be made to the Office 365 administration platforms, only one instance is allowed per host. If one tries to start a second instance the error below will pop up:

Raising network issues when using the AMFS Solution

During the development of the application network issues were frequently encountered. The assignment of such issues to the correct resolution group is very difficult due to the complexity. One easy trick in those cases is to connect to the Internet without proxy (use ‘Automatically detect settings’ in the browser) and enable VPN for corporate network connectivity. If the issue still occurs, it should be escalated to the application owner of the ArcelorMittal Federation Solution. In all other cases the issue should be raised with the team supporting your local network and proxy configuration.

UNSUPPORTED CHARACTERS

The solution synchronizes data from different sources. Those sources should have their data properly checked against illegal characters.

Unsupported characters in a user principal name are: “?@\+”. Unsupported characters in an e-mail address are: “[\!#$%&*+/=?^`{}]”. If such characters are encountered they are replaced with “_”. In case such a replacement happened, the normal logic may be broken for the associated objects.
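A pre-sync check for the two character sets above, added here as an example and not part of the AMFS Solution: it reports which values would be silently rewritten with “_” so they can be corrected at the source instead. The sample values are constructed, and it is an assumption that the UPN rule applies to the part before the last “@”, since that separator belongs to every UPN.

```powershell
# Added example, not the AMFS Solution's own code.
$AmfsUnsupportedChars = @{
    Upn   = [char[]]'?@\+'                 # from the manual: user principal name
    Email = [char[]]'[\!#$%&*+/=?^`{}]'    # from the manual: e-mail address
}

function Test-AmfsUnsupportedCharacters {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [ValidateSet('Upn', 'Email')][string]$Kind = 'Upn'
    )
    # Assumption: for a UPN the rule is applied to the part before the last '@'.
    $local = $Value; $suffix = ''
    if ($Kind -eq 'Upn' -and $Value.Contains('@')) {
        $at = $Value.LastIndexOf('@')
        $local = $Value.Substring(0, $at); $suffix = $Value.Substring($at)
    }
    $bad = @([char[]]$local | Where-Object { $AmfsUnsupportedChars[$Kind] -contains $_ } | Select-Object -Unique)
    $sanitized = $local
    foreach ($c in $bad) { $sanitized = $sanitized.Replace([string]$c, '_') }
    [pscustomobject]@{
        Value       = $Value
        Kind        = $Kind
        Unsupported = -join $bad
        WouldBecome = $sanitized + $suffix   # what the synchronization would store after replacement
        NeedsReview = ($bad.Count -gt 0)     # a replacement would happen: fix the source value first
    }
}

# Constructed sample data, not taken from the manual.
@(
    @{ Value = 'john.doe@contoso.example';   Kind = 'Upn' },
    @{ Value = 'j+d?oe@contoso.example';     Kind = 'Upn' },
    @{ Value = 'jane.roe@contoso.example';   Kind = 'Email' },
    @{ Value = 'jane*roe#1@contoso.example'; Kind = 'Email' }
) | ForEach-Object { Test-AmfsUnsupportedCharacters -Value $_.Value -Kind $_.Kind } | Format-Table -AutoSize
```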

The federation model

The Office 365 standard administration consoles have limited federation capabilities on the level of services that can be federated. Moreover, the protection of management scope is only available for a limited number of Office 365 services (Exchange Online) and is mainly based on filtering of Windows Azure Active Directory (WAAD) attribute values. The latter could be used within ArcelorMittal, but it would require a high level of standardization and normalization of the required attributes and their values in the existing federated Windows Active Directories (AD) (currently more than 60 Active Directory domains are federated in the Office 365 tenant). Launching such a program would require substantial effort, pose substantial risk for existing business applications (market software as well as developed software) and delay Office 365 adoption.

Taking into consideration that ArcelorMittal is a highly federated organizational structure and that business reorganizations happen at a high pace, the Office 365 Program team architected a role-based administration model where management scope is sourced from the Identity Management repository (IDM, commonly known as RIITA). The majority of HR systems already interface with IDM, and global security policy requires all persons (internal/external) using ArcelorMittal IT systems to have an AMEI (ArcelorMittal global unique identifier for a physical person). Access to ArcelorMittal IT systems is provided via IT account(s). Those IT account(s) must be linked to an AMEI so that the important identity life cycle phases are properly managed (entry/exit). In the ideal world an end user should only need to remember one IT account to access all the IT services granted to him/her, so he/she can execute his/her role within the ArcelorMittal organization (commonly known as Single Sign On (SSO)).

Access to Office 365 is also granted via an IT account. Two types of accounts are supported and used.

Type 1 is a federated account where the authentication is federated to the on-premise Active Directory. The end user using a federated account will automatically have access to Office 365 after a successful PC login (SSO experience between AD & Office 365).

Type 2 is a cloud account where the authentication is federated to the Office 365 WAAD. The end user using a cloud account will have a separate account and password for Office 365.

All accounts with access to Office 365 must have an AMEI assigned to them. For federated accounts the AMEI is populated via AAD Connect in a registered attribute in WAAD (the attribute name is [extension_a040d6d9fd6a4ea595b7f74f74df758c_employeeNumber]). For cloud accounts the account creation process requires an active AMEI value as a mandatory attribute, and as a consequence the AMEI is populated during the account creation process. The registered attribute used in WAAD for the AMEI is [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMEI].

One physical person (≡ AMEI) can have more than one Office 365 account (e.g. service accounts, etc.). Administration services federated to the level of AMEI are so-called self-service services, meaning the end user himself is authorized to execute the service (a typical example is password reset).

In the AMFS solution 5 levels of management scope are implemented, namely:

1. Global

1.1. WAAD Domain

1.1.1. IDM Business Unit

1.1.1.1. IDM Company

1.1.1.1.1. IDM Identity (AMEI)

The levels are hierarchical in the sense that any identity belongs to only one company. Each company belongs to a business unit and each business unit belongs to global (the ArcelorMittal Group). Those 4 levels of management scope are sourced from the IDM Repository (RIITA). The data itself is owned by the different HR departments (One HRIS Program).

Within ArcelorMittal we have multiple Active Directory (AD) domains which handle authentication on behalf of the WAAD. Those federated AD domains can also be used as management scope within the AMFS solution (WAAD Domain). One WAAD domain, namely ArcelorMittal.OnMicrosoft.Com, hosts the cloud accounts. In this case the authentication is not federated to an on-premise AD domain but handled in the cloud. A list of all WAAD domains can be found in the paragraph WAAD Domains.

When a service is federated for a management scope, the service can only be executed at that management scope, or at a lower level if it is federated there.

When a service is not federated for a management scope, the execution is handled at the N+1 management scope level when it is federated there. If not federated at N+1 the service is operated at ‘Global’ level.

It is key to understand the above concepts, as they guarantee autonomy for a management scope if and when required. To enable execution of the federated services the requester must be a member of the WAAD groups defining the wanted federation.

If a requester is a member of the WAAD group that can assign licenses globally, and at the same time license assignment is federated for a company X, the requester will be able to assign licenses for all accounts not belonging to company X, unless he is also made a member of the WAAD group enabling license assignment for company X.

The same concept can be used to block services from being executed for a management scope. Say that Company X wants to use only federated accounts and not cloud accounts. To achieve this, the cloud account services should be federated to Company X but no members should be assigned to the associated WAAD groups. This will in fact block the use of cloud accounts for Company X.
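The federation check described above, modelled stand-alone in PowerShell as an added example (not the AMFS Solution's own code). The group naming AMFS-<Service>-<Level>-<Scope>, the UPNs, AMEIs and scope values are constructed assumptions; the manual only states the “AMFS-” prefix. The model goes slightly beyond the text by also covering the self-service (AMEI) level, and the level list can be swapped for the AMFS Custom 1/Custom 2 variant.

```powershell
# Added example, not the AMFS Solution's own code.

# Management scope levels, most specific first. The values come from the target
# account's management scope meta data (IDM-sourced registered attributes in WAAD).
# For the custom model, replace BusinessUnit/Company with Custom1/Custom2.
$AmfsScopeLevels = @('Identity', 'Company', 'BusinessUnit', 'Domain', 'Global')

# Assumed group naming: AMFS-<Service>-<Level>[-<ScopeValue>]. A group existing for
# a service at a scope means the service is federated at that scope.
function Get-AmfsGroupName {
    param([string]$Service, [string]$Level, [string]$Value)
    if ($Level -eq 'Global' -or $Level -eq 'Identity') { return "AMFS-$Service-$Level" }
    return "AMFS-$Service-$Level-$Value"
}

# Walk from the target's own identity up to Global and return the first group that
# exists: that scope governs execution for this target. A scope where the service is
# not federated defers to the next level up (N+1), ending at Global.
function Resolve-AmfsGoverningGroup {
    param([hashtable]$Groups, [string]$Service, [hashtable]$TargetScope)
    foreach ($level in $AmfsScopeLevels) {
        $name = Get-AmfsGroupName -Service $Service -Level $level -Value $TargetScope[$level]
        if ($Groups.ContainsKey($name)) { return $name }
    }
    return $null   # not federated anywhere, not even globally: nobody may execute it
}

function Test-AmfsFederation {
    param([hashtable]$Groups, [string]$Service, [hashtable]$Requester, [hashtable]$TargetScope)
    $group = Resolve-AmfsGoverningGroup -Groups $Groups -Service $Service -TargetScope $TargetScope
    if (-not $group) {
        $allowed = $false; $reason = 'service not federated at any level'
    } elseif ($group.EndsWith('-Identity')) {
        # Federated to the AMEI level: self-service, the requester must be the target person.
        $allowed = ($Requester.AMEI -eq $TargetScope.Identity)
        $reason = 'self-service: requester must be the target AMEI'
    } else {
        $allowed = ($Groups[$group] -contains $Requester.UPN)
        $reason = "membership of $group required"
    }
    [pscustomobject]@{ Service = $Service; Target = $TargetScope.Identity; Requester = $Requester.UPN
                       Allowed = $allowed; GoverningGroup = $group; Reason = $reason }
}

# Constructed WAAD groups (name -> member UPNs).
$AmfsGroups = @{
    'AMFS-AssignLicense-Global'                = @('global.admin@contoso.example')
    'AMFS-AssignLicense-Company-CompanyX'      = @('x.admin@contoso.example')
    'AMFS-CreateCloudAccount-Global'           = @('global.admin@contoso.example')
    'AMFS-CreateCloudAccount-Company-CompanyX' = @()   # federated to X with no members: blocks cloud accounts for X
    'AMFS-ResetPassword-Identity'              = @()   # self-service, membership is irrelevant
}

# Constructed requesters and target accounts.
$globalAdmin = @{ UPN = 'global.admin@contoso.example'; AMEI = 'AM000001' }
$xAdmin      = @{ UPN = 'x.admin@contoso.example';      AMEI = 'AM000002' }
$userInX     = @{ UPN = 'user.x@contoso.example';       AMEI = 'AM000777' }
$accountInX  = @{ Domain = 'arcelormittal.net'; BusinessUnit = 'Europe'; Company = 'CompanyX'; Identity = 'AM000777' }
$accountInY  = @{ Domain = 'arcelormittal.net'; BusinessUnit = 'Europe'; Company = 'CompanyY'; Identity = 'AM000888' }

@(
    # Global license admin: allowed for Company Y (falls back to the Global group) ...
    Test-AmfsFederation $AmfsGroups 'AssignLicense' $globalAdmin $accountInY
    # ... but not for Company X, where the service is federated and he is not a member.
    Test-AmfsFederation $AmfsGroups 'AssignLicense' $globalAdmin $accountInX
    Test-AmfsFederation $AmfsGroups 'AssignLicense' $xAdmin $accountInX
    # Blocking: even the global admin cannot create cloud accounts for Company X.
    Test-AmfsFederation $AmfsGroups 'CreateCloudAccount' $globalAdmin $accountInX
    # Self-service: a user may reset his own password, not someone else's.
    Test-AmfsFederation $AmfsGroups 'ResetPassword' $userInX $accountInX
    Test-AmfsFederation $AmfsGroups 'ResetPassword' $userInX $accountInY
) | Format-Table Service, Target, Requester, Allowed, GoverningGroup -AutoSize
```

Feeding it real data means replacing the constructed hashtables with the AMFS- group memberships read from WAAD and the target account's registered scope attributes.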

To deal with specific situations one can override the management scope determined via the IDM Repository. 2 levels are supported, namely AMFS Custom 1 and AMFS Custom 2. This can be used for example to cater for the scenario where a WAAD domain wants to federate its services to the scope of the WAAD domain boundaries (e.g. manage video settings for all accounts belonging to domain ArcelorMittal.Net) instead of IDM boundaries. Within the AMFS solution those attributes are named:

1. Global

1.1. WAAD Domain

1.1.1. AMFS Custom 1

1.1.1.1. AMFS Custom 2

1.1.1.1.1. IDM Identity (AMEI)

The meta data of the management scope is stored with each target object as a registered attribute. By default a daily synchronization engine updates the IDM meta data for all licensed accounts. The AMFS meta data has to be maintained by the IT organization opting for the IT federated model. Specific features are added in the AMFS solution to facilitate this activity (e.g. export all accounts Europe belonging to the ArcelorMittal.net WAAD domain to CSV, update AMFS meta data via CSV, etc.).

Some Office 365 accounts are not normal user accounts but so-called service accounts. The AMFS Solution allows any account to be marked as ‘Service Account’. Practically speaking this means that those accounts will not be affected when targeted. No federated service can be executed against a ‘Service Account’ via the AMFS Solution, except typing an account as ‘Service Account’ and undoing that activity. The account type is stored in the WAAD registered attribute [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSAccountType].

Federated services needing elevated rights for successful execution are run with a specific service account. The WAAD audit log contains all events related to that service account. This means that all actions executed via the AMFS solution are logged. The user of the AMFS solution does not need any elevated right and/or role assignment within the Office 365 tenant.

SPECIFIC CASES

Some use cases need further explanation.

No WAAD object available to do the federation check

When a new cloud account is created, the WAAD object as well as the management scope WAAD attributes are not yet available to do the federation check. In this case the IDM attributes are used to do the federation check.

Federated services with multiple federation contexts

In case the management scope of an account needs to be updated, the federation check is applied against the target context. Say a requester wants to update the management scope of an account belonging to business unit X to business unit Y. In this case the federation check is done against business unit Y. For example, when an account needs to be moved from Americas to Europe, it is the receiving context (Europe) that should execute the service, or Europe should federate the European management scope federated service to an Americas account.

Super Administrator

The end user using the AMFS tool does not need elevated rights on the Office 365 tenant. All actions requiring elevated rights are done via an AMFS service account with the needed elevated rights assigned. The service account can also use the AMFS tool. When the requester is the service account, all federation/security checks are overruled.

Blocking AMFS solution globally/locally

In case of a security breach or bulk processing that needs to be halted, the AMFS service account can be disabled by another company administrator defined in the Office 365 tenant. This in fact blocks all services that require elevated rights and makes the AMFS tool unusable. As the elevated rights are requested synchronously from within the AMFS tool, such disablement has immediate effect.

To kill the AMFS solution locally, go into the task manager of the host where the AMFS solution is running. Stopping the associated process stops the running AMFS solution as well as any ongoing bulk processing.

APPLYING CUSTOM MANAGEMENT SCOPES

Although the AMFS tool provides federation at WAAD domain level, demand organizations will sometimes want to customize management scopes to their needs. As already explained, 2 registered attributes are available. The below shows such a scenario where the WAAD domain is defined as a management scope but at the same time a higher level management scope is introduced (e.g. region).

The difference between federating at WAAD domain level and using custom scopes is that in the latter case the data has to be maintained by the demand organization using the custom scopes. In the WAAD domain federation model the Office 365 UPN suffix determines the management scope, so no data synchronization is required (less maintenance and no IDM meta data required). Also, when an account moves from one WAAD domain to another WAAD domain, the management scope is automatically up to date.

Each WAAD domain has a domain suffix applied (e.g. Armony.Net ► Arcelormittal.Net, Lu1.Arcelor.net ► ArcelorMittal.Lu). The solution allows defining the WAAD domains as a management scope.

In Europe there are several IT supply organizations that use the WAAD domain boundary as a management scope (e.g. Corporate supplying services in Luxembourg for users belonging to different companies/business units, etc.). To enable the same model in the solution, AMFS Custom 1 could be set to ‘EUROPE’ and AMFS Custom 2 to the domain suffix. This means we get:

1. AMFS Custom 1: EUROPE

a. AMFS Custom 2: ARMONY (accounts with suffix ArcelorMittal.Net)

b. AMFS Custom 2: CORPORATE (accounts with suffix ArcelorMittal.Lu)

c. AMFS Custom 2: SISODI (accounts with suffix Sidmar.Be)

d. Etc.

To maintain the meta data, the tool provides an option to export all accounts belonging to one WAAD domain to a CSV file. That file can then be used for a bulk update of the management scope custom attributes of all the accounts in the CSV.

This system overrules the IDM provided meta data but relies on the IT defined governance scopes (e.g. WAAD domain).

The scenario below is for Armony.Net. The form to export the data can be reached via Main Form and the push button ‘Maintenance’. It is key to understand that as WAAD domains are consolidated (e.g. Americas), the relevance of the custom management scopes will increase again.

The strategic way forward is federation to business organized management scopes (legal entity, etc.) and not IT organized management scopes (WAAD domain, etc.). This strengthens the self-service model not only from an individual perspective but also from an organizational perspective (P&L, demand, etc.).

Export accounts belonging to Armony.Net

Select in the combo box ‘Include accounts from’ the WAAD domain, in the sample case ArcelorMittal.Net, and press the push button ‘Export to CSV’.

One can apply multiple filters based on the UPN selected: if a UPN is selected and the checkboxes ‘Business Unit only’ and/or ‘Company only’ are checked, the filters are applied with the ‘and’ operator.

Once the export is done, a message box shows the CSV file and opens it automatically. After verification of the content, the file can be used in the next step, updating the management scope for the exported accounts.

Update management scope for exported accounts Armony.net

The form to execute the update can be reached via Main Form ► Office 365 ► Federation management ► Manipulate management scope (Overrule IDM meta data). Either select a UPN where the AMFS values are already correct, or just fill in the desired values in the entry fields ‘AMFS Custom 1’ and ‘AMFS Custom 2’, in this case the values ‘EUROPE’ and ‘ARMONY’.

Once this is done, press the push button CSV and select the file previously exported.

Click open and the update begins. Once all rows are processed, a message box is displayed.

All the above actions are only possible if the required services are federated to the requester executing the actions, from a federation service perspective as well as from a management scope perspective.

One can also update the information for one account by selecting the UPN and using the push button ‘Customize management scope’.

Main form

After successful login the main form is displayed.

Currently the federated services are prioritized in alignment with the Go-To-Gold program. This means that Office 365 and Skype for Business were completed for the POC of the AMFS Solution. The Security and Compliance option enables setting multi-factor authentication for an account as well as assigning an MFA enabled application to an account.

The Maintenance option mainly deals with the synchronization of the IDM and the WAAD and will not be used by many people.

The Test/Remediate option allows the end user to evaluate the installation of the AMFS Solution as well as remediate frequently encountered issues. Some of those issues relate to the Windows version used, others are observed cross platform.

OFFICE 365

When clicking the Office 365 push button, the form below is displayed. Each one of the push buttons gives access to the federated services mentioned. The following options are presented:

License Management

a. Allows assigning licenses and individual license plans by account as well as bulk processing using a CSV file. Within the services provided an option is foreseen to switch license bundle (e.g. switch from E1 to E3 and vice versa).

Account Management

a. Allows managing all life cycle phases of cloud accounts (create, block, recycle-bin and remove from recycle-bin). Some of the options are also accessible for federated accounts when applicable.

b. An export is foreseen to dump all attributes and their values for a selected Office 365 account and its related directory objects into distinct CSV files per object type and occurrence, namely the Windows Azure Active Directory (WAAD) User Object, the Active Directory (AD) User Object and the Mail Enabled User Object (linked mailbox hosted in Services.MittaCo.Com). The number of objects depends on the use case of the Office 365 account selected. Per object a separate CSV file is generated. The search in AD uses the Immutable ID value stored in WAAD.

i. Cloud Account: only WAAD Object

ii. Federated Account:

1. WAAD & AD Object.

a. If the AD Object is not hosted in the MittalCo.Com forest, also the Mail Enabled User Object.

Federation Management

a. Allows administering the federation. Once federation is delegated to a management scope, the authorized accounts can administer the federation themselves for all management scopes below that authorized management scope (e.g. business unit federation allows managing all federation to companies belonging to that business unit).

Reporting

a. Aggregates the ArcelorMittal custom meta data (via registered attributes) with the standard Office 365 reports. Reporting services are also federated to ensure that data privacy rules, where applicable (e.g. anonymize user data), are followed.

User photo management

a. This feature was added as a nice-to-have, as many end users struggle to get their user photo uploaded to the Office 365 platform, and it can pose network issues when used massively. The option shows that customizations can easily be integrated and federated when and if required.


Tips & tricks

AUTOMATIC ALERTS WHEN NEW VERSION IS RELEASED

As the AMFS solution is still in POC, one can expect frequent updates. To follow those updates, one should subscribe to ‘Alert me’ on the SPO site. See below.

Once configured, any change results in an automatic mail alert when a new version is released or any other document related to the AMFS Solution is changed. Within the mail subject a download link is provided to install the latest version of the AMFS tool. Those using a software repackaging factory can also be triggered using the same method.

BULK PROCESSING

Throughout the AMFS solution one can generate multiple reports. Those reports are always generated as a CSV file using the list separator of the PC culture settings and saved under %TEMP%. The CSV files generated can be used as input for any bulk operation when they hold the required attribute (in most cases userPrincipalName).

As the list separator can vary by PC, one should always use the CSV file on the same host where the CSV file was generated (or both PCs should use the same culture).

The list separator of the host's current culture is the item delimiter. The default is a comma (,). To see the list separator of a host, use the following PS command:

(Get-Culture).TextInfo.ListSeparator

SEARCH FOR ACCOUNT

Throughout the AMFS solution, forms may contain a UPN entry field marked as seen below. If the entry field has focus, one can double click or press F1. This allows a search on all WAAD accounts (more than 100k). The screen below is shown.

The value typed in the entry field ‘Search Filter’ queries all accounts on mail addresses and display names. As an additional filter one can influence the scope of the WAAD accounts to be queried. Two filters can be activated: query ‘Enabled/Disabled’ and query ‘Licensed/Unlicensed’ accounts.

Double clicking the selected item in the list box goes back to the previous form and automatically fills in the account UPN in the UPN field. Leaving that UPN field by pressing return, TAB, etc. queries the additional information of the UPN filled in and displays those attribute values in the active form.

When an account type is identified as a service account, the color of the UPN field changes to red. See below:

SEARCH FOR IDM DATA

Throughout the AMFS solution, forms may contain a field with an AMEI (unique identifier of an identity) as seen below.

Double clicking the field queries the IDM repository for the data associated with the AMEI value. If found, a txt file is created and saved under %TEMP% with the file name %AMEI%.txt. See the sample extract below. This service is protected and federated in the context of privacy. To enable the feature, the service "AMFS-View-UserIDMData" (View account IDM data (AMFS)) must be federated to the requester for his management scope. This allows the requester to see all relevant business meta data associated with the identity.

PROTECT AN ACCOUNT (E.G. SERVICE ACCOUNTS)

Some accounts are used as service accounts (no license assigned, etc.) and serve a specific service. All those accounts must have an AMEI assigned to them identifying the responsible identity. The management scope of that AMEI is also used in the federation solution. To avoid unwanted changes to such accounts, the tool allows setting the ‘Account Type’.

The form to set the account type value can be reached via Main Form ► Office 365 ► Federation management ► Manipulate management scope (Overrule IDM meta data). Select the UPN of the account that should be protected, select the desired ‘Account Type’ from the combo box and press ‘Customize management scope’.

Once it is set, all federation is blocked for the selected account. When selecting such an account in any form, the background of the UPN field changes to red (see form below) for easy recognition.

Disaster/Recovery Scenario

In the use cases where the AMFS tool is not functioning, entities will be given pre-enrolled service accounts. Those service accounts will be given the required elevated rights (role assignment). By default they are disabled. They can be enabled as part of an emergency change request to the CAB. The assigned federated services can then be executed via the service account and the administration portal(s) provided by the Office 365 platform. In this case management scope protection is no longer enforced nor secured. Some features from the tool are also not available in the administration console(s), so the federation services are available but with reduced functionality (e.g. bulk disable video for Skype for Business, etc.). Also, the roles assigned may encompass more services than what was initially scoped for the account (less granularity).

The service accounts will be generated on a weekly basis based on the federation meta data available in WAAD.

Federated Services

The list of federated services is growing on a weekly basis as we are still in the POC phase. Priority was given in alignment with the go-to-gold planning of each of the service towers in the Office 365 Program. Below is the list of federated services as of Wednesday, May 25, 2016. Some services can be executed against a CSV file. The CSV file must contain at least the header column ‘userPrincipalName’. The service ‘Create cloud account’ can also be executed against a CSV, but the CSV needs to contain at least the header column ‘AMEI’. No cloud account can exist without an associated AMEI.
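Two of the rules above are easy to get wrong in practice: the separator of an exported CSV depends on the culture of the host that produced it (see the bulk processing tip and the (Get-Culture).TextInfo.ListSeparator command), and a bulk input needs the right header column (‘userPrincipalName’, or ‘AMEI’ for ‘Create cloud account’). The following added Python example, which is not part of the AMFS tool, validates a bulk file before anything is processed; the sample CSV text, UPNs and AMEI values in it are constructed.

```python
"""Validating an AMFS-style bulk CSV before processing (added illustration, not the tool's code).

check_bulk_file detects the list separator from the header line, compares it with the
host separator when one is given (the value (Get-Culture).TextInfo.ListSeparator returns),
and refuses files whose required column is missing or empty. Sample data is constructed.
"""
import csv
import io
from typing import Optional

REQUIRED_COLUMN = {"Create cloud account": "AMEI"}   # every other service needs userPrincipalName
CANDIDATE_SEPARATORS = (",", ";", "\t")


def detect_separator(header_line: str) -> Optional[str]:
    """Return the candidate separator that splits the header into the most fields,
    or None for a single-column header. Quoted header names containing a separator
    would over-count, but AMFS exports use plain attribute names."""
    best, best_count = None, 1
    for sep in CANDIDATE_SEPARATORS:
        count = len(header_line.split(sep))
        if count > best_count:
            best, best_count = sep, count
    return best


def check_bulk_file(text: str, service: str = "", host_separator: Optional[str] = None) -> tuple:
    """Return (ok, message, rows); rows are dicts ready for per-account processing."""
    required = REQUIRED_COLUMN.get(service, "userPrincipalName")
    lines = text.splitlines()
    if not lines:
        return False, "empty file", []
    detected = detect_separator(lines[0])
    if host_separator and detected and host_separator != detected:
        return (False, f"file is {detected!r}-separated but this host's list separator is "
                       f"{host_separator!r}; regenerate the export on this host", [])
    delimiter = host_separator or detected or ","
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    fields = reader.fieldnames or []
    if required not in fields:
        return False, f"required column {required!r} missing from header {fields}", []
    rows = []
    for lineno, row in enumerate(reader, start=2):
        if not (row.get(required) or "").strip():
            return False, f"line {lineno}: empty {required}", []
        rows.append(row)
    return True, f"{len(rows)} row(s), separator {delimiter!r}", rows


# Constructed sample exports: one from a ';' culture host, one from a ',' culture host.
EXPORT_SEMICOLON = (
    "userPrincipalName;displayName;AMFSSegmentCode;AMFSBUCode\n"
    "alice@arcelormittal.net;Alice;EUROPE;ARMONY\n"
    "bob@arcelormittal.net;Bob;EUROPE;ARMONY\n"
)
EXPORT_COMMA = "AMEI,displayName\nAM0001,Carol\nAM0002,Dave\n"   # AMEI values are made up

if __name__ == "__main__":
    print(check_bulk_file(EXPORT_SEMICOLON)[:2])
    print(check_bulk_file(EXPORT_SEMICOLON, host_separator=",")[:2])     # culture mismatch
    print(check_bulk_file(EXPORT_COMMA, service="Create cloud account", host_separator=",")[:2])
    print(check_bulk_file(EXPORT_COMMA)[:2])                             # needs userPrincipalName
```

Passing the host separator is what catches the cross-culture case: a ‘;’ file read with a ‘,’ delimiter silently turns the whole header into a single column name, so without the comparison the only symptom would be the less specific "required column missing" message.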


The AMFS solution also allows generating CSV files that can be used for bulk processing based on filtering of management scope, meaning AMFS Custom 1, AMFS Custom 2 and WAAD domain. This makes it possible to generate a CSV containing all accounts belonging to Europe and having ArcelorMittal.net (Armony.Net) as WAAD domain. Any combination is possible, and if no filter is set, all accounts are taken into consideration. CSV files generated from the AMFS solution only contain ‘licensed’ accounts.

MANIPULATE MANAGEMENT SCOPE (AMFS)

The service allows updating the AMFS Custom 1/2 values for an account. In case an entity does not want to leverage business meta data from IDM (RIITA), it can overrule them with 2 attributes. In the sample below the WAAD domain is used as management scope. The service allows the value to be updated per account or to use a CSV file to update in bulk. In case a bulk update is used, the values are sourced from the active form and updated for all accounts in the CSV if authorized. The AMFS attributes are stored in the below WAAD registered attributes:

AMFS Custom 1 in [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSSegmentCode]

AMFS Custom 2 in [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSBUCode]

In case the AMFS attributes are used (have values), they overrule the IDM sourced attribute values for the federation.

SYNCHRONIZE MANAGEMENT SCOPE (IDM)(AMFS), SYNCHRONIZE RETIRED ACCOUNTS (IDM)(AMFS), SYNCHRONIZE EXPIRED ACCOUNTS (IDM)(AMFS), EXPORT MANAGEMENT SCOPE (CSV)(AMFS) AND EXPORT ACCOUNTS TO CSV FOR BULK PROCESSING (AMFS)

The service allows synchronizing the IDM meta data with WAAD as well as exporting the WAAD accounts based on different criteria to a CSV file. The IDM Business Unit/Company selection criteria are sourced from the selected UPN. If the check box is marked (e.g. Business Unit only), the push button filters the data according to the meta data selected in the form. In the combo box ‘Include accounts from’ one can select a WAAD domain, which puts an additional filter on top. The CSV file can be used for any CSV processing that relies on ‘userPrincipalName’.

The exported CSV should not be shared across regions/cultures, as the export to CSV takes the localised culture information of the client into consideration (delimiter character, etc.).

In the sample below, if one selects the push button ‘Export to CSV’, a CSV file is generated with all accounts belonging to IDM Business Unit AM EUROPE FLAT PRODUCTS and IDM Company T732.

The same form also allows synchronizing the cloud accounts with the expired/retired OU in the IDM. Meaning, if an AMEI is put into the Expired/Retired OU of IDM (entry/exit process), the corresponding cloud account (if any) is also disabled.

The option ‘process in batch’ allows executing the service without the service being interrupted when an error occurs. All events (also errors) are then logged in the log file. Processing all accounts can easily take 4 Hr to complete.

When selecting the push button ‘Export mail users AMFS Tool’, a list is generated with the mail addresses of all accounts given federation rights in the AMFS Tool. This can be used to inform users of major release updates as well as of features added as the tool is developed.

SET ACCOUNT PHOTO (EXO), GET ACCOUNT PHOTO (DOWNLOAD)(EXO) AND VIEW ACCOUNT PHOTO (EXO)

The service allows setting, updating and downloading the thumbnail photo of a UPN. Any photo selected is converted to a compatible format and supported size (JPEG format and size ≤ 10 Kb).

IMPORT MANAGEMENT SCOPE (AMFS)

All accounts must have an AMEI value stored in the registered WAAD attribute [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMEI]. This service is made available to cater for synchronization errors as well as to allow assignment of an AMEI to a service account. It also allows identifying the account owner of the service account in case of issues. On a quarterly basis a report will be extracted for all identities having multiple accounts active on the Office 365 platform, to verify the life cycle status of each of the service accounts on a regular basis.


FEDERATE SELECTED SERVICE (AMFS) AND ASSIGN FEDERATED SERVICE (AMFS)

The federation of services itself is also federated. Before anybody can federate a service, the N+1 level should have enabled the federation capability for the management scope (done via ‘Federate selected service (AMFS)’).

Once federated for a defined management scope, the N+1 federation is blocked for all services. This topology allows a service to be blocked for execution at a lower level as well as at a higher level (e.g. federating enable video for a company but not assigning the federation to an account in fact blocks the enablement of video for all accounts belonging to that company).

When a service is federated for the first time, the requester is automatically added to the WAAD group defining the federation. Otherwise, because of the inheritance blockage, nobody would be able to execute the federated service except the super user.

The federation governance is flexible and allows anything from fully centralized (global/WAAD domain/business unit) to completely federated (business unit/company), and anything in between.

In the sample below the service ‘Enable video’ can be federated by the requester to global, IDM business unit 055, IDM company 3B5, AMFS custom 1 EUROPE or AMFS custom 2 ARMONY. If business unit level is selected, the requester should be authorized via global. If company level is selected, the requester should be authorized via business unit federation, and if not authorized at business unit level, via global federation.

Once the service is federated for a certain management scope, the federated service can be assigned to an account for execution. As in the previous sample, the assignment of a federated service is itself also federated (via ‘Assign federated service (AMFS)’). If authorized, the requester below can assign ‘enable video’ to the UPN selected for the different management scopes.

To make the maintenance of the federation more effective, an extra pane was added to the form. This pane allows selecting multiple services in one go. Once selected, the federation action federates all checked services in the list box according to the management scope selection made. In the sample below, if one selects ‘WAAD Domain’, all account photo services (get, set & view) are federated for the management scope “arcelormittal.net”. If ‘Add UPN for selected services’ is checked, the UPN is also enabled for the federation selected (added to the associated groups).

In the assignment form the requester UPN (e.g. form below [email protected]) is the account that will be authorized to execute the selected federated service. The management scope of that authorization is determined via the values coupled with the target UPN (e.g. form below [email protected]) and the push button selected (e.g. if ‘Assign IDM business unit’ is selected, [email protected] will be added to the WAAD group AMFS-Grant-CsConferencingPolicy-EnableVideo-055). The security of the requester (e.g. form below [email protected]) is checked to verify whether he may assign that service for that defined scope.
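The federation check described in this section and in the earlier management scope sections (WAAD grant groups, a narrower federation blocking the wider grant, AMFS Custom 1/2 overriding the IDM values, the IDM fallback when no WAAD object exists yet, service account protection, the super administrator bypass, and checking a scope move against the receiving context), modelled as an added Python example. This is not the AMFS tool's code: the group naming pattern is generalized from the single AMFS-Grant-CsConferencingPolicy-EnableVideo-055 example shown above, the UPNs, the ‘AssignLicense’ and ‘ManipulateManagementScope’ service labels and the group directory are constructed, and the placeholder SUPER_USER stands in for the AMFS service account.

```python
"""Model of the AMFS federation check (added illustration, not the tool's own code).

Constructed assumptions:
  * A service is federated to a management scope when a WAAD group named
    "AMFS-Grant-<Service>-<ScopeValue>" exists; a requester may execute the service
    against a target when he is a member of that group. The manual shows only the
    business-unit form of the name; other scope values are modelled the same way.
  * The narrowest scope for which the service is federated decides: once a company
    federates a service, the global grant no longer reaches that company's accounts
    unless the requester is also in the company group (the manual's licensing example).
  * AMFS Custom 1/2, when set on the WAAD object, replace the IDM business unit/company;
    when the WAAD object does not exist yet, the IDM values are used instead.
  * Accounts typed 'Service Account' are never valid targets; the AMFS service account
    itself (SUPER_USER, a placeholder value) bypasses all checks.
"""
from dataclasses import dataclass, replace
from typing import Optional

SUPER_USER = "amfs-service@example.invalid"  # placeholder for the AMFS service account UPN


@dataclass(frozen=True)
class Account:
    upn: str
    idm_bu: Optional[str] = None
    idm_company: Optional[str] = None
    amfs_custom1: Optional[str] = None
    amfs_custom2: Optional[str] = None
    account_type: str = "User"          # or "Service Account"
    waad_object_present: bool = True    # False right after a cloud account is created

    @property
    def waad_domain(self) -> str:
        return self.upn.split("@", 1)[1].lower()


def management_scopes(acct: Account) -> list:
    """Scope values the account belongs to, widest first
    (Global > WAAD domain > AMFS Custom 1 > AMFS Custom 2, or IDM BU > company)."""
    scopes = ["GLOBAL", acct.waad_domain]
    use_override = acct.waad_object_present and (acct.amfs_custom1 or acct.amfs_custom2)
    pair = (acct.amfs_custom1, acct.amfs_custom2) if use_override else (acct.idm_bu, acct.idm_company)
    scopes.extend(value for value in pair if value)
    return scopes


def group_name(service: str, scope: str) -> str:
    return f"AMFS-Grant-{service}-{scope}"


def check_federation(requester: str, service: str, target: Account, groups: dict) -> tuple:
    """Return (authorized, reason). `groups` maps WAAD group name -> set of member UPNs;
    a group that exists with no members federates the service but lets nobody run it."""
    if requester == SUPER_USER:
        return True, "requester is the AMFS service account: all checks overruled"
    if target.account_type == "Service Account":
        return False, f"{target.upn} is typed 'Service Account': no federated service may target it"
    # Narrowest federated scope wins (the manual's "inheritance blockage").
    for scope in reversed(management_scopes(target)):
        group = group_name(service, scope)
        if group in groups:
            if requester in groups[group]:
                return True, f"granted via {group}"
            return False, f"{service} is federated at scope {scope} and {requester} is not in {group}"
    return False, f"{service} is not federated for any management scope of {target.upn}"


def check_scope_change(requester: str, target: Account, new_bu: str, new_company: str,
                       groups: dict, service: str = "ManipulateManagementScope") -> tuple:
    """A management scope update is checked against the receiving (target) context, so the
    check runs on a copy of the account that already carries the new IDM values.
    The service name is a constructed label."""
    moved = replace(target, idm_bu=new_bu, idm_company=new_company,
                    amfs_custom1=None, amfs_custom2=None)
    return check_federation(requester, service, moved, groups)


# Constructed directory: group name -> members (all UPNs are placeholders).
GROUPS = {
    "AMFS-Grant-CsConferencingPolicy-EnableVideo-GLOBAL": {"video.global@example.invalid"},
    "AMFS-Grant-CsConferencingPolicy-EnableVideo-055": {"bu055.admin@example.invalid"},
    "AMFS-Grant-CsConferencingPolicy-EnableVideo-ARMONY": {"armony.admin@example.invalid"},
    "AMFS-Grant-AssignLicense-GLOBAL": {"license.global@example.invalid"},
    "AMFS-Grant-AssignLicense-3B5": set(),   # federated to company 3B5 with no members: blocked there
    "AMFS-Grant-ManipulateManagementScope-056": {"bu056.admin@example.invalid"},
}
ALICE = Account("alice@arcelormittal.net", idm_bu="055", idm_company="3B5")
BOB = Account("bob@arcelormittal.net", idm_bu="056", idm_company="905")
CAROL = Account("carol@arcelormittal.net", idm_bu="055", idm_company="3B5",
                amfs_custom1="EUROPE", amfs_custom2="ARMONY")
NEW = replace(CAROL, upn="new@arcelormittal.net", waad_object_present=False)
SVC = Account("svc-sync@arcelormittal.net", idm_bu="055", account_type="Service Account")

if __name__ == "__main__":
    video = "CsConferencingPolicy-EnableVideo"
    for who, svc, acct in [("license.global@example.invalid", "AssignLicense", BOB),
                           ("license.global@example.invalid", "AssignLicense", ALICE),
                           ("bu055.admin@example.invalid", video, ALICE),
                           ("armony.admin@example.invalid", video, CAROL),
                           ("armony.admin@example.invalid", video, NEW),
                           ("license.global@example.invalid", "AssignLicense", SVC)]:
        print(who, svc, acct.upn, check_federation(who, svc, acct, GROUPS))
    print(check_scope_change("bu055.admin@example.invalid", ALICE, "056", "905", GROUPS))
```

The empty AMFS-Grant-AssignLicense-3B5 group reproduces the blocking pattern from the management scope section: the global licensing administrator can still license BOB (company 905, no narrower federation) but not ALICE, whose company 3B5 has the service federated with no members.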

Governing the federation

The 2 services, namely ‘Federate selected service (AMFS)’ and ‘Assign federated service (AMFS)’, need to be governed properly, as they control the federation model chosen for a certain management scope and authorize accounts to execute administration services against a management scope.

The global management scope is authorized via approval from the Office 365 CAB.

Below the global management scope (company & business unit & custom 1/2), the existing established governance bodies should define, organize and communicate the approval process (e.g. regional management committee for business unit scope, AD scope, etc., and company IT manager for company management scope).

MAINTAIN FEDERATION MODEL

The service below governs the federation established for a management scope. One can select to remove federation at a management scope as well as remove a specific member of the federation. The screen is reached via Main Form ► Federation Management ► Maintain Federation. By selecting a UPN one can list the federated services by each individual management scope as well as ask for an overview of the federated services by WAAD federated domain or globally.

The option ‘Federation Report’ generates a CSV file for all federated services, their management scope(s) and their member(s). This gives a global overview of the federated administration services implemented for the ArcelorMittal tenant.

REMOVE ASSIGNED FEDERATED SERVICE (AMFS) AND REMOVE ALL ASSIGNED FEDERATED SERVICE(S)(AMFS)

This service enables administration of assigned federated services. When people change role, their assigned federated services need to be updated (remove one) and/or completely removed from the system (remove all). The list box shows the technical names of the federated services the selected UPN is assigned to. Each of those names corresponds with a WAAD security group of which the UPN is a member.

In the above sample the selected UPN has 42 services federated to his account, all of them with WAAD domain management scope profilarbed.lu.

The same service can be assigned at the same time to multiple management scope types for one account (e.g. Enable PSTN conferencing can be federated to BU 056/company 905 as well as to the WAAD domain profilarbed.lu). The account receiving the federation capabilities does not have to belong to the management scope of the federated service (e.g. an account belonging to the ArcelorMittal.Com federated WAAD domain can also be used for the federation against profilarbed.lu accounts or any other management scope for that matter).

To make the maintenance of the federation easier, an option is foreseen to copy the federation applied for one account to another account with a single click. In the above sample [email protected] received the same federation capabilities as [email protected] by clicking the ‘Same for’ push button. In the backend this means that [email protected] was added to the 42 WAAD security groups [email protected] belonged to. After the action was finalized, a message box is displayed showing the result (see further).

ASSIGN LICENSE (E1, E3, E1S4BONLY, E3S4BONLY, E1NOEXO AND E3NOEXO) (OFFICE365)

The service allows assigning E1, E3, E1S4BOnly, E3S4BOnly, E1NoEXO and E3NoEXO to an account. To be successful, the selected account may not have any other license already assigned. In case a license is already assigned, the service ‘ASSIGN LICENSE(S) AND PLAN(S)(OFFICE365)’ should be used.

Usage location is a mandatory attribute and needs to contain a valid country ISO code. The services offered via a license may vary by country due to legal constraints. The current usage location of the UPN is shown in the form as well. In the combo box ‘Usage Location’ one can select another country if it is not correct. If there is a difference between the current usage location and the selected usage location, the account is first updated with the selected usage location before the selected license is assigned.

The service can process a CSV file. This means that for all accounts in the CSV file the selected license and usage location are set to the values selected in the form.

The option ‘Remove all’ removes all licenses assigned to the selected account. Multiple SKUs can be assigned to the same account. A confirmation is asked once; when confirmed, all assigned SKUs are removed. The service can also process a CSV file, meaning that for all accounts in the CSV file all assigned licenses are removed.

The option ‘Remove all with a confirmation’ removes all licenses assigned to the selected account, asking for a confirmation per SKU assigned.

The option ‘Remove all and assign license’ removes all licenses assigned to the selected account and assigns only the selected license. The service can also process a CSV file. A confirmation is asked before the CSV file processing is started. When a ‘Usage location’ is selected, the ‘Current Usage’ location is updated for all accounts present in the CSV file. Below is a typical confirmation message box that is presented before processing is started.

When services are launched against a CSV file, the security check is done per account listed in the CSV file. It may well happen that only part of the accounts are processed because the requester lacks sufficient federation capabilities. All details can be found in the log file created. For each account processed, a row is logged documenting the outcome of the run (success or fail). In case of fail, the reason for the failure is also present in the log file.
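The per-account check and per-row log just described, as an added Python example rather than the tool's own implementation. The federation decision is replaced by a constructed lookup table (a real run would consult the WAAD grant groups), the action is a stand-in that fails for one account so that platform errors show up in the log as well, and the UPNs and scopes are sample values. The process_in_batch switch mirrors the ‘process in batch’ option from the synchronization form.

```python
"""Bulk run with a per-account federation check and one log row per account
(added illustration, not the tool's own code).

The federation decision is modelled by a constructed lookup (constructed_check); the
action is a stand-in that records what it would change and fails for one account.
"""
import csv
import io
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class LogRow:
    upn: str
    outcome: str   # "success" or "fail"
    reason: str    # empty on success


# Constructed: management scope of each target and the scopes each requester holds.
SCOPE_OF = {"alice@arcelormittal.net": "055", "bob@arcelormittal.net": "056",
            "dave@arcelormittal.net": "055"}
GRANTS = {"bu055.admin@example.invalid": {"055"}, "global.admin@example.invalid": {"*"}}


def constructed_check(requester: str, upn: str) -> Tuple[bool, str]:
    scope = SCOPE_OF.get(upn)
    if scope is None:
        return False, "account not found in WAAD"
    held = GRANTS.get(requester, set())
    if "*" in held or scope in held:
        return True, ""
    return False, f"requester not federated for management scope {scope}"


def run_bulk(requester: str, csv_text: str, check: Callable[[str, str], Tuple[bool, str]],
             action: Callable[[str], None], process_in_batch: bool = True) -> List[LogRow]:
    """Run `action` for every userPrincipalName that passes `check`.
    process_in_batch=True logs every error and continues; False stops at the first
    error, so the returned log ends at that row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if "userPrincipalName" not in (reader.fieldnames or []):
        raise ValueError("CSV must contain the header column 'userPrincipalName'")
    log: List[LogRow] = []
    for row in reader:
        upn = (row.get("userPrincipalName") or "").strip()
        allowed, reason = check(requester, upn)
        if allowed:
            try:
                action(upn)
                log.append(LogRow(upn, "success", ""))
                continue
            except Exception as exc:            # error raised by the platform action itself
                reason = f"{type(exc).__name__}: {exc}"
        log.append(LogRow(upn, "fail", reason))
        if not process_in_batch:
            break
    return log


def summarize(log: List[LogRow]) -> Tuple[int, int]:
    """(processed, failed) counts for the message box shown after a run."""
    failed = sum(1 for r in log if r.outcome == "fail")
    return len(log), failed


# Constructed input and a constructed action that fails for one account.
BULK_CSV = ("userPrincipalName,usageLocation\n"
            "alice@arcelormittal.net,LU\n"
            "bob@arcelormittal.net,LU\n"
            "carol@arcelormittal.net,LU\n"
            "dave@arcelormittal.net,LU\n")
APPLIED: List[str] = []


def set_usage_location(upn: str) -> None:
    if upn.startswith("dave@"):
        raise RuntimeError("directory write rejected")   # simulated platform error
    APPLIED.append(upn)


if __name__ == "__main__":
    log = run_bulk("bu055.admin@example.invalid", BULK_CSV, constructed_check, set_usage_location)
    for row in log:
        print(row)
    print("processed/failed:", summarize(log))
```

A requester holding only business unit 055 gets alice processed, bob refused for scope 056, carol refused as unknown, and dave failed by the action; the same file run by the global requester processes bob too, which is the partial-processing behaviour the manual warns about.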

The options ‘Switch E1-E3’ and ‘Switch E3-E1’ allow an easy switch between similar SKUs. Plan information is retained during the switch. This means that if an account has the Exchange Online plan active in the original SKU assignment, that plan will also be active in the target SKU. The plan SLA may however. Both options also allow for bulk processing. The original SKU must be assigned to the account(s) the switch is targeted at. E.g. ‘Switch E1-E3’ in the above sample means that the selected account must have an E1 assigned and that license will be switched to an E3. The different plan statuses are retained where applicable (Exchange Online, SharePoint Online, Yammer, etc.).

ASSIGN LICENSE(S) AND PLAN(S)(OFFICE365)

In this form license(s) and associated plan(s) can be changed for an account. 2 list boxes are shown. The middle list box shows the SKU’s/Plans available on the tenant. The icon shown beside the SKU’s or plans shows the status of the individual SKU/Plan at a tenant level.


- Available
- Not available (e.g. consumed units ≥ subscribed units in contract)
- Available but awaiting configuration, activation, etc.

The same icons are used for the SKU’s/Plans already assigned to the UPN. The icon then reflects the status of the SKU/Plan in association with the UPN.

Multiple changes can be made at once and by clicking ‘Assign license(s)/plan(s)’ the changes are applied to the UPN. Switching licenses needs to be executed in the correct order. E.g. one cannot assign the E3 bundle while the E1 bundle is assigned. To switch, one needs to deselect the E1 bundle and save the changes. Once this is done the E3 bundle can be assigned.

Some combinations cannot be assigned (e.g. assigning the same plan via different SKU’s, etc.). When such an error occurs it will be displayed in a message box and no update will be done.

Before a change is saved a confirmation is asked for each major license life cycle phase, namely add, remove and change plan(s).
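As an added illustration (not code from the AMFS tool), the following Python models the plan-status retention of the ‘Switch E1-E3’ option and the assignment checks described above (bundle order, same plan via different SKU’s). The SKU and plan identifiers are constructed sample data, and plans that exist only in the target SKU are assumed to default to enabled.

```python
# Added illustration (not AMFS code): plan-status retention for a SKU switch
# and the assignment checks the form enforces. SKU/plan names are constructed.
from dataclasses import dataclass, field

# Constructed sample catalogue: SKU -> {plan id: service family}. Plans are
# matched across SKUs by service family, which is how "Exchange Online active
# in E1" can be carried over to the differently named E3 Exchange plan.
SKU_PLANS = {
    "E1": {
        "EXCHANGE_S_STANDARD": "Exchange Online",
        "SHAREPOINTSTANDARD": "SharePoint Online",
        "YAMMER_ENTERPRISE": "Yammer",
        "MCOSTANDARD": "Skype for Business",
    },
    "E3": {
        "EXCHANGE_S_ENTERPRISE": "Exchange Online",
        "SHAREPOINTENTERPRISE": "SharePoint Online",
        "YAMMER_ENTERPRISE": "Yammer",
        "MCOSTANDARD": "Skype for Business",
        "OFFICESUBSCRIPTION": "Office ProPlus",
    },
}


class AssignmentError(Exception):
    """A combination the tenant rejects; the account is left unchanged."""


@dataclass
class Account:
    upn: str
    # assigned SKU -> {plan id: "Success" (enabled) or "Disabled"}
    licenses: dict = field(default_factory=dict)


def assign_sku(account, sku, disabled_plans=()):
    """Assign one SKU. Rejected when a plan of the new SKU is already provided
    by another assigned SKU (the 'same plan via different SKUs' error), which
    is also why E3 cannot be added while E1 is still assigned."""
    if sku in account.licenses:
        raise AssignmentError(f"{sku} is already assigned to {account.upn}")
    provided = {plan for plans in account.licenses.values() for plan in plans}
    clash = sorted(set(SKU_PLANS[sku]) & provided)
    if clash:
        raise AssignmentError(f"cannot assign {sku}: {clash} already provided by another SKU")
    account.licenses[sku] = {
        plan: "Disabled" if plan in disabled_plans else "Success" for plan in SKU_PLANS[sku]
    }
    return account.licenses[sku]


def remove_sku(account, sku):
    """Remove one SKU and return its plan statuses."""
    if sku not in account.licenses:
        raise AssignmentError(f"{sku} is not assigned to {account.upn}")
    return account.licenses.pop(sku)


def switch_sku(account, source, target):
    """'Switch E1-E3' style operation: the source SKU must be assigned; it is
    removed first (the order the form enforces) and the target assigned with
    each plan status carried over by service family. Plans only present in the
    target are enabled (assumption: the manual does not say how the tool
    treats them)."""
    if source not in account.licenses:
        raise AssignmentError(f"{account.upn} must have {source} assigned before switching")
    original = remove_sku(account, source)
    family_status = {SKU_PLANS[source][plan]: status for plan, status in original.items()}
    disabled = [plan for plan, family in SKU_PLANS[target].items()
                if family_status.get(family) == "Disabled"]
    try:
        return assign_sku(account, target, disabled)
    except AssignmentError:
        account.licenses[source] = original  # roll back: a failed switch changes nothing
        raise


if __name__ == "__main__":
    acct = Account("user@example.onmicrosoft.com")  # constructed UPN
    assign_sku(acct, "E1", disabled_plans=["YAMMER_ENTERPRISE"])
    try:
        assign_sku(acct, "E3")  # rejected: E1 is still assigned
    except AssignmentError as err:
        print("rejected:", err)
    print(switch_sku(acct, "E1", "E3"))  # Yammer stays Disabled in E3
```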


ASSIGN MFA ENABLED APPLICATION (SECURITY)

The Office 365 platform allows multi-factor authentication (MFA) to be set per account. MFA helps secure user sign-ins for cloud services beyond just a single password (e.g. cloud accounts). With MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied. The state of the MFA is shown in the form once an account is selected.

Disabled: This is the default state for a new user not enrolled in multi-factor authentication.

Enabled: The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.

Enforced: The user may or may not have completed registration. If they have completed the registration process then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in. Non-browser apps (such as …Outlook etc.) will not work until app passwords are created and entered into the non-browser apps.

The Office 365 platform also allows multi-factor authentication per supported application. Enabling MFA for an application for an account is done via the form below. When selecting an account the currently MFA enabled applications are checked for that account. MFA active is visualized via a check in the list box. Checking/unchecking and then pressing the update option will update the assignment of the MFA enabled applications for the selected account.

Currently 3 applications are MFA enabled: Exchange Online, SharePoint Online and Yammer.


CREATE CLOUD ACCOUNT VIA AMEI OR E-MAIL ADDRESS (OFFICE365) AND VIEW ACCOUNT IDM META DATA (AMFS)

The service allows creating a cloud account given an AMEI or mail address. The value given is checked against IDM. If no valid identity is found an error message is shown. When pushing the button ‘View IDM attribute values’ a txt file is generated containing all IDM attribute names and values and displayed on the screen.

If a valid identity is found in IDM a cloud account is created where the UPN prefix is identical to the mail address prefix and the UPN suffix is ‘ArcelorMittal.OnMicrosoft.Com’. All IDM attribute meta data is also updated where available (country, department, etc.). A first random password is generated for the cloud account that must be changed at first login. The mail addresses field is by default populated with the mail address found for the identity in the IDM. Additional mail addresses can be added. The button ‘Send welcome mail’ will send a mail with the account details to the selected mail addresses.

The service can process a CSV file containing valid AMEI’s. In this case the mail addresses field should be populated upfront. For each cloud account created a separate mail is sent containing the account details.


RESET CLOUD ACCOUNT PASSWORD (OFFICE365)

The service allows resetting the password of a cloud account. Password reset for federated accounts is managed by the WAAD domain. The new password is automatically generated and must be changed after first login. A mail with the new password is sent to the mail addresses specified. In the below sample the service will not work as the target is typed as a service account.


DISABLE CLOUD ACCOUNT (OFFICE365), ENABLE CLOUD ACCOUNT (OFFICE365), REMOVE CLOUD ACCOUNT AND PUT IN RECYCLE BIN (OFFICE365), REMOVE ACCOUNT FROM RECYCLE BIN (OFFICE365)

Via manage accounts one can manage the life cycle phases for the cloud accounts. Depending on the federation model chosen for the management scope this may be blocked. The main form is shown below:

Each of the life cycle phases for a cloud account is covered. When you delete an account the account is moved into a recycle bin for 30 days. This means it can be recovered if the deletion was not intended. If the account needs to be removed permanently the push button ‘Delete cloud account from recycle bin’ can be used.

The two last actions can also be executed on federated accounts. Namely ‘Delete account’ moves the account to a recycle bin. ‘Delete account from recycle bin’ removes the account permanently.

Depending on the option chosen on the main screen a form will be displayed where one needs to select the UPN to execute the action on. The forms are very similar so only one scenario is described below. The scenario shown is ‘Disable cloud account’.

Once an account is selected and the action push button is clicked, a confirmation will be asked. In the above sample an account is selected but the account type is a service account. Hence any action will be blocked.

The below message box will be shown. This was also visible because of the red background in the UPN entry field.

All the actions can only be applied to cloud accounts. If a federated account is selected the following error message box will pop up when trying to execute.


The last option ‘Get account info (AD, Mail and WAAD)’ allows dumping all object attributes and their values associated with an Office 365 account. For each object a separate CSV file is generated. The number of CSV files generated depends on the use case of the account as explained earlier (max. 3). After selecting an account and selecting the option ‘Get account info…’ the UPN is processed. First the associated WAAD object is dumped.

From the WAAD object the Immutable ID is extracted as well as the AD Domain/Forest associated with the federated domain (UPN suffix). Once extracted, a search is made based on Object GUID (AD) and Immutable ID (WAAD). If they match, the AD object is dumped.

Dependent on the use case the Mail User object is also dumped in a CSV file.


SET SELECTED CLIENT POLICY (S4B), SET SELECTED EXTERNAL ACCESS POLICY (S4B), SET SELECTED HOSTED VOICE MAIL POLICY (S4B), SET SELECTED VOICE POLICY (S4B), GET SELECTED CONFERENCING POLICY (S4B), GET SELECTED CLIENT POLICY (S4B), GET SELECTED EXTERNAL ACCESS POLICY (S4B), GET SELECTED HOSTED VOICE MAIL POLICY (S4B) AND GET SELECTED VOICE POLICY (S4B)

Within the Skype for Business policy architecture no custom policies can be made. Only pre-created policies can be applied. In this context the solution offers:

- 4 client policies
  o Client policies are the main method to control the behavior of the Skype for Business client, such as whether a user photo is displayed, how the address book is accessed, and whether the presence state “Appear as Offline” is available to the user.
- 224 conferencing policies
  o The conferencing policy determines the features and capabilities that can be used in a Skype for Business conference. It is important because it controls features that span legal and compliance (such as the ability to record the media used in a web conference), security (the ability for anonymous users to participate in a conference), and important management settings that affect the amount of bandwidth consumed during a conference.
- 5 external access policies
  o External access policies have the fewest settings of any of the policies, but are important. They are the main tool to control whether users can connect externally (outside of the corporate network), and whether they can communicate with users outside of the organization such as contacts in a partner organization running Skype for Business (federated contacts), and contacts in public consumer instant messaging systems.
- 1 hosted voicemail policy
- 4 voice policies
  o The voice policy is used to configure the PSTN calling voice experience for users; however it is only applicable if your tenant is using the PSTN calling feature set in Skype for Business Online (which depends on the user license). Skype for Business Online VoIP voice calls are not governed by this policy.


After selecting the policy type a form is displayed where one can select the policy to be applied. The policies that can be applied may vary by UPN depending on the usage location of the UPN and the services configured. In the below form the ‘Global’ policy is applied to the UPN ‘[email protected]’. This is the default policy applied when the service plan is enabled for the UPN. In the list box below all applicable policies for the UPN ‘[email protected]’ are shown. By selecting the policy and pressing apply the policy is applied to the UPN. The service is also ready for bulk processing when a policy is to be applied for a group of accounts.

By pressing the ‘View’ button the policy is exported to a CSV file and opened. The same is achieved when one double clicks on a policy in the list box. This allows the requester to see what the individual policy settings are before they are applied.

Find below the most important conferencing policy settings.

Setting (Default Global Policy value): Description

AllowAnnotations (True): Controls whether or not participants are allowed to make on-screen annotations on any content shared, and whether or not white boarding is allowed. Annotations are not archived along with other meeting content.

AllowAnonymousParticipantsInMeetings (True): Controls whether anonymous users are allowed to participate in the meeting. If this setting is ‘False’, only AD authenticated users are allowed to attend the meeting.

AllowAnonymousUsersToDialOut (True): Controls whether anonymous users (not authenticated with Active Directory) are allowed to join a conference using dial-out phoning. With dial-out phoning, the Skype for Business conferencing server telephones the user; when the user answers the phone, he or she will be joined to the conference.

AllowConferenceRecording (False): Controls whether users are allowed to record the meeting (from the client). This setting applies to all users taking part in the conference.

AllowExternalUserControl (False): Controls whether external users (either anonymous users or federated users) are allowed to take control of shared applications or desktops. This setting is enforced at the per-user level for both conferences and peer-to-peer communication sessions, so some users in a session might be allowed to give up control of a shared application or desktop to an external user while other users might not be allowed to give up control.

AllowExternalUsersToRecordMeeting (False): Controls whether external users (either anonymous users or federated users) are allowed to record the meeting. This setting takes effect only if the AllowConferenceRecording property is set to True.

AllowExternalUsersToSaveContent (True): Controls whether external users (that is, users not currently logged on to your network) are allowed to save handouts, slides, and other meeting content.

AllowNonEnterpriseVoiceUsersToDialOut (False): Controls whether users who have not been enabled for Enterprise Voice are allowed to join a conference using dial-out phoning. With dial-out phoning the conferencing server will dial the user via the telephone (PSTN); when the user answers the phone, he or she will be joined to the conference.

EnableAppDesktopSharing (Desktop): Controls whether participants are allowed to share applications, including their desktop, in a meeting. The values are either 1) "Desktop" (users are allowed to share their entire desktop), 2) "SingleApplication" (users are allowed to share a single application), or 3) "None" (users are not allowed to share applications or their desktop).

EnableDialInConferencing (True): Controls whether users are able to join the meeting by dialing in with a public switched telephone network (PSTN) telephone.

EnableFileTransfer (True): Controls whether file transfers to all the meeting participants are allowed during the meeting.

EnableP2PRecording (False): Controls whether users are able to record peer-to-peer conferencing sessions. It is enforced at the per-user level, so one user in a P2P communication session might be allowed to record it while the other user is not.

MaxMeetingSize (250): Controls the maximum number of people who are allowed to attend a meeting. After the maximum number of participants has been reached, anyone else who tries to join the meeting will be turned away with the notice that the meeting is full.


A very good article explaining the architecture and the practical usage of policies can be found here: http://blog.insidelync.com/2016/04/key-skype-for-business-online-policy-settings/.

DISABLE/ENABLE VIDEO IN SKYPE FOR BUSINESS (S4B) AND SET SELECTED CONFERENCING POLICY (S4B)

The service allows enabling/disabling video for S4B as well as applying a selected policy. When selecting a UPN the currently applied policy is shown in the field ‘Current policy’. The list box below shows the applicable policies for the selected UPN. In the list box shown there are a lot of policies available influencing the S4B service settings for an account. By double clicking on a policy a CSV file is generated showing all settings influenced by the policy.

The policy ‘BposSAllModalityNoVideo’ disables the video setting on the S4B service for the selected account. By pressing the ‘Disable Video’ button the video is disabled.

The policy ‘BposSAllModality’ enables the video setting. By pressing the ‘Enable Video’ button the video is enabled.

By pressing the button ‘Apply Policy’ the selected policy is applied to the account.

The service can process a CSV file for each push button. This means that for all accounts in the CSV file the selected policy will be applied, or video will be disabled or enabled.


VERIFY USER SIP ADDRESS (S4B)

During the deployment, frequent errors were encountered related to the SIP address information stored in the service domains. This only occurs for accounts with linked mailboxes. For that reason the below service was developed. After selecting an account and choosing the option ‘Get information in services domain’ the SIP address is visualized. If the object is a Linked Mailbox and a data error is spotted in the service domain, the option ‘Correct SIP information in services domain’ will become enabled. If those conditions are not met the option will stay disabled.

For any change a confirmation is asked before executing. The confirmation exactly describes what will be changed (old value, new value, added value). In the below sample the option stays disabled as the user object relates to a cloud mailbox and not a linked mailbox.


GLOBAL ACTIVITY REPORT (S4B) AND USER ACTIVITY REPORT (S4B)

This report generates a CSV containing the number and type of activities that a UPN participated in over a period while connected to Skype for Business Online. The scope can be global or one UPN only. All activities in Skype for Business Online for the last 3 months are considered. Another period can be specified by selecting ‘Start date’ and ‘End date’ in the form.


Based on the selection the below data is exported to a CSV and Excel is automatically opened once the CSV file is generated.

- UserName
- LastLogonTime
- LastActivityTime
- TotalP2PSessions
- TotalP2PIMSessions
- TotalP2PAudioSessions
- TotalP2PVideoSessions
- TotalP2PApplicationSharingSessions
- TotalP2PAudioSessionMinutes
- TotalP2PVideoSessionMinutes
- TotalOrganizedConferences
- TotalOrganizedIMConferences
- TotalOrganizedAVConferences
- TotalOrganizedApplicationSharingConferences
- TotalOrganizedWebConferences
- TotalOrganizedDialInConferences
- TotalOrganizedAVConferenceMinutes
- TotalParticipatedConferences
- TotalParticipatedIMConferences
- TotalParticipatedAVConferences
- TotalParticipatedApplicationSharingConferences
- TotalParticipatedWebConferences
- TotalParticipatedDialInConferences
- TotalParticipatedAVConferenceMinutes
- TotalPlacedPSTNCalls
- TotalReceivedPSTNCalls
- TotalPlacedPSTNCallMinutes
- TotalReceivedPSTNCallMinutes
- TotalMessages
- TotalTransferredFiles

GLOBAL PSTN USAGE REPORT (S4B) AND USER PSTN USAGE REPORT (S4B)

This option allows generating a CSV report on a global scope as well as a UPN scope. The report queries information about PSTN usage details in Skype for Business Online for the last 3 months. The period can be set by selecting the ‘Start date’ and ‘End date’. It returns the below data for the selection.

- SipUri
- DateTimeOfCall
- TelephoneNumber
- CallID
- CallType
- Location
- CallDuration
- Currency
- CallCharge


ENABLE DIAL-IN CONFERENCING (S4B), UPDATE DIAL-IN CONFERENCING SETTINGS (S4B) AND RESET LEADER PIN DIAL-IN CONFERENCING (S4B)

The dial-in conferencing settings are administered via the form below. Before it can be used for an account the proper license should be assigned, namely the license ‘Skype for Business PSTN Conferencing’. When the license is assigned the first time, the dial-in conferencing details are set for the account using the default settings of the tenant (e.g. ‘Default conference phone number’). In most cases this will need to be changed. This can be changed as required by selecting a new value from the combo box (values region-country-state-city, below North-America, USA, Illinois, Chicago).

Select other values as required and press ‘Update dial-in conferencing’. This will update the settings for the selected UPN. A mail is also sent to the mailbox associated with the UPN including the updated information.


Reset PIN will automatically generate a new leader PIN for the UPN. A mail will be sent to the UPN mail address with the updated information. A sample extract from the mail message is shown below.

Reset conference ID will automatically generate a new conference ID for the UPN. A mail will be sent to the UPN mail address with the updated information. A sample extract from the mail message is shown below.


The tenant default toll number is set when enabling PSTN conferencing for the first time. This can be changed as required by selecting a new value from the combo box (region-country-city).

Below is a sample mail sent as the result of a ‘Reset PIN’ action.

LICENSE REPORT (OFFICE365) AND LICENSE AND SERVICE STATUS REPORT (OFFICE365) AND LICENSE, SERVICE STATUS AND S4B REPORT (OFFICE365)

3 reports can be generated, with multiple filters possible. The form below shows the capabilities to establish filters.


1. If a UPN is selected only the accounts belonging to the management scope will be reported on.
2. In the ‘WAAD Filter’ combo box a WAAD domain can be selected. This will limit the accounts to those belonging to that WAAD domain.
3. In the ‘SKU Filter’ one can select one SKU to report on.

If nothing is selected a global report is generated containing the data. One can select one filter or combine multiple in one run (the query applies the filters with an ‘and’ operation).

The data generated by the License Report:

- userPrincipalName
- Blocked
- AMEI
- AD-AMEI
- UsageLocation
- Country
- Domain
- Business Unit Code
- Company Code
- AccountSku


The License/Plan Status report contains all data included in the License Report but also includes the service status of each plan within the License (SKU).

The License/Plan Status/S4B report contains all data of the License/Plan Status report and also the S4B profile settings, including:

- SIPAddress
- SIPProxyAddress
- ConferencingPolicy
- ExternalAccessPolicy

ASSIGN ROLE WITH ELEVATED RIGHTS (OFFICE365) AND REMOVE ROLE WITH ELEVATED RIGHTS (OFFICE365)

Within the Office 365 administration portals different standard roles are foreseen. Although the AMFS Solution provides a more granular approach and management scope protection, some of those roles are required to use other platform services. One of those services is the standard Office 365 Support Service included in the Office 365 subscription. The role ‘Service Support Administrator’ is needed to access the portal to register/follow up on a ticket raised with Microsoft. The service is also an integral part of the Global Service Support offering. For that reason the assignment of roles with elevated rights is also federated. One role cannot be assigned, namely ‘Company Administrator’, as this needs authorization and approval from the Change Advisory Board (CAB). In the assign role combo box one can select the role to be assigned to the selected UPN. Once a role is selected the accounts already having that role assigned are shown in the list box below the push button (‘Assign role to Office 365 Account’).


Beyond assignment of a role to an account, removal of a role assignment is also covered in the same form. Select the role in the list box associated with the UPN and select ‘Remove selected role assigned to Office 365 account’.

The export option generates a CSV file with all standard roles and the UPN’s having a standard role with elevated rights assigned.

Security

Using the tool only requires a valid Office 365 account (federated or cloud). No elevated rights need to be assigned to a user to use the tool. The tool itself uses a service account to execute the actions that require elevated rights.

The role and management scope security check is implemented via group membership in the WAAD associated with the Office 365 tenant. Each combination of a federated service with a management scope is an individual WAAD security group.

In the Office 365 administration portal one can search on all WAAD groups related to the AMFS tool by searching on the ‘AMFS-’ prefix. See below:


The WAAD group names follow a naming convention to ease support. Depending on the management scope the name may differ. When the IDM management scope is applied the name of the WAAD group is AMFS-%Federated Service%((-%IDM Business Unit%)-%IDM Company%). When this is overruled (e.g. WAAD domain) the name is AMFS-%Federated Service%((-%AMFS Custom 1%)-%AMFS Custom 2%). When a federated domain is used as management scope the name of the federated domain is appended to the WAAD group name: AMFS-%Federated Service%(-%WAAD Domain Name%).

When no scope is identified it is automatically global.

Below is a list of the services currently federated with a short description.

1. AMFS-Overrule-ManagementScope: Manipulate Management Scope (AMFS)

2. AMFS-Synchronize-ManagementScope: Synchronize Management Scope (IDM)(AMFS)

3. AMFS-Synchronize-Retired: Synchronize retired cloud accounts (IDM)(AMFS)

4. AMFS-Synchronize-Expired: Synchronize expired cloud accounts (IDM)(AMFS)

5. AMFS-Export-ManagementScope: Export Management Scope (CSV)(AMFS)

6. AMFS-Set-UserPhoto: Set account photo (EXO)

7. AMFS-Get-UserPhoto: Get account photo (download)(EXO)

8. AMFS-View-UserPhoto: View account photo (EXO)

9. AMFS-View-UserIDMData: View account IDM data (AMFS)

10. AMFS-Import-ManagementScope: Import Management Scope (AMFS)

11. AMFS-Export-CSVBulkProcessing: Export accounts to CSV for bulk processing (AMFS)

12. AMFS-Assign-Service: Assign federated service (AMFS)

13. AMFS-Remove-AssignedFederatedService: Remove assigned federated service (AMFS)

14. AMFS-Remove-AllAssignedFederatedServices: Remove all assigned federated service(s)(AMFS)

15. AMFS-Federate-Service: Federate selected service (AMFS)

16. AMFS-Set-MsolUserLicense: Assign license (E1, E3, E1S4BOnly or E3S4BOnly (Office365)

17. AMFS-Set-MsolUserLicensePlan: Assign license(s) and plan(s)(Office365)


18. AMFS-New-MsolUser: Create cloud account via AMEI or e-mail address (Office365)

19. AMFS-Set-MsolUserPassword: Reset cloud account password (Office365)

20. AMFS-Set-MsolUser-Disabled: Disable cloud account (Office365)

21. AMFS-Set-MsolUser-Enabled: Enable cloud account (Office365)

22. AMFS-Remove-MsolUser: Remove cloud account and put in Recycle Bin (Office365)

23. AMFS-Remove-MsolUser-FromRecycleBin: Remove account from Recycle Bin (Office365)

24. AMFS-Grant-CsConferencingPolicy: Set selected conferencing policy (S4B)

25. AMFS-Grant-CsClientPolicy: Set selected client policy (S4B)

26. AMFS-Grant-CsExternalAccessPolicy: Set selected external access policy (S4B)

27. AMFS-Grant-CsHostedVoiceMailPolicy: Set selected hosted voice mail policy (S4B)

28. AMFS-Grant-CsVoicePolicy: Set selected voice policy (S4B)

29. AMFS-Get-CsConferencingPolicy: Get selected conferencing policy (S4B)

30. AMFS-Get-CsClientPolicy: Get selected client policy (S4B)

31. AMFS-Get-CsExternalAccessPolicy: Get selected external access policy (S4B)

32. AMFS-Get-CsHostedVoiceMailPolicy: Get selected hosted voice mail policy (S4B)

33. AMFS-Get-CsVoicePolicy: Get selected voice policy (S4B)

34. AMFS-Grant-CsConferencingPolicy-DisableVideo: Disable video in Skype for Business (S4B)

35. AMFS-Grant-CsConferencingPolicy-EnableVideo: Enable video in Skype for Business (S4B)

36. AMFS-Get-CsUserActivitiesReport-Global: Global activity report (S4B)

37. AMFS-Get-CsUserActivitiesReport-User: User activity report (S4B)

38. AMFS-Get-CsPSTNUsageDetailReport-Global: Global PSTN usage report (S4B)

39. AMFS-Get-CsPSTNUsageDetailReport-User: User PSTN usage report (S4B)

40. AMFS-Enable-CsOnlineDialInConferencingUser: Enable dial-in conferencing (S4B)

41. AMFS-Set-CsOnlineDialInConferencingUser: Update dial-in conferencing settings (S4B)

42. AMFS-Set-CsOnlineDialInConferencingUser-LeaderPIN: Reset leader PIN dial-in conferencing (S4B)

43. AMFS-Set-CsOnlineDialInConferencingUser-ConferenceID: Reset conference ID conferencing (S4B)

44. AMFS-Get-LicenseReport: License report (Office365)

45. AMFS-Get-LicenseAndServiceStatusReport: License and service status report (Office365)

46. AMFS-Get-LicenseAndServiceStatusAndS4BReport: License, service status and S4B report (Office365)

47. AMFS-Add-MsolRoleMember: Assign role with elevated rights (Office365)

48. AMFS-Remove-MsolRoleMember: Remove role with elevated rights (Office365)

49. AMFS-RemoveAll-MsolUserLicense: Remove assigned license(s) (Office365)

50. AMFS-Remove-FederatedService: Remove federated service (AMFS)

51. AMFS-Report-Federation: Federation Report (AMFS)

52. AMFS-Assign-MFA: Assign MFA enabled application for user (Security)

53. AMFS-Set-MFA-Enabled: Enable MFA for account (Security)

54. AMFS-Set-MFA-Enforced: Enforce MFA for account (Security)

55. AMFS-Set-MFA-Disabled: Enforce MFA for account (Security)

56. AMFS-Get-MsolUser-SIP: Get SIP for account (S4B)

57. AMFS-Set-MsolUser-SIP: Set SIP for account (S4B)

58. AMFS-Switch-E3ToE1: Switch E3 to E1 maintaining plan status where possible (Office365)

59. AMFS-Switch-E1ToE3: Switch E1 to E3 maintaining plan status where possible (Office365)

Audit

Access to the audit log is delivered via the Windows Azure Administration portal. When filtering the audit log on ‘[email protected]’ all activities executed with elevated rights are shown in the audit log.


Each individual event can be drilled down further for the details. See below a sample of one event. The administration portal allows exporting the report to a CSV file for further processing or when needed as evidence during security/SOX ITGC audits.

Limitations

The maximum number of connections allowed at the same time with the same account is 3 for the Office 365 tenant. As the AMFS solution uses the end user’s own Office 365 account, there is no issue from an end user connection perspective. However, the services that require elevated rights all use the same service account (one for the tenant). If that limit is reached the solution can be adapted to use more service accounts (e.g. a service account by region/country).


Registered attributes

To enable the features of the AMFS solution the WAAD schema was extended with several attributes. Below is the list of attributes and their purpose. Using the Graph API one can query WAAD for these attributes as well as for the default WAAD attributes.

EXTENSION_A040D6D9FD6A4EA595B7F74F74DF758C_EMPLOYEENUMBER

Holds the AMEI value pushed via AAD Connect from the federated AD domain associated with the WAAD domain. The attribute is only available for federated accounts.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMEI

Holds the AMEI value used by the AMFS Solution. For federated accounts this is a copy of the attribute above. For cloud accounts a synchronization engine tries to match the account UPN to an AMEI via several searches; the dominant search is a match on the mail address attribute.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMCOMPANYCODE

Holds the company code. Used by the AMFS solution as the lowest level of management scope (beyond self-service of course). See the table at the end of the document, which shows the company codes for those with more than 1,000 identities.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMSEGMENTCODE

Holds the segment code. Currently not used by the AMFS solution.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMBUCODE

Holds the business unit (BU) code. Used by the AMFS solution as the highest level of management scope (beyond global of course). See the table at the end of the document, which shows the BU codes of the companies with more than 1,000 identities.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMDEPARTMENTCODE

Holds the department code. Currently not used by the AMFS solution.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMBDCODE

Holds the business division code. Currently not used by the AMFS solution.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMFSACCOUNTTYPE

Holds the account type. Used by the AMFS solution to separate and protect service accounts from normal accounts.

EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMFSSEGMENTCODE

Holds the Custom level 1 value. Used by the AMFS solution as the highest level of management scope (beyond global of course) when the IDM management scope is not used.


EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMFSBUCODE

Holds the Custom level 2 value. Used by the AMFS solution as the lowest level of management scope (beyond global of course) when the IDM management scope is not used.

Support

For each run of the AMFS Solution an application log file is created in %TEMP% with the naming convention %GUID%-AMFSLogFile_YYYYMMDD.txt.

Below is an extract of a log file. Each line contains the DTS (time stamp), the message type (Info/Error) and the message itself. Every function/event entry and exit is logged, together with all traceable runtime errors. Some runtime errors stop the program or the selected action; others are ignored.

085250,Info,Enter Main function in module Startup
085250,Info,Enter Get-ScriptDirectory function in module Globals
085250,Info,Leave Get-ScriptDirectory function in module Globals
085250,Info,Preapre Splash Screen
085250,Info,Run Splash Screen with timer event
085251,Info,Enter SplashTicker function in module Startup
085251,Info,Leave SplashTicker function in module Startup
085251,Info,Enter SplashTicker function in module Startup
085251,Info,Leave SplashTicker function in module Startup
085252,Info,Enter SplashTicker function in module Startup
085252,Info,Leave SplashTicker function in module Startup
085252,Info,Enter SplashTicker function in module Startup
085252,Info,Leave SplashTicker function in module Startup
085252,Info,Stop Splash Screen with timer event
085252,Info,Stop timer on Splash Screen
085252,Info,Remove timer event from Splash Screen
085252,Info,Configure cloud proxy for this session
085252,Info,Cloud proxy configured for this session
085252,Info,Enter Get-ScriptDirectory function in module Globals
085252,Info,Leave Get-ScriptDirectory function in module Globals
085252,Info,Enter GetRequesterUPN function in module Globals

The content of the log file can help in resolving the incident and should be examined by the local help desk (L0/L1) before escalating. When the incident is escalated further (L2/L3), the log file should be attached to it so that the use case that induced the error is properly documented for the resolver group assigned to the incident.
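For L0/L1 triage the log can be read mechanically: matching the Enter/Leave markers like a call stack gives the function that was executing when an Error line was written, which is usually enough to name the use case in the incident record. The Python below is an added example and is not part of the AMFS Solution. The line layout (HHMMSS, type, message, with "Enter/Leave <function> function in module <module>" markers) follows the extract above; the Error line in the sample is constructed.

```python
"""Triage helper for the %GUID%-AMFSLogFile_YYYYMMDD.txt files.

Added example, not part of the AMFS Solution. The line layout follows the
extract on this page; the Error line in SAMPLE_LOG is constructed.
"""
import re

LINE_RE = re.compile(r"^(?P<dts>\d{6}),(?P<kind>Info|Error),(?P<msg>.*)$")
TRACE_RE = re.compile(r"^(?P<dir>Enter|Leave) (?P<fn>\S+) function in module (?P<mod>\S+)$")


def parse_line(line):
    """Split one log line into (dts, kind, message); None for lines that do not fit."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("dts"), m.group("kind"), m.group("msg")


def triage(lines):
    """Collect Error lines with the function stack that was open when each was written.

    Enter/Leave markers are matched like a call stack. A Leave that does not
    close the innermost Enter is reported instead of silently accepted, since a
    log that is inconsistent or truncated mid-function is itself evidence.
    """
    stack = []        # (function, module) entries opened by Enter and not yet closed
    errors = []
    unmatched = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # tolerate stray lines (e.g. a partial write)
        dts, kind, msg = parsed
        if kind == "Error":
            errors.append({"time": dts, "message": msg,
                           "stack": ["%s.%s" % (mod, fn) for fn, mod in stack]})
            continue
        t = TRACE_RE.match(msg)
        if t is None:
            continue                      # ordinary Info line, not a trace marker
        entry = (t.group("fn"), t.group("mod"))
        if t.group("dir") == "Enter":
            stack.append(entry)
        elif stack and stack[-1] == entry:
            stack.pop()
        else:
            unmatched.append((dts, msg))
    return {"errors": errors,
            "open_stack": ["%s.%s" % (mod, fn) for fn, mod in stack],
            "unmatched_leaves": unmatched}


def incident_summary(report):
    """One line per error, suitable for pasting into the incident record."""
    lines = []
    for err in report["errors"]:
        where = " > ".join(err["stack"]) or "(top level)"
        lines.append("%s Error in %s: %s" % (err["time"], where, err["message"]))
    if report["open_stack"]:
        lines.append("log ends inside %s" % " > ".join(report["open_stack"]))
    return lines


# Constructed sample: lines in the shape of the extract above plus a fabricated Error.
SAMPLE_LOG = """\
085250,Info,Enter Main function in module Startup
085250,Info,Enter Get-ScriptDirectory function in module Globals
085250,Info,Leave Get-ScriptDirectory function in module Globals
085252,Info,Configure cloud proxy for this session
085252,Info,Cloud proxy configured for this session
085252,Info,Enter GetRequesterUPN function in module Globals
085253,Error,Requester UPN could not be resolved for this session
085253,Info,Leave GetRequesterUPN function in module Globals
"""

if __name__ == "__main__":
    for line in incident_summary(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against the attached log file (open it and pass the lines to triage) before escalating to L2/L3; the "log ends inside" line is worth including in the incident, because a log that stops inside a function without a matching Leave points at where the tool was interrupted.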

The AMFS Solution is currently in POC phase. Any issue can be escalated to the AMFS Solution owner ([email protected]). During the POC/Pilot phase all issues are tracked in the issue tracker available at AMFS Solution Issue Tracker.


ArcelorMittal Business Units & Companies

Below is the list of Business Unit codes and company codes having more than 1,000 identities. In all the forms the metadata is displayed for the UPN selected or shown. If you wonder which business unit and company code your identity belongs to, start the AMFS tool: all the information is displayed in the 'Requester Info' box. The same is done for target accounts (UPN group box).

Double-clicking on any field holding an AMEI number displays all IDM metadata. When faults are discovered, this is the first place to look. The row matching the requester selected in the form is highlighted in yellow.

BU  COMPANY  BU DESCRIPTION                  COMPANY DESCRIPTION
51  A303     AFRICA AND CIS                  JSC ArcelorMittal Temirtau
51  A305     AFRICA AND CIS                  PJSC ArcelorMittal Kryviy Rih
89  TA406F   USA FLAT                        ArcelorMittal USA Flat (TB)
55  TA206F   AM EUROPE FLAT PRODUCTS         ArcelorMittal Poland Flat (TB)
51  A304     AFRICA AND CIS                  ArcelorMittal South Africa Ltd
55  3        AM EUROPE FLAT PRODUCTS         ArcelorMittal España
58  TAMB1F   AM SOUTH AMERICA FLAT           ArcelorMittal Brazil - Division Flat (TB)
55  A213     AM EUROPE FLAT PRODUCTS         ArcelorMittal Galati SA
55  T732     AM EUROPE FLAT PRODUCTS         ArcelorMittal Belgium - Gent (TB)
53  TC6A3F   AM DOFASCO                      ArcelorMittal Dofasco Flat (TB)
55  3B5      AM EUROPE FLAT PRODUCTS         ArcelorMittal Atlantique et Lorraine
55  TA205F   AM EUROPE FLAT PRODUCTS         ArcelorMittal Ostrava Flat (TB)
59  TAMB1L   AM SOUTH AMERICA LONG           ArcelorMittal Brasil - Division Long (TB)
55  V436     AM EUROPE FLAT PRODUCTS         ArcelorMittal Méditerranée
55  T3B5     AM EUROPE FLAT PRODUCTS         ArcelorMittal Lorraine (TB)
55  V812     AM EUROPE FLAT PRODUCTS         ArcelorMittal Eisenhüttenstadt GmbH
57  TC781S   AM MEXICO                       ArcelorMittal Las Truchas - Steel (TB)
55  746      AM EUROPE FLAT PRODUCTS         ArcelorMittal Bremen GmbH
59  C113     AM SOUTH AMERICA LONG           ACINDAR
59  131      AM SOUTH AMERICA LONG           B-M Bekaert ARAMES SA
56  A212     AM EUROPE LONG PRODUCTS         ArcelorMittal Zenica, D.o.o.
51  A630     AFRICA AND CIS                  LLP Kurilismet
56  905      AM EUROPE LONG PRODUCTS         ArcelorMittal Belval and Differdange
62  A103     NORTH AMERICA CORPORATE OFFICE  ArcelorMittal Montreal Inc.
74  13A1     MINING                          ArcelorMittal Mining Canada G.P.
51  10H7     AFRICA AND CIS                  Termirtau Associates and Ancillaries LLP
81  8H3      AMTP NAFTA                      Industrias Unicon CA
93  14A2     AM/NS CALVERT                   AM/NS Calvert LLC
55  T816     AM EUROPE FLAT PRODUCTS         ArcelorMittal Belgium - Liège (TB)
57  TA102S   AM MEXICO                       ArcelorMittal Mexico - Steel (TB)
72  V135     INDUSTEEL                       Industeel France (Consolidated)
54  V260     AM EUROPE AMDS                  ArcelorMittal Construction France
56  A841     AM EUROPE LONG PRODUCTS         ArcelorMittal Duisburg (Consolidated)
74  A910     MINING                          Peña Colorada Servicios, S.A. de C.V.
59  11B3     AM SOUTH AMERICA LONG           ArcelorMittal Bioflorestas
74  A306     MINING                          ArcelorMittal Liberia Ltd
72  v735     INDUSTEEL                       Industeel Belgium (Consolidated)
55  A722     AM EUROPE FLAT PRODUCTS         Przedsiebiorstwo Uslug Kolejowych KOLPREM Sp. z.o.o.
54  758      AM EUROPE AMDS                  ArcelorMittal Distribution Solutions Poland Sp. z.o.o.
79  A825     AMTP EUROPE                     ArcelorMittal Tubular Products Ostrava a.s.

WAAD Domains

Below is the list of verified domains associated with the ArcelorMittal Office 365 tenant. The domains hosting accounts can be used as a management scope in the AMFS Solution.

WAAD DOMAIN
REIMS-DISTRIB.ARCELORMITTAL.COM
ISCOR.COM
ARCELORMITTAL.LU
HAMILTON.DOFASCO.CA
CONTRACTORS.ARCELORMITTAL.COM
EMAIL.ARCELORMITTAL.COM
CARIBBEANISPAT.COM
SIDBEC.COM
WEIRTON.COM
MITTALCO.COM
NOVAHUT.CZ
ARCELORMITTAL.COM.BR
UHEGUILMAN.COM.BR
USB.ARCELOR.COM
ORMECDOSUL.COM.BR
BBCONTRATOS.COM.BR
ARCELOR.CO.CR
TREASURY.ARCELOR.COM
UGINE-ALZ.ARCELOR.COM
UGINE-GMBH.ARCELOR.COM
UGINESAVOIE.ARCELOR.COM
UGINESAVOIEUK.ARCELOR.COM
TIXIS.ARCELOR.COM
STAINLESS.ARCELOR.COM
SSM.ARCELOR.COM
SPRINTMETAL.ARCELOR.COM
SOLBLANK.ARCELOR.COM
SMEZ.ARCELOR.COM
RS.ARCELOR.COM
SAR.ARCELOR.COM
SARNR.ARCELOR.COM
SCSC.ARCELOR.COM
RCC.ARCELOR.COM
PFF.ARCELOR.COM
IUP.ARCELOR.COM
INDUSTEEL.ARCELOR.COM
IMPHY.ARCELOR.COM
DOFASCO.COM.MX
DOFASCO.CA
BEDINI.ARCELOR.COM
AUTO.ARCELOR.COM
AS.ARCELOR.COM
QCMINES.COM
PCT.ARCELOR.COM
PURCHASING.ARCELOR.COM
PACKAGING.ARCELOR.COM
PAB.ARCELOR.COM
MEUSIENNE.ARCELOR.COM
IRSID.ARCELOR.COM
HE.ARCELOR.COM
LOGISTICS.ARCELOR.COM
INTLSTEEL.COM
BETHSTEEL.COM
MITTALSTEEL.COM
ISPAT.COM
ARCELOR.ORG
ARCELOR.NET
ARCELOR.LU
ARCELOR.COM
JOSSAN.COM.BR
CIMAF.COM.BR
BMS.COM.BR
BMBSTEELCORD.COM.BR
BELGO-MINEIRA.COM.BR
BELGOMINEIRA.COM.BR
BELGOBEKAERT.COM.BR
BELGO.COM.BR
BEKAERTDOBRASIL.COM.BR
ARCELORMITTALDISTRIBUICAO.COM.BR
AMDISTRIBUICAO.COM.BR
ARCELORBRASIL.COM.BR
ARCELORMITTALSA.COM
ARCELORMITTAL.RO
ARCELORMITTAL.DE
ARCELORMITTAL.CZ
ARCELORMITTAL.NET
ARCELORMITTAL.ES
PROFILARBED.LU
SIDMAR.BE
AMCONTRATOS.COM.BR
CONTRATOSAC.COM.AR
ACINDAR.COM.AR
ARCELORMITTAL.COM.PL
ARCELORMITTAL.COM
ARCELORMITTAL.COM.AR
ARCELORMITTAL.MAIL.ONMICROSOFT.COM
ARCELORMITTAL.ONMICROSOFT.COM