Le Noir, Wim | AMFS Solution | August 8, 2016
ArcelorMittal Federation Solution “FEDERATING THE OFFICE 365 ADMINISTRATION”
ArcelorMittal Federation Solution | “FEDERATING THE OFFICE 365 ADMINISTRATION”
1
Contents
Introduction
Readiness requirements
Client
Network
Proxy configuration
Testing installation
Version Information
Multiple instances
Raising network issues when using the AMFS Solution
Unsupported Characters
The federation model
Specific cases
No WAAD object available to do the federation check
Federated services with multiple federation contexts
Super Administrator
Blocking AMFS solution globally/locally
Applying custom management scopes
Export accounts belonging to Armony.Net
Update management scope for exported accounts Armony.net
Main form
Office 365
Tips & tricks
Automatic alerts when new version is released
Bulk processing
Search for account
Search for IDM data
Protect an account (e.g. service accounts)
Disaster/Recovery Scenario
Federated Services
Manipulate Management Scope (AMFS)
Synchronize Management Scope (IDM)(AMFS), Synchronize Retired Accounts (IDM)(AMFS), Synchronize Expired Accounts (IDM)(AMFS), Export Management Scope (CSV)(AMFS) and Export Accounts to CSV for Bulk processing (AMFS)
Set account photo (EXO), Get account photo (download)(EXO) and View account photo (EXO)
Import Management Scope (AMFS)
Federate Selected Service (AMFS) and Assign Federated Service (AMFS)
Governing the federation
Maintain federation model
Remove assigned federated service (AMFS) and Remove all assigned federated service(s)(AMFS)
Assign license (E1, E3, E1S4BOnly, E3S4BOnly, E1NoEXO and E3NoEXO)(Office365)
Assign license(s) and plan(s)(Office365)
Assign MFA enabled application (SECURITY)
Create cloud account via AMEI or e-mail address (Office365) and View Account IDM Meta Data (AMFS)
Reset cloud account password (Office365)
Disable cloud account (Office365), Enable Cloud Account (OFFICE365), Remove cloud account and put in Recycle Bin (Office365), Remove account from Recycle Bin (Office365)
Set selected client policy (S4B), Set selected external access policy (S4B), Set selected hosted voice mail policy (S4B), Set selected voice policy (S4B), Get selected conferencing policy (S4B), Get selected client policy (S4B), Get selected external access policy (S4B), Get selected hosted voice mail policy (S4B) and Get selected voice policy (S4B)
Disable/Enable video in Skype for Business (S4B) and Set Selected Conferencing Policy (S4B)
Verify user SIP address (S4B)
Global activity report (S4B) and User activity report (S4B)
Global PSTN usage report (S4B) and User PSTN usage report (S4B)
Enable dial-in conferencing (S4B), Update dial-in conferencing settings (S4B) and Reset leader PIN dial-in conferencing (S4B)
License report (Office365) and License and service status report (Office365) and license, service status and S4B report (OFFICE365)
Assign role with elevated rights (Office365) and Remove Role with Elevated Rights (OFFICE365)
Security
Audit
Limitations
Registered attributes
extension_a040d6d9fd6a4ea595b7f74f74df758c_employeeNumber
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMEI
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMCOMPANYCODE
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMSEGMENTCODE
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMBUCODE
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMDEPARTMENTCODE
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMBDCODE
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSAccountType
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSSegmentCode
extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSBUCode
Support
ArcelorMittal Business Units & Companies
WAAD Domains
Introduction
The standard Office 365 administration platform has limited federation (delegation) capabilities; in particular its level of granularity falls short for large organizations. Moreover, protection of a management scope is only available for a limited number of Office 365 services (Exchange Online) and would be difficult to implement for ArcelorMittal because of the high number of legacy Active Directory domains federated in our Office 365 tenant. Such a configuration would also build on the past rather than prepare for the future.
The standard role assignment in the portal is, for most functions, tenant-wide, which poses substantial risk from several perspectives (security, operations, etc.).
Taking into consideration that ArcelorMittal is a highly federated organization in which business reorganizations happen at a high pace, the Office 365 Program team architected a role-based administration model where the management scope is sourced from the Identity Management repository (IDM, commonly known as RIITA). The majority of HR systems already interface with IDM, and global security policy requires all physical persons (internal/external) using ArcelorMittal IT systems to have an AMEI (the ArcelorMittal global unique identifier for a physical person).
Access to ArcelorMittal IT systems is provided via IT account(s). Those IT account(s) must be linked to an AMEI so that the important identity life cycle phases (entry/exit) are properly managed. In the ideal world an end user should only need to remember one IT account to access all the IT services granted to him/her for executing his/her role within the ArcelorMittal organization (commonly known as Single Sign On, SSO).
All IT accounts accessing Office 365 are hosted in one Windows Azure Active Directory named ArcelorMittal, which was created together with the Office 365 tenant. Each account is uniquely identified by its userPrincipalName (UPN) (e.g. [email protected]).
To achieve the required granularity, each federated service is implemented one-to-one as a function in the Office 365 Administration Libraries (Function ≡ PowerShell Cmdlet and Library ≡ PowerShell Module). Each federated service has a Windows Azure Active Directory (WAAD) group. The WAAD group name identifies the service federated as well as the management scope covered. All WAAD groups associated with the AMFS solution are prefixed with “AMFS-” to ease searching in the Windows Azure Portal and to simplify support.
The front-end that enables the federation of the Office 365 administration globally was built with SAPIEN PowerShell Studio 2016. This manual contains the installation and usage instructions. For now the Office 365 and Skype for Business federated services are complete, as is the overall security model. The SharePoint Online, Exchange Online, Rights Management Service, Azure and OneDrive for Business federated services will be offered at a later stage, aligned with the global Go-To-Gold planning. This forms the rich PC client application. In parallel, a web-based interface will be developed together with a partner using the Azure Automation engine to enable the federation of the Office 365 administration.
[Figure: Identity (AMEI) linked to Account (UPN)]
Readiness requirements
CLIENT
An active Office 365 work account (cloud or federated) is required to use the solution.
The following 64-bit operating systems of Windows can run the AMFS Solution:
1. Windows 10
2. Windows 8.1 or Windows 8
3. Windows Server 2012 R2 or Windows Server 2012
4. Windows 7 Service Pack 1 (SP1)
5. Windows Server 2008 R2 SP1
A 64-bit version of Windows is required, as the Skype for Business Online module and the Windows Azure Active Directory module are only supported on 64-bit.
The Microsoft .NET Framework 4.5.x and the Windows Management Framework 3.0 or 4.0 are required.
https://msdn.microsoft.com/library/5a4x27ek(VS.110).aspx
https://www.microsoft.com/en-us/download/details.aspx?id=40855
The AMFS Solution uses the modules that are required for Office 365, SharePoint Online and Skype for Business Online. It also uses services of the federated AD domains, which requires the Active Directory module to be installed (see 1.). On Windows 7 the tools for roles and features must be enabled after installation of the package.
1. Remote Server Administration Tools (RSAT) for Windows operating systems
https://support.microsoft.com/en-us/kb/2693643
2. Microsoft Online Service Sign-in Assistant for IT Professionals RTW
https://www.microsoft.com/en-us/download/details.aspx?id=41950
3. Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
http://go.microsoft.com/fwlink/p/?linkid=236297
4. SharePoint Online Management Shell
https://www.microsoft.com/en-us/download/details.aspx?id=35588
5. Skype for Business Online, Windows PowerShell Module
https://www.microsoft.com/en-us/download/details.aspx?id=39366
Windows PowerShell needs to be configured to run signed scripts for Skype for Business Online, Exchange Online and the Security & Compliance Center. Start Windows PowerShell as administrator and run the commands below, or use the ‘Test/Remediate’ pushbutton on the AMFS Solution main screen.
Set-ExecutionPolicy RemoteSigned
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Keep the execution policy at RemoteSigned rather than Unrestricted: the signature check on downloaded scripts is exactly what this setting provides. Note also that Enable-PSRemoting does more than the outbound sessions to Office 365 strictly need: besides starting the WinRM service it creates a WinRM listener on the workstation and opens the firewall for it, so on an administrative workstation it is worth confirming afterwards that this listener is not reachable from the network.
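As an added example (not part of the AMFS Solution or its installer), the following PowerShell script checks the prerequisites of this section on a workstation before the MSI is installed and lists only what is missing. The module names are the ones registered by the Microsoft packages linked above; the .NET 4.5 registry release value (378389) and the function name are assumptions of this example.

```powershell
# Added example, not part of the AMFS Solution or its installer: checks the
# client prerequisites of this section. Module names are the ones registered
# by the Microsoft packages linked above; the .NET release number is the one
# Microsoft documents for .NET 4.5 (assumption of this example).

function Test-AmfsReadiness {
    $results = @()

    # 64-bit OS: the S4B Online and WAAD modules are only supported on 64-bit.
    $os = Get-CimInstance Win32_OperatingSystem
    $results += [pscustomobject]@{ Check = '64-bit Windows'; Pass = [Environment]::Is64BitOperatingSystem; Detail = $os.Caption }

    # .NET 4.5.x or later: the Release value 378389 marks .NET 4.5.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = '.NET Framework 4.5.x'; Pass = ([int]$ndp.Release -ge 378389); Detail = "Release=$($ndp.Release)" }

    # WMF 3.0 or 4.0 ship PowerShell 3.0/4.0; anything newer is fine as well.
    $results += [pscustomobject]@{ Check = 'PowerShell 3.0+'; Pass = ($PSVersionTable.PSVersion.Major -ge 3); Detail = "$($PSVersionTable.PSVersion)" }

    # Execution policy: RemoteSigned is what this section asks for. Unrestricted
    # or Bypass would also run the scripts but give up the signature check.
    $policy = Get-ExecutionPolicy
    $results += [pscustomobject]@{ Check = 'ExecutionPolicy RemoteSigned'; Pass = ($policy -eq 'RemoteSigned'); Detail = "$policy" }

    # Modules installed by the dependent packages (see items 1, 3, 4 and 5).
    $required = [ordered]@{
        'MSOnline'                               = 'Windows Azure Active Directory Module'
        'Microsoft.Online.SharePoint.PowerShell' = 'SharePoint Online Management Shell'
        'SkypeOnlineConnector'                   = 'Skype for Business Online module'
        'ActiveDirectory'                        = 'Active Directory module (RSAT)'
    }
    foreach ($name in $required.Keys) {
        $module = Get-Module -ListAvailable -Name $name | Select-Object -First 1
        $detail = if ($module) { "$name $($module.Version)" } else { "$name not found" }
        $results += [pscustomobject]@{ Check = $required[$name]; Pass = [bool]$module; Detail = $detail }
    }
    return $results
}

# Show only the failing checks; an empty table means the client is ready.
Test-AmfsReadiness | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

The script deliberately reports RemoteSigned as the only passing execution policy, so a workstation that was set to Unrestricted at some point shows up as a finding rather than silently passing.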
A screen resolution of 1920x1080 is recommended when using the AMFS Solution.
The solution itself is installed via a published MSI. The MSI is published on the SPO site of the ‘Office 365 Program’ (AMFS Solution MSI). The dependent software packages can be downloaded from the same SPO site (AMFS Solution Dependent Software Modules).
NETWORK
The AMFS solution needs to connect to all Office 365 services and therefore requires Internet access. All network requirements to fulfil can be found in the Office 365 Network Readiness Requirements.
It is important to note that the Office 365 administration services have more network connectivity requirements than the default Office 365 services. It may well be that one can use Office 365 but at the same time experience difficulties using the ArcelorMittal Federation Solution.
To facilitate analysis of network connectivity issues a Test Form was built. Some common errors can also be remediated from the Test Form (last 4 buttons). For those remediations to run successfully the AMFS Solution must be started with local administrator rights (use ‘Run as administrator’); once done, the program can again be started as a normal user. The Test Form is reached by clicking the ‘Test/Remediate’ button on the Main Form.
The ‘Remediate WinRM Error’, ‘Remediate ServicePoint Clean-Up’ and ‘Remediate Certificate Error’ conditions can occur on Windows 7 and Windows 10. The ‘Remediate maxJsonLength Error’ and ‘Remediate ServicePoint Clean-Up’ only occur on Windows 7. If an option is disabled, the program was able to remediate the issue itself when starting the application.
The AMFS solution also connects to corporate IT services (mainly IDM-RIITA), which requires corporate network connectivity. If corporate network connectivity is not available the solution still works, with reduced functionality. The features that require a real-time connection to the corporate network mainly support the life cycle of the business metadata stored in WAAD. The main features that are not available without corporate network connectivity are:
1. Synchronize IDM meta data
2. Check retired cloud accounts
3. Check expired cloud accounts
4. Link AMEI with Office 365 account (UPN)
5. View IDM data (double click AMEI field)
The solution has been tested with VPN Americas (Cisco) and VPN Europe (F5).
The solution has also been tested with the Cloud Proxy Europe (Cloud Proxy PAC File Link). In case of connectivity and/or network related issues one should first try to remediate via the ‘Set cloud proxy (ZScaler)’ pushbutton. If the error persists even with the cloud proxy, it is most likely a bug in the AMFS Solution; if the cloud proxy resolves it, share the information with the network support team assigned to the location so the local configuration can be corrected.
Proxy configuration
During the development of the AMFS solution network connectivity issues were frequently encountered. The commands below have proven helpful when investigating them. If one receives a connectivity error when starting the AMFS Solution after the initial login, the section matching the local context should resolve the issue.
Connected to Corporate Network (LAN, WiFi-4-INCA)
To configure the cloud proxy, run the commands below as ‘Run as administrator’ in a command window. Note that netsh sets the WinHTTP proxy, which is what the WinRM-based remote PowerShell sessions use; it is separate from the browser (WinINET) proxy setting, so a working browser does not imply a working WinHTTP proxy.
REM SET CLOUD PROXY
NETSH WINHTTP SET PROXY GATEWAY.ZSCALERTWO.NET:10299
NETSH WINHTTP SHOW PROXY
REM START AMFS SOLUTION
"C:\PROGRAM FILES\ARCELORMITTAL\ARCELORMITTAL FEDERATION SOLUTION\AMFS SOLUTION.EXE"
EXIT
If a specific proxy is used at your location, change the proxy accordingly. If you do not know the proxy configuration settings, ask your local network team to assist you. Below is a sample of the proxy configuration used at business unit ArcelorMittal Ghent:
REM SET PROXY BU GHENT
NETSH WINHTTP SET PROXY PROXY.SIDMAR.BE:8080
NETSH WINHTTP SHOW PROXY
REM START AMFS SOLUTION
"C:\PROGRAM FILES\ARCELORMITTAL\ARCELORMITTAL FEDERATION SOLUTION\AMFS SOLUTION.EXE"
EXIT
Connected to Internet (Home, hotel, guest network, etc.)
In case of issues connecting to the remote PowerShell modules, try to disable the proxy configuration settings by switching to ‘direct mode’ with the commands below, run with administrator privileges. Always inform your local network team of the outcome so they can remediate accordingly.
REM RESET PROXY TO DIRECT
NETSH WINHTTP RESET PROXY
NETSH WINHTTP SHOW PROXY
REM START AMFS SOLUTION
"C:\PROGRAM FILES\ARCELORMITTAL\ARCELORMITTAL FEDERATION SOLUTION\AMFS SOLUTION.EXE"
EXIT
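As an added example (not code from the AMFS Solution), the following PowerShell reads the WinHTTP proxy that the netsh commands above configured, then tries each Office 365 endpoint both directly and through that proxy and returns one row per attempt; that table is the information to hand to the network team. The endpoint list is an assumption of this example (the Office 365 sign-in endpoint and the Exchange Online remote PowerShell endpoint); the authoritative list is the Office 365 Network Readiness Requirements referenced above.

```powershell
# Added example, not code from the AMFS Solution. Shows which endpoints are
# reachable directly and through the WinHTTP proxy configured with netsh.

function Get-WinHttpProxy {
    # Parses 'netsh winhttp show proxy'. Returns $null in direct mode. A
    # per-protocol list (http=...;https=...) is returned as-is and would need
    # splitting before use as a URL.
    $text = (netsh winhttp show proxy) -join "`n"
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { return $Matches[1] }
    return $null
}

function Test-AmfsConnectivity {
    param(
        # Endpoints assumed for this example: Office 365 sign-in and the
        # Exchange Online remote PowerShell endpoint.
        [string[]]$Endpoint = @('https://login.microsoftonline.com/',
                                'https://outlook.office365.com/powershell-liveid/'),
        [string]$Proxy = (Get-WinHttpProxy)
    )
    foreach ($url in $Endpoint) {
        foreach ($mode in 'direct', 'proxy') {
            if ($mode -eq 'proxy' -and -not $Proxy) { continue }
            $request = @{ Uri = $url; UseBasicParsing = $true; TimeoutSec = 15; ErrorAction = 'Stop' }
            if ($mode -eq 'proxy') { $request['Proxy'] = "http://$Proxy" }
            try {
                $status = [int](Invoke-WebRequest @request).StatusCode
            } catch {
                # An HTTP error (e.g. 401 from the PowerShell endpoint without
                # credentials) still proves the endpoint was reached; only a
                # transport error (DNS, TCP, TLS, proxy refusal) means it was not.
                $response = $_.Exception.Response
                $status = if ($response) { [int]$response.StatusCode } else { $_.Exception.Message }
            }
            [pscustomobject]@{ Endpoint = $url; Mode = $mode; Proxy = $Proxy; Result = $status }
        }
    }
}

Test-AmfsConnectivity | Format-Table -AutoSize
```

A numeric Result (even 401) means the path to that endpoint is open in that mode; a textual Result is the transport error to quote when raising the issue. Comparing the direct and proxy rows tells you whether the problem sits in the local proxy or beyond it, which is the assignment question this section describes.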
TESTING INSTALLATION
To test whether the AMFS Solution is properly installed, start it: a login screen should appear. Use your normal Office 365 credentials; for those using a federated account the password is the same as for the PC login account. If the login screen does not appear, the software failed to install or one of the software dependencies is not properly covered.
When pressing OK the AMFS Solution tries to log in to Office 365, connects to IDM to check corporate network connectivity and connects to Exchange Online to fetch the user photo. If all of this succeeds, the main form of the AMFS solution is shown. If it takes very long for the main screen to show, one of the remote administration server modules cannot be reached. The AMFS solution will show an error message containing the relevant network information. Either take a screen snapshot or look in the AMFS solution log file and share the content with your local network team.
Version Information
On the first form of the application one can press F1 to display the AMFS Tool version information in a separate window.
Multiple instances
Because of limitations on the number of remote connections that can be made to the Office 365 administration platforms, only one instance is allowed per host. If one tries to start a second instance an error is displayed.
Raising network issues when using the AMFS Solution
During the development of the application network issues were frequently encountered. Assigning such issues to the correct resolution group is very difficult due to the complexity involved. One easy trick in those cases is to connect to the Internet without proxy (use ‘Automatically detect settings’ in the browser) and enable VPN for corporate network connectivity. If the issue still occurs it should be escalated to the application owner of the ArcelorMittal Federation Solution. In all other cases the issue should be raised with the team supporting your local network and proxy configuration.
UNSUPPORTED CHARACTERS
The solution synchronizes data from different sources. Those sources should have their data checked for illegal characters.
Unsupported characters in a user principal name are “?@\+”; unsupported characters in an e-mail address are “[\!#$%&*+/=?^`{}]”. When such a character is encountered it is replaced with “_”. Where such a replacement happened, the normal logic may be broken for the associated objects, for instance because two distinct source values map to the same replaced value.
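As an added example (not the AMFS Solution's own synchronization code), the following PowerShell applies the replacement rule above and reports whether anything changed, then flags collisions where two source values collapse to one replaced value. Two assumptions are made here: the rule is applied to the local part only, since the “@” separating user and domain must survive, and the page's lists are read as character classes in which “\” is itself a member (it is not valid in a UPN). The sample addresses are constructed.

```powershell
# Added example, not code from the AMFS Solution: applies the replacement rule
# of this section to the local part of a UPN or e-mail address and reports
# collisions. Applying it to the local part only, and treating '\' as a
# member of the class, are assumptions of this example.

# Character classes taken from this section.
$UpnIllegal   = '[?@\\+]'
$EmailIllegal = '[\\!#$%&*+/=?^`{}]'

function Repair-AmfsIdentifier {
    param(
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('UPN', 'Email')][string]$Kind = 'UPN'
    )
    $pattern = if ($Kind -eq 'UPN') { $UpnIllegal } else { $EmailIllegal }
    $at = $Value.LastIndexOf('@')
    if ($at -lt 0) { throw "'$Value' has no '@' and is not a valid $Kind" }
    $local  = $Value.Substring(0, $at)
    $domain = $Value.Substring($at + 1)
    $fixed  = [regex]::Replace($local, $pattern, '_')
    [pscustomobject]@{
        Original = $Value
        Repaired = "$fixed@$domain"
        Changed  = ($fixed -ne $local)   # $true means downstream logic may break
        Kind     = $Kind
    }
}

# Constructed sample input: the last two values collapse to the same UPN,
# which is the 'normal logic may be broken' case this section warns about.
$samples  = 'jane.doe@ArcelorMittal.net', 'j+doe@ArcelorMittal.net', 'j?doe@ArcelorMittal.net'
$repaired = $samples | ForEach-Object { Repair-AmfsIdentifier -Value $_ -Kind UPN }
$repaired | Format-Table -AutoSize

# Surface collisions so the data owner can correct them at the source.
$repaired | Group-Object Repaired | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Collision: $($_.Name) <- $($_.Group.Original -join ', ')"
}
```

The Changed flag is what a synchronization job should persist next to the object, so that a later failure on that object can be traced to the replacement rather than debugged as a federation error. Collisions are a security matter as well as a data-quality one: two identities mapping to one UPN means management scope and federation checks are evaluated against the wrong person.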
The federation model
The Office 365 standard administration consoles have limited federation capabilities in terms of the services that can be federated. Moreover, protection of a management scope is only available for a limited number of Office 365 services (Exchange Online) and is mainly based on filtering on Windows Azure Active Directory (WAAD) attribute values. The latter could be used within ArcelorMittal, but it would require a high level of standardization and normalization of the required attributes and their values in the existing federated Windows Active Directories (AD) (currently more than 60 Active Directory domains are federated in the Office 365 tenant). Launching such a program would require substantial effort, pose substantial risk for existing business applications (market software as well as developed software) and delay Office 365 adoption.
Taking into consideration that ArcelorMittal is a highly federated organization in which business reorganizations happen at a high pace, the Office 365 Program team architected a role-based administration model where the management scope is sourced from the Identity Management repository (IDM, commonly known as RIITA). The majority of HR systems already interface with IDM, and global security policy requires all persons (internal/external) using ArcelorMittal IT systems to have an AMEI (the ArcelorMittal global unique identifier for a physical person). Access to ArcelorMittal IT systems is provided via IT account(s). Those IT account(s) must be linked to an AMEI so that the important identity life cycle phases (entry/exit) are properly managed. In the ideal world an end user should only need to remember one IT account to access all the IT services granted to him/her for executing his/her role within the ArcelorMittal organization (commonly known as Single Sign On, SSO).
Access to Office 365 is also granted via an IT account. Two types of accounts are supported and used:
Type 1 is a federated account, where authentication is federated to the on-premise Active Directory. An end user with a federated account automatically has access to Office 365 after a successful PC login (SSO experience between AD and Office 365).
Type 2 is a cloud account, where authentication is handled by the Office 365 WAAD itself. An end user with a cloud account has a separate account and password for Office 365.
All accounts with access to Office 365 must have an AMEI assigned. For federated accounts the AMEI is populated via AAD Connect into a registered attribute in WAAD (attribute name [extension_a040d6d9fd6a4ea595b7f74f74df758c_employeeNumber]). For cloud accounts the account creation process requires an active AMEI value as a mandatory attribute, so the AMEI is populated during account creation; the registered attribute used in WAAD for the AMEI is [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMEI].
One physical person (≡ AMEI) can have more than one Office 365 account (e.g. service accounts). Administration services federated down to the level of the AMEI are so-called self-service services, meaning the end user himself is authorized to execute the service (a typical example is password reset).
In the AMFS solution 5 levels of management scope are implemented, namely:
1. Global
1.1. WAAD Domain
1.1.1. IDM Business Unit
1.1.1.1. IDM Company
1.1.1.1.1. IDM Identity (AMEI)
The levels are hierarchical in the sense that any identity belongs to only one company, each company belongs to one business unit and each business unit belongs to Global (the ArcelorMittal Group). Those 4 IDM levels of management scope are sourced from the IDM repository (RIITA). The data itself is owned by the different HR departments (One HRIS Program).
Within ArcelorMittal we have multiple Active Directory (AD) domains which handle authentication on behalf of the WAAD. Those federated AD domains can also be used as management scope within the AMFS solution (WAAD Domain). One WAAD domain, namely ArcelorMittal.OnMicrosoft.Com, hosts the cloud accounts; in this case authentication is not federated to an on-premise AD domain but handled in the cloud. A list of all WAAD domains can be found in the paragraph WAAD Domains.
When a service is federated for a management scope, the service can only be executed at that management scope, or at a lower level where it is federated as well.
When a service is not federated for a management scope, execution is handled at the N+1 management scope level if the service is federated there. If it is not federated at N+1 either, the service is operated at ‘Global’ level.
It is key to understand the above concepts, as they guarantee autonomy for a management scope if and when required. To execute a federated service the requester must be a member of the WAAD group(s) defining the federation wanted:
If a requester is a member of the WAAD group that can assign licenses globally and at the same time license assignment is federated for company X, the requester will be able to assign licenses for all accounts not belonging to company X, unless he is also made a member of the WAAD group enabling license assignment for company X.
The same concept can be used to block a service for a management scope. Say that company X wants to use only federated accounts and no cloud accounts. To achieve this, the cloud account services should be federated to company X while no members are assigned to the associated WAAD groups. This in fact blocks the use of cloud accounts for company X.
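As an added example (a model written for this page, not the AMFS Solution's own federation check), the following PowerShell implements the rules above on constructed data: it resolves the management scope at which a service is operated for a target account by walking the account's scope chain from the identity upwards and falling back to Global, then decides whether the requester is authorized. It also covers the Super Administrator and ‘Service Account’ cases described later in this chapter. Assumptions of this example: the group naming “AMFS-<Service>-<Scope>” (the page only says groups are prefixed with “AMFS-” and name the service and the scope), the scope level “AMEI” standing for federation down to the identity, the scope names and the service account UPN.

```powershell
# Added example, not the AMFS Solution's own code: a model of the federation
# check described in this chapter, on constructed data. Group naming
# 'AMFS-<Service>-<Scope>', the 'AMEI' level label, the scope names and the
# service account UPN are assumptions of this example.

$AmfsServiceAccount = 'svc-amfs@ArcelorMittal.OnMicrosoft.Com'   # assumed name

function Get-AmfsFederationContext {
    # Walks the target's scope chain deepest-first and returns the first scope
    # for which the service is federated (a WAAD group exists). Falls back to
    # 'Global', as the rules above specify.
    param(
        [string]$Service,
        [string[]]$ScopeChain,      # Global, WAAD domain, BU, Company, AMEI
        [string[]]$ExistingGroups   # all AMFS-* groups present in WAAD
    )
    for ($i = $ScopeChain.Count - 1; $i -ge 0; $i--) {
        if ($ExistingGroups -contains "AMFS-$Service-$($ScopeChain[$i])") { return $ScopeChain[$i] }
    }
    return 'Global'
}

function Test-AmfsAuthorization {
    param(
        [string]$Service,
        [hashtable]$Target,         # ScopeChain, AMEI, AccountType
        [hashtable]$Requester,      # UPN, AMEI, Groups
        [string[]]$ExistingGroups
    )
    # Super Administrator: when the requester is the service account every check is overruled.
    if ($Requester.UPN -eq $AmfsServiceAccount) {
        return [pscustomobject]@{ Service = $Service; Context = 'Global'; Allowed = $true; Reason = 'requester is the AMFS service account' }
    }
    # Protected accounts: nothing runs against a 'Service Account' except setting/unsetting that type.
    if ($Target.AccountType -eq 'Service Account' -and $Service -ne 'SetAccountType') {
        return [pscustomobject]@{ Service = $Service; Context = $null; Allowed = $false; Reason = 'target is a protected service account' }
    }
    $context = Get-AmfsFederationContext -Service $Service -ScopeChain $Target.ScopeChain -ExistingGroups $ExistingGroups
    if ($context -eq 'AMEI') {
        # Federated down to the identity: self-service, only the owner may run it.
        $allowed = ($Requester.AMEI -eq $Target.AMEI)
        $reason  = if ($allowed) { 'self-service by the owner' } else { 'self-service: requester is not the owner' }
    } else {
        $group   = "AMFS-$Service-$context"
        $allowed = ($Requester.Groups -contains $group)
        $reason  = if ($allowed) { "member of $group" } else { "not a member of $group" }
    }
    [pscustomobject]@{ Service = $Service; Context = $context; Allowed = $allowed; Reason = $reason }
}

# Constructed WAAD state: license assignment federated globally and to
# company X; cloud account creation federated to company X with no members
# (the blocking pattern); password reset federated to the identity.
$groups = 'AMFS-AssignLicense-Global', 'AMFS-AssignLicense-CompanyX',
          'AMFS-CreateCloudAccount-Global', 'AMFS-CreateCloudAccount-CompanyX',
          'AMFS-ResetPassword-AMEI'

$admin = @{ UPN = 'admin@ArcelorMittal.net'; AMEI = 'A0001'; Groups = @('AMFS-AssignLicense-Global', 'AMFS-CreateCloudAccount-Global') }
$userY = @{ ScopeChain = @('Global', 'ArcelorMittal.net', 'BU-Europe', 'CompanyY', 'AMEI'); AMEI = 'A0002'; AccountType = 'User' }
$userX = @{ ScopeChain = @('Global', 'ArcelorMittal.net', 'BU-Europe', 'CompanyX', 'AMEI'); AMEI = 'A0003'; AccountType = 'User' }
$ownerX = @{ UPN = 'user@ArcelorMittal.net'; AMEI = 'A0003'; Groups = @() }

Test-AmfsAuthorization -Service AssignLicense      -Target $userY -Requester $admin  -ExistingGroups $groups   # account outside company X
Test-AmfsAuthorization -Service AssignLicense      -Target $userX -Requester $admin  -ExistingGroups $groups   # account inside company X
Test-AmfsAuthorization -Service CreateCloudAccount -Target $userX -Requester $admin  -ExistingGroups $groups   # blocking pattern
Test-AmfsAuthorization -Service ResetPassword      -Target $userX -Requester $ownerX -ExistingGroups $groups   # self-service by owner
```

The four calls reproduce the two scenarios of this section: the global licence administrator is accepted for the company Y account because the context resolves to Global, and refused for the company X account because the context resolves to CompanyX, whose group he is not in; the empty CompanyX cloud-account group refuses everyone, including the global administrator; and the identity-level service only accepts the account's own AMEI. When moving an account between scopes (see the specific case on multiple federation contexts below) the check must be run with the destination account's scope chain, not the current one.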
To deal with specific situations one can override the management scope determined via the IDM repository. Two levels are supported, namely AMFS Custom 1 and AMFS Custom 2. This can be used, for example, where a WAAD domain wants to federate its services along the boundaries of the WAAD domain (e.g. manage video settings for all accounts belonging to domain ArcelorMittal.Net) instead of the IDM boundaries. Within the AMFS solution those levels are named:
1. Global
1.1. WAAD Domain
1.1.1. AMFS Custom 1
1.1.1.1. AMFS Custom 2
1.1.1.1.1. IDM Identity (AMEI)
The metadata of the management scope is stored with each target object as registered attributes. By default a daily synchronization engine updates the IDM metadata for all licensed accounts. The AMFS metadata (the custom levels) has to be maintained by the IT organization opting for the federated model. Specific features are provided in the AMFS solution to facilitate this activity (e.g. export all accounts in Europe belonging to the ArcelorMittal.net WAAD domain to CSV, update AMFS metadata via CSV, etc.).
Some Office 365 accounts are not normal user accounts but so-called service accounts. The AMFS Solution allows any account to be marked as ‘Service Account’. Practically speaking this means that those accounts are not affected when targeted: no federated service can be executed against a ‘Service Account’ via the AMFS Solution, except marking an account as ‘Service Account’ and undoing that marking. The account type is stored in the WAAD registered attribute [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSAccountType].
Federated services that need elevated rights for successful execution are run with a specific service account. The WAAD audit log contains all events related to that service account, so all actions executed via the AMFS solution are logged. Note that the tenant audit log attributes those actions to the service account, not to the requester; attributing an action to the person who requested it requires correlating the tenant log with the AMFS solution's own log file. The user of the AMFS solution does not need any elevated right or role assignment within the Office 365 tenant.
SPECIFIC CASES
Some use cases need further explanation.
No WAAD object available to do the federation check
When a new cloud account is created, neither the WAAD object nor the management scope WAAD attributes are available yet to do the federation check. In this case the IDM attributes are used to do the federation check.
Federated services with multiple federation contexts
When the management scope of an account needs to be updated, the federation check is applied
against the target context. Say a requester wants to move an account from business unit X to
business unit Y; the federation check is then done against business unit Y. For example, when an
account needs to be moved from Americas to Europe, it is the receiving context (Europe) that should
execute the service, or Europe should federate the European management scope service to an
Americas account.
Super Administrator
The end user of the AMFS tool does not need elevated rights on the Office 365 tenant. All actions
requiring elevated rights are done via an AMFS service account that has the needed elevated rights
assigned. The service account can also use the AMFS tool; when the requester is the service
account, all federation/security checks are overruled.
Blocking AMFS solution globally/locally
In case of a security breach, or bulk processing that needs to be halted, the AMFS service account
can be disabled by another company administrator defined in the Office 365 tenant. This blocks all
services that require elevated rights and makes the AMFS tool unusable. As the elevated rights are
requested synchronously from within the AMFS tool, such a disablement has immediate effect.
To stop the AMFS solution locally, open Task Manager on the host where the AMFS solution is
running. Stopping the associated process stops the running AMFS solution as well as any
ongoing bulk processing.
APPLYING CUSTOM MANAGEMENT SCOPES
Although the AMFS tool provides federation at WAAD domain level, demand organizations will
sometimes want to customize management scopes to their needs. As already explained, 2
registered attributes are available for this. The scenario below shows the WAAD domain
defined as a management scope while at the same time a higher-level management scope is
introduced (e.g. region).
The difference between federating at WAAD domain level and using custom scopes is that in the
latter case the data has to be maintained by the demand organization using the custom scopes. In
the WAAD domain federation model the Office 365 UPN suffix of the account determines the
management scope, so no data synchronization is required (less maintenance and no IDM metadata
required). Also, when an account moves from one WAAD domain to another, its management scope
is automatically up to date.
Each WAAD domain has a domain suffix applied (e.g. Armony.Net ► Arcelormittal.Net,
Lu1.Arcelor.net ► ArcelorMittal.Lu). The solution allows WAAD domains to be defined as a
management scope.
In Europe there are several IT supply organizations that use the WAAD domain boundary as a
management scope (e.g. Corporate supplying services in Luxembourg for users belonging to
different companies/business units, etc.). To enable the same model in the solution, AMFS
Custom 1 can be set to ‘EUROPE’ and AMFS Custom 2 to the domain suffix. This gives:
1. AMFS Custom 1: EUROPE
a. AMFS Custom 2: ARMONY (accounts with suffix ArcelorMittal.Net)
b. AMFS Custom 2: CORPORATE (accounts with suffix ArcelorMittal.Lu)
c. AMFS Custom 2: SISODI (accounts with suffix Sidmar.Be)
d. Etc.
To maintain the metadata, the tool provides an option to export all accounts belonging to one WAAD
domain to a CSV file. That file can then be used for a bulk update of the management scope custom
attributes of all the accounts in the CSV.
This system overrules the IDM-provided metadata and relies instead on the IT-defined governance
scopes (e.g. WAAD domain).
The scenario below is for Armony.Net. The form to export the data is reached via Main Form and
the push button ‘Maintenance’. It is key to understand that as WAAD domains are consolidated (e.g.
Americas), the relevance of the custom management scopes will increase again.
The strategic way forward is federation to business-organized management scopes (legal
entity, etc.) and not IT-organized management scopes (WAAD domain, etc.). This
strengthens the self-service model not only from an individual perspective but also from an
organizational perspective (P&L, demand, etc.).
Export accounts belonging to Armony.Net
In the combo box ‘Include accounts from’ select the WAAD domain, in the sample case
ArcelorMittal.Net, and press the push button ‘Export to CSV’.
Multiple filters can be applied based on the selected UPN: if a UPN is selected, the checkboxes
‘Business Unit only’ and/or ‘Company only’ can be ticked. The filters are combined with an ‘and’ operator.
Once the export is done, a message box shows the CSV file and opens it automatically. After
verification of the content, the file can be used in the next step to update the management scope of
the exported accounts.
Update management scope for exported accounts Armony.net
The form to execute the update is reached via Main Form ► Office 365 ► Federation
management ► Manipulate management scope (Overrule IDM meta data). Either select a UPN for
which the AMFS values are already correct, or fill in the desired values in the entry fields
‘AMFS Custom 1’ and ‘AMFS Custom 2’; in this case the values ‘EUROPE’ and ‘ARMONY’.
Once this is done, press the push button CSV and select the file exported previously.
Click Open and the update begins. Once all rows are processed, a message box is displayed.
All the above actions are only possible if the required services are federated to the requester
executing them, both from a federated service perspective and from a management scope
perspective.
The information for a single account can also be updated by selecting the UPN and using the push
button ‘Customize management scope’.
Main form
After successful login the main form is displayed.
Currently the federated services are prioritized in alignment with the Go-To-Gold program. This
means that Office 365 and Skype for Business were completed for the POC of the AMFS
Solution. The Security and Compliance option enables setting multi-factor authentication for an
account as well as assigning MFA-enabled applications to an account.
The Maintenance option mainly deals with the synchronization of the IDM and the WAAD and
will not be used by many people.
The Test/Remediate option allows the end user to evaluate the installation of the AMFS Solution
as well as remediate frequently encountered issues. Some of those issues relate to the Windows
version used; others are observed cross-platform.
OFFICE 365
When clicking the Office 365 push button, the form below is displayed. Each push button gives
access to the federated services mentioned. The following options are presented:
License Management
a. Allows licenses and individual license plans to be assigned per account as well as in bulk
using a CSV file. Within the services provided, an option is foreseen to
switch license bundle (e.g. switch from E1 to E3 and vice versa).
Account Management
a. Allows all life-cycle phases of cloud accounts to be managed (create, block, recycle-bin
and remove from recycle-bin). Some of the options are also accessible for federated
accounts when applicable.
b. An export is foreseen to dump all attributes and their values for a selected Office
365 account and its related directory objects into distinct CSV files per object type
and occurrence, namely the Windows Azure Active Directory (WAAD) User Object, the
Active Directory (AD) User Object and the Mail Enabled User Object (linked mailbox
hosted in Services.MittaCo.Com). The number of objects depends on the use case of
the selected Office 365 account. Per object a separate CSV file is generated. The
search in AD uses the Immutable ID value stored in WAAD.
i. Cloud Account: Only WAAD Object
ii. Federated Account:
1. WAAD & AD Object.
a. If AD Object not hosted from MittalCo.Com forest also
Mail Enabled User Object.
Federation Management
a. Allows the federation to be administered. Once federation is delegated to a
management scope, the authorized accounts can administer the federation
themselves for all management scopes below that authorized management scope
(e.g. business unit federation allows managing all federation to companies
belonging to that business unit).
Reporting
a. Aggregates the ArcelorMittal custom metadata (via registered attributes) with the
standard Office 365 reports. Reporting services are also federated to ensure that data
privacy rules are followed where applicable (e.g. anonymize user data).
User photo management
a. This feature was added as a nice-to-have, as many end users struggle to get a user
photo uploaded to the Office 365 platform and it can pose network issues
when used massively. The option shows that customizations can easily be
integrated and federated when and if required.
Tips & tricks
AUTOMATIC ALERTS WHEN NEW VERSION IS RELEASED
As the AMFS solution is still in POC, frequent updates can be expected. To follow those updates,
subscribe to ‘Alert me’ on the SPO site. See below.
Once configured, any change results in an automatic mail alert when a new version is released or
any other document related to the AMFS Solution is changed. The mail subject contains a
download link to install the latest version of the AMFS tool. Those using a software
repackaging factory can also be triggered using the same method.
BULK PROCESSING
Throughout the AMFS solution multiple reports can be generated. Those reports are always
generated as a CSV file, using the list separator of the PC culture settings, and saved under %TEMP%.
The generated CSV files can be used as input for any bulk operation when they hold the
required attribute (in most cases userPrincipalName).
As the list separator can vary by PC, the CSV file should always be used on the same host where it
was generated (or both PCs should use the same culture).
The list separator of the host's current culture is the item delimiter. The default is a comma (,). To
see the list separator of a host, use the following PS command:
(Get-Culture).TextInfo.ListSeparator
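As an added example (not part of the AMFS tool), this is the check a bulk-processing step would want before it touches any account: parse the CSV with the host's list separator, require the header column the service needs (‘userPrincipalName’, or ‘AMEI’ for account creation), and report a culture mismatch instead of silently processing zero rows. The separator is a parameter here (on Windows it would come from the PS command above), and the sample CSV is constructed.

```python
import csv
import io
from typing import List, Optional, Tuple

# Separators a CSV written by another culture is likely to use.
COMMON_SEPARATORS = (",", ";", "\t")

# Constructed sample: a report written on a host whose list separator is ';'.
# Note the ',' inside the display names, which makes a ','-culture host
# mis-parse the file completely rather than partially.
SAMPLE_SEMICOLON_CSV = (
    "userPrincipalName;displayName;accountEnabled\n"
    "john.doe@arcelormittal.net;Doe, John;True\n"
    "\n"
    "jane.roe@arcelormittal.lu;Roe, Jane;True\n"
)


class BulkCsvError(ValueError):
    """Raised when the CSV cannot safely be used for bulk processing."""


def load_bulk_csv(text: str, list_separator: str, required_column: str) -> List[str]:
    """Return the values of `required_column` from `text`, parsed with the
    host's list separator. Blank lines are skipped; an empty value in the
    required column, a missing column or an apparent culture mismatch raises
    BulkCsvError so nothing is processed half-way."""
    reader = csv.reader(io.StringIO(text), delimiter=list_separator)
    try:
        header = next(reader)
    except StopIteration:
        raise BulkCsvError("empty CSV") from None
    # Strip whitespace and a UTF-8 BOM that Windows tools may prepend.
    header = [h.strip().lstrip("\ufeff") for h in header]
    if required_column not in header:
        if len(header) == 1:
            # Header did not split at all: was the file written with a
            # different list separator (other PC culture)?
            for sep in COMMON_SEPARATORS:
                if sep != list_separator and sep in header[0]:
                    raise BulkCsvError(
                        f"header not split on {list_separator!r} but contains {sep!r}; "
                        "the file was probably generated on a host with another list separator")
        raise BulkCsvError(f"required column {required_column!r} missing; header={header}")
    idx = header.index(required_column)
    values = []
    for lineno, row in enumerate(reader, start=2):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) <= idx or not row[idx].strip():
            raise BulkCsvError(f"line {lineno}: empty {required_column!r}")
        values.append(row[idx].strip())
    return values


def validate(text: str, list_separator: str, required_column: str) -> Tuple[List[str], Optional[str]]:
    """Convenience wrapper: (values, None) on success, ([], message) on error."""
    try:
        return load_bulk_csv(text, list_separator, required_column), None
    except BulkCsvError as exc:
        return [], str(exc)
```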
SEARCH FOR ACCOUNT
Throughout the AMFS solution, forms may contain a UPN entry field marked as shown below.
When the entry field has focus, double-click it or press F1. This allows a search across all WAAD
accounts (more than 100k). The screen below is shown.
The value typed in the entry field ‘Search Filter’ queries all accounts on mail addresses and
display names. As an additional filter, the scope of the WAAD accounts to be queried can be
narrowed. Two filters can be activated: query ‘Enabled/Disabled’ and query ‘Licensed/Unlicensed’
accounts.
Double-clicking the selected item in the list box returns to the previous form and
automatically fills the account UPN into the UPN field. Leaving that UPN field by
pressing Return, TAB, etc. queries the additional information of the filled-in UPN and displays
those attribute values in the active form.
When an account type is identified as a service account, the color of the UPN field changes to red.
See below:
SEARCH FOR IDM DATA
Throughout the AMFS solution, forms may contain a field with an AMEI (unique identifier of an
identity), as shown below.
Double-clicking the field queries the IDM repository for the data associated with the AMEI value.
If found, a txt file is created and saved under %TEMP% with the file name %AMEI%.txt. See the
sample extract below. This service is protected and federated in the context of privacy. To
enable the feature, the service "AMFS-View-UserIDMData" (View account IDM data (AMFS).) must
be federated to the requester for his management scope. This allows the requester to see all
relevant business metadata associated with the identity.
PROTECT AN ACCOUNT (E.G. SERVICE ACCOUNTS)
Some accounts are used as service accounts (no license assigned, etc.) and serve a specific service.
All those accounts must have an AMEI assigned to them identifying the responsible identity. The
management scope of that AMEI is also used in the federation solution. To avoid unwanted
changes to such accounts, the tool allows the ‘Account Type’ to be set.
The form to set the account type value is reached via Main Form ► Office 365 ► Federation
management ► Manipulate management scope (Overrule IDM meta data). Select the UPN of the
account that should be protected, select the desired ‘Account Type’ from the combo box and press
‘Customize management scope’.
Once it is set, all federation is blocked for the selected account. When such an account is selected in any
form, the background of the UPN field changes to red (see form below) for easy recognition.
Disaster/Recovery Scenario
For the cases where the AMFS tool is not functioning, entities will be given pre-enrolled service
accounts. Those service accounts will be given the required elevated rights (role assignment). By
default they are disabled. They can be enabled as part of an emergency change request to the CAB.
The assigned federated services can then be executed via the service account and the
administration portal(s) provided by the Office 365 platform. In this case management scope
protection is no longer enforced nor secured. Some features of the tool are also not available
in the administration console(s), so the federated services are available but with reduced
functionality (e.g. bulk disable video for Skype for Business, etc.). Also, the roles assigned may
encompass more services than what was initially scoped for the account (less granularity).
The service accounts will be generated on a weekly basis based on the federation metadata
available in WAAD.
Federated Services
The list of federated services is growing on a weekly basis as we are still in the POC phase. Priority was
given in alignment with the go-to-gold planning of each of the service towers in the Office 365 Program.
Below is the list of federated services as of Wednesday, May 25, 2016. Some services can be executed
against a CSV file. The CSV file must contain at least the header column ‘userPrincipalName’. The
service ‘Create cloud account’ can also be executed against a CSV, but that CSV needs to contain at
least the header column ‘AMEI’. No cloud account can exist without an associated AMEI.
The AMFS solution also allows CSV files to be generated for bulk processing based on
filtering of management scope, meaning AMFS Custom 1, AMFS Custom 2 and WAAD domain.
This makes it possible to generate a CSV containing all accounts belonging to Europe and having
ArcelorMittal.net (Armony.Net) as WAAD domain. Any combination is possible, and if no filter is
set all accounts are taken into consideration. CSV files generated from the AMFS solution only
contain ‘licensed’ accounts.
MANIPULATE MANAGEMENT SCOPE (AMFS)
The service allows the AMFS Custom 1/2 values of an account to be updated. In case an entity does not
want to leverage the business metadata from IDM (RIITA), they can overrule it with 2 attributes. In the
sample below the WAAD domain is used as management scope. The service allows the values to be
updated per account or via a CSV file in bulk. In case of a bulk update, the values
are sourced from the active form and updated for all accounts in the CSV, if authorized. The AMFS
attributes are stored in the following WAAD registered attributes:
AMFS Custom 1 in [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSSegmentCode]
AMFS Custom 2 in [extension_c77e68a23a6a4f91af48a93b63f95e0f_AMFSBUCode]
When the AMFS attributes are used (have values), they overrule the IDM-sourced attribute values for the
federation.
SYNCHRONIZE MANAGEMENT SCOPE (IDM)(AMFS), SYNCHRONIZE RETIRED
ACCOUNTS (IDM)(AMFS), SYNCHRONIZE EXPIRED ACCOUNTS (IDM)(AMFS),
EXPORT MANAGEMENT SCOPE (CSV)(AMFS) AND EXPORT ACCOUNTS TO CSV FOR
BULK PROCESSING (AMFS)
The service allows the IDM metadata to be synchronized with WAAD, as well as the WAAD
accounts to be exported to a CSV file based on different criteria. The IDM Business Unit/Company selection
criteria are sourced from the selected UPN. If a check box is marked (e.g. Business Unit only), the
push button filters the data according to the metadata selected in the form. In the combo box
‘Include accounts from’ a WAAD domain can be selected, which puts an additional filter on top.
The CSV file can be used for any CSV processing that relies on ‘userPrincipalName’.
The exported CSV should not be shared across regions/cultures, as the export to CSV takes the localised
culture information of the client into consideration (delimiter character, etc.).
In the sample below, selecting the push button ‘Export to CSV’ would generate a CSV file with all
accounts belonging to IDM Business Unit AM EUROPE FLAT PRODUCTS and IDM Company T732.
The same form also allows the cloud accounts to be synchronized with the expired/retired OU in the
IDM, meaning that if an AMEI is put into the Expired/Retired OU of IDM (entry/exit process), the
corresponding cloud account (if any) is also disabled.
The option ‘process in batch’ allows the service to be executed without being interrupted
when an error occurs. All events (including errors) are then logged in the log file. A processing run over all
accounts can easily take 4 hours to complete.
When selecting the push button ‘Export mail users AMFS Tool’, a list is generated with the mail
addresses of all accounts given federation rights in the AMFS Tool. This can be used to inform
users of major release updates as well as features added as the tool is developed.
SET ACCOUNT PHOTO (EXO), GET ACCOUNT PHOTO (DOWNLOAD)(EXO) AND
VIEW ACCOUNT PHOTO (EXO)
The service allows the thumbnail photo of a UPN to be set, updated and downloaded. Any photo
selected is converted to a compatible format and supported size (JPEG format and size ≤ 10 Kb).
IMPORT MANAGEMENT SCOPE (AMFS)
All accounts must have an AMEI value stored in the registered WAAD attribute
[extension_c77e68a23a6a4f91af48a93b63f95e0f_AMEI]. This service is made available to cater for
synchronization errors as well as to allow assignment of an AMEI to a service account. It also allows
the owner of a service account to be identified in case of issues. On a quarterly basis a report
will be extracted of all identities having multiple accounts active on the Office 365 platform, to
verify the life-cycle status of each of the service accounts on a regular basis.
FEDERATE SELECTED SERVICE (AMFS) AND ASSIGN FEDERATED SERVICE (AMFS)
The federation of services is itself federated. Before anybody can federate a service, the N+1
level must have enabled the federation capability for the management scope (done via ‘Federate
selected service (AMFS).’).
Once federated for a defined management scope, the N+1 federation is blocked for all services. This
topology allows a service to be blocked for execution at a lower level as well as at a higher level (e.g.
federating enable video for a company but not assigning the federation to any account in fact blocks
the enablement of video for all accounts belonging to that company).
When a service is federated for the first time, the requester is automatically added to the WAAD
group defining the federation. Otherwise, because of the inheritance blockage, nobody would be
able to execute the federated service except the super user.
The federation governance is flexible and allows anything between fully centralized (global/WAAD
domain/business unit) and completely federated (business unit/company).
In the sample below the service ‘Enable video’ can be federated by the requester to global, IDM business unit 055,
IDM company 3B5, AMFS custom 1 EUROPE or AMFS custom 2 ARMONY. If business unit level is
selected, the requester should be authorized via global. If company level is selected, the
requester should be authorized via business unit federation, or, if not authorized at business unit
level, via global federation.
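The federation check described in this section and under ‘Specific cases’ above, modelled as an added example (not the AMFS solution's own code): scope resolution with N+1 blockage, AMFS Custom 1/2 overruling IDM metadata, ‘Service Account’ protection, the service-account requester overruling all checks, and scope changes checked against the target context. It assumes that every service/scope federation is a WAAD security group named AMFS-Grant-<service>-<scope value> (the document shows this pattern only for business unit 055), and the scope value ‘GLOBAL’, the service name ‘ManipulateManagementScope’ and all UPNs are constructed placeholders.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set

GLOBAL_SCOPE = "GLOBAL"                       # assumed value for the global scope
SCOPE_SERVICE = "ManipulateManagementScope"   # assumed technical service name
SERVICE_ACCOUNT = "Service Account"           # 'Account Type' value used by the tool


@dataclass(frozen=True)
class Account:
    upn: str
    idm_bu: str                          # IDM business unit code, e.g. "055"
    idm_company: str                     # IDM company code, e.g. "3B5"
    amfs_custom1: Optional[str] = None   # AMFS Custom 1, overrules idm_bu when set
    amfs_custom2: Optional[str] = None   # AMFS Custom 2, overrules idm_company when set
    account_type: str = "User"


def group_name(service: str, scope_value: str) -> str:
    """WAAD group carrying one service/scope federation (assumed naming pattern)."""
    return f"AMFS-Grant-{service}-{scope_value}"


def scope_chain(acct: Account) -> list:
    """Scope values of an account from most to least specific, following the
    hierarchy Global > WAAD Domain > Custom 1 / BU > Custom 2 / Company."""
    company = acct.amfs_custom2 or acct.idm_company
    bu = acct.amfs_custom1 or acct.idm_bu
    waad_domain = acct.upn.split("@", 1)[1].lower()
    return [company, bu, waad_domain, GLOBAL_SCOPE]


def governing_group(service: str, acct: Account, groups: Set[str]) -> Optional[str]:
    """The federation closest to the account governs it: once a service is
    federated at some level, the N+1 levels are blocked, so the first existing
    group in the chain is the only one that counts."""
    for scope in scope_chain(acct):
        g = group_name(service, scope)
        if g in groups:
            return g
    return None  # service not federated anywhere along this account's chain


def is_authorized(requester: str, service: str, target: Account, groups: Set[str],
                  memberships: Dict[str, Set[str]], amfs_service_account: str) -> bool:
    """Federation check for running `service` against `target` as `requester`."""
    if requester.lower() == amfs_service_account.lower():
        return True   # super administrator: all federation/security checks overruled
    if target.account_type == SERVICE_ACCOUNT and service != SCOPE_SERVICE:
        return False  # protected account: only the account-type service may touch it
    g = governing_group(service, target, groups)
    return g is not None and g in memberships.get(requester.lower(), set())


def may_change_scope(requester: str, target: Account, new_custom1: Optional[str],
                     new_custom2: Optional[str], groups: Set[str],
                     memberships: Dict[str, Set[str]], amfs_service_account: str) -> bool:
    """A management scope update is checked against the receiving context,
    i.e. the account as it will look after the change."""
    moved = replace(target, amfs_custom1=new_custom1, amfs_custom2=new_custom2)
    return is_authorized(requester, SCOPE_SERVICE, moved, groups, memberships,
                         amfs_service_account)


def sample_state():
    """Constructed federation state (not real tenant data)."""
    video = "CsConferencingPolicy-EnableVideo"
    groups = {
        group_name(video, "055"),         # enable video federated to BU 055
        group_name(video, "3B5"),         # federated to company 3B5, nobody assigned
        group_name(SCOPE_SERVICE, "EUROPE"),  # scope changes into EUROPE
    }
    memberships = {
        "alice@arcelormittal.net": {group_name(video, "055"),
                                    group_name(SCOPE_SERVICE, "EUROPE")},
    }
    return groups, memberships


def demo() -> dict:
    """Run the situations from the text against the constructed sample state."""
    groups, members = sample_state()
    svc = "amfs-svc@arcelormittal.onmicrosoft.com"  # constructed service account UPN
    alice, video = "alice@arcelormittal.net", "CsConferencingPolicy-EnableVideo"
    bob = Account("bob@arcelormittal.net", "055", "3B5")      # company federation blocks BU
    carol = Account("carol@arcelormittal.net", "055", "905")  # governed at BU level
    dave = Account("dave@arcelormittal.net", "055", "905", account_type=SERVICE_ACCOUNT)
    erin = Account("erin@arcelormittal.com", "200", "X01", "AMERICAS", "USA")
    return {
        "bob_video": is_authorized(alice, video, bob, groups, members, svc),
        "carol_video": is_authorized(alice, video, carol, groups, members, svc),
        "dave_video": is_authorized(alice, video, dave, groups, members, svc),
        "svc_on_dave": is_authorized(svc, video, dave, groups, members, svc),
        "erin_to_europe": may_change_scope(alice, erin, "EUROPE", "ARMONY", groups, members, svc),
        "erin_to_asia": may_change_scope(alice, erin, "ASIA", "INDIA", groups, members, svc),
    }
```

Bob is denied although Alice holds the business-unit federation, because the company-level federation below it blocks inheritance; Erin's move is authorized by the receiving EUROPE scope, not by her current Americas scope.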
Once the service is federated for a certain management scope, the federated service can be assigned
to an account for execution. As in the previous sample, the assignment of a federated service is
itself also federated (via ‘Assign federated service (AMFS)’). If authorized, the requester below can
assign ‘enable video’ to the selected UPN for the different management scopes.
To make the maintenance of the federation more effective, an extra pane was added to the form.
This pane allows multiple services to be selected in one go. Once selected, the federation action
federates all checked services in the list box according to the management scope selection made. In the
sample below, selecting ‘WAAD Domain’ would federate all account photo services (get, set & view)
for the management scope “arcelormittal.net”. If ‘Add UPN for selected services’ is
checked, the UPN is also enabled for the selected federation (added to the associated
groups).
In the assignment form the requester UPN (e.g. [email protected] in the form below) is the
account that will be authorized to execute the selected federated service. The management scope of
that authorization is determined by the values coupled with the target UPN (e.g. [email protected] in the
form below) and the push button selected (e.g. if ‘Assign IDM business unit’ is
selected, [email protected] is added to the WAAD group AMFS-Grant-
CsConferencingPolicy-EnableVideo-055). The security of the requester (e.g. [email protected] in the
form below) is checked to see whether he may assign that service for that defined scope.
Governing the federation
The 2 services ‘Federate selected service (AMFS)’ and ‘Assign federated service
(AMFS)’ need to be governed properly, as they control the federation model chosen for a
certain management scope and authorize accounts to execute administration
services against a management scope.
The global management scope is authorized via approval from the Office 365 CAB.
Below the global management scope (company, business unit and custom 1/2), the existing
established governance bodies should define, organize and communicate the approval process (e.g.
regional management committee for business unit scope, AD scope, etc., and company IT manager
for company management scope).
MAINTAIN FEDERATION MODEL
The service below governs the federation established for a management scope. One can choose to
remove the federation at a management scope as well as remove a specific member of the federation.
The screen is reached via Main Form ► Federation Management ► Maintain Federation. By selecting a
UPN, the federated services can be listed by each individual management scope, as well as an
overview of the federated services by WAAD federated domain or globally.
The option ‘Federation Report’ generates a CSV file of all federated services, their management
scope(s) and their member(s). This gives a global overview of the federated administration
services implemented for the ArcelorMittal tenant.
REMOVE ASSIGNED FEDERATED SERVICE (AMFS) AND REMOVE ALL ASSIGNED
FEDERATED SERVICE(S)(AMFS)
This service enables administration of assigned federated services. When people change role, their
assigned federated services need to be updated (remove one) and/or completely removed from the
system (remove all). The list box shows the technical names of the federated services the selected
UPN is assigned to. Each of those names corresponds to a WAAD security group the UPN
is a member of.
In the sample above the selected UPN has 42 services federated to his account, all of them for the WAAD
domain management scope profilarbed.lu.
The same service can be assigned to one account for multiple management scope types at the same time
(e.g. Enable PSTN conferencing can be federated to BU 056/company 905 as well as to
the WAAD domain profilarbed.lu). The account receiving the federation capabilities does not have to
belong to the management scope of the federated service (e.g. an account belonging to the
federated WAAD domain ArcelorMittal.Com can also be used for the federation against
profilarbed.lu accounts, or any other management scope for that matter).
To make the maintenance of the federation easier, an option is foreseen to copy the federation
applied to one account to another account with a single click. In the sample above
[email protected] received the same federation capabilities as [email protected] by
clicking the ‘Same for’ push button. In the backend this means that [email protected] was
added to the 42 WAAD security groups [email protected] belonged to. After the action
is finalized, a message box is displayed showing the result (see further).
ASSIGN LICENSE (E1, E3, E1S4BONLY, E3S4BONLY, E1NOEXO AND E3NOEXO)
(OFFICE365)
The service allows E1, E3, E1S4BOnly, E3S4BOnly, E1NoEXO and E3NoEXO to be assigned to an account.
To be successful, the selected account may not have any other license already assigned. In case a
license is already assigned, the service ‘ASSIGN LICENSE(S) AND PLAN(S)(OFFICE365)’ should be
used.
Usage location is a mandatory attribute and needs to contain a valid country ISO code. The
services offered via a license may vary by country due to legal constraints. The current usage location
of the UPN is shown in the form as well. In the combo box ‘Usage Location’ another country can be
selected if the current one is not correct. If the selected usage location differs from the current usage
location, the account is updated with the selected usage location first, before the
selected license is assigned.
The service can process a CSV file. This means that for all accounts in the CSV file the selected
license and usage location are set to the values selected in the form.
The option ‘Remove all’ removes all licenses assigned to the selected account (multiple SKUs
can be assigned to the same account). A confirmation is asked once; when confirmed, all assigned SKUs
are removed. This option can also process a CSV file, in which case all assigned licenses are
removed for all accounts in the CSV file.
The option ‘Remove all with a confirmation’ removes all licenses assigned to the selected
account, asking for a confirmation per assigned SKU.
The option ‘Remove all and assign license’ removes all licenses assigned to the selected account
and assigns only the selected license. This option can also process a CSV file. A confirmation is asked
before the CSV file processing is started. When a ‘Usage location’ is selected, the ‘Current Usage’
location is updated for all accounts present in the CSV file. Below is the typical confirmation
message box presented before processing is started.
When services are launched against a CSV file, the security check is done per account listed in the
CSV file. It may well happen that only part of the accounts are processed because the requester
lacks sufficient federation capabilities. All details can be found in the log file created. For each
account processed a row is logged documenting the outcome of the run (success or fail). In case of
failure the reason is also present in the log file.
The options ‘Switch E1-E3’ and ‘Switch E3-E1’ allow an easy switch between similar SKUs. Plan
information is retained during the switch. This means that if an account has the Exchange Online plan
active in the original SKU assignment, that plan will also be active in the target SKU. The plan SLA
may however. Both options also allow bulk processing. The original SKU must be
assigned to the account(s) the switch is targeted at. E.g. ‘Switch E1-E3’ in the sample above
means that the selected account must have an E1 assigned, and that license will be switched to an E3.
The statuses of the different plans are retained where applicable (Exchange Online, SharePoint Online,
Yammer, etc.).
ASSIGN LICENSE(S) AND PLAN(S)(OFFICE365)
In this form license(s) and associated plan(s) can be changed for an account. 2 list boxes are shown.
The middle list box shows the SKUs/plans available on the tenant. The icon shown beside each
SKU or plan shows the status of the individual SKU/plan at tenant level.
Available
Not available (e.g. consumed units ≥ subscribed units in contract)
Available but awaiting configuration, activation, etc.
The same icons are used for the SKUs/plans already assigned to the UPN; the icon then reflects
the status of the SKU/plan in association with the UPN.
Multiple changes can be made at once, and by clicking ‘Assign license(s)/plan(s)’ the changes are
applied to the UPN. Switching licenses needs to be executed in the correct order: e.g. one
cannot assign the E3 bundle while the E1 bundle is assigned. To switch, deselect the E1 bundle
and save the changes; once this is done the E3 bundle can be assigned.
Some combinations cannot be assigned (e.g. assigning the same plan via different SKUs, etc.).
When such an error occurs it is displayed in a message box and no update is done.
Before a change is saved, a confirmation is asked for each major license life-cycle phase, namely add,
remove and change plan(s).
ASSIGN MFA ENABLED APPLICATION (SECURITY)
The Office 365 platform allows setting multi-factor authentication (MFA) per account. MFA helps
secure user sign-ins for cloud services beyond just a single password (e.g. cloud accounts). With
MFA for Office 365, users are required to acknowledge a phone call, text message, or app
notification on their smart phones after correctly entering their passwords. They can sign in only
after this second authentication factor has been satisfied. The state of the MFA is shown in the
form once an account is selected.
Disabled
This is the default state for a new user not enrolled in multi-factor authentication.
Enabled
The user has been enrolled in multi-factor authentication, but has not completed
the registration process. They will be prompted to complete the process the next
time they sign in.
Enforced
The user may or may not have completed registration. If they have completed the
registration process then they are using multi-factor authentication. Otherwise,
the user will be prompted to complete the process at next sign-in.
Non-browser apps (such as … Outlook etc.) will not work until app passwords are
created and entered into the non-browser apps.
The Office 365 platform also allows multi-factor authentication per supported application.
Enabling MFA for an application for an account is done via the form below. When selecting an
account the current MFA enabled applications are checked for that account. MFA active is
visualized via a check mark in the list box. Checking/unchecking and then pressing the update option
will update the assignment of the MFA enabled applications for the selected account.
Currently 3 applications are MFA enabled: Exchange Online, SharePoint Online and Yammer.
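The three states above can be read back from the account object itself. The following function is an added example, not code from the AMFS Solution: it derives the state from the StrongAuthenticationRequirements collection that Get-MsolUser (MSOnline module) returns and uses StrongAuthenticationMethods to tell an Enforced account that has registered from one that has not; the objects at the end are constructed stand-ins for Get-MsolUser output so it runs without a tenant connection.

```powershell
# Added example, not part of the AMFS Solution.
function Get-AmfsMfaState {
    param(
        # Any object exposing StrongAuthenticationRequirements and
        # StrongAuthenticationMethods, e.g. Get-MsolUser -UserPrincipalName <upn>
        [Parameter(Mandatory = $true)] $MsolUser
    )
    $requirements = @($MsolUser.StrongAuthenticationRequirements)
    # The per-user requirement carries RelyingParty '*' and State 'Enabled' or 'Enforced';
    # no requirement object at all is the 'Disabled' default of a new account
    $perUser = $requirements | Where-Object { $_.RelyingParty -eq '*' } | Select-Object -First 1
    $state = if ($null -eq $perUser) { 'Disabled' } else { [string]$perUser.State }
    # Registration is complete once at least one authentication method is stored;
    # an Enforced account without one is still prompted to register at next sign-in
    $registered = (@($MsolUser.StrongAuthenticationMethods).Count -gt 0)
    [PSCustomObject]@{
        UserPrincipalName = $MsolUser.UserPrincipalName
        MfaState          = $state
        Registered        = $registered
    }
}

# Constructed sample objects standing in for Get-MsolUser results (placeholder UPNs)
$newUser = [PSCustomObject]@{
    UserPrincipalName                = 'new.user@contoso.example'
    StrongAuthenticationRequirements = @()
    StrongAuthenticationMethods      = @()
}
$enrolledUser = [PSCustomObject]@{
    UserPrincipalName                = 'enrolled.user@contoso.example'
    StrongAuthenticationRequirements = @([PSCustomObject]@{ RelyingParty = '*'; State = 'Enabled' })
    StrongAuthenticationMethods      = @()
}
$enforcedUser = [PSCustomObject]@{
    UserPrincipalName                = 'enforced.user@contoso.example'
    StrongAuthenticationRequirements = @([PSCustomObject]@{ RelyingParty = '*'; State = 'Enforced' })
    StrongAuthenticationMethods      = @([PSCustomObject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true })
}
$newUser, $enrolledUser, $enforcedUser | ForEach-Object { Get-AmfsMfaState -MsolUser $_ } | Format-Table -AutoSize

# To change the state in a live tenant (MSOnline module; not run here):
#   $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
#   $req.RelyingParty = '*'; $req.State = 'Enforced'
#   Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
#   Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()   # back to Disabled
```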
CREATE CLOUD ACCOUNT VIA AMEI OR E-MAIL ADDRESS (OFFICE365) AND VIEW
ACCOUNT IDM META DATA (AMFS)
The service allows creating a cloud account given an AMEI or mail address. The value given is
checked against IDM. If no valid identity is found an error message is shown. When pushing the
button ‘View IDM attribute values’ a txt file is generated containing all IDM attribute names and
values and displayed on the screen.
If a valid identity is found in IDM a cloud account is created where the UPN prefix is identical to
the mail address prefix and the UPN suffix is ‘ArcelorMittal.OnMicrosoft.Com’. All IDM attribute
meta data is also updated where available (country, department, etc.). A first random password is
generated for the cloud account that must be changed at first login. The mail addresses field is by
default populated with the mail address found for the identity in the IDM. Additional mail
addresses can be added. The button ‘Send welcome mail’ will send a mail with the account details
to the selected mail addresses.
The service can process a CSV file containing valid AMEIs. In this case the mail addresses field
should be populated upfront. For each cloud account created a separate mail is sent containing the
account details.
RESET CLOUD ACCOUNT PASSWORD (OFFICE365)
The service allows resetting the password of a cloud account. Password reset for federated accounts is
managed by the WAAD domain. The new password is automatically generated and must be
changed after first login. A mail with the new password is sent to the mail addresses specified. In
the below sample the service will not work as the target is typed as a service account.
DISABLE CLOUD ACCOUNT (OFFICE365), ENABLE CLOUD ACCOUNT (OFFICE365),
REMOVE CLOUD ACCOUNT AND PUT IN RECYCLE BIN (OFFICE365), REMOVE
ACCOUNT FROM RECYCLE BIN (OFFICE365)
Via manage accounts one can manage the life cycle phases for the cloud accounts. Depending on the
federation model chosen for the management scope this may be blocked. The main form is shown
below:
Each of the life cycle phases for a cloud account is covered. When you delete an account the
account is moved into a recycle bin for 30 days. This means it can be recovered if the
deletion was not intended. If the account needs to be removed permanently the push button
‘Delete cloud account from recycle bin’ can be used.
The two last actions can also be executed on federated accounts. Namely ‘Delete account’ moves
the account to a recycle bin. ‘Delete account from recycle bin’ removes the account permanently.
Depending on the option chosen on the main screen a form will be displayed where one needs to select
the UPN to execute the action on. The forms are very similar so only one scenario is described
below. The scenario shown is the one for ‘Disable cloud account’.
Once an account is selected and the action push button is clicked a confirmation will be asked. In the
above sample an account is selected but the account type is a service account. Hence any action
will be blocked.
The below message box will be shown. This was also visible because of the red background in the
UPN entry field.
All the actions can only be applied to cloud accounts. If a federated account is selected the
following error message box will pop up when trying to execute.
The last option ‘Get account info (AD, Mail and WAAD)’ allows dumping all object attributes and
their values associated with an Office 365 account. For each object a separate CSV file is generated.
The number of CSV files generated depends on the use case of the account as explained earlier
(max. 3). After selecting an account and selecting the option ‘Get account info…’ the UPN is
processed. First the associated WAAD object is dumped.
From the WAAD object the Immutable ID is extracted as well as the AD domain/forest associated
with the federated domain (UPN suffix). Once extracted a search is made based on Object GUID
(AD) and Immutable ID (WAAD). If a match is found the AD object is dumped.
Depending on the use case the Mail User object is also dumped in a CSV file.
SET SELECTED CLIENT POLICY (S4B), SET SELECTED EXTERNAL ACCESS POLICY
(S4B), SET SELECTED HOSTED VOICE MAIL POLICY (S4B), SET SELECTED VOICE
POLICY (S4B), GET SELECTED CONFERENCING POLICY (S4B), GET SELECTED CLIENT
POLICY (S4B), GET SELECTED EXTERNAL ACCESS POLICY (S4B), GET SELECTED
HOSTED VOICE MAIL POLICY (S4B) AND GET SELECTED VOICE POLICY (S4B)
Within the Skype for Business policy architecture no custom policies can be made. Only
pre-created policies can be applied. In this context the solution offers:
4 client policies
o Client policies are the main method to control the behavior of the Skype for
Business client such as whether a user photo is displayed, how the address book is
accessed, and whether the presence state “Appear as Offline” is available to the
user.
224 conferencing policies
o The conferencing policy determines the features and capabilities that can be used
in a Skype for Business conference. It is important because it controls features
that span legal & compliance (such as the ability to record the media used in a web
conference), security (the ability for anonymous users to participate in a
conference), and important management settings that affect the amount of
bandwidth consumed during a conference.
5 external access policies
o External access policies have the fewest settings of any of the policies, but are
important. They are the main tool to control whether users can connect externally
(outside of the corporate network), and whether they can communicate with users
outside of the organization such as contacts in a partner organization running
Skype for Business (federated contacts), and contacts in public consumer instant
messaging systems.
1 hosted voicemail policy
4 voice policies
o The voice policy is used to configure the PSTN calling voice experience for users,
however it is only applicable if your tenant is using the PSTN calling feature set in
Skype for Business Online (which depends on the user license). Skype for Business
Online VoIP voice calls are not governed by this policy.
After selecting the policy type a form is displayed where one can select the policy to be applied. The
policies that can be applied may vary by UPN depending on the usage location of the UPN and the
services configured. In the below form the ‘Global’ policy is applied to the UPN
‘[email protected]’. This is the default policy applied when the service plan is enabled for the
UPN. In the list box below all applicable policies for the UPN ‘[email protected]’ are
shown. By selecting the policy and pressing apply the policy is applied to the UPN. The service is
also ready for bulk processing when a policy is to be applied for a group of accounts.
By pressing the ‘View’ button the policy is exported to a CSV file and opened. The same is achieved
when one double clicks on a policy in the list box. This allows the requester to see what the
individual policy settings are before they are applied.
Find below the most important conferencing policy settings, each with its value in the default Global policy.

AllowAnnotations (Global policy value: True)
Controls whether or not participants are allowed to make on-screen annotations on any content shared, and whether or not white boarding is allowed. Annotations are not archived along with other meeting content.

AllowAnonymousParticipantsInMeetings (Global policy value: True)
Controls whether anonymous users are allowed to participate in the meeting. If this setting is ‘False’, only AD authenticated users are allowed to attend the meeting.

AllowAnonymousUsersToDialOut (Global policy value: True)
Controls whether anonymous users (not authenticated with Active Directory) are allowed to join a conference using dial-out phoning. With dial-out phoning, the Skype for Business conferencing server telephones the user; when the user answers the phone, he or she will be joined to the conference.

AllowConferenceRecording (Global policy value: False)
Controls whether users are allowed to record the meeting (from the client). This setting applies to all users taking part in the conference.

AllowExternalUserControl (Global policy value: False)
Controls whether external users (either anonymous users or federated users) are allowed to take control of shared applications or desktops. This setting is enforced at the per-user level for both conferences and peer-to-peer communication sessions, so some users in a session might be allowed to give up control of a shared application or desktop to an external user while other users might not be allowed to give up control.

AllowExternalUsersToRecordMeeting (Global policy value: False)
Controls whether external users (either anonymous users or federated users) are allowed to record the meeting. This setting takes effect only if the AllowConferenceRecording property is set to True.

AllowExternalUsersToSaveContent (Global policy value: True)
Controls whether external users (that is, users not currently logged-on to your network) are allowed to save handouts, slides, and other meeting content.

AllowNonEnterpriseVoiceUsersToDialOut (Global policy value: False)
Controls whether users who have not been enabled for Enterprise Voice are allowed to join a conference using dial-out phoning. With dial-out phoning the conferencing server will dial the user via the telephone (PSTN); when the user answers the phone, he or she will be joined to the conference.

EnableAppDesktopSharing (Global policy value: Desktop)
Controls whether participants are allowed to share applications, including their desktop, in a meeting. The values are either 1) "Desktop" (users are allowed to share their entire desktop), 2) "SingleApplication" (users are allowed to share a single application), or 3) "None" (users are not allowed to share applications or their desktop).

EnableDialInConferencing (Global policy value: True)
Controls whether users are able to join the meeting by dialing in with a public switched telephone network (PSTN) telephone.

EnableFileTransfer (Global policy value: True)
Controls whether file transfers to all the meeting participants are allowed during the meeting.

EnableP2PRecording (Global policy value: False)
Controls whether users are able to record peer-to-peer conferencing sessions. It is enforced at the per-user level so one user in a P2P communication session might be allowed to record it while the other user is not.

MaxMeetingSize (Global policy value: 250)
Controls the maximum number of people who are allowed to attend a meeting. After the maximum number of participants has been reached, anyone else who tries to join the meeting will be turned away with the notice that the meeting is full.
A very good article explaining the architecture and the practical usage of policies can be found here
http://blog.insidelync.com/2016/04/key-skype-for-business-online-policy-settings/.
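Because the ‘View’ export is the requester's only look at a policy before it is applied, a small comparison against the Global values listed above helps spot the settings a policy relaxes. The following is an added example, not code from the AMFS Solution: it reads one exported policy row (the quoted CSV form Export-Csv writes, here a constructed sample rather than a real tenant policy) and flags every difference from the Global values, marking as ‘Review’ the settings that give anonymous or external users more reach.

```powershell
# Added example, not part of the AMFS Solution.
# Global policy values, copied from the settings table above
$AmfsGlobalConferencingDefaults = [ordered]@{
    AllowAnnotations                      = 'True'
    AllowAnonymousParticipantsInMeetings  = 'True'
    AllowAnonymousUsersToDialOut          = 'True'
    AllowConferenceRecording              = 'False'
    AllowExternalUserControl              = 'False'
    AllowExternalUsersToRecordMeeting     = 'False'
    AllowExternalUsersToSaveContent       = 'True'
    AllowNonEnterpriseVoiceUsersToDialOut = 'False'
    EnableAppDesktopSharing               = 'Desktop'
    EnableDialInConferencing              = 'True'
    EnableFileTransfer                    = 'True'
    EnableP2PRecording                    = 'False'
    MaxMeetingSize                        = '250'
}

# Settings where the value 'True' gives anonymous or external participants more reach
$AmfsExternalExposureSettings = @(
    'AllowAnonymousParticipantsInMeetings', 'AllowAnonymousUsersToDialOut',
    'AllowExternalUserControl', 'AllowExternalUsersToRecordMeeting',
    'AllowExternalUsersToSaveContent'
)

function Compare-AmfsConferencingPolicy {
    param(
        # One policy row as returned by Import-Csv / ConvertFrom-Csv on the export
        [Parameter(Mandatory = $true)] $Policy
    )
    foreach ($name in $AmfsGlobalConferencingDefaults.Keys) {
        $expected = $AmfsGlobalConferencingDefaults[$name]
        $actual   = $Policy.$name
        if ($null -eq $actual) { $actual = '<missing>' }   # column absent from the export
        $status = 'Same'
        if ($actual -ne $expected) {
            $status = 'Differs'
            # Only a widening (True on an exposure setting) needs a second look before applying
            if (($name -in $AmfsExternalExposureSettings) -and ($actual -eq 'True')) {
                $status = 'Review'
            }
        }
        [PSCustomObject]@{ Setting = $name; Global = $expected; Policy = $actual; Status = $status }
    }
}

# Constructed sample export (not a real tenant policy): header plus one row
$sampleCsv = @'
"Identity","AllowAnnotations","AllowAnonymousParticipantsInMeetings","AllowAnonymousUsersToDialOut","AllowConferenceRecording","AllowExternalUserControl","AllowExternalUsersToRecordMeeting","AllowExternalUsersToSaveContent","AllowNonEnterpriseVoiceUsersToDialOut","EnableAppDesktopSharing","EnableDialInConferencing","EnableFileTransfer","EnableP2PRecording","MaxMeetingSize"
"Tag:ConstructedSamplePolicy","True","True","True","True","True","False","True","False","None","True","False","False","100"
'@
$policy = $sampleCsv | ConvertFrom-Csv
# Expected: AllowExternalUserControl is 'Review'; AllowConferenceRecording,
# EnableAppDesktopSharing, EnableFileTransfer and MaxMeetingSize are 'Differs'
Compare-AmfsConferencingPolicy -Policy $policy |
    Where-Object { $_.Status -ne 'Same' } |
    Format-Table -AutoSize
```

For a file produced by the ‘View’ button, replace the sample with `Import-Csv <path>` and pass the first row.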
DISABLE/ENABLE VIDEO IN SKYPE FOR BUSINESS (S4B) AND SET SELECTED
CONFERENCING POLICY (S4B)
The service allows enabling/disabling video for S4B as well as applying a selected policy. When selecting
a UPN the currently applied policy is shown in the field ‘Current policy’. The list box below shows
the applicable policies for the selected UPN. In the list box shown there are a lot of policies
available influencing the S4B service settings for an account. By double clicking on a policy a CSV
file is generated showing all settings influenced by the policy.
The policy ‘BposSAllModalityNoVideo’ disables the video setting on the S4B service for the selected
account. By pressing the ‘Disable Video’ button the video is disabled.
The policy ‘BposSAllModality’ enables the video setting. By pressing the ‘Enable Video’ button the
video is enabled.
By pressing the button ‘Apply Policy’ the selected policy is applied to the account.
The service can process a CSV file for each push button. This means that for all accounts in the CSV
file the selected policy will be applied, or video will be disabled or enabled.
VERIFY USER SIP ADDRESS (S4B)
During the deployment, frequent errors were encountered related to SIP address information
stored in the service domains. This only occurs for the accounts with linked mailboxes. For that
reason the below service was developed. After selection of an account and selecting the option ‘Get
information in services domain’ the SIP address is visualized. If the object is a linked mailbox and a
data error is spotted in the service domain the option ‘Correct SIP information in services domain’
will become enabled. If those conditions are not met the option will stay disabled.
For any change a confirmation is asked before executing. The confirmation exactly describes what
will be changed (old value, new value, added value). In the below sample the option stays disabled as
the user object relates to a cloud mailbox and not a linked mailbox.
GLOBAL ACTIVITY REPORT (S4B) AND USER ACTIVITY REPORT (S4B)
This report generates a CSV containing the number and type of activities that a UPN
participated in over a period while connected to Skype for Business Online. The scope can be global or one
UPN only. By default all activities in Skype for Business Online for the last 3 months are considered. Another
period can be specified by selecting ‘Start date’ and ‘End date’ in the form.
Based on the selection the below data is exported to a CSV and Excel is automatically opened once
the CSV file is generated.
UserName
LastLogonTime
LastActivityTime
TotalP2PSessions
TotalP2PIMSessions
TotalP2PAudioSessions
TotalP2PVideoSessions
TotalP2PApplicationSharingSessions
TotalP2PAudioSessionMinutes
TotalP2PVideoSessionMinutes
TotalOrganizedConferences
TotalOrganizedIMConferences
TotalOrganizedAVConferences
TotalOrganizedApplicationSharingConferences
TotalOrganizedWebConferences
TotalOrganizedDialInConferences
TotalOrganizedAVConferenceMinutes
TotalParticipatedConferences
TotalParticipatedIMConferences
TotalParticipatedAVConferences
TotalParticipatedApplicationSharingConferences
TotalParticipatedWebConferences
TotalParticipatedDialInConferences
TotalParticipatedAVConferenceMinutes
TotalPlacedPSTNCalls
TotalReceivedPSTNCalls
TotalPlacedPSTNCallMinutes
TotalReceivedPSTNCallMinutes
TotalMessages
TotalTransferredFiles
GLOBAL PSTN USAGE REPORT (S4B) AND USER PSTN USAGE REPORT (S4B)
This option allows generating a CSV report on a global scope as well as on a UPN scope.
The report queries information about PSTN usage details in Skype for Business Online for the last 3
months. The period can be set by selecting the ‘Start date’ and ‘End date’. It returns the below data
for the selection.
SipUri
DateTimeOfCall
TelephoneNumber
CallID
CallType
Location
CallDuration
Currency
CallCharge
ENABLE DIAL-IN CONFERENCING (S4B), UPDATE DIAL-IN CONFERENCING
SETTINGS (S4B) AND RESET LEADER PIN DIAL-IN CONFERENCING (S4B)
The dial-in conferencing settings are administered via the form below. Before the below can be
used for an account the proper license should be assigned, namely the license ‘Skype for Business
PSTN Conferencing’. When the license is assigned for the first time the dial-in conferencing details are
set for the account using the default settings of the tenant (e.g. ‘Default conference phone
number’). In most cases this will need to be changed. This can be changed as required by selecting a
new value from the combo box (values region-country-state-city, below North-America, USA, Illinois,
Chicago).
Select other values as required and press ‘Update dial-in conferencing’. This will update the settings for
the selected UPN. A mail is also sent to the mailbox associated with the UPN including the
updated information.
Reset PIN will automatically generate a new leader PIN for the UPN. A mail will be sent to the
UPN mail address with the updated information. A sample extract from the mail message is shown below.
Reset conference ID will automatically generate a new conference ID for the UPN. A mail will be
sent to the UPN mail address with the updated information. A sample extract from the mail message is shown
below.
The tenant default toll number is set when enabling PSTN conferencing for the first time. This can
be changed as required by selecting a new value from the combo box (region-country-city).
Below is a sample mail sent as a result of the ‘Reset PIN’ action.
LICENSE REPORT (OFFICE365) AND LICENSE AND SERVICE STATUS REPORT
(OFFICE365) AND LICENSE, SERVICE STATUS AND S4B REPORT (OFFICE365)
3 reports can be generated with multiple filters possible. The form below shows the capabilities to
establish filters.
1. If a UPN is selected only the accounts belonging to the management scope will be
reported on.
2. In the ‘WAAD Filter’ combo box a WAAD domain can be selected. This will limit the
accounts only to those belonging to that WAAD domain.
3. In the ‘SKU Filter’ one can select one SKU to report on.
If nothing is selected a global report is generated containing the data. One can select one filter or
combine multiple in one run (the query applies the filter with an ‘and’ operation).
The data generated by the License Report:
userPrincipalName
Blocked
AMEI
AD-AMEI
UsageLocation
Country
Domain
Business Unit Code
Company Code
AccountSku
The License/Plan Status report contains all data included in the License Report but also includes
the service status of each plan within the license (SKU).
The License/Plan Status/S4B report contains all data of the License/Plan Status report and also the S4B
profile settings, including:
SIPAddress
SIPProxyAddress
ConferencingPolicy
ExternalAccessPolicy
ASSIGN ROLE WITH ELEVATED RIGHTS (OFFICE365) AND REMOVE ROLE WITH
ELEVATED RIGHTS (OFFICE365)
Within the Office 365 administration portals different standard roles are foreseen. Although the
AMFS Solution provides a more granular approach & management scope protection, some of those
roles are required to use other platform services. One of those services is the standard Office 365
Support Service included in the Office 365 subscription. The role ‘Service Support Administrator’ is
needed to access the portal to register/follow up on a ticket raised with Microsoft. The service is
also an integral part of the Global Service Support offering. For that reason the assignment of roles
with elevated rights is also federated. One role cannot be assigned, namely ‘Company
Administrator’, as this needs authorization and approval from the Change Advisory Board (CAB). In
the assign role combo box one can select the role to be assigned to the selected UPN. Once a role is
selected the accounts already having that role assigned are shown in the list box below the push
button (‘Assign role to Office 365 Account’).
Beyond assignment of a role to an account removal of a role assignment is also covered in the same
form. Select role in the list box associated with the UPN and select ‘Remove selected role assigned
to Office 365 account’.
The export option generates a CSV file with all standard roles and the UPNs having a standard role
with elevated rights assigned.
Security
Using the tool only requires a valid Office 365 account (federated or cloud). No elevated rights need
to be assigned to a user to use the tool. The tool itself uses a service account to execute the actions
that require elevated rights.
Role and management scope security check is implemented via group membership in the WAAD
associated with the Office 365 tenant. Each federated service combination with a management
scope is an individual WAAD security group.
In the Office 365 administration portal one can search on all WAAD groups related to the AMFS
tool by searching on the ‘AMFS-’ prefix. See below:
The WAAD group names follow a naming convention to ease support. Depending on the
management scope the name differs. When the IDM management scope is applied the name of the
WAAD group is AMFS-%Federated Service%((-%IDM Business Unit%)-%IDM Company%). When
this is overruled (e.g. WAAD domain) the name is AMFS-%Federated Service%((-%AMFS Custom
1%)-%AMFS Custom 2%). When a federated domain is used as management scope the name of the
federated domain is appended to the WAAD group name: AMFS-%Federated Service%(-%WAAD
Domain Name%).
When no scope is identified in the name the group is automatically global.
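The following is an added example, not code from the AMFS Solution, of how the group names above translate into the management scope check. It assumes one reading of the notation: the global group is AMFS-<Service>, the BU (or custom level 1) group appends that code, and the company (or custom level 2) group appends both codes. Membership comes from a constructed table with placeholder UPNs; against a live tenant it would be read with Get-MsolGroupMember.

```powershell
# Added example, not part of the AMFS Solution. The group name layout is an
# assumed reading of the convention described in the text.
function Get-AmfsScopeGroupNames {
    param(
        [Parameter(Mandatory = $true)] [string] $FederatedService, # e.g. 'Set-MsolUserPassword'
        [string] $ScopeLevel1,   # IDM BU code, AMFS custom 1, or federated domain name
        [string] $ScopeLevel2    # IDM company code or AMFS custom 2; empty for a domain scope
    )
    # Most specific group first, so the narrowest matching scope is the one reported
    $names = @()
    if ($ScopeLevel1 -and $ScopeLevel2) { $names += "AMFS-$($FederatedService)-$($ScopeLevel1)-$($ScopeLevel2)" }
    if ($ScopeLevel1) { $names += "AMFS-$($FederatedService)-$($ScopeLevel1)" }
    $names += "AMFS-$($FederatedService)"   # no scope in the name means global
    return $names
}

function Test-AmfsAuthorization {
    param(
        [Parameter(Mandatory = $true)] [string] $RequesterUpn,
        [Parameter(Mandatory = $true)] [string] $FederatedService,
        [Parameter(Mandatory = $true)] $TargetAccount,            # exposes AMBUCODE and AMCOMPANYCODE
        [Parameter(Mandatory = $true)] [hashtable] $GroupMembers  # group name -> array of member UPNs
    )
    $candidates = Get-AmfsScopeGroupNames -FederatedService $FederatedService -ScopeLevel1 $TargetAccount.AMBUCODE -ScopeLevel2 $TargetAccount.AMCOMPANYCODE
    foreach ($group in $candidates) {
        if ($GroupMembers.ContainsKey($group) -and ($RequesterUpn -in $GroupMembers[$group])) {
            return [PSCustomObject]@{ Allowed = $true; Group = $group }
        }
    }
    # No group matched: the target lies outside the requester's management scope
    return [PSCustomObject]@{ Allowed = $false; Group = $null }
}

# Constructed membership table (BU and company codes from the table at the end
# of the document; the UPNs are placeholders)
$groupMembers = @{
    'AMFS-Set-MsolUserPassword-55-A213' = @('helpdesk.galati@contoso.example')
    'AMFS-Set-MsolUserPassword-51'      = @('helpdesk.cis@contoso.example')
    'AMFS-Set-MsolUserPassword'         = @('global.operator@contoso.example')
}
$galatiUser   = [PSCustomObject]@{ UserPrincipalName = 'user1@contoso.example'; AMBUCODE = '55'; AMCOMPANYCODE = 'A213' }
$temirtauUser = [PSCustomObject]@{ UserPrincipalName = 'user2@contoso.example'; AMBUCODE = '51'; AMCOMPANYCODE = 'A303' }

# The Galati help desk may reset a Galati account (Allowed = True via the company group)
Test-AmfsAuthorization -RequesterUpn 'helpdesk.galati@contoso.example' -FederatedService 'Set-MsolUserPassword' -TargetAccount $galatiUser -GroupMembers $groupMembers
# but not an account in the Africa and CIS business unit (Allowed = False)
Test-AmfsAuthorization -RequesterUpn 'helpdesk.galati@contoso.example' -FederatedService 'Set-MsolUserPassword' -TargetAccount $temirtauUser -GroupMembers $groupMembers
```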
Below is a list of the services currently federated, each with a short description.
1. AMFS-Overrule-ManagementScope: Manipulate Management Scope (AMFS)
2. AMFS-Synchronize-ManagementScope: Synchronize Management Scope (IDM)(AMFS)
3. AMFS-Synchronize-Retired: Synchronize retired cloud accounts (IDM)(AMFS)
4. AMFS-Synchronize-Expired: Synchronize expired cloud accounts (IDM)(AMFS)
5. AMFS-Export-ManagementScope: Export Management Scope (CSV)(AMFS)
6. AMFS-Set-UserPhoto: Set account photo (EXO)
7. AMFS-Get-UserPhoto: Get account photo (download)(EXO)
8. AMFS-View-UserPhoto: View account photo (EXO)
9. AMFS-View-UserIDMData: View account IDM data (AMFS)
10. AMFS-Import-ManagementScope: Import Management Scope (AMFS)
11. AMFS-Export-CSVBulkProcessing: Export accounts to CSV for bulk processing (AMFS)
12. AMFS-Assign-Service: Assign federated service (AMFS)
13. AMFS-Remove-AssignedFederatedService: Remove assigned federated service (AMFS)
14. AMFS-Remove-AllAssignedFederatedServices: Remove all assigned federated service(s)(AMFS)
15. AMFS-Federate-Service: Federate selected service (AMFS)
16. AMFS-Set-MsolUserLicense: Assign license (E1, E3, E1S4BOnly or E3S4BOnly)(Office365)
17. AMFS-Set-MsolUserLicensePlan: Assign license(s) and plan(s)(Office365)
18. AMFS-New-MsolUser: Create cloud account via AMEI or e-mail address (Office365)
19. AMFS-Set-MsolUserPassword: Reset cloud account password (Office365)
20. AMFS-Set-MsolUser-Disabled: Disable cloud account (Office365)
21. AMFS-Set-MsolUser-Enabled: Enable cloud account (Office365)
22. AMFS-Remove-MsolUser: Remove cloud account and put in Recycle Bin (Office365)
23. AMFS-Remove-MsolUser-FromRecycleBin: Remove account from Recycle Bin (Office365)
24. AMFS-Grant-CsConferencingPolicy: Set selected conferencing policy (S4B)
25. AMFS-Grant-CsClientPolicy: Set selected client policy (S4B)
26. AMFS-Grant-CsExternalAccessPolicy: Set selected external access policy (S4B)
27. AMFS-Grant-CsHostedVoiceMailPolicy: Set selected hosted voice mail policy (S4B)
28. AMFS-Grant-CsVoicePolicy: Set selected voice policy (S4B)
29. AMFS-Get-CsConferencingPolicy: Get selected conferencing policy (S4B)
30. AMFS-Get-CsClientPolicy: Get selected client policy (S4B)
31. AMFS-Get-CsExternalAccessPolicy: Get selected external access policy (S4B)
32. AMFS-Get-CsHostedVoiceMailPolicy: Get selected hosted voice mail policy (S4B)
33. AMFS-Get-CsVoicePolicy: Get selected voice policy (S4B)
34. AMFS-Grant-CsConferencingPolicy-DisableVideo: Disable video in Skype for Business (S4B)
35. AMFS-Grant-CsConferencingPolicy-EnableVideo: Enable video in Skype for Business (S4B)
36. AMFS-Get-CsUserActivitiesReport-Global: Global activity report (S4B)
37. AMFS-Get-CsUserActivitiesReport-User: User activity report (S4B)
38. AMFS-Get-CsPSTNUsageDetailReport-Global: Global PSTN usage report (S4B)
39. AMFS-Get-CsPSTNUsageDetailReport-User: User PSTN usage report (S4B)
40. AMFS-Enable-CsOnlineDialInConferencingUser: Enable dial-in conferencing (S4B)
41. AMFS-Set-CsOnlineDialInConferencingUser: Update dial-in conferencing settings (S4B)
42. AMFS-Set-CsOnlineDialInConferencingUser-LeaderPIN: Reset leader PIN dial-in conferencing (S4B)
43. AMFS-Set-CsOnlineDialInConferencingUser-ConferenceID: Reset conference ID conferencing (S4B)
44. AMFS-Get-LicenseReport: License report (Office365)
45. AMFS-Get-LicenseAndServiceStatusReport: License and service status report (Office365)
46. AMFS-Get-LicenseAndServiceStatusAndS4BReport: License, service status and S4B report (Office365)
47. AMFS-Add-MsolRoleMember: Assign role with elevated rights (Office365)
48. AMFS-Remove-MsolRoleMember: Remove role with elevated rights (Office365)
49. AMFS-RemoveAll-MsolUserLicense: Remove assigned license(s) (Office365)
50. AMFS-Remove-FederatedService: Remove federated service (AMFS)
51. AMFS-Report-Federation: Federation Report (AMFS)
52. AMFS-Assign-MFA: Assign MFA enabled application for user (Security)
53. AMFS-Set-MFA-Enabled: Enable MFA for account (Security)
54. AMFS-Set-MFA-Enforced: Enforce MFA for account (Security)
55. AMFS-Set-MFA-Disabled: Enforce MFA for account (Security)
56. AMFS-Get-MsolUser-SIP: Get SIP for account (S4B)
57. AMFS-Set-MsolUser-SIP: Set SIP for account (S4B)
58. AMFS-Switch-E3ToE1: Switch E3 to E1 maintaining plan status where possible (Office365)
59. AMFS-Switch-E1ToE3: Switch E1 to E3 maintaining plan status where possible (Office365)
Audit
Access to the audit log is delivered via the Windows Azure Administration portal. When filtering
the audit log on ‘[email protected]’ all activities executed with
elevated rights are shown in the audit log.
Each individual event can be drilled down further for the details. See below sample of one event.
The administration portal allows exporting the report to a CSV file for further processing or when
needed as evidence during security/SOX ITGC audits.
Limitations
The maximum number of connections allowed at the same time with the same account is 3 for the
Office 365 tenant. As the AMFS solution uses the end user's own Office 365 account there is no issue from
an end user connection perspective. However the services that require elevated rights all use
the same service account (one for the tenant). If that limit is reached the solution can be adapted
to use more service accounts (e.g. a service account per region/country).
Registered attributes
To enable the features of the AMFS solution the WAAD schema was extended with several
attributes. Below is the list of attributes and their purpose. Using the Graph API one can query the
WAAD for those attributes as well as for the default available WAAD attributes.
EXTENSION_A040D6D9FD6A4EA595B7F74F74DF758C_EMPLOYEENUMBER
Holds the AMEI value pushed via AAD Connect from the federated AD domain associated with the
WAAD domain. The attribute is only available for federated accounts.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMEI
Holds the AMEI value used by the AMFS Solution. For federated accounts this is a copy of the above
attribute. For cloud accounts a synchronization engine tries to match the UPN account with an
AMEI via different searches. The dominant search is based on a mail address attribute match.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMCOMPANYCODE
Holds the company code. Used by the AMFS solution as lowest level for management scope
(beyond self-service of course). See table at end of document that shows the company codes for
those that have more than 1.000 identities.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMSEGMENTCODE
Holds the segment code. Currently not used by the AMFS solution.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMBUCODE
Holds the business unit (BU) code. Used by the AMFS solution as highest level for management
scope (beyond global of course). See table at end of document that shows the BU codes of the
companies having more than 1.000 identities.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMDEPARTMENTCODE
Holds the department code. Currently not used by the AMFS solution.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMBDCODE
Holds the business division code. Currently not used by the AMFS solution.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMFSACCOUNTTYPE
Holds the account type. Used by the AMFS solution to separate and protect service accounts from
normal accounts.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMFSSEGMENTCODE
Holds the Custom level 1 value. Used by the AMFS solution as highest level for management scope
(beyond global of course). This when IDM management scope is not used.
EXTENSION_C77E68A23A6A4F91AF48A93B63F95E0F_AMFSBUCODE
Holds the Custom level 2 value. Used by the AMFS solution as lowest level for management scope
(beyond global of course). This when IDM management scope is not used.
Support
For each run of the AMFS Solution an application log file is created in %TEMP% with the naming
convention %GUID%-AMFSLogFile_YYYYMMDD.txt.
Below is an extract of a log file. Each line contains the DTS, the type of message (Info/Error) and the
message itself. Each function/event entry/exit is logged together with all traceable runtime errors.
Some runtime errors will stop the program and/or the action selected, others will be ignored.
085250,Info,Enter Main function in module Startup
085250,Info,Enter Get-ScriptDirectory function in module Globals
085250,Info,Leave Get-ScriptDirectory function in module Globals
085250,Info,Preapre Splash Screen
085250,Info,Run Splash Screen with timer event
085251,Info,Enter SplashTicker function in module Startup
085251,Info,Leave SplashTicker function in module Startup
085251,Info,Enter SplashTicker function in module Startup
085251,Info,Leave SplashTicker function in module Startup
085252,Info,Enter SplashTicker function in module Startup
085252,Info,Leave SplashTicker function in module Startup
085252,Info,Enter SplashTicker function in module Startup
085252,Info,Leave SplashTicker function in module Startup
085252,Info,Stop Splash Screen with timer event
085252,Info,Stop timer on Splash Screen
085252,Info,Remove timer event from Splash Screen
085252,Info,Configure cloud proxy for this session
085252,Info,Cloud proxy configured for this session
085252,Info,Enter Get-ScriptDirectory function in module Globals
085252,Info,Leave Get-ScriptDirectory function in module Globals
085252,Info,Enter GetRequesterUPN function in module Globals
The content of the log file can help in the resolution of the incident and should be looked at (L0/L1)
by local help desk before escalating. The log file should be attached to the incident when further
escalation is done (L2/L3) so the use case that induced error is properly documented for the
resolver group assigned to the incident.
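A first pass over the log file before escalation can be automated. The following is an added example, not code from the AMFS Solution: it parses the "HHMMSS,Type,Message" lines shown in the extract above and lists every Error entry together with the function that was active when it was written, reconstructed from the Enter/Leave messages. The log it runs on is constructed; the Error line is not from a real run.

```powershell
# Added example, not part of the AMFS Solution.
function Get-AmfsLogErrors {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    # Functions entered but not yet left, innermost on top
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # At most three fields: the message itself may contain commas
        $fields = $line -split ',', 3
        if ($fields.Count -lt 3) { continue }   # not a DTS,Type,Message entry
        $dts, $type, $message = $fields
        if ($message -match '^Enter (\S+) function in module (\S+)') {
            $stack.Push("$($Matches[2])\$($Matches[1])")
        }
        elseif ($message -match '^Leave (\S+) function in module (\S+)') {
            if ($stack.Count -gt 0) { [void]$stack.Pop() }
        }
        elseif ($type -eq 'Error') {
            # DTS is HHMMSS; render it as HH:MM:SS when it has the expected length
            $time = if ($dts.Length -eq 6) {
                '{0}:{1}:{2}' -f $dts.Substring(0, 2), $dts.Substring(2, 2), $dts.Substring(4, 2)
            } else { $dts }
            $function = if ($stack.Count -gt 0) { $stack.Peek() } else { '<top level>' }
            [PSCustomObject]@{ Time = $time; Function = $function; Message = $message }
        }
    }
}

# Constructed sample log in the same layout as the extract above
$sampleLog = @'
085252,Info,Enter GetRequesterUPN function in module Globals
085252,Info,Enter Get-ScriptDirectory function in module Globals
085252,Info,Leave Get-ScriptDirectory function in module Globals
085253,Error,Constructed sample: requester lookup failed, see previous message
085253,Info,Leave GetRequesterUPN function in module Globals
'@ -split "`r?`n"

# Expected: one row, Time 08:52:53, Function Globals\GetRequesterUPN, with the full
# message including the comma
Get-AmfsLogErrors -Lines $sampleLog | Format-Table -AutoSize

# On a real run (the GUID and date are placeholders for the file name convention):
#   Get-AmfsLogErrors -Lines (Get-Content (Join-Path $env:TEMP '<GUID>-AMFSLogFile_YYYYMMDD.txt'))
```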
The AMFS Solution is currently in POC Phase. Any issue can be escalated to the AMFS Solution
owner ([email protected]). During POC/Pilot phase all issues will be tracked in the
issue tracker available at AMFS Solution Issue Tracker.
ArcelorMittal Business Units & Companies
Below is the list of Business Unit codes and Company codes having a count of more than 1.000
identities. In all the forms the metadata is displayed for the UPN selected or shown. If you wonder
which business unit and company code your identity belongs to, start the AMFS tool: all
information is displayed in the ‘Requester Info’ box. The same is done for target accounts (UPN group
box).
Double-clicking any field holding an AMEI number displays all IDM metadata. When
faults are discovered this is the first place to look. The matching row is highlighted in
yellow for the requester selected in the form.
BU | COMPANY | BU DESCRIPTION | COMPANY DESCRIPTION
51 | A303 | AFRICA AND CIS | JSC ArcelorMittal Temirtau
51 | A305 | AFRICA AND CIS | PJSC ArcelorMittal Kryviy Rih
89 | TA406F | USA FLAT | ArcelorMittal USA Flat (TB)
(none) | A305 | (none) | PJSC ArcelorMittal Kryviy Rih
55 | TA206F | AM EUROPE FLAT PRODUCTS | ArcelorMittal Poland Flat (TB)
51 | A304 | AFRICA AND CIS | ArcelorMittal South Africa Ltd
55 | 3 | AM EUROPE FLAT PRODUCTS | ArcelorMittal España
58 | TAMB1F | AM SOUTH AMERICA FLAT | ArcelorMittal Brazil - Division Flat (TB)
55 | A213 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Galati SA
55 | T732 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Belgium - Gent (TB)
53 | TC6A3F | AM DOFASCO | ArcelorMittal Dofasco Flat (TB)
(none) | (none) | AM EUROPE FLAT PRODUCTS | (none)
55 | 3B5 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Atlantique et Lorraine
55 | TA205F | AM EUROPE FLAT PRODUCTS | ArcelorMittal Ostrava Flat (TB)
59 | TAMB1L | AM SOUTH AMERICA LONG | ArcelorMittal Brasil - Division Long (TB)
55 | V436 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Méditerranée
55 | T3B5 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Lorraine (TB)
55 | V812 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Eisenhüttenstadt GmbH
57 | TC781S | AM MEXICO | ArcelorMittal Las Truchas - Steel (TB)
55 | 746 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Bremen GmbH
59 | C113 | AM SOUTH AMERICA LONG | ACINDAR
(none) | TA206F | (none) | ArcelorMittal Poland Flat (TB)
59 | 131 | AM SOUTH AMERICA LONG | B-M Bekaert ARAMES SA
56 | A212 | AM EUROPE LONG PRODUCTS | ArcelorMittal Zenica, D.o.o.
51 | A630 | AFRICA AND CIS | LLP Kurilismet
56 | 905 | AM EUROPE LONG PRODUCTS | ArcelorMittal Belval and Differdange
62 | A103 | NORTH AMERICA CORPORATE OFFICE | ArcelorMittal Montreal Inc.
74 | 13A1 | MINING | ArcelorMittal Mining Canada G.P.
51 | 10H7 | AFRICA AND CIS | Termirtau Associates and Ancillaries LLP
(none) | 3 | (none) | ArcelorMittal España
81 | 8H3 | AMTP NAFTA | Industrias Unicon CA
93 | 14A2 | AM/NS CALVERT | AM/NS Calvert LLC
55 | T816 | AM EUROPE FLAT PRODUCTS | ArcelorMittal Belgium - Liège (TB)
57 | TA102S | AM MEXICO | ArcelorMittal Mexico - Steel (TB)
72 | V135 | INDUSTEEL | Industeel France (Consolidated)
54 | V260 | AM EUROPE AMDS | ArcelorMittal Construction France
56 | A841 | AM EUROPE LONG PRODUCTS | ArcelorMittal Duisburg (Consolidated)
74 | A910 | MINING | Peña Colorada Servicios, S.A. de C.V.
59 | 11B3 | AM SOUTH AMERICA LONG | ArcelorMittal Bioflorestas
74 | A306 | MINING | ArcelorMittal Liberia Ltd
72 | v735 | INDUSTEEL | Industeel Belgium (Consolidated)
55 | A722 | AM EUROPE FLAT PRODUCTS | Przedsiebiorstwo Uslug Kolejowych KOLPREM Sp. z.o.o.
54 | 758 | AM EUROPE AMDS | ArcelorMittal Distribution Solutions Poland Sp. z.o.o.
79 | A825 | AMTP EUROPE | ArcelorMittal Tubular Products Ostrava a.s.
WAAD Domains
Below is the list of verified domains associated with the ArcelorMittal Office 365 tenant. The domains
hosting accounts can be used as a management scope in the AMFS Solution.