Monthly archives "September 2015"

You CAD! Cloud App Discovery–Part 2

Joe Kuster

As I blogged previously, Microsoft’s Cloud App Discovery tool is an interesting way of collecting great telemetry data from your environment with a minimal investment of time and no on-prem infrastructure. As I mentioned in my prior article, Cloud App Discovery–Cool tool, but is it ready for Primetime?, CAD was incredibly problematic, causing network connection issues and even BSODs. Last week, Microsoft released a new version of CAD claiming significant stability enhancements as well as better privacy notifications. To put it to the test, I installed it on my production desktop, where it had previously had issues with both OneDrive for Business and CrashPlan.

After installing the app and rebooting, I updated a single file in OneDrive for Business and kept an eye on CrashPlan over the next two days. After 48 hours, OneDrive for Business still had not synchronized the text file I updated.


CrashPlan fared no better, being unable to connect to cloud storage since the install.


After uninstalling the app, the situation immediately resolved itself, no reboot required:


Testing on two other systems showed no change in stability from the prior release. On the plus side, I now have better terms-and-agreement controls for privacy concerns, but disabling line-of-business applications is a complete showstopper.

Summary: As I mentioned before, I really wanted to like CAD. It would solve a large number of issues my clients have, but for the time being, test carefully.

OneDrive for Business–Incompatible Office Products error

Joe Kuster

If you have received the following OneDrive for Business error and you are using Office Pro Plus (the downloadable Click to Run install), you probably haven’t found much useful information. So I’ve outlined the cause and potential resolution below:


“Sorry, we can’t perform this action. Incompatible Office products are installed on your machine. If you have an administrator, please contact them for help.”



This may happen at any point, even with no other Office products open, because the OneDrive for Business services hit this check when they try to start in the background. For me, it mysteriously started on 9/12/15 with no hint as to what triggered it. The dialog box itself offers a hint, but tells you nothing about how to solve it.

At first, I was under the impression OneDrive was having issues, as it was no longer running in the status bar on the bottom right. Rebooting did not resolve the issue. So, assuming my Office ProPlus install was corrupt, I downloaded the installer again to reinstall. Upon running the installer, however, I received the following error.


Despite the traditional (MSI) installs of Visio 2013 and Project 2013 having co-existed peacefully with Click-to-Run ProPlus until now, it seems a recent Office update forces you to pick one installation method for Office, MSI or Click-to-Run, rather than mixing both.

Sadly, at this time there is no workaround to keep both a traditionally installed Visio or Project and Click-to-Run Office ProPlus. You must uninstall Visio or Project to solve the issue. You can, however, add Visio or Project to your Office subscription instead.

Other users have reported the same behavior with the stand-alone OneDrive installer. This only applies to Windows 7 or older, as OneDrive is built into Windows 8 and Windows 10; if you have this error and the above does not apply to you, go to Control Panel, Programs and Features, and remove all versions of OneDrive.

Integrate Azure RMS Protection for SharePoint On Prem (Step by Step video)

Joe Kuster

Azure Rights Management (RMS) can protect your on-premises servers using the free RMS Connector. The RMS Connector is a tiny application that acts as an RMS proxy, so you don’t have to deal with the complexity and limitations of a real on-prem RMS server. SharePoint, Exchange and/or a File Classification Infrastructure (FCI) enabled Windows File Server connect to the connector exactly as they would to a local RMS server.

The benefit is twofold. First, it extends the same templates and RMS authority beyond your on-prem environment, allowing better mobile or BYOD consumption of protected data while still respecting its protection. Second, native RMS servers are hard to set up, hard to manage and really limited.

By using Azure RMS to do the heavy lifting, Microsoft handles high availability, crossing domains, federation, encryption key management, certificates, auditing, revocation of permissions, reporting and the other complexities for you. All you have to do is tell one of the supported servers/applications, “Hey, I’ve got an RMS authority in Azure; you can reach it via this RMS Connector server,” and everything starts working.

As a word of caution, this example is not highly available. For production, you should run two RMS Connector servers behind a load balancer.

Prerequisites:

  • Azure RMS must be configured
  • SharePoint must be 2010 or later
  • The RMS Connector cannot be installed on any server that it protects

Step by Step below:

Why bother doing this? Well, for starters, thanks to Azure Application Proxy my on-prem SharePoint servers are now easily available outside my firewall. Integrating RMS ensures my data is protected, audited and easily secured even on BYOD devices. This lets me be more productive without giving up control of my data, even when it’s shared outside my environment.

Questions or comments? Hit me up at @Joe_Kuster on twitter.

SSO Fix for using AWS with Azure AD Premium

Joe Kuster

If you are trying to use the Microsoft-provided step-by-step for AWS SSO, there are several major issues or omissions in the document. The original can be found here: 


First, as an omission (or a change since the document was written): when creating the Role, AWS will also ask you to attach a policy. Pick the policy that matches the permissions you wish to give users who connect this way.

Second, when you complete the step by step, you will most likely encounter one of the following errors:

  • Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,32} (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)


  • Error: RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)


While the first issue is fairly minor and you could probably figure out what to do, the second is a bigger problem. It occurs because the instructions tell you to copy and paste unique IDs that won’t be valid for your environment. The Role attribute value depends on your role name and SAML provider name as well as your account’s unique ID. You’ll have to look these up in your AWS portal under: IAM > Roles > [Whatever you named your Role]


In this case, I called my Role “AWS_Administrator”



As a unique ID, pretty much everything in AWS’s IAM pages has an ARN. You need to point to the unique ARNs of your environment. Look up your Role ARN as shown.



Next, look at the bottom of that page to find your Provider ARN.



Merge those two ARNs, separated by a comma, in the following format ([Unique ID] is your 12-digit AWS account ID and is the same in both ARNs):

arn:aws:iam::[Unique ID]:role/[RoleName],arn:aws:iam::[Unique ID]:saml-provider/[ProviderName]


That merged string should be used as the Role attribute value.



Lastly, as another error, the author recommends configuring the RoleSessionName attribute with “User:Email”, which is invalid and would be passed as a literal constant (and, since a colon is not in the character set the first error quotes, it would trip that check as well). Instead, use User.Email or UserPrincipalName.
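The two AWS errors above and the Role attribute format can all be checked offline before you go round the redirect loop again. The following is an added example, not code from the original post or from Microsoft's or AWS's tooling: it builds the Role value in the format given above, validates both attributes against the rules quoted in the two error messages, and parses a constructed SAML assertion to show why the literal "User:Email" fails. The attribute names are AWS's documented SAML attribute names (the page elides them); the account ID 123456789012, the role AWS_Administrator and the provider name AzureAD are assumed sample values.

```python
import re
import xml.etree.ElementTree as ET

# AWS's SAML attribute names, taken from AWS's SAML federation documentation
# (assumption: the page itself elides them).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# The constraint quoted verbatim in the first AWS error on the page.
SESSION_NAME_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]{2,32}$")
# AWS account IDs are 12 digits; this is the [Unique ID] in the page's format.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_role_attribute(account_id, role_name, provider_name):
    """Build 'role-arn,provider-arn' in the format the page gives."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits, got {account_id!r}")
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def check_role_attribute(value):
    """Return a list of problems with a Role attribute value; [] means it is fine."""
    # Split on the last comma: role names may contain commas, provider names may not.
    role_arn, sep, provider_arn = value.rpartition(",")
    if not sep:
        return ["Role must be 'role-arn,provider-arn' separated by a comma"]
    role_arn, provider_arn = role_arn.strip(), provider_arn.strip()
    role_m = ROLE_ARN_RE.match(role_arn)
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    problems = []
    if not role_m:
        problems.append(f"malformed role ARN: {role_arn!r}")
    if not prov_m:
        problems.append(f"malformed provider ARN: {provider_arn!r}")
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        problems.append("role and provider ARNs belong to different accounts")
    return problems


def check_role_session_name(value):
    """Mirror the two AWS errors quoted on the page for RoleSessionName."""
    if not value:
        return ["RoleSessionName is required in AuthnResponse"]
    if not SESSION_NAME_RE.match(value):
        return [f"RoleSessionName {value!r} must match [a-zA-Z_0-9+=,.@-]{{2,32}}"]
    return []


def check_assertion(xml_text):
    """Pull the two AWS attributes out of a SAML assertion and validate them."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
    problems = []
    roles = attrs.get(ROLE_ATTR)
    if not roles:
        problems.append("Role attribute is missing from AuthnResponse")
    else:
        for r in roles:
            problems.extend(check_role_attribute(r))
    session = attrs.get(SESSION_ATTR)
    problems.extend(check_role_session_name(session[0] if session else None))
    return problems


# Constructed sample assertion (hypothetical account ID and provider name) with
# RoleSessionName set to the literal "User:Email" the page warns about.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/AWS_Administrator,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>User:Email</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION):
        print("problem:", problem)
```

Run as-is, the sample reports exactly one problem: the literal User:Email contains a colon, which is outside the allowed character set. Swap in a real address and it passes, with one caveat worth knowing before rollout: the same regex caps RoleSessionName at 32 characters, so users with long email addresses need a shorter claim.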



If this isn’t enough to resolve your issue, AWS does have a SAML troubleshooting page, but it’s extremely general and may not be of much help if you are using the Azure AD Application Gallery:

Wrangling your Corporate Identity

Joe Kuster


Your Corporate Identity is no longer in control, as a matter of fact, it’s stampeding towards a cliff.

No, I am not referring to branding, viral marketing or even social media snafus. I’m talking about the accounts your users log in with, and by that measure IT no longer has direct control of the accounts users use to do their jobs, plain and simple. Blasphemy, you might cry: my users are all in Active Directory! Well, yes, but that is no longer their corporate identity. In this cloud-based, web-friendly world, a user now has parts of their corporate identity in dozens of places that aren’t under IT’s control. The HR department has unique logins to submit employee data to the government; the marketing team has logins for dozens of off-prem tools, from LinkedIn and Glassdoor to the company Facebook and Twitter accounts; purchasing has a unique shopping account everywhere they shop, from Amazon to TigerDirect. An employee might have dozens, if not hundreds, of accounts just to do their job. On top of that, we expect them to have unique, complex passwords for each service, but when they need help, IT doesn’t own the system and can’t even reset the password. How did this happen? Well, let’s back up a bit.

In those heady days of the early 1990s, users had one password to log into their PC, and everything they accessed was local on their system. Anything they needed to share was usually on a floppy disk. That was it. Later, the need to collaborate led to file servers and email, which were initially disconnected from the PC login. Thankfully, that was quickly absorbed into the domain login (NT domains, and later Active Directory), and things were good again. The same login used to access a computer was also used for email and file server access, often automatically. IT thought things were going pretty well.

Then the web came, and users started using external services for hiring employees, buying paper, sending documents to partners and filing tax forms. These were legitimate business needs, so of course they happened whether or not IT was involved. Sometimes users shared these accounts on Post-It notes with co-workers. Most reused simple passwords. Then the inevitable happened and security concerns popped up, so in response we asked them to stop reusing those accounts and passwords. More recently, the SaaS/Cloud movement took hold and even on-premises systems moved outside the firewall and into the cloud. It wasn’t long before users had a different password for Salesforce, Jira, Kronos, PeopleSoft, Oracle apps and Google Apps in addition to their AD account.

This quiet revolution snuck up on IT, which was just happy when Single Sign-On worked for resources like email, file servers, SharePoint and maybe a couple of third-party apps that live on-premises, like the ERP solution. We often weren’t involved as new services were spun up by “shadow IT”, and if we didn’t know about a service, how were we supposed to manage it?

So just how deep of a hole are you in? Ask yourself the following questions:

· If an employee lost a password to phishing, how would you even know? How long would it take to lock the account back down? Could you ever guarantee that every service where they reused that password was updated before your data leaked?

· How many cloud apps do your users access? Zero is not a valid answer here. Now multiply your guess by 10 for the actual number. (Hint: IT usually guesses 8; reality puts the average north of 80.)

· How many login prompts does an average user see daily in the course of business?

· Can your users download corporate data from the cloud to untrusted devices like phones or home systems?

· Who manages your corporate social media, and what would stop them from resetting the password and going rogue?

· How many hours and tickets does it take to onboard new users with every system they need access to?

· How many extra SaaS licenses (SalesForce, Box, GoToMeeting, etc.) are you wasting due to employee churn?

· How do you know the user logging in, really is the user you think they are?

· Would you even know if an employee started offloading all of their data outside of your company for malicious use?

· How long would it take you to block access to every service a soon-to-be-fired employee uses?

· Can you see who accessed what data and when, regardless of where they saved it? Can you revoke their permission to view it after they’ve downloaded it?

Tools like a good Single Sign-On only scratch the surface of the above. Without securing the device, the applications and the data, an identity management tool is an incomplete solution. If only there were an umbrella solution that covered all of the above. Thankfully there is: enter Microsoft Enterprise Mobility Suite (EMS).


The Enterprise Mobility Suite license includes Microsoft Intune, Azure AD Premium, Azure Rights Management, Microsoft Identity Manager, Microsoft Forefront Identity Manager and, as a fresh addition, Microsoft Advanced Threat Analytics.

EMS is an impressive platform of tools, often poised to fill the gaps in and around other products. It is also your new best hope at wrangling control of your corporate identity!