As Office 365 becomes increasingly powerful and its functionality moves closer to what you expect from an on-premises Skype for Business deployment, you need to be able to take advantage of the solutions you find online.
I have read the Lync Server Cookbook by Alessio Giombini, Antonio Vargas, Fabrizio Volpe, and Lasse Nordvik Wedo, which has a section on this, but it is a bit difficult to pull the text from the book into the PowerShell window. Kudos to the team for the fantastic book. In addition, a shout-out to Paul Lange, who has recently completed this and provided some update feedback.
After completing the following procedure, users homed on Exchange Online will be able to sign in to the on-premises Skype for Business server from Outlook Web App (OWA, now called Outlook on the web) and use IM and presence there.
In addition, the Exchange Online calendar will be able to schedule Skype for Business meetings hosted on the on-premises Skype for Business servers.
You need a few things. The first is an export of the OAuth certificate; the wizard steps are below, followed by PowerShell that does the same thing.
On a Front End server, open the Microsoft Management Console and add the Certificates snap-in for the Local Computer account.
Under Personal > Certificates, right-click the OAuth certificate, select All Tasks, then click Export. The OAuth certificate should be the only certificate on the server whose Issued To field contains just the domain name.
The private key does not need to leave the server: Office 365 only needs the public certificate to verify tokens signed on premises, so select No, do not export the private key, and press Next.
Select Base-64 encoded X.509 (.CER) and press Next.
Choose a convenient location for the .cer file and press Next.
Press Finish to export the certificate to that location.
PowerShell to export the certificate (same result as the wizard; note that Export-Certificate -Type CERT writes a DER-encoded .cer rather than Base-64, which the import steps later on accept equally):

$CertPath = "C:\_Install\oauth.cer"
# Thumbprint of the certificate Skype for Business uses to sign OAuth tokens
$Thumbprint = (Get-CsCertificate -Type OAuthTokenIssuer).Thumbprint
$OAuthCert = Get-ChildItem -Path Cert:\LocalMachine\My\$Thumbprint
# Public certificate only; no private key is written to disk
Export-Certificate -Cert $OAuthCert -FilePath $CertPath -Type CERT
From the on-premises Skype for Business Server Topology Builder, obtain the External Web Services FQDN of your Front End pool; you will need it when pairing the hybrid later.
Enable OAuth on Tenant
From the Skype for Business Server, launch the Skype for Business Server Management Shell and connect to the tenant:

Import-Module LyncOnlineConnector
$cred = Get-Credential
$sess = New-CsOnlineSession -Credential $cred
Import-PSSession $sess -AllowClobber
Verify the connection by querying the tenant and checking that the expected tenant information is returned.
The value you are looking for is the Tenant ID.
Copy it and paste it between the quotation marks in the following commands:
$tenantID = "a2345678-1238-43cd-a144-e45678c55dc6"
New-CsOAuthServer microsoft.sts -MetadataUrl https://accounts.accesscontrol.windows.net/$tenantID/metadata/json/1

The application identifier for Exchange Online is the same in every tenant, so paste the following as-is:

New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
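As an added example (not part of the original post), here is the on-premises side of the steps above as one re-runnable script for the Skype for Business Server Management Shell. It exports the public certificate, checks that the file carries no private key and matches the OAuth thumbprint, connects to the tenant, registers the OAuth server and partner application only if they are missing, and reads the result back. It assumes the export path C:\_Install\oauth.cer used above and that Get-CsTenant is the tenant query the post refers to; the 30-day expiry warning threshold is my own choice.

```powershell
# Added example, not from the original post. Run in the Skype for Business
# Server Management Shell on a Front End server.
# Assumptions: C:\_Install\oauth.cer is the export path used earlier, and
# Get-CsTenant is the tenant query the post leaves implicit.

$CertPath = "C:\_Install\oauth.cer"

# 1. Export only the PUBLIC half of the OAuthTokenIssuer certificate.
$Thumbprint = (Get-CsCertificate -Type OAuthTokenIssuer).Thumbprint
$OAuthCert  = Get-ChildItem -Path Cert:\LocalMachine\My\$Thumbprint
Export-Certificate -Cert $OAuthCert -FilePath $CertPath -Type CERT | Out-Null

# Sanity checks on the file we just wrote: it must parse as a certificate, carry
# no private key, match the thumbprint we asked for, and not be close to expiry
# (the tenant keeps trusting this key only until the certificate expires).
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($exported.HasPrivateKey) {
    throw "Export contains a private key - do not upload this file."
}
if ($exported.Thumbprint -ne $Thumbprint) {
    throw "Exported certificate does not match the OAuth thumbprint."
}
if ($exported.NotAfter -lt (Get-Date).AddDays(30)) {   # 30 days is an arbitrary threshold
    Write-Warning "OAuth certificate expires $($exported.NotAfter); plan a re-upload after renewal."
}

# 2. Connect to Skype for Business Online and read the tenant ID.
Import-Module LyncOnlineConnector
$cred = Get-Credential
$sess = New-CsOnlineSession -Credential $cred
Import-PSSession $sess -AllowClobber | Out-Null

$tenantID = [string](Get-CsTenant).TenantId        # assumption: the query the post refers to
if ($tenantID -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
    throw "Unexpected TenantId '$tenantID' - check you are connected to the right tenant."
}

# 3. Register the Microsoft STS as an OAuth server, once; re-point it if it
#    already exists so a stale tenant ID does not survive a re-run.
$metadata = "https://accounts.accesscontrol.windows.net/$tenantID/metadata/json/1"
if (-not (Get-CsOAuthServer -Identity microsoft.sts -ErrorAction SilentlyContinue)) {
    New-CsOAuthServer -Identity microsoft.sts -MetadataUrl $metadata
} else {
    Set-CsOAuthServer -Identity microsoft.sts -MetadataUrl $metadata
}

# 4. Register Exchange as a partner application (this ID is the same in every tenant).
$exchangeAppId = "00000002-0000-0ff1-ce00-000000000000"
if (-not (Get-CsPartnerApplication -Identity microsoft.exchange -ErrorAction SilentlyContinue)) {
    New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier $exchangeAppId `
        -ApplicationTrustLevel Full -UseOAuthServer
}

# 5. Read back what is now configured so it can be compared with the tenant.
Get-CsOAuthServer -Identity microsoft.sts | Format-List Identity, MetadataUrl
Get-CsPartnerApplication -Identity microsoft.exchange |
    Format-List Identity, ApplicationIdentifier, ApplicationTrustLevel
```

The GUID check on the tenant ID is there because the rest of the trust is keyed on it: a typo or a session against the wrong tenant would create an OAuth server entry that points at someone else's metadata and fails only at sign-in time.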
Installation of O365 AD Module
Next, you need to install two components.
The first is the Microsoft Online Services Sign-in Assistant setup wizard; this one is straightforward, or so it seems. Download it from: https://www.microsoft.com/en-gb/download/details.aspx?id=28177
The second is the Azure Active Directory Module setup wizard, which is not so straightforward.
http://go.microsoft.com/fwlink/p/?linkid=236297 starts the download of the Windows Azure Active Directory Module; you may need to follow the post-installation steps for the Sign-in Assistant (MOSS) below.
Kick off the installation of Microsoft Online Services Sign-in Assistant Setup
Accept the EULA and press Install.
Press Finish upon completion
To install the Azure Active Directory module I've made the following registry edit. There seems to be a bug with the RTW version that prevents the installation of the AADM. You can modify the installed versioning by completing a regedit.
Windows Registry Editor Version 5.00
Installation of the Azure Active Directory Module for Windows PowerShell
Launch the installer, and press Next
Accept the EULA and press Next
Ensure the installation location is correct and press Next
If the information is correct press Confirm
Once the install is complete press Finish
If this doesn’t install properly, you might need to install the beta version:
Configuring Office 365
Now that you've installed the Azure module, launch it and connect to the tenant.
Paste the following:

Import-Module MSOnlineExtended
Connect-MsolService

Next, import the exported OAuth certificate as a verification key on the Skype for Business Online service principal.
Paste the following, assuming you exported the certificate to the same location as above (C:\_Install\oauth.cer):

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\_Install\oauth.cer")
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)
# 00000004-0000-0ff1-ce00-000000000000 is the Skype for Business Online (Lync Online) app principal
New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue
Validate that the certificate has been registered properly:

Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ReturnKeyValues $true

Under Value you should see the key data of the certificate.
If you also have a hybrid Exchange deployment, repeat the same import against Exchange Online (app principal 00000002) rather than Skype for Business Online (00000004).
Important note: I have had a few really strange issues with this. The first time, I imported the certificate fine, but when I ran Get-MsolServicePrincipalCredential I would get a blank value back for the certificate, so I had to run Remove-MsolServicePrincipalCredential -AppPrincipalId *** -KeyIds **
To resolve this I closed the Azure Active Directory Module and launched it again.
Paste this to register the OAuth certificate with Exchange Online and make sure that service principal is enabled:

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\_Install\oauth.cer")
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)
# 00000002-0000-0ff1-ce00-000000000000 is the Exchange Online app principal
New-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue
Set-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true
Pairing the hybrid
With the certificate registered on the Skype for Business Online and Exchange Online service principals, configure the trust to the on-premises external web services.
Run the following, substituting the External Web Services FQDN you obtained from Topology Builder for extweb.domain.com:

$lyncSP = Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
# SPN format is <app principal ID>/<external web services FQDN>
$lyncSP.ServicePrincipalNames.Add("00000004-0000-0ff1-ce00-000000000000/extweb.domain.com")
Set-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $lyncSP.ServicePrincipalNames
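As an added example (not part of the original post), here is the Azure AD side of the procedure as one script for the Azure Active Directory Module for Windows PowerShell. It uploads the public OAuth certificate to both service principals, skipping a key that is already registered, reads each key back so the blank-value symptom described above fails loudly instead of silently, and adds the external web services SPN only if it is not already present. It assumes the export path C:\_Install\oauth.cer and the placeholder FQDN extweb.domain.com from above; the duplicate check assumes -ReturnKeyValues $true echoes the uploaded value back, and bounding the credential with -EndDate to the certificate's own lifetime is my addition, not something the post does.

```powershell
# Added example, not from the original post. Run in the Azure Active Directory
# Module for Windows PowerShell after Connect-MsolService.
# Assumptions: certificate exported to C:\_Install\oauth.cer; external web
# services FQDN is extweb.domain.com (substitute your own).

Import-Module MSOnlineExtended
Connect-MsolService

$CertPath            = "C:\_Install\oauth.cer"
$ExtWebFqdn          = "extweb.domain.com"
$SkypeOnlineAppId    = "00000004-0000-0ff1-ce00-000000000000"   # Skype for Business Online
$ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # Exchange Online

# X509Certificate2 reads both DER and Base-64 .cer files, so either export works.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.HasPrivateKey) { throw "Refusing to upload a file that carries a private key." }
$credentialsValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Uploading OAuth cert $($cert.Thumbprint), valid until $($cert.NotAfter)"

function Add-SpCredentialIfMissing {
    param([string]$AppPrincipalId, [string]$Value, [datetime]$NotAfter)

    # Assumption: the tenant returns the uploaded key data in .Value when asked for key values.
    $existing = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
        Where-Object { $_.Value -eq $Value }
    if ($existing) {
        Write-Host "$AppPrincipalId already has this key (KeyId $($existing.KeyId))"
        return
    }

    # Bound the credential to the certificate's own lifetime (my addition) so a
    # stale verification key does not linger after the on-prem cert is renewed.
    New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type Asymmetric -Usage Verify `
        -Value $Value -EndDate $NotAfter

    # Read it back: a blank Value here is the symptom the post describes.
    $check = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
        Where-Object { $_.Value -eq $Value }
    if (-not $check) {
        throw "Key for $AppPrincipalId did not read back; close and relaunch the module, then retry."
    }
}

Add-SpCredentialIfMissing -AppPrincipalId $SkypeOnlineAppId    -Value $credentialsValue -NotAfter $cert.NotAfter
Add-SpCredentialIfMissing -AppPrincipalId $ExchangeOnlineAppId -Value $credentialsValue -NotAfter $cert.NotAfter
Set-MsolServicePrincipal -AppPrincipalId $ExchangeOnlineAppId -AccountEnabled $true

# Add the SPN for the on-prem external web services only if it is not already present.
$lyncSP = Get-MsolServicePrincipal -AppPrincipalId $SkypeOnlineAppId
$spn    = "$SkypeOnlineAppId/$ExtWebFqdn"
if ($lyncSP.ServicePrincipalNames -notcontains $spn) {
    $lyncSP.ServicePrincipalNames.Add($spn)
    Set-MsolServicePrincipal -AppPrincipalId $SkypeOnlineAppId -ServicePrincipalNames $lyncSP.ServicePrincipalNames
}

# Final read-back so the SPN can be compared with the FQDN shown in Topology Builder.
(Get-MsolServicePrincipal -AppPrincipalId $SkypeOnlineAppId).ServicePrincipalNames |
    Where-Object { $_ -like "*$ExtWebFqdn*" }
```

Running the SPN step twice without the -notcontains guard adds the same name a second time; the guard keeps the script safe to re-run after the module restart the post recommends.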
One thing I've noticed is that not all Skype for Business Online configurations have all the expected trusted providers.
From the Skype for Business Server Management Shell, list the hosting providers and make sure you see both Lync Online (or Skype for Business Online) and Exchange Online.
On several occasions I have had to add Exchange Online as a hosting provider in different hybrid environments:

New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFQDN "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification
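As an added example (not part of the original post), the following checks the hosting providers from the Skype for Business Server Management Shell and adds Exchange Online only if it is absent, using the provider settings given above. It assumes the Skype for Business Online provider can be recognised by its name or by a proxy FQDN under online.lync.com; that suffix is my assumption, not something the post states.

```powershell
# Added example, not from the original post. Run in the Skype for Business
# Server Management Shell.
# Assumption: the Skype for Business Online provider is identified by name or
# by a ProxyFqdn under online.lync.com.

$providers = Get-CsHostingProvider

# Show what is configured; both an Exchange Online and a Lync/Skype for Business
# Online provider should be listed and enabled.
$providers | Format-Table Name, ProxyFqdn, Enabled, EnabledSharedAddressSpace, HostsOCSUsers -AutoSize

$skypeOnline = $providers | Where-Object {
    $_.Name -match 'Lync Online|Skype for Business Online' -or $_.ProxyFqdn -like '*.online.lync.com'
}
if (-not $skypeOnline) {
    Write-Warning "No Skype for Business Online hosting provider found; the tenant will not be trusted."
}

$exo = $providers | Where-Object { $_.ProxyFqdn -eq 'exap.um.outlook.com' }
if (-not $exo) {
    # Values below are the ones the post gives for the Exchange Online provider.
    New-CsHostingProvider -Identity "Exchange Online" -Enabled $true -EnabledSharedAddressSpace $true `
        -HostsOCSUsers $false -ProxyFQDN "exap.um.outlook.com" -IsLocal $false `
        -VerificationLevel UseSourceVerification
} elseif (-not ($exo.Enabled -and $exo.EnabledSharedAddressSpace)) {
    # The provider exists but is not usable in this state; fix it rather than add a duplicate.
    Write-Warning "Hosting provider '$($exo.Identity)' is present but disabled or without shared address space."
    Set-CsHostingProvider -Identity $exo.Identity -Enabled $true -EnabledSharedAddressSpace $true
}

# Re-read so the change is confirmed from the Central Management Store, not assumed.
Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq 'exap.um.outlook.com' } |
    Format-List Identity, Enabled, EnabledSharedAddressSpace, VerificationLevel
```

Matching on ProxyFqdn rather than on the Identity string avoids creating a second provider when an earlier administrator registered Exchange Online under a different display name.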