Rights Management

Microsoft rights management solutions be it WRM or AD-RMS have been in my opinion for many years, a solution waiting for a problem; many organisations wanted to protect and control their documents and emails from being read or altered by recipients the content was not intended for, but the product lacked some important functionality, one of which was the ability to natively classify and label content (this was left to third parties). Their solutions also required a somewhat niche skillset and as a result the adoption of Microsoft’s rights management was slow.

Azure Information Protection (AIP) is a cloud-based solution that has addressed the challenges the on-premises solution had; as a solution it still protects documents, but it now also now natively enables an organisation to classify and label its documents and emails with the benefit of the on-premises complexities being reduced by moving the operation of the rights management service to the Azure platform.

Protect, Classify and Label.


The ability to protect a document, is how a content owner can restrict who has access to the content and what they can do with the document or its contents.

This can include the inability to edit the document, restrict who can print-it or in true “Mission Impossible” style, self-destruct (when the content expires).

The control can be controlled by the end user (ad-hoc).

or administratively on the portal via (classification and labelling).

Classification and Labels

The ability to label a document enables a document to be classified by the means of the label.

By selecting for example “Internal”, the document would be labelled and classified as internal and additional settings can be applied (in addition to rights management), such as a watermark, custom header or footer.

When I started this brief summary of AIP, I described the problem as procrustean and by this I meant, that when we have a problem we normally find the solution to the problem, yet AIP was a solution that needed a problem to solve.

In my opinion GDPR is one problem that needs a solution and AIP can form part of it.

May 25th, 2018, sees the start of the General Data Protection Regulation (GDPR) being enforced and this is where AIP can help in several areas, with the main one being that of “article 25. data protection by design and by default”.

AIP has a built-in capability to automatically protect documents that contain information in certain formats such as passport numbers, government issued information and credit card numbers.

This for me is the kind of problem that Microsoft’s rights management solutions were always intended to solve, the fact that AIP can also do automatic classification is a failsafe position for many organisations that need to collect and store personal information and when combined with content expiry too, it can be a very reassuring comfort blanket.

General Data Protection Regulation (GDPR)

More AIP insights to follow…..



I regularly work with multiple Azure Active Directory and Office 365 tenants, recently I wanted to utilise a domain that was attached to a tenant that had expired in December 2015, but did not know how to recover it.

The various portals that you can utilise offer very little guidance.

Azure Active Directory was a little more than useless

AAD Error

but the new Office 365 portal offered hope, with an indication as to which tenant it was attached to.

O365 Clue

So now what are my credentials?

Recover Account

Fortunately there is a link to reset your account details which were emailed to my @outlook.com email address which I added when creating the tenant.

So once I had recovered my credentials then I could access the portal and delete the domain.


If you get the message below, you have objects(users, groups or contacts) in the directory that still have the domain you are trying to delete associated to them.


The domain is now removed and can be utilised in another tenant.





Recently I faced an issue with Azure AD Connect.

The scenario:

A Windows Server 2012 R2 box with direct access to the internet with Azure AD Connect installed and running under the context of a service account.

As Azure AD Connect was running in the context of a service account, it wanted to utilise a proxy server to connect to the internet as it is WPAD aware.

The error message given was:

An error occurred executing Configure AAD Sync task: user_realm_discovery_failed: User Realm Discovery Failed

The trace log file also reported:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: user_realm_discovery_failed: User realm discovery failed —> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.

All the solutions (AADConnect Troubleshooting) I found on the internet pointed me at configuring the machine.config (C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config) with the required proxy server settings, but in my scenario I did not want to utilise a proxy server.

To resolve the issue I added the syntax below to the machine.config file which resolved the issue.

                <defaultProxy enabled=”false”></defaultProxy>

As always test in your environment before deploying into production.

AADConnect Troubleshooting – https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect-troubleshoot-connectivity/ (Accessed 16/05/2016)





Azure Active Directory Connect (AADConnect) is the tool that connects your on-premises Active Directory to Azure Active Directory.

At the end of the setup there is a rather unhelpful message asking you to run


Translated to English this means. (also see Update 20/07/2016)

  1. Open PowerShell and set your execution policy to unrestricted.
    set-executionpolicy unrestricted

  2. Change directory to
    C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep

  3. Then
    import-module .\AdSyncPrep.psm1

  4. Then

  5. Supply values for the following parameters:

    AdConnectorAccount: your AAD connector account.

    AzureADCredentials: your credentials for Azure.

  6. If successful you should see
    Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.Configuration Complete

  7. As good practice, set  your execution policy back to restricted.
    set-executionpolicy restricted

Update 20/07/2016:

This must be run from a computer that has the Active Directory module for Windows PowerShell and the AD DS Snap-Ins and Command-Line Tools installed.


Failure to have both options installed will result in two errors:

The first error is obvious.


The second is not quite so obvious, a dsacls.exe error is generated as the command line tooling is not installed.

DSAcls Error




Last week Microsoft announced some radical changes to the Microsoft MVP program

Steve Guggenheimer: Moving into the next generation of the Microsoft MVP Award
MVP Website: Award Update – Oct 2015

In summary (there are a few exceptions), MVP’s have been categorised under one of ten new headings. Directory Services now comes under the categorisation of Enterprise Mobility, therefore I am now an MVP for Enterprise mobility.

My initial thought was, Enterprise Mobility? I don’t do telephony

I soon realised Microsoft’s logic in their categorisations, enterprise mobility is not all about mobile telephones and the utilisation of various parts of the radio spectrum, it is in fact about being able to access your enterprise from anywhere and on any device and identity is a key component of Microsoft’s enterprise mobility strategy.

In an on-premises world the de facto enterprise identity solution is Active Directory (Directory Services) and in the Microsoft cloud it is Microsoft Azure Active Directory. The term hybrid identity is the fusing of the two methods of identity together to create a seamless identity solution be it on-premises or in the cloud.

As I delve deeper into the deeper corners of Microsoft identity, I will share my story to this blog and unlike the 15 year old teenager that is Active Directory, not everything that can be written about the Azure Active Directory and Hybrid Identity has been written yet.