Office 365 SSO AD FS

Similar Messages

• Time out error after redirection (ADFS-Office 365 SSO)

  Hi everyone,
   I've been having a problem with configuring ADFS and Office 365 SSO. So Everything is setup and signing into office 365 from the internal network works perfectly but when trying to access from the external network I get timed out. A brief overview
  of my setup:
  LAN------>Firewall---------->Firewall------>Internet
                     |
                   DMZ
  LAN network: 192.168.50.0/24
  DC-DNS, RODC-DNS, ADFS1-ADFS2 (NLB), DIRSYNC.
  DMZ: 172.16.50.0/24
  ADFS Proxy1-ADFS Proxy 2 (NLB) (NLB IP: 172.16.50.225)
  Firewall-Firewall: 10.10.10.0/24
  Internal Firewall: Inside: 192.168.50.254/Outside: 10.10.10.2
  External Firewall: Inside: 10.10.10.1/Outside: 172.31.130.83 (working in a class lab with my universities private network)
  Our network engineering department has its own firewall, I was given a Public IP address of 199.50.X.X that port forwards both port 80 and 443 to the outside interface of the external firewall (172.31.130.83)
  The internal firewall allows outgoing and incoming connections from anywhere for troubleshooting the issue. The External Firewall has been configured portforward both port 80 and 443 to the adfs proxy NLB address.
  Other firewall configurations such as NAT and static routes have been configured correctly.
  I've updated the public DNS records, the A record for my ADFS from the public IP address godaddy assigned to my public domain to the public IP given to me (199.50.X.X). I added the adfs server internal IP and name to the adfs proxy host files and DNS resolution
  is working both internal and externally.
  Using a domain-joined computer and user I am able to sign into office 365 with no problems. The problem starts when I try to access from an external device. When entering a domain user email at the office portal, it tries to redirect me to my adfs proxy
  but after a minute or so it fails to load my internal adfs login page and using google chrome I see a timeout error.
  Checked event viewer on both adfs and adfs proxy servers and nothing is showing up, checked my firewalls and everything seems to be working fine, I also confirmed that the faculty's firewall is receiving and forwarding correctly through ports 443 and 80
  (my external firewall also shows the same results).
  Any help would appreciated, been troubleshooting for more than  week and pretty much out of options other than starting over.
  Thank you.
  Moe.

  Hi Moe,
  Regarding specific ADFS query, I suggest you refer to experts from the following forum to get professional support:
  Claims based access platform (CBA), code-named Geneva Forum
  http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
  Thank you for your understanding and support.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• 802.1x wireless authentication using NPS - SSO sign on to Office 365 using ADFS

  Hi Spiceys,I'm researching for a potential client and would like to know if the following is possible:They have an existing wireless network with a working 802.1x implementation using NPS as RADIUS. They are very keen to move to Office 365 and use SSO and my understanding is that they'll need to spin up a working ADFS implementation to arrange this. We want to use Microsoft tech to tie it all in, so 3rd party SSO apps I don't want to investigate.If a wireless client is authenticated with NPS, and we have a working ADFS implementation are they able to access Office 365 resources without signing in twice? I'd imagine that the NPS auth would give them the necessary DC token, but if they access O365 resources and get redirected to the ADFS website and use Windows integrated login, will it 'just work' ? They are looking at using the full...
  This topic first appeared in the Spiceworks Community

  did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
  we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
  any input would be much appreciated.

• Outlook 2010 - SSO to Office 365 Mailbox

  Dear,
  Is it possible to do sso from an outlook 2010 client to an office 365 mailbox ?  Now my customer is always prompted for a password.  I'm just wondering if full sso is possible.  Should be the easiest solution ;-).  ADFS is configured
  and working for webmail or lync, but not for the outlook client.
  As a Citrix admin, I was asked to roam the outlook credentials.  The customer uses Citrix profile mgmt and the profile is deleted from the server after logoff.  Appdata (roaming) is redirected.  What do we need to roam the credentials ?  It's
  not working out of the box.  Looks like credentials are not stored in the roaming part of the profile.
  I understood from http://social.technet.microsoft.com/Forums/office/en-US/2fc84b45-61a4-4ef8-9906-25632a4a74d3/outlook-2010-doesnt-save-password-exchange?forum=exchangesvrclientslegacy that the credentials are stored in C:\Users\<username>\AppData\Local\Microsoft\Credentials,
  but strange enough, I only see a file in appdata\roaming\microsoft\credentials...
  Best regards / thanks in advance,
  Wim

  Hi,
  Thank you for your question.
  I am trying to involve someone familiar with this topic to further look at this issue.
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• Removing Exchange 2007 from SBS 2008 after Migrating to Office 365 Mid Sized with DirSync and SSO

  We have recently completed off a Migration of Exchange 2007 to Office 365 Mid Sized platform.
  I now need to decomission the old SBS 2008 server as they have moved to a Windows Server 2012 R2 server setup for DC, File and print and application servers.
  I need to know what are the ramifications of removing the Exchange 2007 server from the SBS 2008 server and will this remove the LegacyDN details from AD and cause any issues with internal emails between users using Outlook linked through to Office365.
  I understand that after removing Exchange 2007 there will be no friendly GUI to update and maintain proxyAddress, targetAddress and LegacyDN addresses, I am comfortable doing this in ADSI edit or with a script.
  Will this remove the x500 addresses relating to the on premise Exchange Orgainisation and just leave behind the x500 addresses for Exchange Labs which I assume is the x500 addresses for the Azure AD intergration for Office365.

  Hi ,
  Thank you for posting your issue in the forum.
  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
  Thank you for your understanding and support.
  Best Regards,
  Andy Qi
  Andy Qi
  TechNet Community Support

• ADFS single sign-on with office 365 and multiple forests

  I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B
  to achieve single sign-on to office 365? Today users have to login with separate office 365 accounts in order to access email and sharepoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do
  to achieve single sign-on?

  Hi,
  Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
  Multi-forest and Multi-tenant scenarios with Office 365
  http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
  Hybrid Deployment Prerequisites
  http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
  SupportMultipleDomain switch, when managing SSO to Office 365
  http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
  For more information about Office 365, I suggest you refer to Office 365 community below:
  http://community.office365.com/en-us/f/default.aspx
  Best Regards,
  Amy

• Howto deploy a temporary exchange 2013 server for migration between two Office 365 accounts?

  Objective:
  We plan to migrate our office 365 from our current tennant (E3) to a new tennant (M) to drastically cut our annual costs for the same services, while retaining the mail and group memberships of all our users. This will involve installing an exchange server
  to download and upload mail from the old tennant to the new tennant.
  Background: 
  We are a longtime O365 customer, and have been a customer since before the "Midsize business" plans existed. There is no "cookie cutter" migration path from E3 to M. Microsoft currently recommends deploying an MS exchange server and off-boarding
  the mailboxes from your E3 subscription and then On-boarding them to a new account under the M plan.  As ridiculous as this is, this is indeed the path our company has decided to go. It isn't cool/fair that we're being shackled to the E plans (that are
  vastly more expensive) when we're a small/midsize business that has been a longtime customer of O365, while new customers of equal size to us can expect to save over $4000 annually. The services (when compared) offered are nearly identical.
  After calling MS support several times for guidance for this issue, I am advised that we should contact a 'partner' and ask for their support in doing this migration. We did as requested and were provided a quote to the tune of approximately $15,000 to do this
  migration for us. Obviously this is unacceptable, and thus our business has decided to rely on my abilities to get it done. Again, involving an MS partner is not an option.
  Environment:
  1 MS AD domain:
  - Original FQDN was @contoso.ca of this domain and UPNs were [email protected]
  - UPN has been changed to [email protected] to allow for ADFS
  - ADFS has been deployed and SSO works for all users with UPN [email protected]
  - An "On-Prem exchange server" does not yet exist
  1 O365 Account where main tennant FQDN is @corp.com
  - There are 5 registered domains
  -contoso.ca
  -corp.com
  - contoso.legacy.ca
  -deprecated/will be deleted
  -deprecated/will be deleted
  - There are 40 E3 licenses, all using a @corp.com UPN
  - There are 5 E1 licenses (we acknowledge that these will be upgraded to an M following the migration) that use the UPN contoso.legacy.ca
  - No accounts currently use contoso.ca for email
  - O365 was upgraded to 'the latest version' sometime in summer 2013.
  Migration Plan (High Level):
  Setup a local windows server (trial license)  
    Deploy an exchange 2013 server (trial license) on the aforementioned windows server  http://technet.microsoft.com/en-us/evalcenter/hh973395.aspx
    Prepare and deploy Dirsync Deployment
  of Dirsync
    Add exchange to office 365 and begin replicating the mailboxes from the cloud to the exchange server. Wait for synchronization to complete.
  More information: http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
  http://help.outlook.com/en-us/140/ff633682.aspx
    Evaluate total time it took to sync data. 
  Time it takes to download data to exchange should be relatively similar to time it takes to restore mail to the new service.
    Open a new office365 account under the M plan.
    Plan a 1 hour mail & contoso.ca domain login outage
    temporarily change all user UPN's to match the new tennant
    perform a dirsync to the new tennant
    disable dirsync after all accounts have been auto-created/provisioned
    re-establish UPN + mail access.
    Plan a date and time for the cut over.
    remove the exchange hybrid server from the old tennant. 
    Point MX records directly to the exchange server.
    Cut office 365 service.
    After the 30 minutes ~ 1 hour 'mandatory' wait time imposed by MS to 'register' the domain with O365, add @corp.com to
  the new tennant
    fix all user UPN's in the cloud to match their real UPN's.
  This can be done with powershell.
    attach exchange hybrid server to new tennant
    Point MX records to the new tennant 
    Migrate all data from the local exchange server to the cloud under the new plan.
  Current progress (Lab):
  I have created a sandbox (Lab with no internet access or connectivity to production) environment in VMware and cloned the following servers to it:
  1x Domain Controller (DC) running windows server 2012 (named DC02)
  1x DC running windows server 2008 R2 (named DC01)
  1x windows server 2012 R2 - prepped with all the pre-requisites to install exchange 2013. (named EXC01)
  Where I am stuck / Problem:
  I have installed exchange on the server EXC01 in the lab environment using my account. I am a domain administrator in the contoso.ca domain, but my UPN is [email protected]. 
  After the installation of exchange, I notice that my email address in Active Directory changed from @corp.com to @contoso.ca. By default, I do not see @corp.com to be an available email address to select as my email address, and changing it in AD does not resolve
  the problem. 
  In the exchange portal, I found "Mail flow ---> Accepted Domains", and believe I should add @corp.com to the accepted domain list. Questions:
  1) Must I add corp.com and the other domains that exist in office 365 to the local exchange before I go through with the hybrid wizard?
  2) If I must add them to exchange, I am provided with three choices: 
  - Authoritative Domain
  - Internal Relay Domain
  - External Relay Domain
  Given that the domain is currently in office365 and is authoritative there, which of these applies?
  3) Most documentation I have found has been about a one way migration from on-prem to the cloud. I have had a hard time finding a step by step guide for cloud to local (new server) and then back to cloud. Does anyone here have any good documentation for this
  process? Would love it if it took into consideration multiple UPN/email addresses.

  Hi,
  Here are my answers you can refer to:
  1. Yes, we should select the primary SMTP domain for our organization and any other accepted domains that will be used in the hybrid deployment:
  http://technet.microsoft.com/en-us/library/jj200787(v=exchg.150).aspx
  2. It depends on the usage of the specific accepted domain. And Exchange version has no influence.
  To determine it, you can firstly check the function of the three types in the following article:
  http://technet.microsoft.com/en-us/library/bb124423(v=exchg.150).aspx
  3. Here are some reference about the migration from on-premise Exchange server to Office 365:
  http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-2013-hybrid-deployment-migrating-office-365-exchange-online-part1.html
  Additionally, since the issue is related to Exchange online, I recommend you ask for help on our Exchange online forum to get more professional help:
  http://social.technet.microsoft.com/Forums/msonline/en-US/home?forum=onlineservicesexchange
  If you have any question, please feel free to let me know.
  thanks,
  Angela Shi
  TechNet Community Support

• Certificates for Office 365 Hybrid Exchange 2010 Exchange Online v15

  Certificates for Office 365 Hybrid Exchange 2010 Exchange Online v15
  We need to set up a hybrid server to allow us to begin moving mailboxes to Exchange Online. We created a new Server 2012 R2 server with Exchange 2013 SP1 to act as our Hybrid server. Reading the literature leaves me with questions about what
  certificates I need.  My understanding is that the certificates in play on the on-premise Exchange 2010 servers don't need to be changed.
  I've looked at the TechNet article "Certificate requirements for hybrid deployments" 
  http://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx
  Certificate requirements for the new Exchange 2013 SP1 server are still unclear to me, I think the new server needs a SAN certificate with:
  Hybridserver.domain.edu
  autodiscover.domain.edu
  EWS.domain.edu
  Can anyone clarify?

  Cert is required only if you want to deploy ADFS for SSO.
  Otherwise you can use your existing Cert for all the Services
  Cheers,
  Gulab Prasad
  Technology Consultant
  Blog:
  http://www.exchangeranger.com    Twitter:
    LinkedIn:
     Check out CodeTwo’s tools for Exchange admins
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Access to my Office 365 third-party app for external user : "a User account is not registered for the account"

  In my third-party web application of Office 365, I want to have access to the contacts, events and emails of all the users from the organizations who installed my app. The thing is I don't want that all these users have to grant me access, I just want one
  admin of the org to grant access for my app and then be able to retrieve the data I need for all the users.
  To test for one organization, I logged in as the admin and proceed to the Oauth2 authentication to retrieve the access token and in the first request (the GET one to retrieve an authorization code) i add the parameter
  prompt=admin_consent.
  With this access token, I can access the data (emails, contact, event) of the admin
  for instance for the contacts
  uri: https://outlook.office365.com/ews/odata/Users(adminemail)/Contacts
  but not the data of the other users of this org with this uri
  uri: https://outlook.office365.com/ews/odata/Users(useremail)/Contacts
  The only thing I can do is retrieve an access token for each user but it supposed that each user has to authorize the access to the app but it's very cumbersome. So, i don't see what enables the parameter prompt=admin_consent and how to use it. Does anybody
  know what it does?
  And my question is: how can I do to access the data of all the users of one organization when the access has been granted by one admin?
  Thank you!

      
  This was answered on StackOverflow by Dushyant Gill.  http://stackoverflow.com/questions/25316175/access-to-my-office-365-third-party-app-for-external-user-a-user-account-is-n/25316678#25316678
  You are sending the OAuth request to a tenant specific endpoint of Azure AD. Note the {key_provided} part of your Url - that part represents the tenantid or a registered domain name of an Azure AD tenant. Azure AD throws this error is the user signing in
  is not a user in that tenant.
  Multi-tenant applications like yours have two options:
  Perform home realm discovery yourself and send the SSO request to the correct tenant-specific endpoint of Azure AD: when a new Azure AD organization signs-up for your application, record its tenant ID, and registered domain names. On your login page, ask
  the user for their email and try to discover what Org they belong to using the suffix the email.
  Use the common endpoint of Azure AD. Instead of the {key_provided} part of the URL, use 'common'. In this case Azure AD will determine the user's tenant and sign-in the user. The token that your application will receive will still be from the user's tenant
  (iss claim).
  2 is more convenient for apps. However #1 has an advantage when the user's Organization has customized their sign-in page with the company logo etc - in the case of #1 the user will directly be taken to the customized and familiar sign-in page.
  I recommend a combination of the two: try determining the user's organization and sending them to the tenant specific SSO endpoint. If you're not able to - send them to the common endpoint.

• Identity Delegation within Office 365

  Hello,
    For a Business Intelligence solution that is deployed onto Office 365 + Power BI + SharePoint Online, would a logged on user identity be delegated to the back end SQL Server and SQL Server Analysis Services in case of
     a. SQL Server and SQL Server Analysis Services being hosted on-premise
     b. SQL Server and SQL Server Analysis Services being hosted on Windows Azure IaaS
     c. Azure SQL Database (Paas) and SQL Server Analysis Services being hosted on Windows Azure IaaS
  Would this be true in one / both of the following cases
    a. When a user credential (including password) has be synchronized to the Active Directory present on Office 365
    b. When SSO has been configured and Active Directory Federation has been implemented
  Regards,
  Hemant

  Hi,
  Agree with Jesper Hassing.
  Here is a similar case may help you:
  https://social.technet.microsoft.com/forums/lync/en-US/c957bfe4-3e05-4023-9786-e459f4901d5d/lync-2013-client-increase-message-size
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Managing multiple Office 365 accounts

  Hi
  Does anyone have a good solution to managing multiple Office 365/Exchange 365 accounts? I provide IT services to a number of small businesses, all unrelated and I am responsible for over 6 separate instances of Office 365 (mostly Exchange, a couple also
  have sharepoint) for clients. I also use it myself (Exchange and Sharepoint).
  My issue is that as soon as I log into a client admin portal, it removes my authentication to my own or other accounts and I cannot use my own sharepoint or Exchange online services. I can only be logged in to one. As all my business runs in Sharepoint and
  Exchange, this is very annoying. Outlook is OK, its authentication doesn't change when I log in as someone else (Outlook Web Access does obviously). I never had this issue with BPOS, the SSO application kept my business systems online even when I logged into
  a client portal but now that there is no SSO, I dont have this luxury. My IE homepages are all my Office 365 portal pages and if I log in as another client, they all log into the client next time.
  I need an intermediate portal interface that allows me to store credentials for each client separately and allow me to log into multiple online services accounts without affecting other accounts. I often find myself needing to access 2-3 accounts at the
  same time and have to use different browsers for each one (it is close but not quite 100% in Firefox or Chrome). Does such a system exist? Surely I am not alone in managing many accounts at the same time. I can run multiple powershell sessions independently
  but I dont want to do everything through powershell all the time and cannot log in as the client to check things this way.
  Regards
  Ben

  If you want to work on your computer with different office 365 accounts, you don't need to run different browsers!
  Since IE8 there is a hidden function called "New Session". It works great for SharePoint Online and it works if you want to login with different credentials to you SharePoint OnPremise during testing. I love it!
  More information and screenshots:
  https://www.facebook.com/media/set/?set=a.544497252247574.130281.203330989697537&type=1
  Marek Czarzbon, Made In Point

• Office 365 AD FS without Dirsync

  With have an on-premise AD and an Office 365 subscription. We are gonna use the o365 only for giving students in our campus free access to Office 365 Pro Plus. For now I have been testing DirSync with password sync with success.
  I have now a question; is it possible to use AD FS without DirSync as the only goal is to give access to Office 365 Pro Plus and as we only sync the mimimum attributes required? I read many times that it is not recommended but as we will not use any others
  cloud services, what is the good answer?
  Another thing: I do manage a child domain. Another team manages the parent domain. I can read here
  http://technet.microsoft.com/en-us/library/jj205461.aspx that "When the top-level domain is set up for single sign-on, all subdomains are automatically set up as well."
  So is it possible for us to use AD FS between our child-domain and Azure and the other team to use AD FS between their parent domain and Azure without problems?
  BR

  Hi SupportS2L,
  It sounds to me like you probably already have the best solution for your environment in place.
  If you simply want to provide students easy access to any services hosted from 365 using the same password as on premise AD DirSync really is all you need. You then control which services in O365 you want them to access from the O365 admin portal as im sure
  you already are.
  DirSync is a prerequisite of ADFS so I don't believe you would be able to run ADFS without DirSync. I have seen some TechNet blogs that explain how you can operate ADFS without DirSync functioning but only for the purposes of
  testing before you finalise the SSO setup with DirSync. Remember that when you implement ADFS you change the authentication point on O365 from the highly available cloud to your on premise ADFS and ADFS Proxy setup so high availability is a must
  and can get expensive for the relevant server and network infrastructure.
  Thanks

• Can I migrate users from a hosted Exchange 2010 to Office 365 Enterprise E1 without the need of third party software?

  I am hoping I am posting to the correct forum.  We are currently using a hosted Exchange 2010 service through Intermedia and due to continuing issues with them and the pricing, we are getting ready to migrate to Microsoft’s Office 365 Enterprise
  E1 platform.  My question is this, besides the fact that we will need to set up ADFS for SSO, will I be able to migrate our existing mailboxes from Intermedia to Office 365 without having to purchase additional software? 
  The current configuration we have with Intermedia allows for us to use OWA and our OST files for our current users are cached locally on the workstations. 
  We also do not have any public folders in use.  I have searched the web, but I have not been able to find a definitive answer or steps that I should take to prepare for this type of migration. 
  Any suggestions on this matter would be appreciated.  Thank you.

  It looks as I should be able to from reading that article.  Not sure why the company that want to set this all up for me wanted $12,000 for something I can do with 6 steps.
  Thank you

• Office 365 ProPlus Activation Issues

  Issue Resolved: 
  After adding all of the Office 365 URL's and Address Ranges to our internet filters exception list activation worked. 
  Hi Everyone
  I'm preparing for a deployment of Office 365 ProPlus using the Office Deployment Tool (ODT) and having trouble getting Office to activate after installation.  Using my custom .xml file, I'm able to install only Office products that are needed without
  issue using a Group Policy start-up script.  It is necessary for me to do this because none of the users in my environment have local administrator rights and cannot install Office on their own using Click-to-Run.  Installing with a start-up script
  uses the System account to circumvent that issue.  Upon first launch of Office 365 ProPlus I'm prompted to enter my email address and password for activation and promptly receive the error "There is a problem with your account.  Please try again
  later."
  I've verified that an Office 365 ProPlus license has been provisioned for my account through our portal and have ADFS running without issue.  Here's where things start to get strange... In testing, I added myself as a local administrator to my desktop
  and downloading/installed the Click-to-Run from our Office portal.  Upon launching Office for the first time it was activated automatically and the portal showed that a license was used.
  As of right now I'm at a bit of a loss as to why I can't activate Office using valid credentials with proper licenses provisioned when installing with the ODT but it auto activated when using Click-to-Run.  Any help or suggestions would be much appreciated.
  See below for a copy of my configuration.xml
  <Configuration>
    <Add SourcePath="PATH TO OFFICE INSTALL FILES" OfficeClientEdition="32">
      <Product ID="O365ProPlusRetail">
        <Language ID="en-us" />
        <ExcludeApp ID="Access" />
        <ExcludeApp ID="Groove" />
        <ExcludeApp ID="InfoPath" />
        <ExcludeApp ID="Lync" />
        <ExcludeApp ID="Project" />
        <ExcludeApp ID="SharePointDesigner" />
        <ExcludeApp ID="Visio" />
      </Product> 
    </Add>
    <Display Level="None" AcceptEULA="TRUE" />
    <Logging Level="Standard" Path="%temp%" />
    <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  </Configuration>
  **note: Add SourcePath="PATH TO OFFICE INSTALL FILES" points to the Office\Data folders which were created when using the ODT in /download mode.
  Edit:
  After troubleshooting the issue more yesterday I found that whenever I try to activate Office 365 ProPlus an error is generated in the application log.
  The description for Event ID 0 from source MSOIDSVC.EXE cannot be found. Either the component that raises
  this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  If the event originated on another computer, the display information had to be saved with the event.
  The following information was included with the event:
  InitializeSvcAPI failed with hr = 0x8004825b
  I've thus far been unsuccessful in figuring out what MSOIDSVC.EXE is or what it does. 
  Edit: 
  http://community.office365.com/en-us/w/sso/534.aspx 
  MSOIDSVC.EXE is part of the Microsoft Services Sign-In Assistant (MSO SIA).  After installing MSO SIA and verifying that the services were running activation still failed. 

  hi,
  Thank you for sharing your solutions and experience here. It will be very beneficial for other community members
  who have similar questions.

• Office 365 Activation issues

  Having an issue where users are unable to activate Office 365. Install was done on an image being deployed with SCCM 2012R2 on Windows 7 machines using CTR.  When we run the connectivity analyzer I get the following response:
  A SOAP fault response was received from the Security Token service.
  Reason: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from
  ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the
  Microsoft .NET Framework SDK documentation and inspect the server trace logs.
  Code: s:Receiver
  Subcode: a:InternalServiceFault
  Users ARE able to access the portal using SSO with federated services using ADFS 3.0 on Windows Server 2012 R2 with proxies on Windows Server 2012 R2 and Dirsync running consistently with no errors on Windows Server 2012 R2.  AD is at Forest and Domain
  functional levels of Windows 2003.
  TB

  Hello all, I'm having problems activating this preview of Office. Any suggestions. Thanks Kirk
  kirk
  I'd try here:
  http://community.office365.com/en-us/f/default.aspx
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)