Alternative “Portal” Access to Office 365 Services

A great post by Sean McNeill reminding us that there are alternative methods to access Office 365 services (Exchange Online, SharePoint Online, Lync Online) in the event of an outage of the primary O365 portal.

Todd (@oddytee)


Adding a Subdomain to Office 365

The other day I attempted to add a subdomain to an Office 365 account but received an unwelcome message…

Can’t add domain … is a subdomain of a domain which was added by using the Microsoft Online Services Module for Windows PowerShell. You must also use this tool to add to Microsoft Online Services.

So… I made the attempt to add it via PowerShell. First, I reviewed my domain (Get-MsolDomain) and all appeared fine: Status is Verified and Authentication is Federated.

Next, I attempted to add the domain via PowerShell… New-MsolDomain -Name

But received this…

New-MsolDomain : Unable to add this domain. It is a subdomain and its authentication type is different from the authentication type of the root domain.
At line:1 char:15
+ New-MsolDomain <<<<  -Name
    + CategoryInfo: OperationStopped: (:) [New-MsolDomain], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainUnexpectedAuthenticationException,Microsoft.Online.Administration.Automation.NewDomain

Finally, I tried this command… New-MsolFederatedDomain -DomainName

And received another error…

New-MsolFederatedDomain : Failed to connect to Active Directory Federation Services 2.0 on the local machine.  Please try running Set-MsolADFSContext before running this command again.
At line:1 char:24
+ New-MsolFederatedDomain <<<<  -DomainName
    + CategoryInfo: InvalidOperation: (:) [New-MsolFederatedDomain], FederationException
    + FullyQualifiedErrorId : InvalidCommandSequenceGeneva,Microsoft.Online.Identity.Federation.Powershell.AddFederatedDomainCommand

I opened a ticket with O365 support to assist with troubleshooting and received a call back to address it. We were able to resolve the issue relatively quickly. The key to resolving it was in the error received from the previous command I issued … “Failed to connect to Active Directory Federation Services 2.0 on the local machine”. As I was running the commands from the DirSync server or an admin workstation, the “local machine” being referred to in the error wasn’t the correct machine to run the command from.

Being fairly new to AD FS implementations, I found that it apparently is important where you run your commands from when you have AD FS set up. All that needed to be done was to access Office 365 via PowerShell from the primary AD FS server and run the same command as above…

New-MsolFederatedDomain -DomainName

Once the command was issued from the primary AD FS server, I received the message “Successfully added ‘’ domain.” I checked the domain list in my tenant and via PowerShell (Get-MsolDomain) to confirm the subdomain was present and federated.

To test, I added the UPN for my subdomain to the on-premises domain, modified a few accounts to reflect the new local UPN account name, forced DirSync, confirmed the O365 account name had changed and successfully logged into the portal with the new UPN account name (via SSO).

FYI…My actual domain name is not “”.

by Todd Nelson

Disable Expiration of Office 365 Account Password

You might have a rare situation in which you need to keep the password from expiring for a specific Office 365 account or for all accounts. It is a bad security decision and model, but it can be done. However, it can only be done when connected to Office 365 via PowerShell.

In the PowerShell console, check the password status of an individual user or all users.

For individual users…

    Get-MsolUser -UserPrincipalName "O365 Account UPN" | Select PasswordNeverExpires

For all users, use this command (-All returns every user rather than only the default first 500 results)…

    Get-MsolUser -All | Select UserPrincipalName, PasswordNeverExpires

If the field for “PasswordNeverExpires” is blank (or does not have a value), the account is likely to be an object that is being synchronized from your local Active Directory.  If the “PasswordNeverExpires” field has a value of “False”, then the account password has an expiration set for it.  Our goal is to disable password expiry by setting the value to “True”.

To set the value to true, we will again show examples for an individual and all users.

For individual users…

    Set-MsolUser -UserPrincipalName "O365 Account UPN" -PasswordNeverExpires $true

For all users (-All returns every user rather than only the default first 500 results)…

    Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

If for any reason you need to turn password expiry back on, change the value of the “-PasswordNeverExpires” parameter in the two previous commands to “$false”.
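Because the setting weakens password hygiene, it helps to keep a record of which accounts carry it. The following is an added example, not part of the original post: it classifies user objects by the three PasswordNeverExpires states described above and flags exempt accounts that are not on an approved list. The function name Get-PasswordExpiryAudit, its parameters and the sample accounts are hypothetical; the property names are those of the objects returned by Get-MsolUser.

```powershell
# Added example; function name, parameters and sample accounts are hypothetical.
function Get-PasswordExpiryAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $ApprovedUpn = @(),   # accounts allowed to be exempt from expiry
        [datetime] $Now = (Get-Date)
    )
    process {
        # The three states described above: blank (likely synced), False, True.
        $state = if ($null -eq $User.PasswordNeverExpires) { 'NotSet' }
                 elseif ($User.PasswordNeverExpires)       { 'NeverExpires' }
                 else                                      { 'Expires' }

        $ageDays = $null
        if ($User.LastPasswordChangeTimestamp) {
            $ageDays = [math]::Floor(($Now - $User.LastPasswordChangeTimestamp).TotalDays)
        }

        # Exempt from expiry but not on the approved list: needs a decision.
        $needsReview = ($state -eq 'NeverExpires') -and
                       ($ApprovedUpn -notcontains $User.UserPrincipalName)

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            State             = $state
            DirSynced         = [bool]$User.LastDirSyncTime
            PasswordAgeDays   = $ageDays
            NeedsReview       = $needsReview
        }
    }
}

# Constructed sample objects (not real accounts) so the function runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-scanner@example.com'; PasswordNeverExpires = $true
                       LastDirSyncTime = $null; LastPasswordChangeTimestamp = [datetime]'2012-01-10' }
    [pscustomobject]@{ UserPrincipalName = 'jdoe@example.com'; PasswordNeverExpires = $true
                       LastDirSyncTime = $null; LastPasswordChangeTimestamp = [datetime]'2011-06-01' }
    [pscustomobject]@{ UserPrincipalName = 'synced@example.com'; PasswordNeverExpires = $null
                       LastDirSyncTime = [datetime]'2013-01-09'; LastPasswordChangeTimestamp = $null }
)
$sample | Get-PasswordExpiryAudit -ApprovedUpn 'svc-scanner@example.com' -Now ([datetime]'2013-01-10') |
    Where-Object { $_.NeedsReview } | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-PasswordExpiryAudit -ApprovedUpn $approved
```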

Good luck.

Reference(s): Configure user passwords to never expire

by Todd Nelson

SharePoint Online Error Access Denied When Accessing Team Site

Are your users receiving “Error: Access Denied” when accessing the SharePoint Online Team Site?

Here is how to resolve it…

1. Log into the Office 365 portal as the global admin.

2. Access the Team Site.

3. Click the Site Actions drop-down (top left corner of the page) and select Site Settings.

4. Under Users and Permissions, click People and Groups.

5. Click the New drop-down and select Add Users.

6. In the Select Users section, enter the name of a user that has been assigned a SharePoint Online license and click the Check Name icon.

7. Once the name is validated, click OK.

   NOTE: If the name does not validate, it is potentially because the account has not been assigned a SharePoint Online license.

The new user appears in the Team Site Members page. The user will now be able to access the Team Site.


by Todd Nelson