fabianwilliams-zz · October 10, 2014 15:15
diff --git a/golf_registerSPOPrincipaltoSP2013 b/golf_registerSPOPrincipaltoSP2013
 #you will need to set up a Trusted Authority in your ON Premises SP2013
 #below takes SPO Principal Object and registers it with SP On Prem Root Web
 
 $spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
 $sponameidentifier = "$spoappprincipalID@$spocontextID"
 $appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"
 
 #you can verify this worked by running the POSH below
 
 Get-SPAppPrincipal -site $site.rootweb -NameIdentifier $sponameidentifier | format-table -autosize -wrap
 
 #to set the SharePoint Authentication Realm do the below
 
 Set-SPAuthenticationRealm -realm $spocontextID
 
 #to test it works type the below to see the output of the variables and object
 
 $spocontextID
 
 #and
 
 Get-SPAuthenticationRealm
diff --git a/alpha_loadingposhmodultes b/alpha_loadingposhmodultes
 Add-PSSnapin Microsoft.SharePoint.PowerShell
 Import-Module Microsoft.PowerShell.Utility
 Import-Module MSOnline -force
 Import-Module MSOnlineExtended -force
 Import-Module Microsoft.Online.SharePoint.PowerShell -force
diff --git a/bravo_enableremoting b/bravo_enableremoting
 #as you will be using POSH from your local
 #pc to affect Office 365 you must enable remoting
 enable-psremoting
 new-pssession

 
diff --git a/charlie_logintoO365TennantPermalink b/charlie_logintoO365TennantPermalink
 #you will need to grab the publishing file from O365
 #you will need a Global Admin creds to do that
 $cred=Get-Credential
 Connect-MsolService -Credential $cred
diff --git a/delta_setVarsForSPNandCerts b/delta_setVarsForSPNandCerts
 #you will be setting up the SPN and Certs here
 #based on on your Public Authority SSL certs and
 #Replacement STS cert
 #in my example it was $spcn="*.fabiansworld.com" below
 
 $spcn="*.<public_root_domain_name>.com"
 $spsite=Get-Spsite <principal_web_application_URL>
 $site=Get-Spsite $spsite
 $spoappid="00000003-0000-0ff1-ce00-000000000000"
 $spocontextID = (Get-MsolCompanyInformation).ObjectID
 $metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"
 
 #to test for the value that you just set which will return the GUID for the
 #spocontextid type the below
 
 $metadataEndpoint
diff --git a/echo_uploadSelfSignSerttoO365 b/echo_uploadSelfSignSerttoO365
 #the replacement STS Cert that was put on SharePoint On Prem needs
 #to be on O365 as well
 #it is better practice to set the end date value to one day less than the expiration date

 $cerPath = "<path to replacement certificate (.cer file)>"
 $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPass
 $cer.Import($cerPath)
 $binCert = $cer.GetRawCertData()
 $credValue = [System.Convert]::ToBase64String($binCert);
 New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate <start_date> -EndDate <end_date>
diff --git a/foxtrot_addSPNofPubDomainToAzure b/foxtrot_addSPNofPubDomainToAzure
 #by default O365 SPO  has a Principal Object public token GUID mapped to SPO
 #you need to add your public domain as well that will be
 #particpating in Hybrid

 $msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
 $spns = $msp.ServicePrincipalNames
 $spns.Add("$spoappid/$spcn") 
 Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

 #to test your entry you should see your publid domain SPN with the POSH
 #statement below. in fact you will see two, one for SPO and one for your domain

 $msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
 $spns = $msp.ServicePrincipalNames 
 $spns
diff --git a/hotel_setupWAADasTrustedTokenIssuer b/hotel_setupWAADasTrustedTokenIssuer
 #for proper authentication you will need to allow WAAD to be a trusted
 #token issuer on the On Prem SharePoint. This will set up a SA Proxy in
 #your SErvice Applicaition and add a Trusted Authority in Security

 New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
 New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

 #you can look in CA>General Security>Manage Trust for this new entry or
 #run the POSH below to verify it worked. One of them will say ACS

 Get-SPTrustedSecurityTokenIssuer
	#you will need to set up a Trusted Authority in your ON Premises SP2013
	#below takes SPO Principal Object and registers it with SP On Prem Root Web

	$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
	$sponameidentifier = "$spoappprincipalID@$spocontextID"
	$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"

	#you can verify this worked by running the POSH below

	Get-SPAppPrincipal -site $site.rootweb -NameIdentifier $sponameidentifier \| format-table -autosize -wrap

	#to set the SharePoint Authentication Realm do the below

	Set-SPAuthenticationRealm -realm $spocontextID

	#to test it works type the below to see the output of the variables and object

	$spocontextID

	#and

	Get-SPAuthenticationRealm
	Add-PSSnapin Microsoft.SharePoint.PowerShell
	Import-Module Microsoft.PowerShell.Utility
	Import-Module MSOnline -force
	Import-Module MSOnlineExtended -force
	Import-Module Microsoft.Online.SharePoint.PowerShell -force
	#as you will be using POSH from your local
	#pc to affect Office 365 you must enable remoting
	enable-psremoting
	new-pssession
	#you will need to grab the publishing file from O365
	#you will need a Global Admin creds to do that
	$cred=Get-Credential
	Connect-MsolService -Credential $cred
	#you will be setting up the SPN and Certs here
	#based on on your Public Authority SSL certs and
	#Replacement STS cert
	#in my example it was $spcn="*.fabiansworld.com" below

	$spcn="*.<public_root_domain_name>.com"
	$spsite=Get-Spsite <principal_web_application_URL>
	$site=Get-Spsite $spsite
	$spoappid="00000003-0000-0ff1-ce00-000000000000"
	$spocontextID = (Get-MsolCompanyInformation).ObjectID
	$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"

	#to test for the value that you just set which will return the GUID for the
	#spocontextid type the below

	$metadataEndpoint
	#the replacement STS Cert that was put on SharePoint On Prem needs
	#to be on O365 as well
	#it is better practice to set the end date value to one day less than the expiration date

	$cerPath = "<path to replacement certificate (.cer file)>"
	$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPass
	$cer.Import($cerPath)
	$binCert = $cer.GetRawCertData()
	$credValue = [System.Convert]::ToBase64String($binCert);
	New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate <start_date> -EndDate <end_date>
	#by default O365 SPO has a Principal Object public token GUID mapped to SPO
	#you need to add your public domain as well that will be
	#particpating in Hybrid

	$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
	$spns = $msp.ServicePrincipalNames
	$spns.Add("$spoappid/$spcn")
	Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

	#to test your entry you should see your publid domain SPN with the POSH
	#statement below. in fact you will see two, one for SPO and one for your domain

	$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
	$spns = $msp.ServicePrincipalNames
	$spns
	#for proper authentication you will need to allow WAAD to be a trusted
	#token issuer on the On Prem SharePoint. This will set up a SA Proxy in
	#your SErvice Applicaition and add a Trusted Authority in Security

	New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
	New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

	#you can look in CA>General Security>Manage Trust for this new entry or
	#run the POSH below to verify it worked. One of them will say ACS

	Get-SPTrustedSecurityTokenIssuer