Notes on Azure, SharePoint, and Windows Live
Recently I needed to authenticate an external SharePoint site using Windows Live. So, I logically thought of using Azure since that is the way Microsoft is going and it is easier to configure than the old Windows Live way without Azure. There are some issues with getting this to work. First, thanks to Wictor Wilen and his blog post http://www.wictorwilen.se/Post/Visual-guide-to-Azure-Access-Controls-Services-authentication-with-SharePoint-2010-part-1.aspx and Liam Cleary and his blog post http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=58. These are just my thoughts and additions to those posts.
Realm – After I set up Azure services with a realm that contained the word uri (i.e. uri:myrealm), I went back and changed the realm (back in the Edit Relying Party Application section) to the real URL (i.e. https://myrealm.com) and created a new Trusted Identity Token on SharePoint. This solved my 1309 error and the yellow screen of death went away.
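As an added example that is not from the original post, here is how the SharePoint side of that realm fix looks in PowerShell: the trusted identity token issuer is created with a realm that matches the ACS Relying Party Application exactly (the real URL, not a uri: value). The issuer name, certificate path, ACS namespace URL and the choice of identifier claim are assumptions, not values from the post.

```powershell
# Added example (not the original post's code): register Azure ACS as a trusted
# identity provider in SharePoint 2010. The realm below must be byte-for-byte
# identical to the realm configured on the ACS Relying Party Application,
# otherwise the sign-in round trip fails and SharePoint shows the error page.
# All names, paths and URLs are placeholders.

$realm     = "https://myrealm.com"   # real URL, same value as in ACS (not uri:myrealm)
$signInUrl = "https://YOUR-NAMESPACE.accesscontrol.windows.net/v2/wsfederation"
$certPath  = "C:\certs\acs-signing.cer"   # ACS token-signing certificate, exported from the namespace

# Token-signing certificate that SharePoint will use to validate ACS tokens.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Claims accepted from the token. The nameidentifier is the opaque Windows Live
# account id that shows up as the "ugly" account name; emailaddress is what
# allows people to be granted permissions by email address.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$idClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" `
    -IncomingClaimTypeDisplayName "Windows Live ID" -SameAsIncoming

# Create a fresh issuer (the post's fix was a new issuer, not an edit of the old one).
# Using nameidentifier as the identifier claim is an assumption of this example.
New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" `
    -Description "Windows Live via Azure ACS" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $idClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $idClaim.InputClaimType

# Check: the realm SharePoint will send to ACS. Compare it with the ACS
# Relying Party Application before attaching the issuer to a web application.
(Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS").DefaultProviderRealm
```

The issuer still has to be selected as an authentication provider on the web application in Central Administration before users can sign in with it.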
Windows Live Account ID – The main issue around Windows Live is that you get that ugly looking account name in place of the person’s name. I figured out a clumsy but effective way to get rid of that. After the person logs in for the first time, I go to User Profile Service and find that account name (you may have to get it from the user) and then replace the name field (which is the ugly account name) with the person’s real name. I go ahead and populate the first name, last name, and work email. Wait about 10-15 minutes for the timer job to run and the name in the welcome control (and all other places) will be the person’s name and not their account.
Permissions – I have been able to add people via their email address instead of having to use the account name. When you add the person, just make sure that you do the search (type the email in the search box and click the search icon) with the Windows Live identity provider selected. The only downside to this method that I have found is that there will be two entries in the user info list for this site collection.
I like using Windows Live accounts for several reasons. The main one is that pretty much any email address can be used, so you can incorporate your solutions with people’s work emails. Another is that I am usually signed in via Bing so I get the Single Sign On experience that I prefer.
So now I have Active Directory, Forms Based Authentication (FBA), and Windows Live (via Azure) all working on an internet facing SharePoint site (it also works with all of those on the internal side as well) and my brain is about to explode. I hope these items help some people and I am still thinking of a cleaner solution down the road.
SharePoint Ninja (aka Michael Doyle)
#sharepoint #Azure #WindowsLive #SharePoint