Dir Sync ADFS


Version 2.0 for Office 365

Jump Start Schedule (Day 1 and Day 2: Administering Office 365)

Office 365 Overview & Infrastructure
Administering Lync Online
Office 365 User Management
Administering SharePoint Online
Office 365 DirSync, Single Sign-On & ADFS
Exchange Online Basic Management
MEAL BREAK
Exchange Online Deployment & Migration
Exchange Security & Protection
Exchange Online Archiving & Compliance

Reviewing Identities
Understanding DirSync
DirSync Requirements
Understanding Single Sign-On & ADFS
Windows Azure & ADFS

Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.

Authorization: determining which actions an authenticated entity is authorized to perform on the network.

Cloud Identity: single identity in the cloud; suitable for small organizations with no integration to on-premises directories.

Directory & Password Synchronization*: single identity suitable for medium and large organizations without federation.

Federated Identity: single federated identity and credentials suitable for medium and large organizations.

Cloud Identity
Rich experience with Office Apps
Ease of deployment, management and support
Lower cost as no additional servers are required
High availability and reliability as all identities and services are managed in the cloud

(Diagram: user with a cloud identity, e.g. alice@contoso.com, authenticating to Windows Azure Active Directory; nothing on-premises.)

Directory & Password Synchronization
Rich experience with Office Apps
Directory synchronization between on-premises and online
Identities are created and managed on-premises and synchronized to the cloud
Single identity and credentials, but no single sign-on for on-premises and Office 365 services
Password synchronization enables single sign-on at lower cost than federation
Reuse existing directory implementation on-premises
* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013

(Diagram: directory synchronization and password synchronization from on-premises AD or non-AD (LDAP) into Windows Azure Active Directory; the user holds a cloud identity, e.g. alice@contoso.com, and an on-premises identity, e.g. Domain\Alice.)

Federated Identity
Single identity and sign-on for on-premises and Office 365 services
Identities mastered on-premises with a single point of management
Directory synchronization to synchronize directory objects into Office 365
Secure token-based authentication
Client access control based on IP address with ADFS
Strong-factor authentication options for additional security with ADFS

(Diagram: federation and directory synchronization from on-premises AD or non-AD (LDAP) into Windows Azure Active Directory; the user signs in with the on-premises identity, e.g. Domain\Alice.)

Reviewing Identities
Understanding DirSync
DirSync Requirements
Understanding Single Sign-On & ADFS
Windows Azure & ADFS

DirSync is an application that synchronizes on-premises Active Directory objects (users, contacts and groups) with Office 365.
Initially designed as a software-based appliance: set it and forget it.
Multi-forest support is now available.
Now called the Windows Azure Active Directory Sync Tool.
Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment.
Provides a unified Global Address List experience between on-premises and Office 365: objects hidden from the GAL on-premises are also hidden from the GAL in Office 365.
Enables coexistence for Exchange: works in both simple and hybrid deployment scenarios, and is the enabler for mail routing between on-premises and Office 365 with a shared domain namespace.
Enables coexistence for Microsoft Lync.
Enables run-state administration and management of users, groups and contacts: synchronizes adds, deletes and modifications of users, groups and contacts from on-premises to Office 365.
Enabler for Single Sign-On.
Not intended as a single-use bulk upload tool.

Directory Synchronization Options

Comparison points for DirSync, Forefront Identity Manager and PowerShell & Graph API provisioning:

Suitable for organizations using Active Directory (AD)
Suitable for large organizations with certain AD and non-AD scenarios
Suitable for small/medium size organizations with AD or non-AD
Provides the best experience to most customers using AD
Complex multi-forest AD scenarios
Performance limitations apply with PowerShell and Graph API provisioning
Supports Exchange co-existence scenarios
Non-AD synchronization through Microsoft Premier deployment support
Coupled with ADFS, provides the best option for federation and synchronization
Requires Forefront Identity Manager and additional software licenses
Supports Password Synchronization with no additional cost
Does not require any additional software licenses
PowerShell requires scripting experience
The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

x64 FIM appliance (set and forget); the x86 MIIS appliance is now unsupported. If you call into support with it, they will make you upgrade first before helping.
Scoping of object sync within a forest is now supported.
The AD GUID is used as the SourceAnchor (the link between the AD object and the Office 365 object).
Password Synchronization for DirSync is coming in 1H CY2013; a Password Sync early on-boarding program is underway.
The entire Active Directory forest is scoped for synchronization by default; the ability to modify what gets synced has been added.

What is synchronized?

All user objects, all group objects and mail-enabled contact objects.
Synchronization is from on-premises to Office 365 only (unless write-back is enabled).
Synchronization occurs every 3 hours; use the Start-OnlineCoexistenceSync cmdlet to force a sync.
Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users): visible in the Office 365 GAL (unless explicitly hidden from the GAL); logon enabled, but not automatically licensed to use services; the target address is synchronized for mail-enabled users.
Regular NT users are synchronized as regular NT users: not automatically provisioned as mail-enabled in Office 365.
Resource mailboxes are synchronized as resource mailboxes.
Synchronized users are not automatically assigned a license.

Group Objects
Mail-enabled groups are synchronized as mail-enabled groups
Group memberships are synchronized
Security groups are synchronized as security groups

Contact Objects
Only mail-enabled contacts are synchronized
The target address is synchronized to Office 365

New user, group, and contact objects that are added on-premises are added to Office 365.
Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365.
Existing user objects that are disabled on-premises are disabled in Office 365.
Existing user, group, or contact object attributes (those that are synchronized) that are modified on-premises are modified in Office 365.
Objects are recoverable within 30 days of deletion.

The first synchronization cycle after installation is a full synchronization: a time-consuming process relative to the number of objects synchronized, roughly 5000 objects per hour.
Subsequent synchronization cycles are deltas only, and much faster.
Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized.
Once implemented, the on-premises AD becomes the source of authority for synchronized objects: modifications to synchronized objects must occur in the on-premises AD, and synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant.

Scoping/Filtering
Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels: AD domain-based, Organizational Unit-based, user attribute-based.

Matching
The on-premises objectGuid AD attribute value is assigned to the sourceAnchor attribute during initial object synchronization; this is referred to as a hard match. DirSync knows which Office 365 objects it is the source of authority for by examining the sourceAnchor attribute.
DirSync can also match user objects created via the portal with on-premises objects if there is a match on the primary SMTP address; this is referred to as a soft match.

Synchronization errors are emailed to the Technical Contact for the subscription. Recommend using a distribution group as the Technical Contact email address.

Example errors include:
Synchronization health status: sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
Objects whose attributes contain invalid characters
Objects with duplicate/conflicting email addresses
Sync quota limit exceeded
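The daily health e-mail only fires after a full day without a cycle; the added check below (not from the original deck) polls the tenant directly so a stalled 3-hour cycle or a batch of rejected objects is noticed sooner. It uses the Microsoft Online Services Module for Windows PowerShell and assumes a tenant administrator credential; the 6-hour threshold is an assumption, and LastDirSyncTime is treated as UTC.

```powershell
# Added example, not part of the original deck: checks that DirSync is still
# running on its 3-hour cadence and lists synchronized objects the service
# rejected (invalid characters, duplicate proxy addresses, ...). Uses the
# Microsoft Online Services Module for Windows PowerShell; assumes you hold a
# tenant administrator credential. LastDirSyncTime is treated as UTC.
Import-Module MSOnline

function Test-DirSyncHealth {
    param(
        # Two missed 3-hour cycles; tighter than the 24-hour health e-mail (assumed threshold)
        [int]$MaxAgeHours = 6
    )
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        throw 'Directory synchronization is not enabled for this tenant.'
    }
    if ($null -eq $info.LastDirSyncTime) {
        $hours = [double]::PositiveInfinity    # never synced
    } else {
        $hours = ((Get-Date).ToUniversalTime() - $info.LastDirSyncTime).TotalHours
    }

    # Objects whose attributes failed validation on the service side
    $errorUsers = Get-MsolUser -HasErrorsOnly -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Errors            = ($_.Errors.ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription) -join '; '
        }
    }

    [pscustomobject]@{
        LastDirSyncTimeUtc = $info.LastDirSyncTime
        HoursSinceLastSync = [math]::Round($hours, 1)
        SyncIsStale        = $hours -gt $MaxAgeHours
        UsersWithErrors    = @($errorUsers).Count
        ErrorDetails       = $errorUsers
    }
}

Connect-MsolService                      # prompts for the tenant administrator credential
$health = Test-DirSyncHealth -MaxAgeHours 6
$health | Format-List LastDirSyncTimeUtc, HoursSinceLastSync, SyncIsStale, UsersWithErrors
$health.ErrorDetails | Format-Table -AutoSize
if ($health.SyncIsStale) {
    Write-Warning 'No successful sync inside the expected window; force one with Start-OnlineCoexistenceSync on the DirSync server.'
}
```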

List of attributes that are synchronized: http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0

Run the Microsoft Office 365 Deployment Readiness Tool to analyze the on-premises environment: http://community.office365.com/en-us/forums/183/p/2285/8155.aspx

Areas covered: Domains; User Identity and Account Provisioning; Exchange Online; Lync Online; SharePoint Online; Client; Network.

The DirSync (single forest) server must be joined to a domain in the same forest that will be synchronized.
The DirSync server should never be installed on a domain controller.
The DirSync server should be Windows Server 2008 (x64) or better.
By default SQL Server 2008 R2 Express is installed: 10GB database limit (approx. 50,000 objects). A full SQL option is available.
An x64 single/multi-forest appliance is available (the O365 connector is also available for complex scenarios).

Only routable domains can be used with a DirSync deployment. Non-routable domains include .local, .loc and .internal.

If the organization has an AD with only an internal namespace, it must:
Add a routable UPN suffix in Active Directory Domains and Trusts.
Configure each user with that routable UserPrincipalName suffix: user@domain.local must be changed to user@domain.com.
If this is not done, once DirSync runs, users will appear in Office 365 as user@domain.onmicrosoft.com instead of user@domain.com.

Recommend a system that exceeds the minimum OS requirements.

Number of objects in AD    CPU      Memory   Hard disk size
Fewer than 10,000          1.6GHz   4GB      70GB
10,000-50,000              1.6GHz   4GB      70GB
50,000-100,000             1.6GHz   16GB     100GB
100,000-300,000            1.6GHz   32GB     300GB
300,000-600,000            1.6GHz   32GB     450GB
More than 600,000          1.6GHz   32GB     500GB

Synchronization with Office 365 occurs over SSL. Internal network communication will use the typical Active Directory related ports. The DirSync server must be able to contact all DCs in the forest.

Service                                  Protocol   Port
LDAP                                     TCP/UDP    389
Kerberos                                 TCP/UDP    88
DNS                                      TCP/UDP    53
Kerberos Change Password                 TCP/UDP    464
RPC                                      TCP        135
RPC randomly allocated high TCP ports    TCP        1024-64435 / 49152-65535*
SMB                                      TCP        445
SSL                                      TCP        443
SQL                                      TCP        1433

* This is the range in Windows Server 2008

The account used to install DirSync must have:

Local machine administrator permissions. The account used to configure DirSync must reside in the local machine MIISAdmins group; the account used to install DirSync is automatically added.

If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the role of db_owner.

Administrator permission in the Office 365 tenant. DirSync uses an administrator account in the tenant to provision and update/modify objects.

Enterprise Administrator permission in the on-premises Active Directory. The credential is not stored/saved by the configuration wizard. It is used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain of the forest, and to delegate the following permissions on each domain partition in the forest: Replicating Directory Changes, Replicating Directory Changes All, Replication Synchronization.

Single Sign-On enables users to access both the on-premises and cloud-based organizations with a single user name and password.
Provides users with a familiar sign-on experience.
Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.

Benefits: Policy Control, Access Control, Reduced Support Calls, Security.

Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported)
ADFS 2.0 Setup installs: Web Server (IIS), .Net 3.5 SP1, Windows Identity Foundation
Publicly registered, routable domain name
SSL Certificate(s), *Wild Card Supported
Microsoft Online Services Module for Windows PowerShell
Microsoft Online Sign In Assistant
High Availability Design, Dual-Site, Load Balanced
Choice between Windows Internal Database(WID) and SQL
WID supports a maximum of 5 Federation Servers
SQL supports SAML Replay Detection, Artifact Store

Wildcard SSL certificates are supported with ADFS; however, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to a farm, use FSConfig.exe from the command line to add the additional servers.

Browser
Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later

Office Client
Microsoft Office 2010/2007 (Latest Service Pack)
Microsoft Office for Mac 2011 (Latest Service Pack)

Note: Support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013

Office 365 Desktop Setup (suggested)
Microsoft Online Sign In Assistant

Active Federation (MEX)
Applies to rich clients supporting ADFS. Used by Lync and the Office Subscription client. Clients will negotiate authentication directly with the on-premises ADFS server.

Basic Authentication (Active Profile)
Applies to clients authenticating with basic authentication. Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services. Clients send basic authentication credentials to Exchange Online via SSL; Exchange Online proxies the request to the on-premises ADFS server on behalf of the client.

Passive Federation (Passive Profile)
Applies to web browsers and documents opened via SharePoint Online. Used by the Microsoft Online Portal, OWA, and the SharePoint Portal. Web clients (browsers) will authenticate directly with the on-premises ADFS server.

When working through the firewall considerations, ensure that the MSO datacenter IP ranges have been granted access to port 443 on the ADFS Proxy Server located in the DMZ.

Client access control scenarios with ADFS:
Block all external access to Office 365 based on the IP address of the external client.
Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked.
Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online.

Use the Client Access Policy Builder! Test ADFS Client Access Rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon.
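The second scenario above, expressed as an issuance authorization rule on the Office 365 relying party trust, as an added example that is neither the deck's nor the Client Access Policy Builder's own output. It assumes AD FS 2.0 with Update Rollup 2 (which adds the x-ms-* request-context claims), the default trust display name "Microsoft Office 365 Identity Platform", and a constructed placeholder for the organisation's public egress IP range.

```powershell
# Added example (not from the deck): deny requests that arrive through the
# federation server proxy from outside the corporate IP range unless the
# client is Exchange ActiveSync. A deny claim always wins over a permit claim,
# so the default "permit everyone" rule can stay. Requires AD FS 2.0 Update
# Rollup 2 for the x-ms-* claims; run on a federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$rpName = 'Microsoft Office 365 Identity Platform'   # default relying party display name
# Constructed sample: the organisation's public egress addresses 203.0.113.20-31
$corpIpRegex = '^203\.0\.113\.(2[0-9]|3[0-1])$'

$rules = @"
@RuleName = "Permit everyone by default"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external requests except Exchange ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Replace the trust's authorization rules and read them back for review
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object -ExpandProperty IssuanceAuthorizationRules
```

Test from outside the corporate range with Outlook, ActiveSync and a browser before rolling out: the denied attempts show up in the AD FS admin log with the x-ms-* values the rule evaluated.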

User objects must have a value for UPN in on-premises Active Directory.
The UPN domain suffix must match a verified domain in Office 365. The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain.
Users must switch to using the UPN to log on to Office 365, not domain\username.
The UPN must have valid characters. The Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters.
If the customer does not have a valid and routable UPN suffix then one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties and add the UPN suffix.
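The routable-suffix requirement from the DirSync requirements section and the UPN rules just listed, as one added example (not the deck's own material) to run before the first synchronization. It assumes the ActiveDirectory module, contoso.com as a placeholder suffix already registered in Domains and Trusts and verified in Office 365, and a conservative character set for the UPN prefix; run with -WhatIf first.

```powershell
# Added example, not from the original deck: finds users whose UPN is missing
# or carries a non-routable suffix (.local, .loc, .internal) and rewrites it
# to a verified, routable suffix so DirSync does not fall back to
# user@domain.onmicrosoft.com. contoso.com is a placeholder.
Import-Module ActiveDirectory

function Get-NonRoutableUpnUser {
    param([string[]]$NonRoutableSuffix = @('local', 'loc', 'internal'))
    $tld = $NonRoutableSuffix -join '|'
    Get-ADUser -Filter * -Properties UserPrincipalName | Where-Object {
        # No UPN at all, or a suffix ending in one of the non-routable TLDs
        [string]::IsNullOrEmpty($_.UserPrincipalName) -or
        $_.UserPrincipalName -match "@[^@]+\.($tld)$"
    }
}

function Repair-UserUpn {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [string]$RoutableSuffix,
        [switch]$WhatIf
    )
    # Keep the existing prefix; fall back to sAMAccountName when no UPN is set
    $prefix = if ($User.UserPrincipalName) { $User.UserPrincipalName.Split('@')[0] } else { $User.SamAccountName }
    # Conservative prefix character set (assumption): letters, digits, . _ ' -
    if ($prefix -notmatch "^[A-Za-z0-9._'\-]+$") {
        Write-Warning "$($User.SamAccountName): prefix '$prefix' has characters Office 365 may reject; fix manually"
        return
    }
    $newUpn = "$prefix@$RoutableSuffix"
    Set-ADUser -Identity $User -UserPrincipalName $newUpn -WhatIf:$WhatIf
    [pscustomobject]@{ Account = $User.SamAccountName; OldUpn = $User.UserPrincipalName; NewUpn = $newUpn }
}

# Refuse to rewrite anything until the suffix is registered in the forest
$suffix = 'contoso.com'
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    throw "$suffix is not a registered UPN suffix in forest $($forest.Name); add it in AD Domains and Trusts first"
}

# Dry run; drop -WhatIf to apply the change
Get-NonRoutableUpnUser | ForEach-Object { Repair-UserUpn -User $_ -RoutableSuffix $suffix -WhatIf } | Format-Table -AutoSize
```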

Office 365 Desktop Setup
Automatically detects necessary updates for a computer. Installs the Microsoft Online Sign In Assistant. Installs operating system and client software updates required for connectivity with Office 365. Automatically configures Internet Explorer and rich clients for use with Office 365.
Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on.

Microsoft Online Sign-In Assistant
Can be installed automatically by Office 365 Desktop Setup or manually. Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync). Not required for web kiosk scenarios (e.g. OWA). Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell).

AD FS 2.x Server
The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization's Federation Service. Recommend using at least two federation servers in a load-balanced configuration.

AD FS 2.x Proxy Server
Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm. Federation server proxies should be deployed in the DMZ.

Deployment options:
1. Single server configuration
2. AD FS 2.0 Server Farm and load-balancer
3. AD FS 2.0 Proxy Server or UAG/TMG
   i. (External Users, Active Sync, Down-level Clients with Outlook)

(Diagram: enterprise network with Active Directory, AD FS 2.0 Servers and the internal user; perimeter network with AD FS 2.0 Server Proxies serving the external user.)

Number of users          Minimum number of servers
Fewer than 1,000 users   0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
1,000 to 15,000 users    2 dedicated federation servers, 2 dedicated federation server proxies
15,000 to 60,000 users   Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies

AD FS 2.0 Capacity Planning Sizing Spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=2278

Understanding client authentication path

(Diagram: inside the corporate boundary sit Active Directory, the AD FS 2.0 Server and the internal OWA user; the AD FS 2.0 Proxy sits in the perimeter and Exchange Online in the cloud. Lync 2010/Office Subscription clients use MEX (active) against AD FS; internal and external OWA use the web (passive) path; Outlook 2010/2007, IMAP/POP and ActiveSync send username/password to Exchange Online, which proxies the basic-auth request to AD FS. Basic auth proposal: pass client IP, protocol and device name.)

Virtual Network support: site-to-site VPN
Computing: 99.95% SLA uptime for a highly available system; 99.9% SLA uptime for a single system
Storage: 99.9%
Full control over your virtual machines
Pay as you go, OPEX vs CAPEX

(Diagram: enterprise Active Directory and AD FS 2.0 Server connected over VPN to Active Directory and an AD FS 2.0 Server running in Windows Azure IaaS.)

Cloud Service: a role which several VMs take upon themselves to execute, e.g. ADFS. Cloud services need to have two instances or more to qualify for the SLA of 99.95%. 1 external virtual IP address per cloud service. Availability Group.
Endpoints: you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.

(Diagram: enterprise AD FS 2.0 Server behind an IPsec device, connected through a gateway to a Windows Azure cloud service containing an AD FS 2.0 Server, DirSync and a load-balanced endpoint.)

Prepare for directory synchronization: http://technet.microsoft.com/en-us/library/jj151831.aspx
Directory synchronization roadmap: http://technet.microsoft.com/en-us/library/hh967642.aspx
Set up your directory sync computer: http://technet.microsoft.com/en-us/library/dn144767.aspx
Update Rollup 2 for ADFS 2.0: http://support.microsoft.com/kb/2681584
ADFS 2.0 Step-by-Step and How To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx
