
Version 2.0 for Office 365


Jump Start Schedule

Day 1: Administering Office 365
  Office 365 Overview & Infrastructure
  Office 365 User Management
  Office 365 DirSync, Single Sign-On & ADFS
  MEAL BREAK
  Exchange Online Deployment & Migration
  Exchange Security & Protection
  Exchange Online Archiving & Compliance

Day 2: Administering Office 365
  Administering Lync Online
  Administering SharePoint Online
  Exchange Online Basic Management
Reviewing Identities
Understanding DirSync
DirSync Requirements
Understanding Single Sign-On & ADFS
Windows Azure & ADFS

Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is permitted to perform on the network.



Identity models:

Cloud Identity
  Single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.

Directory & Password Synchronization*
  Single identity. Suitable for medium and large organizations without federation.*

Federated Identity
  Single federated identity and credentials. Suitable for medium and large organizations.
Cloud Identity
  Rich experience with Office Apps
  Ease of deployment, management and support
  Lower cost as no additional servers are required on-premises
  High availability and reliability as all identities and services are managed in the cloud
  [Diagram: User -> Windows Azure Active Directory; Cloud Identity, e.g. alice@contoso.com]
Directory & Password Synchronization
  Rich experience with Office Apps
  Directory synchronization between on-premises and online
  Identities are created and managed on-premises and synchronized to the cloud
  Single identity and credentials, but no true single sign-on between on-premises and Office 365 services: users are prompted again for the (same) password
  Password synchronization gives that same-credentials experience at lower cost than federation
  Reuse the existing directory implementation on-premises (AD, or non-AD via LDAP)
  [Diagram: On-Premises Identity (e.g. Domain\Alice) in AD or non-AD (LDAP) -> Directory Synchronization and Password Synchronization -> Windows Azure Active Directory -> Cloud Identity (e.g. alice@contoso.com) -> User]

* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.
Federated Identity
  Single identity and sign-on for on-premises and Office 365 services
  Identities mastered on-premises with a single point of management
  Directory synchronization to synchronize directory objects into Office 365
  Secure token-based authentication: users authenticate to on-premises ADFS and Office 365 receives a signed token
  Client access control based on IP address with ADFS
  Strong (multi-factor) authentication options for additional security with ADFS
  [Diagram: On-Premises Identity (e.g. Domain\Alice) in AD or non-AD (LDAP) -> Directory Synchronization -> Windows Azure Active Directory; Federation between on-premises ADFS and Windows Azure Active Directory -> User]

An application that synchronizes on-premises Active Directory objects (users, contacts and groups) with Office 365
  Initially designed as a software-based appliance: set it and forget it
  Multi-forest support now available
  Now called the Windows Azure Active Directory Sync Tool
Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
  Provides a unified Global Address List experience between on-premises and Office 365
  Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
Enables coexistence for Exchange
  Works in both simple and hybrid deployment scenarios
  Enabler for mail routing between on-premises and Office 365 with a shared domain namespace
Enables coexistence for Microsoft Lync
Enables run-state administration and management of users, groups and contacts
  Synchronizes adds/deletes/modifications of users, groups and contacts from on-premises to Office 365
Enabler for Single Sign-On
Not intended as a single-use bulk upload tool
Directory Synchronization Options

PowerShell & Graph API
  Suitable for small/medium size organizations with AD or non-AD directories
  Performance limitations apply with PowerShell and Graph API provisioning
  PowerShell requires scripting experience
  The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

Directory Sync Tool (DirSync)
  Suitable for organizations using Active Directory (AD)
  Provides the best experience to most customers using AD
  Supports Exchange coexistence scenarios
  Coupled with ADFS, provides the best option for federation and synchronization
  Supports Password Synchronization at no additional cost
  Does not require any additional software licenses

Forefront Identity Manager (FIM)
  Suitable for large organizations with certain AD and non-AD scenarios
  Complex multi-forest AD scenarios
  Non-AD synchronization through Microsoft Premier deployment support
  Requires Forefront Identity Manager and additional software licenses

x64 FIM-based appliance (set and forget)
x86 MIIS-based appliance is now unsupported
  If you call support while running it, they will require you to upgrade before helping
Scoping of object sync within a forest is now supported
AD objectGUID is used as the sourceAnchor (the link between the AD object and the Office 365 object)
Password Synchronization for DirSync coming 1H CY2013
  Password Sync early on-boarding program underway


The entire Active Directory forest is scoped for synchronization by default; the ability to modify what gets synced has been added
What is synchronized?
  All user objects
  All group objects
  Mail-enabled contact objects
Synchronization is from on-premises to Office 365 only (unless write-back is enabled)
Synchronization occurs every 3 hours
Use the Start-OnlineCoexistenceSync cmdlet to force a sync

User Objects
  Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
    Visible in the Office 365 GAL (unless explicitly hidden from the GAL)
    Logon enabled, but not automatically licensed to use services
    Target address is synchronized for mail-enabled users
  Regular (non-mail-enabled) user accounts are synchronized as regular user accounts
    Not automatically provisioned as mail-enabled in Office 365
  Resource mailboxes are synchronized as resource mailboxes
  Synchronized users are not automatically assigned a license

Group Objects
  Mail-enabled groups are synchronized as mail-enabled groups
  Group memberships are synchronized
  Security groups are synchronized as security groups

Contact Objects
  Only mail-enabled contacts are synchronized
  Target address is synchronized to Office 365
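Forcing a cycle and then licensing what arrived, as an added example (not part of the Jump Start deck): the DirSync module and the MSOnline cmdlets used here are the real ones; the SKU name contoso:ENTERPRISEPACK and the usage location US are placeholders for your tenant, and the "older builds" snap-in name in the first comment is the pre-rename form of the same module.

```powershell
# Added example (not from the deck). Run on the DirSync server as an account that can
# also administer the tenant. Placeholders: $sku and the "US" usage location.
Import-Module DirSync            # registered by the DirSync installer (older builds: Add-PSSnapin Coexistence-Configuration)
Import-Module MSOnline
Connect-MsolService              # prompts for the tenant administrator credential

# 1. Kick off a delta cycle instead of waiting for the 3-hour timer.
Start-OnlineCoexistenceSync

# 2. Confirm the tenant recorded it. LastDirSyncTime is what the daily health e-mail
#    keys on, so an old value here is the same condition that e-mail warns about.
$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) { throw "Directory synchronization is not enabled for this tenant" }
if ($info.LastDirSyncTime) {
    "Last sync registered by Office 365 (UTC): {0:u}" -f $info.LastDirSyncTime
    if ((Get-Date).ToUniversalTime() - $info.LastDirSyncTime -gt [TimeSpan]::FromHours(3)) {
        Write-Warning "Last sync is older than one cycle; check the Forefront Identity Manager event log on this server"
    }
} else {
    Write-Warning "Tenant has never registered a sync cycle"
}

# 3. Synced users arrive logon-enabled but unlicensed. License the ones that are enabled
#    on-premises (BlockCredential is set when the AD account is disabled) and skip the rest.
$sku = "contoso:ENTERPRISEPACK"   # placeholder: Get-MsolAccountSku lists the real AccountSkuId values
$candidates = Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and -not $_.IsLicensed -and -not $_.BlockCredential }
foreach ($u in $candidates) {
    if (-not $u.UsageLocation) {
        # a usage location is mandatory before any license can be assigned
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation "US"
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku
    "Licensed {0}" -f $u.UserPrincipalName
}
```

Filtering on BlockCredential matters: a user disabled on-premises is synced as disabled, and licensing that account only spends a seat on something nobody can sign in to.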

New user, group, and contact objects that are added on-premises are added to Office 365
Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
Existing user objects that are disabled on-premises are disabled in Office 365
Existing user, group, or contact object attributes (those that are synchronized) that are modified on-premises are modified in Office 365
Deleted objects are recoverable within 30 days of deletion

First synchronization cycle after installation is a full synchronization
Time-consuming process relative to number of objects synchronized
~5000 objects per hour
Subsequent synchronization cycles are deltas only
Much faster
Not all on-premises attributes synchronized for each object type,
but 100+ attributes are synchronized

Once implemented, on-premises AD becomes the source of
authority for synchronized objects
Modifications to synchronized objects must occur in the on-premises AD
Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the
tenant
Scoping/Filtering
Customers can exclude objects from synchronizing to Office 365
Scoping can be done at the following levels:
AD Domain-based
Organizational Unit-based
User Attribute based

The on-premises objectGUID is written (base64-encoded) to the sourceAnchor attribute, exposed as ImmutableId in Office 365, during the initial synchronization of the object
  Referred to as a hard match
  DirSync knows which Office 365 objects it is the source of authority for by examining sourceAnchor
DirSync can also match user objects created via the portal with on-premises objects when the primary SMTP address matches
  Referred to as a soft match
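Hard-matching by hand, as an added example that is not from the deck: alice is a placeholder account, the cmdlets (Get-ADUser, Get-MsolUser, Set-MsolUser -ImmutableId) are the real ones, and the base64 encoding of the raw objectGUID bytes is the encoding DirSync uses for sourceAnchor.

```powershell
# Added example (not from the deck). alice is a placeholder account.
Import-Module ActiveDirectory
Import-Module MSOnline

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][Guid]$ObjectGuid)
    # DirSync stores the 16 raw GUID bytes, base64-encoded, as sourceAnchor/ImmutableId.
    # This is not the base64 of the GUID's string form; that mistake produces anchors
    # that never match anything.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    # Reverse direction: find which on-premises object a cloud anchor points at.
    New-Object Guid -ArgumentList (, [Convert]::FromBase64String($ImmutableId))
}

$onPrem = Get-ADUser -Identity alice -Properties proxyAddresses   # ObjectGUID is in the default property set
$anchor = ConvertTo-ImmutableId $onPrem.ObjectGUID

Connect-MsolService
$cloud = Get-MsolUser -UserPrincipalName $onPrem.UserPrincipalName -ErrorAction Stop

if ($cloud.ImmutableId -and $cloud.ImmutableId -ne $anchor) {
    # Already anchored to a different AD object. Overwriting here is how two people's
    # mailboxes get merged, so stop and let a human decide.
    $other = ConvertFrom-ImmutableId $cloud.ImmutableId
    throw "$($cloud.UserPrincipalName) is anchored to objectGUID $other, not $($onPrem.ObjectGUID)"
}
if (-not $cloud.ImmutableId) {
    Set-MsolUser -UserPrincipalName $cloud.UserPrincipalName -ImmutableId $anchor
    "Hard-match anchor set on $($cloud.UserPrincipalName); the next DirSync cycle takes ownership of it"
} else {
    "Already hard-matched"
}

# Soft match, for comparison: with ImmutableId empty, DirSync pairs the objects only if the
# primary SMTP address agrees on both sides. On-premises that is the upper-case SMTP: entry
# in proxyAddresses; show both so a mismatch is obvious before the cycle runs.
$primary = $onPrem.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | ForEach-Object { $_.Substring(5) }
"On-premises primary SMTP: $primary"
"Cloud proxy addresses:    $($cloud.ProxyAddresses -join ', ')"
```

The refusal to overwrite an existing anchor is deliberate: the portal lets you set ImmutableId on any unsynced cloud user, and the service will then happily merge it with whatever on-premises object owns that GUID.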

Synchronization errors are emailed to the Technical Contact for the
subscription
Recommend using distribution group as Technical Contact email address
Example errors include:
Synchronization health status
Sent once a day if a synchronization cycle has not registered 24 hours after last successful
synchronization
Objects whose attributes contain invalid characters
Objects with duplicate/conflicting email addresses
Sync quota limit exceeded
List of attributes that are synchronized
http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0

Run the Microsoft Office 365 Deployment Readiness Tool
http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
  Analyzes the on-premises environment: domains, user identity and account provisioning, Exchange Online, Lync Online, SharePoint Online, client, network
DirSync (single forest) must be installed on a member server joined to a domain in the forest that will be synchronized
DirSync server should never be installed on a domain controller
DirSync server should be Windows Server 2008 (x64) or later
By default SQL Server 2008 R2 Express is installed
  10 GB database limit (approx. 50,000 objects)
  Full SQL option available
x64 single/multi-forest appliance available (an Office 365 connector is also available for complex scenarios)

Only routable domains can be used with a DirSync deployment
  Non-routable domains include .local, .loc or .internal

If the organization's AD has only an internal namespace, you must:
  Add a routable UPN suffix in Active Directory Domains and Trusts
  Configure each user with that routable UserPrincipalName suffix: user@domain.local must be changed to user@domain.com
  If this is not done, once DirSync runs, users will appear in Office 365 as user@domain.onmicrosoft.com instead of user@domain.com
Recommend a system that exceeds the minimum OS requirements.

  Number of objects in AD   CPU      Memory   Hard disk size
  Fewer than 10,000         1.6 GHz  4 GB     70 GB
  10,000 - 50,000           1.6 GHz  4 GB     70 GB
  50,000 - 100,000          1.6 GHz  16 GB    100 GB
  100,000 - 300,000         1.6 GHz  32 GB    300 GB
  300,000 - 600,000         1.6 GHz  32 GB    450 GB
  More than 600,000         1.6 GHz  32 GB    500 GB
Synchronization with Office 365 occurs over SSL (TCP 443). Internal network communication uses the typical Active Directory related ports. The DirSync server must be able to contact all DCs in the forest.

  Service                   Protocol   Port
  LDAP                      TCP/UDP    389
  Kerberos                  TCP/UDP    88
  DNS                       TCP/UDP    53
  Kerberos Change Password  TCP/UDP    464
  RPC                       TCP        135
  RPC dynamic high ports    TCP        1024-65535 (49152-65535*)
  SMB                       TCP        445
  SSL                       TCP        443
  SQL                       TCP        1433

* This is the dynamic range on Windows Server 2008 and later.
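A reachability check for the ports above, as an added example not from the deck. It is written for the pre-2012 toolset the deck targets (a raw TcpClient rather than Test-NetConnection), assumes the ActiveDirectory module is present on the DirSync server, and uses login.microsoftonline.com as the assumed outbound endpoint; it only exercises TCP, so UDP Kerberos/DNS and the RPC dynamic range are not proven by it.

```powershell
# Added example (not from the deck). Run on the prospective DirSync server.
Import-Module ActiveDirectory

# TCP ports from the table above. UDP (Kerberos, DNS, LDAP) and the RPC dynamic range
# are not exercised by a TCP connect; a successful 135 only proves the endpoint mapper.
$ports = @{ LDAP = 389; Kerberos = 88; DNS = 53; 'Kerberos Change Password' = 464; RPC = 135; SMB = 445 }

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($ar)                                                       # throws on refusal
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Every domain controller in every domain of the forest, not just the local domain.
$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        foreach ($svc in $ports.Keys) {
            New-Object PSObject -Property @{
                Domain  = $domain
                DC      = $dc.HostName
                Service = $svc
                Port    = $ports[$svc]
                Open    = Test-TcpPort -Computer $dc.HostName -Port $ports[$svc]
            }
        }
    }
}

$results | Sort-Object Domain, DC, Port | Format-Table Domain, DC, Service, Port, Open -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) DC/port combinations unreachable; DirSync cannot read those partitions reliably"
}

# Outbound path: the sync itself is HTTPS to Office 365, so 443 out must be open too.
if (-not (Test-TcpPort -Computer 'login.microsoftonline.com' -Port 443)) {
    Write-Warning 'No outbound 443 to login.microsoftonline.com (check proxy/firewall rules)'
}
```

A DC that answers on 389 but not on 135 is the usual finding in segmented networks: LDAP binds work, but the replication-based reads DirSync performs still fail until the RPC endpoint mapper and dynamic range are opened.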
Account used to install DirSync must have local machine administrator permissions
  If using full SQL, rights within SQL to create the DirSync database, and to set up the SQL service account with the role of db_owner
Account used to configure DirSync must reside in the local machine MIISAdmins group
  Account used to install DirSync is automatically added
Administrator permission in the Office 365 tenant
  DirSync uses an administrator account in the tenant to provision and update/modify objects

Enterprise Administrator permission in the on-premises Active Directory
  Credential is not stored/saved by the configuration wizard
  Used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain of the forest
  Used to delegate the following permissions on each domain partition in the forest:
    Replicating Directory Changes
    Replicating Directory Changes All
    Replication Synchronization
  Replicating Directory Changes All includes reading secret attributes (password hashes), so MSOL_AD_Sync and the DirSync server should be protected like a domain controller
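An audit of who holds those three rights, as an added example not from the deck: the GUIDs are the schema's extended-right identifiers for the three permissions, MSOL_AD_Sync is the default name the wizard creates, and the list of expected holders is an assumption to adjust for your forest.

```powershell
# Added example (not from the deck). Run as a domain user; reading the ACL needs no admin rights.
Import-Module ActiveDirectory

# Extended-right GUIDs (controlAccessRight objects in the schema) for the three permissions
# the DirSync wizard delegates to MSOL_AD_Sync on every domain partition.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory = $true)][string]$Domain)
    $nc = (Get-ADDomain -Identity $Domain).DistinguishedName
    # A drive per domain, so the ACL is read from a DC of that domain and not via referral.
    $null = New-PSDrive -Name ReplAudit -PSProvider ActiveDirectory -Server $Domain -Root ''
    try {
        foreach ($ace in (Get-Acl -Path "ReplAudit:\$nc").Access) {
            $name = $rights[$ace.ObjectType.ToString()]
            if ($name -and $ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.ActiveDirectoryRights) -band $extendedRight) -ne 0) {
                New-Object PSObject -Property @{
                    Domain = $Domain; Principal = $ace.IdentityReference.Value; Right = $name
                }
            }
        }
    } finally {
        Remove-PSDrive -Name ReplAudit
    }
}

# Principals that hold these rights by default, plus the sync account. Assumption: extend
# this list if you have renamed MSOL_AD_Sync or run other replication-based tools.
$expected = @('MSOL_AD_Sync', 'Domain Controllers', 'Enterprise Domain Controllers',
              'Enterprise Read-only Domain Controllers', 'Administrators', 'Enterprise Admins', 'Domain Admins')

$holders = foreach ($d in (Get-ADForest).Domains) { Get-ReplicationRightHolders -Domain $d }
$holders | Sort-Object Domain, Principal, Right | Format-Table Domain, Principal, Right -AutoSize

# "Replicating Directory Changes All" is the one that returns secret attributes (password
# hashes), i.e. exactly what DCSync-style tooling asks for. Anything unexpected holding it
# has the same reach as the DirSync service account.
$holders | Where-Object {
    $_.Right -eq 'Replicating Directory Changes All' -and
    $expected -notcontains ($_.Principal -split '\\')[-1]
} | ForEach-Object {
    Write-Warning "Unexpected holder of Replicating Directory Changes All in $($_.Domain): $($_.Principal)"
}
```

Full-control ACEs (Domain Admins, Enterprise Admins) carry an empty ObjectType and so do not appear in this list even though they imply the same access; the audit is for explicit delegations, which is where a forgotten test account or a second sync tool shows up.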


Enables users to access both the on-premises and cloud-based organizations with a single user name and password
Provides users with a familiar sign-on experience
Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools

Benefits: policy control, access control, reduced support calls, security

Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported)
ADFS 2.0 Setup installs: Web Server (IIS), .Net 3.5 SP1, Windows Identity Foundation
Publicly registered, routable domain name
SSL Certificate(s), *Wild Card Supported
Microsoft Online Services Module for Windows PowerShell
Microsoft Online Sign In Assistant
High Availability Design, Dual-Site, Load Balanced
Choice between Windows Internal Database(WID) and SQL
WID supports a maximum of 5 Federation Servers
SQL supports SAML Replay Detection, Artifact Store


Wildcard SSL certificates are supported with ADFS. However, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to such a farm, use FSConfig.exe from the command line instead.
Browser
Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later

Office Client
Microsoft Office 2010/2007 (Latest Service Pack)
Microsoft Office for Mac 2011 (Latest Service Pack)
Note: Support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013

Office 365 Desktop Setup (Suggested)
Microsoft Online Sign In Assistant

Active Federation (MEX)
  Applies to rich clients supporting ADFS
  Used by Lync and the Office Subscription client
  Clients negotiate authentication directly with the on-premises ADFS server
Basic Authentication (Active Profile)
  Applies to clients authenticating with basic authentication
  Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services
  Clients send basic authentication credentials to Exchange Online over SSL; Exchange Online proxies the request to the on-premises ADFS server on behalf of the client, so the user's password transits Exchange Online on this path
Passive Federation (Passive Profile)
  Applies to web browsers and documents opened via SharePoint Online
  Used by the Microsoft Online Portal, OWA, and the SharePoint portal
  Web clients (browsers) authenticate directly with the on-premises ADFS server
When working through the firewall considerations, ensure that the MSO datacenter IP ranges have been granted access to port 443 on the ADFS proxy server located in the DMZ.
Client access policy scenarios (ADFS claim rules):
  1. Block all external access to Office 365 based on the IP address of the external client
  2. Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
  3. Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
Use the Client Access Policy Builder! Test ADFS client access rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon.
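Scenario 2 as claim rules, an added example not from the deck: the rule language and the x-ms-* request-context claim types are those AD FS 2.0 understands once Update Rollup 2 is installed, while the 203.0.113.0/24 egress range, the backup path and the relying-party display name are assumptions for your environment.

```powershell
# Added example (not from the deck): scenario 2, "block all external access except
# Exchange ActiveSync", as issuance authorization rules on the Office 365 relying party.
# Requires AD FS 2.0 Update Rollup 2 or later (it adds the request-context claims used here).
# Assumption: 203.0.113.0/24 is the corporate egress range; replace the regex with yours and
# keep it anchored, otherwise "203.0.113.5" also admits "1203.0.113.5".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 on Windows Server 2008 R2
$rp = "Microsoft Office 365 Identity Platform"                         # display name of the relying party trust

# Rule 1 (deny): the request came through the federation server proxy (x-ms-proxy is present,
# so the caller is outside), the forwarded client IP is not one of ours, and the client is not
# the ActiveSync application that Exchange Online identifies on the user's behalf.
# Rule 2 (permit): the default "permit everyone" rule. An explicit deny always wins, and with
# no permit rule at all nobody is authorized.
$rules = @'
@RuleName = "Deny external access except Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
                Value =~ "^203\.0\.113\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
                Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Keep the previous rule set so the change can be reverted if it locks users out.
$backup = Join-Path $env:TEMP "o365-authz-rules.bak.txt"   # assumption: any writable path
(Get-ADFSRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules | Out-File $backup
"Previous rules saved to $backup"

Set-ADFSRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules
(Get-ADFSRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

Two things to test before leaving this in place: Outlook on the corporate LAN still arrives through the proxy, because Exchange Online makes the call on the active profile, so it is the IP regex alone that admits those users and a change of egress NAT locks them out; and the exact string in x-ms-forwarded-client-ip should be read from the denied-authorization events the deck mentions before trusting the trailing $ anchor.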
User objects must have a value for UPN in on-premises Active Directory
  UPN domain suffix must match a verified domain in Office 365
  The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain
Users must switch to using the UPN to log on to Office 365, not domain\username
UPN must contain only valid characters
  The Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters
If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties and add the UPN suffix.
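The two UPN procedures in this deck (the DirSync requirement to add a routable suffix and move users off user@domain.local, and the ADFS requirement that every UPN carry a verified suffix and valid characters) as one added script, not from the deck: contoso.local and contoso.com are placeholders, the cmdlets are the ActiveDirectory module's own, and the accepted-character set is the documented UPN set (letters, digits, . - _ ! # ^ ~).

```powershell
# Added example (not from the deck). Run with Enterprise Admin rights.
# Assumptions: contoso.local is the AD DNS name; contoso.com is already a verified domain in Office 365.
Import-Module ActiveDirectory

$oldSuffix = "contoso.local"
$newSuffix = "contoso.com"

# 1. Register the routable suffix at the forest level (same as Domains and Trusts > Properties).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix }
    "Added UPN suffix $newSuffix to the forest"
}

# 2. Find enabled users still on the non-routable suffix, or with no UPN at all (which DirSync
#    also trips over), and rewrite them. Local parts with characters Office 365 rejects are
#    reported instead of silently altered, so someone renames those accounts deliberately.
$validLocalPart = '^[A-Za-z0-9._!#^~-]+$'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { -not $_.UserPrincipalName -or $_.UserPrincipalName -like "*@$oldSuffix" }

foreach ($u in $users) {
    $local = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
    if ($local -notmatch $validLocalPart) {
        Write-Warning "$($u.SamAccountName): local part '$local' contains characters Office 365 rejects; fix by hand"
        continue
    }
    $newUpn = "$local@$newSuffix"
    # Prefer UPN = primary e-mail address, so users sign in with the address they already know.
    if ($u.mail -and $u.mail -like "*@$newSuffix") { $newUpn = $u.mail }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf   # remove -WhatIf once the listing looks right
    "{0,-20} {1,-35} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $newUpn
}
```

Because DirSync anchors on objectGUID rather than UPN, renaming users who have already synced as user@contoso.onmicrosoft.com is safe: the new UPN simply flows on the next cycle and the cloud object keeps its identity.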
Office 365 Desktop Setup
Automatically detects necessary updates for a computer
Installs Microsoft Online Sign In Assistant
Installs operating system and client software updates required for connectivity with Office 365
Automatically configures Internet Explorer and rich clients for use
with Office 365
Office 365 Desktop Setup is not an authentication or sign-in service
and should not be confused with single sign-on

Microsoft Online Sign-In Assistant
Can be installed automatically by Office 365 Desktop Setup or
manually
Enables authentication support by obtaining a service token from
Office 365 and returning it to a rich client (e.g. Lync)
Not required for web kiosk scenarios (e.g. OWA)
Required for on-premises computers connecting to Office 365 (e.g.
DirSync, Exchange, ADFS, PowerShell)
AD FS 2.x Server
Default topology for Office 365 is an AD
FS 2.x federation server farm that
consists of multiple servers hosting your
organizations Federation Service
Recommend using at least two
federation servers in a load-balanced
configuration
AD FS 2.x Proxy Server
Federation server proxies are used to
redirect client authentication requests
coming from outside your corporate
network to the federation server farm
Federation server proxies should be
deployed in the DMZ
Single server configuration
AD FS 2.x Server Farm and load-balancer
AD FS 2.x Proxy Server or UAG/TMG
(External Users, Active Sync, Down-level Clients with Outlook)






[Diagram: Enterprise network with Active Directory and an AD FS 2.0 server farm serving internal users; perimeter network with AD FS 2.0 proxy servers serving external users]
  Number of users     Minimum number of servers
  Fewer than 1,000    0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
  1,000 to 15,000     2 dedicated federation servers, 2 dedicated federation server proxies
  15,000 to 60,000    Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies

AD FS 2.0 Capacity Planning Sizing Spreadsheet
http://www.microsoft.com/en-us/download/details.aspx?id=2278

Understanding client authentication path
[Diagram: inside the corporate boundary, internal clients reach the AD FS 2.0 server: Lync 2010 / Office Subscription via MEX (active), OWA via the web (passive) endpoint, and Outlook 2010/2007 and IMAP/POP by sending username/password to Exchange Online, which proxies to AD FS. External clients reach the AD FS 2.0 proxy the same way: Lync 2010 / Office Subscription via MEX, OWA via the web endpoint, and Outlook 2010/2007, IMAP/POP and ActiveSync by sending username/password to Exchange Online, which proxies to the AD FS proxy.]
Basic auth proposal: Exchange Online passes client IP, protocol and device name to AD FS with the proxied request

Windows Azure & ADFS
  Virtual Network support: site-to-site VPN
  Compute: 99.95% SLA uptime for a highly available system; 99.9% SLA uptime for a single system
  Storage: 99.9%
  Full control over your virtual machines
  Pay as you go, OPEX vs CAPEX
[Diagram: IaaS: Active Directory and two AD FS 2.0 servers in Windows Azure, connected over VPN to the enterprise Active Directory]

Cloud Service: a role that several VMs take upon themselves to execute, e.g. ADFS. Cloud services need two or more instances to qualify for the 99.95% SLA. One external virtual IP address per cloud service.
Availability Group
Endpoints: you need to add an endpoint to a machine for other resources on the Internet or in other virtual networks to communicate with it. You can associate specific ports and a protocol with endpoints. Resources connect to an endpoint using TCP or UDP; TCP includes HTTP and HTTPS communication.
Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.

[Diagram: enterprise IPsec device connected to a Windows Azure virtual network gateway; inside the cloud service, two AD FS 2.0 servers and a DirSync server behind a load-balanced endpoint]
Prepare for directory synchronization:
http://technet.microsoft.com/en-us/library/jj151831.aspx
Directory synchronization roadmap:
http://technet.microsoft.com/en-us/library/hh967642.aspx
Set up your directory sync computer:
http://technet.microsoft.com/en-us/library/dn144767.aspx
Update Rollup 2 for ADFS 2.0:
http://support.microsoft.com/kb/2681584

ADFS 2.0 Step-by-Step and How To Guides
http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx
