Preparing for Office 365

Preparing for Office 365 Jan Egil Ring Senior Consultant, Infrastructure jan.egil.ring@crayon.com

Agenda • Overview • Identity management • Federation • DirSync • Client requirements • Gotchas • Planning listJanuary 22, 2012 NIC 2012

Microsoft Office 365 – what is it?

• What’s New in Office 365 • • • • • •• • • • • •• • • • • • • • •• • • • • • 4 | Microsoft Confidential

• • •• • •• • • •• •• •• • • 5 | Microsoft Confidential

Planning list • Decide which program to signup for (Small Business, Enterprise, Education) • Sign up for a trial subscription and deploy a lab/pilot environmentJanuary 22, 2012 NIC 2012

Demo:Microsoft Online Portal

Office 365 Identity Features• Password policy controls for Microsoft Online IDs• Single sign-on with corporate credentials• Directory Synchronization updates• Role-based administration: Five administration roles • Company Admin • Billing Admin • User Account Admin • HelpDesk Admin • Service Support Admin• “Admin on behalf of” for support partners 8

Identity Architecture1. Microsoft Online IDs Microsoft Online2. Microsoft Online IDs + DirSync Services3. Federated IDs + DirSync Identity Services Trust Exchange Contoso customer Online premises Active Authentication Directory platform IdP SharePoint Federation Server 2.0 Online IdP MS Online Directory Provisioning Directory Lync AD platform Store Sync Online Office 365 Desktop Setup Admin Portal 9

Identity Options Comparison 1. MS Online IDs 2. MS Online IDs + Dir Sync 3. Federated IDs + Dir SyncAppropriate for Appropriate for Appropriate for • Smaller orgs without AD • Medium/Large orgs with • Larger enterprise orgs with on-premise AD on-premise AD on-premisePros Pros Pros • No servers required on- • Users and groups mastered • SSO with corporate cred premise on-premise • IDs mastered on-premise • Enables co-existence • Password policy controlled scenarios on-premiseCons • No SSO • 2FA solutions possible Cons • No 2FA • Enables co-existence • No SSO • 2 sets of credentials to scenarios • No 2FA manage with differing • 2 sets of credentials to Cons password policies manage with differing • High availability server • IDs mastered in the cloud password policies deployments required • Single server deployment 10

Authentication flow (passive/web profile) Customer Microsoft Online Services User Source IDActive Directory User Source NET ID ID AD FS 2.0 Server Authentication platform ` Exchange Online or Client SharePoint Online(joined to CorpNet) 11

Authentication flow (MEX/Rich Client profile) Customer Microsoft Online Services Active Directory User Source ID NET ID AD FS 2.0 Server Authentication platform ` Client Exchange Online (joined to CorpNet) 12

Identity Details• Microsoft Online Services requirements • MS Online business scenarios always use WS-* • WS-Trust provides support for rich client authentication • Identity federation supported initially only through AD FS 2.0• Protocols supported • WS-*, SAML1.1 • SAML-P coming later (with Shibboleth support)• Strong authentication (2FA) solutions • Web applications via ADFS Proxy sign in page or other proxies (UAG/TMG) • Rich Clients dependent on configuration 13

AD FS 2.0 Deployment Options1.Single server configuration2.AD FS 2.0 server farm and load-balancer3.AD FS 2.0 proxy server or UAG/TMG Active Directory AD FS 2.0 AD FS 2.0 AD FS 2.0 Server Server Server Proxy AD FS 2.0 Server Proxy Internal user Enterprise DMZ 14

Deployment Options Identity Federation• Domain conversion is a big switch• Staged Rollout • Start with a Federated Domain and license users over time• Piloting Federation • Suitable for Existing production standard domain (running Directory Sync) containing production licensed users • Must use a different test domain, not sub-domain of an existing domain • Update Users UPN on premise to new Test domain • Must revert users back to a Managed domain at end of pilot 15

Preparing for Identity Federation• Every User must have a UPN• UPN suffix must match a validated domain in Office 365• UPN Character restrictions • Letters, numbers, dot or dash • No dot before @ symbol• Users may need to understand that they must use UPN to logon to Office 365 Apps • Can be hidden from users with smart links from domain machines 16

Demo:Office 365 DeploymentReadiness Tool

Single Forest AD Structures• Matching domains • Internal Domain and External domain are the same E.g. contoso.com• Sub Domain • Internal domains is a sub domain of the external domain E.g. Corp.contoso.com• .Local Domain • Internal domain is not publicly “registered” E.g. Contoso.local• Multiple distinct UPN suffixes in Single forest • E.g. mix of users having login UPNs under contoso.com and fabrikam.com 18

Single Forest Considerations• Matching domain • No special requirements• Sub Domain • Requires Domains registered in order, primary then sub domains• Local Domain • Domain ownership can‟t be proved, must use a different domain • Requires all users to get new UPN• Multiple distinct domains • Requires additional switches to support a single ADFS server during setup 19

Multi Forest Support• Key requirement to enable Single Sign On with multi forest• Various models being investigated • Single Account/Resources forests • Multiple separate Account forests with Single resource forest • Consolidated Sync forest (V1) • True Multi forest 20

Update Rollup 1 for Active DirectoryFederation Services (AD FS) 2.0• Released in October 2011• Hotfixes and new features• Major feature for Office 365: Multiple Issuer Support http://support.microsoft.com/kb/2607496

Demo: Active DirectoryFederation Services

Planning list • If testing/deploying federation, remember to install AD FS 2.0 Update Rollup 1 • Based on the demo/lab experiences, decide which identity features you want to deployJanuary 22, 2012 NIC 2012

Directory SyncWhat is Directory Sync?• What does Directory Sync do for you & your users• When to use Directory SyncUsing Directory Sync• Requirements• How Directory Sync works• Gotchas

Identity Architecture1. Microsoft Online IDs Microsoft Online2. Microsoft Online IDs + DirSync Services3. Federated IDs + DirSync Identity Services Trust Exchange Contoso customer Online premises Active Authentication Directory platform IdP SharePoint Federation Server 2.0 Online IdP MS Online Directory Provisioning Directory Lync AD platform Store Sync Online Office 365 Desktop Setup Admin Portal 25

What does Directory Sync do foryou• Enables you to manage your company‟s information in one central location for both on- premise intranet and Office 365• Runs as an appliance • Install and forget• Proactively reports errors via email • “No news is good news”

What does DirectorySynchronization do for users• Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)• Flavors of Co-Existence • Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication) • Application Co-Existence

Identity Co-Existence• Facilitates “Single Sign-On” Experience• For users: Single set of credentials to manage• On-premise users, security groups, distribution lists, contacts are available in the cloud • Complete Address Books in Exchange Online • SharePoint Online ACL‟ing via Security Groups• Users, contacts, groups can be created directly in Office 365, or sync‟d from on-premise!

Exchange Server Co-Existence• 2 types: • Simple • RichSimple Co-Existence:• Full, consistent Address Book available across all O365 services• Exchange Online users can receive mail at any of their (valid) on-premise Proxy Addresses• Conf Room support (Outlook Room Finder)

Exchange Server Co-ExistenceRich Co-Existence:• Hybrid Deployments • Staged migrations • Keep data on-premise for various business or legal requirements• Free/Busy available to users on-premise and in cloud

Exchange Server Co-ExistenceRich Co-Existence (con’t)• Cross-Premise Services • Customers with on-premise mailbox can have voicemail in cloud • Cloud Archiving • Filtering Co-Existence (safe senders, blocked senders)

When to use DirectorySynchronization• Common Scenarios: Scenario Use Directory Synchronization? Initial on-boarding/bulk No Provisioning of users only* Identity Federation Yes Long-term Yes migration/adoption of Office 365 Services Partial Yes adoption/migration to Office 365 Services

Requirements3 types of requirements:1. Host OS that runs Directory Sync • 32-bit ONLY • Microsoft Windows Server® 2003 SP2 x86 • Microsoft Windows Server 2008 x86 • Cannot be Domain Controller2. Active Directory Forest functional level sync‟d by Directory Sync • Microsoft Windows Server 2000 • Microsoft Windows Server 2003 • Microsoft Windows Server 2008 • Microsoft Windows Server 2008 R2 NOTE: known incompatibility with Recycle Bin feature

Requirements3 types of requirements:1. Host OS that runs Directory Sync • 32-bit and 64-bit • Microsoft Windows Server® 2003 SP2 x86 • Microsoft Windows Server 2008 x86/x64 • Microsoft Windows Server 2008 R2 • Cannot be Domain Controller2. Active Directory Forest functional level sync‟d by Directory Sync • Microsoft Windows Server 2000 • Microsoft Windows Server 2003 • Microsoft Windows Server 2008 • Microsoft Windows Server 2008 R2 NOTE: known incompatibility with Recycle Bin feature in 32-bit client

Setting up Directory Sync -Requirements3. Rich Co-Existence • Rich co-existence, need Exchange 2010 SP1 Client Access Server (CAS) – Free • Installs schema extensions required to support Rich Co-Existence

Demo: Microsoft OnlineDirectory Sync Setup

How Directory Synchronization worksArchitecture

Architecture - Client• Uses Enterprise Admin credentials at configuration to create self-managed account for sync purposes: • Attribute-level write permissions for Rich Co-Existence• Uses managed account with Global Administrator privileges for Tenant • Authenticates to O365 via Microsoft Online ID• Syncs all users, contacts and groups from your (single) AD forest • Queries AD DirSync control for changes • Filters out well-known objects and attributes patterns• Syncs every 3 hours

Architecture - Client• First sync run “full sync” • Start-up, sync‟s all objects• Subsequent runs “delta sync” • Changes only• Time required depends on data size/complexity

Architecture - Client• Based on ILM (32-bit) and FIM (64-bit)• SQL Server 2008 R2 Express • Should use full Microsoft SQL Server 2005 / 2008 for larger customers • 10GB DB size limit• Microsoft Online ID components for Authentication to Office 365

Architecture - Server• Syncs objects in “batches”• Users provisioned into Microsoft Online ID for login to Office 365• All objects provisioned into Office 365 Directory Store • objects flow into services based on subscription (Exchange Online, Lync Online, SharePoint Online)

Architecture – Sync Object Limits• All customers initially subject to 10,000 object limit • “objects” = users, security groups, distribution lists, contacts • Will receive email • contact support to increase object limit• Larger customers (20,000+ users) sign-up for special subscription type • work with your MS account reps for more details!

Attribute Validation• ProxyAddresses sanitization • proxy addresses with non-registered domains are stripped• UPN Validation • If UPN uses a non-registered domain, it will be replaced with: mailNickName „@‟ domain.onmicrosoft.com (where domain is the primary domain the customer registered at sign-up)

Attribute Validations Attribute Most common issuesuserPrincipalName • cannot have dot „.‟ immediately preceding „@‟ • cannot exceed 113 chars (64 for username, 48 for domain) • cannot contain ! # $ % & * + - / = ? ^ _` { |}~<>() • cannot have duplicate UPNssAmAccountName • cannot contain “ / [ ] : | < > + = ; ? , • cannot end with dot „.‟ • cannot be more than 20 chars • cannot be emptyproxyAddresses • cannot contain smtp addresses with domains that are not registered for the tenant • cannot have duplicate proxy addresses

Writing to On-Premise AD• If Rich Co-Existence disabled, Directory Sync will not modify customer‟s on-prem AD• If Rich Co-Existence enabled, Directory Sync will modify up to 6 attributes on users: Attribute Feature SafeSendersHash Filtering Coexistence BlockedSendersHash enables on-premise filtering using cloud SafeRecipientHash safe/blocked sender info msExchArchiveStatus Cloud Archive Allows users to archive mail to the Office 365 service ProxyAddresses Mailbox off-boarding (cloudLegDN) Enables off-boarding of mailboxes back to on- premise cloudmsExchUCVoiceMailSe Voicemail Co-Existence ttings Enables on-premise mailbox users to have Lync in the cloud

Synchronization Errors• Synchronization errors are communicated to the IT Generalist via email • Technical Contact is a very important to Microsoft Online Directory Sync for communication of sync health, errors, etc.• Administrators must address these errors through on-premise changes

Common Asks• Filtering • Not supported • Automated “scoping out” can lead to data loss (user mailboxes!) • Filter file no longer supported• Highly available Directory Sync • Directory Sync tool not configurable for high availability NOTE: when Directory Sync tool down, Office 365 data goes “stale”, Federated Authentication, etc. still works!

• Scale & Large customers? • Directory Sync is used for MSFT! (~1M objects) • Customers with 50K+ objects - use full SQL installation • PowerShell-based configuration

• Sync‟d objects are mastered on-premise • need to update on-premise object to update cloud object• Stopping Directory Synchronization • Cannot “de-activate” Directory Synchronization via Microsoft Online Portal • Can “turn off” Directory Synchronization client• DirSync can now be activated/deactivated: • Set-MsolDirSyncEnabled -EnableDirSync $false • Set-MsolDirSyncEnabled -EnableDirSync $true • http://support.microsoft.com/kb/2619062/en-us

Planning listThings to think about:1. Do you plan to enable Identity Federation? • Register domains with Office 365 • Activate Federation2. Do you plan to enable Rich Co-existence? • Exchange 2010 SP1 CAS deployed on-premise?3. Is your Active Directory “ready”? • Microsoft Online Deployment Guide (http://www.microsoft.com/online/deploy.aspx) • Office 365 Deployment Readiness Tool

Client RequirementsSoftware Supported VersionsOffice clients Microsoft Office® 2010 or Office 2007 SP2 Office 2008 for Mac & Entourage 2008 Web Services Edition Office 2011 for Mac and Outlook 2011 for Mac Microsoft Lync™ 2010 Communicator for MacOperating systems Windows 7 Windows Vista SP2 Windows XP SP3 with RPC over HTTP patch Windows XP Home Edition , Windows XP Media Center Edition MAC OS X 10.4 (Tiger), 10.5 (Leopard), 10.6 (Snow Leopard)System software Microsoft .NET Framework 3.0 (for Windows XP) Java client 1.4.2 (for Macintosh OS X)*Client applications Microsoft Online Services ConnectorBrowser software Microsoft Internet Explorer 7 Mozilla Firefox 3.x, Apple Safari 3.x

Update XP / XP / Vista / Vista / Win7 / Win7 / O2007 O2010 O2007 O2010 O2007 O2010Windows XP SP3 X XVista SP2 X XRPC over HTTP (KB974841 – XP, new for X X X XVista)Security update KB960818 – June 2009 & Xnew Office 2010 update)Office 2007 SP2 X X XSecurity Update for Office 2007 (KB972652 X X X– Nov 2009)Office Update KB980210 X(only for WS 2008 R2)Outlook hosting update for Office 2007 X X XOutlook hosting update for Office 2010 X X XOffice Update KB2435954 XAuthentication components(Microsoft Online Services Sign in Assistant X X X X X X 52 | Microsoft Confidential& Add-on)

Office Professional Plus – What is it? Flexible service offering with pay-as-you-go, per-user licensing Word Publisher The complete Office experience with services integration in Office 365 Excel AccessPowerPoint InfoPath SharePoint OneNote Simplified end user set-up to use online services Workspace Outlook Lync Always the latest version of the Office apps, including Office Web Apps • Excel • PowerPoint • OneNote • Word Familiar Office user experience to access services

Volume License Comparisons Office Professional Plus Office Professional Plus Subscription License Volume LicenseDownload location • Office 365 Portal • VL Software CenterSoftware • Office Pro Plus + subscription agent • VL bits (Pro Plus or Standard) • Single EXE • Extracted to use with deployment toolsProduct Key / • Subscription based activation • Volume License technologiesActivation • Term – 30 days (monthly) • MAK perpetual activation, • No keys to manage – only users KMS 180 days • Manage KMS and /or MAK keysWhen Reduced • In 60 days since last activation • MAK: N/AFunctionality Mode • “hard” RFM • KMS: within 180 days(RFM) starts • “Notification mode”Deployment options • Office 365 Portal • Unmanaged & Managed Options • Unmanaged & Managed options • App-V • Terminal Services# of copies allowed • 5 active installs on different devices • Single device per license/activation per user • Downgrade rights • No downgrade rightsFulfillment • Electronic software download • $27/ DVD media 54 | Microsoft Confidential

Connector Overview• Updates client PCs with Windows and/or Office products to work with Office 365 Services • Leverages WSUS/WU to detect, download & install updates • Only installs updates that are required to connect to and use services• * Configure clients for subscribed services• Run on-demand by end users with minimal system footprint – Local Admin permissions to install• Supports IT Admin Deployment (elevated privileges)

Connector Goals and Scenarios• Goals • Configure Office apps for end users (small and large companies) • Ensure Office 365 minimum requirements • Windows: XP SP3 with Internet Explorer® 7, Microsoft Vista® SP2, Windows Server® 2008 R2, Windows 7 RTM • Office versions: Office 2007 SP2, Office 2010 RTM• Scenarios • Update/configure based on licensed services • End user with elevated privileges • End user without elevated privileges • Small IT admin deployments • Large IT admin deployments

Planning list • Consider using the MAP Toolkit to inventory your client environment for Office 365 readiness (Video tutorial: http://bit.ly/sb2spo) • Ensure prerequisites are deployed in advance – Windows XP SP3, Windows Vista SP2, Windows 7, Office 2007 SP2, Office 2010 as well as the Office 365 Connector and other hotfixesJanuary 22, 2012 NIC 2012

Gotchas• No support for Office 2003• No support for Internet Explorer 6• No support for Office Communicator 2007 R2• Client requirements (Online Services Connector)• Removing domains • Can‟t de-register domain from Office 365 until all users that have attributes with that domain are removed• No support for shared SIP-domain between Lync Online and Lync On-premise• 3rd party tool required to migrate from Sharepoint On-premise to Sharepoint Online• No Enterprise Voice (telephony) available in Lync Online May or may not be deployment-blockers

Call to action (if deploying Office365) Read the documentation (deployment guide and service plans) Determine your serviceplan (Small Business, Enterprise or Education) Run the Office 365 Deployment Readiness Tool Design your Office 365 infrastructure (i.e. AD FS servers, DirSync server, Exchange 2010) Test and pilot

Resources• Microsoft Office 365 Deployment Guide • http://www.microsoft.com/download/en/details.aspx?id=26509• Office 365 ebook • http://download.microsoft.com/download/1/2/F/12F1FF78-73E1-4714-9A08- 6A76FA3DA769/656949ebook.pdf• Office 365 Deployment Readiness Tool • http://community.office365.com/en-us/f/183/p/2285/8155.aspx• Service Descriptions • http://www.microsoft.com/download/en/details.aspx?id=13602• PowerShell-module • http://blog.powershell.no/2011/05/09/administering-microsoft-office-365-using- windows-powershell

Planning list• Decide which program to signup for (Small Business, Enterprise, Education)• Sign up for a trial subscription and deploy a lab/pilot environment • If testing/deploying federation, remember to install AD FS 2.0 Update Rollup 1 • Based on the demo/lab experiences, decide which identity features you want to deploy• Do you plan to enable Identity Federation? • Register domains with Office 365 • Activate Federation• Do you plan to enable Rich Co-existence? Exchange 2010 SP1 CAS deployed on-premise?• Is your Active Directory “ready”? • Microsoft Online Deployment Guide (http://www.microsoft.com/online/deploy.aspx) • Office 365 Deployment Readiness Tool• Consider using the MAP Toolkit to inventory your client environment for Office 365 readiness (Video tutorial: http://bit.ly/sb2spo)• Ensure prerequisites are deployed in advance • Windows XP SP3, Windows Vista SP2, Windows 7 • Office 2007 SP2, Office 2010 • Office 365 Connector • Required hotfixes January 22, 2012 NIC 2012

Contact infoNew-Object PSObject -Property @{Name = "Jan Egil Ring""E-mail" =" jan.egil.ring@crayon.com"TwitterId = "@JanEgilRing"Website = "blog.powershell.no"}

Preparing for Office 365

by Jan Egil Ring on Jan 22, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Preparing for Office 365 — Presentation Transcript