Office 365 offers two types of identities. The type of identity affects the user experience and administrative requirements.
• Applications like Outlook can save the password for future logons. The password will not have to be entered again until the password is changed or reset.
• Web browsers that have the capability to “keep me signed in” will not prompt the user for a password until they sign out.
• Users using the web experience with Federated Identities on domain-joined machines authenticating outside of the corporate network may still receive a prompt for credentials.
• “Rich applications” (e.g. Lync) require the Microsoft Online Services Sign-In Assistant.
Multiple Exchange organizations are currently not supported. For more details, please refer to the Wiki article here.
Slide Objective: Discuss integration scenarios between Lync, Exchange, and SharePoint.

Notes:
No matter what the combination is between on-premises and Online deployments, Lync client presence integration always works. This is possible because this kind of integration is done at the client level and not between Lync and Exchange servers.

Another thing to highlight is that when using a Lync Server on-premises deployment, users get the same features no matter whether Exchange Online or Exchange on-premises is used. As mentioned earlier, IM/P in OWA and voicemail integration when using Lync Server on-premises with Exchange Online is possible thanks to Lync Federation between Office 365 and Lync Server 2010 on-premises.

Also, note that no voicemail integration is possible between Lync Online and Exchange Online because Lync Online does not provide the Enterprise Voice feature.

When looking at the integration matrix between Lync and SharePoint, it is possible to see that in every case Lync client presence integration works: this is possible because integration is done at the client level and not between Lync and SharePoint servers.

Note that Skill search in the Lync client is only available when using a combination of Lync Server on-premises and SharePoint Server on-premises.
Here is a summary of the migration tools and options we have with Exchange Online. Customers can choose to move to the cloud quickly with native migration options, to take a more measured approach to the cloud according to their business requirements, or to maintain mailboxes on-premises and online for a longer period of time. There is a single management experience, with the same tools and API, across all migration options.

Note: Exchange hybrid does not work with Exchange 2003. However, Exchange 2003 customers will be able to deploy Exchange 2010 hybrid with Exchange Online 15 in order to have a smoother experience migrating to the cloud, if other options are not ideal for their business requirements.
This is what you get when you have Hybrid coexistence. Some features are optional and require more configuration than others.
Service Descriptions
• Office 365 Service Descriptions: http://technet.microsoft.com/en-us/library/jj819284.aspx
• Office 365 Service Updates: http://community.office365.com/en-us/wikis/office_365_service_updates/974.aspx
• Office 365 Service Upgrade Center for Enterprises: http://community.office365.com/en-us/wikis/office_365_service_updates/office-365-service-upgrade-center-for-enterprise.aspx
Office 365 Deployment Center
• Sign up for a trial: http://alturl.com/rt9j8
• The new Office 365 Deployment Center: find the tools, guidance, and technical resources to pilot and deploy Office 365: http://www.deployoffice365.com/
Understanding Identities

Cloud Identity:
• Separate credential from on-premises credential
• Authentication occurs via cloud directory service
• Password policy is stored in Office 365
• Does not require on-premises server deployment

Federated Identity:
• Same credential as on-premises credential
• Authentication occurs via on-premises directory service
• Password policy is stored on-premises
• Requires on-premises DirSync server
• Requires on-premises ADFS server
Understanding Identities

Cloud Identity
• Scenario: Smaller organizations with or without on-premises Active Directory
• Benefits: Does not require on-premises server deployment; 2 Factor Authentication options
• Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies

Cloud Identity + DirSync
• Scenario: Medium to Large organizations with Active Directory on-premises
• Benefits: “Source of Authority” is on-premises; Enables coexistence
• Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies; Requires on-premises DirSync server deployment

Federated Identity
• Scenario: Large enterprise organizations with Active Directory on-premises
• Benefits: Single Sign-On experience; “Source of Authority” is on-premises; Enables coexistence
• Limitations: Requires on-premises ADFS server deployment in a high availability scenario; Requires on-premises DirSync server deployment
Understanding Identities

Sign-in prompts by client, listed as: Cloud Identity / Federated Identity (domain-joined computer) / Federated Identity (non-domain-joined computer)
• Microsoft Outlook® 2010 on Windows® 7: Sign in each session / Sign in each session / Sign in each session
• Outlook 2007 on Windows 7: Sign in each session / Sign in each session / Sign in each session
• Outlook 2010 or Outlook 2007 on Windows Vista® or Windows XP: Sign in each session / Sign in each session / Sign in each session
• Exchange ActiveSync®: Sign in each session / Sign in each session / Sign in each session
• POP, IMAP, Microsoft Outlook for Mac 2011: Sign in each session / Sign in each session / Sign in each session
• Web experiences (Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps): Sign in each browser session / No prompt / Sign in each browser session
• Office 2010 or Office 2007 using SharePoint Online: Sign in each SharePoint Online session / Sign in each SharePoint Online session / Sign in each SharePoint Online session
• Lync Online: Sign in each session / No prompt / Sign in each session
• Outlook for Mac 2011: Sign in each session / Sign in each session / Sign in each session
Do 3: Realize ADFS is more than Federated Identities
ADFS Enables
• Users to access both the on-premises and cloud-based organizations with a single user name and password
• A familiar sign-on experience for users
• Administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools
• SharePoint Hybrid Search
Access Control Policies

• Scenario: Block all external access to Office 365
  Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.
• Scenario: Block all external access to Office 365, except Exchange ActiveSync
  Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.
• Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
  Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.
• Scenario: Block all external access to Office 365 for members of designated Active Directory groups
  Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.
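As an added example (not from the deck), the following Python models the decision logic of the four access control scenarios above and runs it over constructed requests. The internal address ranges, application labels and group names are assumptions, and this is a simulation of the policy outcomes, not ADFS claim-rule syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the deck): the corporate
# address ranges and the labels used to classify the requesting client.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ACTIVESYNC = "ActiveSync"
PASSIVE_APPS = {"OWA", "SharePointOnline"}   # browser-based (passive) clients


@dataclass(frozen=True)
class Request:
    client_ip: str                    # client address as seen by the federation service
    application: str                  # which client application is requesting a token
    groups: frozenset = frozenset()   # AD groups of the authenticating user


def is_external(req: Request) -> bool:
    """Scenario 1's test: external when the client IP is outside the corporate network."""
    ip = ipaddress.ip_address(req.client_ip)
    return not any(ip in net for net in INTERNAL_NETS)


def block_all_external(req: Request) -> str:
    return "deny" if is_external(req) else "allow"


def block_external_except_activesync(req: Request) -> str:
    """External access only for Exchange ActiveSync devices; Outlook etc. is blocked."""
    if is_external(req) and req.application != ACTIVESYNC:
        return "deny"
    return "allow"


def block_external_except_browser(req: Request) -> str:
    """External access only for passive (browser-based) applications."""
    if is_external(req) and req.application not in PASSIVE_APPS:
        return "deny"
    return "allow"


def block_external_for_groups(req: Request, blocked: frozenset) -> str:
    """Deny external access only to members of the designated groups (pilot/testing use)."""
    if is_external(req) and req.groups & blocked:
        return "deny"
    return "allow"


def allow_external_only_for_groups(req: Request, allowed: frozenset) -> str:
    """The inverse use of the same scenario: external access only for group members."""
    if is_external(req) and not (req.groups & allowed):
        return "deny"
    return "allow"
```

Run the policies over a request from an internal address, an external phone using ActiveSync and an external Outlook client in a pilot group to see how each scenario differs.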
Do 4: Is your environment ready to hook up to Office 365?
Deployment Readiness Tool
• http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
• Requirements:
  • No administrative rights required
  • Domain user
  • Domain-joined machine
Windows Azure Active Directory: Multi-forest
• Multi-forest AD support is available through Microsoft-led deployments
• Multi-forest DirSync appliance supports multiple disjoint account forests
• FIM 2010 Office 365 connector supports complex multi-forest topologies
[Diagram: multiple on-premises AD forests synchronized to Windows Azure Active Directory via DirSync on FIM, with federation using ADFS; on-premises identity example: Domain\Alice user]
Non-AD Synchronization
• Preferred option for Directory Synchronization with Non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• FIM 2010 Office 365 connector supports complex multi-forest topologies
[Diagram: on-premises Non-AD (LDAP) directory synchronized to Windows Azure Active Directory via the Office 365 connector on FIM, with federation using a non-ADFS STS; on-premises identity example: Domain\Alice user]
Network Requirements
• Lync:
  • Lync 2013 Network Bandwidth Requirements for Media Traffic: http://technet.microsoft.com/en-us/library/jj688118.aspx
  • Lync 2010 Bandwidth Calculator: http://www.microsoft.com/en-us/download/details.aspx?id=19011
• Exchange:
  • Exchange Client Network Bandwidth Calculator: http://gallery.technet.microsoft.com/office/Exchange-Client-Network-8af1bf00
• SharePoint:
  • Plan for Bandwidth Requirements: http://technet.microsoft.com/en-us/library/cc262952(v=office.12).aspx
Connecting to Office 365
• Office 365 URLs and IP Address Ranges: http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh373144.aspx
• Exchange Online URLs and IP Address Ranges: http://technet.microsoft.com/en-us/exchangelabshelp/gg263350
• RSS Updates for URL and IP Address Range Changes: http://go.microsoft.com/fwlink/?linkid=236301
• Set up your network for Lync Online: http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh416761.aspx
ADFS and Azure
Current guidance: ADFS should only be deployed in an Azure VM for High Availability. We would also not recommend that a customer deploy the underlying AD domain controller to Azure, as there would be latency issues for NTLM authentication of domain-joined machines.
http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx
You can deploy corporate domain controllers alongside AD FS on Windows Azure virtual machines, which provides additional guarantees of service availability in the event of unforeseen failures such as natural disasters. This is especially true for online services such as Microsoft Office 365 that can authenticate users directly from their on-premises corporate Active Directory.
Azure and Office 365
http://weblogs.asp.net/scottgu/archive/2012/07/26/windows-azure-and-office-365.aspx
• Developing Windows Azure Web Sites Integrated with Office 365
• Developing Windows Azure Workflows Integrated with Office 365
Windows Azure™ AD RMS
Integration with Exchange Online
[Diagram: Company Confidential, Read Only, Do not forward (works across tenants)]
Integration with SharePoint Online
There is no support for SharePoint Online Wave 15 (v2013) integration with customer on-premises AD RMS infrastructure. Documents that have been protected with RMS can be uploaded to SharePoint Online only in standard document libraries. In Office 365 Wave 15 (v2013), SharePoint Online supports RMS integration with the Windows Azure RMS service.
Do 7: UC & C: Decide what to keep On-Premises and what to move to Online
Lync Interoperability with Exchange and SharePoint

Lync and Exchange (presence integration = OOF messages in Lync, calendar-based presence status, embedded presence in Microsoft Office Outlook® and Office):
• Lync Online with Exchange Online: Lync client presence integration; IM/Presence in OWA
• Lync Online with Exchange Server (on-premises): Lync client presence integration
• Lync Server on-premises with Exchange Online: Lync client presence integration; IM/Presence in OWA; Exchange voicemail integration
• Lync Server on-premises with Exchange Server (on-premises): Lync client presence integration; IM/Presence in OWA; Exchange voicemail integration

Lync and SharePoint (presence integration = embedded presence and click-to-communicate in SharePoint sites):
• Lync Online with SharePoint Online: Lync client presence integration
• Lync Online with SharePoint Server (on-premises): Lync client presence integration
• Lync Server on-premises with SharePoint Online: Lync client presence integration
• Lync Server on-premises with SharePoint Server (on-premises): Lync client presence integration; Skill search in Lync client
Do 8: Ready to move Exchange? Think about your options
Migration options

Supported migration types by source platform (IMAP migration / Cutover migration / Staged migration / Hybrid):
• Exchange 5.5: IMAP
• Exchange 2000: IMAP
• Exchange 2003: IMAP, Cutover, Staged
• Exchange 2007: IMAP, Cutover, Staged, Hybrid
• Exchange 2010: IMAP, Cutover, Hybrid
• Exchange 2013: IMAP, Cutover, Hybrid
• Notes/Domino: IMAP
• GroupWise: IMAP
• Other: IMAP

IMAP migration
• Supports a wide range of email platforms
• Email only (no calendar, contacts, or tasks)

Cutover Exchange migration
• Good for fast, cutover migrations
• No Exchange upgrade required on-premises

Staged Exchange migration
• No Exchange upgrade required on-premises
• Identity federation with on-premises directory

Hybrid deployment
• Manage users on-premises and online
• Enables cross-premises calendaring, smooth migration, and easy off-boarding
Cutover vs. Staged

Cutover
• Cutover is designed for small/fast migrations to Office 365.
• Mailbox data and address book data is synced from on-premises to Exchange Online via Outlook Anywhere (RPC over HTTPS).
• As the name sounds, it’s an “all at once” move.
• Limited to a maximum of 1000 mailboxes total.

Staged
• Staged uses the same migration engine as cutover but in conjunction with Office 365 Directory Synchronization to allow you to move a few users at a time.
• Mailbox data is copied via Outlook Anywhere.
• Users, contacts & groups are synchronized via Directory Sync.
• Exchange 2010 or later is not supported (but hybrid-based moves are).
Cutover Migration server roles
[Diagram: existing on-premises Exchange environment (Exchange 2003 or later) connected to Office 365: Users, Contacts & Groups via Outlook Anywhere (NSPI); Mailbox Data via Outlook Anywhere (MAPI)]
Staged Migration server roles
[Diagram: existing on-premises Exchange environment (Exchange 2003 or 2007) connected to Office 365: Users, Contacts & Groups via DirSync (Office 365 Active Directory Synchronization); Mailbox Data via Outlook Anywhere (MAPI)]
Hybrid Feature Comparison
Features of a simple hybrid deployment:
• Mail routing between on-premises and cloud (recipients on either side)
• Mail routing with shared namespace (if desired) on both sides
• Unified GAL
• Free/Busy and calendar sharing cross-premises
• Out of Office understands that cross-premises is “internal” to the organization
• MailTips, message tracking, and mailbox search work cross-premises
• OWA redirection cross-premises (single OWA URL for both on-premises and cloud)
• Single tool to manage cross-premises Exchange functions (including migrations)
• Mailbox moves support both onboarding and offboarding
• No Outlook reconfiguration or OST resync required after mailbox migration
• Preserve auth header (ensure internal email is not spam, resolve against GAL, etc.)
• Centralized mail flow, ensuring that all email routes inbound/outbound via on-premises
Hybrid overview

Federation Trust
• Delegated authentication for on-premises/cloud web services
• Enables Free/busy, calendar sharing, message tracking & online archive

Integrated Admin Experience
• Manage all of your Exchange functions, whether cloud or on-premises, from the same place: Exchange Administration Center

Native Mailbox Move
• Online mailbox moves
• Preserve the Outlook profile and offline folders
• Leverages the Mailbox Replication Service (MRS)

Secure Mail Flow
• Authenticated and encrypted mail flow between on-premises and the cloud
• Preserves the internal Exchange message headers, allowing a seamless end user experience
• Support for compliance mail flow scenarios (centralized transport)
Hybrid server roles
[Diagram: on-premises Exchange organization (existing Exchange 2007 or later environment plus an Exchange 2013 Client Access & Mailbox Server) connected to Office 365: Users, Contacts & Groups via DirSync (Office 365 Active Directory Synchronization); Secure Mail Flow; Sharing (free/busy, MailTips, archive, etc.); Mailbox Data via Outlook Anywhere (MAPI)]
Exchange 2010 Hybrid Support
• Exchange 2010 SP3 will be compatible with current and new O365 tenants
• Exchange 2010-based hybrid deployments will continue to support Exchange 2003 coexistence with the new O365 tenants
• Once the new O365 service is launched, Exchange 2013-based hybrid is recommended for all new deployments (unless migrating from Exchange 2003)
Everything Moved… Remove the Hybrid Server?
In short, leave a CAS behind, and maybe a Hub if you need an on-premises central mail routing server for apps/printers/scanners/etc.
Check: http://blogs.technet.com/b/exchange/archive/2012/12/05/decommissioning-your-exchange-2010-servers-in-a-hybrid-deployment.aspx
One More to Bookmark
Exchange 2013 Deployment Assistant: http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=672-W-AAAAAAAAQAAA
Hybrid – Only Exchange?
SharePoint 2013 hybrid resources: http://www.microsoft.com/en-us/download/details.aspx?id=35593
• One-way hybrid environment with SharePoint Server 2013 and Office 365
• Two-way hybrid Search environment with SharePoint Server 2013 and Office 365
• Business Connectivity Services Hybrid Overview
Planning for Hybrid Voice with Lync 2013: http://technet.microsoft.com/en-us/library/jj205095.aspx
Lync Online
• Federation with Lync
• Federation with MSN
• Federation with Skype
Skype – Lync: Status
• Is IM and presence available today between Lync and Skype? Yes, on a limited basis
• Can Skype users add Lync users to their contact lists today? Not yet, target = June
• Can Lync users add Skype users to their Lync contact lists today? Yes, but using Skype users’ Microsoft accounts
• What communications capabilities will be supported between Lync and Skype as part of the upcoming release? In June: presence, one-on-one IM, and audio calling
• What must Skype users do to connect to Lync contacts in the upcoming release? New Skype app + sign in with Microsoft account
• Will Skype Connectivity work with Lync 2010? Yes
[Figure: separate sign-in accounts and passwords per service: SharePoint Online, Microsoft, iTunes, Skype, Telenet, Office 365, Skynet, Gmail, Facebook, Pandora]