mod 3: office 365 dirsync, single sign-on &...
TRANSCRIPT
Published: 9/10/2012
1
©2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other
countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Office 365 for SMB Jump Start
Mod 3: Office 365 DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner, Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers
Jump Start Schedule – Target Agenda

Day 1: Administering Office 365
• Office 365 Overview & Infrastructure
• Office 365 User Management
• Office 365 DirSync, Single Sign-On & ADFS
• MEAL BREAK
• Administering Lync Online
• Administering SharePoint Online

Day 2: Administering Exchange Online
• Exchange Online Overview & User Management
• Exchange Online Deployment & Migration
• Exchange Online FOPE
• Exchange Online Archiving & Compliance
Module 3: Office 365 DirSync, Single Sign-On & ADFS
• Reviewing Identities
• Understanding DirSync
• DirSync Requirements
• Understanding Single Sign-On & ADFS
Reviewing Identity Types

Cloud Identity
• Separate credential from corporate credential
• Authentication occurs via cloud directory service
• Password policy stored in Office 365

Federated Identity
• Same credential as corporate credential
• Authentication occurs via on-premises Active Directory service
• Password policy is stored on-premises
• Requires Directory Synchronization
Reviewing Identity Usage Scenarios

Cloud Identity
• Scenario: Smaller organizations without on-premises Active Directory
• Pros
‒ Does not require on-premises server deployment
• Cons
‒ No Single Sign-On
‒ No 2 Factor Authentication options
‒ 2 sets of credentials to manage with, potentially, different password policies

Cloud Identity + DirSync
• Scenario: Medium to Large organizations with Active Directory on-premises
• Pros
‒ “Source of Authority” is on-premises
‒ Enables coexistence
• Cons
‒ No Single Sign-On
‒ No 2 Factor Authentication options
‒ 2 sets of credentials to manage with, potentially, different password policies
‒ Requires on-premises server deployment

Federated Identity*
• Scenario: Large enterprise organizations with Active Directory on-premises; requires DirSync
• Pros
‒ Single Sign-On experience
‒ “Source of Authority” is on-premises
‒ 2 Factor Authentication options
‒ Enables coexistence
• Cons
‒ Requires on-premises server deployment in high availability scenario
Module 3: Office 365 DirSync, Single Sign-On & ADFS
• Reviewing Identities
• Understanding DirSync
• DirSync Requirements
• Understanding Single Sign-On & ADFS
What is DirSync?

• Application that synchronizes on-premises Active Directory with Office 365
• x64 version based on FIM (Forefront Identity Manager)
‒ Previous x86 versions based upon ILM 2007 (Identity Lifecycle Manager 2007)
• Bundled with SQL 2008 R2 Express Edition
• Designed as an “appliance”
‒ “Set it and forget it”
DirSync | Enables Coexistence

• Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
• Provides a unified Global Address List experience between on-premises and Office 365
‒ Objects hidden from the GAL on-premises are also hidden from the Office 365 GAL
• Enables mail routing between on-premises and Office 365 with a shared domain namespace
• Enables application coexistence for Microsoft Lync
• Enables Exchange coexistence scenarios
‒ Simple and hybrid scenarios
DirSync | Enables Single Sign-On

• Enables “run state” administration and management of users, groups, and contacts
‒ Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
• Not intended as a single-use bulk upload tool
DirSync Synchronization

• Entire Active Directory forest scoped for synchronization
• What is synchronized?
‒ All user objects
‒ All group objects
‒ Mail-enabled contact objects
‒ Passwords are not synchronized
‒ Synchronization is from on-premises to Office 365 only (unless “write-back” is enabled)
• Synchronization occurs every 3 hours
‒ Use the “Start-OnlineCoexistenceSync” cmdlet to force a sync
DirSync Synchronization | User Objects

• Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
‒ Visible in the Office 365 GAL (unless explicitly hidden from the GAL)
‒ Logon enabled, but not automatically licensed to use services
‒ Target address is synchronized for mail-enabled users
• Regular NT users are synchronized as regular NT users
‒ Not automatically provisioned as mail-enabled in Office 365
• Resource mailboxes are synchronized as resource mailboxes
• Synchronized users are not automatically assigned a license
DirSync Synchronization

• Group objects
‒ Mail-enabled groups are synchronized as mail-enabled
‒ Group memberships are synchronized
‒ Security groups are synchronized as security groups
• Contact objects
‒ Only mail-enabled contacts are synchronized
‒ Target address is synchronized to Office 365
DirSync Synchronization

• New user, group, and contact objects that are added on-premises are added to Office 365
• Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365
• Existing user objects that are disabled on-premises are disabled in Office 365
• Existing user, group, or contact object attributes (those that are synchronized) that are modified on-premises are modified in Office 365
DirSync Synchronization (diagram)

On-premises: Active Directory, Exchange Server, DirSync (client side)
Microsoft Online Services: AWS (DirSync Web Service), Online Directory, SharePoint Online, Live ID, Exchange Online, Lync Online

• Sync Cycle Step 1: Import Users, Groups, and Contacts from the source Active Directory forest
• Sync Cycle Step 2: Import Users, Groups, and Contacts from Microsoft Online Services via AWS
• Sync Cycle Step 3: Export Users, Groups, and Contacts that do not already exist in Microsoft Online Services

Example object flow shown in the diagram:
‒ On-premises: User Object, Mailbox-Enabled; ProxyAddresses: SMTP: [email protected]
‒ Microsoft Online Services: Logon Enabled User Object (Unlicensed), Mail-Enabled User (not Mailbox-Enabled); ProxyAddresses: SMTP: [email protected], smtp: [email protected]; TargetAddress:
DirSync Synchronization

• First synchronization cycle after installation is a full synchronization
‒ Time-consuming process relative to the number of objects synchronized
‒ ~5000 objects per hour
• Subsequent synchronization cycles are deltas only
‒ Much faster
• Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized
DirSync Synchronization

• Once implemented, on-premises AD becomes the “source of authority” for synchronized objects
‒ Modifications to synchronized objects must occur in the on-premises AD
‒ Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
• Scoping/Filtering
‒ Custom scoping or filtering is officially unsupported (guidance coming soon)
‒ V1 DirSync filter XML file is no longer an available option for filtering
DirSync Synchronization

• The on-premises objectGUID attribute value is written to the sourceAnchor attribute of the Office 365 object during initial object synchronization
‒ Referred to as a “hard match”
‒ DirSync knows which Office 365 objects it is the “source of authority” for by examining the sourceAnchor attribute
• DirSync can also match user objects created via the portal with on-premises objects if there is a match on the primary SMTP address
‒ Referred to as a “soft match”
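The following script is an added example and is not part of the Jump Start deck or of the DirSync tool. It reports, for every on-premises user, whether the tenant already holds a hard-matched object (ImmutableId equal to the base64 form of the on-premises objectGUID, which is how DirSync stores the sourceAnchor), a soft-match candidate (same primary SMTP address, no anchor yet), or a conflict (same primary SMTP address but an anchor from a different object). It assumes the ActiveDirectory and MSOnline modules on PowerShell 3.0 or later, an open Connect-MsolService session, and a placeholder OU; run it before the first synchronization so that soft matches and conflicts are reviewed rather than discovered in the sync error mail.

```powershell
# Added example, not from the Jump Start deck. Requires the ActiveDirectory
# module (PowerShell 3.0+) and the MSOnline module with an open
# Connect-MsolService session. The OU below is a placeholder.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    # DirSync writes the on-premises objectGUID as the sourceAnchor; in the
    # tenant it is exposed as the user's ImmutableId, base64 of the GUID bytes.
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # The primary SMTP address carries the upper-case 'SMTP:' prefix
    $p = @($ProxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($p) { $p.Substring(5).ToLowerInvariant() } else { $null }
}

function Get-MatchReport {
    param([string]$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com')  # placeholder

    $cloudByAnchor = @{}
    $cloudBySmtp   = @{}
    foreach ($c in Get-MsolUser -All) {
        if ($c.ImmutableId) { $cloudByAnchor[$c.ImmutableId] = $c }
        $smtp = Get-PrimarySmtp -ProxyAddresses $c.ProxyAddresses
        if ($smtp) { $cloudBySmtp[$smtp] = $c }
    }

    foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses) {
        $anchor = Get-ExpectedImmutableId -ObjectGuid $u.ObjectGUID
        $smtp   = Get-PrimarySmtp -ProxyAddresses $u.proxyAddresses
        $cloud  = $null
        if ($cloudByAnchor.ContainsKey($anchor)) {
            $state = 'HardMatched'
            $cloud = $cloudByAnchor[$anchor]
        } elseif ($smtp -and $cloudBySmtp.ContainsKey($smtp)) {
            $cloud = $cloudBySmtp[$smtp]
            # Same primary SMTP, but the cloud object is already anchored to a
            # different on-premises object: DirSync will report a conflict
            $state = if ($cloud.ImmutableId) { 'AnchorConflict' } else { 'SoftMatchCandidate' }
        } else {
            $state = 'NotInTenant'
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            PrimarySmtp    = $smtp
            ExpectedAnchor = $anchor
            CloudUpn       = if ($cloud) { $cloud.UserPrincipalName } else { $null }
            State          = $state
        }
    }
}

Get-MatchReport | Sort-Object State, SamAccountName | Format-Table -AutoSize
```

A soft match hands the cloud object, including whatever licenses and mailbox content it already has, to the on-premises object with that primary SMTP address, so every SoftMatchCandidate row should be confirmed to be the same person before DirSync is turned on.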
DirSync Synchronization

• Synchronization errors are emailed to the Technical Contact for the subscription
‒ Recommend using a distribution group as the Technical Contact email address
• Example errors include:
‒ Synchronization health status
   • Sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
‒ Objects whose attributes contain invalid characters
‒ Objects with duplicate/conflicting email addresses
‒ Sync quota limit exceeded
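Two of the error classes above, invalid characters and duplicate or conflicting email addresses, can be found in the on-premises directory before DirSync ever reports them. The script below is an added example, not part of the deck or of DirSync: it walks the users, groups and contacts DirSync would pick up, collects each object's mail, userPrincipalName and SMTP proxy addresses, and flags addresses that another object already claims or that fail a local-part check. It assumes the ActiveDirectory module on PowerShell 3.0 or later; the allowed character set is an assumption (the RFC 5321 atext set), since the deck does not list which characters Office 365 rejects.

```powershell
# Added example, not from the Jump Start deck. Requires the ActiveDirectory
# module (PowerShell 3.0+). The allowed local-part characters are an assumption
# (RFC 5321 atext); the deck does not enumerate the invalid characters.
Import-Module ActiveDirectory

$LocalPartPattern = '^[A-Za-z0-9!#$%&''*+/=?^_`{|}~.-]+$'
$DomainPattern    = '^[A-Za-z0-9.-]+$'

function Test-SyncCandidates {
    # Users, groups and contacts that DirSync would synchronize; computer is a
    # subclass of user in the schema, so it is excluded explicitly
    $filter  = '(&(|(objectClass=user)(objectClass=group)(objectClass=contact))(!(objectClass=computer)))'
    $objects = Get-ADObject -LDAPFilter $filter -Properties mail, proxyAddresses, userPrincipalName
    $claimed = @{}   # lower-cased address -> DN of the first object that claimed it

    foreach ($o in $objects) {
        $addresses = @()
        if ($o.mail)              { $addresses += $o.mail }
        if ($o.userPrincipalName) { $addresses += $o.userPrincipalName }
        foreach ($p in @($o.proxyAddresses)) {
            # both 'SMTP:' (primary) and 'smtp:' (secondary) entries must be unique
            if ($p -match '^smtp:(.+)$') { $addresses += $Matches[1] }
        }
        foreach ($a in ($addresses | Select-Object -Unique)) {
            $parts = $a -split '@', 2
            if ($parts.Count -ne 2 -or $parts[0] -notmatch $LocalPartPattern -or $parts[1] -notmatch $DomainPattern) {
                [pscustomobject]@{ Issue = 'InvalidCharacters'; Address = $a; Object = $o.DistinguishedName; ConflictsWith = $null }
            }
            $key = $a.ToLowerInvariant()
            if ($claimed.ContainsKey($key) -and $claimed[$key] -ne $o.DistinguishedName) {
                # A UPN equal to another object's mail address is reported too:
                # Office 365 treats both as sign-in / routing identities
                [pscustomobject]@{ Issue = 'Duplicate'; Address = $a; Object = $o.DistinguishedName; ConflictsWith = $claimed[$key] }
            } elseif (-not $claimed.ContainsKey($key)) {
                $claimed[$key] = $o.DistinguishedName
            }
        }
    }
}

Test-SyncCandidates | Sort-Object Issue, Address | Format-Table -AutoSize -Wrap
```

Because the whole forest is in scope for DirSync, the scan runs forest-wide by default; the same Get-ADObject call can be pointed at one domain with -Server if the forest is large.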
Module 3: Office 365 DirSync, Single Sign-On & ADFS
• Reviewing Identities
• Understanding DirSync
• DirSync Requirements
• Understanding Single Sign-On & ADFS
DirSync | Computer Requirements

• Must be joined to an Active Directory domain within the same forest that will be synchronized with Office 365
‒ Does not have to be joined to the root domain
• Cannot be a domain controller
• Must be able to communicate with any/all domain controllers forest wide
• Should be located in an access controlled environment
‒ Access should be limited to those with access to domain controllers and other security sensitive systems
DirSync | AD Requirements

• Only routable domains can be used with a DirSync deployment
‒ Non-routable domains include .local, .loc or .internal
• If the organization has AD with only an internal namespace, it must:
‒ Add a routable UPN suffix in Active Directory Domains and Trusts
‒ Configure each user with that routable UserPrincipalName suffix
‒ [email protected] must be changed to [email protected]
‒ If this is not done, once DirSync runs, users will appear in Office 365 as [email protected] instead of [email protected]
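The suffix change and per-user UPN rewrite described above can be scripted. The block below is an added example, not part of the deck or of DirSync: it registers the routable suffix on the forest (the same change the deck makes through the Domains and Trusts console), lists enabled users still carrying the internal suffix, and rewrites each UPN, refusing any rewrite that would collide with an existing UPN and flagging users whose new UPN differs from their mail attribute (the value users will actually type at sign-in). It assumes the ActiveDirectory module on PowerShell 3.0 or later, Enterprise Admin rights for the forest change, and placeholder names company.local and company.com.

```powershell
# Added example, not from the Jump Start deck. Requires the ActiveDirectory
# module (PowerShell 3.0+); Set-ADForest needs Enterprise Admin rights.
# 'company.local' and 'company.com' are placeholder names.
Import-Module ActiveDirectory

function Add-RoutableUpnSuffix {
    param([Parameter(Mandatory = $true)][string]$Suffix)
    # Same change the deck describes making in Active Directory Domains and Trusts
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    }
}

function Get-NonRoutableUpnUsers {
    param([Parameter(Mandatory = $true)][string]$InternalSuffix)
    # Enabled users whose UPN is empty or still carries the internal suffix
    Get-ADUser -Filter { Enabled -eq $true } -Properties mail, userPrincipalName |
        Where-Object { -not $_.UserPrincipalName -or $_.UserPrincipalName -like "*@$InternalSuffix" }
}

function Set-RoutableUpn {
    param(
        [Parameter(Mandatory = $true)][string]$InternalSuffix,
        [Parameter(Mandatory = $true)][string]$RoutableSuffix,
        [switch]$Commit   # omit for a dry run
    )
    foreach ($u in Get-NonRoutableUpnUsers -InternalSuffix $InternalSuffix) {
        $prefix = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[0] } else { $u.SamAccountName }
        $newUpn = "$prefix@$RoutableSuffix"

        # A UPN must be unique forest-wide; never rewrite into a collision
        $clash = @(Get-ADUser -LDAPFilter "(userPrincipalName=$newUpn)") |
                 Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
        $status = if ($clash) { 'Collision' }
                  elseif ($u.mail -and $u.mail -ne $newUpn) { 'UpnDiffersFromMail' }
                  else { 'Ok' }

        if ($Commit -and $status -ne 'Collision') {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldUpn         = $u.UserPrincipalName
            NewUpn         = $newUpn
            Mail           = $u.mail
            Status         = $status
            Applied        = [bool]($Commit -and $status -ne 'Collision')
        }
    }
}

Add-RoutableUpnSuffix -Suffix 'company.com'
# Review the dry run first, then re-run Set-RoutableUpn with -Commit
Set-RoutableUpn -InternalSuffix 'company.local' -RoutableSuffix 'company.com' | Format-Table -AutoSize
```

Rows marked UpnDiffersFromMail are the ones that produce the “[email protected] instead of [email protected]” symptom in the tenant; decide per user whether the UPN or the mail attribute is the intended identity before committing.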
DirSync | Software Requirements

• Windows Installer 4.5 or later
• Windows PowerShell version 2.0
• Microsoft .NET Framework version 3.5 or later
• Windows Server 2003/R2 x86 with Service Pack 2 or later, or Windows Server 2008 x86 with the latest service pack installed
‒ x64 is supported
• Microsoft Online Services Sign-In Assistant
‒ Not a prerequisite for installation, but required when connecting to Office 365
DirSync | Hardware Requirements

• Minimum of 1 GB hard drive space
‒ 600 MB for a complete installation of all Directory Synchronization Tool components
‒ 400 MB required to create the initial database file
‒ Additional hard drive space most likely required for mid-size or larger companies
• Server hardware should meet minimum requirements
‒ For SQL Server 2008 R2 Express Edition and FIM (x64) or Identity Lifecycle Manager 2007 Feature Pack 1 (x86 - legacy)
DirSync | Network Requirements

• Synchronization with Office 365 occurs over SSL
• Internal network communication will use typical Active Directory related ports

Service                                 Protocol   Port
LDAP                                    TCP/UDP    389
Kerberos                                TCP/UDP    88
DNS                                     TCP/UDP    53
Kerberos Change Password                TCP/UDP    464
RPC                                     TCP        135
RPC randomly allocated high TCP ports   TCP        1024 - 65535 (49152 - 65535 ¹)
SMB                                     TCP        445
SSL                                     TCP        443
SQL                                     TCP        1433

¹ This is the range in Windows Server 2008 and in Windows Vista.
DirSync | Permission Requirements

• Account used to install DirSync must have:
‒ Local machine administrator permissions
‒ If using full SQL, rights within SQL to create the DirSync database, and to set up the SQL service account with the role of db_owner
• Account used to configure DirSync must reside in the local machine MIISAdmins group
‒ Account used to install DirSync is automatically added
• Administrator permission in the Office 365 tenant
‒ DirSync uses an administrator account in the tenant to provision and update/modify objects
DirSync | Permission Requirements

• Enterprise Administrator permission in the on-premises Active Directory
‒ Credential is not stored/saved by the configuration wizard
‒ Used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest
‒ Used to delegate the following permissions on each domain partition in the forest
   • Replicating Directory Changes
   • Replicating Directory Changes All
   • Replication Synchronization
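The three rights delegated to MSOL_AD_Sync are the extended rights a domain controller uses to replicate the directory; Replicating Directory Changes together with Replicating Directory Changes All also lets the holder request password hashes through the replication protocol, which is why the deck wants the DirSync server handled like a domain controller. The script below is an added example, not part of the deck or of DirSync: it reads the security descriptor of every domain naming context in the forest and lists each principal holding one of the three rights, or a GenericAll / blanket extended-rights grant that includes them. It assumes the ActiveDirectory module on PowerShell 3.0 or later and read access to each domain partition; the GUIDs are the schema-defined identifiers of those extended rights.

```powershell
# Added example, not from the Jump Start deck. Requires the ActiveDirectory
# module (PowerShell 3.0+) and read access to each domain partition's security
# descriptor. The GUIDs are the schema-defined identifiers of the three
# extended rights the deck lists.
Import-Module ActiveDirectory

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
$AllRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$NullGuid  = [guid]::Empty

function Get-ReplicationRightHolders {
    param([string[]]$Domains = (Get-ADForest).Domains)
    foreach ($domain in $Domains) {
        $dn = (Get-ADDomain -Identity $domain).DistinguishedName
        # A per-domain drive so the ACL is read from a DC of that domain
        New-PSDrive -Name ADAudit -PSProvider ActiveDirectory -Server $domain -Root '' | Out-Null
        try {
            $acl = Get-Acl -Path "ADAudit:\$dn"
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $guid  = $ace.ObjectType.ToString()
                $right = $null
                if ($ReplicationRights.ContainsKey($guid)) {
                    $right = $ReplicationRights[$guid]
                } elseif (($ace.ActiveDirectoryRights -band $AllRights) -eq $AllRights) {
                    $right = 'GenericAll (includes all extended rights)'
                } elseif (($ace.ActiveDirectoryRights -band $ExtRight) -eq $ExtRight -and $ace.ObjectType -eq $NullGuid) {
                    # ExtendedRight with an empty ObjectType means every extended right
                    $right = 'All extended rights'
                }
                if ($right) {
                    [pscustomobject]@{
                        Domain    = $domain
                        Identity  = $ace.IdentityReference.Value
                        Right     = $right
                        Inherited = $ace.IsInherited
                    }
                }
            }
        } finally {
            Remove-PSDrive -Name ADAudit
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Domain, Identity, Right | Format-Table -AutoSize
```

Expect the domain controller groups and the built-in administrative groups in the output; MSOL_AD_Sync will appear once DirSync is configured. Any other identity on the list can read every account's password hash and should be treated as an administrator of the forest, which also makes the DirSync server's local administrators effectively forest administrators.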
Module 3: Office 365 DirSync, Single Sign-On & ADFS
• Reviewing Identities
• Understanding DirSync
• DirSync Requirements
• Understanding Single Sign-On & ADFS
Single Sign-On | Purpose
• Enables users to access both the on-premises and cloud-based organizations with a single user name and password
• Provides users with a familiar sign-on experience
• Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools
Single Sign-On | Benefits
• Policy Control: password, lockout and account policies are set and enforced in on-premises Active Directory
• Access Control: access to Office 365 is granted or revoked centrally by managing the on-premises account
• Reduced Support Calls: users have one set of credentials to remember
• Security: the user's password is validated by on-premises AD FS and never leaves the organization
Single Sign-On | Server Requirements
• Windows Server 2008 or Windows Server 2008 R2
• Active Directory Federation Services 2.0 (ADFS 2.0)
• PowerShell
• Web Server (IIS)
• .NET 3.5 SP1
• Windows Identity Foundation
• Publicly registered domain name
• SSL certificates
• Microsoft Online Services Module for Windows PowerShell
‒ Microsoft Online Sign-In Assistant
• High availability design
Single Sign-On | Client Requirements
• Internet Explorer 7.0 or later
• Firefox 3.0
• Chrome 6.0 or later
• Safari 4.0 or later
• Microsoft Office 2010 / Office 2007 SP2
• Microsoft Office for Mac 2011 SP1
• Microsoft Office 2008 for Mac version 12.2.9
• Office 365 Desktop Setup
‒ Microsoft Online Sign-In Assistant
Single Sign-On | Requirements
• Office 365 Desktop Setup
• Automatically detects necessary updates for a computer
‒ Installs Microsoft Online Sign-In Assistant
‒ Installs operating system and client software updates required for connectivity with Office 365
• Automatically configures Internet Explorer and rich clients for use with Office 365
• Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
Single Sign-On | Requirements
• Microsoft Online Sign-In Assistant
• Can be installed automatically by Office 365 Desktop Setup or manually
• Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
• Not required for web kiosk scenarios (e.g. OWA)
• Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)
ADFS 2.0 Components
ADFS 2.0 Server
• The default topology for Office 365 is an AD FS 2.0 federation server farm: multiple servers hosting your organization's Federation Service.
• Use at least two federation servers in a load-balanced configuration.
ADFS 2.0 Proxy Server
• Federation server proxies forward client authentication requests coming from outside your corporate network to the federation server farm.
• Federation server proxies should be deployed in the perimeter network (DMZ), so that the domain-joined federation servers are never exposed directly to the Internet.
AD FS 2.0 Deployment Options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server, or UAG/TMG (for external users, ActiveSync, and down-level clients with Outlook)
[Diagram: the enterprise network holds Active Directory and either a single AD FS 2.0 server or a farm of AD FS 2.0 servers; the perimeter network holds the AD FS 2.0 proxies. An internal user authenticates directly to the AD FS 2.0 server(s); an external user reaches them through the proxy.]
Deployment Architecture

Number of users          Minimum number of servers
Fewer than 1,000         0 dedicated federation servers
                         0 dedicated federation server proxies
                         1 dedicated NLB server
1,000 to 15,000          2 dedicated federation servers
                         2 dedicated federation server proxies
15,000 to 60,000         Between 3 and 5 dedicated federation servers
                         At least 2 dedicated federation server proxies
Identity Federation | Authentication Flow (Web Profile)
[Diagram: on the customer side, a client joined to CorpNet, Active Directory and an AD FS 2.0 server; on the Microsoft Online Services side, the authentication platform and Exchange Online or SharePoint Online. The client logs on to the AD FS 2.0 server, which authenticates it against Active Directory and issues a SAML 1.1 token carrying the user's source ID (shown as “Source User ID: ABC123”). The authentication platform maps that source ID to the cloud account's unique ID (shown as “Unique ID: 254729”) and returns an auth token, which the client presents to Exchange Online or SharePoint Online.]
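The following PowerShell is an added example, not part of the course material, that parses a SAML 1.1 assertion of the shape AD FS 2.0 issues to Microsoft Online Services in the flow above and applies the checks the relying party makes before it maps the source ID to a cloud account: version, issuer, validity window, audience, and the two claims Office 365 requires (UPN and ImmutableID). The assertion is constructed for the example; sts.contoso.com, alice@contoso.com and the ImmutableID value are placeholders. The XML signature is not verified here (Microsoft Online checks it against the token-signing certificate published in the AD FS federation metadata), so the example reports an unsigned assertion as a finding rather than rejecting it outright.

```powershell
# Added example (not from the course): checks on a SAML 1.1 assertion bound for Microsoft Online.
$SamlNs = 'urn:oasis:names:tc:SAML:1.0:assertion'
$DsigNs = 'http://www.w3.org/2000/09/xmldsig#'

function Test-MsolSamlAssertion {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [Parameter(Mandatory)][string]$ExpectedIssuer,   # your AD FS Federation Service identifier
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $doc = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', $SamlNs)
    $ns.AddNamespace('ds', $DsigNs)
    $a = $doc.SelectSingleNode('/saml:Assertion', $ns)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($a.MajorVersion -ne '1' -or $a.MinorVersion -ne '1') { $findings.Add('not a SAML 1.1 assertion') }
    if ($a.Issuer -ne $ExpectedIssuer) { $findings.Add("issuer '$($a.Issuer)' is not the expected federation service") }

    # Conditions: validity window (compared in UTC) and audience restriction
    $cond = $a.SelectSingleNode('saml:Conditions', $ns)
    $utc  = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.NotBefore, $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.NotOnOrAfter, $utc)
    if ($Now -lt $notBefore)    { $findings.Add("token not yet valid (NotBefore $($cond.NotBefore))") }
    if ($Now -ge $notOnOrAfter) { $findings.Add("token expired (NotOnOrAfter $($cond.NotOnOrAfter))") }
    $audiences = @($cond.SelectNodes('saml:AudienceRestrictionCondition/saml:Audience', $ns) | ForEach-Object { $_.InnerText })
    if ($audiences -notcontains 'urn:federation:MicrosoftOnline') { $findings.Add('audience is not urn:federation:MicrosoftOnline') }

    # Claims Office 365 requires: UPN (which federated domain) and ImmutableID (which directory object)
    $upn = $a.SelectSingleNode("saml:AttributeStatement/saml:Attribute[@AttributeName='UPN' and @AttributeNamespace='http://schemas.xmlsoap.org/claims']/saml:AttributeValue", $ns)
    $iid = $a.SelectSingleNode("saml:AttributeStatement/saml:Attribute[@AttributeName='ImmutableID' and @AttributeNamespace='http://schemas.microsoft.com/LiveID/Federation/2008/05']/saml:AttributeValue", $ns)
    if (-not $upn) { $findings.Add('UPN claim missing') }
    if (-not $iid) { $findings.Add('ImmutableID claim missing') }
    else {
        # DirSync populates ImmutableID from objectGUID (base64), so it must decode to exactly 16 bytes
        try { $bytes = [Convert]::FromBase64String($iid.InnerText) } catch { $bytes = @() }
        if ($bytes.Length -ne 16) { $findings.Add('ImmutableID is not a base64-encoded objectGUID') }
    }

    $signed = $null -ne $a.SelectSingleNode('ds:Signature', $ns)
    if (-not $signed) { $findings.Add('assertion carries no XML signature') }

    [pscustomobject]@{
        UPN         = if ($upn) { $upn.InnerText } else { $null }
        ImmutableID = if ($iid) { $iid.InnerText } else { $null }
        Signed      = $signed
        Valid       = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

# Constructed sample assertion (placeholder issuer, user and ImmutableID; no signature)
$sample = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_8e3a1c6f-0f1b-4c1b-9d0e-000000000001"
    Issuer="http://sts.contoso.com/adfs/services/trust" IssueInstant="2012-09-10T14:00:00Z">
  <saml:Conditions NotBefore="2012-09-10T14:00:00Z" NotOnOrAfter="2012-09-10T15:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>u2Vr1j8mQ0mS3W9yH5oL2g==</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>u2Vr1j8mQ0mS3W9yH5oL2g==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2012-09-10T14:00:00Z">
    <saml:Subject><saml:NameIdentifier>u2Vr1j8mQ0mS3W9yH5oL2g==</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
'@

$issuer = 'http://sts.contoso.com/adfs/services/trust'
# Inside the validity window: the only finding is the missing signature
Test-MsolSamlAssertion -AssertionXml $sample -ExpectedIssuer $issuer -Now ([datetime]::Parse('2012-09-10T14:30:00Z').ToUniversalTime())
# After NotOnOrAfter: an expiry finding is added
Test-MsolSamlAssertion -AssertionXml $sample -ExpectedIssuer $issuer -Now ([datetime]::Parse('2012-09-10T16:00:00Z').ToUniversalTime())
```

The ImmutableID claim is the “Source User ID” of the diagram: DirSync writes the user's objectGUID into it, and the authentication platform uses that value, not the UPN, to find the cloud object. That is why the two sides must agree on the source anchor and why the token-signing certificate that vouches for the claim has to be kept in sync with Office 365 whenever AD FS rolls it over.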
Recommended Resources
• ADFS 2.0 Deployment
‒ http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
‒ http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1
• More information on DirSync
‒ http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx
‒ http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspx
• Check out the course appendix
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is
for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. Some information relates to pre-released product which may be substantially
modified before it’s commercially released. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.