7/26/2019 03 o365 Smb Js Dirsync Sso Adfs
1/39
Published: 9/10/2012
12012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or othercountries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES,EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Office 365 for SMB Jump Start
Module 3: Office 365 DirSync, Single Sign-On & ADFS

Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers
Jump Start Schedule Target Agenda

Day 1: Administering Office 365
- Office 365 Overview & Infrastructure
- Office 365 User Management
- Office 365 DirSync, Single Sign-On & ADFS
- MEAL BREAK
- Administering Lync Online
- Administering SharePoint Online

Day 2: Administering Exchange Online
- Exchange Online Deployment & Migration
- Exchange Online FOPE
- Exchange Online Archiving & Compliance
- Exchange Online Overview & User Management
Module 3: Office 365 DirSync, Single Sign-On & ADFS
- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS
Reviewing Identity Types

Cloud Identity
- Separate credential from corporate credential
- Authentication occurs via cloud directory service
- Password policy stored in Office 365

Federated Identity
- Same credential as corporate credential
- Authentication occurs via on-premises Active Directory service
- Password policy is stored on-premises
- Requires Directory Synchronization
Reviewing Identity Usage Scenarios

Cloud Identity
- Scenario: Smaller organizations without on-premises Active Directory
- Pros: Does not require on-premises server deployment
- Cons: No Single Sign-On; No 2 Factor Authentication options; 2 sets of credentials to manage with, potentially, different password policies

Cloud Identity + DirSync
- Scenario: Medium to Large organizations with Active Directory on-premises
- Pros: Source of Authority is on-premises; Enables coexistence
- Cons: No Single Sign-On; No 2 Factor Authentication options; 2 sets of credentials to manage with, potentially, different password policies; Requires on-premises server deployment

Federated Identity*
- Scenario: Large enterprise organizations with Active Directory on-premises; Requires DirSync
- Pros: Single Sign-On experience; Source of Authority is on-premises; 2 Factor Authentication options; Enables coexistence
- Cons: Requires on-premises server deployment in high availability scenario
What is DirSync?

- Application that synchronizes on-premises Active Directory with Office 365
- x64 version based on FIM
- Previous x86 versions based upon ILM 2007
- Bundled with SQL 2008 R2 Express Edition
- Designed as an appliance: "set it and forget it"
DirSync | Enables Coexistence

- Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
- Provides a unified Global Address List (GAL) experience between on-premises and Office 365
  - Objects hidden from the GAL on-premises are also hidden from the Office 365 GAL
- Enables mail routing between on-premises and Office 365 with a shared domain namespace
- Enables application coexistence for Microsoft Lync
- Enables Exchange coexistence scenarios: simple and hybrid scenarios
DirSync | Enables Single Sign-On

- Enables run state administration and management of users, groups, and contacts
  - Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
  - Not intended as a single use bulk upload tool
DirSync Synchronization

- Entire Active Directory forest scoped for synchronization
- What is synchronized?
  - All user objects
  - All group objects
  - Mail-enabled contact objects
- Passwords are not synchronized
- Synchronization is from on-premises to Office 365 only (unless write-back is enabled)
- Synchronization occurs every 3 hours
  - Use the Start-OnlineCoexistenceSync cmdlet to force a sync
DirSync Synchronization | User Objects

- Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
  - Visible in the Office 365 GAL (unless explicitly hidden from GAL)
  - Logon enabled, but not automatically licensed to use services
  - Target address is synchronized for mail-enabled users
- Regular NT users are synchronized as regular NT users
  - Not automatically provisioned as mail-enabled in Office 365
- Resource mailboxes are synchronized as resource mailboxes
- Synchronized users are not automatically assigned a license
DirSync Synchronization

- Group Objects
  - Mail-enabled groups are synchronized as mail-enabled
  - Group memberships are synchronized
  - Security groups are synchronized as security groups
- Contact Objects
  - Only mail-enabled contacts are synchronized
  - Target address is synchronized to Office 365
DirSync Synchronization

- New user, group, and contact objects that are added on-premises are added to Office 365
- Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365
- Existing user objects that are disabled on-premises are disabled in Office 365
- Existing user, group, or contact object attributes (those that are synchronized) that are modified on-premises are modified in Office 365
DirSync Synchronization

[Diagram: on-premises Active Directory and Exchange Server with DirSync (client side), connected to Microsoft Online Services: Online Directory, AWS (DirSync Web Service), SharePoint Online, Live ID, Exchange Online, Lync Online]

Sync cycle:
- Step 1: Import users, groups, and contacts from the source Active Directory forest
- Step 2: Import users, groups, and contacts from Microsoft Online Services via AWS
- Step 3: Export users, groups, and contacts that do not already exist in Microsoft Online Services

Example object on each side:
- On-premises: user object, mailbox-enabled; ProxyAddresses: SMTP: [email protected]
- Microsoft Online Services: logon-enabled user object (unlicensed), mail-enabled user (not mailbox-enabled); ProxyAddresses: SMTP: [email protected], [email protected]; TargetAddress: [email protected]
DirSync Synchronization

- First synchronization cycle after installation is a full synchronization
  - Time-consuming process relative to the number of objects synchronized
  - ~5000 objects per hour
- Subsequent synchronization cycles are deltas only
  - Much faster
- Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized
DirSync Synchronization

- Once implemented, on-premises AD becomes the source of authority for synchronized objects
  - Modifications to synchronized objects must occur in the on-premises AD
  - Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
- Scoping/Filtering
  - Custom scoping or filtering is officially unsupported (guidance coming soon)
  - V1 DirSync filter XML file is no longer an available option for filtering
DirSync Synchronization

- The on-premises objectGuid AD attribute is assigned as the value of the sourceAnchor attribute during initial object synchronization
  - Referred to as a hard match
- DirSync knows which Office 365 objects it is the source of authority for by examining the sourceAnchor attribute
- DirSync can also match user objects created via the portal with on-premises objects if there is a match using the primary SMTP address
  - Referred to as a soft match
DirSync Synchronization

- Synchronization errors are emailed to the Technical Contact for the subscription
  - Recommend using a distribution group as the Technical Contact email address
- Example errors include:
  - Synchronization health status: sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
  - Objects whose attributes contain invalid characters
  - Objects with duplicate/conflicting email addresses
  - Sync quota limit exceeded
DirSync | Computer Requirements

- Must be joined to an Active Directory domain within the same forest that will be synchronized with Office 365
  - Does not have to be joined to the root domain
- Cannot be a domain controller
- Must be able to communicate with any/all domain controllers forest wide
- Should be located in an access controlled environment
  - Access should be limited to those with access to domain controllers and other security sensitive systems
DirSync | AD Requirements

- Only routable domains can be used with a DirSync deployment
  - Non-routable domains include .local, .loc, and .internal
- If the organization has AD with only an internal namespace, it must:
  - Add a routable UPN suffix in Active Directory Forests and Trusts
  - Configure each user with that routable UserPrincipalName suffix
  - [email protected] must be changed to [email protected]
  - If this is not done, once DirSync runs, users will appear in Office 365 as [email protected] instead of [email protected]
DirSync | Software Requirements

- Windows Installer 4.5 or later
- Windows PowerShell version 2.0
- Microsoft .NET Framework version 3.5 or later
- Windows Server 2003/R2 x86 with Service Pack 2 or later, or Windows Server 2008 x86 with the latest service pack installed; x64 is supported
- Microsoft Online Services Sign-In Assistant
  - Not a prerequisite for installation, but required when connecting to Office 365
DirSync | Hardware Requirements

- Minimum of 1 GB hard drive space
  - 600 MB for a complete installation of all Directory Synchronization Tool components
  - 400 MB required to create the initial database file
  - Additional hard drive space most likely required for mid-size or larger companies
- Server hardware should meet the minimum requirements for SQL Server 2008 R2 Express Edition and FIM (x64) or Identity Lifecycle Manager 2007 Feature Pack 1 (x86 - legacy)
DirSync | Network Requirements

- Synchronization with Office 365 occurs over SSL
- Internal network communication will use typical Active Directory related ports

Service                                  Protocol   Port
LDAP                                     TCP/UDP    389
Kerberos                                 TCP/UDP    88
DNS                                      TCP/UDP    53
Kerberos Change Password                 TCP/UDP    464
RPC                                      TCP        135
RPC (randomly allocated high TCP ports)  TCP        1024 - 65535 or 49152 - 65535 (1)
SMB                                      TCP        445
SSL                                      TCP        443
SQL                                      TCP        1433

(1) 49152 - 65535 is the range in Windows Server 2008 and in Windows Vista.
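A way to check a firewall allow-list from the DirSync host toward the domain controllers against the port table above, including the OS-dependent RPC dynamic range from the footnote. This is an added example, not part of the deck: the `PROTO port` / `PROTO lo-hi` allow-list format and the sample rules are constructed for the example, and SQL 1433 is included only because the slide lists it.

```python
# Required flows taken from the slide's table; the RPC dynamic range is added
# per operating system below.
REQUIRED_FLOWS = [
    ("LDAP", "TCP", 389, 389), ("LDAP", "UDP", 389, 389),
    ("Kerberos", "TCP", 88, 88), ("Kerberos", "UDP", 88, 88),
    ("DNS", "TCP", 53, 53), ("DNS", "UDP", 53, 53),
    ("Kerberos Change Password", "TCP", 464, 464),
    ("Kerberos Change Password", "UDP", 464, 464),
    ("RPC endpoint mapper", "TCP", 135, 135),
    ("SMB", "TCP", 445, 445),
    ("SSL", "TCP", 443, 443),
    ("SQL", "TCP", 1433, 1433),   # listed on the slide
]


def rpc_dynamic_range(dc_is_2008_or_later):
    """Randomly allocated high TCP ports: 49152-65535 on Windows Server 2008
    and Vista (slide footnote), 1024-65535 on earlier releases."""
    return (49152, 65535) if dc_is_2008_or_later else (1024, 65535)


def required_flows(dc_is_2008_or_later):
    lo, hi = rpc_dynamic_range(dc_is_2008_or_later)
    return REQUIRED_FLOWS + [("RPC dynamic ports", "TCP", lo, hi)]


def parse_rules(text):
    """Parse the constructed 'PROTO port' or 'PROTO lo-hi' allow-list format;
    '#' starts a comment and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, ports = line.split()
        lo, _, hi = ports.partition("-")
        rules.append((proto.upper(), int(lo), int(hi or lo)))
    return rules


def covered(flow, rules):
    """A flow is covered when one rule of the same protocol spans its whole range."""
    _, proto, lo, hi = flow
    return any(p == proto and rlo <= lo and rhi >= hi for p, rlo, rhi in rules)


def missing_flows(rules, dc_is_2008_or_later=True):
    """Required flows that no allow-list rule covers."""
    return [f for f in required_flows(dc_is_2008_or_later) if not covered(f, rules)]


# Constructed allow-list from the DirSync host toward the domain controllers.
SAMPLE_RULES = """
TCP 53
UDP 53
TCP 88
UDP 88
TCP 135
TCP 389
UDP 389
TCP 443
TCP 445
TCP 464          # change-password allowed over TCP only
TCP 1433
TCP 49152-65535  # dynamic RPC range sized for Server 2008 DCs
"""


def demo(dc_is_2008_or_later=True):
    return missing_flows(parse_rules(SAMPLE_RULES), dc_is_2008_or_later)
```

With the sample rules, demo() reports only the missing UDP 464 flow for Server 2008 domain controllers; run with dc_is_2008_or_later=False it also flags the RPC dynamic range, because a rule sized for 49152-65535 does not cover the 1024-65535 range older domain controllers use.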
DirSync | Permission Requirements

- Account used to install DirSync must have:
  1. Local machine administrator permissions
  2. If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the role of db_owner
- Account used to configure DirSync must reside in the local machine MIISAdmins group
  1. Account used to install DirSync is automatically added
- Administrator permission in the Office 365 tenant
  1. DirSync uses an administrator account in the tenant to provision and update/modify objects
DirSync | Permission Requirements (continued)

Enterprise Administrator permission in the on-premises Active Directory
  Credential is not stored/saved by the configuration wizard
  Used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain of the forest
  Used to delegate the following permissions to that account on each domain partition in the forest:
    Replicating Directory Changes
    Replicating Directory Changes All
    Replication Synchronization

Treat MSOL_AD_Sync and the DirSync server as highly privileged. Replicating Directory Changes All is the right a domain controller uses to replicate every attribute, including secret attributes such as password hashes, so any principal that holds it on a domain partition can pull the same data. Keep the set of principals holding these rights known and audited.
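The following is an added example, not code from the Jump Start deck or from Microsoft's DirSync tooling. It enumerates every principal that holds one of the three replication extended rights on each domain partition in the forest, including blanket ACEs that grant all extended rights, so that the MSOL_AD_Sync delegation can be checked after setup and reviewed later. The GUIDs are the fixed schema values for these rights; the list of expected holders is an assumption for a default forest and should be adjusted to the environment.

```powershell
# Added example; not part of the Jump Start deck. Audits which principals hold the three
# replication extended rights that the DirSync wizard delegates on every domain partition.
# The expected-holder list below is an assumption for a default forest; adjust it.

# Extended-rights GUIDs from the AD schema (fixed values under CN=Extended-Rights).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

# Principals that hold replication rights in a default forest (assumption).
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators'
)

function Get-ReplicationRightHolders {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # The domain head object carries the ACL that the DirSync wizard modified.
        $nc    = $domain.GetDirectoryEntry()
        $rules = $nc.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

        foreach ($ace in $rules) {
            $guid   = $ace.ObjectType.ToString()
            $rights = $ace.ActiveDirectoryRights

            # An ACE with an empty ObjectType and ExtendedRight (or GenericAll) grants
            # every extended right, replication included, without naming the GUID.
            $grantsAllExtended = ($ace.ObjectType -eq [guid]::Empty) -and
                ((($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -or
                 (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0))

            if (-not ($ReplicationRights.ContainsKey($guid) -or $grantsAllExtended)) { continue }

            $who = $ace.IdentityReference.Value
            $expected = ($ExpectedHolders -contains $who) -or
                        ($who -like '*\Domain Controllers') -or
                        ($who -like '*\Enterprise Read-only Domain Controllers') -or
                        ($who -like '*\MSOL_AD_Sync')   # the account DirSync creates

            if ($grantsAllExtended) { $rightName = 'All extended rights (blanket ACE)' }
            else                    { $rightName = $ReplicationRights[$guid] }

            [pscustomobject]@{
                Domain    = $domain.Name
                Identity  = $who
                Right     = $rightName
                Access    = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Review    = -not $expected   # $true = not on the expected list, look at it
            }
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Domain, Identity, Right | Format-Table -AutoSize
```

Run it once right after the configuration wizard to confirm the delegation landed only on MSOL_AD_Sync, and keep the output as a baseline; any new row with Review set to True is a change to who can replicate directory secrets.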
Module 3: Office 365 DirSync, Single Sign-On & ADFS

Reviewing Identities
Understanding DirSync
DirSync Requirements
Understanding Single Sign-On & ADFS
Single Sign-On | Purpose

Enables users to access both the on-premises and cloud-based organizations with a single user name and password
Provides users with a familiar sign-on experience
Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools
Single Sign-On | Benefits

Policy Control
Access Control
Reduced Support Calls
Security
Single Sign-On | Server Requirements

Windows Server 2008 or Windows Server 2008 R2
Active Directory Federation Services 2.0 (ADFS 2.0)
PowerShell
Web Server (IIS)
.NET 3.5 SP1
Windows Identity Foundation
Publicly registered domain name
SSL certificates
Microsoft Online Services Module for Windows PowerShell
Microsoft Online Sign In Assistant
High availability design
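Once the federation server is built and the domain converted, the trust rests on one thing: Office 365 validates every token against the token-signing certificate it has on record for the domain. The following is an added example, not code from the deck or from Microsoft's tooling, that checks both ends of that trust from a federation server: that the domain is Federated in the tenant, and that the token-signing certificate Office 365 holds matches the primary one AD FS 2.0 actually signs with. The domain name is an assumption; the property names used are those of the Microsoft Online Services Module (MSOnline) and the AD FS 2.0 snap-in.

```powershell
# Added example; not part of the Jump Start deck. Run on an AD FS 2.0 federation server.
# 'contoso.com' is an assumption; substitute the federated domain.
Import-Module MSOnline                                                # Microsoft Online Services Module
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue # AD FS 2.0 cmdlets

function Test-FederationTrust {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        return [pscustomobject]@{
            Domain = $DomainName
            Status = "Not federated ($($domain.Authentication)); AD FS is not in the sign-in path"
        }
    }

    # Office 365's record of the trust versus the certificate AD FS actually signs with.
    $cloud = Get-MsolFederationProperty -DomainName $DomainName |
             Where-Object { $_.Source -like '*Office 365*' }
    $local = Get-ADFSCertificate -CertificateType Token-Signing |
             Where-Object { $_.IsPrimary }

    $cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
    $localThumb = $local.Certificate.Thumbprint
    $daysLeft   = [int]($local.Certificate.NotAfter - (Get-Date)).TotalDays

    $status = if ($cloudThumb -ne $localThumb) {
        'MISMATCH: Office 365 will reject tokens signed by this server until Update-MsolFederatedDomain is run'
    } elseif ($daysLeft -lt 30) {
        "OK, but the token-signing certificate expires in $daysLeft days; plan the rollover"
    } else {
        'OK'
    }

    [pscustomobject]@{
        Domain          = $DomainName
        CloudThumbprint = $cloudThumb
        AdfsThumbprint  = $localThumb
        ExpiresInDays   = $daysLeft
        Status          = $status
    }
}

Connect-MsolService                              # prompts for a tenant administrator credential
Test-FederationTrust -DomainName 'contoso.com'
```

A mismatch is the usual cause of "your organization could not sign you in" after a certificate rollover: AD FS starts signing with the new certificate while Office 365 still trusts the old one until the federation properties are updated. The same check is worth scheduling, because the token-signing key is the credential for every user in the domain and its holder and expiry should never be a surprise.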
Single Sign-On | Client Requirements

Internet Explorer 7.0 or later
Firefox 3.0
Chrome 6.0 or later
Safari 4.0 or later
Microsoft Office 2010 / Office 2007 SP2
Microsoft Office for Mac 2011 SP1
Microsoft Office 2008 for Mac version 12.2.9
Office 365 Desktop Setup
Microsoft Online Sign In Assistant
Single Sign-On | Requirements

Office 365 Desktop Setup
Automatically detects necessary updates for a computer
Installs Microsoft Online Sign In Assistant
Installs operating system and client software updates required for connectivity with Office 365
Automatically configures Internet Explorer and rich clients for use with Office 365
Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
Single Sign-On | Requirements

Microsoft Online Sign-In Assistant
Can be installed automatically by Office 365 Desktop Setup or manually
Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
Not required for web kiosk scenarios (e.g. OWA)
Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)
ADFS 2.0 Components

ADFS 2.0 Server
The default topology for Office 365 is an ADFS 2.0 federation server farm that consists of multiple servers hosting your organization's Federation Service. Recommend using at least two federation servers in a load-balanced configuration.

ADFS 2.0 Proxy Server
Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm. Federation server proxies should be deployed in the perimeter network (DMZ), so that the domain-joined federation servers themselves are never exposed directly to the Internet.
AD FS 2.0 Deployment Options

1. Single server configuration
2. AD FS 2.0 Server Farm and load-balancer
3. AD FS 2.0 Proxy Server or UAG/TMG
   i. Needed for external users, ActiveSync, and down-level clients with Outlook

[Diagram: Enterprise network and Perimeter network. Internal user -> AD FS 2.0 Server farm (two servers) -> Active Directory. External user -> AD FS 2.0 Server Proxy (two proxies in the perimeter) -> AD FS 2.0 Server farm.]
Deployment Architecture

Number of users         Minimum number of servers
Fewer than 1,000        0 dedicated federation servers
                        0 dedicated federation server proxies
                        1 dedicated NLB server
1,000 to 15,000         2 dedicated federation servers
                        2 dedicated federation server proxies
15,000 to 60,000        Between 3 and 5 dedicated federation servers
                        At least 2 dedicated federation server proxies
Identity Federation | Authentication Flow (Web Profile)

[Diagram: Customer side: Client (joined to CorpNet), AD FS 2.0 Server, Active Directory. Microsoft Online Services side: Authentication platform, Exchange Online or SharePoint Online. The client authenticates to the AD FS 2.0 Server, which checks the user against Active Directory and issues a Logon (SAML 1.1) Token carrying UPN [email protected] and User ID ABC123. The Authentication platform validates that token and returns an Auth Token, which the client presents to Exchange Online or SharePoint Online. Identity record shown (User / Source ID / ID): UPN [email protected] / ABC123 / 254729.]
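The token in the flow above carries two claims that Office 365 uses to find the cloud object: the UPN, whose suffix must be a federated domain, and the User ID (ImmutableID), which DirSync populates from the on-premises objectGUID. The following is an added example, not code from the deck or from Microsoft's tooling. For each on-premises user in a federated UPN suffix it derives the ImmutableID that will appear in the token and compares it with the ImmutableId on the matching Office 365 user; a mismatch means a valid token that maps to nothing, and sign-in fails. The domain suffix and search base are assumptions.

```powershell
# Added example; not part of the Jump Start deck. 'contoso.com' and the OU are assumptions.
Import-Module ActiveDirectory
Import-Module MSOnline

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    # DirSync's default source anchor: base64 of the objectGUID's 16 raw bytes.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-FederatedIdentityMapping {
    param(
        [Parameter(Mandatory = $true)][string]$FederatedSuffix,
        [string]$SearchBase
    )

    # Tokens for a suffix that is not federated in the tenant are never accepted.
    $federatedDomains = Get-MsolDomain |
        Where-Object { $_.Authentication -eq 'Federated' } |
        ForEach-Object { $_.Name }
    if ($federatedDomains -notcontains $FederatedSuffix) {
        throw "$FederatedSuffix is not a federated domain in this tenant"
    }

    $query = @{ Filter = "UserPrincipalName -like '*@$FederatedSuffix'"; Properties = 'UserPrincipalName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $expected = ConvertTo-ImmutableId -ObjectGuid $user.ObjectGUID
        $cloud    = Get-MsolUser -UserPrincipalName $user.UserPrincipalName -ErrorAction SilentlyContinue

        if (-not $cloud) {
            $status = 'Missing in Office 365 (not synced yet, or UPN differs)'
        } elseif ($cloud.ImmutableId -eq $expected) {
            $status = 'OK'
        } else {
            $status = 'Mismatch: token will not map to this cloud object'
        }

        [pscustomobject]@{
            UPN               = $user.UserPrincipalName
            OnPremImmutableId = $expected
            CloudImmutableId  = $(if ($cloud) { $cloud.ImmutableId } else { $null })
            Status            = $status
        }
    }
}

Connect-MsolService                               # prompts for a tenant administrator credential
Test-FederatedIdentityMapping -FederatedSuffix 'contoso.com' -SearchBase 'OU=Staff,DC=contoso,DC=com' |
    Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Run it after the first DirSync pass and again after any account is recreated on premises: a deleted and recreated user gets a new objectGUID, so its token carries a new ImmutableID while the cloud object still holds the old one, which is exactly the mismatch this reports.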
Recommended Resources

ADFS 2.0 Deployment
http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1

More information on DirSync
http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx
http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspx

Check out the course appendix