In this session we will look at how you can prepare your organization for Office 365, ranging from technical requirements for clients and servers to identity management. The session will focus on the core infrastructure of the Office 365 service.

1. Preparing for Office 365
Jan Egil Ring
Senior Consultant, Infrastructure
jan.egil.ring@crayon.com

2. Agenda
• Overview
• Identity management
• Federation
• DirSync
• Client requirements
• Gotchas
• Planning list
January 22, 2012 NIC 2012

3. Microsoft Office 365 – what is it?

4. •
What’s New in Office 365
• • •
• •
•
• •
•
• •
•
• •
• •
•
•
•
• •
•
•
•
•
•
•
4 | Microsoft Confidential

5. • • •
• • •
• • •
•
•
•
• •
• • •
5 | Microsoft Confidential

6. Planning list
• Decide which program to signup for
(Small
Business, Enterprise, Education)
• Sign up for a trial subscription and
deploy a lab/pilot environment
January 22, 2012 NIC 2012

7. Demo:
Microsoft Online Portal

8. Office 365 Identity Features
• Password policy controls for Microsoft Online IDs
• Single sign-on with corporate credentials
• Directory Synchronization updates
• Role-based administration: Five administration
roles
• Company Admin
• Billing Admin
• User Account Admin
• HelpDesk Admin
• Service Support Admin
• “Admin on behalf of” for support partners
8

9. Identity Architecture
1. Microsoft Online IDs
Microsoft Online
2. Microsoft Online IDs + DirSync Services
3. Federated IDs + DirSync Identity
Services
Trust Exchange
Contoso customer Online
premises
Active Authentication
Directory platform
IdP
SharePoint
Federation
Server 2.0 Online
IdP MS Online
Directory
Provisioning Directory Lync
AD platform Store
Sync Online
Office 365
Desktop
Setup Admin Portal
9

10. Identity Options Comparison
1. MS Online IDs 2. MS Online IDs + Dir Sync 3. Federated IDs + Dir Sync
Appropriate for Appropriate for Appropriate for
• Smaller orgs without AD • Medium/Large orgs with • Larger enterprise orgs with
on-premise AD on-premise AD on-premise
Pros Pros Pros
• No servers required on- • Users and groups mastered • SSO with corporate cred
premise on-premise • IDs mastered on-premise
• Enables co-existence • Password policy controlled
scenarios on-premise
Cons
• No SSO • 2FA solutions possible
Cons
• No 2FA • Enables co-existence
• No SSO
• 2 sets of credentials to scenarios
• No 2FA
manage with differing • 2 sets of credentials to Cons
password policies manage with differing • High availability server
• IDs mastered in the cloud password policies deployments required
• Single server deployment
10

11. Authentication flow (passive/web profile)
Customer Microsoft Online Services
User
Source ID
Active Directory
User
Source NET ID
ID
AD FS 2.0 Server Authentication platform
`
Exchange Online or
Client
SharePoint Online
(joined to CorpNet)
11

12. Authentication flow (MEX/Rich Client profile)
Customer Microsoft Online Services
Active Directory
User
Source ID
NET ID
AD FS 2.0 Server Authentication platform
`
Client Exchange Online
(joined to CorpNet)
12

13. Identity Details
• Microsoft Online Services requirements
• MS Online business scenarios always use WS-*
• WS-Trust provides support for rich client
authentication
• Identity federation supported initially only through AD
FS 2.0
• Protocols supported
• WS-*, SAML1.1
• SAML-P coming later (with Shibboleth support)
• Strong authentication (2FA) solutions
• Web applications via ADFS Proxy sign in page or other
proxies (UAG/TMG)
• Rich Clients dependent on configuration
13

14. AD FS 2.0 Deployment Options
1.Single server configuration
2.AD FS 2.0 server farm and load-balancer
3.AD FS 2.0 proxy server or UAG/TMG
Active
Directory
AD FS 2.0 AD FS 2.0 AD FS 2.0
Server Server Server
Proxy
AD FS 2.0
Server
Proxy
Internal
user Enterprise
DMZ
14

15. Deployment Options Identity Federation
• Domain conversion is a big switch
• Staged Rollout
• Start with a Federated Domain and license users over
time
• Piloting Federation
• Suitable for Existing production standard domain
(running Directory Sync) containing production licensed
users
• Must use a different test domain, not sub-domain of an
existing domain
• Update Users UPN on premise to new Test domain
• Must revert users back to a Managed domain at end of
pilot
15

16. Preparing for Identity Federation
• Every User must have a UPN
• UPN suffix must match a validated domain in
Office 365
• UPN Character restrictions
• Letters, numbers, dot or dash
• No dot before @ symbol
• Users may need to understand that they must
use UPN to logon to Office 365 Apps
• Can be hidden from users with smart links from
domain machines
16

17. Demo:
Office 365 Deployment
Readiness Tool

18. Single Forest AD Structures
• Matching domains
• Internal Domain and External domain are the same E.g.
contoso.com
• Sub Domain
• Internal domains is a sub domain of the external domain
E.g. Corp.contoso.com
• .Local Domain
• Internal domain is not publicly “registered” E.g.
Contoso.local
• Multiple distinct UPN suffixes in Single forest
• E.g. mix of users having login UPNs under contoso.com
and fabrikam.com 18

19. Single Forest Considerations
• Matching domain
• No special requirements
• Sub Domain
• Requires Domains registered in order, primary then sub
domains
• Local Domain
• Domain ownership can‟t be proved, must use a different
domain
• Requires all users to get new UPN
• Multiple distinct domains
• Requires additional switches to support a single ADFS
server during setup
19

20. Multi Forest Support
• Key requirement to enable Single Sign On
with multi forest
• Various models being investigated
• Single Account/Resources forests
• Multiple separate Account forests with Single
resource forest
• Consolidated Sync forest (V1)
• True Multi forest
20

21. Update Rollup 1 for Active Directory
Federation Services (AD FS) 2.0
• Released in October 2011
• Hotfixes and new features
• Major feature for Office 365: Multiple Issuer Support
http://support.microsoft.com/kb/2607496

22. Demo: Active Directory
Federation Services

23. Planning list
• If testing/deploying federation, remember to
install AD FS 2.0 Update Rollup 1
• Based on the demo/lab experiences, decide
which identity features you want to deploy
January 22, 2012 NIC 2012

24. Directory Sync
What is Directory Sync?
• What does Directory Sync do for you & your
users
• When to use Directory Sync
Using Directory Sync
• Requirements
• How Directory Sync works
• Gotchas

25. Identity Architecture
1. Microsoft Online IDs
Microsoft Online
2. Microsoft Online IDs + DirSync Services
3. Federated IDs + DirSync Identity
Services
Trust Exchange
Contoso customer Online
premises
Active Authentication
Directory platform
IdP
SharePoint
Federation
Server 2.0 Online
IdP MS Online
Directory
Provisioning Directory Lync
AD platform Store
Sync Online
Office 365
Desktop
Setup Admin Portal
25

26. What does Directory Sync do for
you
• Enables you to manage your company‟s
information in one central location for both on-
premise intranet and Office 365
• Runs as an appliance
• Install and forget
• Proactively reports errors via email
• “No news is good news”

27. What does Directory
Synchronization do for users
• Seamless user experience across on-premise
and Office 365 services (Exchange, Lync,
SharePoint)
• Flavors of Co-Existence
• Identity Co-Existence (aka Single Sign-On,
Federated Identity, Federated Authentication)
• Application Co-Existence

28. Identity Co-Existence
• Facilitates “Single Sign-On” Experience
• For users: Single set of credentials to manage
• On-premise users, security
groups, distribution lists, contacts are
available in the cloud
• Complete Address Books in Exchange Online
• SharePoint Online ACL‟ing via Security Groups
• Users, contacts, groups can be created directly
in Office 365, or sync‟d from on-premise!

29. Exchange Server Co-Existence
• 2 types:
• Simple
• Rich
Simple Co-Existence:
• Full, consistent Address Book available
across all O365 services
• Exchange Online users can receive mail at
any of their (valid) on-premise Proxy
Addresses
• Conf Room support (Outlook Room Finder)

30. Exchange Server Co-Existence
Rich Co-Existence:
• Hybrid Deployments
• Staged migrations
• Keep data on-premise for various business or legal
requirements
• Free/Busy available to users on-premise and
in cloud

31. Exchange Server Co-Existence
Rich Co-Existence (con’t)
• Cross-Premise Services
• Customers with on-premise mailbox can have
voicemail in cloud
• Cloud Archiving
• Filtering Co-Existence (safe senders, blocked
senders)

32. When to use Directory
Synchronization
• Common Scenarios:
Scenario Use Directory
Synchronization?
Initial on-boarding/bulk No
Provisioning of users
only*
Identity Federation Yes
Long-term Yes
migration/adoption of
Office 365 Services
Partial Yes
adoption/migration to
Office 365 Services

33. Requirements
3 types of requirements:
1. Host OS that runs Directory Sync
• 32-bit ONLY
• Microsoft Windows Server® 2003 SP2 x86
• Microsoft Windows Server 2008 x86
• Cannot be Domain Controller
2. Active Directory Forest functional
level sync‟d by Directory Sync
• Microsoft Windows Server 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
NOTE: known incompatibility with Recycle Bin feature

34. Requirements
3 types of requirements:
1. Host OS that runs Directory Sync
• 32-bit and 64-bit
• Microsoft Windows Server® 2003 SP2 x86
• Microsoft Windows Server 2008 x86/x64
• Microsoft Windows Server 2008 R2
• Cannot be Domain Controller
2. Active Directory Forest functional level
sync‟d by Directory Sync
• Microsoft Windows Server 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
NOTE: known incompatibility with Recycle Bin feature in 32-bit client

35. Setting up Directory Sync -
Requirements
3. Rich Co-Existence
• Rich co-existence, need Exchange 2010 SP1 Client
Access Server (CAS) – Free
• Installs schema extensions required to support Rich
Co-Existence

36. Demo: Microsoft Online
Directory Sync Setup

37. How Directory Synchronization works
Architecture

38. Architecture - Client
• Uses Enterprise Admin credentials at configuration to
create self-managed account for sync purposes:
• Attribute-level write permissions for Rich Co-Existence
• Uses managed account with Global Administrator
privileges for Tenant
• Authenticates to O365 via Microsoft Online ID
• Syncs all users, contacts and groups from your (single)
AD forest
• Queries AD DirSync control for changes
• Filters out well-known objects and attributes patterns
• Syncs every 3 hours

39. Architecture - Client
• First sync run “full sync”
• Start-up, sync‟s all objects
• Subsequent runs “delta sync”
• Changes only
• Time required depends on data
size/complexity

40. Architecture - Client
• Based on ILM (32-bit) and FIM (64-bit)
• SQL Server 2008 R2 Express
• Should use full Microsoft SQL Server 2005 /
2008 for larger customers
• 10GB DB size limit
• Microsoft Online ID components for
Authentication to Office 365

41. Architecture - Server
• Syncs objects in “batches”
• Users provisioned into Microsoft Online ID
for login to Office 365
• All objects provisioned into Office 365
Directory Store
• objects flow into services based on subscription
(Exchange Online, Lync Online, SharePoint
Online)

42. Architecture – Sync Object Limits
• All customers initially subject to 10,000 object
limit
• “objects” = users, security groups, distribution
lists, contacts
• Will receive email
• contact support to increase object limit
• Larger customers (20,000+ users) sign-up for
special subscription type
• work with your MS account reps for more details!

43. Attribute Validation
• ProxyAddresses sanitization
• proxy addresses with non-registered domains are
stripped
• UPN Validation
• If UPN uses a non-registered domain, it will be
replaced with:
mailNickName „@‟ domain.onmicrosoft.com
(where domain is the primary domain the customer
registered at sign-up)

44. Attribute Validations
Attribute Most common issues
userPrincipalName • cannot have dot „.‟ immediately preceding „@‟
• cannot exceed 113 chars (64 for username,
48 for domain)
• cannot contain ! # $ % & * + - / = ? ^ _` {
|}~<>()
• cannot have duplicate UPNs
sAmAccountName • cannot contain “ / [ ] : | < > + = ; ? ,
• cannot end with dot „.‟
• cannot be more than 20 chars
• cannot be empty
proxyAddresses • cannot contain smtp addresses with domains
that are not registered for the tenant
• cannot have duplicate proxy addresses

45. Writing to On-Premise AD
• If Rich Co-Existence disabled, Directory Sync will not modify
customer‟s on-prem AD
• If Rich Co-Existence enabled, Directory Sync will modify up to 6
attributes on users:
Attribute Feature
SafeSendersHash Filtering Coexistence
BlockedSendersHash enables on-premise filtering using cloud
SafeRecipientHash safe/blocked sender info
msExchArchiveStatus Cloud Archive
Allows users to archive mail to the Office 365
service
ProxyAddresses Mailbox off-boarding
(cloudLegDN) Enables off-boarding of mailboxes back to on-
premise
cloudmsExchUCVoiceMailSe Voicemail Co-Existence
ttings Enables on-premise mailbox users to have Lync in
the cloud

46. Synchronization Errors
• Synchronization errors are communicated to
the IT Generalist via email
• Technical Contact is a very important to
Microsoft Online Directory Sync for
communication of sync health, errors, etc.
• Administrators must address these errors
through on-premise changes

47. Common Asks
• Filtering
• Not supported
• Automated “scoping out” can lead to data loss (user
mailboxes!)
• Filter file no longer supported
• Highly available Directory Sync
• Directory Sync tool not configurable for high
availability
NOTE: when Directory Sync tool down, Office 365 data
goes “stale”, Federated Authentication, etc. still works!

48. • Scale & Large customers?
• Directory Sync is used for MSFT! (~1M objects)
• Customers with 50K+ objects - use full SQL
installation
• PowerShell-based configuration

49. • Sync‟d objects are mastered on-premise
• need to update on-premise object to update cloud
object
• Stopping Directory Synchronization
• Cannot “de-activate” Directory Synchronization via
Microsoft Online Portal
• Can “turn off” Directory Synchronization client
• DirSync can now be activated/deactivated:
• Set-MsolDirSyncEnabled -EnableDirSync $false
• Set-MsolDirSyncEnabled -EnableDirSync $true
• http://support.microsoft.com/kb/2619062/en-us

50. Planning list
Things to think about:
1. Do you plan to enable Identity Federation?
• Register domains with Office 365
• Activate Federation
2. Do you plan to enable Rich Co-existence?
• Exchange 2010 SP1 CAS deployed on-premise?
3. Is your Active Directory “ready”?
• Microsoft Online Deployment Guide
(http://www.microsoft.com/online/deploy.aspx)
• Office 365 Deployment Readiness Tool

51. Client Requirements
Software Supported Versions
Office clients Microsoft Office® 2010 or Office 2007 SP2
Office 2008 for Mac & Entourage 2008 Web Services Edition
Office 2011 for Mac and Outlook 2011 for Mac
Microsoft Lync™ 2010
Communicator for Mac
Operating systems Windows 7
Windows Vista SP2
Windows XP SP3 with RPC over HTTP patch
Windows XP Home Edition , Windows XP Media Center Edition
MAC OS X 10.4 (Tiger), 10.5 (Leopard), 10.6 (Snow Leopard)
System software Microsoft .NET Framework 3.0 (for Windows XP)
Java client 1.4.2 (for Macintosh OS X)*
Client applications Microsoft Online Services Connector
Browser software Microsoft Internet Explorer 7
Mozilla Firefox 3.x, Apple Safari 3.x

52. Update XP / XP / Vista / Vista / Win7 / Win7 /
O2007 O2010 O2007 O2010 O2007 O2010
Windows XP SP3 X X
Vista SP2
X X
RPC over HTTP (KB974841 – XP, new for
X X X X
Vista)
Security update KB960818 – June 2009 &
X
new Office 2010 update)
Office 2007 SP2 X X X
Security Update for Office 2007 (KB972652
X X X
– Nov 2009)
Office Update KB980210
X
(only for WS 2008 R2)
Outlook hosting update for Office 2007 X X X
Outlook hosting update for Office 2010 X X X
Office Update KB2435954 X
Authentication components
(Microsoft Online Services Sign in Assistant X X X X X X
52 | Microsoft Confidential
& Add-on)

53. Office Professional Plus – What is it?
Flexible service offering with pay-as-you-go, per-user licensing
Word Publisher
The complete Office experience with services integration in Office 365
Excel Access
PowerPoint InfoPath
SharePoint
OneNote Simplified end user set-up to use online services
Workspace
Outlook Lync
Always the latest version of the Office apps, including Office Web Apps
• Excel • PowerPoint
• OneNote • Word
Familiar Office user experience to access services

54. Volume License Comparisons
Office Professional Plus Office Professional Plus
Subscription License Volume License
Download location • Office 365 Portal • VL Software Center
Software • Office Pro Plus + subscription agent • VL bits (Pro Plus or Standard)
• Single EXE • Extracted to use with deployment tools
Product Key / • Subscription based activation • Volume License technologies
Activation • Term – 30 days (monthly) • MAK perpetual activation,
• No keys to manage – only users KMS 180 days
• Manage KMS and /or MAK keys
When Reduced • In 60 days since last activation • MAK: N/A
Functionality Mode • “hard” RFM • KMS: within 180 days
(RFM) starts • “Notification mode”
Deployment options • Office 365 Portal • Unmanaged & Managed Options
• Unmanaged & Managed options • App-V
• Terminal Services
# of copies allowed • 5 active installs on different devices • Single device per license/activation
per user • Downgrade rights
• No downgrade rights
Fulfillment • Electronic software download • $27/ DVD media
54 | Microsoft Confidential

55. Connector Overview
• Updates client PCs with Windows and/or Office
products to work with Office 365 Services
• Leverages WSUS/WU to detect, download & install
updates
• Only installs updates that are required to connect to and
use services
• * Configure clients for subscribed services
• Run on-demand by end users with minimal system
footprint – Local Admin permissions to install
• Supports IT Admin Deployment (elevated privileges)

56. Connector Goals and Scenarios
• Goals
• Configure Office apps for end users (small and large
companies)
• Ensure Office 365 minimum requirements
• Windows: XP SP3 with Internet Explorer® 7, Microsoft
Vista® SP2, Windows Server® 2008 R2, Windows 7
RTM
• Office versions: Office 2007 SP2, Office 2010 RTM
• Scenarios
• Update/configure based on licensed services
• End user with elevated privileges
• End user without elevated privileges
• Small IT admin deployments
• Large IT admin deployments

57. Planning list
• Consider using the MAP Toolkit to inventory your
client environment for Office 365 readiness (Video
tutorial: http://bit.ly/sb2spo)
• Ensure prerequisites are deployed in advance –
Windows XP SP3, Windows Vista SP2, Windows 7,
Office 2007 SP2, Office 2010 as well as the Office
365 Connector and other hotfixes
January 22, 2012 NIC 2012

58. Gotchas
• No support for Office 2003
• No support for Internet Explorer 6
• No support for Office Communicator 2007 R2
• Client requirements (Online Services Connector)
• Removing domains
• Can‟t de-register domain from Office 365 until all users that have attributes with that domain
are removed
• No support for shared SIP-domain between Lync Online and Lync On-premise
• 3rd party tool required to migrate from Sharepoint On-premise to Sharepoint Online
• No Enterprise Voice (telephony) available in Lync Online
May or may not be deployment-blockers

59. Call to action (if deploying Office
365)
 Read the documentation (deployment guide
and service plans)
 Determine your serviceplan (Small Business,
Enterprise or Education)
 Run the Office 365 Deployment Readiness
Tool
 Design your Office 365 infrastructure (i.e. AD
FS servers, DirSync server, Exchange 2010)
 Test and pilot

60. Resources
• Microsoft Office 365 Deployment Guide
• http://www.microsoft.com/download/en/details.aspx?id=26509
• Office 365 ebook
• http://download.microsoft.com/download/1/2/F/12F1FF78-73E1-4714-9A08-
6A76FA3DA769/656949ebook.pdf
• Office 365 Deployment Readiness Tool
• http://community.office365.com/en-us/f/183/p/2285/8155.aspx
• Service Descriptions
• http://www.microsoft.com/download/en/details.aspx?id=13602
• PowerShell-module
• http://blog.powershell.no/2011/05/09/administering-microsoft-office-365-using-
windows-powershell

61. Planning list
• Decide which program to signup for (Small Business, Enterprise, Education)
• Sign up for a trial subscription and deploy a lab/pilot environment
• If testing/deploying federation, remember to install AD FS 2.0 Update Rollup 1
• Based on the demo/lab experiences, decide which identity features you want to deploy
• Do you plan to enable Identity Federation?
• Register domains with Office 365
• Activate Federation
• Do you plan to enable Rich Co-existence?
Exchange 2010 SP1 CAS deployed on-premise?
• Is your Active Directory “ready”?
• Microsoft Online Deployment Guide (http://www.microsoft.com/online/deploy.aspx)
• Office 365 Deployment Readiness Tool
• Consider using the MAP Toolkit to inventory your client environment for Office 365 readiness (Video tutorial:
http://bit.ly/sb2spo)
• Ensure prerequisites are deployed in advance
• Windows XP SP3, Windows Vista SP2, Windows 7
• Office 2007 SP2, Office 2010
• Office 365 Connector
• Required hotfixes
January 22, 2012 NIC 2012

62. Contact info
New-Object PSObject -Property @{
Name = "Jan Egil Ring"
"E-mail" =" jan.egil.ring@crayon.com"
TwitterId = "@JanEgilRing"
Website = "blog.powershell.no"
}