03-o365-smb-js-v2-dirsyncadfs

Mod 3: DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers
Version 2.0 for Office 365
Posted 24-Nov-2015

TRANSCRIPT

The new Office - Enterprise Pitch Deck - Customer preview edition

Mod 3: DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers
Version 2.0 for Office 365
6/11/2013

Microsoft Office 365 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Jump Start Schedule / Target Agenda (Day 1 and Day 2: Administering Office 365)
- Office 365 Overview & Infrastructure
- Administering Lync Online
- Office 365 User Management
- Administering SharePoint Online
- Office 365 DirSync, Single Sign-On & ADFS
- Exchange Online Basic Management
- MEAL BREAK
- Exchange Online Deployment & Migration
- Exchange Security & Protection
- Exchange Online Archiving & Compliance

Module 3: DirSync, Single Sign-On & ADFS
- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS
- Windows Azure & ADFS
For Midsize Businesses and Enterprises

What is identity management?
Identity management deals with identifying individuals in a system and controlling access to the resources in that system. Authentication and authorization are the integral components of identity and access management:
- Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
- Authorization: determining which actions an authenticated entity is authorized to perform on the network.

Speaker notes: Authentication is proving you are who you say you are, e.g. authenticating to Office 365 with your UPN (User Principal Name). Authorization is what you have access to once you have authenticated, e.g. whether you are a standard user or a global admin who can add, register and verify domain names.

Core identity scenarios with Office 365

Cloud Identity
- Single identity in the cloud (Windows Azure Active Directory)
- Suitable for small and medium organizations with no integration to on-premises directories and no significant need for on-premises directory or applications

On-Premises Identity with Directory & Password Synchronization*
- Identities live in the on-premises directory and are synchronized (DirSync) to Windows Azure Active Directory, optionally with password synchronization*
- Single identity; without password synchronization the credentials are separate
- Suitable for medium and large organizations without federation

Federated Identity
- On-premises identity, directory synchronization plus federation
- Single federated identity and credentials
- Suitable for medium and large organizations

* Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013.

Cloud identity
- Rich experience with Office Apps
- Ease of deployment, management and support
- Lower cost, as no additional on-premises servers are required
- High availability and reliability, as all identities and services are managed in the cloud
(Diagram: User -> Windows Azure Active Directory; Cloud Identity, e.g. alice@<verified tenant domain>)

Considerations:
- Separate identities and credentials for Office 365 services if there are existing on-premises directories and services
- Separate password policies for online and on-premises applications
- No single sign-on to applications online and on-premises

Directory & Password Synchronization*
- Rich experience with Office Apps
- Directory synchronization between on-premises and online
- Identities are created and managed on-premises and synchronized to the cloud
- Single identity for on-premises and Office 365 services, but no single sign-on: users are still prompted to sign in to Office 365
- Password synchronization gives users the same credentials in both places ("same sign-on") at a lower cost than federation; it does not make this true single sign-on
- Reuse the existing directory implementation on-premises
(Diagram: On-Premises Identity, e.g. Domain\Alice, in AD or Non-AD (LDAP) -> Directory Synchronization and Password Synchronization -> Windows Azure Active Directory -> Cloud Identity, e.g. alice@<verified tenant domain>)

* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.

Considerations:
- Additional server for directory and password synchronization
- Requires FIM for multi-forest and Non-AD directories
- Additional licenses for FIM
- Additional cost for password synchronization if the on-premises directory store is not AD

Federated identity
- Single identity and sign-on for on-premises and Office 365 services
- Identities mastered on-premises with a single point of management
- Directory synchronization to synchronize directory objects into Office 365
- Secure token-based authentication
- Client access control based on IP address with ADFS
- Strong-factor authentication options for additional security with ADFS
(Diagram: On-Premises Identity, e.g. Domain\Alice, in AD or Non-AD (LDAP) -> Federation and Directory Synchronization -> Windows Azure Active Directory -> User)

Module 3: DirSync, Single Sign-On & ADFS

- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS
- Windows Azure & ADFS
For Midsize Businesses and Enterprises

What is DirSync?
- An application that synchronizes on-premises Active Directory objects (users, contacts and groups) with Office 365
- Initially designed as a software-based appliance: set it and forget it
- Multi-forest support now available
- Now called the Windows Azure Active Directory Sync Tool

DirSync | Enables Coexistence
- Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
- Provides a unified Global Address List experience between on-premises and Office 365; objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
- Enables coexistence for Exchange: works in both simple and hybrid deployment scenarios, and is the enabler for mail routing between on-premises and Office 365 with a shared domain namespace
- Enables coexistence for Microsoft Lync

DirSync | Enables Single Sign-On
- Enables run-state administration and management of users, groups and contacts
- Synchronizes adds/deletes/modifications of users, groups and contacts from on-premises to Office 365
- Enabler for Single Sign-On
- Not intended as a single-use bulk upload tool

Directory Synchronization Options

PowerShell & Graph API
- Suitable for small/medium size organizations with AD or Non-AD
- Performance limitations apply with PowerShell and Graph API provisioning
- PowerShell requires scripting experience
- The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

DirSync
- Suitable for organizations using Active Directory (AD); provides the best experience to most customers using AD
- Supports Exchange coexistence scenarios
- Coupled with ADFS, provides the best option for federation and synchronization
- Supports Password Synchronization with no additional cost
- Does not require any additional software licenses

Office 365 Connector
- Suitable for large organizations with certain AD and Non-AD scenarios
- Complex multi-forest AD scenarios
- Non-AD synchronization through Microsoft Premier deployment support
- Requires Forefront Identity Manager and additional software licenses

Single Forest DirSync
- x64 FIM-based appliance (set and forget)
- The x86 MIIS-based appliance is now unsupported; if you call support while running it, they will require you to upgrade before helping
- Scoping of object sync within the forest is now supported
- The AD objectGUID is used as the sourceAnchor (the link between the AD object and the Office 365 object)
- Password Synchronization for DirSync is coming 1H CY2013; a Password Sync early on-boarding program is underway

DirSync Synchronization
- The entire Active Directory forest is scoped for synchronization by default; the ability to modify what gets synced (specific OUs and objects) has been added
- What is synchronized: all user objects, all group objects, mail-enabled contact objects
- Synchronization is from on-premises to Office 365 only, unless write-back is enabled; write-back is only part of a full Hybrid Exchange installation
- Synchronization occurs every 3 hours
- Use the Start-OnlineCoexistenceSync cmdlet to force a sync

DirSync Synchronization | User Objects
- Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users): visible in the Office 365 GAL (unless explicitly hidden from the GAL), logon enabled, but not automatically licensed to use services; the target address is synchronized for mail-enabled users
- Regular NT users are synchronized as regular NT users; not automatically provisioned as mail-enabled in Office 365
- Resource mailboxes are synchronized as resource mailboxes
- Synchronized users are not automatically assigned a license; you still have to sign in to Office 365 and assign the license after the sync

DirSync Synchronization | Group and Contact Objects
- Group objects: mail-enabled groups are synchronized as mail-enabled; group memberships are synchronized; security groups are synchronized as security groups
- Contact objects: only mail-enabled contacts are synchronized; the target address is synchronized to Office 365

DirSync Synchronization
- New user, group, and contact objects that are added on-premises are added to Office 365
- Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
- Existing user objects that are disabled on-premises are disabled in Office 365
- Synchronized attributes of existing user, group, or contact objects that are modified on-premises are modified in Office 365
- Deleted objects are recoverable within 30 days of deletion

DirSync Synchronization
- The first synchronization cycle after installation is a full synchronization: a time-consuming process relative to the number of objects synchronized (~5,000 objects per hour)
- Subsequent synchronization cycles are deltas only, and much faster
- Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized

DirSync Synchronization
- Once implemented, on-premises AD becomes the source of authority for synchronized objects
- Modifications to synchronized objects must occur in the on-premises AD
- Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
- Scoping/Filtering: customers can exclude objects from synchronizing to Office 365 at the AD domain, organizational unit, or user-attribute level

DirSync Synchronization
- The on-premises objectGUID AD attribute value is assigned to the sourceAnchor attribute during initial object synchronization; this is referred to as a hard match
- DirSync knows which Office 365 objects it is the source of authority for by examining the sourceAnchor attribute
- DirSync can also match user objects created via the portal with on-premises objects if the primary SMTP address matches; this is referred to as a soft match
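The hard match is checkable from the administrator's side: the cloud object's ImmutableId is the Base64 encoding of the on-premises objectGUID bytes. The following script is an added example (not code from the deck) that computes that value for a user and compares it with what Office 365 holds. It assumes the RSAT ActiveDirectory module and the Microsoft Online Services Module for Windows PowerShell (MSOnline) are installed and that Connect-MsolService has already been run as a tenant administrator; the sAMAccountName "alice" in the usage line is an assumed name.

```powershell
# Added example, not part of the original deck: verify the DirSync hard match
# (sourceAnchor / ImmutableId) for one on-premises user.
Import-Module ActiveDirectory
Import-Module MSOnline   # assumes Connect-MsolService has already been run

function Get-OnPremSourceAnchor {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties objectGUID, userPrincipalName
    New-Object PSObject -Property @{
        SamAccountName    = $user.SamAccountName
        UserPrincipalName = $user.UserPrincipalName
        # DirSync stores the raw 16 GUID bytes, Base64-encoded, as the sourceAnchor
        SourceAnchor      = [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
    }
}

function Test-HardMatch {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $onPrem = Get-OnPremSourceAnchor -SamAccountName $SamAccountName
    $cloud  = Get-MsolUser -UserPrincipalName $onPrem.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) {
        return "$($onPrem.UserPrincipalName): no cloud object with this UPN (is the UPN suffix a verified domain?)"
    }
    if ([string]::IsNullOrEmpty($cloud.ImmutableId)) {
        # Portal-created users carry no ImmutableId; DirSync will attempt a soft match
        # on the primary SMTP address during the next cycle.
        return "$($onPrem.UserPrincipalName): cloud object has no ImmutableId (soft-match candidate)"
    }
    if ($cloud.ImmutableId -eq $onPrem.SourceAnchor) {
        return "$($onPrem.UserPrincipalName): hard match OK (ImmutableId $($cloud.ImmutableId))"
    }
    # A mismatch usually means the on-premises object was deleted and recreated (new GUID)
    # or the cloud object was previously matched to a different on-premises object.
    return "$($onPrem.UserPrincipalName): MISMATCH on-prem=$($onPrem.SourceAnchor) cloud=$($cloud.ImmutableId)"
}

Test-HardMatch -SamAccountName 'alice'   # assumed account name
```

A mismatch is the case to investigate before re-enabling sync for that object: DirSync will not overwrite a differing ImmutableId, and the cloud object will be reported as a conflict rather than updated.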

DirSync Synchronization
- Synchronization errors are emailed to the Technical Contact for the subscription; recommend using a distribution group as the Technical Contact email address
- Example errors include: synchronization health status (sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization); objects whose attributes contain invalid characters; objects with duplicate/conflicting email addresses; sync quota limit exceeded
- List of attributes that are synchronized: http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0

Module 3: DirSync, Single Sign-On & ADFS
- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS
- Windows Azure & ADFS
For Midsize Businesses and Enterprises

Slide purpose: Introduce that Office 365 is your complete office in the cloud

How to present this slide: Keep in mind that most people, when they hear Office 365, only hear Office and think Word, PowerPoint, Excel. And when they hear cloud, they think web apps only, thinking this is only a browser-based version of Office, similar to Google Apps. So it's important to take your time and labor on these 2 points specifically. Transition from the previous slide by saying: "We understand what technology you need to help you manage the business challenges you are facing. We are excited that there is a new offering in the market that has been designed specifically for you."

Talk track
- Introducing Office 365 Small Business Premium: this is an offering specifically designed for businesses with 1-10 users.
- First of all, Office 365 is a cloud-based productivity service hosted by Microsoft.
- It includes the latest version of the familiar Office applications (like Word, PowerPoint, Excel, that you currently run on your PC or laptop) that is always up to date.
- It also includes anywhere access to email, calendar, documents, and HD video conferencing that works seamlessly with the Office you know.
- And these are business-class productivity tools and enterprise-level security specifically designed for small businesses' needs and price range.
- Because this is designed with small businesses in mind, it's easy to set up and manage, without the need for IT experience.
- Plus, since this is a cloud service, it is supported and backed by a 99.9% uptime guarantee service level agreement. In contrast, some key business needs, such as Voice for PC to PC calling, Google Contacts, and Google Video, are not covered by the Google Apps for Business service level agreement (SLA).
- What's unique about Office 365 is that:
  - It works perfectly with the Office you know and use, so you or your employees don't have to learn a new tool or require additional training.
  - It is designed to help you work seamlessly online or offline. Say you are working on a proposal and want to get feedback from your partners or customers. You can start working on it on your own computer, then save to the cloud and share it securely with partners or customers for feedback. They can then access the documents and work on them with you online instead of emailing different versions back and forth. If you go offline, say when on a plane, you can still access the documents and work on them offline (using SkyDrive Pro), and Office 365 will automatically sync the document back to the cloud as soon as you have a connection again.
  - These are all enterprise-class services trusted by large corporations, designed to give you the reliability and security you expect: Coca-Cola Enterprises (72,000 employees), Starbucks, Campbell Soup, Hyatt Hotels (106,000 employees), the Department of Veterans Affairs (600,000 employees), Lowe's (>200,000 employees), Hallmark (9,500 employees), Japan Airlines (20,000 employees), and Burger King (3,500 users).
  - We do not violate your privacy or confidentiality requirements by using scanning technologies to read your email for targeting advertising like Google does.
- Let's drill down now on the specifics of Office 365 to help you understand why it's the right technology for your business. The first area we talked about is anywhere access.

DirSync Prerequisite Remediation
- Run the Microsoft Office 365 Deployment Readiness Tool: http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
- It analyzes the on-premises environment: domains, user identity and account provisioning, Exchange Online, Lync Online, SharePoint Online, client, network

DirSync Requirements
- DirSync (single forest) must be joined to a domain in the same forest that will be synchronized
- The DirSync server should never be installed on a domain controller
- The DirSync server should be Windows Server 2008 (x64) or later
- By default SQL Server 2008 R2 Express is installed: 10 GB database limit (approx. 50,000 objects); a full SQL option is available
- x64 single/multi-forest appliance available (the Office 365 Connector is also available for complex scenarios)

When using the full SQL option, you must ensure that the Enterprise Admin account has sysadmin rights on the SQL instance and that the DirSync account has public permissions.

DirSync | AD Requirements
- Only routable domains can be used with a DirSync deployment; non-routable domains include .local, .loc or .internal
- If the organization's AD has only an internal namespace, you must:
  - Add a routable UPN suffix in Active Directory Domains and Trusts
  - Configure each user with that routable UserPrincipalName, e.g. a UPN of the form user@contoso.local must be changed to user@contoso.com (a domain verified in Office 365)
- If this is not done, once DirSync runs the users will appear in Office 365 as user@contoso.onmicrosoft.com instead of user@contoso.com
- Need to add a screenshot to show how this is done, or maybe just a demo
- This can be a showstopper if the company has hard-coded usernames into some application
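The readiness tool covers these checks, but it helps to see what it is looking for. The following script is an added example (not the deck's or Microsoft's code) that audits on-premises AD for the three conditions this section and the earlier sync-error slide describe: a missing or non-routable UPN suffix, invalid characters in the UPN, and duplicate SMTP addresses across users, groups and contacts. It assumes the RSAT ActiveDirectory module; the set of characters treated as valid in a UPN prefix (letters, digits and . - _ ! # ^ ~) is taken from Microsoft's documentation and is an assumption you should confirm against the readiness tool's current list.

```powershell
# Added example, not part of the original deck: pre-flight audit of on-premises AD
# for conditions that make DirSync reject an object or mis-provision it in Office 365.
Import-Module ActiveDirectory

# Assumed valid character set for the UPN prefix (per Microsoft documentation).
$UpnPattern = '^[A-Za-z0-9._!#^~-]+@[A-Za-z0-9.-]+$'

function Test-UpnFormat {
    param([string]$Upn)
    if ([string]::IsNullOrEmpty($Upn))         { return 'missing UPN' }
    if ($Upn -notmatch $UpnPattern)            { return 'invalid characters' }
    if ($Upn -match '^\.|\.@')                 { return 'prefix starts or ends with a period' }
    if ($Upn -match '\.(local|loc|internal)$') { return 'non-routable UPN suffix' }
    return $null
}

function Find-DirSyncBlockers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $results = @()

    # 1. UPN problems on user objects
    foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties userPrincipalName) {
        $problem = Test-UpnFormat -Upn $u.UserPrincipalName
        if ($problem) {
            $results += New-Object PSObject -Property @{
                Object = $u.DistinguishedName; Problem = $problem; Value = $u.UserPrincipalName }
        }
    }

    # 2. Duplicate SMTP addresses across users, groups and contacts. DirSync reports these
    #    as "duplicate/conflicting email addresses" and skips the object.
    $owners  = @{}
    $objects = Get-ADObject -Filter { mail -like "*" -or proxyAddresses -like "*" } `
                            -SearchBase $SearchBase -Properties mail, proxyAddresses
    foreach ($o in $objects) {
        $addrs = @()
        if ($o.mail) { $addrs += $o.mail }
        foreach ($p in @($o.proxyAddresses)) {
            # -match is case-insensitive, so both smtp: (secondary) and SMTP: (primary) are taken
            if ($p -match '^smtp:') { $addrs += $p.Substring(5) }
        }
        foreach ($a in ($addrs | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)) {
            if ($owners.ContainsKey($a)) {
                $results += New-Object PSObject -Property @{
                    Object = $o.DistinguishedName; Problem = 'duplicate SMTP address'
                    Value  = "$a (also on $($owners[$a]))" }
            } else {
                $owners[$a] = $o.DistinguishedName
            }
        }
    }
    return $results
}

Find-DirSyncBlockers | Format-Table Problem, Value, Object -AutoSize
```

Run it against the OU scope you intend to synchronize; anything it lists will either fail to sync or land in Office 365 under the onmicrosoft.com default domain.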

Hardware Recommendations
Recommend a system that exceeds the minimum OS requirements.

Number of objects in AD   CPU      Memory   Hard disk size
Fewer than 10,000         1.6 GHz  4 GB     70 GB
10,000-50,000             1.6 GHz  4 GB     70 GB
50,000-100,000            1.6 GHz  16 GB    100 GB
100,000-300,000           1.6 GHz  32 GB    300 GB
300,000-600,000           1.6 GHz  32 GB    450 GB
More than 600,000         1.6 GHz  32 GB    500 GB

DirSync | Network Requirements
- Synchronization with Office 365 occurs over SSL
- Internal network communication uses the typical Active Directory related ports
- The DirSync server must be able to contact all DCs in the forest

Service                                  Protocol   Port
LDAP                                     TCP/UDP    389
Kerberos                                 TCP/UDP    88
DNS                                      TCP/UDP    53
Kerberos Change Password                 TCP/UDP    464
RPC                                      TCP        135
RPC randomly allocated high TCP ports    TCP        1024-65535 / 49152-65535*
SMB                                      TCP        445
SSL                                      TCP        443
SQL                                      TCP        1433
* 49152-65535 is the dynamic port range in Windows Server 2008 and later; 1024-65535 applies to Windows Server 2003.

DirSync | Permission Requirements
- The account used to install DirSync must have local machine administrator permissions and, if using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role
- The account used to configure DirSync must reside in the local machine MIISAdmins group; the account used to install DirSync is added automatically
- Administrator permission in the Office 365 tenant: DirSync uses an administrator account in the tenant to provision and update/modify objects

DirSync | Permission Requirements
- Enterprise Administrator permission in the on-premises Active Directory
- The credential is not stored/saved by the configuration wizard
- It is used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain of the forest
- It is used to delegate the following permissions to that account on each domain partition in the forest: Replicating Directory Changes, Replicating Directory Changes All, Replication Synchronization
- Replicating Directory Changes All allows reading every attribute of every object, including password hashes, so protect the DirSync server and the MSOL_AD_Sync credential as you would a domain controller
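Two checks a practitioner runs on the prospective DirSync server before installing, written here as an added example (not code from the deck): a TCP reachability test of every domain controller in the forest on the ports from the network requirements table, and a listing of every principal holding the three replication extended rights on each domain partition, which is where MSOL_AD_Sync will appear after setup and where any unexpected entry deserves an explanation. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain partitions' security descriptors. The three extended-right GUIDs are the well-known schema values for those rights.

```powershell
# Added example, not part of the original deck: DirSync server pre-install checks.
Import-Module ActiveDirectory

# (1) Reachability of every DC in the forest on the TCP ports from the requirements table.
#     A TCP connect says nothing about the UDP variants of DNS/Kerberos/LDAP.
function Test-DcPorts {
    param([int[]]$Ports = @(53, 88, 135, 389, 445, 464), [int]$TimeoutMs = 2000)
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            foreach ($port in $Ports) {
                $open = $false
                $client = New-Object System.Net.Sockets.TcpClient
                try {
                    $handle = $client.BeginConnect($dc.HostName, $port, $null, $null)
                    $open = $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
                } catch { $open = $false }   # e.g. name resolution failure
                finally { $client.Close() }
                New-Object PSObject -Property @{ Domain = $domain; DC = $dc.HostName; Port = $port; Open = $open }
            }
        }
    }
}

# (2) Who holds the replication extended rights on each domain partition.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

function Get-ReplicationRightHolders {
    foreach ($domain in (Get-ADForest).Domains) {
        $dn = (Get-ADDomain -Identity $domain).DistinguishedName
        # Map a provider drive per domain so Get-Acl talks to a DC of that domain
        $null = New-PSDrive -Name 'ADAudit' -PSProvider ActiveDirectory -Root '' -Server $domain
        try {
            foreach ($ace in (Get-Acl -Path "ADAudit:\$dn").Access) {
                $guid = $ace.ObjectType.ToString()
                if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
                    New-Object PSObject -Property @{
                        Domain = $domain; Identity = $ace.IdentityReference.Value; Right = $ReplicationRights[$guid] }
                }
            }
        } finally {
            Remove-PSDrive -Name 'ADAudit'
        }
    }
}

Test-DcPorts | Where-Object { -not $_.Open } | Format-Table Domain, DC, Port -AutoSize
Get-ReplicationRightHolders | Sort-Object Domain, Identity, Right | Format-Table Domain, Identity, Right -AutoSize
```

On a default domain the second listing shows the built-in Domain Controllers, Enterprise Domain Controllers, Administrators and Enterprise Read-only Domain Controllers entries; after DirSync setup it also shows MSOL_AD_Sync. Any other identity with "Replicating Directory Changes All" can replicate password hashes from the domain and should be reviewed.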

Module 3: DirSync, Single Sign-On & ADFS
- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS
- Windows Azure & ADFS
For Midsize Businesses and Enterprises

Single Sign-On | Purpose
- Enables users to access both the on-premises and cloud-based organizations with a single user name and password
- Provides users with a familiar sign-on experience
- Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools

Single Sign-On | Benefits
- Policy Control
- Access Control
- Reduced Support Calls
- Security

Single Sign-On | Server Requirements
- Windows Server 2008 or Windows Server 2008 R2 (Windows Server 2012 not currently supported)
- ADFS 2.0 setup installs: Web Server (IIS), .NET 3.5 SP1, Windows Identity Foundation
- Publicly registered, routable domain name
- SSL certificate(s); wildcard certificates supported*
- Microsoft Online Services Module for Windows PowerShell
- Microsoft Online Sign-In Assistant
- High availability design: dual-site, load balanced
- Choice between Windows Internal Database (WID) and SQL: WID supports a maximum of 5 federation servers; SQL supports SAML replay detection and the artifact store

* Wildcard SSL certificates are supported with ADFS. However, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to such a farm, use FSConfig.exe from the command line. Refer to the TechNet link for more details.

Single Sign-On | Client Requirements
- Browser: Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later
- Office client: Microsoft Office 2010/2007 (latest service pack), Microsoft Office for Mac 2011 (latest service pack). Note: support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013
- Office 365 Desktop Setup (suggested)
- Microsoft Online Sign-In Assistant

Single Sign-On | Client Endpoints
- Active Federation (MEX): applies to rich clients supporting ADFS; used by Lync and the Office subscription client; clients negotiate authentication directly with the on-premises ADFS server
- Basic Authentication (Active Profile): applies to clients authenticating with basic authentication; used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services; clients send basic authentication credentials to Exchange Online via SSL, and Exchange Online proxies the request to the on-premises ADFS server on behalf of the client
- Passive Federation (Passive Profile): applies to web browsers and documents opened via SharePoint Online; used by the Microsoft Online Portal, OWA, and the SharePoint portal; web clients (browsers) authenticate directly with the on-premises ADFS server
- When working through the firewall considerations, ensure that the MSO datacenter IP ranges have been granted access to port 443 on the ADFS proxy server located in the DMZ

Client access control
- Limit access to Office 365 based on network connectivity (internet versus intranet)
- Block all external access to Office 365 based on the IP address of the external client
- Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
- Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
- Use the Client Access Policy Builder! Test ADFS client access rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon. Refer to the TechNet link for more details.
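What the Client Access Policy Builder generates is an issuance authorization rule set on the Office 365 relying party trust. The following is an added example (not the deck's or the builder's code) that builds the three scenarios above as ADFS claim rule text and shows how they would be applied. It assumes ADFS 2.0 with Update Rollup 2 or later, which adds the request-context claims the rules rely on (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path); the corporate public IP regex 203.0.113.x is a placeholder you must replace with your own egress addresses, and the relying party display name is the default one Office 365 creates.

```powershell
# Added example, not part of the original deck: generate and apply ADFS 2.0 client
# access (issuance authorization) rules for the Office 365 relying party trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName       = 'Microsoft Office 365 Identity Platform'   # default RP display name
$CorpPublicIp = '^203\.0\.113\.(1|2)$'                       # ASSUMED placeholder egress IPs

function Get-ClientAccessRules {
    param(
        [ValidateSet('BlockExternal', 'BlockExternalExceptEas', 'BlockExternalExceptBrowser')]
        [string]$Scenario,
        [Parameter(Mandatory=$true)][string]$CorpIpRegex
    )
    # "External" = the request arrived via a federation server proxy (or was forwarded by
    # Exchange Online for a basic-auth client) AND the client IP is not one of ours.
    $external = @"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$CorpIpRegex"])
"@
    $exception = switch ($Scenario) {
        'BlockExternal'              { '' }
        'BlockExternalExceptEas'     { ' && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])' }
        'BlockExternalExceptBrowser' { ' && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])' }
    }
    # Deny rule followed by the default permit; an issued deny claim always wins.
    @"
@RuleName = "Deny external access ($Scenario)"
$external$exception
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
}

$rules = Get-ClientAccessRules -Scenario BlockExternalExceptEas -CorpIpRegex $CorpPublicIp
$rules   # review the generated rule text first

# Apply only after testing with a pilot account from outside the network: a wrong IP
# regex denies everyone outside, including administrators.
# Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $rules
```

Set-ADFSRelyingPartyTrust replaces the whole issuance authorization rule set, which is why the permit rule is regenerated alongside the deny rule. When a denial fires, the ADFS Admin event log records the claims it evaluated, so a misfiring regex is visible there.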

Deployment Considerations for UPN
- User objects must have a value for UPN in on-premises Active Directory
- The UPN domain suffix must match a verified domain in Office 365; the default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN suffix does not match a verified domain
- Users must switch to using the UPN to log on to Office 365, not domain\username
- The UPN must contain only valid characters; the Office 365 Deployment Readiness Tool verifies that on-premises objects have valid characters
- If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties and add the UPN suffix

Single Sign-On | Requirements
Office 365 Desktop Setup
- Automatically detects necessary updates for a computer
- Installs Microsoft Online Sign-In Assistant
- Installs operating system and client software updates required for connectivity with Office 365
- Automatically configures Internet Explorer and rich clients for use with Office 365
- Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
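The UPN suffix change described here and in the earlier AD Requirements slide is usually done in bulk rather than in the Domains and Trusts dialog. The following is an added example (not code from the deck) that adds a routable suffix to the forest and rewrites the UPN of every user on the old internal suffix, reporting only unless -Commit is given. It assumes the RSAT ActiveDirectory module and that the new suffix is already a verified domain in Office 365; contoso.local and contoso.com are assumed names.

```powershell
# Added example, not part of the original deck: add a routable UPN suffix and move
# users from a non-routable suffix onto it, dry-run by default.
Import-Module ActiveDirectory

function Add-RoutableUpnSuffix {
    param([Parameter(Mandatory=$true)][string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) { return "Suffix $Suffix already present in forest $($forest.Name)" }
    # Same effect as adding the suffix in Active Directory Domains and Trusts
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
    return "Added UPN suffix $Suffix to forest $($forest.Name)"
}

function Convert-UserUpnSuffix {
    param(
        [Parameter(Mandatory=$true)][string]$OldSuffix,    # e.g. contoso.local (assumed)
        [Parameter(Mandatory=$true)][string]$NewSuffix,    # e.g. contoso.com, verified in Office 365 (assumed)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$Commit                                    # without -Commit nothing is written
    )
    $users = Get-ADUser -Filter "userPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase -Properties userPrincipalName
    foreach ($u in $users) {
        # Keep the prefix, swap only the suffix, so the user's sign-in name prefix is unchanged
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"
        if ($Commit) { Set-ADUser -Identity $u -UserPrincipalName $newUpn }
        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName; OldUpn = $u.UserPrincipalName; NewUpn = $newUpn; Changed = [bool]$Commit }
    }
}

Add-RoutableUpnSuffix -Suffix 'contoso.com'
Convert-UserUpnSuffix -OldSuffix 'contoso.local' -NewSuffix 'contoso.com' | Format-Table -AutoSize   # dry run
# Convert-UserUpnSuffix -OldSuffix 'contoso.local' -NewSuffix 'contoso.com' -Commit                     # apply
```

Review the dry-run output with the application owners first: as the AD Requirements slide warns, any application that has hard-coded the old UPN breaks when the suffix changes.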

Single Sign-On | Requirements

Microsoft Online Sign-In Assistant
- Can be installed automatically by Office 365 Desktop Setup or manually
- Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
- Not required for web kiosk scenarios (e.g. OWA)
- Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)

Single Sign-On | ADFS 2.x Components

AD FS 2.x Server
- Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization's Federation Service
- Recommend using at least two federation servers in a load-balanced configuration

AD FS 2.x Proxy Server
- Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm
- Federation server proxies should be deployed in the DMZ

Single Sign-On | ADFS 2.x Deployment Options
- Single server configuration
- AD FS 2.x Server Farm and load-balancer
- AD FS 2.x Proxy Server or UAG/TMG (External Users, ActiveSync, Down-level Clients with Outlook)

[Diagram: AD FS 2.0 Deployment Options. Enterprise network: Active Directory and AD FS 2.0 Servers (single server or farm) serving the internal user; perimeter network: AD FS 2.0 Proxy serving the external user.]

Speaker Notes:

Provide a general overview of AD FS server possible topologies:

- Single server configuration: easiest one, internal only
- AD FS 2.0 Server Farm and load-balancer: provides access to external users. More info in next slides
- AD FS 2.0 Proxy Server or UAG/TMG: alternative deployment not using AD FS 2.0 Proxy

Deployment Architecture

Number of users         | Minimum number of servers
Fewer than 1,000 users  | 0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
1,000 to 15,000 users   | 2 dedicated federation servers, 2 dedicated federation server proxies
15,000 to 60,000 users  | Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies

AD FS 2.0 Capacity Planning Sizing Spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=2278

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx#bk_plandeploy

Single server deployments are still not recommended. Customers with fewer than 1,000 users should still have high availability; in other words, at least 2 proxies and 2 internal servers. For example, two internet-facing (perimeter network) servers for ADFS proxies, and two existing internal servers for internal ADFS servers. ADFS can be installed onto an existing application server, including a domain controller. A load balancer should still be deployed in the perimeter network in front of the ADFS proxies (thus, a dedicated load balancer).

For more than 1,000 users, dedicated server resources are recommended.

Understanding client authentication path

Module 3: DirSync, Single Sign-On & ADFS

- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS
- Windows Azure & ADFS

For Midsize Businesses and Enterprises

Windows Azure & ADFS

Why Windows Azure for ADFS? (IaaS)
- Virtual Network support: site-to-site VPN
- Computing: 99.95% SLA uptime for a highly available system; 99.9% SLA uptime for a single system
- Storage: 99.9%
- Full control over your virtual machines
- Pay as you go, OPEX vs CAPEX

[Diagram labels: Active Directory, AD FS 2.0 Server, AD FS 2.0 Server, Active Directory, Enterprise, VPN.]

Windows Azure: Terminology
- Cloud Service: role which several VMs take upon themselves to execute, e.g. ADFS. Cloud services need to have two instances or more to qualify for the SLA of 99.95%. 1 external virtual IP address per cloud service
- Availability Group

Windows Azure: Terminology
- Endpoints: you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
- Virtual Network: enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
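The terminology above (one external VIP per cloud service, two instances for the 99.95% SLA, endpoints bound to a port and protocol) comes together when the two ADFS servers are placed in one availability set and exposed through a single load-balanced HTTPS endpoint. The script below is an added example for this page, not the deck's material; it uses the classic (service management) Azure PowerShell cmdlets of the deck's era, and the cloud service, VM and set names are constructed placeholders.

```powershell
# Added example (not from the deck): two ADFS VMs in one cloud service and
# availability set behind a load-balanced 443 endpoint. Classic Azure
# service-management cmdlets; names are constructed placeholders.
Import-Module Azure

$serviceName = "contoso-adfs"          # constructed cloud service name
$vmNames     = @("ADFS01", "ADFS02")   # constructed VM names
$availSet    = "adfs-avset"            # constructed availability set name
$lbSetName   = "adfs-https-lb"         # constructed load-balanced set name

foreach ($vmName in $vmNames) {
    # Set-AzureAvailabilitySet: both instances then count toward the cloud
    # service SLA. Add-AzureEndpoint with -LBSetName: the same public port 443
    # on the cloud service VIP is spread across every VM in the set, and the
    # TCP probe removes an instance whose ADFS site stops answering on 443.
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Set-AzureAvailabilitySet -AvailabilitySetName $availSet |
        Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName $lbSetName -ProbeProtocol tcp -ProbePort 443 |
        Update-AzureVM
}

# Check: each VM should list an "HTTPS" endpoint carrying the same LBSetName,
# and nothing but 443 should be exposed on the public VIP.
foreach ($vmName in $vmNames) {
    Write-Host "Endpoints on $vmName"
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Get-AzureEndpoint |
        Format-Table -AutoSize
}
```

Only the HTTPS endpoint is opened; management traffic from the enterprise side should travel over the site-to-site VPN described above rather than through additional public endpoints.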

Windows Azure Example

[Diagram: ADFS on Windows Azure. Labels: Enterprise, IPsec device, Gateway, Windows Azure, Cloud Service, AD FS 2.0 Server, AD FS 2.0 Server, DirSync, LB endpoint.]

Additional Resources
- Prepare for directory synchronization: http://technet.microsoft.com/en-us/library/jj151831.aspx
- Directory synchronization roadmap: http://technet.microsoft.com/en-us/library/hh967642.aspx
- Set up your directory sync computer: http://technet.microsoft.com/en-us/library/dn144767.aspx
- Update Rollup 2 for ADFS 2.0: http://support.microsoft.com/kb/2681584

- ADFS 2.0 Step-by-Step and How To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx