Office 365 useful deployment information
I attended an Office 365 deployment FastTrack training session at Microsoft this week and came back with some interesting information (or it was to me, but you guys might already know all this stuff). There seem to be some misconceptions, in particular surrounding ADFS and whether it is a requirement for Hybrid deployments.
1. You don’t need ADFS to do Hybrid. In respect of Hybrid, ADFS gives you nothing except that authentication requests are sent back to on-premises ADFS instead of being dealt with by Azure. ADFS is only really needed for massive deployments (50k+ AD objects) or if someone objects to password hashes (which are not reversible, so not really a valid objection in my opinion) being stored in Azure. All that is needed for Hybrid is dirsync (+ password sync, assuming you don’t want different passwords). ADFS gives you added complexity and a single point of failure unless you have L4 load balancers, multiple ADFS servers and ADFS proxies, and for most small to medium businesses that is surely somewhat defeating the purpose of going cloud.
2. Before running dirsync you should plan and check that your on-premises AD is ready. The most important thing is to ensure that the UPNs for your objects have valid FQDNs (e.g. no .local suffixes). This tool will check AD for you: http://onramp.office365.com. There was also talk that you should ensure your on-premises AD password policy meets the minimum requirements of Azure’s password policy, or you will have issues syncing passwords.
3. Dirsync remediation tool. If you have jumped ahead without checking your AD and ended up syncing bad objects, then this tool (IdFix) is for fixing it: http://www.microsoft.com/en-gb/download/details.aspx?id=36832
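As an added example (not from the original post, and not the OnRamp or IdFix tools), here is a PowerShell pre-flight check for the UPN suffix problem in items 2 and 3: it reports users with missing, .local or otherwise unverified UPN suffixes, and offers a dry-run remediation. It assumes the RSAT ActiveDirectory module and a placeholder list of the domains verified in your tenant.

```powershell
# Added example: find AD users whose UPN suffix will not sync cleanly to Office 365.
# Assumes the RSAT ActiveDirectory module; $VerifiedDomains is a placeholder you
# replace with the domains actually verified in your tenant.
Import-Module ActiveDirectory

$VerifiedDomains = @('example.com', 'mail.example.com')   # placeholder values

function Get-UpnIssues {
    param([string[]]$VerifiedDomains)

    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1].ToLower() } else { $null }

            $issue = $null
            if (-not $upn)                                { $issue = 'UPN missing' }
            elseif ($suffix -like '*.local')              { $issue = 'Non-routable .local suffix' }
            elseif ($VerifiedDomains -notcontains $suffix) { $issue = "Suffix '$suffix' not verified in tenant" }

            if ($issue) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $upn
                    Mail              = $_.mail
                    Issue             = $issue
                }
            }
        }
}

# Optional remediation: rewrite the suffix to a verified domain, keeping the prefix.
# -WhatIf makes this a dry run; remove it only after reviewing the report.
function Repair-UpnSuffix {
    param([string]$SamAccountName, [string]$NewSuffix)

    $user   = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $prefix = ($user.UserPrincipalName -split '@')[0]
    if (-not $prefix) { $prefix = $user.SamAccountName }   # no UPN at all: fall back to sAMAccountName
    Set-ADUser -Identity $user -UserPrincipalName "$prefix@$NewSuffix" -WhatIf
}

$issues = Get-UpnIssues -VerifiedDomains $VerifiedDomains
$issues | Format-Table -AutoSize
$issues | Export-Csv -Path .\upn-issues.csv -NoTypeInformation   # keep a record before any change
```

Run the report before the first dirsync; IdFix will still catch other attribute problems (duplicates, invalid characters) that this suffix check does not cover.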
4. This: http://fasttrack.office365.com is good for setting up a proof of concept for a customer and then going live with it, it’s kind of a step by step deployment…
5. You can set up a demo tenant with a load of pre-created data to demonstrate all the cool features of things like SkyDrive Pro and the new Office 365 suite; Excel, for example, does some really cool stuff which should get people seriously interested in upgrading to the latest Office suite. The only downside is that it expires every 30 days, so you have to keep setting it up again, but it’s not hard and doesn’t take long. It even gives you a complete walkthrough of how to demo Office 365, although I would suggest you focus on the bits that customers will find interesting rather than go through the whole thing. Log in with your partner ID here: https://www.microsoftofficedemos.com/
6. The Office 365 ProPlus application suite is licensed per user, not per device; each user can install the Office 365 suite 5 times. This means it is not suitable for RDS, Citrix, hot desking etc. However, there is a concession on licensing for Office 365 subscribers that allows you to use volume licensing versions of Office 2013 ProPlus at no extra cost. The only caveat here is that to use the volume license version you must buy at least one volume license key, as Microsoft won’t give you one.
7. For Hybrid deployments you need a Hybrid Exchange server. There was some confusion as to whether this could be set up on an existing Exchange server; the consensus seemed to be that you can but shouldn’t, but this was something of a grey area. You do not need to license a 2013 Hybrid server, so there is no cost (other than hardware resources) to build a 2013 Exchange server to use as your Hybrid. The Hybrid wizard is significantly improved in 2013, so it is worth considering if you are otherwise on 2007 or 2010. The Hybrid 2013 server(s) must have all the roles, although you can split the roles over multiple servers. The Hybrid server does nothing except pass TLS-encrypted mail between on-premises and the cloud, so load should be pretty minimal.
8. Security between Hybrid and online servers. Kind of obvious, but you can’t have things like hosted mail hygiene solutions or firewalls inspecting traffic between the Hybrid server and the Office 365 servers, or TLS won’t work. In fact you wouldn’t have third-party hosted mail hygiene full stop, because anti-spam and AV are built into Office 365.
9. You can now install dirsync on a DC but this is not supported and is only for non-production environments.
10. In a Hybrid environment, delegation won’t work between mailboxes that are on Office 365 and mailboxes that are on-premises. So check for delegates and ensure mailboxes are moved together where delegation exists (this is also a problem with 2013 co-existence). Apparently Microsoft are intending to fix this, but there is no ETA.
11. There is no such thing as single sign-on for Office 365 Outlook (it doesn’t matter whether you have ADFS or not). SSO with ADFS seems to be something of a misnomer: there are certain services that use forms-based authentication (e.g. OWA) where SSO will be facilitated by ADFS for internal users, but it is not ADFS as such that is doing the SSO. The short of it is that you will simply end up entering your password more often. It can be cached in cookies, Credential Manager etc., so extra login prompts should be fairly infrequent for users. Even for the parts of Office 365 that will get a kind of SSO with ADFS, bearing in mind that Outlook for example won’t benefit, it seems pretty hard to justify the extra resources and complexity required for ADFS.
Hope this helps clear up a few misconceptions about deploying Office 365, it certainly did for me.