I am looking for a list of "Best Practices" for using and administering DirSync and ADFS that I can give my customers after we set up their Cloud environment for access to Office 365 and other Azure services.
I have so far:
In the on-premises Active Directory every user needs a UPN which is resolvable from the internet. So if your on-premises domain is 'domain.local' your users need a UPN like: email@example.com
The DirSync server should have the same physical access security as a Domain Controller.
Make sure the Microsoft Online Services Identity Federation Management tool is installed in the on-premises environment. This tool installs a set of PowerShell commands that are used to create and configure federation between on-premises and Office 365. The commands that can be used for this are: Set-MSOLContextCredential, Add-MSOLFederatedDomain and/or Convert-MSOLDomainToFederated.
To check the federation setup, Get-MSOLFederationProperty -DomainName <domain> can be used. This will show all settings for ADFS 2.0 and the Microsoft Federation Gateway for the domain entered.
The Windows Azure Active Directory Sync Tool can be installed on a computer if all the following conditions are true:
• Windows PowerShell 1.0 is installed on the computer.
• You are logged on to the computer as a member of the local Administrators group.
• The computer has a 64-bit processor.
• The computer is running one of the following operating systems:
    - Windows Server 2003 x64 with Service Pack 2 (SP2) or a later version
    - An x64-based version of Windows Server 2008
• The computer isn't a domain controller.
• The computer is joined to an Active Directory domain and is located in the forest that you want to sync with Windows Azure Active Directory (Windows Azure AD).
• The Microsoft .NET Framework 3.5 or a later version is installed on the computer.
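The two checks above that are easiest to get wrong in practice are the UPN suffix requirement (users with a non-routable suffix such as domain.local will not federate cleanly) and the server prerequisites for the sync tool. The script below is an added example, not code from the original post or from Microsoft; it audits both on the candidate DirSync server. It assumes PowerShell 2.0 or later (for New-Object -Property) and that it is run as a domain user inside the forest to be synced. The $VerifiedSuffixes value 'contoso.com' is a placeholder assumption to be replaced with the domains actually verified in Office 365; the function names are hypothetical.

```powershell
# Added example (not from the original post): pre-deployment checks for a DirSync
# server plus an audit of user UPN suffixes. Assumptions: PowerShell 2.0+, run on the
# candidate DirSync server as a domain user; $VerifiedSuffixes is a placeholder.

$VerifiedSuffixes = @('contoso.com')   # assumption: replace with your verified, internet-routable domains

function New-CheckResult($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = [string]$Detail }
}

function Test-DirSyncPrerequisites {
    $cs  = Get-WmiObject Win32_ComputerSystem
    $os  = Get-WmiObject Win32_OperatingSystem
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1

    # PowerShell 1.0 or later ($Host.Version exists in every version)
    New-CheckResult 'PowerShell 1.0+' ($Host.Version.Major -ge 1) $Host.Version.ToString()

    # Member of local Administrators; under UAC this only passes in an elevated session
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-CheckResult 'Local Administrators' $isAdmin $id.Name

    # 64-bit: Win32_Processor.AddressWidth is 64 only when a 64-bit OS runs on a 64-bit CPU
    New-CheckResult 'x64 processor and OS' ($cpu.AddressWidth -eq 64) "$($os.Caption) $($os.Version)"

    # Not a domain controller: DomainRole 4 = backup DC, 5 = primary DC
    New-CheckResult 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

    # Joined to a domain in the forest to be synced
    New-CheckResult 'Domain joined' $cs.PartOfDomain $cs.Domain

    # .NET Framework 3.5: setup writes Install=1 under this key
    $ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    $net35 = (Test-Path $ndp) -and ((Get-ItemProperty $ndp).Install -eq 1)
    New-CheckResult '.NET Framework 3.5' $net35 $ndp
}

function Get-NonRoutableUpnUsers {
    param([string[]]$Suffixes = $VerifiedSuffixes)

    # Plain ADSI search so no RSAT / ActiveDirectory module is required
    $searcher = New-Object DirectoryServices.DirectorySearcher
    # Enabled user accounts only (userAccountControl bit 2 = ACCOUNTDISABLE)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('userPrincipalName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    foreach ($r in $searcher.FindAll()) {
        $upnVals = $r.Properties['userprincipalname']
        $samVals = $r.Properties['samaccountname']
        $upn = if ($upnVals.Count -gt 0) { [string]$upnVals[0] } else { '' }
        $sam = if ($samVals.Count -gt 0) { [string]$samVals[0] } else { '' }
        $suffix = if ($upn -match '@(.+)$') { $matches[1] } else { '' }

        # Flag users with no UPN or with a suffix that is not a verified domain (-contains is case-insensitive)
        if (-not ($Suffixes -contains $suffix)) {
            New-Object PSObject -Property @{ SamAccountName = $sam; UserPrincipalName = $upn; Suffix = $suffix }
        }
    }
}

Test-DirSyncPrerequisites | Format-Table Check, Pass, Detail -AutoSize
Get-NonRoutableUpnUsers    | Format-Table SamAccountName, UserPrincipalName, Suffix -AutoSize
```

Every row of the first table should read True before the sync tool is installed; every row of the second table is a user whose UPN must be changed to a verified suffix before the first sync, otherwise that user will not be able to sign in to Office 365 with the federated identity.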