Solved

exchange, office 365, active directory

Posted on 2016-11-03
114 Views
Last Modified: 2016-11-04
I am planning a hybrid migration from Exchange 2010 to Office 365.

I am going to set up tenants in Office 365 and build ADFS for single sign-on; any idea why a relying party trust and claims need to be configured?
I will be using Azure AD Connect to synchronize AD objects and then move mailboxes.

Any idea whether I really need the Microsoft Federation Gateway?
Question by: pramod1
2 Comments
LVL 17

Expert Comment

by: Jason Crawford
ID: 41872951
I would just skip the Hybrid configuration and use a Staged Migration instead.  You can still sync AD attributes including password hashes.  The only difference is it's a one-way sync.

LVL 44

Accepted Solution

by: Adam Brown (earned 2000 total points)
ID: 41873137
There's an automated configuration cmdlet in the Azure Active Directory PowerShell cmdlets that will configure ADFS to talk to your Office 365 tenant, so you don't need to know the realm or relying party information. You just have to run the setup as instructed by MS.

The Federation Gateway is used to allow Free/Busy data sharing between your Exchange server and Office 365. It isn't required for ADFS, but is required if you will have some mailboxes on-prem and others in the cloud. Without the Federation Gateway configured, the mailboxes in O365 couldn't see calendar data from on-prem, and vice versa.

As for whether to use Password sync or ADFS for authentication, there are actually significant technical and operational differences between the two solutions.
1. With Password Sync, password changes can take up to 30 minutes or more (depending on sync frequency settings) to apply in Office 365, and password changes in O365 won't apply, so you either have to do a manual sync to cause an immediate password change or wait for the sync to occur before the password can be used in O365.
2. ADFS is quite a bit more secure than Password sync, because it allows your users to authenticate to your actual domain when logging in to O365. The ADFS login process uses your domain servers to authenticate users with Kerberos, as opposed to password sync where your password hashes are uploaded and stored on Microsoft's Servers. If, at some point, someone were able to break Microsoft's security in O365 (and your tenant in particular), they would have enough information from Password sync to then directly attack your LAN environment. With ADFS, a compromised Office 365 environment cannot lead to compromise of your network environment, since O365's systems are not aware of the credentials or authentication processes involved when users connect with ADFS. That said, the risk of O365 being compromised is very low. Lower, in fact, than many business Domain environments (MS's Datacenters have top notch physical access security), but the mere potential of LAN exposure caused by having password hashes stored on a third party's servers (that are outside of one's control, no less) justifies the additional licensing, hardware, and administrative costs associated with using ADFS.

If you understand those two points and are willing to accept the risks and wait time associated with using Password sync, by all means, you are welcome to do so. I just want to point these things out so you can make an informed decision.
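The accepted answer makes three checkable points: the ADFS relying party trust and federation settings are set up by an automated cmdlet rather than by hand, the Federation Gateway trust is what carries free/busy in a hybrid, and with password sync a change only reaches the tenant on the next sync cycle unless you force one. The script below is an added example, not code from the thread or from Microsoft's documentation, that audits each of those from the defender's side. It assumes the MSOnline module on the ADFS server (first function), the ADSync module on the Azure AD Connect server (second and third functions), and the Exchange Management Shell on the on-prem Exchange server (last function); `contoso.example` and the UPN are placeholders.

```powershell
# Added example (not from the thread): read-only checks for the federation
# trust, the sync-lag window, and the Federation Gateway trust.
# Placeholders: replace the domain name and UPN with your own values.

$Domain = 'contoso.example'

function Test-O365FederationTrust {
    # Run on the ADFS server with the MSOnline module installed.
    param([Parameter(Mandatory)][string]$DomainName)

    Connect-MsolService   # prompts for a tenant admin credential

    # Authentication reads "Federated" once Convert-MsolDomainToFederated
    # (the automated cmdlet the answer refers to) has been run for the domain.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        return [pscustomobject]@{ Domain = $DomainName; Federated = $false; CertificateMatch = $null }
    }

    # Token-signing certificate the tenant currently trusts for this domain.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $tenantCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))

    # Token-signing certificate ADFS is actually issuing with. A mismatch
    # (typically after automatic certificate rollover without running
    # Update-MsolFederatedDomain) means on-prem tokens are rejected by O365.
    $adfsCert = (Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object IsPrimary).Certificate

    # Relying party trust created on the ADFS side by the setup cmdlet.
    $rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'

    [pscustomobject]@{
        Domain           = $DomainName
        Federated        = $true
        IssuerUri        = $fed.IssuerUri
        PassiveLogOnUri  = $fed.PassiveLogOnUri
        RelyingPartyOk   = ($null -ne $rp -and $rp.Enabled)
        CertificateMatch = ($tenantCert.Thumbprint -eq $adfsCert.Thumbprint)
        TenantCertExpiry = $tenantCert.NotAfter
    }
}

function Get-PasswordSyncLag {
    # Run on the Azure AD Connect server. The effective cycle interval bounds
    # how long a changed password (and any other attribute) waits to reach O365.
    Import-Module ADSync
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncEnabled       = $s.SyncCycleEnabled
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc      = $s.NextSyncCycleStartTimeInUTC
        CycleInProgress   = $s.SyncCycleInProgress
        StagingMode       = $s.StagingModeEnabled
    }
}

function Invoke-ImmediateDeltaSync {
    # The "manual sync" from point 1: push pending changes now instead of
    # waiting for the scheduler. Refuses to start while a cycle is running.
    Import-Module ADSync
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already in progress; wait for it to finish.'
        return $false
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    return $true
}

function Test-ExchangeFederationGateway {
    # Run in the on-prem Exchange Management Shell. The federation trust with
    # the Microsoft Federation Gateway plus an organization relationship are
    # what carry free/busy between on-prem and cloud mailboxes in a hybrid.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $trust = Get-FederationTrust
    $rel   = Get-OrganizationRelationship
    $test  = if ($trust) { Test-FederationTrust -UserIdentity $UserPrincipalName }
    [pscustomobject]@{
        TrustPresent          = ($null -ne $trust)
        OrganizationRelations = ($rel | Measure-Object).Count
        TrustTestResults      = $test
    }
}

# Usage (each on the server it applies to):
# Test-O365FederationTrust -DomainName $Domain
# Get-PasswordSyncLag
# Invoke-ImmediateDeltaSync
# Test-ExchangeFederationGateway -UserPrincipalName "user@$Domain"
```

`CertificateMatch` is the value worth alerting on: a stale token-signing certificate in the tenant turns into a sudden sign-in outage for every federated user, so comparing the tenant's copy against the primary ADFS certificate on a schedule catches it before the rollover date. None of the functions change configuration except `Invoke-ImmediateDeltaSync`, which only runs the same delta cycle the scheduler would run anyway.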