Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

exchange, office 365, active directory

Posted on 2016-11-03
2
Medium Priority
?
106 Views
Last Modified: 2016-11-04
I am planning hybrid migration from exchange 2010 to office 365

I am going to set up tenants in office 365
build ADFS  for single  sign on, any idea why relying part trust and claimsto be configured"
I will be using azure AD connect to synchronize AD objects and the then move mailboxes

any idea to do I really need Microsoft federation gateway?
0
Comment
Question by:pramod1
2 Comments
 
LVL 16

Expert Comment

by:Jason Crawford
ID: 41872951
I would just skip the Hybrid configuration and use a Staged Migration instead.  You can still sync AD attributes including password hashes.  The only difference is it's a one-way sync.
0
 
LVL 43

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41873137
There's an automated configuration cmdlet in the Azure Active Directory powershell cmdlets that will configure ADFS to talk to your Office 365 tenant, so you don't need to know the realm or relying party information. You just have to run the setup as instructed by MS.

The Federation Gateway is used to allow Free/Busy data sharing between your Exchange server and Office 365. It isn't required for ADFS, but is required if you will have some mailboxes on prem and others in the cloud. Without the Federation Gateway configured, the mailboxes in O365 couldn't see calendar data from Onprem, and vice versa.

As for whether to use Password sync or ADFS for authentication, there are actually significant technical and operational differences between the two solutions.
1. With Password Sync, password changes can take up to 30 minutes or more (depending on sync frequency settings) to apply in Office 365, and password changes in O365 won't apply, so you either have to do a manual sync to cause an immediate password change or wait for the sync to occur before the password can be used in O365.
2. ADFS is quite a bit more secure than Password sync, because it allows your users to authenticate to your actual domain when logging in to O365. The ADFS login process uses your domain servers to authenticate users with Kerberos, as opposed to password sync where your password hashes are uploaded and stored on Microsoft's Servers. If, at some point, someone were able to break Microsoft's security in O365 (and your tenant in particular), they would have enough information from Password sync to then directly attack your LAN environment. With ADFS, a compromised Office 365 environment cannot lead to compromise of your network environment, since O365's systems are not aware of the credentials or authentication processes involved when users connect with ADFS. That said, the risk of O365 being compromised is very low. Lower, in fact, than many business Domain environments (MS's Datacenters have top notch physical access security), but the mere potential of LAN exposure caused by having password hashes stored on a third party's servers (that are outside of one's control, no less) justifies the additional licensing, hardware, and administrative costs associated with using ADFS.

If you understand those two points and are willing to accept the risks and wait time associated with using Password sync, by all means, you are welcome to do so. I just want to point these things out so you can make an informed decision.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A walk-through example of how to obtain and apply new DID phone numbers to your cloud PBX enabled users that are configured in Office 365. Whether you have 1, 10 or 100+ users in your tenant, it's quite easy to get them phone-enabled and making/rece…
There can be many situations demanding the conversion of Outlook OST files to PST format and as such, there is no shortage of automated tools to perform this conversion. However, what makes Stellar OST to PST converter stand above the rest? Let us e…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question