
Solved

exchange, office 365, active directory

Posted on 2016-11-03
2
Medium Priority
112 Views
Last Modified: 2016-11-04
I am planning a hybrid migration from Exchange 2010 to Office 365.

I am going to set up tenants in Office 365 and build ADFS for single sign-on. Any idea why the relying party trust and claims have to be configured?
I will be using Azure AD Connect to synchronize AD objects and then move mailboxes.

Any idea whether I really need the Microsoft Federation Gateway?
0
Question by:pramod1
2 Comments
 
LVL 17

Expert Comment

by:Jason Crawford
ID: 41872951
I would just skip the Hybrid configuration and use a Staged Migration instead.  You can still sync AD attributes including password hashes.  The only difference is it's a one-way sync.
0
 
LVL 44

Accepted Solution

by: Adam Brown (earned 2000 total points)
ID: 41873137
There's an automated configuration cmdlet in the Azure Active Directory PowerShell cmdlets that will configure ADFS to talk to your Office 365 tenant, so you don't need to know the realm or relying party information. You just have to run the setup as instructed by MS.

The Federation Gateway is used to allow Free/Busy data sharing between your Exchange server and Office 365. It isn't required for ADFS, but is required if you will have some mailboxes on-prem and others in the cloud. Without the Federation Gateway configured, the mailboxes in O365 couldn't see calendar data from on-prem, and vice versa.

As for whether to use Password sync or ADFS for authentication, there are actually significant technical and operational differences between the two solutions.
1. With Password Sync, password changes can take up to 30 minutes or more (depending on sync frequency settings) to apply in Office 365, and password changes in O365 won't apply, so you either have to do a manual sync to cause an immediate password change or wait for the sync to occur before the password can be used in O365.
2. ADFS is quite a bit more secure than Password sync, because it allows your users to authenticate to your actual domain when logging in to O365. The ADFS login process uses your domain servers to authenticate users with Kerberos, as opposed to password sync, where your password hashes are uploaded and stored on Microsoft's servers. If, at some point, someone were able to break Microsoft's security in O365 (and your tenant in particular), they would have enough information from Password sync to then directly attack your LAN environment. With ADFS, a compromised Office 365 environment cannot lead to compromise of your network environment, since O365's systems are not aware of the credentials or authentication processes involved when users connect with ADFS. That said, the risk of O365 being compromised is very low. Lower, in fact, than many business domain environments (MS's datacenters have top-notch physical access security), but the mere potential of LAN exposure caused by having password hashes stored on a third party's servers (that are outside of one's control, no less) justifies the additional licensing, hardware, and administrative costs associated with using ADFS.

If you understand those two points and are willing to accept the risks and wait time associated with using Password sync, by all means, you are welcome to do so. I just want to point these things out so you can make an informed decision.
0
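The three pieces of the accepted answer (the automated ADFS federation cmdlet, the password-sync delay, and the Federation Gateway check for cross-premises free/busy), pulled together as an added PowerShell example. This is not code from the original thread. It assumes a federated domain of contoso.com, an AD FS server named adfs01.contoso.com, a test user user@contoso.com, and that the commands run where the MSOnline (Azure AD v1) module, the ADSync module from Azure AD Connect, and the Exchange Management Shell are available; those names are placeholders, not values from the question.

```powershell
# Added example, not part of the original post. All host names, the domain and
# the test user below are assumptions for illustration.
$domain     = 'contoso.com'          # assumed domain to federate
$adfsServer = 'adfs01.contoso.com'   # assumed AD FS server, reachable over WinRM
$testUser   = "user@$domain"         # assumed on-prem mailbox for the free/busy test

# --- 1. Federate the domain with the tenant (run once, as a Global Admin) ---
# Convert-MsolDomainToFederated is the "automated configuration cmdlet" the answer
# refers to: it creates the Office 365 relying party trust and its claim rules
# in AD FS and switches the domain to federated authentication in the tenant.
Import-Module MSOnline
Connect-MsolService                                  # prompts for tenant admin credentials
Set-MsolADFSContext -Computer $adfsServer            # point the MSOL cmdlets at the AD FS farm
Convert-MsolDomainToFederated -DomainName $domain    # writes the relying party trust + claims

# Verify that the tenant now redirects logons for the domain to AD FS.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
if ($fed.PassiveLogOnUri) {
    '{0} is federated; passive logon endpoint: {1}' -f $domain, $fed.PassiveLogOnUri
} else {
    Write-Warning "$domain is not federated; check the Set-MsolADFSContext target and rerun."
}

# --- 2. Password sync caveat: push a delta sync instead of waiting for the scheduler ---
# Run on the Azure AD Connect server. The scheduler interval is the source of the
# delay the answer describes (30 minutes by default); a delta cycle sends pending
# object and password-hash changes now.
Import-Module ADSync
'Effective sync interval: {0}' -f (Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval
Start-ADSyncSyncCycle -PolicyType Delta

# --- 3. Federation Gateway check for cross-premises free/busy (Exchange Management Shell) ---
# The Gateway is surfaced on-prem as a federation trust plus a federated organization
# identifier; without them, on-prem and cloud mailboxes cannot exchange calendar data.
$trust = Get-FederationTrust
if (-not $trust) {
    Write-Warning 'No federation trust: on-prem and cloud mailboxes will not see each other''s free/busy.'
} else {
    Get-FederatedOrganizationIdentifier | Select-Object AccountNamespace, Enabled, DelegationTrustLink
    # Exercise the trust end to end (token request from the Gateway) for a real on-prem user.
    Test-FederationTrust -UserIdentity $testUser | Format-Table Id, Type, Message -AutoSize
}
```

Step 1 needs to run only once per domain; steps 2 and 3 are the checks to repeat when a user reports a stale password in Office 365 or missing free/busy between on-prem and cloud mailboxes.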
