Solved

exchange, office 365, active directory

Posted on 2016-11-03
Last Modified: 2016-11-04
I am planning a hybrid migration from Exchange 2010 to Office 365.

I am going to set up tenants in Office 365 and build ADFS for single sign-on. Any idea why the relying party trust and claims need to be configured?
I will be using Azure AD Connect to synchronize AD objects and then move mailboxes.

Any idea whether I really need the Microsoft Federation Gateway?
Question by:pramod1
2 Comments
 
LVL 16

Expert Comment

by:Jason Crawford
ID: 41872951
I would just skip the Hybrid configuration and use a Staged Migration instead. You can still sync AD attributes including password hashes. The only difference is it's a one-way sync.
 
LVL 42

Accepted Solution

by:Adam Brown earned 2000 total points
ID: 41873137
There's an automated configuration cmdlet in the Azure Active Directory PowerShell cmdlets that will configure ADFS to talk to your Office 365 tenant, so you don't need to know the realm or relying party information. You just have to run the setup as instructed by MS.

The Federation Gateway is used to allow Free/Busy data sharing between your Exchange server and Office 365. It isn't required for ADFS, but is required if you will have some mailboxes on-prem and others in the cloud. Without the Federation Gateway configured, the mailboxes in O365 couldn't see calendar data from on-prem, and vice versa.

As for whether to use Password sync or ADFS for authentication, there are actually significant technical and operational differences between the two solutions.
1. With Password Sync, password changes can take up to 30 minutes or more (depending on sync frequency settings) to apply in Office 365, and password changes in O365 won't apply, so you either have to do a manual sync to cause an immediate password change or wait for the sync to occur before the password can be used in O365.
2. ADFS is quite a bit more secure than Password sync, because it allows your users to authenticate to your actual domain when logging in to O365. The ADFS login process uses your domain servers to authenticate users with Kerberos, as opposed to password sync where your password hashes are uploaded and stored on Microsoft's Servers. If, at some point, someone were able to break Microsoft's security in O365 (and your tenant in particular), they would have enough information from Password sync to then directly attack your LAN environment. With ADFS, a compromised Office 365 environment cannot lead to compromise of your network environment, since O365's systems are not aware of the credentials or authentication processes involved when users connect with ADFS. That said, the risk of O365 being compromised is very low. Lower, in fact, than many business Domain environments (MS's Datacenters have top notch physical access security), but the mere potential of LAN exposure caused by having password hashes stored on a third party's servers (that are outside of one's control, no less) justifies the additional licensing, hardware, and administrative costs associated with using ADFS.

If you understand those two points and are willing to accept the risks and wait time associated with using Password sync, by all means, you are welcome to do so. I just want to point these things out so you can make an informed decision.
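The three items in the accepted answer (the automated federation cmdlet, forcing a sync instead of waiting for the scheduler, and checking the Exchange federation trust used for free/busy), as an added PowerShell example that is not from the thread or from Microsoft documentation. `contoso.com`, `adfs01.corp.contoso.com` and `user@contoso.com` are placeholders. The three sections run on different hosts: a workstation with the MSOnline module and admin rights on the ADFS server, the Azure AD Connect server, and an Exchange 2010 Management Shell.

```powershell
# Added example, not the thread's or Microsoft's own code. Placeholders:
#   contoso.com              - the verified tenant domain being federated
#   adfs01.corp.contoso.com  - the internal ADFS server
#   user@contoso.com         - an on-prem mailbox used for the free/busy trust test

# --- 1. Federate the domain (run where the MSOnline module is installed) -----------
# Convert-MsolDomainToFederated is the "automated configuration cmdlet": it creates
# the relying party trust and claim rules on ADFS and registers the ADFS endpoints
# and token-signing certificate in the tenant, so no realm or relying party details
# are typed by hand.
Import-Module MSOnline
Connect-MsolService                                   # prompts for tenant admin credentials
Set-MsolADFSContext -Computer 'adfs01.corp.contoso.com'

# Only convert a domain that is verified in the tenant and still Managed.
$domain = Get-MsolDomain -DomainName 'contoso.com'
if ($domain.Status -ne 'Verified') { throw 'Domain is not verified in the tenant' }
if ($domain.Authentication -eq 'Federated') {
    Write-Warning 'Domain is already federated; skipping conversion'
} else {
    Convert-MsolDomainToFederated -DomainName 'contoso.com'
}

# Verify both sides agree. The tenant's view of the federation settings...
Get-MsolFederationProperty -DomainName 'contoso.com' |
    Select-Object Source, PassiveLogOnUri, ActiveLogOnUri, TokenSigningCertificate

# ...and the relying party trust the cmdlet created on the ADFS server itself.
Invoke-Command -ComputerName 'adfs01.corp.contoso.com' -ScriptBlock {
    Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
        Select-Object Name, Enabled, IssuanceTransformRules
}

# --- 2. Password/attribute sync latency (run on the Azure AD Connect server) -------
# Answer point 1: instead of waiting for the scheduler interval, force a delta cycle.
Import-Module ADSync
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta

# --- 3. Federation Gateway / free-busy (run in the Exchange 2010 Management Shell) --
# Show the federation trust with the Microsoft Federation Gateway and the organization
# relationship that controls free/busy sharing, then test the trust for one user.
Get-FederationTrust | Select-Object Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship |
    Select-Object Name, DomainNames, Enabled, FreeBusyAccessEnabled, FreeBusyAccessLevel
Test-FederationTrust -UserIdentity 'user@contoso.com' -Verbose
```

The check worth keeping in section 1 is the comparison of `TokenSigningCertificate` reported by the tenant against the certificate ADFS is actually signing with: sign-in fails silently for all federated users when ADFS rolls its token-signing certificate and the tenant still holds the old one, and `Update-MsolFederatedDomain -DomainName 'contoso.com'` is the cmdlet that republishes the new certificate to the tenant.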
