Solved

exchange, office 365, active directory

Posted on 2016-11-03
2
63 Views
Last Modified: 2016-11-04
I am planning hybrid migration from exchange 2010 to office 365

I am going to set up tenants in office 365
build ADFS  for single  sign on, any idea why relying part trust and claimsto be configured"
I will be using azure AD connect to synchronize AD objects and the then move mailboxes

any idea to do I really need Microsoft federation gateway?
0
Comment
Question by:pramod1
2 Comments
 
LVL 14

Expert Comment

by:Jason Crawford
ID: 41872951
I would just skip the Hybrid configuration and use a Staged Migration instead.  You can still sync AD attributes including password hashes.  The only difference is it's a one-way sync.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41873137
There's an automated configuration cmdlet in the Azure Active Directory powershell cmdlets that will configure ADFS to talk to your Office 365 tenant, so you don't need to know the realm or relying party information. You just have to run the setup as instructed by MS.

The Federation Gateway is used to allow Free/Busy data sharing between your Exchange server and Office 365. It isn't required for ADFS, but is required if you will have some mailboxes on prem and others in the cloud. Without the Federation Gateway configured, the mailboxes in O365 couldn't see calendar data from Onprem, and vice versa.

As for whether to use Password sync or ADFS for authentication, there are actually significant technical and operational differences between the two solutions.
1. With Password Sync, password changes can take up to 30 minutes or more (depending on sync frequency settings) to apply in Office 365, and password changes in O365 won't apply, so you either have to do a manual sync to cause an immediate password change or wait for the sync to occur before the password can be used in O365.
2. ADFS is quite a bit more secure than Password sync, because it allows your users to authenticate to your actual domain when logging in to O365. The ADFS login process uses your domain servers to authenticate users with Kerberos, as opposed to password sync where your password hashes are uploaded and stored on Microsoft's Servers. If, at some point, someone were able to break Microsoft's security in O365 (and your tenant in particular), they would have enough information from Password sync to then directly attack your LAN environment. With ADFS, a compromised Office 365 environment cannot lead to compromise of your network environment, since O365's systems are not aware of the credentials or authentication processes involved when users connect with ADFS. That said, the risk of O365 being compromised is very low. Lower, in fact, than many business Domain environments (MS's Datacenters have top notch physical access security), but the mere potential of LAN exposure caused by having password hashes stored on a third party's servers (that are outside of one's control, no less) justifies the additional licensing, hardware, and administrative costs associated with using ADFS.

If you understand those two points and are willing to accept the risks and wait time associated with using Password sync, by all means, you are welcome to do so. I just want to point these things out so you can make an informed decision.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question