Office 365 deployment checklists. Chapter 27




Chapter 27 Office 365 deployment checklists

This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of issues. The checklists are in the following functional sections:

- Deployment workflow overview
- Active Directory checklist
- Office 365 checklist
- Directory Synchronization checklist
- Centrify Identity Service checklist
- Centrify for Office 365 checklist
- Centrify for Office 365 verification checklist
- Centrify for Office 365 desktop checklist
- Centrify for Office 365 mobile checklist

Deployment workflow overview

The diagram below illustrates the general process that you undertake when deploying Centrify for Office 365. We've organized the info into stages so that it's easier to plan, test, and verify information at each point in the process.

We recommend that at each deployment stage, you get your deployment working and test and verify that data is handled correctly before you move on to the next deployment stage. For example, even if you're using provisioning, it's a good practice to first configure your Office 365 application for SSO and configure the account mapping to verify that SSO works. Depending on how many users you have, you may also find that it's useful to migrate your users in batches rather than all at once.

Deployment workflow for the deprecated Office 365 application

If you're using the deprecated version of Office 365, here's the workflow for getting that kind of deployment up and running.

Cloud Manager user's guide 31

For example, for customers who are already using DirSync, it can be useful to migrate users in batches to the new application and automatic user provisioning.

Active Directory checklist

AD1. Map or list of your Active Directory topology, and be sure to include the following:
- Multiple domains
- Multiple forests
- Child domains
- Untrusted domains
Later, when you configure Centrify Identity Service, you'll need this list to verify that each domain in each forest has a login suffix.

AD2. Have you specified an alternative UPN suffix for users?
If you have an alternate UPN specified and you plan on using automatic user provisioning, you'll need to edit the provisioning script slightly to accommodate your alternate UPN suffix. For instructions, see Configuring Office 365 to synchronize users from a different domain.
Note: If you're using an older version of the Office 365 application (without provisioning), you'll need to continue using the login suffixes that you created.
If you've added alternative UPN suffixes in Active Directory, you must also create a login suffix in Cloud Manager for each of the alternative UPN suffixes.
Example: Consider the following configuration:
  Domain name = acme.com
  Alternative UPN suffix = wileycoyote.com
The login suffix would be as follows:
  login suffix = wileycoyote.com
With the login suffix, a user can log in either with user@acme.com or user@wileycoyote.com.
Additional information:
- For more details about using login suffixes, see https://cloud.centrify.com/vfslow/lib/docs///adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases
- For more information on how to configure the alt UPN, see http://technet.microsoft.com/library/jj151831.aspx and http://technet.microsoft.com/en-us/library/cc772007.aspx.
- For more information about preparing Active Directory, see http://technet.microsoft.com/en-us/library/hh852478.aspx

AD3. Have you set up a test domain in Active Directory?
It's a best practice to set up a test domain and use it to go through the Office 365 configuration process before you configure or alter your production deployment. When setting up a test domain, keep in mind the following:
- You must add and verify a publicly addressable domain in Office 365.
- If you use a local domain (one that doesn't have a publicly valid suffix), you must add an alternate domain and an alternate UPN suffix in Active Directory that matches the publicly addressable domain (suffix) in Office 365.

AD4. Do you have untrusted domains?
If you have untrusted domains, on-premise Exchange servers, and are going to use automatic user provisioning, you'll need to select the domain that the on-premise Exchange server belongs to when you configure provisioning. When you install a cloud connector in an untrusted domain, the cloud service creates a login suffix for that domain for you automatically.

Office 365 checklist

If you're already using ADFS with Office 365, you can ignore many of these setup tasks because you've already completed them as part of your ADFS setup. The tasks that you can probably ignore are designated with a check mark.

Note: If you are migrating from an on-premise Office or Exchange deployment to a new Office 365 deployment, Centrify has partnered with some consulting groups that can offer planning, implementation, and migration services for Office 365. For details, please contact Centrify Sales.

Off1. Your Office 365 account allows federation.
Plans A, E, G, M allow federation. For details, see "Supported Office 365 account types" on page 28-53.

Off2. Is your Office 365 Managed or Federated currently?
If you're using Office 365 in managed mode, that means that it authenticates users with their user name and passwords. If you're using Office 365 in federated mode, that means that you have ADFS installed, configured, and running successfully. With ADFS, many of the setup tasks listed herein are already completed.

Off3. Your domains are validated and registered in Office 365. If you haven't done this yet, it can take up to 72 hours to complete.
For details, see "Creating and verifying a domain in Office 365" on page 28-54.

Off4. You have configured the DNS settings correctly for Office 365 domain ownership validation and registration.
For details, see "Creating and verifying a domain in Office 365" on page 28-54 and http://onlinehelp.microsoft.com/en-us/office365-enterprises/jj554758.aspx

Off5. You have set the default domain correctly. The default domain must be the one that uses the onmicrosoft.com domain.
For details, see "Setting the default domain" on page 28-56.

Off6. Your Office 365 account can handle the number of Active Directory objects that you have.
If you have more than 50,000 Active Directory objects, please contact Microsoft support for a quota increase. For more information about preparing Active Directory, go here: http://technet.microsoft.com/en-us/library/hh852478.aspx

Off7. The Office 365 administrator account is one that is <domain>.onmicrosoft.com, and the account is not in Active Directory.
You need this administrator account to be outside of Active Directory in case you need to revert your Office 365 account back to user password authentication or if you need to make any configuration changes, such as changing your certificate or Issuer name. For details, see "Creating Office 365 user accounts by synchronizing with Active Directory" on page 28-69.

Off8. You can successfully log in to the Office 365 administrator portal with your Office 365 administrator credentials.
If you can't log in to the Office 365 administrator portal, contact Microsoft support.

Off9. The Office 365 user account email domain matches the Active Directory user's UserPrincipalName (UPN) attribute.
In order for Directory Synchronization to work, the UPN in Active Directory must match the user's email domain in Office 365.

Off10. If at all possible, use and register a test domain. Make sure that you set up and register the domain in Office 365.

Off11. List the related Microsoft components that you plan to use with Office 365:
- Email (web access)
- Outlook (thick client)
- SharePoint online
- Lync/Skype for Business
- Office Online
- CRM
- CRM Outlook plugin
- Yammer (coming soon)
Depending on which components you plan to use, there may be some additional configurations to perform. After all the setup tasks are complete, you'll need to test the thick clients.

Off12. If you plan on using Office 365 for email, will you be using a hybrid deployment?
A hybrid deployment is one where you use one or more on-premise Exchange servers in addition to the cloud-based Office 365. If you have a hybrid deployment, sometimes there are questions about pointing the MX record to the on-premise Exchange server (in the domain DNS settings in Office 365). You can leave the MX record pointing to the on-premise server instead of changing it to point to Office 365.

Off13. Are users only in Office 365, or are they synchronized from Active Directory?
If your users are only in Office 365, be sure that DirSync does two-way synchronization to migrate the user info into Active Directory. By default, DirSync synchronizes from Active Directory to Office 365, but it can do two-way synchronization. For details, see "Creating Office 365 user accounts by synchronizing with Active Directory" on page 28-69.

Off14. If you're using ADFS, did you purchase Office 365 from a third party? If so, is that third party ok with you migrating to use Centrify Identity Service as your IdP?
If you purchased Office 365 from a third party, understand that you configure your Office 365 application to use one identity provider. You cannot use some pieces of Office 365 in one provider and other pieces with Centrify Identity Service.

Off15. In the Office 365 administrator portal, Active Directory synchronization is enabled.
Whether you're using automatic provisioning or DirSync, you need to enable synchronization in the Office 365 administrator portal. For details, see Creating Office 365 user accounts by synchronizing with Active Directory and Enabling directory synchronization for cloud users.

Directory Synchronization checklist

This section covers tasks related to setting up DirSync for use with Office 365. The current Centrify for Office 365 with provisioning support does not require you to use DirSync. However, this section applies to you if your deployment scenario involves any of the following features:
- You're currently using DirSync, either with or without ADFS, and you haven't yet migrated to using Centrify for Office 365.
- You're currently using DirSync with an earlier version of Centrify for Office 365. You'll need to make sure that you upgrade to the latest version of DirSync before moving on to the next deployment section.

Note: You can continue using the v1 version of Centrify for Office 365 that uses DirSync; however, that version will be deprecated in the future.

If you're already using ADFS with Office 365, you can ignore many of these setup tasks because you've already completed them as part of your ADFS setup. The tasks that you can probably ignore are designated with a check mark.

If you're not using DirSync currently, you can move on to the next deployment section.

DS1. Windows Azure Active Directory sign-in assistant downloaded and installed.
For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51.

DS2. Windows Azure Active Directory module for PowerShell hot fix downloaded and installed.
For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51.

DS3. Microsoft Active Directory Synchronization tool downloaded.
For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51.

DS4. If you already had DirSync installed, is DirSync used only to synchronize the passwords? Verify that DirSync is configured to synchronize all desired attributes.
Some deployments have installed DirSync already but configured it so that it synchronizes the passwords only. If this is your situation, you don't have to re-install DirSync but you do need to configure it differently so that it synchronizes most attributes. Whether or not DirSync synchronizes passwords doesn't affect federation. For details about password synchronization, see http://blogs.technet.com/b/educloud/archive/2013/06/03/newazure-active-directory-sync-tool-with-password-sync-isnow-available.aspx.

DS5. For the server that hosts DirSync, all preparatory tasks have been completed.
For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51.

DS6. Your Active Directory system meets or exceeds the DirSync and Office 365 requirements.
Use the Microsoft Deployment Readiness toolkit to make sure that your Active Directory system meets or exceeds the requirements. The tool will indicate what fixes you need to make, if any. For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51. See " on the Microsoft Readiness toolkit" on page 27-39.

DS7. Prior to installing DirSync, ensure that the UPN of Active Directory user accounts matches the domain in Office 365 portal.
For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51.

DS8. If you have more than 10,000 objects in Active Directory, filter what gets synchronized and run DirSync several times.
For details on filtering DirSync, see http://msexchangeguru.com/2012/08/10/office-365-2/

DS9. Do you want to enable two-way Directory Synchronization between Active Directory and Office 365?
In most cases, you'll use the Directory Synchronization tool to synchronize attributes from Active Directory to Office 365. However, there may be some cases where you want to have two-way synchronization. For example, if you have a hybrid setup (on-premise Exchange servers in addition to Office 365), you'll want to use two-way synchronization. For more details, see http://technet.microsoft.com/en-us/library/hh852469.aspx.

DS10. DirSync is installed and running successfully. You must be an Enterprise Administrator or equivalent in order to install DirSync.
Verify that DirSync is running successfully by looking at the following:
- Users are being correctly synced into Active Directory.
- Are changes to users in Office 365 supposed to sync back to Active Directory user accounts?
- Are changes to users in Active Directory supposed to sync up to Office 365 user accounts?
- In Office 365, are the user account attributes correct?
In the majority of cases, DirSync synchronizes user data from Active Directory to Office 365. However, you can configure DirSync to do two-way synch at any time.
Note: Previous versions of DirSync (prior to version 6567.0018) could not be installed on the domain controller. Current versions allow you to install DirSync on the domain controller. If you do so, you must log off after installing DirSync and then log back on before you run DirSync.

DS11. Do you have multiple forests in your Active Directory architecture? If so, are you using Microsoft's Federated Identity Management (FIM)?
The Centrify identity platform handles multiple forests by having you install DirSync in each forest. If you are using Microsoft's FIM solution, please contact Microsoft Support for assistance. There are two different ways to handle federated identities in multiple forests: you can install the Microsoft Directory Synchronization tool in each forest, or you can use Microsoft's FIM solution (contact Microsoft for details).
Note: If you had a single forest when you first configured ADFS but now wish to add one or more forests, then be sure to install additional Directory Synchronization tools as needed. For details, see Creating Office 365 user accounts by synchronizing with Active Directory.

DS12. After DirSync runs:
- Users in Office 365 are activated.
- Users in Office 365 are assigned licenses.
Activate your Office 365 users before configuring Centrify Identity Service.

DS13. (Existing Office 365 customers only, managed accounts only) Can your Office 365 users log in to the Office 365 portal successfully?
If your users cannot log in to the Office 365 portal, make sure that you fix that issue before moving on to installing and configuring Centrify for Office 365. Although, after you've installed and configured Centrify for Office 365, that's when it's most important whether or not users can log in to the Centrify user portal and launch Office 365.

on the Microsoft Readiness toolkit

This list gives you an idea of some things to be aware of about the Microsoft Readiness toolkit or some of the main things that the toolkit looks for. For more information about how your Active Directory needs to be set up, see http://technet.microsoft.com/en-us/library/hh852478.aspx.

- Run the Readiness toolkit from within your domain, preferably with Domain Administrator permission or the equivalent.
- Office 365 can only go up to 50,000 objects in the tenant. If you have more objects than that, contact Microsoft support for a quota increase.
- The toolkit finds leading or trailing spaces in user attributes, such as the First Name and Last Name.
- The toolkit finds illegal characters or blank values in Active Directory objects and Exchange.
- The toolkit looks for the display name value; the display name must be present and not blank on security groups, otherwise the groups do not synchronize.
- As a best practice, it's good to align the UPN with the primary SMTP address to make it easy for end users and also to minimize support calls.
  Note: When the SMTP name space doesn't match the Office 365 name space suffix portion, it will use onmicrosoft.com.
- Windows servers and desktops must be specified versions or newer.
- The toolkit determines how many domains, forests, and transitive trusts exist.
- The toolkit looks for duplicate GUIDs in multi-forest environments.
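The conditions in the list above can be checked over a directory export before the first synchronization run. The following is an added example, not the Microsoft Readiness toolkit and not code from this guide; the record layout, the `type` field, and the use of `mail` as the primary SMTP address are assumptions, and the sample records are constructed.

```python
"""Pre-synchronization checks over an exported list of directory objects.

Field names follow common Active Directory attribute names; the "type" field
and treating "mail" as the primary SMTP address are assumptions of this example.
"""

TENANT_OBJECT_LIMIT = 50_000  # object limit this page gives for an Office 365 tenant


def check_objects(objects, verified_domains, object_limit=TENANT_OBJECT_LIMIT):
    """Return (object name, finding) tuples for the conditions listed on this page."""
    domains = {d.lower() for d in verified_domains}
    findings = []
    seen_guids = {}

    if len(objects) > object_limit:
        findings.append(("<directory>", "object count exceeds tenant limit"))

    for obj in objects:
        name = obj.get("sAMAccountName") or "<unnamed>"

        # Duplicate GUIDs matter when several forests are synchronized.
        guid = obj.get("objectGUID")
        if guid in seen_guids:
            findings.append((name, f"objectGUID duplicates {seen_guids[guid]}"))
        elif guid:
            seen_guids[guid] = name

        # Leading or trailing spaces in first and last name attributes.
        for attr in ("givenName", "sn"):
            value = obj.get(attr) or ""
            if value != value.strip():
                findings.append((name, f"{attr} has leading or trailing spaces"))

        if obj.get("type") == "group":
            # Security groups with a blank display name do not synchronize.
            if not (obj.get("displayName") or "").strip():
                findings.append((name, "displayName is blank"))
            continue

        upn = obj.get("userPrincipalName") or ""
        local, at, suffix = upn.rpartition("@")
        if not (local and at and suffix):
            findings.append((name, "userPrincipalName is missing or malformed"))
            continue
        # The UPN suffix must match a domain registered in Office 365.
        if suffix.lower() not in domains:
            findings.append((name, f"UPN suffix {suffix} is not a verified domain"))
        # Best practice from the list: UPN aligned with the primary SMTP address.
        mail = obj.get("mail") or ""
        if mail and mail.lower() != upn.lower():
            findings.append((name, "UPN differs from primary SMTP address"))

    return findings


# Constructed sample export (not real accounts).
SAMPLE_OBJECTS = [
    {"objectGUID": "g1", "type": "user", "sAMAccountName": "asmith",
     "givenName": "Adele", "sn": "Smith",
     "userPrincipalName": "asmith@wileycoyote.com", "mail": "asmith@wileycoyote.com"},
    {"objectGUID": "g2", "type": "user", "sAMAccountName": "bjones",
     "givenName": "Bo ", "sn": "Jones",
     "userPrincipalName": "bjones@acme.local", "mail": "bo.jones@wileycoyote.com"},
    {"objectGUID": "g3", "type": "group", "sAMAccountName": "sales", "displayName": ""},
    {"objectGUID": "g1", "type": "user", "sAMAccountName": "asmith2",
     "givenName": "Al", "sn": "Smith",
     "userPrincipalName": "asmith2@wileycoyote.com", "mail": "asmith2@wileycoyote.com"},
]

if __name__ == "__main__":
    for who, finding in check_objects(SAMPLE_OBJECTS, ["wileycoyote.com"]):
        print(f"{who}: {finding}")
```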

Centrify Identity Service checklist

C1. Each domain in each forest must have a login suffix created for it.
The Office 365 domain needs to have the login suffix. For more details, see the login suffix topic in the Cloud Manager help: https://cloud.centrify.com/vfslow/lib/docs///adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C2. For the domain where you've installed the cloud connector(s), make sure that the domain is either listed in Office 365 or you've created a login suffix for the domain.
So, if your cloud connector is on the domain redshirts.com, that domain isn't listed in Office 365 as one of your domains, and you want users to log in using redshirts.com, create a login suffix called redshirts.com. For more details about using login suffixes, see https://cloud.centrify.com/vfslow/lib/docs///adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C3. When switching to Centrify for Office 365, it's a good practice to set aside about 6 hours. Email and Office 365 service may be down during this time while you configure.
When making changes to production deployments, be sure to do so during off-peak hours.

C4. Is the cloud connector running ok? Can the cloud connector connect to the cloud service successfully?

C5. Can all users log in to the user portal? Check a user account from each domain and forest to make sure that the user can log in to the user portal. If you have specified one or more alternate UPN suffixes, make sure that users can log in using each UPN suffix.
If a user can't log in, most of the time this is because of an issue with how the login suffixes are set up. It's best to test all user accounts: have each of your users try to log in. For more details about using login suffixes, see https://cloud.centrify.com/vfslow/lib/docs///adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C6. After you're set up with Centrify for Office 365 but before you've added and configured the Office 365 SaaS application: Make sure that your users can log in to the user portal successfully using their Office 365 email address.

Centrify for Office 365 checklist

CO1. If your users use Office online, Lync 2013/Skype for Business, or SharePoint, be sure to trust the root cloud CA certificate.
What there is to know: You can use the root CA certificate that the cloud service provides for you with the cloud connector, or you can use your own. For details, see "Trusting the root certificate for Lync 2013/Skype for Business authentication" on page 29-78.

CO2. Do you need to provide a direct link to SharePoint from the user portal?
What there is to know: If needed, you can configure a generic browser application to point to your custom SharePoint URL and users won't have to enter their login credentials again. You will need to trace some HTTP header data to get the correct URL. For details, see "Creating an application that opens SharePoint Online directly" on page 27-42.

CO3. Are you using Lync 2013/Skype for Business or newer? If so, you need to set the Corporate IP Range in Cloud Manager.

CO4. Disable any ADFS and DirSync installations that you no longer use.
What there is to know: Once you move from ADFS and use Centrify for Office 365 to handle identity authentication and domain federation, you don't need to keep ADFS running. However, if you're using ADFS for other purposes, it doesn't impact the cloud service processes if you keep ADFS running. With Centrify for Office 365, you don't need DirSync or any more. You can disable or uninstall it.

Creating an application that opens SharePoint Online directly

If you want your users to have an application in their user portal that they can click to go directly to SharePoint, you can add a generic bookmark application to provide that access without requiring users to sign in again.

Note: The following procedure uses the Firefox web browser; you can use similar tools in Chrome or other browsers.

To add a generic bookmark application for SharePoint Online:

1. Install an HTTP header trace add-on in Firefox, such as Live HTTP Headers or SAML tracer.
2. Open the HTTP header trace Firefox add-on.
3. Make sure that you're not currently logged in to either Office 365 or your SharePoint site. You'll need to capture some of the SAML token info that gets passed during login.
4. Go to your custom SharePoint domain, which has the format of mydomain.sharepoint.com. You'll be redirected to the user portal.
5. Log in to the user portal. Then you'll be redirected back to your SharePoint domain.
6. In the HTTP header trace Firefox add-on, look for the GET command that has a URL that starts with https://cloud.centrify.com/run?appkey=office+365&customerid=
   If there are multiple URLs that look similar, pick one that has the cbcxt and also the wctx in it. For example:
   https://cloud.centrify.com/my?appkey=office+365&customerid=ab123&cbcxt=&popupui=&vv=&username=adele.smith%40centrify.com&mkt=&lc=1033&wfresh=&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=wa%3dwsignin1%252E0%26rpsnv%3d3%26ct%3d1393546930%26rver%3d6%252e1%252e6206%252e0%26wp%3dmbi%26wreply%3dhttps%253A%252F%252Fcentrify%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3d1033%26id%3d500046%26%26bk%3d1393546930%26LoginOptions%3d3
7. Copy the entire URL and paste it into a plain text editor.
8. In the text editor, remove everything in the URL from the cbcxt= up to wfresh=& just before wa=wsignin1.0. Using the example above you'll end up with:
   https://cloud.centrify.com/run?appkey=office+365&customerid=ab123&wa=wsignin1.0&wtrealm=urn:federation:microsoftonline&wctx=wa%3dwsignin1%252e0%26rpsnv%3d2%26ct%3d1391061064%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fcentrify%252esharepoint%252ecom%252f%255fforms%252fdefault%252easpx%26lc%3d1033%26id%3D500046%26%26bk%3D1391061066%26LoginOptions%3D3
9. In Cloud Manager, add a Generic Bookmark application with the above URL, and deploy the application to all users.
   Tip: Remember to give the application a custom name so that you know that it links to SharePoint.
10. In the user portal, click the newly created application to open SharePoint in a new window.
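Steps 6 through 8 can be scripted so that the span removed from the captured URL, which includes the capturing user's username parameter, is checked before the bookmark is deployed to all users. This is an added example, not code from the guide; the function names are hypothetical, the sample URL is constructed in the format of the example in step 6, and the host check assumes the cloud.centrify.com host shown there.

```python
"""Trim a captured sign-in URL into the bookmark URL described in steps 6 to 8."""
from urllib.parse import parse_qs, urlsplit

# Names expected between cbcxt= and wa= (taken from the example in step 6).
REMOVABLE = {"cbcxt", "popupui", "vv", "username", "mkt", "lc", "wfresh"}
# Parameters the finished bookmark must still carry.
REQUIRED = ("appkey", "customerid", "wa", "wtrealm", "wctx")


def trim_bookmark_url(captured, expected_host="cloud.centrify.com"):
    """Remove everything from cbcxt= up to, but not including, wa=.

    Works on the raw query text so that the double-encoded wctx value is
    carried through byte for byte.
    """
    parts = urlsplit(captured)
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError("not an https URL on the expected identity service host")

    raw = [p for p in parts.query.split("&") if p]
    names = [p.partition("=")[0] for p in raw]
    if "cbcxt" not in names or "wa" not in names:
        raise ValueError("URL lacks cbcxt or wa; pick the request that has both")
    start, end = names.index("cbcxt"), names.index("wa")
    if start > end:
        raise ValueError("cbcxt appears after wa; unexpected parameter order")

    # Refuse to silently drop anything the procedure does not mention.
    unexpected = [n for n in names[start:end] if n not in REMOVABLE]
    if unexpected:
        raise ValueError(f"refusing to drop unrecognized parameters: {unexpected}")

    kept = raw[:start] + raw[end:]
    kept_names = [p.partition("=")[0] for p in kept]
    missing = [n for n in REQUIRED if n not in kept_names]
    if missing:
        raise ValueError(f"trimmed URL is missing: {missing}")
    if "username" in kept_names:
        raise ValueError("a username parameter would be deployed to all users")

    return f"https://{parts.netloc}{parts.path}?{'&'.join(kept)}"


def reply_host(url):
    """Host that the wreply value inside wctx sends the user back to."""
    outer = parse_qs(urlsplit(url).query)   # first decoding pass
    inner = parse_qs(outer["wctx"][0])      # wctx is itself a query string
    return urlsplit(inner["wreply"][0]).hostname


# Constructed capture in the format of the example in step 6 (not a real session).
SAMPLE_CAPTURED = (
    "https://cloud.centrify.com/run?appkey=office+365&customerid=ab123"
    "&cbcxt=&popupui=&vv=&username=user%40example.com&mkt=&lc=1033&wfresh="
    "&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline"
    "&wctx=wa%3dwsignin1%252E0%26rpsnv%3d3"
    "%26wreply%3dhttps%253A%252F%252Fexample%252Esharepoint%252Ecom"
    "%252F%255Fforms%252Fdefault%252Easpx%26lc%3d1033%26LoginOptions%3d3"
)

if __name__ == "__main__":
    bookmark = trim_bookmark_url(SAMPLE_CAPTURED)
    print(bookmark)
    print("returns to:", reply_host(bookmark))
```

Confirm that the host reported by `reply_host` is your own SharePoint domain before adding the URL as a Generic Bookmark application.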

Centrify for Office 365 verification checklist

V1. Users in each domain can log in to the Centrify user portal successfully. Administrators in each domain can also log in to Cloud Manager successfully.

V2. After you've successfully federated your Office 365 account with the cloud service, verify that your users can do the following:
1. All users can log in to the user portal.
2. From the user portal, all users can launch the Office 365 application successfully.
3. All users can also go directly to the Microsoft online portal, log in with SP-initiated authentication, and test the Office 365 web access.
4. Users can access each tab in Office 365.

If a particular user cannot log in, verify that the login suffixes are configured correctly.
Note: At each deployment step, you need to make sure that users can still log in successfully. So, even though you verified this before, it's important to verify it again.
Note: To view your federation settings from the Office 365 Application Settings tab, select your federated domain and click Actions > Federation Settings.

Centrify for Office 365 desktop checklist

If you're also deploying desktop and mobile access to Office 365, here are the things you need to configure and verify.

VDT1. Outlook works (Windows desktop)
If you have a hybrid Office 365 deployment, point the on-premise users to the on-premise Exchange server.

VDT2. Lync/Skype for Business works (Windows desktop)
If you're deploying Lync 2013/Skype for Business, be sure to trust the root CA certificate on the cloud connector computer and set a corporate IP range. For details, see Configuring desktop and mobile clients for Office 365.

VDT3. Office online works, including SharePoint CRM online and CRM Outlook plugin (Windows desktop)

VDT4. Mac desktop clients for Office 365 and Lync/Skype for Business work

VDT5. Active Directory user password changes and Outlook and Lync/Skype for Business
Sometimes, when a user changes her Active Directory password there can be connection issues in either Microsoft Outlook or Lync/Skype for Business on Windows systems. This can happen if the user had the desktop applications save the login credentials; the stale credentials stay stored with the previous password.
To remove and update the password that Outlook or Lync/Skype for Business uses:
1. In Windows, go to Windows > Control Panel, and click Credential Manager.
2. If you see any credentials for Outlook or Lync/Skype for Business, open the credential to expand its information, and click Remove from Vault.
3. Restart the computer.
Upon restart, the user logs in to the computer with her current and correct password. Microsoft desktop applications renew their use of the user's credentials to the correct and current password.

Centrify for Office 365 mobile checklist

If you're also deploying desktop and mobile access to Office 365, here are the things you need to configure and verify.

VML1. Set up policies to administer and manage mobile devices.
Note: If you have Office 365 users in both Active Directory and the cloud user service, you must use cloud policies for mobile device management. For information about setting policies, see

VML2. Have your users enroll their mobile devices into the cloud service.

VML3. Android and iOS clients work in the following scenarios:
- Mobile browser with OWA: User logs in to the user portal in a mobile browser and launches the web-based version of Office 365 (OWA) in the mobile browser.
- Centrify mobile application with OWA: User logs in to the native, mobile Centrify application and then launches the web-based version of Office 365 in the mobile browser.
- Centrify mobile application with Office 365 mobile applications: User logs in to the native, mobile Centrify application and then launches a native, mobile Office 365 application. When your Office 365 account is federated, the user gets a login screen when launching the native, mobile Office 365 application. There are different applications for different devices.
- Mobile mail: User adds their work account to their mobile device for email or email and calendar and contacts. Users can set up POP3, IMAP, or Exchange ActiveSync connections. You can administer Exchange ActiveSync connections by way of policies and Cloud Manager settings.