• Questions about ADFS and Single Sign On (SSO) with Office 365 for Education

     

    I had several ADFS and Single Sign On (SSO) questions from a large university in northern California proceeding with Office 365 for Education for faculty, staff and students.

    What servers do I need to accommodate single sign on (SSO) aka Federated ID?

    The following on-premises servers are needed to accommodate SSO with Office 365:

    • ADFS 2.0 Proxy Servers (2 minimum for redundancy)
    • ADFS 2.0 servers (2 minimum for redundancy)
    • DirSync Server


    Do we require ADFS proxies or can I just deploy an ADFS internal server?

    Technically you can get away with just ADFS servers and no proxy servers for Federated ID, but we recommend you deploy ADFS proxies. They keep the federation servers themselves (which are domain-joined and hold the token-signing keys) off the internet edge, and they enable client access restriction capabilities such as denying access to email when off campus or IP filtering.

    Can I use TMG or UAG instead of an ADFS proxy server?

    Currently it is slated to be supported; however, the documentation is still being developed. In some cases, such as IP filtering, an ADFS proxy is still required in conjunction with UAG or TMG. There is some initial documentation here.
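    The "deny access to email when off campus" restriction that the two answers above say needs an ADFS proxy is expressed as an issuance authorization rule on the Office 365 relying party trust. What follows is an added example written for the ADFS 2.0 PowerShell snap-in, not code from the original post. It assumes the ADFS 2.0 update rollups that added the request-context claims (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application) are installed, that all internet traffic reaches the federation servers through the proxies, that 198.51.100.0/24 stands in for the campus's public IP range, and that the relying party trust still carries the default name Convert-MsolDomainToFederated gives it. The "Microsoft.Exchange" prefix on x-ms-client-application values is how Exchange Online's rich clients identify themselves; confirm the current values against the ADFS documentation before depending on it.

```powershell
# Added example; not code from the original post. Implements the "deny access
# when off campus" client access restriction as an issuance authorization rule
# on the Office 365 relying party trust in ADFS 2.0.
# Assumptions: ADFS 2.0 with the update rollups that add the request-context
# claims; internet traffic reaches the federation servers only via ADFS proxies;
# 198.51.100.0/24 is a placeholder for the campus's public address range; the
# trust keeps the default name that Convert-MsolDomainToFederated gives it.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName        = "Microsoft Office 365 Identity Platform"
$CampusIpRegex = '\b198\.51\.100\.\d{1,3}\b'   # placeholder; the claim can carry several addresses, so do not anchor it
$Ctx           = "http://schemas.microsoft.com/2012/01/requestcontext/claims"
$Permit        = "http://schemas.microsoft.com/authorization/claims/permit"
$Deny          = "http://schemas.microsoft.com/authorization/claims/deny"

# ADFS's default rule, kept so on-campus (and non-proxied) requests stay permitted.
$PermitAll = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "$Permit", Value = "true");
"@

# "Off campus" = the request came through a proxy (x-ms-proxy is present) AND
# the forwarded client IP is outside the campus range. A deny claim overrides
# permit wherever it sits in the rule set. Requests that reach the internal
# federation servers directly never carry x-ms-proxy, so they are unaffected.
$DenyOffCampus = @"
@RuleName = "Deny off-campus access to Office 365"
exists([Type == "$Ctx/x-ms-proxy"])
 && NOT exists([Type == "$Ctx/x-ms-forwarded-client-ip", Value =~ "$CampusIpRegex"])
 => issue(Type = "$Deny", Value = "true");
"@

# Narrower variant: only block rich mail clients off campus. Exchange Online's
# active-profile requests (Outlook, ActiveSync, EWS, Autodiscover) identify
# themselves with x-ms-client-application values starting "Microsoft.Exchange",
# so browser sign-in from home keeps working.
$DenyOffCampusMail = @"
@RuleName = "Deny off-campus rich mail clients"
exists([Type == "$Ctx/x-ms-proxy"])
 && exists([Type == "$Ctx/x-ms-client-application", Value =~ "^Microsoft\.Exchange\."])
 && NOT exists([Type == "$Ctx/x-ms-forwarded-client-ip", Value =~ "$CampusIpRegex"])
 => issue(Type = "$Deny", Value = "true");
"@

function Set-CampusAccessPolicy {
    param([ValidateSet("AllServices", "MailOnly")] [string] $Scope = "AllServices")

    $rp = Get-ADFSRelyingPartyTrust -Name $RpName
    if (-not $rp) { throw "Relying party trust '$RpName' not found; list them with Get-ADFSRelyingPartyTrust." }

    # Keep the rules you are replacing: a typo here locks every federated user
    # out of Office 365, and this file is the quickest way back.
    $backup = Join-Path $env:TEMP ("o365-authz-rules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    $rp.IssuanceAuthorizationRules | Out-File -FilePath $backup -Encoding UTF8

    $deny = if ($Scope -eq "MailOnly") { $DenyOffCampusMail } else { $DenyOffCampus }
    Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules ($PermitAll + "`n" + $deny)

    # Read back what is now enforced rather than trusting the write.
    Write-Host "Previous rules saved to $backup"
    (Get-ADFSRelyingPartyTrust -Name $RpName).IssuanceAuthorizationRules
}

Set-CampusAccessPolicy -Scope AllServices
```

    Run this on a federation server, not a proxy, then check immediately with a test account that sign-in from an off-campus address is refused and sign-in from campus succeeds. If the proxies sit behind a device that rewrites source addresses, the forwarded client IP will never match the regex and every off-campus user is denied, which is why the backup file matters: roll back with Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRulesFile and the saved path.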

    Is there an order they need to be installed?

    Yes: configure ADFS and Federated ID first, then the Directory Sync server. You would think it is the other way around; however, things run better when ADFS is configured prior to DirSync.

    Do I need full blown SQL Server with ADFS?

    It depends on how you are going to implement ADFS and the total number of ADFS servers deployed. A stretched ADFS farm (one spanning datacenters) requires full SQL Server, and WID cannot scale beyond five ADFS servers in a farm, so more servers than that also requires SQL Server. WID also does not support SAML artifact resolution or token replay detection. See here for the differences between WID and SQL with ADFS, or here for topology choices for ADFS.

     

    What versions of SQL are supported?

    WID, SQL 2008 R2, SQL 2012.

     

    How many ADFS servers do I need for Federated ID?

    How much load each ADFS server can handle varies with load frequency: will everyone be logging in within a 15-minute interval, or spread over an hour? The answer can range from 2 ADFS servers for 15,000 users (with high availability under high load) to many more users on the same servers, depending on your load frequency.


    See the ADFS sizing calculator here to help narrow it down.

     

    Can I enable geo-redundancy with ADFS?

    Yes, it is possible with SQL mirroring/replication to an alternate datacenter along with geo-aware load balancers.


    What happens if ADFS is unavailable?

    ADFS is required to access Office 365 when using Federated ID (SSO): if your federation service is down, federated users cannot sign in to the cloud even though the cloud service itself is up. You want to ensure you have redundant ADFS proxies and ADFS servers to reduce any downtime to the cloud.

    What type of hardware do I need for ADFS?

    Make sure you do not underspec your ADFS servers, as it does require some horsepower to run effectively:

    Federation Service Server

    • Dual Quad Core 2.27GHz (8 cores)
    • 16GB RAM
    • Gigabit Network

    Federation Service Proxy Server

    • Quad Core 2.24GHz (4 cores)
    • 4GB RAM
    • Gigabit Network

    Where can I get more information on deploying ADFS?

    There is a good ADFS deployment guide here and a O365 ADFS deployment checklist here.

  • What do you get with Exchange Hybrid?

     

    This was a question from a university in Utah looking to deploy students on Office 365 and keep their faculty and staff on on-premises Exchange 2010.

    What does Exchange Hybrid deployment mean?

    An Exchange Hybrid deployment means you maintain rich coexistence between Exchange Online and an on-premises Exchange installation.

    What versions of Exchange server support Hybrid deployment?

    Exchange 2010, Exchange 2007, Exchange 2003.

    What functionality do you get with Exchange Hybrid deployment?

    When you configure Exchange Hybrid mode you enable the following rich coexistence:

    • Mail routing between on-premises and cloud-based Exchange organizations
    • Mail routing with a shared domain namespace. For example, both on-premises and cloud-based organizations use the @contoso.edu SMTP domain.
    • A unified global address list, also called a “shared address book”
    • Free/busy and calendar sharing between on-premises and cloud-based Exchange organizations
    • Centralized control of mail flow. The on-premises organization can control mail flow for the on-premises and cloud-based organizations.
    • A single Outlook Web App URL for both the on-premises and cloud-based Exchange organizations
    • The ability to move existing on-premises mailboxes to the cloud-based organization, or to offboard them back on-premises
    • Centralized mailbox management using the on-premises Exchange Management Console (EMC)
    • Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based organizations

    What infrastructure do I need to enable Exchange hybrid deployment?

    We require an Exchange 2010 SP1 Client Access Server (CAS) installed on-premises to enable a hybrid deployment. This also requires extending the Active Directory schema during the installation of Exchange 2010. Additionally, we require a DirSync server to maintain a synchronized address book between on-premises and the cloud.

    Here is a diagram depicting a customer with Exchange 2007 on-premises who wants a Hybrid deployment in addition to single sign-on:


    Do I need to purchase a license for the Exchange 2010 hybrid server on prem?

    No, if you have a production tenant for Exchange Online you can request a hybrid server product key via Online Support to license the hybrid server. Read more here.

    Where can I find more details about hybrid deployment?

    See my previous blog post here for some useful links on step by step information on hybrid deployments.

  • Kentucky Department of Education saving $6.3m in costs with Live@edu

    Hi folks,

    Around a year ago, the Kentucky Department of Education (KDE) rolled out Live@edu to their 174 school districts to much acclaim. We have just completed the formal case study on this fantastic state-wide implementation. I know you will all want to read more, so here is an excerpt to whet your appetite :)

    The Kentucky Department of Education (KDE) provides services to the 174 school districts across the state and sought to improve communication and collaboration for teachers and students. KDE upgraded from Microsoft Exchange Server 2003 to a cloud-based Microsoft Outlook Live solution, available through Microsoft Live@edu and powered by Microsoft Exchange Server 2010. KDE conducted the upgrade to 700,000 mailboxes overnight, giving individual districts choices in how to structure their messaging. The upgrade relieves KDE staff, students, and teachers from mailbox size limitations and gives them the flexibility to extend the learning environment. KDE has reduced its management burden and increased system reliability because the messaging environment is maintained in the cloud by Microsoft, and it has avoided U.S.$6.3 million in costs over a four-year period.

    The scale of this is still stunning one year later, and a demonstration of what customers are able to do today with Microsoft technology, and a great customer like KDE!

    Jonny

     

  • How green is your cloud, Microsoft?

    Schools and universities sometimes ask me to tell them all about how moving onto our cloud offerings like Office 365, Live@edu, Azure, Dynamics CRM Online, and so on can support their green initiatives.  This is a story I am always excited to tell, as I can get my geek on with topics including virtualization, IT-PACs, xUE metrics, and of course the latest and greatest software and services from Microsoft!

    Microsoft runs our public cloud services out of a collection of inter-connected datacenters that are dispersed around the world, including several locations in the US.  The group within our company that runs these datacenters is called Microsoft Global Foundation Services.  There is an excellent datacenter video tour you can watch that is a little mind-blowing :)

    GFS has a significant environmental focus; its mission is to "lead the datacenter industry in energy efficiency, reducing waste, and using recycled resources wherever possible".  Our GFS team recently did a study in partnership with Accenture in which we examined the environmental benefits of moving to the cloud. We found that, depending on the size of the deployment, customers could reduce energy use and carbon emissions by between 30% and 90% when comparing cloud services with on-premises equivalents.  Why is this?  The study identified four areas:

    • Dynamic provisioning – customers provision only what they need; they do not have to worry about, or pay for, excess capacity.
    • Multi-tenancy – the ability to share applications between many customers.  In Live@edu, for example, we have many millions of faculty, staff and student users sharing the same hardware and application instances.  Logically we securely separate them into separate domains, but physically they co-exist.
    • Higher utilization – an individual school has its own peak utilization periods during the day; if the institution runs infrastructure on-premises to support those peaks, there will be times in the day when utilization is very low.  In the cloud, we can balance different customers’ peak periods so that we maintain a much higher average.
    • Cutting-edge datacenter design – Microsoft is an industry leader in this area, and our investments are cutting edge with respect to how we think holistically about the datacenter as the server, and how we manage it.  A simple example is cooling with fans.  A typical CPU has a dedicated fan, and the datacenter building has additional fans to cool the rooms the servers are in.  If we think about the datacenter as a server, you might conclude that you could remove all of those individual CPU fans and, through clever air-flow design, deploy fans that serve multiple CPUs.  In this case server cost would come down and infrastructure cost would go up, but overall total cost would come down.  Tangible savings that we can pass on to our schools and colleges.

    Datacenters these days are often measured in megawatts.  When customers hear this for the first time, they begin to get an idea of the magnitude of the wizard behind the curtain. Customers that have a green agenda want to know how we power the magic efficiently; we think very broadly here.  Our datacenter in Quincy, WA, is on the shores of the Columbia River and is naturally 100% powered by hydroelectricity.  An award-winning datacenter that we built in Dublin, Ireland uses a free-air cooling system and purchases wind-generated power from a local energy provider.

    We don't just stop at power... If you ask someone to think about what a datacenter looks like, they typically think of a huge concrete building with a bunch of servers in racks inside it.  Microsoft asked the question: do servers really need a building?  Concrete is not only expensive, it is also hard on the environment; it takes about a ton of carbon to make a ton of concrete.  To that end, our latest generation of datacenters is made up of what are essentially shipping containers of Pre-Assembled Components (IT-PACs), and these can reside outdoors with minimal weather protection.  IT-PACs come pre-assembled from our vendors: we drop one in, hook it up to network and water, provision it, and we are off to the races.  Beyond that, we strive to have these IT-PACs produced by our suppliers using local recyclable components, for example steel or aluminum.

    A key metric that Microsoft tracks is PUE, or Power Usage Effectiveness.  PUE measures the energy efficiency of a datacenter by dividing the total power entering the datacenter by the power used to run the computing infrastructure within it.  For example, if you have 2 watts coming into a datacenter and 1 of those watts is used to power servers, then the PUE is 2.  We strive to lower this year over year, and we even incentivize our datacenter managers on it.  Right now, with our 4th generation datacenters, we hope to be able to get into the 1.05 to 1.2 PUE range; a PUE of 1.0 is the theoretical minimum.

    So what does the magic of Microsoft's software bring to the mix?  We use a wide range of our own technologies to drive efficiencies.  Windows Server offers deep insight into resource utilization that can be monitored by our System Center product family, which in turn can be used to control how we most efficiently balance workloads and applications.  We also make extensive use of our virtualization solutions to reduce power consumption and floor space requirements dramatically.  These are all technologies from which our customers can also get great benefit in their own private clouds.

    So all in all, I hope you agree we have a compelling approach and ever-evolving roadmap that gives our education customers what they need.  I would be happy to answer any questions.

    Jonny

  • PowerShell–THE best way to manage Live@edu

    All the leaves are brown…


    Ok, so maybe they’re still a little green. Either way, the busy summer holidays are now over and the long march to Christmas begins. Naturally this means that network managers have nothing to do for 3 months, right?

    For those who have just deployed Live@edu, or for those who are planning it over the next few weeks and months, let me tell you about your new friend, Windows PowerShell! There are lots of things you can do in Live@edu’s Exchange Control Panel, but there are some things that require you to roll up your sleeves and pull out the trusty old command prompt; dynamic distribution groups, for example. Getting to grips with Windows PowerShell is vital to squeezing every drop of awesome out of your Live@edu deployment!

    Before you begin!

    Before you can begin using Windows PowerShell there are a few things you need to consider, like: are you using the correct version? Have you installed Windows Remote Management (WinRM)? The great news is that if you’re running Windows 7 or Windows Server 2008 R2 you don’t have to install anything, as the Windows Management Framework is already installed. If not, take a look at the Outlook Live Help step-by-step guide on how to install everything you need to begin managing your Live@edu tenant.

    Connecting

    Once you’ve got everything installed and configured, it’s time to connect to your tenant – pro tip: rather than type these out every time, why not bundle them up into a little script you can run?

    $LiveCred = Get-Credential
    # Type in the credentials of an account in your tenant when prompted
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session


    With a little bit of luck, once you are connected you should have something that looks a little similar to the picture above. From here you can begin to use the cmdlets that are available to manage the service.

    A full reference of what’s available can be found on the Outlook Live Help site. A great starting point is the “get-help” cmdlet – if you ever want to know what something does, get-help is your friend.

    Disconnecting

    It is important to remember to properly disconnect Windows PowerShell from the server-side session. So before you close the window remember to run the following:

    Remove-PSSession $Session

    If you close the Windows PowerShell window without disconnecting from the server-side session, your connection will remain open for 15 minutes. Your account can only have three connections to the server-side session at one time.
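    Putting the connect, work and disconnect steps above together, here is an added example (my own script, not code from the original post) that wraps the remote session so it is always removed, refuses to send Basic credentials anywhere but an https:// endpoint, and does the one task the post names as needing PowerShell rather than the Exchange Control Panel: creating a dynamic distribution group. It assumes the https://ps.outlook.com/powershell/ endpoint from the post, that faculty mailboxes carry CustomAttribute1 = "Faculty" (a placeholder convention), that the group name and alias are placeholders, and that the credential belongs to a tenant administrator.

```powershell
# Added example; not code from the original post. Connect to a Live@edu tenant
# by remote PowerShell, create a dynamic distribution group, and always tear
# the server-side session down.
# Assumptions: the ps.outlook.com endpoint from the post; faculty mailboxes
# are stamped CustomAttribute1 = "Faculty" (placeholder); "All Faculty" /
# "allfaculty" are placeholder names; the credential is a tenant admin.

$ConnectionUri = "https://ps.outlook.com/powershell/"

function Connect-LiveEduSession {
    param([Parameter(Mandatory=$true)][System.Management.Automation.PSCredential] $Credential)

    # -Authentication Basic places the password in the request itself; TLS is
    # the only thing protecting it on the wire, so refuse a non-https endpoint.
    if ($ConnectionUri -notmatch '^https://') {
        throw "Refusing to send Basic credentials to non-TLS URI $ConnectionUri"
    }
    # -AllowRedirection follows the redirect to the datacenter hosting the tenant.
    New-PSSession -ConfigurationName Microsoft.Exchange `
                  -ConnectionUri $ConnectionUri `
                  -Credential $Credential `
                  -Authentication Basic `
                  -AllowRedirection
}

function New-FacultyDynamicGroup {
    # Membership is computed from the filter each time mail is sent, so the
    # group tracks mailbox attributes instead of needing manual maintenance.
    $filter = "((RecipientType -eq 'UserMailbox') -and (CustomAttribute1 -eq 'Faculty'))"
    $group  = New-DynamicDistributionGroup -Name "All Faculty" -Alias "allfaculty" -RecipientFilter $filter

    # Preview who matches today before announcing the address; an over-broad
    # filter is the usual mistake and is cheap to catch here.
    $members = @(Get-Recipient -RecipientPreviewFilter $group.RecipientFilter)
    Write-Host ("{0}: {1} recipients currently match the filter" -f $group.PrimarySmtpAddress, $members.Count)
    $group
}

$session = Connect-LiveEduSession -Credential (Get-Credential)
try {
    # Imported at script scope so the tenant's cmdlets are visible to the functions above.
    Import-PSSession $session -AllowClobber | Out-Null
    New-FacultyDynamicGroup
}
finally {
    # Without this the server-side session lingers for about 15 minutes and
    # counts against the three concurrent sessions allowed per account.
    Remove-PSSession $session
}
```

    The try/finally is the part worth copying into your own scripts: a thrown error in the middle of the work still runs Remove-PSSession, so a failed run does not leave one of your three allowed sessions occupied for the next quarter of an hour.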