• Questions about ADFS and Single Sign On (SSO) with Office 365 for Education

     

    I had several ADFS and Single Sign On (SSO) questions from a large university in northern California proceeding with Office 365 for Education for faculty, staff and students.

    What servers do I need to accommodate single sign on (SSO) aka Federated ID?

    The following on premises servers are needed to accommodate SSO with Office 365:

    • ADFS 2.0 Proxy Servers (2 minimum for redundancy)
    • ADFS 2.0 servers (2 minimum for redundancy)
    • DirSync Server


    Do we require ADFS proxies or can I just deploy an ADFS internal server?

    Technically, you can get away with just ADFS servers and no proxy servers for Federated ID; however, we recommend you deploy ADFS proxies. The proxies sit in your perimeter network, are not domain-joined, and relay sign-in requests to the internal federation servers, so the domain-joined ADFS servers are never exposed directly to the Internet. The proxies are also what make client access restrictions possible, such as denying access to email when off campus or filtering by client IP address.

    Can I use TMG or UAG instead of an ADFS proxy server?

    Currently it is slated to be supported, but the documentation is still being developed. In some cases, such as IP filtering, an ADFS proxy is still required in conjunction with UAG or TMG, because the federation server only learns that a request came from outside (and what the client's address is) from the claims the ADFS proxy adds to the request. There is some initial documentation here.
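    The off-campus restriction mentioned above is implemented as an issuance authorization rule on the Office 365 relying party trust. The script below is an added example, not code from the original post or from Microsoft's documentation. It assumes ADFS 2.0 with Update Rollup 2 or later (which introduced the x-ms-proxy and x-ms-forwarded-client-ip request-context claims), that all external requests arrive through the ADFS proxy, that the relying party is named "Microsoft Office 365 Identity Platform" (the name Convert-MsolDomainToFederated creates), and that the campus public range is 131.107.0.0/16, a placeholder you would replace with your own.

```powershell
# Added example (not from the original post): restrict Office 365 sign-in to
# on-campus clients with an ADFS 2.0 issuance authorization rule.
# Assumptions: ADFS 2.0 Update Rollup 2 or later, external requests arrive via
# the ADFS proxy, the relying party is "Microsoft Office 365 Identity Platform",
# and 131.107.0.0/16 stands in for the campus public address range.
# Run on a federation server as an ADFS administrator. On Windows Server 2012
# and later the ADFS module loads automatically and the snap-in line is a no-op.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = 'Microsoft Office 365 Identity Platform'
$campusRegex = '\b131\.107\.\d{1,3}\.\d{1,3}\b'   # assumed campus public range

# Rule 1: permit everyone by default (the rule the Office 365 trust ships with).
# Rule 2: deny when the request came through the proxy (x-ms-proxy is present,
# so the client is external) AND the forwarded client IP is not on campus.
# ADFS denies whenever any deny claim is issued, even if a permit claim was
# also issued, so the relative order of the two rules does not matter.
$rules = @"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external clients outside the campus address range"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$campusRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep a copy of the rules currently in force so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$backupPath = Join-Path $env:TEMP ('o365-authz-rules-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backupPath -Encoding UTF8
Write-Host "Previous issuance authorization rules saved to $backupPath"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what is now in force.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

    Because the deny rule only fires when x-ms-proxy is present, a request that reaches a federation server without passing through the proxy is treated as internal; that is the reason to keep the federation servers off the Internet and to route all external traffic through the proxies. Requests that Exchange Online makes on behalf of Outlook and ActiveSync clients carry the original client address in x-ms-forwarded-client-ip, so the same rule covers rich clients as well as browsers.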

    Is there an order they need to be installed?

    Yes: configure ADFS and Federated ID first, then the Directory Sync server. You would think it is the other way around; however, things run better when ADFS is configured before DirSync.

    Do I need full blown SQL Server with ADFS?

    It depends on how you are going to implement ADFS and on the total number of ADFS servers deployed. A stretched (geo-distributed) ADFS farm requires full SQL Server, and so does a farm of more than 5 federation servers, because the Windows Internal Database (WID) cannot scale beyond that number. Note also that a WID-based farm does not support SAML artifact resolution or token replay detection; if you need either, plan on SQL Server. See here for the differences between WID and SQL with ADFS, or here for topology choices for ADFS.

     

    What versions of SQL are supported?

    Windows Internal Database (WID), SQL Server 2008 R2 and SQL Server 2012.

     

    How many ADFS servers do I need for Federated ID?

    Sizing varies with load frequency: will everyone sign in within the same 15-minute interval, or will sign-ins be spread over an hour? The answer can range from two ADFS servers for 15,000 users with high availability under high load, to the same two servers serving many more users when the load is spread out. Every sign-in by a federated user goes through ADFS, so size for the peak rather than the average.

    See the ADFS sizing calculator here to help narrow it down.

     

    Can I enable geo-redundancy with ADFS?

    Yes. It is possible with SQL Server mirroring or replication of the ADFS configuration database to an alternate datacenter, together with geo-aware load balancers that direct clients to a live site.

    What happens if ADFS is unavailable?

    ADFS is in the authentication path for every federated sign-in: when Federated ID (SSO) is in use and neither an ADFS proxy nor an ADFS server can be reached, users cannot sign in to Office 365 at all. Make sure you have redundant ADFS proxies and ADFS servers so that an on-premises failure does not turn into cloud downtime.

    What type of hardware do I need for ADFS?

    Make sure you do not under-spec your ADFS servers, as they need some horsepower to run effectively:

    Federation Service Server

    · Dual Quad Core 2.27GHz (8 cores)

    · 16GB RAM

    · Gigabit Network

    Federation Service Proxy Server

    · Quad Core 2.24GHz (4 cores)

    · 4GB RAM

    · Gigabit Network

    Where can I get more information on deploying ADFS?

    There is a good ADFS deployment guide here and a O365 ADFS deployment checklist here.

  • What do you get with Exchange Hybrid?

     

    This was a question from a university in Utah looking to move students to Office 365 while keeping faculty and staff on on-premises Exchange 2010.

    What does Exchange Hybrid deployment mean?

    Exchange Hybrid deployment means maintaining rich coexistence between Exchange Online and an on-premises Exchange installation.

    What versions of Exchange server support Hybrid deployment?

    Exchange 2010, Exchange 2007 and Exchange 2003 (each via an Exchange 2010 SP1 hybrid server; see below).

    What functionality do you get with Exchange Hybrid deployment?

    When you configure Exchange Hybrid mode you enable the following rich coexistence features:

    • Mail routing between on-premises and cloud-based Exchange organizations
    • Mail routing with a shared domain namespace. For example, both on-premises and cloud-based organizations use the @contoso.edu SMTP domain.
    • A unified global address list, also called a “shared address book”
    • Free/busy and calendar sharing between on-premises and cloud-based Exchange organizations
    • Centralized control of mail flow. The on-premises organization can control mail flow for the on-premises and cloud-based organizations.
    • A single Outlook Web App URL for both the on-premises and cloud-based Exchange organizations
    • The ability to move existing on-premises mailboxes to the cloud-based organization, or to offboard them back on premises
    • Centralized mailbox management using the on-premises Exchange Management Console (EMC)
    • Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based organizations

    What infrastructure do I need to enable Exchange hybrid deployment?

    We require an Exchange 2010 SP1 Client Access Server (CAS) on premises to enable a hybrid deployment. This also requires extending the Active Directory schema during the installation of Exchange 2010. Additionally, a DirSync server is required to maintain a synchronized address book between on premises and the cloud.

    (Diagram in the original post: a customer with Exchange 2007 on premises adding a hybrid deployment together with single sign-on.)

    Do I need to purchase a license for the Exchange 2010 hybrid server on prem?

    No, if you have a production tenant for Exchange Online you can request a hybrid server product key via Online Support to license the hybrid server. Read more here.

    Where can I find more details about hybrid deployment?

    See my previous blog post here for some useful links on step by step information on hybrid deployments.

  • Kentucky Department of Education saving $6.3m in costs with Live@edu

    Hi folks,

    Around a year ago, the Kentucky Department of Education (KDE) rolled out Live@edu to their 174 school districts to much acclaim. We have just completed the formal case study on this fantastic state-wide implementation. I know you will all want to read more; here is an excerpt to whet your appetite :)

    The Kentucky Department of Education (KDE) provides services to the 174 school districts across the state and sought to improve communication and collaboration for teachers and students. KDE upgraded from Microsoft Exchange Server 2003 to a cloud-based Microsoft Outlook Live solution, available through Microsoft Live@edu and powered by Microsoft Exchange Server 2010. KDE conducted the upgrade to 700,000 mailboxes overnight, giving individual districts choices in how to structure their messaging. The upgrade relieves KDE staff, students, and teachers from mailbox size limitations and gives them the flexibility to extend the learning environment. KDE has reduced its management burden and increased system reliability because the messaging environment is maintained in the cloud by Microsoft, and it has avoided U.S.$6.3 million in costs over a four-year period.

    The scale of this is still stunning one year later, and a demonstration of what customers are able to do today with Microsoft technology, and a great customer like KDE!

    Jonny

     

  • PowerShell–THE best way to manage Live@edu

    All the leaves are brown…


    Ok, so maybe they’re still a little green. Either way, the busy summer holidays are now over and the long march to Christmas begins. Naturally this means that network managers have nothing to do for 3 months, right?

    For those who have just deployed Live@edu, or who are planning it over the next few weeks and months, let me tell you about your new friend, Windows PowerShell! There are lots of things you can do in Live@edu’s Exchange Control Panel, but there are some things that require you to roll up your sleeves and pull out the trusty old command prompt; dynamic distribution groups, for example. Getting to grips with Windows PowerShell is vital to squeezing every drop of awesome out of your Live@edu deployment!

    Before you begin!

    Before you can begin using Windows PowerShell there are a few things you need to consider: are you using the correct version? Have you installed Windows Remote Management (WinRM)? The great news is that if you’re running Windows 7 or Windows Server 2008 R2 you don’t have to install anything, as the Windows Management Framework is already installed. If not, take a look at the Outlook Live Help step-by-step guide on how to install everything you need to begin managing your Live@edu tenant.

    Connecting

    Once you’ve got everything installed and configured, it’s time to connect to your tenant. Pro tip: rather than typing these out every time, bundle them up into a little script you can run. Note that the session uses -Authentication Basic, which sends the password base64-encoded inside the request; TLS is the only thing protecting it, so the ConnectionUri must be the https:// address and nothing else.

    $LiveCred = Get-Credential
    # When prompted, enter the credentials of an administrator account in your tenant.

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

    Import-PSSession $Session

    Once you are connected, Import-PSSession reports the temporary module it created (its name starts with tmp_) and the remote cmdlets become available locally. From here you can begin to use the cmdlets that are available to manage the service.

    A full reference of what’s available can be found on the Outlook Live Help site. A great starting point is the “get-help” cmdlet – if you ever want to know what something does, get-help is your friend.

    Disconnecting

    It is important to remember to properly disconnect Windows PowerShell from the server-side session. So before you close the window remember to run the following:

    Remove-PSSession $Session

    If you close the Windows PowerShell window without disconnecting, the server-side session stays open for 15 minutes, and it still counts against the limit of three concurrent connections per account; leak three of them and you are locked out until they expire.
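    Putting the connect and disconnect steps together, here is an added example (not code from the original post) that wraps them in functions and uses try/finally so that Remove-PSSession always runs. It assumes the https://ps.outlook.com/powershell/ endpoint shown above and an account with administrator rights in the tenant; the function names are my own.

```powershell
# Added example (not from the original post): connect to Live@edu, do some
# work, and always release the server-side session. Assumes the public
# endpoint https://ps.outlook.com/powershell/ and a tenant administrator account.

function Connect-LiveEdu {
    param(
        [System.Management.Automation.PSCredential] $Credential = (Get-Credential),
        [string] $ConnectionUri = 'https://ps.outlook.com/powershell/'
    )
    # -Authentication Basic sends the password base64-encoded; TLS is the only
    # thing protecting it, so refuse any endpoint that is not HTTPS.
    if ($ConnectionUri -notmatch '^https://') {
        throw "Refusing Basic authentication to a non-HTTPS endpoint: $ConnectionUri"
    }
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $ConnectionUri -Credential $Credential `
        -Authentication Basic -AllowRedirection
    # Import the remote cmdlets into the global scope so they remain usable
    # after this function returns; -DisableNameChecking silences the warning
    # about non-standard verbs in the Exchange cmdlets.
    Import-Module (Import-PSSession $session -DisableNameChecking) -Global
    return $session
}

function Disconnect-LiveEdu {
    param([System.Management.Automation.Runspaces.PSSession] $Session)
    # Closing the window instead of doing this leaves the server-side session
    # open for 15 minutes, and it counts against the three-session limit.
    if ($Session) { Remove-PSSession $Session }
}

# Usage: whatever runs between connect and disconnect sits in try/finally, so
# the session is released even if a cmdlet throws or you press Ctrl+C.
$liveEdu = Connect-LiveEdu
try {
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
} finally {
    Disconnect-LiveEdu -Session $liveEdu
}
```

    Save it as a .ps1 and replace the Get-Mailbox line with whatever administration you need to do; the finally block is what keeps a failed script from eating one of your three session slots for the next quarter of an hour.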

  • Calendar Publishing in Live@edu

    So, you want to publish your calendar?

    calendarsharing

    In my last post I talked about how you could set up sharing of free/busy information between two Live@edu environments, but what about sharing your whole calendar with someone? When you click Share in the calendar screen, the options to publish the calendar to the Internet are greyed out by default. In this post I’ll show you how to enable that, and how to limit the ability to a subset of your users.

    The end result is that you could enable this feature for your staff and not for your students. This would allow members of staff in different schools to share their calendars with each other but would keep student calendars private. Cool, eh?

     PowerShell

    As with many of the advanced features of Live@edu, we turn to PowerShell to make this happen. You need to connect to your tenant as an administrator in order to perform these configuration changes. To find out more about connecting to your tenant, take a look at the guide on Outlook Live Help.

    Once connected, you’ll need to run the following command:

    Enable-OrganizationCustomization

    This isn’t always necessary: in the Microsoft datacentres certain objects are consolidated to save space, and the first time you try to modify one of them with Windows PowerShell you may get an error telling you to run the Enable-OrganizationCustomization cmdlet. More information is available in the corresponding tech article on Outlook Live Help.

    New Sharing Policy

    Next, we need to create a new sharing policy to apply to a specific group of users. To create the new policy, run the following command:

    New-SharingPolicy -Name "Calendar Sharing Policy" -Domains "anonymous:calendarsharingfreebusysimple"

    This should return the new policy object, showing its name, the Domains entry and Enabled set to True. Two things to note about the Domains value: the Anonymous domain is what permits publishing to the Internet at all, and the action after the colon caps the level of detail a user can publish. CalendarSharingFreeBusySimple allows free/busy only; CalendarSharingFreeBusyDetail adds subject and location; CalendarSharingFreeBusyReviewer allows full details. Anyone who obtains a published calendar URL can read it at that level, so start with the least detailed action that meets the need.

    Apply to Users

    Next step is to apply this to a user – to do this to an individual, you can do:

    set-mailbox <mailbox> -SharingPolicy "Calendar Sharing Policy"

    You can review the sharing policy for a mailbox:

    get-mailbox <mailbox> | Select-Object SharingPolicy

    If you log in to Outlook Live as one of the users you’ve applied the change to, you should now see that the publishing settings for the calendar are no longer greyed out, and selecting “Publish This Calendar to Internet” lets you alter the publishing settings.

    It is possible to write a simple PowerShell script that applies this sharing policy to a set of users, making it easy to roll it out to your staff while keeping student calendars private.
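    As an added example (not the author’s script), the following applies the policy created above to staff only and then checks that no other mailbox has it. It assumes an already connected session, and that staff mailboxes are tagged with CustomAttribute1 set to 'Staff'; the attribute and value are assumptions, so substitute whatever distinguishes staff from students in your tenant.

```powershell
# Added example (not from the original post). Run inside an already connected
# Live@edu remote PowerShell session (see the connection steps earlier).
# Assumption: staff mailboxes carry CustomAttribute1 = 'Staff'; every other
# mailbox (students included) must keep the tenant's default sharing policy.
param(
    [string] $PolicyName  = 'Calendar Sharing Policy',
    [string] $StaffMarker = 'Staff',
    [switch] $WhatIf
)

# Fail early if the policy is missing or disabled, rather than failing once
# per mailbox or silently assigning a policy that does nothing.
$policy = Get-SharingPolicy -Identity $PolicyName -ErrorAction Stop
if (-not $policy.Enabled) { throw "Sharing policy '$PolicyName' exists but is disabled." }

# The SharingPolicy property comes back as a deserialized identity, so it is
# compared as text rather than as an object.
function Test-HasPolicy($Mailbox, $Name) { "$($Mailbox.SharingPolicy)" -like "*$Name" }

# Server-side filter so only the mailboxes we intend to change are returned.
$staff = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$StaffMarker'")
$changed = 0
foreach ($mbx in $staff) {
    if (Test-HasPolicy $mbx $PolicyName) { continue }   # already has it, skip
    Set-Mailbox -Identity $mbx.Identity -SharingPolicy $PolicyName -WhatIf:$WhatIf
    $changed++
}
Write-Host ("{0} of {1} staff mailbox(es) updated (WhatIf={2})." -f $changed, $staff.Count, $WhatIf)

# Verification: nobody outside the staff set should carry the policy. This walks
# the rest of the tenant, which is slow on a large one, but it is the check that
# proves student calendars stayed on the default policy.
$leaked = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -ne '$StaffMarker'" |
            Where-Object { Test-HasPolicy $_ $PolicyName })
if ($leaked.Count -gt 0) {
    Write-Warning "'$PolicyName' is applied to $($leaked.Count) non-staff mailbox(es):"
    $leaked | Select-Object DisplayName, PrimarySmtpAddress, CustomAttribute1 | Format-Table -AutoSize
} else {
    Write-Host "No non-staff mailbox has '$PolicyName'."
}
```

    Run it first with -WhatIf to see which mailboxes would change; the verification pass at the end runs either way, so it also serves as a periodic audit that the policy has not crept onto student mailboxes.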