• Federation Metadata Update Tool should be installed with every ADFS and Office 365 deployment

    If you are deploying ADFS with Office 365, we have a federation metadata update tool available which we strongly recommend you deploy with any ADFS deployment used for federation with Office 365. This tool automatically updates the Office 365 service using the Update-MsolFederatedDomain cmdlet when the ADFS token-signing certificate renews on its annual cycle. If you do not run this tool as a daily scheduled task on the ADFS server, you will have to monitor the token-signing certificate renewal on the ADFS server by some other means. I put together a quick FAQ about this tool below:


    Where do I get the update tool to install on my ADFS server?

    Link to the Federation Metadata update tool is here.

    What happens if I don’t install this tool?

    The risk of not running the federation metadata update tool is an end-user outage: the token-signing certificate renews once a year, and unless you manually monitor your ADFS servers for the renewed certificate and update Office 365, sign-in will fail once ADFS starts signing with the new certificate.


    Do I have to run this update tool on every ADFS server?

    The update tool script only has to run on ONE ADFS server, not on every server. It runs as a scheduled task once a day and checks for metadata changes. If a change is found, it updates Office 365 automatically.


    What if I have multiple UPNs serviced by ADFS?

    You need to obtain a list of all of your federated domains by running the Get-MsolDomain cmdlet. Then edit the single instance of the .ps1 file included with the federation metadata update tool, located in C:\Office365-Scripts, so that Update-MsolFederatedDomain is executed for each of the federated domains in your tenant (add an additional execution line for each domain in your list). Be sure to use the -SupportMultipleDomain parameter of the Update-MsolFederatedDomain cmdlet if you have multiple top-level federated domains.


    Can you provide me more technical details behind the ADFS Token Signing certificate renewal?

    ADFS 2.0 has a feature called AutoCertificateRollover (ACR) which renews the ADFS certificates once a year. ACR generates two brand new certificates annually. One of them, the token-signing certificate, signs ALL assertions leaving your federation server. If Office 365 doesn't know about the new token-signing certificate, your entire organization will fail to sign in to any O365 resource. You can keep Office 365 in sync yourself with manual checking, or use the federation metadata tool provided, which checks for this change and updates the Office 365 service automatically.
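    As an added example (not the federation metadata update tool itself, whose script is not reproduced here), the check below compares the token-signing certificate Office 365 holds for each federated domain against the primary token-signing certificate on the ADFS server and republishes only on a mismatch; it also covers the multiple-domain case from the FAQ above. The Source value "Microsoft Office 365" used to pick the Office 365 row out of Get-MsolFederationProperty is an assumption.

```powershell
# Added example, not the federation metadata update tool: detect a token-signing
# certificate rollover that Office 365 has not yet been told about and fix it.
# Assumes it runs on an ADFS 2.0 server with the ADFS snap-in and MSOnline module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

# Office 365 global administrator; how you store this credential for a scheduled task is up to you
$cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $cred

# Thumbprint of the certificate ADFS currently uses to sign every outgoing assertion
$adfsPrimary = (Get-ADFSCertificate -CertificateType Token-Signing |
                Where-Object { $_.IsPrimary }).Thumbprint

$federated   = @(Get-MsolDomain -Authentication Federated)
# -SupportMultipleDomain is required when more than one top-level domain is federated
$useMultiple = $federated.Count -gt 1

foreach ($domain in $federated) {
    # Get-MsolFederationProperty returns one row from ADFS and one from Office 365;
    # the Source string below is an assumption about how the Office 365 row is labelled
    $o365Side  = Get-MsolFederationProperty -DomainName $domain.Name |
                 Where-Object { $_.Source -eq "Microsoft Office 365" }
    $o365Thumb = $o365Side.TokenSigningCertificate.Thumbprint

    if ($o365Thumb -eq $adfsPrimary) {
        Write-Host "$($domain.Name): Office 365 already trusts $adfsPrimary"
        continue
    }

    Write-Warning "$($domain.Name): Office 365 holds $o365Thumb but ADFS signs with $adfsPrimary; updating"
    if ($useMultiple) {
        Update-MsolFederatedDomain -DomainName $domain.Name -SupportMultipleDomain
    } else {
        Update-MsolFederatedDomain -DomainName $domain.Name
    }
}
```

    Run it daily from a scheduled task on one ADFS server, as the FAQ describes for the tool itself; the ADFS-side thumbprint comparison is what turns a yearly surprise into a logged, automatic update.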

  • FBA customization with Office 365 and ADFS

    First I'd like to give a shout out to Dmitrii who recently provided instructions on updating the FBA to support ADFS. I used his blog entry as a source to update my installation. I did have some minor changes but the original blog can be found here.

    By default with Office 365 you have WIA (Windows Integrated Authentication) as the ADFS local authentication type that validates your credentials against AD. I changed the default type to Forms Based Authentication and detailed the steps below.

    The major changes I needed were a custom background, helpdesk contact information (since the O365 sign-in page itself can't be customized), and hiding my unsightly ADFS service name, which was long and appeared on the sign-in page.

    I started with my FormsSignin.aspx page.

    [screenshot: the default FormsSignIn.aspx page]

    I wanted my screen to look like this:

    [screenshot: the customized sign-in page]

    The following files have control over the Forms Signin:

    • Inetpub\adfs\ls\web.config
    • Inetpub\adfs\ls\FormsSignIn.aspx
    • Inetpub\adfs\ls\FormsSignIn.aspx.cs
    • Inetpub\adfs\ls\App_GlobalResources\CommonResources.resx
    • Inetpub\adfs\ls\App_GlobalResources\CommonResources.en.resx (and many other language files, if you need to present it in those languages)
    • Inetpub\adfs\ls\MasterPages\StyleSheet.css
    • Inetpub\adfs\ls\MasterPages\MasterPage.master
    • Inetpub\adfs\ls\MasterPages\MasterPage.master.cs

    On the following diagram I'll point out which area of the Forms SignIn page is controlled by which configuration file.

    1. Modify web.config and bring Forms forward to be the first authentication type (the first entry is the one ADFS uses by default):

      <microsoft.identityServer.web>
        <localAuthenticationTypes>
          <add name="Forms" page="FormsSignIn.aspx" />
          <add name="Integrated" page="auth/integrated/" />
          <add name="TlsClient" page="auth/sslclient/" />
          <add name="Basic" page="auth/basic/" />
        </localAuthenticationTypes>
        <!-- other settings in this section are unchanged -->
      </microsoft.identityServer.web>

    2. Modify the global.asax.cs and FormsSignIn.aspx.cs to add the UPN into FBA, following this article:

    http://social.technet.microsoft.com/wiki/contents/articles/4184.aspx

    3. Background. Modify StyleSheet.css from this:
      body
      {
      background-color: #ffffff;
      color:#222222;
      font-size: 0.8em;
      font-weight: normal;
      font-family: "Segoe UI", Verdana, Tahoma, Arial, sans-serif;
      margin: 0px;
      background-repeat: repeat-x;
      background-image: url(../App_Themes/Default/header_background.png);
      }
      To this:
      body
      {
      background-color: #ffffff;
      color:#222222;
      font-size: 0.8em;
      font-weight: normal;
      font-family: "Segoe UI", Verdana, Tahoma, Arial, sans-serif;
      margin: 0px;
      background-repeat: repeat-x;
      background-image: url(../App_Themes/Default/custombackground.gif);
      }
    4. Header. First, in MasterPage.master move the following code
      <div class="Header">
      <asp:Label ID="PageTitleLabel" runat="server"></asp:Label>
      </div>
      From being in front of the
      <%
      string logoPath =
      System.Web.Configuration.WebConfigurationManager.AppSettings[ "logo" ];
      if( !String.IsNullOrEmpty( logoPath ) )
      {
      %>
      <div class="GroupXLargeMargin">
      <img src="<%= logoPath %>" alt="logo" />
      </div>
      <%
      }
      %>
      To be behind it, so it looks like this:
      <%
      string logoPath =
      System.Web.Configuration.WebConfigurationManager.AppSettings[ "logo" ];
      if( !String.IsNullOrEmpty( logoPath ) )
      {
      %>
      <div class="GroupXLargeMargin">
      <img src="<%= logoPath %>" alt="logo" />
      </div>
      <%
      }
      %>
      <div class="Header">
      <asp:Label ID="PageTitleLabel" runat="server"></asp:Label>
      </div>
      Second, update the .Header class in StyleSheet.css to look like this (note the # in front of the colour value):

      .Header
      {
      color: #000000;
      padding: 8px 0 5px 0;
      margin-bottom: 1px;
      font-size: 200%;
      font-weight:bold;
      position:relative;
      left:184px;
      top:-63px;
      }

    5. Sign In title. Replace the "Sign In" text in both CommonResources files so that the FormsSignInPageTitle label reads "Welcome to the Microsoft EDU STU team":

      <data name="FormsSignInPageTitle" xml:space="preserve">
        <value>Welcome to the Microsoft EDU STU team</value>
      </data>

    6. STS Title. This is your STS server name. To hide it you can do the following:
      a. In MasterPage.master page change the following code
      <div class="TextSizeXLarge">
      <asp:Label ID="STSLabel" runat="server"></asp:Label>
      </div>
      To look like this:
      <div class="STSTitleNotVisible">
      <asp:Label ID="STSLabel" runat="server"></asp:Label>
      </div>
      b. In StyleSheet.css create new code for STSTitleNotVisible to be this:
      .STSTitleNotVisible
      {
      visibility:hidden;
      }
    7. To introduce new text in the main section, update the FormsSignIn.aspx file with new Label texts and add that text to the CommonResources files.
      a. In FormsSignIn.aspx make the <asp:Content> section look like this:

      <div class="GroupXLargeMargin"><asp:Label Text="<%$ Resources:CommonResources, FormsSignInHeader%>" runat="server" /></div>
      <table class="UsernamePasswordTable">
      <tr>
      <td>
      <span class="Label"><asp:Label Text="<%$ Resources:CommonResources, UsernameLabel%>" runat="server" /></span>
      </td>
      <td>
      <asp:TextBox runat="server" ID="UsernameTextBox" ></asp:TextBox>
      </td>
      <td class="TextColorSecondary TextSizeSmall">
      <asp:Label Text="<%$ Resources:CommonResources, UsernameExample%>" runat="server" />
      </td>
      </tr>
      <tr>
      <td>
      <span class="Label"><asp:Label Text="<%$ Resources:CommonResources, PasswordLabel%>" runat="server" /></span>
      </td>
      <td>
      <asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" ></asp:TextBox>
      </td>
      <td>&nbsp;</td>
      </tr>
      <tr>
      <td></td>
      <td colspan="2" class="TextSizeSmall TextColorError">
      <asp:Label ID="ErrorTextLabel" runat="server" Text="" Visible="False"></asp:Label>
      </td>
      </tr>
      <tr>
      <td colspan="2">
      <div class="RightAlign GroupXLargeMargin">
      <asp:Button ID="SubmitButton" runat="server" Text="<%$ Resources:CommonResources, FormsSignInButtonText%>" OnClick="SubmitButton_Click" CssClass="Resizable"/>
      </div>
      </td>
      <td>&nbsp;</td>
      </tr>
      </table>
      <div class="GroupXLargeMargin">
      <asp:Label Text="<%$ Resources:CommonResources, HomeRealmSelectionTextThree%>" runat="server" />
      <a href="mailto:micore@edustl.com?subject=FEDERATION">Helpdesk@edustl.com</a>
      <asp:Label Text="<%$ Resources:CommonResources, HomeRealmSelectionTextThreeHalf%>" runat="server" />
      </div>
      <div class="GroupXLargeMargin">
      <asp:Label Text="<%$ Resources:CommonResources, HomeRealmSelectionTextFour%>" runat="server" />
      </div>
      </asp:Content>

      b. Add the following to the CommonResources files:

      <data name="HomeRealmSelectionTextTwo" xml:space="preserve">
        <value>NOTE: The following Identity Providers will let you into the application.</value>
      </data>
      <data name="HomeRealmSelectionTextThree" xml:space="preserve">
        <value>Welcome to the demo site provided by the Microsoft Education STU Team. If you need assistance please contact </value>
      </data>
      <data name="HomeRealmSelectionTextThreeHalf" xml:space="preserve">
        <value>- If we don't respond it's because we are busy with customers. Thank you and have a good day.</value>
      </data>
      <data name="HomeRealmSelectionTextFour" xml:space="preserve">
        <value>If you believe that you have arrived at this page by accident, please close your web browser and try accessing the application webpage URL again in a new browser session.</value>
      </data>

    8. I didn't add a button like Dmitrii did, so use his guidance for that sample.
    9. Finally, to add the logo do the following:
      a. Modify web.config file by uncommenting code that specifies the name of the logo file and then place your logo file in the root folder of AD FS (Inetpub\adfs\ls\)
      b. In MasterPage.master change the following code
      <div class="GroupXLargeMargin">
      <img src="<%= logoPath %>" alt="logo" />
      </div>
      To look like this:
      <div class="CustomLogo">
      <img src="<%= logoPath %>" alt="logo" />
      </div>
      c. And finally, add new code to the StyleSheet.css:

      .CustomLogo
      {
      margin-top:25px;
      }

    10. After all these changes, the page that started out looking like the default now looks like the screenshots below.

    [screenshots: the sign-in page before and after the customization]
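    As an added PowerShell example, not part of the original post: it applies step 1 (making Forms the first localAuthenticationTypes entry) to an ADFS 2.0 web.config idempotently, with a backup, and then reports which of the later StyleSheet.css and CommonResources.resx edits are still missing on the server. The path C:\inetpub\adfs\ls is the default install location and is an assumption here.

```powershell
# Added example, not from the original post. Assumes the default ADFS 2.0 path; these
# files live on each federation server, so run this on every node in the farm.
$AdfsRoot = "C:\inetpub\adfs\ls"

function Set-FormsAuthFirst {
    param([string]$WebConfig = (Join-Path $AdfsRoot "web.config"))
    # Back up first: a malformed web.config takes the whole STS down
    Copy-Item $WebConfig "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

    [xml]$xml = Get-Content $WebConfig
    $types = $xml.configuration.'microsoft.identityServer.web'.localAuthenticationTypes
    $forms = $types.add | Where-Object { $_.name -eq "Forms" }
    if (-not $forms) { throw "No <add name=""Forms""> entry found in $WebConfig" }

    if ($types.add[0].name -ne "Forms") {
        # ADFS picks the first entry as the default type, so move Forms to the front
        [void]$types.RemoveChild($forms)
        [void]$types.InsertBefore($forms, $types.FirstChild)
        $xml.Save($WebConfig)
    }
    return $types.add[0].name   # "Forms" once the change is in place
}

function Test-FbaCustomization {
    # Returns the customizations from the steps above that are missing on this server
    $missing = @()
    $css  = (Get-Content (Join-Path $AdfsRoot "MasterPages\StyleSheet.css")) -join "`n"
    $resx = (Get-Content (Join-Path $AdfsRoot "App_GlobalResources\CommonResources.resx")) -join "`n"
    foreach ($cls in ".STSTitleNotVisible", ".CustomLogo") {
        if ($css -notmatch [regex]::Escape($cls)) { $missing += "StyleSheet.css: $cls" }
    }
    foreach ($name in "HomeRealmSelectionTextThree", "HomeRealmSelectionTextThreeHalf", "HomeRealmSelectionTextFour") {
        # the closing quote keeps ...TextThree from matching ...TextThreeHalf
        if ($resx -notmatch "name=`"$name`"") { $missing += "CommonResources.resx: $name" }
    }
    return $missing
}

$first = Set-FormsAuthFirst
Write-Host "Default local authentication type is now: $first"
$gaps = Test-FbaCustomization
if ($gaps) { Write-Warning ("Still missing on this server:`n  " + ($gaps -join "`n  ")) }
```

    XmlDocument.Save rewrites the file's whitespace, which is why the backup is taken before the edit; if the check reports gaps, the corresponding step above has not been applied on that server yet.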

    Special thanks to the original contributor Dmitrii and to my partner in troubleshooting the code, Michael Icore.

  • Office 365 for education Deployment Resources

    Over the last few months I’ve come across some fantastic resources to help customers deploy Office 365 more easily and more efficiently. I decided it was finally time to put a post together to bring all of those resources onto one page – I’ll keep adding to this as I find more useful or up to date material.

    Everyone who is looking at deploying Office 365 for education will find a treasure trove of information buried in these links!

    Documentation

    Office 365 Service Descriptions

    FOPE Service Description

    FOPE User Guide

    Office 365 Deployment Guide

    Licence Scripting

    Sample PowerShell Scripts for Office 365


    Tools

    Office 365 Deployment Readiness Tool

    Microsoft Assessment & Planning Toolkit

    Microsoft Remote Connectivity Analyser

    Microsoft Online Services Speed Test Tool

    Portals

    Office 365 Trust Center

    Office 365 Tech Center

    Office 365 Community

    Training

    Office 365 Jump Start Videos

    Administering Office 365 Jump Start Videos

    Deploying Office 365 Jump Start Videos

    Deployment

    Find a Microsoft Partner

    Sign Up Today!

  • Office 365 today or wait for the next version

    As you may have seen our Office Team is targeting simultaneous releases of the Office 365 service, Office 2013 clients, SharePoint 2013, Exchange 2013, Lync 2013, Project 2013, and Visio 2013.  More information on these exciting releases can be found here:

    The New Exchange Reaches RTM!

    http://blogs.technet.com/b/exchange/archive/2012/10/11/the-new-exchange-reaches-rtm.aspx

    Lync 2013 reaches RTM!

    http://blogs.technet.com/b/lync/archive/2012/10/11/lync-2013-is-finished.aspx

    SharePoint reaches RTM!

    http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=1035

    Office Division RTM’s Office

    http://blogs.office.com/b/office-news/archive/2012/10/11/office-reaches-rtm.aspx

    So you may be asking yourself, "should I move forward with Office 365 now or wait for the upgrade to take place?" In the past the decision has often come down to your available resources, administrative readiness, upgrade windows that align with academic years, and funding, just to name a few of the parameters. Additionally, if you did decide to move forward with the current version of a server infrastructure rather than waiting for the next version, most organizations locked in that version for years in order to get the most out of their investment. Office 365 changes this model: we will keep your organization current with the latest version of our productivity stack.

    A few points to consider -

    1. All of our current Office 365 customers will be transitioning to the next version of Office 365.

    2. The identity integration work that is built for the current version of Office 365 doesn't change with the next version of Office 365.

    3. There is no data migration required from you in order to move to the next version of Office 365; that process will be handled in the backend and be transparent to both you and your end users.

    4. You can set up a preview site to begin creating your training and professional development content here - http://www.microsoft.com/office/preview/en/office-365-enterprise. The preview is completely disposable, and will not be transitioned into production.

    5. You can selectively roll out services today; for example, if you want to just leverage Exchange Online and Lync Online you can, and move forward with SharePoint Online once you have been upgraded to the next version.

    Why wait to take advantage of the hosted platform that Microsoft makes available to our education institutions? If you can think of any reasons to wait, we would be happy to discuss them with you.

  • Getting started with your upgrade from Live@edu to Office 365 for education

    Are you planning and preparing for your upgrade to Office 365 from Live@edu?   You may already have been notified that your institution can begin the upgrade. If you haven’t received a notice yet but would like to proceed, contact Live@edu Support to request the upgrade today.   


    Where can you find out more information about the upgrade?

    1. Live@edu Upgrade Center and Live@edu Upgrade Wiki - mark these sites for all the information and links you need to manage your Live@edu upgrade to Office 365 for education.

    2. Live@edu Support - Contact Live@edu Support for assistance during the upgrade process.

    3. Getting Started with Office 365 - comprehensive reference on the Office 365 services, setup, features and administration.

    4. Office 365 Community Site - Stay current on Live@edu and Office 365 topics and get tips from IT peers in our forums, blogs, and wikis.


    What Office 365 services will be enabled once the upgrade completes?

    After the upgrade, your domain(s) will be subscribed to Exchange Online Plan 1, and all accounts will have a new 25GB Exchange Online mailbox. Your institution can now take advantage of new services with Office 365 for education plans. Subscribe to Office 365 for education Plan A2 for free and get SharePoint Online, Lync Online, and Office Web Apps. Students, teachers, and faculty can audio or video chat with one another, share documents, and collaborate in real time. Subscribe to Office 365 for education plans online at http://education.office365.com, or by licensing through your Microsoft Reseller.


    What accounts will users have when the upgrade completes?

    After the upgrade completes, users will have two accounts:

    • A personal Microsoft account (formerly Windows Live ID) they can use to access SkyDrive, Messenger, and other Microsoft services, just as before with Live@edu
    • A new Office 365 account enabled for email with Exchange Online

    The Office 365 account will require a new password after the upgrade. Tell your Live@edu users in advance of the upgrade how to create this new password at https://eduupgrade.office365.com/.
    This site lets end users create their own Office 365 password rather than rely on your institution’s help desk to create one for them. Learn more about Password Management and read about the Live@edu Upgrade to Office 365 for education in the Upgrade Help.


    What assistance is available to prepare your environment for the upgrade?

    Qualified Microsoft partners are available to assist with your preparations for the upgrade: to plan and deploy any required updates to servers or clients, like the Office 365 Directory Synchronization server or Forefront Identity Manager server to automate provisioning, or Active Directory Federation Services for federated authentication with the cloud. Find a deployment partner and contact them for more information on how they can assist with your upgrade.


    What do you need to do to get started today?

    1. Start promoting the upgrade with customizable templates. Download the End User Kit.

    2. Complete the tasks in the before-upgrade checklist.

    3. Contact Live@edu support to start the upgrade to Office 365 for education.


    October 18th update: the Live@edu upgrade team has just launched a site that allows you to walk through a demo of the upgrade process. Go to http://www.office365demolabs.com and sign in with your LiveID.

    Let us know in the comments what you think, and any other resources that would be helpful to you.