PowerShell Script to copy Exchange GUID from Office 365 to Exchange On-prem User.

When users are migrated from on-premises to Office 365 with some third-party tools, the on-premises user object's Exchange GUID gets reset to "00000000-0000-0000-0000-000000000000". This causes problems when the mailbox later has to be moved back to on-premises, because the offboarding move request matches the source and target objects by ExchangeGuid. The script below finds the on-premises remote mailbox objects that have an empty Exchange GUID (or carry an Exchange Online X500 address), reads the ExchangeGuid and legacyExchangeDN of the matching Exchange Online mailboxes, and stamps those values back onto the on-premises objects.

# Pass 1 (on-premises Exchange Management Shell): collect remote mailboxes that either
# carry an Exchange Online X500 address or have an empty ExchangeGuid.
Set-ADServerSettings -ViewEntireForest $true
"Remotemailbox" > C:\temp\myremotemailbox.csv
Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
    $upn      = $_.UserPrincipalName
    $proxy    = $_.EmailAddresses.ProxyAddressString
    $exchGuid = $_.ExchangeGuid

    $found = $false
    foreach ($pro in $proxy) {
        if ($pro -like "X500:/o=ExchangeLabs/*") { $found = $true }
    }
    # A single condition, so a user matching both tests is written only once
    if ($found -or $exchGuid -eq [guid]::Empty) {
        $upn >> C:\temp\myremotemailbox.csv
    }
}

# Pass 2: read the matching mailboxes from Exchange Online.
# Basic-auth remote PowerShell to ps.outlook.com is the legacy connection method;
# the current equivalent is Connect-ExchangeOnline from the ExchangeOnlineManagement module.
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber

$csvimport = Import-Csv C:\temp\myremotemailbox.csv
"userprincipalname,legacyExchangeDN,ExchangeGuid" > C:\temp\rmbresult.csv
foreach ($csv in $csvimport) {
    $rmailbox = $csv.Remotemailbox
    $mailbox  = Get-Mailbox $rmailbox | Select-Object UserPrincipalName, LegacyExchangeDN, ExchangeGuid
    $mailbox.UserPrincipalName + "," + $mailbox.LegacyExchangeDN + "," + $mailbox.ExchangeGuid >> C:\temp\rmbresult.csv
}

Remove-PSSession $Session

# Pass 3 (on-premises again): stamp the cloud ExchangeGuid and an X500 address built from
# the cloud legacyExchangeDN onto the on-premises remote mailbox object.
# Add -WhatIf to Set-RemoteMailbox for a dry run before changing anything.
$finalRM = Import-Csv C:\temp\rmbresult.csv
foreach ($final in $finalRM) {
    $upn   = $final.userprincipalname
    $eguid = $final.ExchangeGuid
    $x     = "X500:" + $final.legacyExchangeDN

    if ($upn -ne "") {
        Get-RemoteMailbox $upn | Set-RemoteMailbox -ExchangeGuid $eguid -CustomAttribute3 "Account Verified for X500-GUID" -EmailAddresses @{Add=$x}
    }
}
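After the script has run, a read-only check that the on-premises objects now carry the cloud values is worth having. The block below is added here as an example and is not part of the original script. It assumes the C:\temp\rmbresult.csv file produced above and the on-premises Exchange Management Shell; run it before the fix (mismatches are expected) and again after it (nothing should be reported).

```powershell
# Added example: compare on-premises remote mailboxes with the values captured
# from Exchange Online in C:\temp\rmbresult.csv (file produced by the script above).
# Run in the on-premises Exchange Management Shell after Remove-PSSession.
$expected = Import-Csv C:\temp\rmbresult.csv | Where-Object { $_.userprincipalname -ne "" }

$report = foreach ($row in $expected) {
    $rm = Get-RemoteMailbox -Identity $row.userprincipalname -ErrorAction SilentlyContinue
    if (-not $rm) {
        [pscustomobject]@{ UPN = $row.userprincipalname; GuidMatch = $false; X500Present = $false; Note = "remote mailbox not found" }
        continue
    }
    $wantX500 = "X500:" + $row.legacyExchangeDN
    [pscustomobject]@{
        UPN         = $row.userprincipalname
        GuidMatch   = ([guid]$rm.ExchangeGuid -eq [guid]$row.ExchangeGuid)
        # -contains is case-insensitive, so "x500:" vs "X500:" does not matter
        X500Present = [bool]($rm.EmailAddresses.ProxyAddressString -contains $wantX500)
        Note        = if ($rm.ExchangeGuid -eq [guid]::Empty) { "ExchangeGuid still empty" } else { "" }
    }
}

$report | Format-Table -AutoSize

# Anything still listed here needs attention before an offboarding move is attempted.
$report | Where-Object { -not $_.GuidMatch -or -not $_.X500Present }
```

The GUID comparison is the one that matters for a move back to on-premises; the X500 check only confirms that replies to old cloud messages keep resolving.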

Publishing Exchange and ADFS Server for Office 365 using IIS ARR Server

I found this article series extremely helpful when you want to publish Exchange and also publish AD FS servers for Office 365 SSO using the free IIS Application Request Routing (ARR) reverse proxy.

Part 1 : Reverse Proxy for Exchange Server 2013 using IIS ARR
Part 2: Reverse Proxy for Exchange Server 2013 using IIS ARR
Part 3: Reverse Proxy for Exchange Server 2013 using IIS ARR
Part 4: IIS ARR as a Reverse Proxy and Load balancing solution for O365 Exchange Online in a Hybrid Configuration

Happy Reverse proxy

Office 365 Hybrid Configuring Using Windows Azure – Part 6

I tried to keep this article series as brief as possible while covering the end-to-end configuration of Exchange and Office 365. It should give you a complete picture of how to take a base on-premises Exchange environment and integrate it with Office 365 in hybrid mode.

This is the final part of the series. It covers the topics listed below.

I. Provisioning Office 365 mailbox from on-premises Exchange Admin center

II. Accessing provisioned mailbox using Single Sign On(SSO)

III. Migrating mailbox from on-premises to Office 365

The other parts of the series can be found at the links below

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 2

Office 365 Hybrid Configuring Using Windows Azure – Part 3

Office 365 Hybrid Configuring Using Windows Azure – Part 4

Office 365 Hybrid Configuring Using Windows Azure – Part 5

Provisioning Office 365 mailbox from Exchange Admin Center

It is recommended to provision all mailboxes, both on-premises and Office 365, through the on-premises Exchange Admin Center, so that every mailbox has a matching on-premises AD object that directory synchronization keeps in step.

1. Log in to the on-premises Exchange Admin Center.

2. Click recipients -> mailboxes, click '+' and select 'Office 365 mailbox'.

3. Provide the new user details and save to create the mailbox in Office 365.

4. This creates an AD object in the on-premises Active Directory (a remote mailbox, i.e. a mail user whose mailbox lives in Office 365). The mailbox itself exists in Office 365 only after the object has been synchronized and licensed (steps 5 to 9). Given below is a reference snapshot of the Exchange EAC showing the new Office 365 mailbox.

5. The newly created object has to be synchronized to Office 365. Scheduled synchronization runs every 3 hours; follow the steps below to force the directory synchronization immediately so the user can log in with the new account.

a. Log in to the DirSync server, Krisdirsync.cloudapp.net, with the admin credentials.

b. In Windows Explorer navigate to "%programfiles%\Windows Azure Active Directory Sync".

c. Double-click DirSyncConfigShell.psc1 to open a Windows PowerShell window with the cmdlets loaded.

d. In the PowerShell window, type Start-OnlineCoexistenceSync and press ENTER.

6. After the forced synchronization the new account appears in the Office 365 portal, as in the reference screenshot. It must still be activated and licensed before the user can log in to the mailbox: select the required 'synced with Active Directory' user and click 'Activate synced user'.

7. Activate the user by specifying the user location and assigning the required licenses, then click 'Next'.

8. The 'Send results in email' page sends the mailbox creation details to the authorized person. Since the object was synced from Active Directory, the password is not reset. Click 'Activate' to activate the mailbox.

9. The 'Results' page confirms the activation with the message 'The password wasn't reset because this user's password is synced with your on-premises directory'.
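The same provisioning, forced sync and licensing can be done from PowerShell instead of the EAC and the portal. The block below is added here as an example and is not part of the original post. It assumes the on-premises Exchange Management Shell for New-RemoteMailbox, the DirSync shell on krisdirsync.cloudapp.net for Start-OnlineCoexistenceSync, and the Windows Azure Active Directory Module (MSOnline) for licensing; the user name, OU, usage location and license SKU are placeholders.

```powershell
# Added example (not from the original post): provision an Office 365 mailbox for a new
# on-premises AD user, force a DirSync cycle, then license the synced user.

# 1. On-premises Exchange Management Shell: create the AD user plus a remote mailbox.
#    The remote routing address is stamped from the email address policy
#    (alias@checkwhatsin.mail.onmicrosoft.com). OU below is an assumed value.
$pw = Read-Host -Prompt "Initial password" -AsSecureString
New-RemoteMailbox -Name "Rajesh Kumar" -FirstName "Rajesh" -LastName "Kumar" `
    -UserPrincipalName "rajesh.kumar@checkwhatsin.com" `
    -OnPremisesOrganizationalUnit "green.com/Users" `
    -Password $pw -ResetPasswordOnNextLogon $true

# Confirm the routing address and note the ExchangeGuid (it must survive later moves).
Get-RemoteMailbox "rajesh.kumar@checkwhatsin.com" | Format-List RemoteRoutingAddress, ExchangeGuid

# 2. DirSync server (DirSyncConfigShell.psc1): push the change instead of waiting
#    for the 3-hour schedule.
Start-OnlineCoexistenceSync

# 3. Windows Azure AD module: wait for the object to appear, then set the usage
#    location (required before a license can be assigned) and the license.
Connect-MsolService
do {
    Start-Sleep -Seconds 30
    $u = Get-MsolUser -UserPrincipalName "rajesh.kumar@checkwhatsin.com" -ErrorAction SilentlyContinue
} until ($u)

Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation "IN"   # assumed location
# Assumed SKU: the E3 plan; list the tenant's SKUs with Get-MsolAccountSku
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:ENTERPRISEPACK" }).AccountSkuId
Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku

# The password is not reset: the account stays synced and authenticates via AD FS.
Get-MsolUser -UserPrincipalName $u.UserPrincipalName | Format-List IsLicensed, LastDirSyncTime
```

The do/until loop is there because the object only becomes licensable once DirSync has exported it; licensing a UPN that is not yet in the tenant simply fails.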

Accessing provisioned mailbox using Single Sign On (SSO)

1. Log in to the client machine and open the Office 365 portal in Internet Explorer. Sign in with the new account rajesh.kumar@checkwhatsin.com and press the TAB key.

2. The Office 365 portal checks the SSO configuration for 'checkwhatsin.com' and immediately redirects to the organization's sign-in page.

3. Enter domain\username and password and click 'Sign In' to authenticate.

4. The welcome page is 'Get started with Office 365', with all the information needed to connect Outlook and Outlook Web App, install the Office client software, set up a mobile device and so on.

Click 'Outlook' on the top ribbon to open Outlook Web App.

5. Shown below is the user's first look at Outlook Web App.

Migrating mailbox from on-premises to Office 365

The idea of a hybrid environment is to have some or most mailboxes in Office 365 and the rest on-premises. Let us see how to migrate a user from on-premises to Office 365 and how the user continues to access email afterwards.

1. Connect to the on-premises Exchange EAC with Organization Management credentials.

2. The Mailbox Replication Proxy (MRSProxy) service is installed on every Exchange Client Access server. MRSProxy facilitates cross-forest move requests and runs on the local Client Access server, but it is disabled by default.

3. To enable MRS Proxy select Servers -> Virtual directories and double-click "EWS (Default Web Site)".

4. Select 'Enable MRS Proxy endpoint'. This is the setting that allows cross-forest migration of users from on-premises to Office 365. It exposes /EWS/mrsproxy.svc on the Client Access server, so the reverse proxy in front of Exchange must pass that path through.

5. Identify the user to migrate and click "To Exchange Online" under 'Move Mailbox' to start the move mailbox wizard.

6. Confirm the migration endpoint with the remote MRS Proxy server. The Internet-facing CAS server with MRS Proxy enabled is Krisexch.cloudapp.net and its Internet alias is mail.checkwhatsin.com. Specify it as the 'Remote MRS proxy server' and click 'Next'.

7. Specify the 'New migration batch name', the 'Target delivery domain' and the other details. In our case the target delivery domain is 'checkwhatsin.mail.onmicrosoft.com'. Specify it and click 'Next'.

8. Specify the account that receives the batch completion report, and select whether the batch should start and complete automatically or manually. Click 'New' to start the migration batch.

9. Click 'Yes' to go to the migration dashboard and watch the status of the batch.

10. This redirects to the Office 365 Migration page, where the batch shows the status Syncing.

Syncing: the migration batch has been started and the mailboxes in it are being actively migrated.

11. Once the selected mailbox has synchronized, click 'Complete this migration batch' to perform the final cutover.

12. Confirm with 'Yes' to start the process.

13. Wait for the Completed status to be sure the mailbox has moved from on-premises to Office 365.

14. Once the mailbox is in Office 365, users should use the Office 365 portal to open Outlook Web App. Users can still open the on-premises OWA portal, which hands them over to the Office 365 OWA.

15. When you log in to on-premises OWA, it determines that the mailbox is in Office 365 and shows the Office 365 portal URL for the mailbox.

16. Click the link to open the Office 365 sign-in page. This URL can be saved in favorites for future use. Enter the user's email address and press the Tab key.

17. Since federated SSO is configured for checkwhatsin.com, the browser is redirected to the on-premises reverse proxy (in front of AD FS) for authentication.

18. Once authenticated with on-premises credentials, the browser is redirected back to the Office 365 OWA page.

19. Accessing Office 365 OWA in hybrid mode looks a bit complicated because of the redirection back and forth. Outlook users do not see this: they continue with the same profile and OST without changing the profile configuration.

20. Once the migration completes, the Outlook client loses its connection and prompts the user to restart Outlook.

21. When Outlook starts again, it prompts with a basic authentication pop-up. Enter the user's UPN (username@checkwhatsin.com) and password and click 'OK'.

22. Outlook now authenticates and connects to Office 365 for email. The snapshot below shows Outlook with the 'Connected to Exchange server' status.

23. Use 'Outlook Connection Status' to verify the Office 365 connection. The proxy server should be outlook.office365.com, i.e. the Office 365 servers.
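The same onboarding move from Exchange Online PowerShell, preceded by the MRS Proxy endpoint test a practitioner runs before touching any mailbox. This is added as an example and is not from the original post. It assumes the remote PowerShell session to Exchange Online shown in the first script on this page, the endpoint mail.checkwhatsin.com and target delivery domain checkwhatsin.mail.onmicrosoft.com from the text, and an on-premises account with mailbox-move rights (prompted for, no real name assumed).

```powershell
# Added example (not from the original post): onboard one mailbox to Exchange Online
# with PowerShell. Run in a remote PowerShell session to Exchange Online.
$onprem       = Get-Credential -Message "On-premises account with migration rights (DOMAIN\user)"
$endpoint     = "mail.checkwhatsin.com"                  # Internet-facing CAS with MRS Proxy enabled
$targetDomain = "checkwhatsin.mail.onmicrosoft.com"      # hybrid coexistence (target delivery) domain
$user         = "rajesh.kumar@checkwhatsin.com"

# 1. Verify the MRS Proxy endpoint first. A failure here usually means
#    'Enable MRS Proxy endpoint' is unchecked on the EWS virtual directory, or the
#    reverse proxy does not pass /EWS/mrsproxy.svc through to the CAS.
$probe = Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $endpoint -Credentials $onprem
if ($probe.Result -ne "Success") { throw "MRS Proxy check failed: $($probe.Message)" }

# 2. Create the move request. SuspendWhenReadyToComplete mirrors the wizard's
#    'manually complete the batch' option, so the cutover moment can be chosen.
New-MoveRequest -Identity $user -Remote `
    -RemoteHostName $endpoint -RemoteCredential $onprem `
    -TargetDeliveryDomain $targetDomain -BatchName "Pilot-Onboarding" `
    -SuspendWhenReadyToComplete

# 3. Watch progress; once Status reaches AutoSuspended, resume to complete the move.
Get-MoveRequestStatistics $user | Format-List Status, PercentComplete, Message
Resume-MoveRequest $user

# 4. After completion the cloud object is a real mailbox. Its ExchangeGuid is the value
#    that must stay on the on-premises remote mailbox (the point of the GUID script above).
Get-Mailbox $user | Format-List RecipientTypeDetails, ExchangeGuid, LegacyExchangeDN
```

Keeping the credential in a PSCredential object rather than a plain string is deliberate: the account that can drive MRS Proxy can move any mailbox out of the organization, so it should be a dedicated migration account, not a day-to-day admin.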

With this we have come to the end of the article series. If you want to learn Office 365 and configure hybrid, this is one of the easiest ways to learn it. I hope you now have a sound understanding of how to build and configure an Office 365 hybrid environment using Windows Azure.

It was a great experience to work on this article series, and I hope it helps you deploy and configure Office 365 hybrid mode in production.


Office 365 Hybrid Configuring Using Windows Azure – Part 5

We are almost done with the preparation of the environment to work in the hybrid mode. In this part, we will be performing the final configuration of enterprise on-premises Exchange servers and Office 365 to work in the hybrid mode.

Given below is the list of activities to be performed in this part:

I. On-premises hybrid configuration verification and tweaking

II. Office 365 hybrid configuration verification and tweaking

The other parts of the series can be found at the links below

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 2

Office 365 Hybrid Configuring Using Windows Azure – Part 3

Office 365 Hybrid Configuring Using Windows Azure – Part 4

Office 365 Hybrid Configuring Using Windows Azure – Part 6

On-premises hybrid configuration verification and tweaking

The Hybrid Configuration Wizard has made the necessary changes in the on-premises Exchange organization and in Office 365. Let us verify some of these configurations and adjust them where required.

1. Log in to krisexch.green.com with the organization admin credentials and connect to the Exchange Admin Center.

2. Click Mail flow -> Email address policies. The wizard updates the email address policy with the secondary address alias@checkwhatsin.mail.onmicrosoft.com. From now on every mailbox created also gets a secondary address in the domain checkwhatsin.mail.onmicrosoft.com; this is the address on which mail is routed between the two organizations.

3. Click Mail flow -> Accepted domains. The new entry checkwhatsin.mail.onmicrosoft.com has been added as an accepted domain and is marked 'Authoritative'.

4. An authoritative accepted domain tells the Exchange organization to accept email for the domain and deliver it locally, returning an NDR when the recipient does not exist locally. That is not what we want on-premises for checkwhatsin.mail.onmicrosoft.com, since the authority for that domain is Office 365. Change checkwhatsin.mail.onmicrosoft.com to Internal Relay.

Internal Relay: if the target mailbox resides locally, the message is delivered; if the target mailbox is in the remote organization, a send connector routes the message to the remote Office 365 domain.

5. Let us verify the connector used to send email to Office 365. The hybrid configuration creates a new "Outbound to Office 365" send connector that routes email to the remote Office 365 domain. To verify it, click Mail flow -> Send connectors.

6. The hybrid configuration does not change or add receive connectors for email from Office 365. The Default <Servername> receive connector accepts email on port 25 from Office 365, over TLS with the certificate selected in the wizard.

7. Organization sharing settings allow everyone in the organization to share free/busy and calendar information between the federated Exchange organizations.

Office 365 hybrid configuration verification and tweaking

The hybrid configuration has also made changes in Office 365 so that it works with the on-premises Exchange organization: mail flow, free/busy and other calendar sharing between the organizations.

Let us verify the configuration and make changes where required.

1. Connect to the Office 365 Exchange Admin Center and click 'mail flow' -> 'accepted domains'.

2. The hybrid configuration adds checkwhatsin.com as a new authoritative accepted domain.

3. An authoritative accepted domain means the Exchange organization accepts email for the domain and delivers it within the organization. That is not the desired configuration for checkwhatsin.com, since the authority for that domain is the on-premises organization.

In Part 4 of the series we changed the checkwhatsin.com MX record to point to Office 365. If checkwhatsin.com is marked 'Authoritative', Office 365 only delivers to target mailboxes in Office 365; if it cannot find the target mailbox there, it sends an NDR to the sender.

That is wrong for us, since all the checkwhatsin.com mailboxes still reside on-premises. The domain has to be set to 'Internal relay': if the target mailbox is not found in Office 365, the message is routed to the on-premises Exchange organization via the outbound connector.

4. The hybrid configuration also creates inbound and outbound connectors in Office 365 to send and receive email with the on-premises Exchange servers.

The inbound connector accepts email from the on-premises Exchange send connector for recipients with the address @checkwhatsin.mail.onmicrosoft.com.

The outbound connector sends email to the on-premises Exchange receive connector for recipients with the address @checkwhatsin.com.

5. The Office 365 inbound connector can be tightened to accept email only from the specific on-premises Exchange server and domain. Restricting it to the on-premises server's IP address reduces the risk of some other sender being treated as the trusted on-premises organization.

The snapshot below shows the sender domain set to checkwhatsin.com and the sender IP address set to the IP address of the Exchange 2013 server (the Windows Azure IP of Krisexch01.cloudapp.net).

6. With this configuration we should be able to send and receive email between Office 365 and the on-premises Exchange organization.

Email flow from cloud to on-premises.

Mail flow from on-premises to cloud.

Thus we have completely prepared and configured on-premises and Office 365 to work in hybrid mode.
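The accepted-domain changes and connector checks from the two sections above, done with PowerShell so they can be repeated and audited. This is an added example, not from the original post. It assumes the on-premises Exchange Management Shell for the first half and a remote PowerShell session to Exchange Online for the second; the public IP address is a documentation placeholder, to be replaced by the real egress address of Krisexch01.cloudapp.net.

```powershell
# Added example (not from the original post): verify and adjust the hybrid accepted
# domains and connectors described above.

# --- On-premises Exchange Management Shell ---
# The coexistence domain is authoritative in Office 365, so on-premises it must relay
# unresolved recipients outward instead of returning an NDR.
Set-AcceptedDomain -Identity "checkwhatsin.mail.onmicrosoft.com" -DomainType InternalRelay
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize

# The HCW send connector should require TLS and use the certificate chosen in the wizard.
Get-SendConnector "Outbound to Office 365" |
    Format-List AddressSpaces, SmartHosts, RequireTLS, TlsDomain, TlsCertificateName

# --- Exchange Online remote PowerShell ---
# checkwhatsin.com mailboxes still live on-premises, so Office 365 must relay unknown
# checkwhatsin.com recipients back through its outbound connector.
Set-AcceptedDomain -Identity "checkwhatsin.com" -DomainType InternalRelay

$in = Get-InboundConnector | Where-Object { $_.ConnectorType -eq "OnPremises" } | Select-Object -First 1
$in | Format-List Name, SenderDomains, SenderIPAddresses, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate

# Tighten the inbound connector as in the snapshot: only the on-premises server's public
# IP (203.0.113.10 is a placeholder) may submit mail for the sender domain, and it must
# do so over TLS. The HCW's own certificate-based restriction is an alternative way to
# pin the sender; check which one the connector already uses before changing it.
Set-InboundConnector -Identity $in.Identity `
    -SenderDomains "checkwhatsin.com" `
    -SenderIPAddresses "203.0.113.10" `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

Get-InboundConnector -Identity $in.Identity | Format-List SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
```

Run the Get- calls before the Set- calls and keep the output: it is the only record of what the wizard configured if the tightening has to be rolled back.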

In the next and final part of the article series, we shall see how to provision a mailbox in hybrid mode and how to migrate a mailbox from on-premises to Office 365.


Office 365 Hybrid Configuring Using Windows Azure – Part 4

In this part of the article series, we shall perform hybrid configuration. A hybrid deployment provides a unified email experience for your Office 365 deployment. It enables users who have mailboxes in their on-premises Exchange Server environment and users who have Exchange Online mailboxes to find one another in the global address list (GAL), and to send, receive, and reply to email, regardless of which system is hosting their mailbox.

Below is the list of activities performed in this article

I. Configure Hybrid between Exchange 2013 and Office 365

II. Add new DNS record to enable Office 365 to work with On-premises.

The other parts of the series can be found at the links below

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 2

Office 365 Hybrid Configuring Using Windows Azure – Part 3

Office 365 Hybrid Configuring Using Windows Azure – Part 5

Office 365 Hybrid Configuring Using Windows Azure – Part 6

Configure Hybrid between Exchange 2013 and Office 365

1. Log in to the Exchange 2013 server KrisExch01.cloudapp.net.

2. Before starting the hybrid configuration we need to connect to both the on-premises EAC and the Office 365 console from the same browser. The default Windows Server 2012 Internet Explorer security configuration blocks scripts from the Office 365 console.

The fix: Internet Explorer -> Internet Options -> Security -> add the URLs shown in the snapshot to the allowed sites.

3. Log in to the Exchange EAC with an Exchange organization admin account.

4. Click Hybrid -> 'Enable' to start the hybrid configuration process.

5. This first prompts to log in to Office 365; click 'Sign in to Office 365'.

6. Log in to Office 365 with the admin credentials. We are now connected to both Office 365 and on-premises in the same console.

7. Now we are ready to start the hybrid configuration. Click 'Enable' again to start the Hybrid Configuration Wizard.

8. Select 'Yes' on 'Set up Exchange Hybrid' to confirm the hybrid configuration.

9. Before continuing, we need to re-confirm domain ownership. The next page prompts:

"Before proceeding to the next step, copy the following tokens and create a TXT record for each token on the public DNS to confirm domain ownership"

Log in to GoDaddy for the domain checkwhatsin.com and create a TXT record with the token. Wait about 5 minutes for DNS propagation, then click 'Next' in the wizard.

10. Below is the GoDaddy snapshot with the TXT record for the token.

11. Since there is no Edge Transport server in the organization, select 'Configure my Client Access and Mailbox servers for secure mail transport (typical)' and click 'Next'.

12. Choose one or more on-premises Client Access servers to host the receive connectors for secure bi-directional mail transport with Office 365. Since we have only one multi-role server, select EXCH01 with the Browse... button and click 'Next'.

13. Choose one or more on-premises Mailbox servers to host the send connectors for secure bi-directional mail transport with Exchange Online. Again select EXCH01 with the Browse button and click 'Next'.

14. A valid certificate from a trusted certification authority is required for secure mail transport between on-premises and Office 365. Exchange 2013 is already configured with a wildcard certificate; select the 'Checkwhatsin' certificate and click 'Next'.

15. Enter the fully qualified domain name on which the on-premises Exchange server accepts email from Exchange Online Protection (EOP). In our scenario the Internet-facing multi-role Exchange server is 'KrisExch01.cloudapp.net' and its Internet alias is 'mail.checkwhatsin.com'. Specify mail.checkwhatsin.com and click 'Next'.

16. The hybrid configuration needs both on-premises and Office 365 credentials with Organization Management permission. Enter the on-premises admin credentials and click 'Next'.

17. Enter the Office 365 admin credentials and click 'Next'.

18. The hybrid configuration settings are complete. Click 'Update' to configure and enable the hybrid features between the on-premises and Office 365 organizations.

19. This may take several minutes. Follow the progress bar and wait for the configuration to finish.

20. The hybrid configuration has now completed successfully.

Add new DNS record to enable Office 365 to work with On-premises

In this section we switch back to Office 365 and complete the domain configuration left unfinished at the end of Part 1 of this series. We make the necessary changes to the checkwhatsin.com DNS so that Office 365 EOP accepts all email for checkwhatsin.com and routes it according to the mailbox location, Office 365 or on-premises.

1. Log in to the Office 365 console with org admin credentials and click 'domains' -> 'Complete setup'.

2. Click 'Start Step 3' to 'Set the domain purpose and DNS configuration'.

3. On the set domain purpose page, select 'Exchange Online' and 'I plan to set up on-premises mailboxes to work with Office 365 or make sure they're protected with Exchange Online Protection', then click 'Next'.

4. On the Configure connectors page click 'Done, go check'. This verifies that the Office 365 outbound connector is set up correctly for the on-premises Exchange servers.

5. Since the Hybrid Configuration Wizard completed successfully, we get the message "We've successfully verified that an outbound connector is set up for checkwhatsin.com".

The page then suggests running Autodiscover and other connectivity tests with the Microsoft Remote Connectivity Analyzer. We already did that in Part 1, so select 'I've run the tool and confirmed that my configuration is correct' and click 'Next'.

6. The 'Add DNS records' page lists the records to create manually. Add all of them except Autodiscover. Leaving the existing Autodiscover record pointing at the on-premises Exchange server keeps Outlook configuration working even after mailboxes move to Office 365, because on-premises Autodiscover knows the mailbox has moved and redirects the client to Office 365.

The page also provides the new MX record that sends all Internet email for checkwhatsin.com to Office 365 Exchange Online Protection (EOP).

7. Below are the GoDaddy DNS entries for each record listed above, with the exception of Autodiscover.

8. Once the DNS entries have been added, wait about 15 minutes for propagation and click 'Done, go check' so that Office 365 verifies them.

All the Office 365 records should verify successfully; only Autodiscover fails, because we deliberately did not point 'autodiscover' at 'autodiscover.outlook.com'.
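A way to check the public DNS state the hybrid setup relies on, from any Windows machine, without waiting for the portal's verifier. This is an added example and not from the original post. It assumes Resolve-DnsName (shipped with Windows 8 / Windows Server 2012 and later); the ownership token value is a placeholder to be replaced by the one shown in the wizard, and the expected MX host pattern follows the portal's DNS page for the tenant.

```powershell
# Added example (not from the original post): check the public DNS records that the
# hybrid configuration depends on. Resolve-DnsName is part of the DnsClient module.
$domain = "checkwhatsin.com"
$token  = "MS=ms12345678"      # placeholder: the ownership token shown by the wizard/portal

# 1. Domain-ownership TXT record required by the HCW and the portal.
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue
$hasToken = [bool]($txt | Where-Object { $_.Strings -contains $token })

# 2. MX must point at Exchange Online Protection so that EOP receives Internet mail.
#    The exact target host is listed on the portal's 'Add DNS records' page.
$mx = Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue
$mxToEop = [bool]($mx | Where-Object { $_.NameExchange -like "*.outlook.com" })

# 3. Autodiscover must stay on-premises: this is the one record deliberately NOT changed.
$ad = Resolve-DnsName -Name "autodiscover.$domain" -Type CNAME -ErrorAction SilentlyContinue
$autodiscoverOnPrem = -not ($ad | Where-Object { $_.NameHost -eq "autodiscover.outlook.com" })

# 4. The host published to Office 365 for secure mail transport and MRS Proxy must resolve.
$mailHost = Resolve-DnsName -Name "mail.$domain" -Type A -ErrorAction SilentlyContinue

[pscustomobject]@{
    OwnershipTokenPresent = $hasToken
    MXPointsToEOP         = $mxToEop
    AutodiscoverOnPrem    = $autodiscoverOnPrem
    MailHostResolves      = [bool]$mailHost
    MXTargets             = ($mx | ForEach-Object { $_.NameExchange }) -join ", "
} | Format-List
```

Run it against a public resolver (add -Server 8.8.8.8, for instance) as well as the internal one: the internal DNS may still hold old values that the portal's verifier never sees, and split-brain results are a common reason the 'Done, go check' step fails.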

With this we have made all the necessary changes on the Office 365 side and on the on-premises Exchange server for hybrid mode.

In the next part of the series we verify and perform the final configuration on both the on-premises Exchange and Office 365 sides.


Office 365 Hybrid Configuring Using Windows Azure – Part 3

In the first part of the series we configured the Windows Azure lab and the Office 365 account, and in the second part we configured AD FS and the AD FS proxy server.

In this part we configure Single Sign-On (SSO) and directory synchronization between on-premises and Office 365.

I. Configuring SSO between Office 365 and Exchange 2013 on-premises

II. Configuring directory synchronization between Office 365 and Exchange 2013 on-premises

The other parts of the series can be found at the links below

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 2

Office 365 Hybrid Configuring Using Windows Azure – Part 4

Office 365 Hybrid Configuring Using Windows Azure – Part 5

Office 365 Hybrid Configuring Using Windows Azure – Part 6

Configuring SSO between Office 365 and Exchange 2013 On-Prem

1. Connect to the server krisadfs.cloudapp.net and log in with domain admin credentials.

2. The 'Microsoft Online Services Sign-In Assistant' is a prerequisite for installing the 'Windows Azure Active Directory Module' used to configure Single Sign-On.

Download and perform the default installation of the Microsoft Online Services Sign-In Assistant for IT Professionals.

3. Log in to the Office 365 portal with Internet Explorer, click "users and groups" in the left pane and click Single sign-on "Set up".

4. Scroll down and select the 64-bit version of the 'Windows Azure Active Directory Module for Windows PowerShell'. Click 'Download' to save the file locally.

5. Perform the default installation of the 'Windows Azure Active Directory Module for Windows PowerShell' by clicking 'Next'.

6. Click 'Finish' to complete the installation.

7. To configure federation between Office 365 and on-premises, run the 'Windows Azure Active Directory PowerShell' shortcut from the desktop.

8. Connect to Office 365 with the Connect-MsolService cmdlet. It prompts for credentials; enter admin@checkwhatsin.onmicrosoft.com and the password and click 'OK'.

Connect-MsolService

9. Once connected, Office 365 can be managed from PowerShell. The command below lists all the domains registered in Office 365.

Get-MsolDomain

10. Detailed information about a domain is returned by the command below. Since federation has not been configured yet, the authentication type for checkwhatsin.com is 'Managed'. Once federation is configured between Office 365 and on-premises, it changes from Managed to Federated.

Get-MsolDomain -DomainName checkwhatsin.com | fl

11. The Convert-MsolDomainToFederated cmdlet converts the specified domain from standard authentication to single sign-on. It reads the federation settings (issuer, endpoints, token-signing certificate) from the local AD FS farm, so run it on the AD FS server as we do here, or point the module at the farm first with Set-MsolADFSContext -Computer <AD FS server>. To convert checkwhatsin.com to federated, execute:

Convert-MsolDomainToFederated -DomainName checkwhatsin.com

12. Successful execution can be verified with the command below; the authentication type now shows Federated.

Get-MsolDomain -DomainName checkwhatsin.com | fl

13. To verify that AD FS federation works, open the Office 365 portal sign-in page from a browser, enter the user name admin@checkwhatsin.com and press the Tab key.

14. This should automatically start the redirection.

15. Finally, the browser lands on https://sts.checkwhatsin.com for the user authentication prompt.

With this the SSO configuration between on-premises and Office 365 is complete.
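Beyond the Authentication column, a practitioner wants to see exactly what Office 365 now trusts for the domain and that it matches the local AD FS farm. The block below is an added example, not from the original post. It assumes the Windows Azure Active Directory Module session opened above, run on the AD FS server krisadfs.cloudapp.net so that Get-MsolFederationProperty and Get-AdfsCertificate can both read the local farm.

```powershell
# Added example (not from the original post): inspect the federation trust that
# Convert-MsolDomainToFederated created, and compare it with the local AD FS farm.
Connect-MsolService
$domain = "checkwhatsin.com"

# Authentication should now read Federated for the SSO domain.
Get-MsolDomain -DomainName $domain | Format-List Name, Status, Authentication

# What Office 365 stored: issuer URI, the passive sign-in endpoint (the
# sts.checkwhatsin.com URL browsers are redirected to) and the token-signing
# certificate whose signatures Office 365 will accept.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$fed | Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# SigningCertificate is the Base64-encoded certificate; decode it to get the thumbprint.
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    [Convert]::FromBase64String($fed.SigningCertificate))
"Office 365 trusts token-signing thumbprint: $($cloudCert.Thumbprint) (expires $($cloudCert.NotAfter))"

# The local farm's view (run on the AD FS server). Source shows which side each row
# came from; the two rows should agree on the endpoints and the certificate.
Get-MsolFederationProperty -DomainName $domain |
    Format-Table Source, FederationServiceIdentifier, PassiveClientSignInUrl -AutoSize

# Thumbprint of the primary token-signing certificate in AD FS. If it differs from the
# one Office 365 trusts (e.g. after an automatic certificate rollover), sign-in breaks
# until Update-MsolFederatedDomain -DomainName $domain is run.
$localPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"AD FS primary token-signing thumbprint:      $($localPrimary.Thumbprint)"
```

Watching the certificate thumbprint is the part worth automating: AD FS rolls the token-signing certificate automatically by default, and Office 365 only learns about the new one when Update-MsolFederatedDomain is run.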

Configuring Directory Synchronization between Office 365 and Exchange 2013 On-Prem

DirSync (Directory Synchronization) is the tool that copies on-premises directory objects into Office 365 in a hybrid deployment. DirSync synchronizes objects only from on-premises to Office 365, and it runs every three hours to publish on-premises changes to Office 365.

In this section we create a service account and configure the DirSync server krisdirsync.cloudapp.net.

Creating and configuring Service account for DirSync

1. Log in to the Office 365 portal with the organization admin account, click 'users and groups' in the left pane and click the + symbol to create a new account.

2. Enter the service account name and the other required details and click 'Next'.

3. Select the role 'Global Administrator', fill in the other details such as alternative email address and location, and click 'Next'.

4. Since this is a service account it does not need a mailbox or license. Do not select any license and click 'Next'.

5. Click 'Create' to create the service account and send its details to the admin.

6. The new account has to be logged in once to activate it and set a new password, so log in to the Office 365 portal with the new service account.

7. This prompts for a password change. Enter and confirm the new password and click 'Save'.

8. Office 365 applies a password expiration policy to all accounts. A service account cannot keep up with that policy, so expiration has to be disabled for it. Connect with the Windows Azure Active Directory Module for PowerShell and set PasswordNeverExpires to $true (not $false, which is the default and leaves expiration in force):

Get-MsolUser -UserPrincipalName svr-dirsync@checkwhatsin.onmicrosoft.com | Set-MsolUser -PasswordNeverExpires $true

Keep in mind that this is a Global Administrator credential that never expires: treat it as a high-value secret, store it in a vault and rotate it on a schedule you control.
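The service-account step from PowerShell, with the checks that confirm the expiration exemption took effect and that the Global Administrator role has no unexpected members. This is an added example, not from the original post; it assumes the Windows Azure Active Directory Module and the service account UPN svr-dirsync@checkwhatsin.onmicrosoft.com from the text.

```powershell
# Added example (not from the original post): exempt the DirSync service account
# from password expiration and verify its role assignment.
Connect-MsolService
$svc = "svr-dirsync@checkwhatsin.onmicrosoft.com"

# $true disables expiration; $false (the default) keeps the tenant policy in force.
Set-MsolUser -UserPrincipalName $svc -PasswordNeverExpires $true
Get-MsolUser -UserPrincipalName $svc |
    Format-List UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp, BlockCredential, IsLicensed

# 'Company Administrator' is the internal name of the Global Administrator role.
$role = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

if ($members | Where-Object { $_.EmailAddress -eq $svc }) {
    "$svc holds Global Administrator (required by the DirSync configuration wizard)"
} else {
    Write-Warning "$svc is not a Global Administrator; the DirSync wizard will fail"
}

# A never-expiring Global Administrator password is a high-value credential, so list
# every holder of the role and confirm each one is expected.
$members | Format-Table DisplayName, EmailAddress, RoleMemberType -AutoSize
```

Re-run the last part after the DirSync wizard has finished, and again periodically: membership of this role is the thing an attacker who obtains the service account password would use first.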

Configuring Directory Synchronization between Office 365 and Exchange 2013 On-Prem

1. Login to the Directory Synchronization server krisdirsync.cloudapp.net with the domain admin credentials.

2. Install the .NET Framework 3.5 feature from the ‘Add Roles and Features’ wizard, or use the PowerShell cmdlet below to install it:

Install-WindowsFeature NET-Framework-Core

3. To enable Active Directory synchronization, open the Office 365 portal in a browser, click ‘users and groups’ and select ‘Active Directory synchronization: Set up’.

4. Click the ‘Activate’ button to activate Active Directory synchronization.

5. Confirm the activation by clicking ‘Activate’ again.

6. Once synchronization is activated, the Directory Sync tool can be downloaded; save a copy to the desktop.

7. DirSync is a small executable that is installed and configured to synchronize objects from the on-premises Active Directory to Office 365.

8. Start the DirSync installation by double-clicking the executable and click ‘Next’ on the Welcome page.

9. Accept the license terms and the default installation path and click ‘Next’ to continue.

10. Click ‘Finish’ to complete the installation, leaving “Start Configuration Wizard now” checked so that configuration starts immediately.

11. On the Welcome page of the Windows Azure Active Directory Sync tool configuration wizard, click ‘Next’.

12. Provide the Office 365 credentials of the svr-dirsync service account created above on the ‘Windows Azure Active Directory Credentials’ page and click ‘Next’.

13. Enter the on-premises Active Directory credentials on the ‘Active Directory Credentials’ page (the wizard requires an account with Enterprise Admin rights) and click ‘Next’.

14. Since we are configuring a hybrid deployment between Office 365 and on-premises Exchange, make sure ‘Enable Hybrid Deployment’ is checked, then click ‘Next’. This option lets DirSync write a limited set of Exchange attributes back to the on-premises Active Directory.

15. Password sync is not needed for the SSO configuration: users are created in the on-premises Active Directory, authenticate through ADFS, and have mailboxes provisioned in Office 365 for those on-premises objects. Hence, make sure ‘Enable Password Sync’ is unchecked and click ‘Next’.

16. Wait for the ‘Configuration complete’ status on the configuration page and click ‘Next’.

17. Click ‘Finish’ on the wizard, making sure ‘Synchronize your directories now’ is selected.

18. The directory sync immediately synchronizes the objects from on-premises to Office 365. Click ‘OK’.

19. Login to the Office 365 portal and verify under ‘users and groups’ that the on-premises objects show the status “Synced with Active Directory”.
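The same synchronization run and the check of step 19, done from PowerShell, as an added example that is not code from the original article. It assumes it runs on krisdirsync.cloudapp.net after the configuration wizard has finished, with the DirSync tool, the MSOnline module and the Active Directory RSAT module installed, and that the OU path is a placeholder for where the users to be synchronized live.

```powershell
# Added example (not from the original article). Assumes: run on the DirSync server after the
# wizard; DirSync tool, MSOnline module and ActiveDirectory RSAT module installed; the OU
# below is a placeholder.
Import-Module DirSync                 # ships with the Directory Sync tool
Start-OnlineCoexistenceSync           # same as 'Synchronize your directories now'

Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService                   # Office 365 admin credentials

# Tenant-level state: sync enabled, password sync off (ADFS handles authentication) and a
# recent LastDirSyncTime.
$Company = Get-MsolCompanyInformation
$Company | Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled,
                         LastDirSyncTime, DirSyncServiceAccount
if (-not $Company.DirectorySynchronizationEnabled) { throw 'Directory synchronization is not activated' }
if ($Company.PasswordSynchronizationEnabled) { Write-Warning 'Password sync is enabled; the SSO setup does not need it' }

# Every object shown as 'Synced with Active Directory' carries an ImmutableId, which DirSync
# sets to the Base64 form of the on-premises objectGUID. Build the expected value per user and
# look it up in the tenant instead of eyeballing the portal.
$SearchBase = 'OU=Users,DC=checkwhatsin,DC=com'
$OnPrem = Get-ADUser -Filter { Enabled -eq $true -and mail -like '*' } `
                     -SearchBase $SearchBase -Properties mail
$Cloud = @{}
Get-MsolUser -Synchronized -All | ForEach-Object { $Cloud[$_.ImmutableId] = $_ }

$Missing = foreach ($u in $OnPrem) {
    $ImmutableId = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
    if ($Cloud.ContainsKey($ImmutableId)) {
        $c = $Cloud[$ImmutableId]
        # A UPN rewritten to the onmicrosoft.com suffix means the UPN domain is not verified
        # in the tenant; SSO through ADFS will not work for that user until it is.
        if ($c.UserPrincipalName -ne $u.UserPrincipalName) {
            Write-Warning "$($u.UserPrincipalName) synced as $($c.UserPrincipalName)"
        }
    } else {
        $u.UserPrincipalName
    }
}
if ($Missing) {
    Write-Warning "Not synced yet (check filtering and the DirSync event log):`n$($Missing -join "`n")"
} else {
    "All $(@($OnPrem).Count) on-premises users in $SearchBase are 'Synced with Active Directory'"
}
```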

With this we have come to the end of this part of the article series, in which we successfully configured SSO and directory synchronization between on-premises and Office 365. The Windows Azure environment is now almost ready for the hybrid setup.

In the next part we will create and configure the hybrid deployment between Windows Azure and Office 365.

The other parts of the article series can be found below.

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 2

Office 365 Hybrid Configuring Using Windows Azure – Part 4

Office 365 Hybrid Configuring Using Windows Azure – Part 5

Office 365 Hybrid Configuring Using Windows Azure – Part 6

Office 365 Hybrid Configuring Using Windows Azure – Part 2

In the first part of the article series, we created a new Windows Azure lab, installed and configured a new domain controller and an Exchange server. We also created additional Windows 2012 Azure servers for ADFS, ADFS Proxy and Directory Synchronization (DirSync). ADFS (krisadfs.cloudapp.net) and DirSync (krisdirsync.cloudapp.net) are joined to the Windows domain ‘checkwhatsin.com’. ADFS Proxy (krisadfsproxy.cloudapp.net) is not joined to the domain, since it is designed to be placed in the DMZ.

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 3

Office 365 Hybrid Configuring Using Windows Azure – Part 4

Office 365 Hybrid Configuring Using Windows Azure – Part 5

Office 365 Hybrid Configuring Using Windows Azure – Part 6

In this part of the article series, we will perform the activities shown below to configure Single Sign-On (SSO). With single sign-on, users in your organization use their corporate credentials to access the Office 365 services, removing the burden of managing multiple logon identities and passwords. Without SSO, an Office 365 user would have to maintain separate user names and passwords.

I. Installation and configuration of ADFS server

II. Installation and configuration of ADFS proxy server

Installation and configuration of ADFS server

Active Directory Federation Services (AD FS) is a server role in Windows Server that provides web single sign-on (SSO) technologies to authenticate a user to multiple web applications over the life of a single online session. At the outset, we need to create a service account before configuring ADFS.

1. Login to Krisadc.cloudapp.net with the domain admin credentials.

2. Using Active Directory Users and Computers, create a new service account for the ADFS federation service and set its password to never expire.

Account name: svr-federation

3. Open DNS Manager and create a new ‘A’ record for the federation service name sts.checkwhatsin.com pointing to the internal IP address of the ADFS server.

4. Login to the ADFS server krisadfs.cloudapp.net with the domain credentials.

5. The ADFS server needs a certificate from a third-party CA. Since we already have a wildcard certificate configured on the Exchange server, we simply export it from the Exchange server and import it into the ADFS server.

Export the wildcard certificate with its private key from the Exchange 2013 server and copy it to the root (C:\) directory of the server krisadfs.cloudapp.net. The PFX file contains the private key: protect it with a strong password, move it over an authenticated channel and delete it from the server once it has been imported.

6. Start PowerShell on krisadfs.cloudapp.net and execute the command given below. Type the certificate password that was used to export the certificate. The command imports the certificate into the local computer’s Personal certificate store:

certutil.exe -f -importpfx c:\checkwhatsin.pfx

7. Installing Active Directory Federation Services is as simple as running one PowerShell command. Execute the cmdlet below to install the ADFS server role:

Add-WindowsFeature ad-federation-services

8. The ADFS server needs to be configured once it is installed. Start Server Manager, click the amber symbol and click ‘Run the AD FS Management snap-in’ to configure it.

9. This opens the AD FS snap-in. Click “AD FS Federation Server Configuration Wizard” to start the configuration wizard.

10. To create a new federation service, select ‘Create a new Federation Service’ on the Welcome page and click ‘Next’.

11. Select ‘New federation server farm’ on the Deployment Type page and click ‘Next’.

12. On the Federation Service Name page, select the SSL certificate ‘Checkwhatsin’, provide the Federation Service name ‘sts.checkwhatsin.com’ and click ‘Next’.

13. Enter the ADFS service account ‘checkwhatsin\svr-federation’ and its password on the ‘Specify Service Account’ page and click ‘Next’.

14. Verify the details on the Summary page and click ‘Next’ to start the configuration.

15. Wait for the configuration to complete, make sure every component shows as finished and click ‘Close’.

16. To validate the installation, open the link below in Internet Explorer and make sure the federation metadata XML is displayed:

https://sts.checkwhatsin.com/FederationMetadata/2007-06/FederationMetadata.xml

With this we have created and configured the ADFS server and it is ready to use.
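The certificate import of step 6 and the validation of step 16, done and checked from PowerShell, as an added example that is not code from the original article. It assumes it runs elevated on krisadfs.cloudapp.net, that C:\checkwhatsin.pfx is the file exported from Exchange, that sts.checkwhatsin.com is the Federation Service name chosen in step 12 and that its identifier is the AD FS default http://sts.checkwhatsin.com/adfs/services/trust.

```powershell
# Added example (not from the original article). Assumes: run elevated on
# krisadfs.cloudapp.net; C:\checkwhatsin.pfx was exported from Exchange (step 5);
# sts.checkwhatsin.com is the Federation Service name (step 12) with the default
# identifier http://sts.checkwhatsin.com/adfs/services/trust.

function Import-AdfsServiceCertificate {
    param([string]$PfxPath = 'C:\checkwhatsin.pfx')
    $PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    # Same store as 'certutil -f -importpfx' (LocalMachine\My). Without -Exportable the
    # private key cannot be exported again from this server.
    $Cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $PfxPassword
    if (-not $Cert.HasPrivateKey) { throw 'Certificate imported without its private key' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($Cert.NotAfter)" }
    # The PFX holds the private key; it must not stay in C:\ after the import.
    Remove-Item -Path $PfxPath -Force
    "Imported $($Cert.Subject), thumbprint $($Cert.Thumbprint)"
}

function Test-AdfsFederationMetadata {
    param(
        [string]$FederationService = 'sts.checkwhatsin.com',
        [string]$ExpectedEntityId  = 'http://sts.checkwhatsin.com/adfs/services/trust'
    )
    $Url = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
    # Invoke-WebRequest validates the TLS chain and host name, so a self-signed or
    # wrongly named certificate fails here rather than later at Office 365.
    [xml]$Metadata = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $EntityId = $Metadata.EntityDescriptor.entityID
    if ($EntityId -ne $ExpectedEntityId) { throw "Unexpected entityID '$EntityId'" }
    # Token-signing certificates advertised to relying parties: Office 365 will accept tokens
    # signed with these, so record their subjects, expiry dates and thumbprints.
    $Metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
        Where-Object { $_.use -eq 'signing' } |
        ForEach-Object {
            $Raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Raw)
        } | Select-Object Subject, NotAfter, Thumbprint
}

Import-AdfsServiceCertificate                 # step 6
Add-WindowsFeature ad-federation-services     # step 7; then run the configuration wizard (steps 8 to 15)
```

Run Test-AdfsFederationMetadata once the wizard has finished: it is the scripted form of step 16, and the thumbprints it prints are the ones that will later appear in the Office 365 federation trust, so keep them for comparison.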

Installation and configuration of ADFS proxy server

The AD FS 2.0 proxy is a service that brokers connections between external users and the internal AD FS 2.0 server. It acts as a reverse proxy and typically resides in your organization’s perimeter network (DMZ). Since Krisadfsproxy.cloudapp.net is not a domain-joined computer, it cannot resolve names on the internal network, so we need a hosts entry to resolve the internal ADFS server.

1. Login to Krisadfsproxy.cloudapp.net using the local admin credentials.

2. Create a manual hosts entry that points the federation service name to the ADFS server.

Open the ‘hosts’ file in Notepad from C:\Windows\System32\drivers\etc\ and add an entry mapping sts.checkwhatsin.com to the internal IP address of the ADFS server. Without this entry the proxy would resolve sts.checkwhatsin.com through public DNS, which after step 13 points back at the proxy itself.

3. The ADFS proxy server also needs a certificate from a third-party CA. Since we already have a wildcard certificate on the Exchange server, we just need to export it and configure it on the ADFS proxy server.

Export the wildcard certificate with its private key from the Exchange 2013 server and copy it to the root (C:\) directory of the server krisadfsproxy.cloudapp.net. As the proxy sits in the DMZ, delete the PFX file as soon as it has been imported.

4. Start PowerShell on krisadfsproxy.cloudapp.net and execute the command below. Type the certificate password that was used to export the certificate. The command imports the certificate into the local computer’s Personal certificate store:

certutil.exe -f -importpfx c:\checkwhatsin.pfx

5. Configure the imported certificate in Internet Information Services (IIS) Manager:

a. Start IIS Manager, select ‘Default Web Site’ and click ‘Bindings’ in the Actions pane.

b. Click ‘Add’ to add a new site binding. Select the type “https” and “Checkwhatsin” as the SSL certificate, then click “OK”.

c. Click “Close” to finish the IIS configuration.

6. Install the ADFS proxy using the PowerShell cmdlet below:

Add-WindowsFeature ADFS-Proxy

7. After installing the ADFS proxy, it needs to be configured. Start ‘Server Manager’, click the amber symbol and select ‘Run the AD FS Federation Server Proxy Configuration Wizard’.

8. On the Welcome page of the ‘AD FS Federation Server Proxy Configuration Wizard’ click ‘Next’.

9. Specify sts.checkwhatsin.com as the federation service name and click ‘Test Connection’; the status should read connection successful. Click ‘Next’ to continue.

10. Enter the ADFS service account credentials in the Windows Security credentials pop-up and click ‘OK’ to continue.

11. Verify the settings on the ‘Ready to Apply Settings’ page and click ‘Next’ to start the configuration.

12. Verify that the ‘Configuration Results’ page shows successful completion and click ‘Close’.

13. The ADFS proxy is the internet-facing server, and the ADFS server was configured with sts.checkwhatsin.com as the federation service name. Hence, in public DNS, create a CNAME record for sts.checkwhatsin.com pointing to the ADFS proxy server ‘Krisadfsproxy.cloudapp.net’. Internal clients must keep resolving sts.checkwhatsin.com to the internal ADFS server through the ‘A’ record created earlier; only external clients should reach the proxy.

Below is the reference snapshot from the GoDaddy DNS console.

With this we have created and configured the ADFS and ADFS proxy servers, and made all the configuration changes needed to deploy SSO.
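The hosts entry, HTTPS binding and connection test of the proxy section, done from PowerShell, as an added example that is not code from the original article. It assumes it runs elevated on krisadfsproxy.cloudapp.net, that 10.0.0.5 is a placeholder for the internal IP address of krisadfs.cloudapp.net, and that the wildcard certificate has already been imported into LocalMachine\My as in step 4.

```powershell
# Added example (not from the original article). Assumes: run elevated on
# krisadfsproxy.cloudapp.net; 10.0.0.5 is a placeholder for the internal IP of
# krisadfs.cloudapp.net; the wildcard certificate is already in LocalMachine\My (step 4).
$FederationService = 'sts.checkwhatsin.com'
$InternalAdfsIp    = '10.0.0.5'
$HostsFile         = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Hosts entry (step 2). Once the public CNAME of step 13 exists, sts.checkwhatsin.com
#    resolves to this proxy from the internet; the hosts entry keeps the proxy talking to
#    the real ADFS server instead of itself.
$Pattern = "^\s*$([regex]::Escape($InternalAdfsIp))\s+$([regex]::Escape($FederationService))\s*$"
if (-not (Select-String -Path $HostsFile -Pattern $Pattern -Quiet)) {
    Add-Content -Path $HostsFile -Value "`r`n$InternalAdfsIp`t$FederationService"
}
$Resolved = [System.Net.Dns]::GetHostAddresses($FederationService) | ForEach-Object { $_.IPAddressToString }
if ($Resolved -notcontains $InternalAdfsIp) {
    throw "$FederationService resolves to $($Resolved -join ', ') instead of the internal ADFS server"
}

# 2. HTTPS binding on Default Web Site with the wildcard certificate (step 5).
Import-Module WebAdministration
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=*.checkwhatsin.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw 'Wildcard certificate with private key not found in LocalMachine\My' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    Get-Item "Cert:\LocalMachine\My\$($Cert.Thumbprint)" |
        New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# 3. Install the proxy role (step 6).
Add-WindowsFeature ADFS-Proxy

# 4. Same check as 'Test Connection' in the proxy wizard (step 9), but it also shows which
#    certificate the internal server presented, so a stale or wrong certificate is caught now.
$Tcp = New-Object System.Net.Sockets.TcpClient($FederationService, 443)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false)
try {
    $Ssl.AuthenticateAsClient($FederationService)   # throws if the chain or host name does not validate
    $Served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Ssl.RemoteCertificate
    "ADFS server at $InternalAdfsIp presented $($Served.Subject) ($($Served.Thumbprint)), valid until $($Served.NotAfter)"
} finally {
    $Ssl.Dispose()
    $Tcp.Close()
}
```

The thumbprint printed in the last step should match the certificate bound in IIS on the proxy and the one selected in step 12 of the ADFS server configuration; a mismatch usually means an old export of the wildcard certificate is still in one of the stores.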

In the next part of the article, we will be completing the configuration of SSO and Directory Sync between Office 365 and on-premises exchange server.