  1. #1

    Join Date
    Jan 2011
    Posts
    11
    Thank Post
    4
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Office365 / SSO Advice

    Hello all,

    I wondered if anybody else was in a similar situation to ourselves as we have just upgraded from Live@EDU to Office365 and I am after some advice.

    For Live@EDU we provisioned user accounts manually via CSV - this was ok as we were staging our rollout and only had two year groups with accounts. Now we have upgraded to Office365 we are looking to move over all staff / students (~1600) - due to the volume, it would be much easier to manage if we were able to sync via AD.

    Current setup - MSOL accounts (A123@schooldomain.co.uk)

    Internal domain - (school.local)

    Internal account names UPN example - 13ASmith@school.local

    I've read the guide and I understand that we add our Office365 domain as an additional UPN - but how do we map AD accounts to current MSOL accounts - if they have different names?

    Also for new provisioned accounts - internal usernames are staff codes, such as: SH whereas their e-mail address would need to be a.smith@schooldomain.co.uk.

    What is the best way to go about organising this 'migration' - I don't want it to affect current accounts - but I want it to create new accounts for staff / students that don't currently have a 365 account.

    Not sure if I have explained this well - I am just starting this process and I want to ensure I have a clear picture in my head before continuing.

    Many thanks.

  2. #2

    EduTech's Avatar
    Join Date
    Aug 2007
    Location
    Reading
    Posts
    5,037
    Thank Post
    160
    Thanked 908 Times in 712 Posts
    Blog Entries
    3
    Rep Power
    270
    Hi Tom,

    First of all, you would not be able to authenticate against Windows Azure AD (Office 365) with your .local UPN, because the domain part would not be verified in Office 365 and cannot be, due to it being internal only. So all of your user accounts' UPNs need to be changed to the one you use in Office 365, i.e. schooldomain.co.uk

    If I was you I would take the following approach:

    - Add your schooldomain.co.uk as a UPN within Active Directory Domains & Trusts
    - Login to your Office 365 Portal and Enable SSO for your primary domain schooldomain.co.uk
    - Install DirSync on a Domain Member Server, go through the DirSync Configuration Wizard and then start the sync between OnPremise AD & Windows Azure AD

    Once this has been completed you will find that all of your user accounts will now appear in Office 365, and they will contain the correct UPN. To authenticate against Office 365 you will use the UPN to authenticate & the password for the user accounts that they previously had all being well.

    If you then wish to add Single Sign On into the mix, you will need to build your AD FS Infrastructure, and when you have done this you will need to convert your domain to a federated domain, which will then enable you to authenticate using your Active Directory UPN & Password.

    These changes will not affect your Internal Logon Services because your users won't be using the UPN to authenticate internally, I imagine; they would just be using their normal username and password.

    The only thing I would say to be careful of is if the user accounts within Office 365 already have the schooldomain.co.uk as the primary user name; then you just need to make sure that it syncs up correctly. You might have to run some PowerShell commands to convert these domains properly, but in theory it should recognize the match and sync up.

    The username that people will normally be using won't be a problem, as Office 365 only cares about the UPN, which I would always try and make the same as the Primary SMTP Address. This is assuming your users log on with the Pre-Windows 2000 Username & don't already use their UPN to log on to internal systems.

    I hope that helps, rather quick reply, but if you have any questions feel free to respond and I will get back to you.

    Thanks,
    James.
    Last edited by EduTech; 24th March 2013 at 06:19 PM.

  3. 2 Thanks to EduTech:

    IT-Tom (25th March 2013), RabbieBurns (25th March 2013)

  4. #3
    jamesbmarshall's Avatar
    Join Date
    Feb 2010
    Location
    Reading, UK
    Posts
    500
    Thank Post
    26
    Thanked 222 Times in 153 Posts
    Rep Power
    84
    Quote, originally posted by IT-Tom:
    I've read the guide and I understand that we add our Office365 domain as an additional UPN - but how do we map AD accounts to current MSOL accounts - if they have different names?
    Because you've already got users provisioned in Office 365 you'll have to go through a process of "soft matching" those existing accounts with your local AD accounts when you run DirSync for the first time. In order to ensure everything ties up correctly you need to make sure that the UPNs of the existing users in AD match up with the accounts provisioned in Office 365.

    Adding, or changing a UPN suffix in AD is fairly simple but be aware that you might have internal services that rely on UPN that may break as a result of changing - you should ensure that altering your UPN suffix will not disrupt any other services. In most cases, it's fine.

    Quote, originally posted by IT-Tom:
    Also for new provisioned accounts - internal usernames are staff codes, such as: SH whereas their e-mail address would need to be a.smith@schooldomain.co.uk.
    It is possible for users in Office 365 to have a different logon name to their primary SMTP address. Their logon name, i.e. their UPN, will have to match up with what is in the local AD, but you can set the mail attribute to be different. See: List of attributes that are synced to Windows Azure Active Directory and attributes that are written back to the on-premises Active Directory Domain Services.

    Quote, originally posted by IT-Tom:
    What is the best way to go about organising this 'migration' - I don't want it to affect current accounts - but I want it to create new accounts for staff / students that don't currently have a 365 account.
    As long as you ensure there are no odd duplicates, and that your local UPNs match up exactly with the corresponding existing users in Office 365 you should be ok. If you want help I'd definitely recommend reaching out to a Microsoft partner. Identity can be a complicated thing to get your head around, and our partners have a wealth of experience and expertise that can help!

    Before you do anything, I'd strongly recommend you run and digest the results of this tool: Microsoft Office 365 Deployment Readiness Tool - Downloads - Office 365 - Microsoft Office 365 Community.

  5. Thanks to jamesbmarshall from:

    IT-Tom (25th March 2013)
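
A read-only audit of the checks the two replies above ask for before the first DirSync run (Office 365 domain added as a UPN suffix, local UPNs matching the existing Office 365 accounts exactly, no duplicates). It is an added example, not something posted in the thread; the CSV path and its `UserPrincipalName` column are assumptions, and it relies on the ActiveDirectory PowerShell module.

```powershell
# Added example: read-only audit to run before the first DirSync pass. Changes nothing.
# Assumptions (not from the thread): the CSV path and its 'UserPrincipalName' column.
Import-Module ActiveDirectory

$CloudDomain = 'schooldomain.co.uk'          # Office 365 domain used in the thread
$CloudCsv    = '.\existing-o365-users.csv'   # hypothetical list of accounts already in Office 365

# 1. Has the Office 365 domain been added as a UPN suffix in the forest?
if ((Get-ADForest).UPNSuffixes -notcontains $CloudDomain) {
    Write-Warning "UPN suffix '$CloudDomain' has not been added in AD Domains and Trusts."
}

# 2. Index existing Office 365 logon names (hashtable keys are case-insensitive).
$cloud = @{}
Import-Csv $CloudCsv | ForEach-Object { $cloud[$_.UserPrincipalName.Trim()] = $true }

# 3. Classify each enabled AD user by how its UPN lines up with Office 365.
$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties mail) {
    $upn = $u.UserPrincipalName
    if (-not $upn)                       { $status = 'NoUpn' }
    elseif ($cloud.ContainsKey($upn))    { $status = 'UpnMatchesExistingO365Account' }
    elseif ($upn -like "*@$CloudDomain") { $status = 'UpnOnCloudDomainNoExistingAccount' }
    else                                 { $status = 'UpnSuffixNotCloudDomain' }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $upn
        Mail           = $u.mail
        Status         = $status
    }
}

# 4. Duplicate UPNs in AD, and Office 365 accounts that no AD UPN matches.
$withUpn = @($report | Where-Object { $_.UPN })
$dupes   = @($withUpn | Group-Object UPN | Where-Object { $_.Count -gt 1 })
$adUpns  = @{}
$withUpn | ForEach-Object { $adUpns[$_.UPN] = $true }
$orphans = @($cloud.Keys | Where-Object { -not $adUpns.ContainsKey($_) })

$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$dupes   | ForEach-Object { Write-Warning "Duplicate UPN in AD: $($_.Name)" }
$orphans | ForEach-Object { Write-Warning "Office 365 account with no matching AD UPN: $_" }
$report | Export-Csv '.\dirsync-upn-audit.csv' -NoTypeInformation
```

Accounts reported as `UpnSuffixNotCloudDomain` are the ones whose UPN still carries the internal suffix, and every Office 365 account listed without a matching AD UPN is one to resolve by hand before syncing.
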

  6. #4

    Join Date
    Jan 2011
    Posts
    11
    Thank Post
    4
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thank you for the advice guys - going to have a proper look at this over Easter - hopefully get it all up and running!
