Hi, I've just been told by the head that our new email system must be in place in 2 weeks.
I've said that's not possible due to my own limitations of knowledge and other work commitments.
Can I get some pointers please?
I have created an account some time back and manually added users but obviously these can be simply deleted.
I'd like staff take-up to be high; one issue will be the ever-increasing moan about password changing.
My worry is staff will not use whatever I supply unless SSO is introduced.
I've read as much as I can, now my head hurts!
I do not want to be reliant on our servers / connection for email login, which I gather is the case with ADFS?
Is there a way around this? What exactly is Dirsync, is that added after ADFS?
Is Windows Azure going to be the answer - is there something in the pipeline? Should I convince our head to wait? What might the costs be?
I really have so much on at the moment that I do not need this added to everything else.
There is an expectation that these things 'can just happen' that I'm sure we all have to cope with - it's getting a tad too much now.
It's just me here with a lot of staff who only just manage to change a print cartridge - but still that entails considerable moaning!
Also, if I do manage to get SSO set up and a sync with our AD, I assume I am able to choose which users have email accounts and which do not?
I've just finished getting our Office 365 with SSO set up, and it's taken a while to fumble my way through it! 2 weeks is possible if you know the system, but if you are like me (had no prior knowledge of O365) then I would expect it to take longer.
To answer some of your questions:
1) DirSync will synchronise your AD accounts into Office 365; it will not, however, transfer any kind of password information. I believe it can be run without ADFS in place and will just keep your accounts up to date when new users join the school. You will have to provide passwords to users, activate their accounts AND assign them user licenses. This can be a pain and is probably best done via PowerShell for bulk users.
2) There is a paid-for feature offered by a third-party company which will remove the need for installing ADFS on your network for SSO (will have to search my previous posts for it). They basically host a virtual DC for you which replicates with your onsite DC. If your school's internet connection goes down, users can still authenticate with their hosted DC.
3) If you get ADFS setup for SSO, yes you can pick which users have email access or not. You do this via the license assignment in 365. When you view the Exchange properties of a user you can assign them a licence. If, like me, you choose the completely free A2 Education package then you would select whether the user had a Student A2 license or a Faculty A2 license. Within that are tick-box options as to what features you give them, namely Exchange (email), SharePoint (Skydrive Pro), Office Web Apps (for editing directly within Skydrive) and Lync. If you don't tick it, they don't get it! I have only rolled out email so far with a view to add Skydrive at a later date.
If you need some guidance on the ADFS / SSO stuff I will try and provide the info for what I did (you will NEED to obtain an SSL certificate for the server hosting ADFS!!)
I admit, much of the time I spent on it was getting the SSO to work correctly. Doing as mentioned above would be much quicker! You can then fine-tune rules and policies etc. over time rather than inside your 2 week window.
You can use PowerShell to set passwords to never expire. Copied from O365 help documentation:
Set a password to never expire
1. Connect to Windows PowerShell by using your company admin credentials.
2. Do one of the following:
To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:
    Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true
To set the passwords to never expire for all the users in an organization, run the following cmdlet:
    Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true
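Following on from the bulk-licensing point made earlier in the thread, here is an added example (not from any poster, and not copied from Microsoft's documentation) that uses the same MSOnline cmdlets to licence DirSync'd accounts from a CSV and report what happened to each one. It assumes Connect-MsolService has already been run as a tenant admin, a constructed CSV with UserPrincipalName and Role columns, and placeholder A2 SKU ids that you should check against Get-MsolAccountSku for your own tenant.

```powershell
# Added example: bulk-assign A2 licences to accounts DirSync has already
# created, without touching accounts that are missing or already licensed.
Import-Module MSOnline

$csvPath = "C:\O365\users.csv"   # constructed path; columns: UserPrincipalName,Role
$skuMap = @{
    # Placeholder SKU ids - replace with the values Get-MsolAccountSku shows for your tenant
    Student = "contoso:STANDARDWOFFPACK_STUDENT"
    Faculty = "contoso:STANDARDWOFFPACK_FACULTY"
}

$report = foreach ($row in Import-Csv -Path $csvPath) {
    $upn = $row.UserPrincipalName
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue

    if (-not $user) {
        # Not in the tenant yet: let DirSync create it rather than making a
        # cloud-only account that the sync will later have to adopt
        [pscustomobject]@{ UPN = $upn; Result = "NotFoundInTenant" }
        continue
    }
    if (-not $skuMap.ContainsKey($row.Role)) {
        [pscustomobject]@{ UPN = $upn; Result = "UnknownRole:$($row.Role)" }
        continue
    }
    if ($user.IsLicensed) {
        [pscustomobject]@{ UPN = $upn; Result = "AlreadyLicensed" }
        continue
    }

    # A UsageLocation must be set before any licence can be assigned
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation "GB"
    }

    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $skuMap[$row.Role]
    [pscustomobject]@{ UPN = $upn; Result = "Licensed:$($row.Role)" }
}

# The report is what you keep: it shows which rows were skipped and why
$report | Format-Table -AutoSize
```

Run it once with the Set-MsolUserLicense line commented out to see the report before any licences are actually assigned.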
That's cool, cheers - although password changes do make sense. Perhaps until we do set up a sync with both usernames and passwords a static password would be fine.
Just a thought though: if I create users without using DirSync, then if/when I do want to set up SSO or just a sync of usernames and passwords (which would be more than fine for us here, to be honest) and sync from AD, will new accounts be created, or will it see those AD users already exist and sync with them?
Should I run DirSync without ADFS for now, which will at the very least sync users?
Pre-existing users that match an AD record will be 'adopted' by DirSync if and when you start using it. If I remember correctly it matches on the email address field.
Personally I had a new virtual server with DirSync up and running within a day, and that was with the added complication of using Server 2012 for the first time. The docs make it look daunting (like almost all MS technical documentation) but once you actually sit down and do it, implementing DirSync without SSO is pretty straightforward.