Mark Minasi's Tech Forum
jsclmedave (Administrator) #1
Looking for recommendations for understanding -

  •  ADFS On Premises / Hybrid mix - O365
  • Best Practices
  • Known Issues
  • How To's
  • What About The O365 Exchange side of the house?
  • How do we best utilize our GLOBAL Domain O365 footprint with ADFS?
  • How to setup ADFS for our Global Domain that does not take hours to update

Asking for work colleagues that are diving in head first and have a LOT of questions...


I can post some of their questions here as applicable...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  
wobble_wobble (Associate Troublemaker Apprentice) #2
First off, the O365 links.

To select the model of login you wish to use:
https://blogs.office.com/2014/05/13/choosing-a-sign-in-model-for-office-365/

To configure ADFS and single Sign-on
https://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365/

To answer the specific questions.

ADFS On Premises / Hybrid mix - O365
Depending on what you're trying to achieve, how good your infrastructure is, etc., you can put ADFS on-prem or in Azure.
On-prem ADFS: if it fails or if it loses internet connectivity, you cannot log in.
Azure-based ADFS: if Azure fails or the Azure RG loses internet connectivity, you cannot log in. Surprisingly, Azure machines can go down a lot.
Build a farm if a lot of people will use this!

Best Practices
It's fairly well documented; follow the docs and the ADFS deployment docs.
Use good certs; test Chrome/IE/Edge/Firefox/Opera and any other browser you use or may use.
!!!!This next bit is damn important!!!!
Document the browsers you support/ test.
!!!! This last bit is damn important!!!

Known Issues
ADFS is rock solid.
Azure AD Connect is like a moving target; it gets updated so often.
!!!!This next bit is damn important!!!!
If you have a lot of users, have a test subscription and upgrade that first, blah blah blah
!!!! This last bit is damn important!!!

How To's
The MS documentation sites generally lag at least 3 weeks behind the deployed code.
Check O365 or Azure portal for new docs.
Subscribe to the Azure RSS feed and at least read each heading:
https://azure.microsoft.com/en-us/blog/feed/

What About The O365 Exchange side of the house?
Azure AD Connect will bring your users up to Azure AD.
Buy the Exchange Pro Office 365 for IT Pros Book.
Buy its updates; it's the best, most reliable source of info on the subject I've found.
http://exchangeserverpro.com/office-365-for-exchange-professionals/

How do we best utilize our GLOBAL Domain O365 footprint with ADFS?
Not sure; how many people/objects are you talking about?
Replication takes time, even on a local machine to a local machine.
!!!!This next bit is damn important!!!!
If you have a lot of users, have a test subscription and upgrade that first, blah blah blah
!!!! This last bit is damn important!!!

How to setup ADFS for our Global Domain that does not take hours to update
What length is the piece of string that smells of the colour purple.
See previous answer.
A test subscription does not need to have Azure or O365 licenses for all that many people


Now for my own observations.
You can't just jump in with a global company and 'move to Azure' based on some previous conversations.
Get a copy of AD, reset all the passwords, strip out all the admin accounts and important/ high value accounts.
Check it again.
Then move a subset of users to a DC in Azure by either deleting all the others or whatever means you desire.
From the DC in Azure do your testing to a test subscription, ADFS/ Azure AD Sync.
Work out the kinks, find the nested groups that can't and won't move.
Find the mad stuff that just won't go up.
Don't expect Azure AD to run GPO.
Don't expect Azure AD to be fool proof when you mix in ADFS and Azure AD Sync.
After you've all the kinks worked out, move the domain back to on-premise test servers and work out the networking issues/connectivity.
You may have Express Route, which should make life easier.
But if you are using Site to Site VPN, that also fails every now and then.

Then once you have that lot of kinks worked out, move a small production test group and then start rolling.

Or hire Ton and me and we'll go do it for you.


Edits
Don't remember putting in the red...Removing it.


__________________
Have you tried turning it off and walking away? The next person can fix it!
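The "get a copy of AD, reset all the passwords, strip out the admin accounts, check it again" steps from the post above, written out as a script. This is an added example, not wobble_wobble's code or anything from the forum; it assumes an isolated lab copy of the domain, the ActiveDirectory module, and placeholder values for the lab domain name and the one account that stays usable.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): sanitise the cloned lab copy of AD before pointing ADFS / Azure AD Connect at it.
# Placeholders you must edit: the lab domain's DNS name and the one lab admin account that stays usable.
$LabDomain   = 'lab.example.test'
$KeepAccount = 'labadmin'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'

# Guard: refuse to run against anything except the isolated lab copy.
$domain = Get-ADDomain
if ($domain.DNSRoot -ne $LabDomain) { throw "Connected to '$($domain.DNSRoot)', not the lab copy '$LabDomain'." }

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64 encoded, plus a suffix that satisfies the default complexity policy.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes) + '!Aa1'
}

function Get-PrivilegedUser {
    # Recursive membership catches nested groups; adminCount=1 catches anything AdminSDHolder has ever protected.
    $found = @(foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' | ForEach-Object { Get-ADUser -Identity $_.DistinguishedName }
    })
    $found += @(Get-ADUser -LDAPFilter '(adminCount=1)')
    $found | Sort-Object DistinguishedName -Unique | Where-Object { $_.SamAccountName -notin @($KeepAccount, 'krbtgt') }
}

# 1. Strip out the admin / high-value accounts. Disable rather than delete so the group structure survives for testing.
Get-PrivilegedUser | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName }

# 2. Reset every password, krbtgt included: the clone carries production hashes and the production KDC secret,
#    none of which belong in a lab. The new values are never recorded; nobody but $KeepAccount needs to log in.
Get-ADUser -Filter "SamAccountName -ne '$KeepAccount'" | ForEach-Object {
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
}

# 3. "Check it again": anything privileged that is still enabled fails the lab before Azure AD Connect ever sees it.
$leftover = @(Get-PrivilegedUser | Where-Object Enabled)
if ($leftover) { throw "Still enabled and privileged: $($leftover.SamAccountName -join ', ')" }
Write-Output "Lab copy $LabDomain sanitised: $(@(Get-PrivilegedUser).Count) privileged accounts disabled."
```

Run it as the kept lab account on the lab DC; after step 2 every existing Kerberos ticket in the lab is invalid, which is intended.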
jsclmedave (Administrator) #3
THANKS JOE!!!
jsclmedave (Administrator) #4
Resurrecting this thread since SO much has changed since it was originally posted...

Once again, links for ADFS to work with Azure and O365 AND AWS...


A specific topic came up with the browser side.

"We want to be able to federate to another company's WebSite so that we can use our AD credentials to log into their WebSite.  Example: Internal employees need to be able to access external "Work Day" (AWS).  We want to be able to log into that site with our AD credentials."
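One of the "several methods" for the federation question in the post above is a SAML relying party trust on the ADFS farm with claim rules, so the vendor's site accepts assertions signed by ADFS and employees sign in with their AD credentials. This is an added example, not code from the thread or from either poster; the trust name, the vendor metadata URL and the group SID are placeholders.

```powershell
#Requires -Modules ADFS
# Added example (not from the thread): register a third-party SaaS site as an ADFS relying party.
# Placeholders: $SpName, $SpMetadataUrl (the vendor supplies it), $AllowedGroupSid (your AD group for the app).
$SpName          = 'Vendor site (placeholder)'
$SpMetadataUrl   = 'https://sp.example.com/saml/metadata'
$AllowedGroupSid = 'S-1-5-21-0-0-0-1234'

# Claim rules use the ADFS claim rule language. Rule 1 pulls UPN and mail from AD for the authenticated user;
# rule 2 turns the UPN into the SAML NameID most SaaS providers expect (email format).
$transformRules = @'
@RuleName = "Send UPN and mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleName = "UPN as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Least privilege: only members of one AD group get an assertion at all; everyone else is refused by ADFS, not by the vendor.
$authzRules = @"
@RuleName = "Permit only the app's AD group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$AllowedGroupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Identifier, assertion consumer endpoint and the SP's certificates come from the vendor metadata;
# monitoring keeps them current when the vendor rolls certificates. Sign message and assertion with SHA-256.
Add-AdfsRelyingPartyTrust -Name $SpName -MetadataUrl $SpMetadataUrl -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' -SamlResponseSignature 'MessageAndAssertion'

# Check what was actually registered before handing the vendor your ADFS federation metadata URL.
Get-AdfsRelyingPartyTrust -Name $SpName | Select-Object Name, Identifier, Enabled, SamlEndpoints, IssuanceAuthorizationRules
```

The vendor side needs your IdP metadata (https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml) and must be told the NameID format used above.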
wobble_wobble (Associate Troublemaker Apprentice) #5
Several methods - try this first
jsclmedave (Administrator) #6
Quote:
Originally Posted by wobble_wobble
Several methods - try this first



Thanks Joe!  Seems like Azure is changing weekly and is hard to keep up even when you can focus on it daily.  Having to peek at it once a month is horrible...

wobble_wobble (Associate Troublemaker Apprentice) #7
Understatement...

I'm doing Skype for Business Airlift next week - wonder how out of date that is already.
Apparently SfB Airlift is the new term for training....


With the rise of self-driving vehicles, it’s only a matter of time before we get a country song where a guy’s truck leaves him too.

cj_berlin (Senior Member) #8
Quote:
Originally Posted by wobble_wobble

With the rise of self-driving vehicles, it’s only a matter of time before we get a country song where a guy’s truck leaves him too.


Sweet Alice Chalmers reloaded...

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/