This article is a continuation of Planning for Hybrid Cloud Deployments.
Working through provisioning of a new Office 365 tenant doesn’t take much effort. The real effort is in the planning of the key components of your O365 tenancy. In this blog series, we are going to cover the important items to take into consideration when planning your O365 tenancy, particularly when it comes to hybrid environments. We will briefly cover hybrid O365 scenarios and what components to be aware of. Late in the series, I will dive a bit deeper into specific hybrid scenarios. As usual, along the way I will be sure to highlight the lessons learned and pitfalls to be aware of.
In most cases, it’s safe to say that organizations will not need more than one O365 tenant. There are some special cases where this is a requirement. This article will not cover multi-tenant O365 scenarios. If multiple O365 tenants are required, there will need to be some additional planning around domains, synchronizing users into multiple tenancies, and the impact on other O365 services. The TechNet article found here covers the pros and cons of single and multiple tenant O365 deployments.
The first step in planning your O365 deployment is to perform some discovery around your current IT infrastructure and enterprise applications. For example, you will want to identify all on-premises applications such as Exchange, SharePoint, and Skype for Business that may have integration points into some of the other O365 services. These integration points could potentially have an impact on the deployment of your O365 tenant. Pay special attention to the authentication approach that is selected for users. User authentication is one of those early planning decisions that needs to take into account the integration points with the on-premises applications mentioned above. Take inventory and, if you are integrating your on-premises environment with O365, make sure you meet the O365 requirements for each of the following:
- Active Directory
- Network architecture and DNS domains
- Mail routing
- Authentication solutions
- Mail archiving and compliance
- Network bandwidth
- Hardware and software for Azure AD Connect and possibly ADFS deployment
Here is a great O365 deployment checklist which adds much more detail to the inventory that should be taken of the current environment. The table in the checklist includes inventory tasks and overall questions that should be discussed prior to your organization's deployment. This is particularly true for organizations that want to leverage on-premises investments in a hybrid scenario.
Organizations that want to continue to leverage their existing on-premises technologies alongside O365 will require a hybrid configuration. One of the single most important decisions to be made early with any hybrid configuration is the identity model and its authentication approach. Will users be required to enter their credentials when using any of the O365 services while connected to the internal network? Unfortunately, there isn't a universal answer to this question. Your organizational requirements will dictate which Azure AD sign-in option is chosen.
O365 sign-in options
Choosing an identity model is the foundation for your organization's O365 implementation. Azure AD is the underpinning directory service used by Office 365 to provide access to services. An Azure AD tenant is attached to a single Office 365 tenant. Here are a couple of questions that should be asked when planning your O365 identity implementation:
- Will existing users be migrated into Azure AD?
- If the organization is currently using Active Directory on-premises will users be synced using Azure AD Connect?
- Will new users be created directly in O365 or created in the local AD and synced to O365?
- What kind of sign-in experience do we want for users accessing O365 services?
- Is single sign on (SSO) required when authenticating to O365 services?
Below is a list of the different identity models that are available for configuration using Azure AD Connect. Seamless SSO can be used with the password hash synchronization and pass-through authentication options below. Seamless SSO automatically signs users in when they are using corporate devices connected to your internal corporate network.
Password hash synchronization
Hashes of user passwords are synchronized from on-premises AD to Azure AD. Passwords are never sent to or stored in Azure AD in clear text. Users accessing Azure AD resources (O365 services) will be able to use their corporate account to access these services.
Pass-through authentication (PTA)
User passwords are not stored in Azure AD in any form. This model uses an agent that is installed on an on-premises domain-joined machine. The agent performs all the heavy lifting and does not require any inbound ports to be open to the internet. You can enable seamless SSO on corporate domain-joined machines on the corporate network.
Federated SSO with Active Directory Federation Services (ADFS)
This option requires ADFS infrastructure for more complex environments with multiple domains authenticating to Azure AD. Users accessing O365 services from the corporate network will not have to enter passwords when switching between applications.
Each identity model has its own benefits and limitations. Pass-through authentication is a fairly new capability that gives organizations that do not want to store user passwords (or their hashes) in the cloud an option. I am not going to cover how PTA works in depth, but a quick search on your favorite search engine will return some great resources and documentation.
If an organization has already invested in an ADFS infrastructure, federated SSO with ADFS is the way to go. The other two options do not require any additional, potentially redundant infrastructure. Azure AD Connect can be installed on a domain-joined server in your current on-premises environment. Once the installation has completed, the Azure AD Connect tool can be used to configure seamless SSO and the user sign-in authentication method. Azure AD Connect is also used to connect to Azure AD and synchronize on-premises AD directories.
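Whichever sign-in option you pick, you will want a repeatable way to confirm what is actually configured in the tenant and on-premises, both at go-live and during later reviews. The PowerShell below is an added example written for this article, not code from the original post or from Microsoft; it reports, for each verified domain, whether authentication is Managed (password hash sync or PTA) or Federated (ADFS), whether password hash synchronization is enabled and when it last ran, and whether the Seamless SSO computer account exists on-premises and how old its Kerberos decryption key is. It assumes the MSOnline module (the Azure AD PowerShell module of the Office 365 era, since superseded by Microsoft Graph PowerShell) and the ActiveDirectory RSAT module are installed, and that it runs as a tenant administrator who is also a domain user. No domain names are hard-coded; everything is read from the tenant and the forest.

```powershell
# Added example (not from the original article): inventory the sign-in configuration
# of an existing Office 365 / Azure AD tenant and the on-premises pieces that back it.
# Assumes the MSOnline module (Connect-MsolService) and the ActiveDirectory RSAT
# module are installed and that the caller is a tenant admin and an on-premises
# domain user.

Import-Module MSOnline
Import-Module ActiveDirectory

Connect-MsolService   # interactive sign-in; use an account with MFA enforced

# 1. Which identity model is each verified domain using?
#    Authentication = Managed   -> password hash sync or pass-through authentication
#    Authentication = Federated -> ADFS (or another IdP) validates the credentials
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$domains | Select-Object Name, Authentication, IsDefault | Format-Table -AutoSize

foreach ($d in ($domains | Where-Object { $_.Authentication -eq 'Federated' })) {
    # Surface the federation endpoint and signing-certificate state so an unexpected
    # change (an unrecognised issuer or a missing next-signing cert) stands out.
    Get-MsolDomainFederationSettings -DomainName $d.Name |
        Select-Object @{ n = 'Domain'; e = { $d.Name } }, IssuerUri, PassiveLogOnUri, NextSigningCertificate
}

# 2. Is password hash synchronization turned on, and when did it last run?
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled       = $company.DirectorySynchronizationEnabled
    LastDirSync          = $company.LastDirSyncTime
    PasswordHashSync     = $company.PasswordSynchronizationEnabled
    LastPasswordHashSync = $company.LastPasswordSyncTime
} | Format-List

# Managed domains with PasswordHashSync = False are relying on pass-through
# authentication (or cloud-only accounts), so the on-premises PTA agent becomes a
# component whose availability you must monitor.

# 3. Seamless SSO leaves a computer account named AZUREADSSOACC in on-premises AD.
#    Microsoft recommends rolling its Kerberos decryption key at least every 30 days,
#    so an old PasswordLastSet here is a finding, not just an inventory item.
$ssoAcct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet -ErrorAction SilentlyContinue
if ($null -eq $ssoAcct) {
    Write-Output 'AZUREADSSOACC not found: Seamless SSO is not enabled in this forest.'
} else {
    $age = (Get-Date) - $ssoAcct.PasswordLastSet
    Write-Output ("AZUREADSSOACC key last rolled {0:N0} days ago" -f $age.TotalDays)
    if ($age.TotalDays -gt 30) {
        Write-Warning 'Seamless SSO Kerberos key is older than 30 days; roll it with Update-AzureADSSOForest from the Azure AD Connect server.'
    }
}
```

Run it from a workstation with the two modules installed; sections 1 and 2 need only tenant access, while section 3 needs a domain-joined machine with line of sight to a domain controller. Keeping the output from the first run next to your planning documentation gives you a baseline to diff against later, which is how an unplanned switch from Managed to Federated, or a stale Seamless SSO key, gets noticed.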
Once users begin synchronizing to Azure AD and the authentication option has been chosen, the next big planning item is identifying which hybrid capabilities your organization would like to use. For example, a common question that should be asked is: "Which applications will be kept and used on-premises, and which workloads and applications will be migrated to the cloud?" This blog series will focus on the hybrid SharePoint capabilities with O365 and the questions and decisions that need to be made around the hybrid implementation. In the next article in this series we will dive into the different hybrid deployment options for SharePoint 2013/2016 on-premises, covering topics such as authentication topology, hybrid taxonomy, hybrid auditing, and cloud hybrid sites and search.
If you are interested in deploying a hybrid system, but do not know where to start, engage B&R's Architects to help provide a detailed analysis and design supporting your deployment requirements.