Planning for Hybrid Integration with O365

This article is a continuation of Planning for Hybrid Cloud Deployments.

Working through provisioning of a new Office 365 tenant doesn’t take much effort. The real effort is in the planning of the key components of your O365 tenancy. In this blog series, we are going to cover the important items to take into consideration when planning your O365 tenancy, particularly when it comes to hybrid environments. We will briefly cover hybrid O365 scenarios and the components to be aware of. Later in the series, I will dive a bit deeper into specific hybrid scenarios. As usual, along the way I will be sure to highlight the lessons learned and the pitfalls to be aware of.

In most cases, it’s safe to say that organizations will not need more than one O365 tenant. There are some special cases where this is a requirement. This article will not cover multi-tenant O365 scenarios. If multiple O365 tenants are required, there will need to be some additional planning around domains, synchronizing users into multiple tenancies, and the impact on other O365 services. The TechNet article found here covers the pros and cons of single and multiple tenant O365 deployments.

The first step in planning your O365 deployment is to perform some discovery around your current IT infrastructure and enterprise applications. For example, identify all on-premises applications such as Exchange, SharePoint, and Skype for Business that may have integration points with O365 services, because those integration points can affect how your tenant is deployed. Pay special attention to the authentication approach selected for users: user authentication is one of the earliest planning decisions, and it has to account for the integration points with the on-premises applications mentioned above. Take inventory and, if you are integrating your on-premises environment with O365, make sure you meet the O365 requirements for each of the following:

  • Active Directory
  • Network architecture and DNS domains
  • Mail routing
  • Authentication solutions
  • Mail archiving and compliance
  • Network bandwidth
  • Certificates
  • Hardware and software for Azure AD Connect and possibly ADFS deployment

Here is a great O365 deployment checklist which adds much more detail to the inventory which should be taken of the current environment. The table in the checklist includes inventory tasks and overall questions that should be discussed prior to your organization’s deployment. This is particularly true with organizations who want to leverage on-premises investments in a hybrid scenario.

Organizations that want to continue to leverage their existing on-premises technologies alongside O365 will require a hybrid configuration. One of the single most important decisions to be made early in any hybrid configuration concerns the identity model and authentication. Will users be required to enter their credentials when using O365 services while connected to the internal network? Unfortunately, there isn’t a universal answer to this question; your organizational requirements will dictate which Azure AD sign-in option is chosen.

O365 sign-in options

Choosing an identity model is the foundation for your organization’s O365 implementation. Azure AD is the underpinning directory service used by Office 365 to provide access to services. An Azure AD tenant is attached to a single Office 365 tenant. Here are a couple questions that should be asked when planning your O365 identity implementation:

  1. Will existing users be migrated into Azure AD?
  2. If the organization is currently using Active Directory on-premises will users be synced using Azure AD Connect?
  3. Will new users be created directly in O365 or created in the local AD and synced to O365?
  4. What kind of sign-in experience do we want for users accessing O365 services?
  5. Is single sign on (SSO) required when authenticating to O365 services?

Identity Models

Below is a list of the identity models that can be configured with Azure AD Connect. Seamless SSO can be combined with either the password hash synchronization or the pass-through authentication option below. Seamless SSO automatically signs users in when they are on domain-joined corporate devices connected to the internal corporate network: the device already holds a Kerberos ticket from your domain controllers, so no password prompt is shown.

Password hash synchronization (PHS)

Hashes of user passwords are synchronized from on-premises AD to Azure AD. What is uploaded is neither the password nor the raw NT hash: Azure AD Connect adds a per-user salt to the NT hash and re-hashes it with PBKDF2-HMAC-SHA256 before sending it, so passwords are never sent to or stored in Azure AD in clear text. Users accessing Azure AD resources (O365 services) use their corporate account and password. Because Azure AD can validate passwords on its own, cloud sign-in keeps working when the on-premises environment is unavailable, and Azure AD can check synchronized accounts against its leaked-credential detection.

Pass-through authentication (PTA)

User passwords are not stored in Azure AD in any form. Instead, an authentication agent installed on an on-premises domain-joined Windows server validates each sign-in against your own domain controllers. The agent receives the password encrypted for its own key over an outbound HTTPS connection it initiates, so no inbound ports need to be opened to the internet. Two practical caveats: the agent decrypts and sees the clear-text password, so the servers hosting it should be hardened and managed with the same care as domain controllers, and cloud sign-in stops if every agent is unreachable, so deploy at least three agents on separate servers. Seamless SSO can be enabled on top of PTA for domain-joined machines on the corporate network.

Federated SSO with Active Directory Federation Services (ADFS)

This option hands authentication to an on-premises ADFS farm: Azure AD redirects the user to ADFS, ADFS validates the credentials against AD and returns a signed token, and the password never reaches the cloud. It is the usual choice for more complex environments, for example multiple forests or domains, smart-card or third-party MFA requirements, or sign-in policies that must be enforced on-premises. Users on the corporate network get SSO through Windows integrated authentication to ADFS and will not have to enter passwords when switching between applications. The trade-offs are an internet-facing federation tier (ADFS plus Web Application Proxy) to patch and monitor, token-signing certificates to rotate, and a hard dependency on that farm for cloud sign-in; Microsoft recommends keeping password hash synchronization enabled as a fallback.

Each identity model has its own benefits and limitations. Pass-through authentication is a relatively new capability that gives organizations that do not want any form of their users’ passwords stored in the cloud an option that does not require federation. I am not going to cover how PTA works in depth, but a quick search on your favorite search engine will return some great resources and documentation.

If an organization has already invested in ADFS infrastructure, federated SSO with ADFS is usually the path of least resistance. The other two options do not require any additional, potentially redundant infrastructure: Azure AD Connect can be installed on a domain-joined server in your current on-premises environment. Once the installation has completed, the Azure AD Connect tool is used to configure seamless SSO and the user sign-in method, and to connect to Azure AD and synchronize your on-premises AD directories.
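Whichever model you end up with, it is worth being able to verify from a script which one a tenant is actually using and whether the hygiene that goes with it is in place. The following PowerShell is an added example and not code from the original post: it assumes the MSOnline module (the era-appropriate tooling; Microsoft Graph’s Get-MgDomain and Get-MgOrganization are the current equivalents), an account with at least read rights on the tenant, the ActiveDirectory RSAT module if you want the Seamless SSO key-age check, and that the local PTA service carries its documented name AzureADConnectAuthenticationAgent. The AZUREADSSOACC computer account and the Update-AzureADSSOForest cmdlet (from the AzureADSSO module shipped with Azure AD Connect) are the real artifacts Seamless SSO uses; the thresholds are assumptions based on Microsoft’s published guidance.

```powershell
# Added example, not from the original post. Reports which Azure AD sign-in model each
# verified domain uses and runs the hygiene checks that go with that model.
# Assumptions: MSOnline module installed; ActiveDirectory RSAT module present for the
# Seamless SSO check; signed in with tenant read rights; PTA service name as documented.
#Requires -Modules MSOnline

function Get-SignInModelReport {
    [CmdletBinding()]
    param(
        # Seamless SSO stores its Kerberos decryption key as the password of the
        # AZUREADSSOACC computer account; Microsoft recommends rolling it at least every 30 days.
        [int]$MaxSsoKeyAgeDays = 30,
        # Password hash sync normally runs every two minutes; anything older than this is suspect.
        [int]$MaxPasswordSyncAgeHours = 3
    )

    $company  = Get-MsolCompanyInformation
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($d in (Get-MsolDomain | Where-Object Status -eq 'Verified')) {
        $model = $d.Authentication            # 'Managed' or 'Federated'
        $notes = @()

        if ($model -eq 'Federated') {
            $fed   = Get-MsolDomainFederationSettings -DomainName $d.Name
            $model = "Federated (AD FS issuer $($fed.IssuerUri))"
            if ($fed.PassiveLogOnUri -notmatch '^https://') {
                $notes += 'PassiveLogOnUri is not HTTPS'
            }
            if (-not $company.PasswordSynchronizationEnabled) {
                # With federation, cloud sign-in stops when AD FS is unreachable;
                # password hash sync is the recommended fallback.
                $notes += 'no password hash sync fallback'
            }
        }
        elseif ($company.PasswordSynchronizationEnabled) {
            $model = 'Managed / password hash sync'
            if ($company.LastPasswordSyncTime) {
                $age = (Get-Date) - $company.LastPasswordSyncTime
                if ($age.TotalHours -gt $MaxPasswordSyncAgeHours) {
                    $notes += ('last password sync {0:N1} h ago' -f $age.TotalHours)
                }
            } else {
                $notes += 'password hash sync enabled but no sync time recorded'
            }
        }
        else {
            # Managed without PHS means pass-through authentication or cloud-only accounts.
            # (PTA can also coexist with PHS; this heuristic only spots the PTA-only case.)
            $model = 'Managed / pass-through authentication or cloud-only'
        }

        $findings.Add([pscustomobject]@{ Domain = $d.Name; Model = $model; Notes = ($notes -join '; ') })
    }

    # Pass-through authentication agent on this host? Only meaningful when run on the agent server.
    $pta = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    if ($pta) {
        $findings.Add([pscustomobject]@{
            Domain = $env:COMPUTERNAME; Model = 'PTA agent'
            Notes  = "service $($pta.Status); this host decrypts user passwords, manage it like a domain controller"
        })
    }

    # Seamless SSO key age: the AZUREADSSOACC account's password is the Kerberos decryption key.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try {
            $sso    = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet -ErrorAction Stop
            $keyAge = ((Get-Date) - $sso.PasswordLastSet).Days
            $note   = if ($keyAge -gt $MaxSsoKeyAgeDays) {
                "key is $keyAge days old; roll it with Update-AzureADSSOForest"
            } else { "key rolled $keyAge days ago" }
            $findings.Add([pscustomobject]@{ Domain = $env:USERDNSDOMAIN; Model = 'Seamless SSO'; Notes = $note })
        } catch {
            # No AZUREADSSOACC account: Seamless SSO is not enabled in this forest.
        }
    }
    return $findings
}

Connect-MsolService          # interactive sign-in; skip if a session already exists
Get-SignInModelReport | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation to get the tenant-wide picture, and again on each PTA agent server to confirm the agent service is running. A federated domain with no PHS fallback, a stale LastPasswordSyncTime, or an AZUREADSSOACC password older than 30 days are the three findings most worth acting on before moving further into the hybrid configuration.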

Once users begin synchronizing to Azure AD and the authentication option has been chosen, the next big planning item is identifying which hybrid capabilities your organization would like to use. For example, a common question that should be asked is: “What applications will be kept and used on-premises, and which workloads and applications will be migrated to the cloud?” This blog series will focus on the hybrid SharePoint capabilities with O365 and the questions and decisions that need to be made around the hybrid implementation. In the next article in this series we will dive into the different hybrid deployment options for SharePoint 2013/2016 on-premises, covering topics such as authentication topology, hybrid taxonomy, hybrid auditing, and cloud hybrid sites and search.

If you are interested in deploying a hybrid system, but do not know where to start, engage B&R's Architects to help provide a detailed analysis and design supporting your deployment requirements.



Planning for Hybrid Cloud Deployments

For organizations that don’t have any immediate strategic plans for a full migration to the public cloud but want to leverage some of the innovative cloud service offerings, there is a hybrid alternative available.  The hybrid cloud provides companies with a higher degree of flexibility without forcing a choice between either an on-premises or cloud model.  With minimal configuration, an organization can integrate their current enterprise on-premises applications with their choice of a la carte cloud services and products.  The time and infrastructure investment it takes to move to a hybrid cloud model is minuscule compared to the sheer value-add that Office 365 and Microsoft Azure bring to the table. 

Typically, Microsoft will release a new on-premises product every 2-3 years.  Compare that to a 3-6 month release cycle in Microsoft Azure or Office 365 (O365), and organizations quickly begin to see a product that is continually evolving.  In this post we are going to discuss why a move to a hybrid cloud model is a good first step in your organization's cloud adoption strategy.  This post is geared towards organizations who have already made on-premises investments in SharePoint 2013 / 2016 but want to leverage cloud services where it makes sense for the business.

Enabling the SharePoint Hybrid Cloud

Moving to a hybrid SharePoint environment will provide additional enhancements and integration points for on-premises installations of SharePoint 2013 and 2016.  In fact, Microsoft is now releasing on-premises feature packs for SharePoint 2016.  These feature packs contain cloud features and capabilities that can be deployed into your SharePoint 2016 on-premises environment.  This means that on-premises customers can enjoy product updates based on all the current innovative cloud service offerings happening in Microsoft Azure and Office 365.

Enabling the hybrid cloud doesn’t require lengthy investments or migration efforts.  It can be thought of as an add-on enhancement to your existing SharePoint implementation.  This is a win-win for organizations who are new to the cloud and would like to see what the cloud has to offer.  In most cases, companies can continue to leverage existing on-premises application deployments (SharePoint, Exchange, etc.) and cloud service add-ons together without impacting current SharePoint deployments.  If down the road you decide to begin migrating some on-premises workloads to the cloud you will already have positioned yourself to make that move more seamless.

The hybrid cloud is the integration of on-premises resources with cloud resources.  Organizations today with on-premises SharePoint 2013 / 2016 investments that are wondering how they can begin adopting the cloud should first think about adopting a hybrid cloud model.  With the hybrid cloud, organizations can leverage the strengths of both on-premises and cloud workloads while providing a robust and consistent experience for users.

Planning Your Move

When planning a move to the hybrid cloud for SharePoint there are a few key areas that require special attention.  Your trusted Cloud Service Provider has the experience needed to guide your organization to the hybrid cloud model.  They should have the right questions lined up to ask in order to match the proposed SharePoint hybrid solutions to the business requirements.

With the proper planning, and with some of the new advancements in the Azure AD Connect onboarding tool, getting through the initial hybrid cloud setup is easier than it has ever been.  Listed below are some important topics that should be discussed when planning and configuring on-premises hybrid connectivity:

  1. Azure / O365 tenant deployment planning
    1. Which Azure / O365 plan works best for my organization?
    2. Domain name planning / routing
    3. Tenant name and administration delegation
  2. Integration of on-premises directories with Azure AD
    1. Will user passwords be synced up to Azure AD?
    2. Pass-through Authentication (PTA) provides the same corporate-credential access to cloud-based services and does not require an ADFS deployment.
    3. Is single sign-on (SSO) between O365 / Azure and on-premises resources a requirement?  Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources.
    4. Is Active Directory Federation Services (ADFS) deployed currently?  If not, Pass-through Authentication (PTA) with SSO enabled is a new option that should be evaluated.
  3. Authentication topology planning
    1. One-way Inbound
    2. One-way Outbound
    3. Bi-Directional Authentication
    4. Server to Server Authentication
  4. SharePoint hybrid cloud integration points
    1. Centralized user profile deployment
    2. OneDrive for Business deployment
    3. Hybrid search deployment
    4. Extranet website deployment
    5. Seamless on-premises disaster recovery environment in Azure
    6. Hybrid self-service site creation
    7. Enhanced hybrid auditing capabilities

In the next blog post of this Hybrid SharePoint series, I will begin to dive into each of the higher-level planning items mentioned above.  The first one up will be planning your organization's O365 tenant and choosing the best integration option for your organization's on-premises directories.

To assist in your planning process, be sure to download your free copy of the Hybrid SharePoint research report, sponsored by Microsoft, B&R Business Solutions, and other leading partners. And if you'd like to learn more about how B&R can help your organization move to the cloud, please contact us.

