Today I want to write about Office 365 and On-Premise with Federation and DirSync.
Since functionality and typical questions are probably the most interesting for you, I want to focus on those.
The following picture shows the architecture of an Office 365 environment. It is connected to an On-Premise environment with a federation and a Directory Synchronization (DirSync).
Architecture: Run Office 365 and On-Premise in parallel
User Administration between Office 365 and On-Premise Environments
How to set up new accounts?
Because of the federation between Office 365 and the On-Premise environment, the user administration remains in the On-Premise environment. DirSync automatically synchronizes new user accounts into the Office 365 environment. As soon as the attribute “mail” of the new account is filled, an Exchange license can be assigned to the account via the Office 365 administration. Thus, the account gets a working mailbox.
After setting up the account in the On-Premise environment, you have to wait for the next DirSync to finish.
→ Afterwards, the account will show up in the Office 365 environment
How to maintain telephone and address information?
DirSync does not only synchronize the information of newly set up accounts but also changes made in the On-Premise environment. Address and telephone information is changed in the On-Premise environment and synchronized via DirSync into the Office 365 environment.
→ Changes automatically show up in the Outlook address book.
How to reset passwords?
Passwords are administered in the On-Premise environment and have to be reset there as well. With the federation of the Office 365 and On-Premise worlds there is no password synchronization. Password changes and password resets have to happen in the environment in which the passwords are stored.
→ In the Active Directory of the On-Premise environment.
On-Premise Exchange Server
Is an On-Premise Exchange server still necessary? If not, what do I have to consider when uninstalling all On-Premise Exchange servers?
Do I still need an On-Premise Exchange Server?
According to Microsoft’s guidelines, one Exchange server should remain in operation, so that the Exchange-specific properties of the user accounts can still be maintained. Be very (!) careful with the uninstallation of the last Exchange server. With it, the Exchange attributes of the user accounts would disappear. This means that all mailboxes in the Office 365 environment would disappear too, which, obviously, is undesirable. You can find further information in the next part of the article.
What will happen if I uninstall my last On-Premise Exchange Server?
With DirSync in place, attributes, changes and deletions are synchronized between On-Premise and Office 365. Uninstalling the last On-Premise Exchange Server would delete the Exchange attributes. This deletion would then be synchronized into the Office 365 environment, where the attributes would finally be deleted as well.
You don’t want to lose your mailboxes? Then you have several possibilities:
- At least one Exchange Server should remain in the On-Premise world.
- Integrate an AD user administration with which Exchange attributes can be administered (e.g. FirstWare-Admin).
- Shut down the last Exchange Server instead of uninstalling it.
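A check for the failure mode described above, as an added example that is not part of the original article: it compares two snapshots of user attributes, taken before and after a change to the Exchange setup, and lists accounts that lost Exchange-related attributes, so the loss can be noticed before the next DirSync run. The function name, the attributes watched besides `mail`, and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example, not from the article. Snapshots are constructed sample data;
# in practice they would be exported from Active Directory before and after the change.
function Find-LostExchangeAttribute {
    param(
        [object[]] $Before,
        [object[]] $After,
        # Assumed set of attributes to watch; adjust to your environment.
        [string[]] $Attributes = @('mail', 'proxyAddresses', 'msExchMailboxGuid')
    )
    # Index the "after" snapshot by account name.
    $afterByName = @{}
    foreach ($entry in $After) { $afterByName[$entry.SamAccountName] = $entry }

    foreach ($old in $Before) {
        $new = $afterByName[$old.SamAccountName]
        if ($null -eq $new) {
            [pscustomobject]@{ SamAccountName = $old.SamAccountName; Lost = 'account missing' }
            continue
        }
        # An attribute counts as lost when it had a value before and has none now.
        $lost = foreach ($name in $Attributes) {
            $had = @($old.$name | Where-Object { $_ })
            $has = @($new.$name | Where-Object { $_ })
            if ($had.Count -gt 0 -and $has.Count -eq 0) { $name }
        }
        if ($lost) {
            [pscustomobject]@{ SamAccountName = $old.SamAccountName; Lost = ($lost -join ', ') }
        }
    }
}

# Constructed snapshots: alice loses her Exchange attributes, bob is unchanged.
$before = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com'
                       proxyAddresses = @('SMTP:alice@example.com'); msExchMailboxGuid = 'guid-a' }
    [pscustomobject]@{ SamAccountName = 'bob'; mail = 'bob@example.com'
                       proxyAddresses = @('SMTP:bob@example.com'); msExchMailboxGuid = 'guid-b' }
)
$after = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com'
                       proxyAddresses = @(); msExchMailboxGuid = $null }
    [pscustomobject]@{ SamAccountName = 'bob'; mail = 'bob@example.com'
                       proxyAddresses = @('SMTP:bob@example.com'); msExchMailboxGuid = 'guid-b' }
)
Find-LostExchangeAttribute -Before $before -After $after | Format-Table -AutoSize
```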
Federation between Office 365 and On-Premise
On-Premise and Office 365 are now federated. But what happens when the federation server does not run anymore? This question, and what has to be considered when removing the federation, are the subject of the last part.
What will happen if the Federation Server fails?
As soon as the Federation Server fails, logon to Office 365 is no longer possible. You have to restore the environment quickly so that your users have access again. For this reason, you should be clear about the architecture and the failure scenarios before you migrate into the Office 365 environment.
How can the Federation be removed again?
The federation can be removed via the administration interface of Office 365, which triggers a reset of the passwords of all accounts in the Office 365 environment. The new passwords are saved in a file and have to be given to the users individually. For the users to be able to continue working with their old passwords, the DirSync configuration has to be adapted and the password synchronization activated.
Thus, the passwords from the On-Premise environment will be migrated into Office 365 after the next run and the users can log on as usual. From this time on, the password sync will run regularly and password changes will also affect the Office 365 environment. However, you have to wait for the next DirSync to finish.
(Source: Microsoft)
If you have questions or things to add, please write us a comment or send us a mail.