Office 365 deploym. ployment checklists. Chapter 27

(1)

29 29 29 29

Chapter 27

Office 365 de

Office 365 deploym

ploym

ployment checklists

ploym

ent checklists

This document provides some checklists to help you make sure that you install and

configure your Office 365 deployment correctly and with a minimum of issues. The

checklists are in the following functional sections:

"Deployment workflow overview" on page 27-30

"Active Directory checklist" on page 27-33

"Office 365 checklist" on page 27-35

"Directory Synchronization checklist" on page 27-37

"Centrify Identity Service checklist" on page 27-41

"Centrify for Office 365 checklist" on page 27-42

(2)

Deployment workflow overview

Chapter 27 Chapter 27 Chapter 27

Chapter 27 • Office 365 deployment checklists 30303030

Deployment workflow over

Deployment workflow overview

view

(3)

Cloud Manager user’s guide 31313131

We recommend that at each deployment stage, you get your deployment working and test

and verify that data is handled correctly before you move on to the next deployment stage.

For example, even if you’re using provisioning, it’s a good practice to first configure your

Office 365 application for SSO and configure the account mapping to verify that SSO

works.

Depending on how many users you have, you may also find that it’s useful to migrate your

users in batches rather than all at once.

Deployment workflow for the depre

Deployment workflow for the deprecated Office 365 application

cated Office 365 application

(4)

(5)

Active Directory checklist

Active Directory che

Active Directory checklist

cklist

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes AD1 Map or list of your Active Directory topology,

and be sure to include the following: • Multiple domains

• Multiple forests • Child domains • Untrusted domains

Later, when you configure Centrify Identity Service, you’ll need this list to verify that each domain in each forest has a login suffix.

AD2 Have you specified an alternative UPN suffix for users?

If you have an alternate UPN specified and you plan on using automatic user provisioning, you’ll need to edit the provisioning script slightly to accommodate your alternate UPN suffix. For instructions, see Configuring Office 365 to synchronize users from a different domain.

Note NoteNote

Note: If you’re using an older version of the Office 365 application (without provisioning), you’ll need to continue using the login suffixes that you created.

If you’ve added alternative UPN suffixes in Active Directory, you must also create a login suffix in Cloud Manager for each of the alternative UPN suffixes.

Example ExampleExample Example:

For example, consider the following example configuration: • Domain name = acme.com

• Alternative UPN suffix = wileycoyote.com The login suffix would be as follows: • login suffix = wileycoyote.com

With the login suffix, a user can log in either with [email protected] or [email protected].

Additional information: Additional information:Additional information: Additional information:

For more details about using login suffixes, see https://

cloud.centrify.com/vfslow/lib/docs///adminref/index.html#context/ cloudhelp/cloud-admin-mod-del-login-aliases

For more information on how to configure the alt UPN, see http:// technet.microsoft.com/library/jj151831.aspx. and http:// technet.microsoft.com/en-us/library/cc772007.aspx.

(6)

Active Directory checklist

AD3 Have you set up a test domain in Active Directory?

It’s a best practice to set up a test domain and use it to go through the Office 365 configuration process before you configure or alter your production deployment.

When setting up a test domain, keep in mind the following: • You must add and verify a publicly addressable domain in Office

365.

• If you use a local domain (one that doesn’t have a publicly valid suffix), you must add an alternate domain and an alternate UPN suffix in Active Directory that matches the publicly addressable domain (suffix) in Office 365.

AD4 Do you have untrusted domains? If you have untrusted domains, on-premise Exchange servers, and are going to use automatic user provisioning, you’ll need to select the domain that the on-premise Exchange server belongs to when you configure provisioning.

When you install a cloud connector in an untrusted domain, the cloud service creates a login suffix for that domain for you automatically.

(7)

Office 365 checklist

Office 365 che

Office 365 checklist

cklist

If you’re already using ADFS with Office 365, you can ignore many of these setup tasks

because you’ve already completed them as part of your ADFS setup. The tasks that you can

probably ignore are designated with a check mark (

√

).

Note Note Note

Note

If you are migrating from an on-premise Office or Exchange deployment to a new

Office 365 deployment, Centrify has partnered with some consulting groups that can offer

planning, implementation, and migration services for Office 365. For details, please contact

Centrify Sales.

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes ADFS can ADFS can ADFS can ADFS can ignore ignoreignore ignore Off1 Your Office 365 account allows federation. Plans A, E, G, M allow federation. For details, see "Supported

Office 365 account types" on page 28-53.

√

Off2 Is your Office 365 Managed or Federated currently?

If you’re using Office 365 in managed mode, that means that it authenticates users with their user name and passwords. If you’re using Office 365 in federated mode, that means that you have ADFS installed, configured, and running successfully. With ADFS, many of the setup tasks listed herein are already completed.

√

Off3 Your domains are validated and registered in Office 365. If you haven’t done this yet, it can take up to 72 hours to complete.

For details, see "Creating and verifying a domain in Office 365" on page 28-54.

√

Off4 You have configured the DNS settings correctly for Office 365 domain ownership validation and registration.

For details, see "Creating and verifying a domain in Office 365" on page 28-54 and http://onlinehelp.microsoft.com/en-us/ office365-enterprises/jj554758.aspx

√

Off5 You have set the default domain correctly. The default domain must be the one that uses the onmicrosoft.com domain.

For details, see "Setting the default domain" on page 28-56.

√

Off6 Your Office 365 account can handle the number of Active Directory objects that you have.

If your have more than 50,000 Active Directory objects, please contact Microsoft support for a quota increase.

For more information about preparing Active Directory, go here:

http://technet.microsoft.com/en-us/library/hh852478.aspx

√

Off7 The Office 365 administrator account is one that is <domain>.onmicrosoft.com, and the account is not in Active Directory.

You need this administrator account to be outside of Active Directory in case you need to revert your Office 365 account back to user password authentication or if you need to make any configuration changes, such as changing your certificate or Issuer name.

For details, see "Creating Office 365 user accounts by synchronizing with Active Directory" on page 28-69. Off8 You can successfully log in to the Office 365

administrator portal with your Office 365 administrator credentials.

(8)

Office 365 checklist

Off9 The Office 365 user account email domain matches the Active Directory user’s UserPrincipalName (UPN) attribute.

In order for Directory Synchronization to work, the UPN in Active Directory must match the user’s email domain in Office 365.

√

Off10 If at all possible, use and register a test domain. Make sure that you set up and register the domain in Office 365.

Off11 List the related Microsoft components that you plan to use with Office 365:

• Email (web access) • Outlook (thick client) • SharePoint online • Lync/Skype for Business • Office Online

• CRM

• CRM Outlook plugin • Yammer (coming soon)

Depending on which components you plan to use, there may be some additional configurations to perform. After all the setup tasks are complete, you’ll need to test the thick clients.

Off12 If you plan on using Office 365 for email, will you be using a hybrid deployment?

A hybrid deployment is one where you use one or more on-premise Exchange servers in addition to the cloud-based Office 365.

If you have a hybrid deployment, sometimes there are questions about pointing the MX record to the on-premise Exchange server (in the domain DNS settings in office 365). You can leave the MX record pointing to the on-premise server instead of changing it to point to Office 365.

Off13 Are users only in Office 365, or are they synchronized from Active Directory?

If your users are only in Office 365, be sure that DirSync does two-way synchronization to migrate the user info into Active Directory. By default, DirSync synchronizes from Active Directory to Office 365, but it can do two-way synchronization. For details, see "Creating Office 365 user accounts by synchronizing with Active Directory" on page 28-69.

√

Off14 If you’re using ADFS, did you purchase Office 365 from a third party?

If so, is that third party ok with you migrating to use Centrify Identity Service as your IdP?

If you purchased Office 365 from a third-party, understand that you configure your Office 365 application to use one identity provider. You cannot use some pieces of Office 365 in one provider and other pieces with Centrify Identity Service. Off15 In the Office 365 administrator portal, Active

Directory synchronization is enabled.

Whether you’re using automatic provisioning or DirSync, you need to enable synchronization in the Office 365 administrator portal.

For details, see Creating Office 365 user accounts by synchronizing with Active Directory and Enabling directory synchronization for cloud users.

√

(9)

Directory Synchronization checklist

Directory Synchronizatio

Directory Synchronization checklist

n checklist

This section covers tasks related to setting up DirSync for use with Office 365. The current

Centrify for Office 365 with provisioning support does not require you to use DirSync.

However, this section applies to you if your deployment scenario involves any of the

following features:

You’re currently using DirSync, either with or without ADFS, and you haven’t yet

migrated to using Centrify for Office 365.

You’re currently using DirSync with an earlier version of Centrify for Office 365. You’ll

need to make sure that you upgrade to the latest version of DirSync before moving on to

the next deployment section.

Note Note Note

Note

_{You can continue using the v1 version of Centrify for Office 365 that uses DirSync;}

however, that version will be deprecated in the future.

If you’re already using ADFS with Office 365, you can ignore many of these setup tasks

because you’ve already completed them as part of your ADFS setup. The tasks that you can

probably ignore are designated with a check mark (

√

).

If you’re not using DirSync currently, you can move on to the next deployment section.

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes ADFS can ADFS can ADFS can ADFS can ignore ignore ignore ignore DS1 Windows Azure Active Directory sign-in assistant

downloaded and installed.

For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 28-51.

√

DS2 Windows Azure Active Directory module for Powershell hot fix downloaded and installed.

√

DS3 Microsoft Active Directory Synchronization tool downloaded.

√

DS4 If you already had DirSync installed, is DirSync used only to synchronize the passwords?

Verify that DirSync is configured to synchronize all desired attributes.

Some deployments have installed DirSync already but configured it so that it synchronizes the passwords only. If this is your situation, you don’t have to re-install DirSync but you do need to configure it differently so that it synchronizes most attributes.

Whether or not DirSync synchronizes passwords doesn’t affect federation.

For details about password synchronization, see http:// blogs.technet.com/b/educloud/archive/2013/06/03/new- azure-active-directory-sync-tool-with-password-sync-is-now-available.aspx.

√

DS5 For the server that hosts DirSync, all preparatory tasks have been completed.

(10)

DS6 Your Active Directory system meets or exceeds the DirSync and Office 365 requirements.

Use the Microsoft Deployment Readiness toolkit to make sure that your Active Directory system meets or exceeds the requirements. The tool will indicate what fixes you need to make, if any.

See "Notes on the Microsoft Readiness toolkit" on page 27-39.

√

DS7 Prior to installing DirSync, ensure that the UPN of Active Directory user accounts matches the domain in Office 365 portal.

√

DS8 If you have more than 10,000 objects in Active Directory, filter what gets synchronized and run DirSync several times.

For details on filtering DirSync, see http:// msexchangeguru.com/2012/08/10/office-365-2/ DS9 Do you want to enable two-way Directory

Synchronization between Active Directory and Office 365?

In most cases, you’ll use the Directory Synchronization tool to synchronize attributes from Active Directory to Office 365. However, there may be some cases where you want to have two-way synchronization.

For example, if you have a hybrid setup (on-premise Exchange servers in addition to Office 365), you’ll want to use two-way synchronization.

For more details, see http://technet.microsoft.com/en-us/ library/hh852469.aspx.

√

DS10 DirSync is installed and running successfully. You must be an Enterprise Administrator or equivalent in order to install DirSync.

Verify that DirSync is running successfully by looking at the following:

• Users are being correctly synced into Active Directory. • Are changes to users in Office 365 supposed to sync

back to Active Directory user accounts?

• Are changes to uses in Active Directory supposed to sync up to Office 365 user accounts?

• In Office 365, are the user account attributes correct? In the majority of cases, DirSync synchronizes user data from Active Directory to Office 365. However, you can configure DirSync to do two-way synch at any time. Note:

Note: Note:

Note: Previous versions of DirSync (prior to version 6567.0018

)

could not be installed on the domain controller. Current versions allow you to install DirSync on the domain controller. If you do so, you must log off after installing DirSync and then log back on before you run DirSync.

√

(11)

Notes on th

Notes on the Microsoft Readiness toolkit

e Microsoft Readiness toolkit

This list gives you an idea of some things to be aware of about the Microsoft Readiness

toolkit or some of the main things that the toolkit looks for.

For more information about how your Active Directory needs to be set up, see http://

technet.microsoft.com/en-us/library/hh852478.aspx.

Run the Readiness toolkit from within your domain, preferably with Domain

Administrator permission or the equivalent.

Office 365 can only go up to 50,000 objects in the tenant. If you have more objects than

that, contact Microsoft support for a quota increase.

The toolkit finds leading or trailing spaces in user attributes, such as the First Name and

Last Name.

The toolkit finds illegal characters or blank values in Active Directory objects and

Exchange.

The toolkit looks for the display name value; the display name must be present and not

blank on security groups, otherwise the groups do not synchronize.

DS11 Do you have multiple forests in your Active Directory architecture?

If so, are you using Microsoft’s Federated Identity Management (FIM)?

The Centrify identity platformhandles multiple forests by having you install DirSync in each forest. If you are using Microsoft’s FIM solution, please contact Microsoft Support for assistance.

There are two different ways to handle federated identities in multiple forests: you can install the Microsoft Directory Synchronization tool in each forest, or you can use Microsoft’s FIM solution (contact Microsoft for details). Note

Note Note

Note: If you had a single forest when you first configured ADFS but now wish to add one or more forests, then be sure to install additional Directory Synchronization tools as needed.

√

DS12 After DirSync runs:

Users in Office 365 are activated. Users in Office 365 are assigned licenses,

For details, see Creating Office 365 user accounts by synchronizing with Active Directory.

Active your Office 365 users before configuring Centrify Identity Service.

√

DS13 (Existing Office 365 customers only, managed accounts only)

Can your Office 365 users log in to the Office 365 portal successfully?

If your users cannot log in to the Office 365 portal, make sure that you fix that issue before moving on to installing and configuring Centrify for Office 365.

Although, after you’ve installed and configured Centrify for Office 365, that’s when it’s most important whether or not users can log in to the Centrify user portaland launch Office 365.

√

(12)

Note Note Note

Note

As a best practice, it’s good to align the UPN with the primary SMTP address to make

it easy for end users and also to minimize support calls.

When the SMTP name space doesn’t match the Office 365 name space suffix portion, it

will use onmicrosoft.com.

Windows servers and desktops must be specified versions or newer.

(13)

Centrify Identity Service checklist

Centrify Identity Service

Centrify Identity Service ch

ch

cheeeecklist

cklist

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes C1 Each domain in each forest must have a login suffix

created for it. The Office 365 domain needs to have the login suffix.

For more details, see the login suffix topic in the Cloud Manager help.

https://cloud.centrify.com/vfslow/lib/docs///adminref/ index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C2 For the domain where you’ve installed the cloud connector(s), make sure that the domain is either listed in Office 365 or you’ve created a login suffix for the domain.

So, if your cloud connector is on the domain redshirts.com, that domain isn’t listed in Office 365 as one of your domains, and you want users to log in using redshirts.com, create a login suffix called “redshirts.com”.

For more details about using login suffixes, see https:// cloud.centrify.com/vfslow/lib/docs///adminref/

index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C3 When switching to Centrify for Office 365, it’s a good practice to set aside about 6 hours. Email and Office 365 service may be down during this time while you configure.

When making changes to production deployments, be sure to do so during off-peak hoursduring off-peak hoursduring off-peak hours.during off-peak hours

C4 Is the cloud connector running ok?

• Can the cloud connector connect to the cloud service successfully?

C5 Can all users log in to the user portal?

Check a user account from each domain and forest to make sure that the user can log in to the user portal.

If you have specified one or more alternate UPN suffixes, make sure that users can log in using each UPN suffix.

If a user can’t log in, most of the time this is because of an issue with how the login suffixes are set up.

It’s best to test all user accounts - have each of your users try to log in.

For more details about using login suffixes, see https:// cloud.centrify.com/vfslow/lib/docs///adminref/

index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C6 After you’re set up with Centrify for Office 365 but before

beforebefore

(14)

Centrify for Office 365 checklist

Centrify for Office 365

Centrify for Office 365 che

che

checklist

che

cklist

Creating an applicati

Creating an application that opens SharePoint Online directly

on that opens SharePoint Online directly

If you want your users to have an application in their user portal that they can click to go

directly to SharePoint, you can add a generic bookmark application to provide that access

without requiring users to sign-in again.

Note Note Note

Note

The following procedure uses the Firefox web browser; you can use similar tools in

Chrome or other browsers.

To add a generic bookmark application for SharePoint Online:

1111

Install an HTTP header trace add-on in Firefox, such as Live HTTP Headers or SAML

tracer.

2222

Open the HTTP header trace Firefox add-on.

3333

Make sure that you’re not currently logged in to either Office 365 or your SharePoint

site.

You’ll need to capture some of the SAML token info that gets passed during login.

4444

Go to your custom SharePoint domain, which has the format of

mydomain.sharepoint.com

.

#### Checklist itemsChecklist itemsChecklist itemsChecklist items What there is to knowWhat there is to knowWhat there is to knowWhat there is to know CO1 If your users use Office online, Lync 2013/Skype for

Business, or SharePoint, be sure to trust the root cloud CA certificate.

You can use the root CA certificate that the cloud service provides for you with the cloud connector, or you can use your own.

For details, see "Trusting the root certificate for Lync 2013/ Skype for Business authentication" on page 29-78. CO2 Do you need to provide a direct link to SharePoint

from the user portal?

If needed, you can configure a generic browser application to point to your custom SharePoint URL and users won’t have to enter their login credentials again. You will need to trace some HTTP header data to get the correct URL. For details, see "Creating an application that opens SharePoint Online directly" on page 27-42.

C03 Are you using Lync 2013/Skype for Business or newer? If so, you need to set the Corporate IP Range in Cloud Manager.

C04 Disable any ADFS and DirSync installations that you no longer use.

Once you move from ADFS and use Centrify for Office 365 to handle identity authentication and domain federation, you don’t need to keep ADFS running. However, if you’re using ADFS for other purposes, it doesn’t impact the cloud service processes if you keep ADFS running.

(15)

Centrify for Office 365 checklist

You’ll be redirected to the user portal.

5555

Log in to the user portal.

Then you’ll be redirected back to your SharePoint domain.

6666

In the HTTP header trace Firefox add-on, look for the GET command that has an URL

that starts with “https://cloud.centrify.com/run?appkey=Office+365&customerid=”

If there are multiple URLs that look similar, pick one that has the cbcxt and also the wctx

in it.

For example:

https://cloud.centrify.com/ my?appkey=Office+365&customerid=AB123&cbcxt=&popupui=&vv=&username= adele.smith%40centrify.com&mkt=&lc=1033&wfresh=&wa=wsignin1.0&wtrealm=urn% 3afederation%3aMicrosoftOnline&wctx=wa%3dwsignin1%252E0%26rpsnv%3d3%26ct%3 d1393546930%26rver%3d6%252E1%252E6206%252E0%26wp%3dMBI%26wreply%3dhttps%25 3A%252F%252Fcentrify%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252 Easpx%26lc%3d1033%26id%3d500046%26%26bk%3d1393546930%26LoginOptions%3d3

7777

Copy the entire URL and paste it into a plain text editor.

8888

In the text editor, remove everything in the URL from the “

cbcxt=

” up to “

wfresh=&

” just

before “

wa=wsignin1.0

”.

Using the example above you'll end up with:

https://cloud.centrify.com/ run?appkey=Office+365&customerid=AB123&wa=wsignin1.0&wtrealm=urn:federatio n:MicrosoftOnline&wctx=wa%3Dwsignin1%252E0%26rpsnv%3D2%26ct%3D1391061064%2 6rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fc entrify%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3D 1033%26id%3D500046%26%26bk%3D1391061066%26LoginOptions%3D3

9999

In Cloud Manager, add a Generic Bookmark application with the above URL, and deploy

the application to all users.

Tip TipTip

Tip

Remember to give the application a custom name so that you know that it links to

SharePoint.

10

(16)

Centrify for Office 365 verification checklist

Centrify for Office 365

Centrify for Office 365 verificatio

verificatio

verification checklist

verificatio

n checklist

Centrify for Office 365

Centrify for Office 365 des

des

desktop checklist

des

ktop checklist

If you’re also deploying desktop and mobile access to Office 365, here are the things you

need to configure and verify.

Active Directory user passw

Active Directory user password changes and Outlook and Lync/Skype for

ord changes and Outlook and Lync/Skype for

Business

Sometimes, when a user changes her Active Directory password there can be connection

issues in either Microsoft Outlook or Lync/Skype for Business on Windows systems. This

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes V1 Users in each domain can log in to the Centrify user

portal successfully.

Administrators in each domain can also log in to Cloud Manager successfully.

If a particular use cannot log in, verify that the login suffixes are configured correctly.

Note: Note: Note:

Note: At each deployment step, you need to make sure that users can still log in successfully. So, even though you verified this before, it’s important to verify it again.

V2 After you’ve successfully federated your Office 365 account with the cloud service, verify that your users can do the following:

1111 All users can log in to the user portal.

2222 From the user portal, all users can launch the Office 365 application successfully.

3333 All users can also go directly to the Microsoft online portal, log in with SP-initiated authentication, and test the Office 365 web access.

4444 Users can access each tab in Office 365.

Note Note Note

Note: To view your federation settings from the Office 365 Application Settings tab, select your federated domain and click ActionsActionsActions > Federation SettingsActions Federation SettingsFederation SettingsFederation Settings.

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes

VDT1 Outlook works (Windows desktop) If you have a hybrid Office 365 deployment, point the on-premise users to the on-on-premise Exchange server.

VDT2 Lync/Skype for Business works (Windows desktop) If you’re deploying Lync 2013/Skype for Business, be sure to trust the root CA certificate on the cloud connector computer and set a corporate IP range. For details, see Configuring desktop and mobile clients for Office 365.

VDT3 Office online works, including SharePoint VDT4 CRM online and CRM Outlook plugin (Windows

desktop)

(17)

Centrify for Office 365 mobile checklist

can happen if the user had the desktop applications save the login credentials; the stale

credentials stay stored with the previous password.

To update the remove and update the password that Outlook or Lync/Skype for Business uses:

1111

In Windows, go Windows > Control Panel, and click Credential Manager.

2222

If you see any credentials for Outlook or Lync/Skype for Business, open the credential

to expand its information, and click Remove from Vault.

3333

Restart the computer.

Upon restart, the user logs in to the computer with her current and correct password.

Microsoft desktop applications renew their use of the user’s credentials to the correct and

current password.

Centrify for Office 365

Centrify for Office 365 mo

mo

mobile checklist

mo

bile checklist

If you’re also deploying desktop and mobile access to Office 365, here are the things you

need to configure and verify.

#### Checklist itemsChecklist itemsChecklist itemsChecklist items NotesNotesNotesNotes VML1 Set up policies to administer and manage mobile

devices.

Note: If you have Office 365 users in both Active Directory and the cloud user service, you must use cloud policies for mobile device management.

(18)

Centrify for Office 365 mobile checklist

VML2 Have your users enroll their mobile devices into the cloud service.

VML3 Android and iOS,clients work in the following scenarios:

•••• Mobile browser with OWAMobile browser with OWAMobile browser with OWAMobile browser with OWA

User logs in to the user portal in a mobile browser and launches the web-based version of Office 365 (OWA) in the mobile browser.

•••• CentrifyCentrifyCentrifyCentrify mobile application with OWA mobile application with OWA mobile application with OWA mobile application with OWA User logs in to the native, mobile Centrify application and then launches the web-based version of Office 365 in the mobile browser. •••• CentrifyCentrifyCentrifyCentrify mobile application with Office 365 mobile application with Office 365 mobile application with Office 365 mobile application with Office 365

mobile applications mobile applications mobile applications mobile applications

User logs in to the native, mobile Centrify application and then launches a native, mobile Office 365 application.

When your Office 365 account is federated, the user gets a login screen when launching the native, mobile Office3 365 application. There are different applications for different devices. •••• Mobile mail:Mobile mail:Mobile mail:Mobile mail:

User adds their work account to their mobile device for email or email and calendar and contacts. Users can set up POP3, IMAP, or Exchange ActiveSync connections. You can administer Exchange Active Sync connections by way of policies and Cloud Manager settings.