Chapter 128

Office 365 deployment checklists

This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of issues. The checklists are in the following functional sections:

• "Deployment workflow overview"
• "Active Directory checklist"
• "Office 365 checklist"
• "Directory Synchronization checklist"
• "Samsung SDS EMM User Suite checklist"
• "Samsung SDS EMM for Office 365 checklist"


Deployment workflow overview

We recommend that at each deployment stage, you get your deployment working and test and verify that data is handled correctly before you move on to the next deployment stage. For example, even if you’re using provisioning, it’s a good practice to first configure your Office 365 application for SSO and configure the account mapping to verify that SSO works.

Depending on how many users you have, you may also find that it’s useful to migrate your users in batches rather than all at once.

Deployment workflow for the deprecated Office 365 application


Active Directory checklist

# | Checklist items | Notes

AD1
Checklist item: Map or list of your Active Directory topology. Be sure to include the following:
• Multiple domains
• Multiple forests
• Child domains
• Untrusted domains
Notes: Later, when you configure Samsung SDS EMM User Suite, you’ll need this list to verify that each domain in each forest has a login suffix.

AD2
Checklist item: Have you specified an alternative UPN suffix for users?
Notes: If you have an alternate UPN specified and you plan on using automatic user provisioning, you’ll need to edit the provisioning script slightly to accommodate your alternate UPN suffix. For instructions, see Configuring Office 365 to synchronize users from a different domain.

Note: If you’re using an older version of the Office 365 application (without provisioning), you’ll need to continue using the login suffixes that you created.

If you’ve added alternative UPN suffixes in Active Directory, you must also create a login suffix in Admin Portal for each of the alternative UPN suffixes.

Example: Consider the following configuration:
• Domain name = acme.com
• Alternative UPN suffix = wileycoyote.com
The login suffix would be as follows:
• login suffix = wileycoyote.com
With the login suffix, a user can log in either with [email protected] or [email protected].

Additional information: For more details about using login suffixes, see https://emm2.samsungknox.com/vfslow/lib/docs///samsung/adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases


AD3
Checklist item: Have you set up a test domain in Active Directory?
Notes: It’s a best practice to set up a test domain and use it to go through the Office 365 configuration process before you configure or alter your production deployment.

When setting up a test domain, keep in mind the following:
• You must add and verify a publicly addressable domain in Office 365.
• If you use a local domain (one that doesn’t have a publicly valid suffix), you must add an alternate domain and an alternate UPN suffix in Active Directory that matches the publicly addressable domain (suffix) in Office 365.

AD4
Checklist item: Do you have untrusted domains?
Notes: If you have untrusted domains, on-premise Exchange servers, and are going to use automatic user provisioning, you’ll need to select the domain that the on-premise Exchange server belongs to when you configure provisioning.

When you install a cloud connector in an untrusted domain, the cloud service creates a login suffix for that domain for you automatically.


Office 365 checklist

If you’re already using ADFS with Office 365, you can ignore many of these setup tasks because you’ve already completed them as part of your ADFS setup. The tasks that you can probably ignore are designated with a check mark in the "ADFS can ignore" column.

Note: If you are migrating from an on-premise Office or Exchange deployment to a new Office 365 deployment, Samsung has partnered with some consulting groups that can offer planning, implementation, and migration services for Office 365. For details, please contact Samsung Sales.

# | Checklist items | Notes | ADFS can ignore

Off1
Checklist item: Your Office 365 account allows federation.
Notes: Plans A, E, G, M allow federation. For details, see "Supported Office 365 account types" on page 129-1036.

Off2
Checklist item: Is your Office 365 Managed or Federated currently?
Notes: If you’re using Office 365 in managed mode, that means that it authenticates users with their user name and passwords.

If you’re using Office 365 in federated mode, that means that you have ADFS installed, configured, and running successfully. With ADFS, many of the setup tasks listed herein are already completed.

Off3
Checklist item: Your domains are validated and registered in Office 365.
Notes: If you haven’t done this yet, it can take up to 72 hours to complete. For details, see "Creating and verifying a domain in Office 365" on page 129-1037.

Off4
Checklist item: You have configured the DNS settings correctly for Office 365 domain ownership validation and registration.
Notes: For details, see "Creating and verifying a domain in Office 365" on page 129-1037 and http://onlinehelp.microsoft.com/en-us/office365-enterprises/jj554758.aspx

Off5
Checklist item: You have set the default domain correctly.
Notes: The default domain must be the one that uses the onmicrosoft.com domain. For details, see "Setting the default domain" on page 129-1039.

Off6
Checklist item: Your Office 365 account can handle the number of Active Directory objects that you have.
Notes: If you have more than 50,000 Active Directory objects, please contact Microsoft support for a quota increase. For more information about preparing Active Directory, go here: http://technet.microsoft.com/en-us/library/hh852478.aspx

Off7
Checklist item: The Office 365 administrator account is one that is <domain>.onmicrosoft.com, and the account is not in Active Directory.
Notes: You need this administrator account to be outside of Active Directory in case you need to revert your Office 365 account back to user password authentication or if you need to make any configuration changes, such as changing your certificate or Issuer name.


Off8
Checklist item: You can successfully log in to the Office 365 administrator portal with your Office 365 administrator credentials.
Notes: If you can’t log in to the Office 365 administrator portal, contact Microsoft support.

Off9
Checklist item: The Office 365 user account email domain matches the Active Directory user’s UserPrincipalName (UPN) attribute.
Notes: In order for Directory Synchronization to work, the UPN in Active Directory must match the user’s email domain in Office 365.

Off10
Checklist item: If at all possible, use and register a test domain.
Notes: Make sure that you set up and register the domain in Office 365.

Off11
Checklist item: List the related Microsoft components that you plan to use with Office 365:
• Email (web access)
• Outlook (thick client)
• SharePoint online
• Lync/Skype for Business
• Office Online
• CRM
• CRM Outlook plugin
• Yammer (coming soon)
Notes: Depending on which components you plan to use, there may be some additional configurations to perform. After all the setup tasks are complete, you’ll need to test the thick clients.

Off12
Checklist item: If you plan on using Office 365 for email, will you be using a hybrid deployment?
Notes: A hybrid deployment is one where you use one or more on-premise Exchange servers in addition to the cloud-based Office 365.

If you have a hybrid deployment, sometimes there are questions about pointing the MX record to the on-premise Exchange server (in the domain DNS settings in Office 365). You can leave the MX record pointing to the on-premise server instead of changing it to point to Office 365.

Off13
Checklist item: Are users only in Office 365, or are they synchronized from Active Directory?
Notes: If your users are only in Office 365, be sure that DirSync does two-way synchronization to migrate the user info into Active Directory. By default, DirSync synchronizes from Active Directory to Office 365, but it can do two-way synchronization.

For details, see "Creating Office 365 user accounts by synchronizing with Active Directory" on page 129-1052.


Off14
Checklist item: If you’re using ADFS, did you purchase Office 365 from a third party? If so, is that third party ok with you migrating to use Samsung SDS EMM User Suite as your IdP?
Notes: If you purchased Office 365 from a third party, understand that you configure your Office 365 application to use one identity provider. You cannot use some pieces of Office 365 in one provider and other pieces with Samsung SDS EMM User Suite.

Off15
Checklist item: In the Office 365 administrator portal, Active Directory synchronization is enabled.
Notes: Whether you’re using automatic provisioning or DirSync, you need to enable synchronization in the Office 365 administrator portal.

For details, see Creating Office 365 user accounts by synchronizing with Active Directory and Enabling directory synchronization for cloud users.


Directory Synchronization checklist

This section covers tasks related to setting up DirSync for use with Office 365. The current Samsung SDS EMM for Office 365 with provisioning support does not require you to use DirSync. However, this section applies to you if your deployment scenario involves any of the following features:

• You’re currently using DirSync, either with or without ADFS, and you haven’t yet migrated to using Samsung SDS EMM for Office 365.
• You’re currently using DirSync with an earlier version of Samsung SDS EMM for Office 365. You’ll need to make sure that you upgrade to the latest version of DirSync before moving on to the next deployment section.

Note: You can continue using the v1 version of Samsung SDS EMM for Office 365 that uses DirSync; however, that version will be deprecated in the future.

If you’re already using ADFS with Office 365, you can ignore many of these setup tasks because you’ve already completed them as part of your ADFS setup. The tasks that you can probably ignore are designated with a check mark in the "ADFS can ignore" column.

If you’re not using DirSync currently, you can move on to the next deployment section.

# | Checklist items | Notes | ADFS can ignore

DS1
Checklist item: Windows Azure Active Directory sign-in assistant downloaded and installed.
Notes: For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 129-1035.

DS2
Checklist item: Windows Azure Active Directory module for PowerShell hot fix downloaded and installed.
Notes: For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 129-1035.

DS3
Checklist item: Microsoft Active Directory Synchronization tool downloaded.
Notes: For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 129-1035.

DS4
Checklist item: If you already had DirSync installed, is DirSync used only to synchronize the passwords?
Notes: Verify that DirSync is configured to synchronize all desired attributes.

Some deployments have installed DirSync already but configured it so that it synchronizes the passwords only. If this is your situation, you don’t have to re-install DirSync but you do need to configure it differently so that it synchronizes most attributes.

Whether or not DirSync synchronizes passwords doesn’t affect federation.

For details about password synchronization, see


DS6
Checklist item: Your Active Directory system meets or exceeds the DirSync and Office 365 requirements.
Notes: Use the Microsoft Deployment Readiness toolkit to make sure that your Active Directory system meets or exceeds the requirements. The tool will indicate what fixes you need to make, if any.

For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 129-1035. See "Notes on the Microsoft Readiness toolkit" on page 128-1021.

DS7
Checklist item: Prior to installing DirSync, ensure that the UPN of Active Directory user accounts matches the domain in Office 365 portal.
Notes: For details, see "Preparing to install the Microsoft Directory Synchronization tool" on page 129-1035.

DS8
Checklist item: If you have more than 10,000 objects in Active Directory, filter what gets synchronized and run DirSync several times.
Notes: For details on filtering DirSync, see http://msexchangeguru.com/2012/08/10/office-365-2/

DS9
Checklist item: Do you want to enable two-way Directory Synchronization between Active Directory and Office 365?
Notes: In most cases, you’ll use the Directory Synchronization tool to synchronize attributes from Active Directory to Office 365. However, there may be some cases where you want to have two-way synchronization.

For example, if you have a hybrid setup (on-premise Exchange servers in addition to Office 365), you’ll want to use two-way synchronization.

For more details, see http://technet.microsoft.com/en-us/library/hh852469.aspx.

DS10
Checklist item: DirSync is installed and running successfully.
Notes: You must be an Enterprise Administrator or equivalent in order to install DirSync.

Verify that DirSync is running successfully by looking at the following:
• Users are being correctly synced into Active Directory.
• Are changes to users in Office 365 supposed to sync back to Active Directory user accounts?
• Are changes to users in Active Directory supposed to sync up to Office 365 user accounts?
• In Office 365, are the user account attributes correct?

In the majority of cases, DirSync synchronizes user data from Active Directory to Office 365. However, you can configure DirSync to do two-way sync at any time.

Note: Previous versions of DirSync (prior to version 6567.0018) could not be installed on the domain controller. Current versions allow you to install DirSync on the domain controller. If you do so, you must log off after installing DirSync and then log back on before you run DirSync.


DS11
Checklist item: Do you have multiple forests in your Active Directory architecture? If so, are you using Microsoft’s Federated Identity Management (FIM)?
Notes: The Samsung cloud service handles multiple forests by having you install DirSync in each forest. If you are using Microsoft’s FIM solution, please contact Microsoft Support for assistance.

There are two different ways to handle federated identities in multiple forests: you can install the Microsoft Directory Synchronization tool in each forest, or you can use Microsoft’s FIM solution (contact Microsoft for details).

Note: If you had a single forest when you first configured ADFS but now wish to add one or more forests, then be sure to install additional Directory Synchronization tools as needed.

DS12
Checklist item: After DirSync runs:
• Users in Office 365 are activated.
• Users in Office 365 are assigned licenses.
Notes: For details, see Creating Office 365 user accounts by synchronizing with Active Directory.

Activate your Office 365 users before configuring Samsung SDS EMM User Suite.

DS13
Checklist item: (Existing Office 365 customers only, managed accounts only) Can your Office 365 users log in to the Office 365 portal successfully?
Notes: If your users cannot log in to the Office 365 portal, make sure that you fix that issue before moving on to installing and configuring Samsung SDS EMM for Office 365.

However, it matters most after you’ve installed and configured Samsung SDS EMM for Office 365, when users need to log in to the Samsung SDS EMM user portal and launch Office 365.

Notes on the Microsoft Readiness toolkit

This list gives you an idea of some things to be aware of about the Microsoft Readiness toolkit or some of the main things that the toolkit looks for.

For more information about how your Active Directory needs to be set up, see http://technet.microsoft.com/en-us/library/hh852478.aspx.

• Run the Readiness toolkit from within your domain, preferably with Domain Administrator permission or the equivalent.
• Office 365 can only go up to 50,000 objects in the tenant. If you have more objects than




• The toolkit looks for the display name value; the display name must be present and not blank on security groups, otherwise the groups do not synchronize.

Note: As a best practice, it’s good to align the UPN with the primary SMTP address to make it easy for end users and also to minimize support calls.

• When the SMTP name space doesn’t match the Office 365 name space suffix portion, it will use onmicrosoft.com.
• Windows servers and desktops must be specified versions or newer.


Samsung SDS EMM User Suite checklist

# | Checklist items | Notes

C1
Checklist item: Each domain in each forest must have a login suffix created for it. The Office 365 domain needs to have the login suffix.
Notes: For more details, see the login suffix topic in the Admin Portal help. https://emm2.samsungknox.com/vfslow/lib/docs///samsung/adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C2
Checklist item: For the domain where you’ve installed the cloud connector(s), make sure that the domain is either listed in Office 365 or you’ve created a login suffix for the domain.
Notes: So, if your cloud connector is on the domain redshirts.com, that domain isn’t listed in Office 365 as one of your domains, and you want users to log in using redshirts.com, create a login suffix called “redshirts.com”.

For more details about using login suffixes, see https://emm2.samsungknox.com/vfslow/lib/docs///samsung/adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases

C3
Checklist item: When switching to Samsung SDS EMM for Office 365, it’s a good practice to set aside about 6 hours. Email and Office 365 service may be down during this time while you configure.
Notes: When making changes to production deployments, be sure to do so during off-peak hours.

C4
Checklist item: Is the cloud connector running ok?
• Can the cloud connector connect to the cloud service successfully?

C5
Checklist item: Can all users log in to the user portal?
Notes: Check a user account from each domain and forest to make sure that the user can log in to the user portal.

If you have specified one or more alternate UPN suffixes, make sure that users can log in using each UPN suffix.

If a user can’t log in, most of the time this is because of an issue with how the login suffixes are set up.

It’s best to test all user accounts - have each of your users try to log in.

For more details about using login suffixes, see https://emm2.samsungknox.com/vfslow/lib/docs///samsung/adminref/index.html#context/cloudhelp/cloud-admin-mod-del-login-aliases
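
The suffix checks in AD1, AD2, Off9, DS7 and C1 can be run as one pre-flight pass over exported directory data before any user tries to log in. The Python code below is an added example, not part of the original guide or of any Samsung or Microsoft tool. The CSV column names, the corp.local domain, the acme.onmicrosoft.com tenant name and the function names are assumptions; acme.com and wileycoyote.com are reused from the AD2 example.

```python
import csv
import io

# Constructed sample data: an export of AD users (account name, UPN, primary
# SMTP address) plus the domain lists gathered for checklist items AD1/AD2.
SAMPLE_USERS_CSV = """\
sAMAccountName,userPrincipalName,mail
rrunner,rrunner@acme.com,rrunner@acme.com
wcoyote,wcoyote@wileycoyote.com,wcoyote@acme.com
tester,tester@corp.local,tester@acme.com
nosuffix,nosuffix,
"""
SAMPLE_AD_DOMAINS = ["acme.com", "corp.local"]      # every domain in every forest
SAMPLE_ALT_UPN_SUFFIXES = ["wileycoyote.com"]       # alternative UPN suffixes
SAMPLE_O365_DOMAINS = ["acme.com", "wileycoyote.com", "acme.onmicrosoft.com"]
SAMPLE_LOGIN_SUFFIXES = ["acme.com", "wileycoyote.com"]


def suffix(address):
    """Lower-cased part after the last '@', or '' when there is no '@'."""
    _, at, domain = address.strip().rpartition("@")
    return domain.lower() if at else ""


def check_suffixes(users_csv, ad_domains, alt_upn_suffixes,
                   o365_domains, login_suffixes):
    """Return the gaps the checklists ask you to close, grouped by kind."""
    def norm(items):
        return {item.strip().lower() for item in items}

    o365 = norm(o365_domains)
    findings = {
        # AD1, AD2, C1: every domain and alternative UPN suffix needs a login suffix.
        "missing_login_suffix": sorted(
            (norm(ad_domains) | norm(alt_upn_suffixes)) - norm(login_suffixes)),
        # Off9, DS7: the UPN suffix must be a domain registered in Office 365.
        "upn_not_in_office365": [],
        # Readiness toolkit note: align the UPN with the primary SMTP address.
        "upn_smtp_mismatch": [],
        # A UPN without '@' cannot be matched to any suffix at all.
        "upn_malformed": [],
    }
    for row in csv.DictReader(io.StringIO(users_csv)):
        name = row["sAMAccountName"]
        upn_domain = suffix(row["userPrincipalName"])
        if not upn_domain:
            findings["upn_malformed"].append(name)
            continue
        if upn_domain not in o365:
            findings["upn_not_in_office365"].append(name)
        mail_domain = suffix(row.get("mail") or "")
        if mail_domain and mail_domain != upn_domain:
            findings["upn_smtp_mismatch"].append(name)
    return findings


if __name__ == "__main__":
    report = check_suffixes(SAMPLE_USERS_CSV, SAMPLE_AD_DOMAINS,
                            SAMPLE_ALT_UPN_SUFFIXES, SAMPLE_O365_DOMAINS,
                            SAMPLE_LOGIN_SUFFIXES)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

An empty list in every category means the suffix-related items pass for the exported accounts; logging in with a test account from each domain and forest is still required by C5.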


Samsung SDS EMM for Office 365 checklist

# | Checklist items | What there is to know

CO1
Checklist item: If your users use Office online, Lync 2013/Skype for Business, or SharePoint, be sure to trust the root cloud CA certificate.
What there is to know: You can use the root CA certificate that the cloud service provides for you with the cloud connector, or you can use your own.

For details, see "Trusting the root certificate for Lync 2013/Skype for Business authentication" on page 130-1062.

CO2
Checklist item: Do you need to provide a direct link to SharePoint from the user portal?
What there is to know: If needed, you can configure a generic browser application to point to your custom SharePoint URL and users won’t have to enter their login credentials again. You will need to trace some HTTP header data to get the correct URL. For details, see "Creating an application that opens SharePoint Online directly" on page 128-1024.

CO3
Checklist item: Are you using Lync 2013/Skype for Business or newer? If so, you need to set the Corporate IP Range in Admin Portal.

CO4
Checklist item: Disable any ADFS and DirSync installations that you no longer use.
What there is to know: Once you move from ADFS and use Samsung SDS EMM for Office 365 to handle identity authentication and domain federation, you don’t need to keep ADFS running. However, if you’re using ADFS for other purposes, it doesn’t impact the cloud service processes if you keep ADFS running.

Creating an application that opens SharePoint Online directly

If you want your users to have an application in their user portal that they can click to go directly to SharePoint, you can add a generic bookmark application to provide that access without requiring users to sign in again.

Note: The following procedure uses the Firefox web browser; you can use similar tools in Chrome or other browsers.

To add a generic bookmark application for SharePoint Online:

1. Install an HTTP header trace add-on in Firefox, such as Live HTTP Headers or SAML tracer.

2. Open the HTTP header trace Firefox add-on.

3. Make sure that you’re not currently logged in to either Office 365 or your SharePoint site.

You’ll need to capture some of the SAML token info that gets passed during login.

4. Go to your custom SharePoint domain, which has the format of mydomain.sharepoint.com.

You’ll be redirected to the user portal.

5. Log in to the user portal.

Then you’ll be redirected back to your SharePoint domain.

6. In the HTTP header trace Firefox add-on, look for the GET command that has a URL that starts with “https://cloud.samsungemm.com/run?appkey=Office+365&customerid=”

If there are multiple URLs that look similar, pick one that has the cbcxt and also the wctx in it.

For example:

https://cloud.samsungemm.com/my?appkey=Office+365&customerid=AB123&cbcxt=&popupui=&vv=&username=adele.smith%40samsungemm.com&mkt=&lc=1033&wfresh=&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=wa%3dwsignin1%252E0%26rpsnv%3d3%26ct%3d1393546930%26rver%3d6%252E1%252E6206%252E0%26wp%3dMBI%26wreply%3dhttps%253A%252F%252Fsamsungemm%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3d1033%26id%3d500046%26%26bk%3d1393546930%26LoginOptions%3d3

7. Copy the entire URL and paste it into a plain text editor.

8. In the text editor, remove everything in the URL from the “cbcxt=” up to “wfresh=&” just before “wa=wsignin1.0”.

Using the example above you'll end up with:

https://cloud.samsungemm.com/run?appkey=Office+365&customerid=AB123&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1%252E0%26rpsnv%3D2%26ct%3D1391061064%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fsamsungemm%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3D1033%26id%3D500046%26%26bk%3D1391061066%26LoginOptions%3D3

9. In Admin Portal, add a Generic Bookmark application with the above URL, and deploy the application to all users.
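
Steps 6 to 8 can be scripted so that the trimmed URL is produced the same way every time and is checked before it is deployed to all users. This Python code is an added example, not part of the original guide. The function names are assumptions, and the sample capture is a shortened, constructed variant of the example URL above that uses the /run path named in step 6.

```python
from urllib.parse import urlsplit

# Constructed sample: shortened variant of the guide's example capture.
SAMPLE_CAPTURE = (
    "https://cloud.samsungemm.com/run?appkey=Office+365&customerid=AB123"
    "&cbcxt=&popupui=&vv=&username=adele.smith%40samsungemm.com&mkt=&lc=1033"
    "&wfresh=&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline"
    "&wctx=wa%3dwsignin1%252E0%26wreply%3dhttps%253A%252F%252Fsamsungemm"
    "%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3d1033"
)

EXPECTED_HOST = "cloud.samsungemm.com"  # host shown in step 6


def param_names(url):
    """Names of the top-level query parameters, in order, without decoding."""
    query = urlsplit(url).query
    return [p.partition("=")[0] for p in query.split("&") if p]


def pick_candidate(urls):
    """Step 6: choose the traced GET URL that carries both cbcxt and wctx."""
    for url in urls:
        names = param_names(url)
        if "cbcxt" in names and "wctx" in names:
            return url
    raise ValueError("no traced URL contains both cbcxt and wctx")


def trim_bookmark_url(captured):
    """Step 8: drop 'cbcxt=' up to 'wfresh=&', keep the rest as captured."""
    url = "".join(captured.split())  # undo line wraps from copy and paste
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != EXPECTED_HOST:
        raise ValueError("unexpected scheme or host in captured URL")
    base, _, query = url.partition("?")
    params = query.split("&")
    names = [p.partition("=")[0] for p in params]
    try:
        start = names.index("cbcxt")
        keep = params.index("wa=wsignin1.0")
    except ValueError:
        raise ValueError("cbcxt= or wa=wsignin1.0 not found") from None
    if keep <= start or names[keep - 1] != "wfresh":
        raise ValueError("expected wfresh= directly before wa=wsignin1.0")
    # Slice the raw parameter strings instead of decoding and re-encoding,
    # so the nested, double-encoded wctx value stays exactly as captured.
    kept = params[:start] + params[keep:]
    # The bookmark goes to every user, so it must not pin one user's name.
    if any(p.partition("=")[0] == "username" for p in kept):
        raise ValueError("username parameter survived trimming")
    return base + "?" + "&".join(kept)


if __name__ == "__main__":
    print(trim_bookmark_url(pick_candidate([SAMPLE_CAPTURE])))
```

The function refuses a capture in which the parameter order differs from the one the procedure describes, which is the case where hand editing is most likely to leave a user-specific value in the shared bookmark.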


Samsung SDS EMM for Office 365 verification checklist

# | Checklist items | Notes

V1
Checklist item: Users in each domain can log in to the Samsung SDS EMM user portal successfully. Administrators in each domain can also log in to Admin Portal successfully.
Notes: If a particular user cannot log in, verify that the login suffixes are configured correctly.

Note: At each deployment step, you need to make sure that users can still log in successfully. So, even though you verified this before, it’s important to verify it again.

V2
Checklist item: After you’ve successfully federated your Office 365 account with the cloud service, verify that your users can do the following:
1 All users can log in to the user portal.
2 From the user portal, all users can launch the Office 365 application successfully.
3 All users can also go directly to the Microsoft online portal, log in with SP-initiated authentication, and test the Office 365 web access.
4 Users can access each tab in Office 365.
Notes: Note: To view your federation settings from the Office 365 Application Settings tab, select your federated domain and click Actions > Federation Settings.

Samsung SDS EMM for Office 365 desktop checklist

If you’re also deploying desktop and mobile access to Office 365, here are the things you need to configure and verify.

# | Checklist items | Notes

VDT1
Checklist item: Outlook works (Windows desktop)
Notes: If you have a hybrid Office 365 deployment, point the on-premise users to the on-premise Exchange server.

VDT2
Checklist item: Lync/Skype for Business works (Windows desktop)
Notes: If you’re deploying Lync 2013/Skype for Business, be sure to trust the root CA certificate on the cloud connector computer and set a corporate IP range. For details, see Configuring desktop and mobile clients for Office 365.

VDT3
Checklist item: Office online works, including SharePoint

VDT4
Checklist item: CRM online and CRM Outlook plugin (Windows desktop)


Active Directory user password changes and Outlook and Lync/Skype for Business

Sometimes, when a user changes her Active Directory password there can be connection issues in either Microsoft Outlook or Lync/Skype for Business on Windows systems. This can happen if the user had the desktop applications save the login credentials; the stale credentials stay stored with the previous password.

To remove and update the password that Outlook or Lync/Skype for Business uses:

1. In Windows, go to Windows > Control Panel, and click Credential Manager.

2. If you see any credentials for Outlook or Lync/Skype for Business, open the credential to expand its information, and click Remove from Vault.

3. Restart the computer.

Upon restart, the user logs in to the computer with her current and correct password. Microsoft desktop applications renew their use of the user’s credentials to the correct and current password.

Samsung SDS EMM for Office 365 mobile checklist

If you’re also deploying desktop and mobile access to Office 365, here are the things you need to configure and verify.

# | Checklist items | Notes

VML1
Checklist item: Set up policies to administer and manage mobile devices.
Notes: Note: If you have Office 365 users in both Active Directory and the cloud user service, you must use cloud policies for mobile device management.


VML2
Checklist item: Have your users enroll their mobile devices into the cloud service.

VML3
Checklist item: Android and iOS clients work in the following scenarios:

• Mobile browser with OWA
User logs in to the user portal in a mobile browser and launches the web-based version of Office 365 (OWA) in the mobile browser.

• Samsung mobile application with OWA
User logs in to the native, mobile Samsung application and then launches the web-based version of Office 365 in the mobile browser.

• Samsung mobile application with Office 365 mobile applications
User logs in to the native, mobile Samsung application and then launches a native, mobile Office 365 application.

When your Office 365 account is federated, the user gets a login screen when launching the native, mobile Office 365 application. There are different applications for different devices.

• Mobile mail
User adds their work account to their mobile device for email or email and calendar and contacts. Users can set up POP3, IMAP, or Exchange ActiveSync connections. You can administer Exchange ActiveSync connections by way of policies and Admin Portal settings.
