
KB-6028: Getting Started with Office 365 and the Centrify Identity Service - Configuration Overview

App Access Service, App Gateway Service

27 February,17 at 04:37 PM

This document provides checklists to help you install and configure your Office 365 deployment correctly and with a minimum of issues. Centrify customers using Office 365 in cloud-only or federated identity models should review our complete online documentation before any federation migration, as this guide may not cover all deployment scenarios.
Perform the following sections in the order listed to help ensure a smooth and successful deployment. It is important to verify that each section has been completed before attempting to federate any Office 365 tenant and provision user accounts. Each process step includes online help links to guide administrators through the deployment process.

Note: Failure to perform and validate each of the below configuration tasks and object attribute cleanup steps may cause a significant negative effect on the deployment process.


          Section One:    Prepare the Office 365 tenant
          Section Two:    Prepare Active Directory for SSO
          Section Three:  Prepare the Centrify tenant
          Section Four:   Configure Centrify for Office 365 - Federation with Active Directory
          Section Five:   Configure Centrify for Office 365 - User provisioning
          Section Six:    Verify Setup and user communication
          Section Seven:  Troubleshooting

With Centrify Identity Service, administrators can deploy Office 365 so that installation of ADFS is not required. The Centrify service handles the authentication and communication with your Active Directory system automatically. You can provide single sign-on (SSO) to users in Active Directory, LDAP, the Centrify Directory, or any combination of those sources.

After configuring Office 365 with Centrify, users can access Office 365 from the user portal either from a web browser or a mobile device. Users can also use Outlook and Lync/Skype for Business using their Office 365 credentials. Let’s get started!

Section One: Prepare the Office 365 tenant

The Office 365 work or school account that you use for these procedures needs to be a member of the Office 365 Global admin role. This is a requirement for Office 365 federation and may not be necessary for all other Office 365 services. For more information about permissions in Office 365, see Permissions in Office 365.

Administrators must complete the Office 365 setup process to ensure the registered domain(s) display a status of "Setup Complete" in the Office 365 admin portal. Centrify recommends that, if at all possible, you register and use a test Office 365 domain for any POC or evaluation work before federating a production domain. It is also recommended that you create Office 365 administrator accounts using a unique name and domain suffix that does not match any Active Directory user accounts if the domain is to be federated. You need this administrator account to be outside of Active Directory in case you need to revert your Office 365 account back to user password authentication or if you need to make any configuration changes, such as changing your certificate or Issuer name. If your organization already uses ADFS with Office 365, many of the steps below, such as enabling directory synchronization, may already have been completed.

Note: Use of Office 365 administrator accounts that match on-premise Active Directory users is not supported using Centrify.

A setup video is available on the Centrify Community summarizing the below steps.

Section One Tasks: Prepare the Office 365 Tenant
Environment: Office 365 - Tenant Setup

  • Create an Office 365 administrator account that does not match any Active Directory-based account name.
    (example: admin@<company>
  • Ensure the Office 365 account license tier supports federation and directory synchronization.
  • Ensure all Office 365 domain(s) are verified and display a status of "Setup Complete" in the Office 365 admin portal.
  • Set the default domain in the Office 365 admin portal to be <company>
  • Enable directory synchronization for provisioning.
  • Ensure Skype for Business is enabled.

Section Two: Prepare Active Directory for SSO


It’s a good time to start planning your Office 365 communication to end users and ensure that Active Directory is prepared for Single Sign-On before attempting to deploy or federate any Office 365 domain.

Be sure to prepare user and group objects and validate that the attributes displayName, mail, proxyAddresses, sAMAccountName and userPrincipalName (UPN) are unique across all domains you plan to use with Office 365.

NOTE: Office 365 requires use of the UPN for user login.

Administrators should also ensure that all updates and service packs are applied to desktop applications such as Microsoft Office before Office 365 deployment. For Microsoft applications downloaded directly from the Office 365 tenant, these updates are downloaded automatically from Microsoft. DNS Autodiscover records will also need to be created for desktop applications such as Outlook to connect with Office 365.
A setup video is available on the Centrify Community summarizing the below steps.

Section Two Tasks: Prepare Active Directory for SSO
Environment: Active Directory - SSO Setup

  • Match the on-premises UPN attribute domain suffix with the Office domain to be federated.
  • Match the on-premises UPN attribute with the proxyAddresses attribute for best user experience.
  • Verify user and group object attributes for displayName, mail, proxyAddresses, sAMAccountName and userPrincipalName are unique across all domains in use with Office 365.
  • Review best practices for synchronizing (migrating) users and mailboxes if planning to move mailboxes from Microsoft Exchange or other sources.
  • Create Active Directory DNS CNAME and SRV records for client Autodiscover if using desktop applications such as Microsoft Office.
  • Configure web browsers for silent authentication using IWA.
  • Ensure all Office desktop applications have the latest Windows updates and service packs.
  • Plan your end-user communications around production changes and how to get help.
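
The attribute checks in this section can be run against an export of directory objects before federation. The following is an added example, not Centrify or Microsoft code: the record layout, the sample users and the function names are constructed for illustration, and it assumes the usual proxyAddresses convention in which the upper-case "SMTP:" prefix marks the primary address.

```python
from collections import defaultdict

# Constructed sample export (not real data): one dict per AD user object.
USERS = [
    {"sAMAccountName": "asmith", "displayName": "Alice Smith",
     "userPrincipalName": "asmith@example.com", "mail": "asmith@example.com",
     "proxyAddresses": ["SMTP:asmith@example.com", "smtp:alice@example.com"]},
    {"sAMAccountName": "bjones", "displayName": "Bob Jones",
     "userPrincipalName": "bjones@corp.local", "mail": "bjones@example.com",
     "proxyAddresses": ["SMTP:bjones@example.com"]},
    {"sAMAccountName": "cdoe", "displayName": "Carol Doe",
     "userPrincipalName": "cdoe@example.com", "mail": "carol.doe@example.com",
     "proxyAddresses": ["SMTP:carol.doe@example.com", "smtp:alice@example.com"]},
]

def primary_smtp(proxies):
    """Return the primary SMTP address (upper-case 'SMTP:' prefix), lower-cased."""
    for p in proxies:
        if p.startswith("SMTP:"):
            return p[5:].lower()
    return None

def check_users(users, federated_domains):
    """Return a sorted list of (sAMAccountName, finding) tuples."""
    findings = []
    seen = defaultdict(set)  # (attribute, value) -> accounts holding that value
    domains = {d.lower() for d in federated_domains}
    for u in users:
        sam = u["sAMAccountName"]
        upn = u["userPrincipalName"].lower()
        if upn.rpartition("@")[2] not in domains:
            findings.append((sam, "UPN suffix is not a federated domain"))
        if primary_smtp(u["proxyAddresses"]) != upn:
            findings.append((sam, "UPN differs from primary SMTP address"))
        for attr in ("displayName", "mail", "sAMAccountName", "userPrincipalName"):
            seen[(attr, u[attr].lower())].add(sam)
        for p in u["proxyAddresses"]:
            seen[("proxyAddresses", p.split(":", 1)[-1].lower())].add(sam)
    for (attr, value), owners in seen.items():
        if len(owners) > 1:  # the same value appears on more than one object
            findings.extend((sam, f"duplicate {attr}: {value}") for sam in owners)
    return sorted(findings)

if __name__ == "__main__":
    for sam, finding in check_users(USERS, ["example.com"]):
        print(f"{sam}: {finding}")
```

Each finding corresponds to an object that should be corrected in Active Directory before the domain is federated or provisioning is switched to live mode.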

Section Three: Prepare the Centrify tenant

Administrators that leverage Centrify to provide Office 365 authentication and provisioning features must first register for a tenant and perform some initial configuration steps within the Centrify Admin Portal and install a connector within Active Directory.

After linking your source directory with Centrify, it’s time to think about adding some roles to allow user access. By default, all users will have access to the Centrify User portal but no applications will be visible unless the user belongs to at least one application role.

Admin Portal roles are sets of user accounts and are similar in context to Active Directory groups. You use roles to assign applications, permissions, and policies to sets of users. Users can be members of multiple roles. It is recommended to create role names that are easy to identify and include the application name and license type. For example, users that access Office 365 using an E3 license could belong to a role named “Office 365 Users – E3 License”.

Note: You should configure one or more connectors within Active Directory to provide continuous up time for identity platform services. Install additional Centrify Connectors for load balancing and failover. If the connector service is stopped or the host on which the connector is installed has a network failure and is unable to communicate with the identity service, user login will be impacted.

Section Three Tasks: Prepare the Centrify Tenant
Environment: Centrify Admin Portal - Tenant Setup

  • Register for a Centrify tenant at and login to the Centrify Admin Portal.
  • Download and install the Centrify Connector service on a Windows server running 2008R2 or higher.
  • Create login suffix entries for all Active Directory and Office 365 domains in portal Settings.
  • Download and deploy trusted root IWA certificate to client computers for IWA using HTTPS.
  • Enter a Corporate IP range in portal Settings (required for Skype/Lync).
  • Create Centrify Roles for Office 365 users by license type.
  • Verify successful login to the Centrify User Portal ( using IWA.
  • Configure policy to deliver ActiveSync profiles to enrolled mobile devices (optional).

Section Four: Configure Centrify for Office 365 - Federation with Active Directory

Centrify recommends performing federation changes during off-peak production hours whenever possible to avoid any interruptions to end users. It is critical to ensure user login to the Centrify portal using IWA over HTTPS is working and that user communication has been completed prior to changing federation settings.

Before federating your Office 365 domain with Centrify and changing its status from "Managed" to "Federated", make sure you have a clear understanding of how the federation change will appear to new users or users currently accessing Office 365 using OWA or Outlook.

Users attempting to log in directly to the Office 365 web portal will be redirected to the Centrify User Portal for authentication. If IWA using HTTPS is working correctly (or the user logs in manually), users will be authenticated and directed back to the Office 365 OWA interface. This is expected behavior and why validating successful login to the Centrify User Portal using IWA is extremely important to ensure a seamless user experience.

Outlook users may experience password prompts if DNS Autodiscover records for Office 365 have not been created in Active Directory or if the Windows Credential store on the local client falls out of sync with Active Directory. Ensuring Autodiscover records have been added prior to federation and clearing any saved credentials (as needed) for Outlook that may be out of sync with Active Directory will help minimize these issues.

Note: If you decide to disable domain federation between Office 365 and Centrify, there can be a delay of 1-4 hours within the Office 365 service before the domain status changes from “Federated” back to “Managed”. This is expected behavior per Microsoft.

Section Four Tasks: Configure Centrify for Office 365 - Federation with Active Directory
Environment: Centrify Admin Portal - App Setup - Federation

  • Add the Office 365 WS-Fed+Provisioning template from the Centrify app catalog.
  • Enter and verify the Office 365 global administrator credentials.
  • Select the domain that you want to federate with Centrify or take ownership of a domain that is already federated.
  • Configure User access by selecting Roles created for Office 365.
  • Configure authentication policy (optional).

Section Five: Configure Centrify for Office 365 - User provisioning

Administrators can use Centrify to provision and license users, contacts and group objects without the need to install anything extra, such as the Microsoft Azure Directory Synchronization tool. In addition, Centrify for Office 365 + Provisioning can synchronize and provision users from Active Directory, LDAP, and the Centrify Directory Service. Centrify provisioning does not replicate any AD password information into the cloud. AD-authentications that go through Centrify are always performed within the domain environment via the Centrify Connector.

By default, Centrify will provision the userPrincipalName attribute for the Office 365 username. Microsoft recommends matching the UPN and proxyAddresses primary SMTP attribute to provide the best SSO user experience and prevent user confusion. Centrify can be customized for environments where these attributes cannot be modified but these options should be used only by advanced users when best practices cannot be followed.

If you use Microsoft Exchange in a hybrid configuration to provide on-premises mailboxes and plan to migrate user data to Office 365, it is important to complete user mailbox migration before attempting to license the user object in Office 365 using Centrify provisioning. Office 365 will not assign a license or a default SMTP address for any user object where an Exchange mailbox is still present and migration has not completed. This Microsoft restriction helps prevent split-mailbox scenarios and is expected behavior.

The Hybrid Exchange Support option within the Centrify provisioning settings is required for full extended user attribute sync and to provision non-user objects. It is recommended to enable Hybrid support even if Exchange server is not in use. Failure to enable this option may prevent specific user attributes such as proxyAddresses from provisioning with Office 365.

Note: Please contact Centrify Support if you plan to provision users using a custom Source Anchor that does not use the local Active Directory user object Immutable ID.

Section Five Tasks: Configure Centrify for Office 365 - User provisioning
Environment: Centrify Admin Portal - App Setup - Provisioning

  • Enable the provisioning option (Preview Mode is selected by default).
  • Enable the "Hybrid Exchange Support" option (recommended even if not using Exchange in hybrid mode).
  • Determine if existing Office 365 accounts should be overwritten (merged) or retained.
  • Assign Role and license mappings for Office 365.
  • Perform a full preview synchronization or test manual sync for specific user accounts and review the sync report for accuracy.
  • Configure deprovisioning rules based on current employee offboarding procedures.
  • Modify the advanced provisioning script if needed to link AD objects (optional).
  • Exclude AD objects from synchronizing if needed.
  • Change provisioning mode from "Preview" to "Live Mode" when ready to enable production sync.

Section Six: Verify Setup and user communication

After completing the above setup and validation steps, the Office 365 domain should now be in a "Federated" status and user objects should be synchronized with the desired source directory. Users should be able to access Office 365 directly using the Microsoft Online portal, Centrify user portal, desktop application or mobile device.

Verify the following actions can be performed and communicate the planned changes to your users. Be sure to include instructions on how users can request assistance from your helpdesk.

Note: Mobile device users will receive a login screen when launching the native mobile Office 365 applications. This is expected behavior.

Section Six Tasks: Verify Setup and user communication

Environment: Office 365

  • Verify users can login to the Office 365 application and can access each tab in Office 365 from both inside and outside of the corporate LAN.
  • All users can log in with SP-initiated authentication directly to the Microsoft online portal and are redirected to Centrify for IWA login.
  • Online services such as Office online, CRM online and SharePoint work as expected.

Environment: Active Directory

  • Users on both PC and Mac computers can use Outlook, Lync / Skype and other Microsoft desktop applications without issue.
  • End-user communications have been sent.
  • ActiveSync on mobile devices is working as expected (optional).

Section Seven: Troubleshooting

To diagnose any issues with your Office 365 deployment related to authentication, configuration, policy restrictions or provisioning, please review article KB-6198: Office 365 Troubleshooting Workflow.

For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at