Following my recent post (https://marcoschiavon.net/migrate-from-exchange-2010-13-to-exchange-2016-part-four/), where we left our environment freshly upgraded/migrated to Exchange 2016, we now want to set up an Office 365 hybrid deployment.
Before we start, there are several requirements to accomplish the SSO experience, both for browsers and for apps like Outlook/Office.
First, we need to ensure that the following URLs aren't inspected by any "man in the middle" device, such as a firewall's deep (TLS) inspection:
- mscrl.microsoft.com HTTP/80
- *.verisign.com HTTP/80
- *.entrust.net HTTP/80
- *.windows.net HTTPS/443
- secure.aadcdn.microsoftonline-p.com HTTPS/443
- *.microsoftonline.com HTTPS/443
- autologon.microsoftazuread-sso.com HTTPS/443
- aadg.windows.net.nsatc.net HTTPS/443
Secondly, we need to deploy a GPO that adds these URLs to the "Intranet zone":
- https://aadg.windows.net.nsatc.net
- https://autologon.microsoftazuread-sso.com
Location:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
Edit the "Site to Zone Assignment List".
The number on the right follows this table (Zone: Zone ID):
- Local intranet: 1
- Trusted sites: 2
- Internet: 3
- Restricted sites: 4
NB: if you want to avoid the "graying out" of the Internet settings, follow the guide by Alan Burchill.
Another thing to do is to enable "Modern Authentication" to permit SSO for apps like Outlook, Office 365, Teams and so on.
Connect to your tenant with PowerShell:
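For a single test machine, or to verify that the GPO actually landed, the following added example (not from the original post) writes and then checks the same registry values the "Site to Zone Assignment List" policy publishes for the two SSO URLs above. It assumes a user-scope policy (HKCU), matching the User Configuration path given above; the function names are my own.

```powershell
# Registry location behind "Site to Zone Assignment List" (User Configuration scope).
# Each value is REG_SZ: the URL is the value name, the zone ID is the data.
$zoneMapKey   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$settingsKey  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$LocalIntranet = 1   # Zone ID 1 = Local intranet, per the table above

# The two Azure AD Seamless SSO endpoints that must be in the Local intranet zone.
$ssoUrls = @(
    'https://aadg.windows.net.nsatc.net',
    'https://autologon.microsoftazuread-sso.com'
)

function Set-SsoIntranetZone {
    # Mirrors what the GPO writes; lab use only, the GPO is the right tool at scale.
    if (-not (Test-Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
    # The policy also flags that the list is policy-managed (this is what greys out the UI).
    New-ItemProperty -Path $settingsKey -Name 'ListBox_Support_ZoneMapKey' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    foreach ($url in $ssoUrls) {
        New-ItemProperty -Path $zoneMapKey -Name $url -Value "$LocalIntranet" `
            -PropertyType String -Force | Out-Null
    }
}

function Test-SsoIntranetZone {
    # Returns $true only when both URLs are mapped to zone 1; warns about each mismatch.
    $ok = $true
    foreach ($url in $ssoUrls) {
        $value = Get-ItemPropertyValue -Path $zoneMapKey -Name $url -ErrorAction SilentlyContinue
        if ($value -ne "$LocalIntranet") {
            Write-Warning "$url is not in the Local intranet zone (found: '$value')"
            $ok = $false
        }
    }
    return $ok
}

Set-SsoIntranetZone
Test-SsoIntranetZone
```

Run only Test-SsoIntranetZone on a domain-joined client after a gpupdate to confirm the policy applied without touching the registry yourself.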
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true -Verbose
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
First, we need to register our domain in Office 365; when that's done, we can proceed.
Connect to https://portal.office365.com, go to the Azure section and download Azure AD Connect.
Install it and accept the license terms.
Select Customize and then Install.
Select "Password Hash Sync" and "Enable single sign-on".
Enter the Azure global administrator credentials.
Connect to your AD.
Let the wizard create the AD account used for the periodic sync by itself.
Now select Next.
As we can see below, the domain labincloudres.com isn't verified yet.
Now we can continue.
In our case the AD forest is labincloudres.local and we also have the UPN suffix labincloudres.com. For this reason, we need to tick the option below to continue.
Select the OUs, or the whole forest, that you want to sync (we will filter afterwards).
Leave the defaults.
Add a user group that you created beforehand (in my case sync_Users_to_365) and resolve it.
In this case I also add Exchange (we need Exchange hybrid as well).
Enter the AD admin account.
If you want, enable staging mode, then install.
Common warnings
We continue in the next post.