Centrify for Office 365 Deployment Guide

Abstract
This document is a step-by-step configuration guide for deploying Office 365 with Centrify Identity Service
for federation. It is intended for IT professionals with a basic understanding of computing systems.
© 2014 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.
PAGE 1
CENTRIFY O365 DEPLOYMENT GUIDE
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, email addresses, logos, people, places and events depicted herein are fictitious, and
no association with any real company, organization, product, domain name, e-mail address, logo,
person, place or event is intended or should be inferred. Complying with all applicable copyright laws
is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Centrify, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
© 2015 Centrify Corporation. All rights reserved.
Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize,
DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or
other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Contents (page 3)
Overview (page 4)
  Where will your identities live? (page 4)
  Prepare Your Centrify Identity Service Environment (page 5)
  Add Your UPN Domain to Office 365 (page 5)
  Connect Centrify with Office 365 and Synchronize Active Directory User IDs (page 6)
  Validate Synchronization and Verify Federation in a Test Environment (page 6)
Prerequisites (page 7)
Configure Office 365 (page 7)
Federating Centrify User Suite with O365 (page 15)
How to delete users from O365 using PowerShell (page 32)
How to Contact Centrify (page 33)
Overview
Many people are moving to an Office 365 environment to simplify control and maintenance of some of
their core systems. The benefits can include the following:
• Reduced overtime for the technical staff who support email systems.
• Reduced on-premises storage requirements.
• Reduced on-premises hardware requirements.
• Improved service availability and redundancy (99.9% uptime SLA).
• Less concern about individual mailbox storage requirements.
• The option of a hybrid Exchange model that hosts some mailboxes locally, for situations where the hosted solution may not work.
• Single Sign-On (SSO) federated to your on-premises Active Directory (AD).
• And last but not least, automated provisioning of users from AD.
But before you run out and sign up for Office 365 and implement SSO, there are some best practices
and considerations you should review. This document will highlight the key things you should know
before you go to an Office 365 federated environment.
Where will your identities live?
Most of you going to Office 365 probably already have an on-premises Active Directory environment.
Some of you may use SSO vendors that require you to replicate all of your AD identities to their
cloud service. Centrify feels that this is an unnecessary step that forces customers to give up a degree
of control, is less secure, and forces vendor lock-in. Some SSO solutions require you to have up to
eight different servers to provide the same functionality that Centrify can achieve with our Identity
Service Cloud Connectors, which can be deployed on existing servers. We believe that your FTE
identities should stay on premises and that your third-party or contractor identities should live
separately.
We provide our Cloud User Identity Service for just that hybrid scenario. We provide a model that
addresses the complete application end-user life-cycle. We handle the process from on-boarding to
application authorization for both mobile and web, and when the time comes you have a single point
of de-provisioning.
Having said that, this is a great opportunity to do some AD cleanup and make sure you are ready for
a federated Office 365 environment.
UPNs and Domain name
One of the things that AD brought us was the ability to have non-routable local domain suffixes such
as “mycompany.local”. This is a sound security practice that reduces exposure to attack from outside
the network. But guess what? Before you can go to Office 365 or federate to AD you need to use an
Internet-resolvable domain name as the suffix in each user’s username (UPN). If you have a .local domain
you now need to add the Internet-routable domain as a UPN suffix in both Office 365 and AD. Don’t worry, it’s
easy to add a UPN suffix. Here are the steps.
• Open Active Directory Domains and Trusts.
• In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
• On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
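The same preparation done from PowerShell, as an added example that is not part of the Centrify guide: it registers the routable suffix on the forest and then lists the enabled accounts still carrying the non-routable suffix, which is the inventory you want before federating. It assumes the ActiveDirectory RSAT module and a session with rights to modify the forest; the two domain names are placeholders taken from the guide's example.

```powershell
# Added example (not from the Centrify guide): register the routable UPN suffix
# and find accounts still using the non-routable one before federating.
# Assumes the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

$LocalSuffix    = 'mycompany.local'   # non-routable AD suffix (placeholder)
$RoutableSuffix = 'contoso.com'       # Internet-resolvable suffix (placeholder)

# 1. Register the routable suffix on the forest. This is the PowerShell
#    equivalent of the "UPN Suffixes" tab in AD Domains and Trusts.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $RoutableSuffix }
    Write-Host "Added UPN suffix $RoutableSuffix to forest $($forest.Name)"
} else {
    Write-Host "UPN suffix $RoutableSuffix already present on forest $($forest.Name)"
}

# 2. Report enabled users whose UPN still ends in the non-routable suffix.
#    These accounts cannot sign in through a federated Office 365 domain
#    until their UPN is changed.
$pending = Get-ADUser -Filter "Enabled -eq 'True' -and UserPrincipalName -like '*@$LocalSuffix'" `
                      -Properties UserPrincipalName, mail
Write-Host "$(@($pending).Count) enabled user(s) still use @$LocalSuffix"
$pending | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

# 3. Optional rewrite: swap only the suffix and keep the user part intact.
#    -WhatIf makes this a dry run; remove it once the list above is reviewed.
foreach ($u in $pending) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $RoutableSuffix
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```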
Prepare Your Centrify Identity Service Environment
If you are not already a Centrify customer it’s easy to get started with a trial at
http://www.centrify.com/saas/trial.asp. Centrify will also come on site and show you how to set
everything up for your proof of concept. Here is a great video from our CTO Paul Moore that shows
how the Cloud Identity service works. One note is that our proxy service has been renamed to Cloud
Connector. https://www.youtube.com/watch?v=ZTzJStHnahA
If you are a customer or you have signed up for our 30-day trial, the first thing you will get is a set of
credentials to administer the Cloud Identity Service. When you log in, the first thing to do is change
your administrator password and be sure to use a complex password. From there you will need to
install a cloud connector on any member server in your domain. It can be a physical server or
virtualized. You can have as many as you like and can have them distributed across your global
enterprise. You can find a short 5-minute video of the process here.
Add Your UPN Domain to Office 365
The earlier example used a publicly resolvable domain name of contoso.com with an internal Active
Directory domain of yourcompany.local. Your domain can be anything. The Active Directory name
doesn’t need to align with the external domain you use for e-mail addresses, although doing so
makes things easier for users to remember.
If the publicly resolvable domain name you choose isn’t already linked to Office 365, do so via the
Microsoft Online Services Portal. Click Domains in the Admin console and then select Add a Domain.
The wizard will prompt you for the domain name, and then give you one of two options for
authenticating ownership. You’ll need to add either a TXT or MX record to the publicly accessible DNS
server hosting the domain.
It can take anywhere from 15 minutes to 72 hours for the update to fully propagate, so it might take
a while before you can complete the validation process. Validation affirms to Office 365 that you own
the domain name your clients will later use to authenticate. You don’t need to have any servers within
this domain for federation to function. All you need to complete this step is the domain itself that you
can resolve from the Internet. You can find the “how to” video here.
Connect Centrify with Office 365 and Synchronize Active Directory User IDs
Now it’s time to configure Office 365 to federate user authentication. This process entrusts your
internal Active Directory domain with authenticating users, while letting Office 365 merely trust your
domain’s authentication response. That’s the cool thing about federation—no passwords are ever
transferred between ADFS and Office 365, it’s just a secure token exchange.
While federation removes the need to send passwords between Active Directory and Office 365, it still
requires that you continuously synchronize user accounts. You can perform this synchronization
manually and then edit each user to assign a license profile, or you can use the Centrify Identity
Service to not only synchronize users but provision them also.
Below are all three of Centrify’s Office 365 federation and provisioning “how to” videos that will take
you through all of the above necessary steps. Each video is about 5 minutes long.
• Part I: https://www.youtube.com/watch?v=fsl1yGaXjsg
• Part II: https://www.youtube.com/watch?v=8HZCrn7t9S8
• Part III: https://www.youtube.com/watch?v=eYcQEw1qZ7k
Validate Synchronization and Verify Federation in a Test Environment
As with all projects it is best to validate in a test environment. You can easily sign up for a separate
O365 trial and use a sub domain or your externally routable domain, e.g. centrify.mydomain.com.
Centrify allows you to assign applications to individual users or groups of users so you can test with
pilot groups and then roll out to the entire enterprise.
Centrify’s online help system can help if you run in to any issues. And don’t forget to check out
Centrify’s SaaS community site for some additional resources.
Prerequisites:
• Must have a publicly resolvable domain
• Must have access to the DNS server to add / modify records for the publicly resolvable domain
• Must have an Office 365 account with at least one license
• Must have a Centrify Cloud Tenant
Configure Office 365
1. Log on to Office Portal
2. Click on Domains
3. Click on add Domains
4. Click on Let’s get started
5. Enter your Domain name and click on Next
6. If your domain is registered with GoDaddy (as in this example) you can simply sign in to
GoDaddy and let the wizard add or modify the DNS records needed for domain verification.
Exploring every variation of DNS server and how to configure it is beyond the scope of this
document. After completing the DNS wizard, or manually adding the TXT record needed for
domain verification, you’ll see a confirmation of domain ownership.
7. If this is the first time / first domain you are setting up in O365 you’ll be prompted to change
the default admin email address. You can skip this step.
8. You’ll be prompted to add users. You can skip this step.
9. At the “Update DNS records” prompt click on “Next”
10. Depending on your license you can use Outlook and Lync services. Select which services
you want to enable and click on Next
11. Add the DNS records provided by O365. In this example GoDaddy is the DNS service
provider and the records are added automatically.
12. After adding the records click on Finish
13. If all settings are correct you will see the following screen
14. Expand Users on the left side and click on Active Users
15. Click on “Active Directory synchronization: Set up” at the top of the page
16. Click on Activate in “3 Active Directory synchronization”
17. Confirm any prompts
18. Done
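A propagation check for the domain verification and DNS-record steps above (the “Add Your UPN Domain to Office 365” section and steps 5 to 13 of “Configure Office 365”), as an added example that is not part of the Centrify guide. It queries a public resolver so that a cached answer from the internal DNS does not give a false positive, and assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later). The domain, the TXT verification value, and the expected Office 365 MX and SPF targets are assumptions; use the values the O365 wizard shows you.

```powershell
# Added example (not from the Centrify guide): confirm that the DNS records
# Office 365 asked for are visible from the Internet before clicking
# Verify / Finish. Values are placeholders; use those shown by the wizard.
function Test-O365DomainRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $ExpectedTxt = 'MS=ms12345678',   # placeholder verification value
        [string] $Resolver    = '8.8.8.8'          # public resolver, not the internal DNS
    )
    $result = [ordered]@{ Domain = $Domain }

    # 1. Domain ownership: the TXT record generated by the wizard must be present.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue
    $strings = @($txt | Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' })
    $result['VerificationTxtPresent'] = ($strings -contains $ExpectedTxt)

    # 2. Mail routing (steps 9-12): assumption, the MX record should point at
    #    Exchange Online Protection under mail.protection.outlook.com.
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction SilentlyContinue
    $mxHosts = @($mx | Where-Object Type -eq 'MX' | ForEach-Object { $_.NameExchange })
    $result['MxHosts']        = $mxHosts
    $result['MxPointsToO365'] = [bool]($mxHosts | Where-Object { $_ -like '*.mail.protection.outlook.com' })

    # 3. SPF: assumption, the wizard supplies an spf.protection.outlook.com include;
    #    without it mail sent from Exchange Online is more likely to be rejected.
    $result['SpfIncludesO365'] = [bool]($strings | Where-Object {
        $_ -like 'v=spf1*' -and $_ -like '*include:spf.protection.outlook.com*' })

    [pscustomobject]$result
}

# Usage with placeholder values; re-run until all three checks report True.
Test-O365DomainRecords -Domain 'contoso.com' -ExpectedTxt 'MS=ms12345678' | Format-List
```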
Federating Centrify User Suite with O365
1. Log on to your Cloud Manager
2. Click on the Roles Tab
3. Click on Add Role
4. Enter a Name and Description for your Role
5. Example: O365-Users / Role for user access and license assignment for Office 365
6. Click OK to close the Add Role dialog
7. Click on the Apps tab
8. Click Add Web Apps
9. In the Add Web Apps dialog search for Office 365
10. Click on Add for “Office 365 WS-Fed + Provisioning”
11. Confirm any dialog and click on Close on the Add Web Apps dialog
12. NOTE: The Office 365 Application dialog will open automatically
13. Enter the Office 365 Admin Username and Password on the first screen
14. NOTE: You must use the Admin Credentials of the default domain.onmicrosoft.com to log on.
15. Click on Verify
16. Select the Domain you want to federate from the Office 365 Domains
17. From the Actions dropdown menu select Federate
18. NOTE: The default domain cannot be federated
19. Click Yes on the information dialog
20. NOTE: Federation can take up to 2 min
21. Click on Save
22. Click on User Access on the left side
23. Select the Role you created in step 3 to be assigned to Office 365 user access
24. Click on Save
25. Click on Provisioning on the left side
26. Select Enable Provisioning
27. Under Role Mappings click on Add
28. Select the Role added in step 3 to be associated with the License assignment
29. Select the License you want to associate with the Role
30. Click Done
31. Click Save
32. Click on the Users tab
33. Click on Add User
34. Configure the User
a) Enter the logon name
b) Select the correct Domain name from the Suffix dropdown menu
c) Enter the email address
d) Enter and verify the password
e) Uncheck Require password change at next logon (in this training exercise)
35. Scroll down and enter the display name
36. Click Create User
37. Click on Roles
38. Double Click your previously created Office 365 Role
39. Click on Members on the left side and click on Add
40. Enter the logon name into the search field
41. Select the User
42. Click on Add
43. Click on Save
44. Click Assigned Applications on the left side
45. Click Add
46. Select Office 365
47. Click Add
48. Click Save
49. Click on the Users tab
50. Select the User you just added to the Office 365 Role
51. Select Sync all Apps from the Action dropdown menu
52. Click Close
53. Log on to your Office 365 administrative Portal
54. Expand the Users tree on the left side
55. Click on Active Users
56. Select the newly provisioned user
57. As you can see on the right side, a license and email address have been provisioned for the user
58. Open a new browser and go to cloud.centrify.com
59. Log on as the newly provisioned User
60. Click on the Office 365 application tile
61. Office will open in a new browser window
62. Done
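A tenant-side check that complements the portal walkthrough in steps 53 to 62 and the earlier “Validate Synchronization and Verify Federation in a Test Environment” section, as an added example that is not part of the Centrify guide. It uses the MSOnline module (the one installed in the PowerShell section later in this guide) to confirm that the domain is federated, that the federation endpoints point at the identity provider you intended, and that the pilot user was synced and licensed. The domain, the pilot UPN and the expected issuer host are assumptions to adjust for your tenant.

```powershell
# Added example (not from the Centrify guide): verify federation and provisioning
# from the Office 365 side with the MSOnline module. Placeholders throughout.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)   # onmicrosoft.com admin, as in the guide

function Test-O365Federation {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $PilotUpn,
        [string] $ExpectedIssuerHost = 'cloud.centrify.com'   # assumption: your Centrify tenant host
    )
    $report = [ordered]@{}

    # (a) The domain must be verified and switched to Federated by the Centrify wizard.
    $dom = Get-MsolDomain -DomainName $Domain
    $report['DomainStatus']   = $dom.Status           # expect 'Verified'
    $report['Authentication'] = $dom.Authentication   # expect 'Federated', not 'Managed'

    # (b) Federation settings: every sign-in for this domain is redirected to
    #     PassiveLogOnUri and tokens from IssuerUri are trusted, so both must
    #     belong to the identity provider you intended. Anything else means
    #     the trust was pointed somewhere unexpected and needs investigating.
    if ($dom.Authentication -eq 'Federated') {
        $fed = Get-MsolDomainFederationSettings -DomainName $Domain
        $report['IssuerUri']        = $fed.IssuerUri
        $report['PassiveLogOnUri']  = $fed.PassiveLogOnUri
        $report['SigningCertSet']   = -not [string]::IsNullOrEmpty($fed.SigningCertificate)
        $report['IssuerIsExpected'] = ($fed.IssuerUri -like "*$ExpectedIssuerHost*") -and
                                      ($fed.PassiveLogOnUri -like "*$ExpectedIssuerHost*")
    }

    # (c) Provisioning: the synced pilot user should exist and hold a license (steps 53-57).
    $user = Get-MsolUser -UserPrincipalName $PilotUpn -ErrorAction SilentlyContinue
    $report['UserExists']   = [bool]$user
    $report['UserLicensed'] = [bool]($user -and $user.IsLicensed)
    $report['LicenseSkus']  = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
    $report['LastDirSync']  = $user.LastDirSyncTime

    [pscustomobject]$report
}

Test-O365Federation -Domain 'contoso.com' -PilotUpn 'pilot.user@contoso.com' | Format-List
```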
How to delete users from O365 using PowerShell
During testing and evaluation of Office 365 the same users are sometimes added to and removed
from Office 365 repeatedly. Office 365, however, has safety mechanisms in place so that a removed
user is not actually deleted. When a user is removed from the user database it is first placed in a
suspended mode in which only the license and the right to log on are removed. In that state the user
remains in the “Active User” list on Office 365 for 30 days. At the end of the 30 days the user is
moved to the “Recycle Bin”, where it remains for another 90 days.
Office 365 will refuse to add a new user with the same username, because the SID of the new user
differs from the SID of the suspended user that has the same username. Office 365 detects the
“new user” as a different user with the same username, flags it as a duplicate and refuses to add it.
This applies whether the user with the same name is in the “Active Users” list or in the “Recycle
Bin”.
Since waiting 120 days to reuse a username does not make for very efficient testing, you can
permanently delete users in real time from the Office 365 “Active User” list and “Recycle Bin”
using Windows Azure PowerShell commands.
1. Install Azure PowerShell
   https://technet.microsoft.com/library/jj151815.aspx
2. Install Microsoft Online Services Sign-In Assistant 7.0 or greater
   http://www.microsoft.com/en-us/download/details.aspx?id=28177
3. Install the Microsoft Online Services Module
   Microsoft Online Services Module for Windows PowerShell (32-bit version)
   Microsoft Online Services Module for Windows PowerShell (64-bit version)
4. Copy the folders called MSOnline and MSOnline Extended from the source
   C:\Windows\System32\WindowsPowerShell\v1.0\Modules\
   to the folder
   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\
5. Open Azure PowerShell and run the following commands:
   a) Import-Module MSOnline
   b) $cred = Get-Credential
      NOTE: When prompted, enter the admin credentials for the Office 365 account managing the domain from which you
      want to delete a user.
   c) Connect-MSOLService -Credential $cred
   d) Remove-MsolUser -UserPrincipalName [email protected]
      NOTE: To point out the obvious, the user here has to be within a domain managed by the admin credentials that you
      used to log on in step 5b.
   e) Remove-MsolUser -UserPrincipalName <account id> -RemoveFromRecycleBin
6. Sample output
PS C:\> $cred = Get-Credential
(A second window will open to enter the credentials)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\> Connect-MSOLService -Credential $cred
PS C:\> Remove-MsolUser -UserPrincipalName [email protected]

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
PS C:\> Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
PS C:\>
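The two Remove-MsolUser commands from step 5 wrapped in a function with the checks a careful administrator wants around them, as an added example that is not part of the Centrify guide: it first confirms that the UPN’s domain belongs to the tenant you are connected to (the note on step 5d), then removes the user from Active Users and purges it from the Recycle Bin so the username can be reused at once, and supports -WhatIf for a dry run. It assumes the MSOnline module from steps 1 to 4 and an existing Connect-MsolService session; the UPN is a placeholder.

```powershell
# Added example (not from the Centrify guide): permanent removal of a test user
# with a tenant-domain guard and a dry-run option. Assumes Connect-MsolService
# has already been run with the tenant admin credentials.
function Remove-O365UserPermanently {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Guard: the UPN suffix must be a domain of the connected tenant.
    # Get-MsolDomain raises an error for a domain the tenant does not own.
    $suffix = ($UserPrincipalName -split '@')[-1]
    try   { $null = Get-MsolDomain -DomainName $suffix -ErrorAction Stop }
    catch { throw "Domain '$suffix' is not part of the connected tenant; aborting." }

    # Stage 1: remove from Active Users (this only suspends the user, as the
    # guide explains; it moves to the Recycle Bin rather than disappearing).
    $active = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($active) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove from Active Users')) {
            Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
        }
    } else {
        Write-Verbose "$UserPrincipalName is not in Active Users"
    }

    # Stage 2: purge from the Recycle Bin, otherwise the entry lingers for
    # another 90 days and keeps blocking re-creation of the same username.
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($deleted) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Purge from Recycle Bin')) {
            Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
        }
    } else {
        Write-Verbose "$UserPrincipalName is not in the Recycle Bin"
    }

    # Report what is left: after a real run both flags should be False.
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        StillActive       = [bool](Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue)
        StillInRecycleBin = [bool](Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue)
    }
}

# Dry run first (prints what would be removed), then the real removal.
Remove-O365UserPermanently -UserPrincipalName 'test.user@contoso.com' -WhatIf
Remove-O365UserPermanently -UserPrincipalName 'test.user@contoso.com'
```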
How to Contact Centrify
North America (and all locations outside EMEA)
Centrify Corporation
785 N. Mary, Suite 200
Sunnyvale, CA 94085
United States
Sales: +1 (408) 542-7500

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Lilly Hill House
Lilly Hill Road
Bracknell, Berkshire RG12 2SJ
United Kingdom
Sales: +44 (0) 1344 317950

Online: www.centrify.com/contact