Okta receives many questions about Office 365. In an effort to provide a single repository of best practices and roll out recommendations, we have put together the following list.
Okta's Top 10 Office 365 rollout recommendations:
1. Ensure that expectations of what the Single Sign-On experience delivers are properly set. Please reference http://support.microsoft.com/kb/2535227 where Microsoft states: "Not all federated user authentication experiences are without a credential prompt. In certain scenarios, it is by design and expected that federated users are prompted to enter their credentials."

2. Ensure that Microsoft's prerequisites for single sign-on are followed, in particular:
   - Set all users' UPNs to match their primary SMTP address in Active Directory, and have these changes replicated to both Okta and Office 365.
   - The UPN must be set and known by the user.
   - The UPN domain suffix must be under the domain that the customer chooses to set up for single sign-on.
   - The domain chosen for federation must be registered as a public domain with a domain registrar or within your own public DNS servers.
   - Fix any existing users whose Office 365 UPN does not match their on-premises UPN and primary SMTP address.

3. In preparing for Single Sign-On with the rich clients, we have found that it helps to flush your Credential Manager immediately before turning SSO on or changing from another IdP to Okta.

4. Ensure that the default domain in Office 365 has been set to the onmicrosoft.com domain. You cannot federate a real domain if it is set as the default domain in the Office 365 tenant.

5. All customers preparing for an Office 365 deployment should assess their readiness using OnRamp (https://onramp.office365.com/onramp/) and follow all of its recommendations. OnRamp thoroughly evaluates almost all aspects of your infrastructure and provides recommendations for remediation.

6. For larger, complex deployments, consider running the Microsoft Assessment and Planning (MAP) Toolkit. The MAP Toolkit is an agentless, automated, multi-product planning and assessment tool that generates detailed readiness assessment reports with extensive hardware and software information.

7. Consider leveraging the IdFix tool to resolve problems with attributes that the other readiness tools identify. IdFix is specifically focused on discovering and updating attributes within your internal identity store to meet the standards required by Office 365. It can be downloaded from: http://www.microsoft.com/en-us/download/details.aspx?id=36832

8. Be absolutely sure everything is prepared for single sign-on. Converting a domain back to standard authentication is a disruptive process involving resetting users' passwords en masse. Once Single Sign-On has been enabled, it is almost ALWAYS less disruptive to troubleshoot the SSO problems than to convert the domains back to standard authentication.

9. Customers should leverage a free trial of Office 365 connected to a test AD/Exchange environment that mirrors production whenever possible, especially to model hybrid deployment scenarios.

10. Thoroughly model and plan hybrid Exchange deployment scenarios using pilot deployment groups and free trials, taking into account technical and non-technical factors, as hybrid Exchange deployment mode will most impact the length of your Office 365 migration.
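The UPN prerequisites above (UPN set, matching the primary SMTP address, and carrying a suffix under the domain you will federate) are the ones most often found broken only after SSO is turned on. The following PowerShell report is an added example, not part of the Okta article or of any Microsoft tool; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read user objects, and that the `$FederatedSuffixes` value is replaced with the domain(s) you actually intend to federate.

```powershell
# Added example: report on-premises AD users whose UserPrincipalName does not
# match their primary SMTP address, or whose UPN suffix is not one of the
# domains planned for federation. Read-only; it changes nothing.
Import-Module ActiveDirectory

# Assumption: the suffix(es) you plan to federate. Replace with your own.
$FederatedSuffixes = @('example.com')

# Pull only the attributes the checks need.
$users = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties UserPrincipalName, proxyAddresses, mail

$report = foreach ($u in $users) {
    # Exchange marks the primary SMTP address with an upper-case "SMTP:" prefix;
    # secondary addresses use lower-case "smtp:", so the match is case-sensitive.
    $primary = ($u.proxyAddresses |
        Where-Object { $_ -clike 'SMTP:*' } |
        Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $u.mail }   # fall back to the mail attribute

    $upn    = $u.UserPrincipalName
    $suffix = if ($upn) { $upn.Split('@')[-1] } else { $null }

    $issues = @()
    if (-not $upn)                 { $issues += 'UPN not set' }
    elseif (-not $primary)         { $issues += 'no primary SMTP address' }
    elseif ($upn -ine $primary)    { $issues += 'UPN differs from primary SMTP' }
    if ($suffix -and ($FederatedSuffixes -notcontains $suffix)) {
        $issues += "UPN suffix '$suffix' is not a federated domain"
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $upn
            PrimarySMTP    = $primary
            Issues         = ($issues -join '; ')
        }
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
# Keep a copy for remediation tracking:
# $report | Export-Csv -Path .\upn-smtp-mismatches.csv -NoTypeInformation
```

Run it before enabling federation and again after remediation. Fixes themselves are applied with `Set-ADUser -UserPrincipalName` (after confirming the new suffix exists as a UPN suffix in the forest), and, as the list notes, the corrected values must then replicate to both Okta and Office 365 before SSO is switched on.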