Hybrid Calendar sharing with AD FS

  • Question

  • I am working on an implementation plan for Exchange hybrid as a migration path to Exchange Online with some unique organizational political, as well as environmental, challenges. There is also the possibility that a significant portion of their mailboxes may remain on-prem for an extended period of time (maybe years), so some things which I would typically allow to exist sub-optimally temporarily may not be able to be ignored. It is a single Exchange 2013 server Exchange organization with 600 mailboxes. I can't remember which CU Exchange is on currently, but it is my MO on Exchange to update it to the newest CU or RU which is at least 2-3 weeks old before doing any significant modifications or migrations in the Exchange organization, so it will be assumed.

    I am trying to determine if AD FS is necessary. It would be ideal if AD FS was not needed - at least long term. They use shared calendars extensively, for users and room calendars. From a previous migration, I thought that I had a latent memory of setting up AD FS to solve some sort of cross-premises permissions problem, but couldn't quite remember what it was (if it even existed?). From the documentation I am finding, it is not possible to edit a calendar on one side of the hybrid organization from the other in any configuration. I am 95% sure I did do this on another migration, however, so it is bothering me - it is a problem, not to mention if cross-premises editing is needed. I could also swear that I have read documentation in the past that AD FS provided some extra cross-prem permissions which DirSync alone does not. I have gone through a few forums and found references to articles which sounded like they had the answer to my question but which were pulled - such as this one: https://technet.microsoft.com/en-us/library/hh852414.aspx?f=255&MSPPError=-2147217396

    It has been a while since I have done a project which left a portion of mailboxes on-prem for an extended period of time, (the last I can remember finished in mid-2014) and haven't had to deal with this in a while. I don't have access to any hybrid environments either among any of my clients at the moment to test with.

    Does anyone know what I am talking about? Or am I remembering gibberish?

    Monday, March 21, 2016 1:40 AM

Answers

  • $TRUE

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by MS_MCSA Monday, April 4, 2016 6:37 PM
    Monday, March 28, 2016 9:57 PM

All replies

  • If you want cloud mailbox users to log on using their Active Directory credentials, you have two straightforward options, both of which require DirSync, the latest version now I think is named Windows Azure Active Directory Connect Sync.

    1.  AD FS requires cloud mailbox users to log on to on-premises Active Directory by the use of on-premises AD FS servers.

    1A.  A variant of the above is to implement the same function using a cloud service like Okta or Ping Identity.

    2. Enable password synchronization in the DirSync tool.  This synchronizes a hash of the user's password into Azure Active Directory, enabling the cloud to authenticate them directly, obviating the need for on-premises AD FS servers.  If you can get your Security people to buy into this one, it's the easiest to implement and removes a point of failure.

    There are more elegant solutions using Windows Azure beyond the scope of this answer.

    Neither is absolutely required if you don't mind having users log on with separate credentials for AD and Office 365, but not doing one of them will cause user confusion and possibly affect interoperability.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!



    Monday, March 21, 2016 7:17 AM
    Moderator
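    The two sign-in options in the reply above (federated sign-in through AD FS versus cloud authentication with password hash sync) can be checked rather than assumed. The following is an added PowerShell example, not code from the thread or from any of its participants. It assumes the MSOnline module (Connect-MsolService, Get-MsolDomain, Get-MsolDomainFederationSettings) for the tenant-side view and the ADSync module on the Azure AD Connect server (Get-ADSyncAADCompanyFeature) for the sync-side view; any domain names it returns are the tenant's own, and the output field names are this example's choice.

```powershell
# Added example: inventory how cloud sign-in is actually configured.
# Assumes the MSOnline module is installed and an account that can read
# tenant configuration; the ADSync section only runs where that module exists.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in

# 1. Tenant side: a Federated domain means users are redirected to an
#    on-premises (or third-party) identity provider, i.e. option 1 / 1A above.
#    A Managed domain means Azure AD authenticates the user itself, which is
#    option 2 when password hash sync is enabled.
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$report = foreach ($d in $domains) {
    if ($d.Authentication -eq 'Federated') {
        $fed = Get-MsolDomainFederationSettings -DomainName $d.Name
        [pscustomobject]@{
            Domain          = $d.Name
            Authentication  = 'Federated'
            IssuerUri       = $fed.IssuerUri        # identifies the STS trusted for this domain
            PassiveLogOnUri = $fed.PassiveLogOnUri  # where browser sign-ins are sent
        }
    } else {
        [pscustomobject]@{
            Domain          = $d.Name
            Authentication  = 'Managed'
            IssuerUri       = $null
            PassiveLogOnUri = $null
        }
    }
}
$report | Format-Table -AutoSize

# 2. Sync side (run on the Azure AD Connect server): is password hash sync on?
#    A Managed domain with PasswordHashSync = False is the "separate
#    credentials" case described above, which is usually unintended.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $features = Get-ADSyncAADCompanyFeature
    "PasswordHashSync enabled: $($features.PasswordHashSync)"
} else {
    "ADSync module not present here; run this section on the Azure AD Connect server."
}
```

    Reviewing the federation settings is also worthwhile from a security standpoint: the IssuerUri and PassiveLogOnUri of every Federated domain should match the organization's own AD FS (or chosen provider) endpoints, since whichever service they point at is trusted to authenticate those users.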
  • Agreed - there are reasons for using ADFS, but it is not a hard requirement.

    And a brand spanking new build of AAD Connect just dropped:

    https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-version-history/

    Released: 2016 March

    Fixed issues:

    • Made sure Express install cannot be used on Windows Server 2008 (pre-R2) since password sync is not supported on this operating system.
    • Upgrade from DirSync with a custom filter configuration did not work as expected.
    • When upgrading to a newer release and there are no changes to the configuration, a full import/synchronization should not be scheduled.

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, March 21, 2016 4:38 PM
  • So AD FS provides no additional permissions to calendars beyond hybrid only?
    Friday, March 25, 2016 11:07 PM
  • AD FS is an authentication service.  It does not grant any permissions.  It's a service that allows some service to perform authentication against your domain.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, March 26, 2016 4:44 AM
    Moderator
  • $TRUE

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by MS_MCSA Monday, April 4, 2016 6:37 PM
    Monday, March 28, 2016 9:57 PM
  • Sorry I didn't get back to this earlier, have been sick the last few days.

    I finally remembered what I was thinking and was completely stuck on a few nights ago - I was defending a design (which included AD FS) to a client who had a competing proposal from another consultant pitching SkyKick "hybrid" migration, which has no cross-prem calendar sharing of any sort. It wasn't AD FS vs no AD FS, it was real hybrid vs fake hybrid.

    Thank you for being patient. I knew I had remembered something and it was bothering me - just was remembering the wrong thing. 

    Friday, April 1, 2016 9:56 PM
  • Good deal - thanks for circling back!

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, April 1, 2016 9:59 PM
  • How do I mark as resolved? I thought there used to be a button at the top of the post
    Friday, April 1, 2016 10:02 PM
  • There should, and I'm not seeing it either.

    Ed - can you see if there is anything up with the platform?  Can't see the mark as answer when signed in.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, April 1, 2016 10:22 PM
  • Should work now. It was created as a discussion, not a question.


    Friday, April 1, 2016 10:29 PM
    Moderator
  • It does - thanks Andy!

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, April 1, 2016 10:51 PM