
Reference Materials for Migration 8.14 - Migrating to Microsoft Office 365


Supporting Single Sign-On (SSO) using Migration Manager

Single Sign-On (SSO) technology lets users log in to a trusted Active Directory domain or to Microsoft Office 365 with the same credentials that they use in the Active Directory where they reside. If you already have Active Directory Federation Services (AD FS) deployed in your organization and plan to migrate your Exchange environment to Office 365, you can implement SSO for Microsoft Office 365. Migration Manager for Active Directory can ease the process of configuring SSO during migration to Microsoft Office 365. It can create users in a federated domain or move existing users to a federated domain within a Microsoft Office 365 subscription; such users can log in through Single Sign-On as soon as they get a Microsoft Office 365 account.

Implementing SSO by means of Migration Manager for Active Directory provides the following benefits for mailbox migration over the common scenario that uses Microsoft Azure AD Connect:

  • Mail migration from multiple Exchange organizations
  • Online migration from Exchange 2003
  • Item-by-item migration with the ability to safely roll back changes

Caution: Rollback tasks that move accounts from a federated domain to a non-federated domain (or the other way around) complete with errors. To avoid this issue, perform an explicit migration to a non-federated (or federated, respectively) domain first, and then perform the rollback task.

If you plan to implement SSO using Migration Manager for Active Directory, note that Active Directory Federation Services (AD FS) 2.0 must be deployed in your organization.

Note: If Microsoft Azure AD Connect already provisioned user accounts in Microsoft Office 365 or is managing them, then you can still support SSO and take advantage of using Migration Manager for mail migration in some environment configurations. For more information, refer to the Interoperating with Microsoft Azure AD Connect section.

The following figure shows the overall environment configuration with SSO implemented using Migration Manager:

Migration Manager for Active Directory supports the basic environment configuration, where Active Directory and the Exchange organization are located in the same forest, as well as a more sophisticated configuration with separate authentication and Exchange resource forests.

The steps required to migrate to Microsoft Office 365 while taking advantage of Single Sign-On are specific to each environment configuration and are described below.

Basic Migration Scenario

If your Active Directory and Exchange organization reside in the same forest, then to migrate to Microsoft Office 365 with support of Single Sign-On you need to perform the following steps:

  1. Ensure that AD FS 2.0 is deployed in your environment. Do not start directory synchronization using Microsoft Azure AD Connect. If synchronization is already started, make sure that the tool does not manage user accounts planned to be migrated using Migration Manager.
  2. Provision user accounts in Microsoft Office 365 using the Migration Manager for Active Directory (Microsoft Office 365) console. Directory Migration Agent will set up SSO support automatically. Note that you need to use the default mapping template.
  3. Synchronize calendars and migrate mailboxes using Migration Manager for Exchange.

Users can log in through Single Sign-On as soon as they get a Microsoft Office 365 account.

After mail data is migrated and mailboxes are switched, you can enable Microsoft Azure AD Connect to keep user accounts synchronized.

ERF Migration Scenario

With Migration Manager you can migrate from an environment with separate authentication and Exchange resource forests (ERF) to Microsoft Office 365 while taking advantage of Single Sign-On. Migration Manager for Active Directory features special migration templates for that. To migrate to Microsoft Office 365 with support of Single Sign-On you need to perform the following steps:

  1. Ensure that AD FS 2.0 is deployed in your environment. Do not start directory synchronization using Microsoft Azure AD Connect.
  2. Provision user accounts in Microsoft Office 365 using the Migration Manager for Active Directory (Microsoft Office 365) console. Note that you need to migrate accounts twice:
    1. First, you should synchronize or migrate users from the Exchange resource forest using the ERF mapping template. That lets you populate the Office 365 Global Address List (GAL) from the Exchange resource forest.
    2. Second, you need to migrate (or synchronize) users from the Active Directory authentication forest using the Activate SSO mapping template. That template enables federation between the authentication forest and the Office 365 subscription.

Note: Using the ERF template, you make sure that federation with the separate authentication forest is not broken by ongoing GAL coexistence between the Exchange resource forest and the Microsoft Office 365 subscription.

  3. Synchronize calendars and migrate mailboxes using Migration Manager for Exchange.

Users can log in through Single Sign-On as soon as they get a Microsoft Office 365 account.

After mail data is migrated and mailboxes are switched, you can enable Microsoft Azure AD Connect to keep user accounts synchronized.

Interoperating with Microsoft Azure AD Connect

If Microsoft Azure AD Connect is already synchronizing user accounts with Microsoft Office 365 in your organization, you can still take advantage of using Migration Manager for mail migration in certain environment configurations.

Note: Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are also supported for this scenario. However, these tools are now deprecated by Microsoft and will reach end of support on April 13, 2017. If you still use one of them, it is recommended to upgrade to Azure AD Connect.

Using Migration Manager along with Microsoft Azure AD Connect provides the following benefits for mail migration:

  1. Migrate mailboxes using Migration Manager for Exchange:
    • Ability to avoid excess steps in certain migration scenarios
    • Mail migration from multiple Exchange organizations
    • Online migration from Exchange 2003
    • Item-by-item migration with the ability to safely roll back changes
  2. Process the Send on behalf, Send as, and Full Mailbox Access permissions.
  3. Support Single Sign-On (SSO) by means of Microsoft Azure AD Connect right from the beginning of migration.

Migration Manager is able to work with objects created and managed by Microsoft Azure AD Connect. However, because the majority of mail-related object attributes are already synced by Microsoft Azure AD Connect, they are not meant to be synced by Migration Manager. The goal of Migration Manager in this case is to establish proper matching of objects, and also to set location attributes and mail redirection settings for the objects so that mail migration using Migration Manager for Exchange can be performed.

The following restrictions apply in such configuration:

  • The Active Directory object that Microsoft Azure AD Connect treats as the source should be mail-enabled. This is typical for environments with a consolidated Active Directory forest or for environments with separate authentication and Exchange resource forests.
  • It is strongly recommended to use only the Empty Active Directory to Microsoft Office 365 mapping template when migrating objects and synchronizing directories. If you need to process specific permissions such as Send on behalf, add the corresponding mapping rules to the template.
  • If you find that X.400 addresses from the EmailAddresses attribute are not synced by Microsoft Azure AD Connect, do not try to sync them using Migration Manager. They will not be synced properly even if you add the corresponding mapping rules to the mapping template.
  • If ongoing directory synchronization is established between the forest where mailboxes reside and the authentication Active Directory forest using Migration Manager for Active Directory or any other third-party synchronization tool, then it should be turned off while migrating to Microsoft Office 365. Otherwise, an additional domain should be set up in the Exchange organization for mail redirection using the Edit Mail Redirection Domain action item for the corresponding migration pair in the Migration Manager for Active Directory (Microsoft Office 365) console.

Caution: The mailboxes to be migrated with Migration Manager reside in the domain you specify. The domain must be accessible from the Internet for mail delivery and must not be listed as an accepted domain for the Microsoft Office 365 tenant.

Note: Setting up the mail redirection domain ensures that mail can be successfully redirected from Microsoft Office 365 to the source Exchange organization.
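
The two requirements in the caution above can be checked before the redirection domain is entered in the console. The following PowerShell is an added example, not part of Migration Manager or the original documentation; `Test-RedirectionDomain` is a hypothetical helper, the sample domains are constructed, and the subdomain check assumes accepted-domain objects shaped like the output of `Get-AcceptedDomain` (`DomainName`, `MatchSubDomains`).

```powershell
# Added example. Test-RedirectionDomain is a hypothetical helper, not a
# Migration Manager or Microsoft cmdlet.
function Test-RedirectionDomain {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [object[]] $AcceptedDomain,  # needs DomainName, MatchSubDomains
        [string[]] $MxHost = @()                            # MX targets seen from the Internet
    )
    $name     = $Domain.Trim().TrimEnd('.').ToLowerInvariant()
    $problems = @()

    foreach ($entry in $AcceptedDomain) {
        $accepted = "$($entry.DomainName)".TrimStart('*', '.').ToLowerInvariant()
        $exact    = $name -eq $accepted
        # An accepted domain with MatchSubDomains also claims every child domain.
        $child    = $entry.MatchSubDomains -and $name.EndsWith(".$accepted")
        if ($exact -or $child) {
            $problems += "covered by tenant accepted domain '$accepted'"
        }
    }
    if (-not $MxHost) {
        $problems += 'no MX record visible from the Internet'
    }

    [pscustomobject]@{
        Domain   = $name
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample data. In a live session the inputs would come from:
#   $accepted = Get-AcceptedDomain                      # Exchange Online PowerShell
#   $mx = (Resolve-DnsName $d -Type MX -Server <public resolver>).NameExchange
$accepted = @(
    [pscustomobject]@{ DomainName = 'contoso.example';      MatchSubDomains = $false }
    [pscustomobject]@{ DomainName = 'corp.contoso.example'; MatchSubDomains = $true  }
)

# Passes: not an accepted domain, MX present.
Test-RedirectionDomain -Domain 'source.contoso.example' -AcceptedDomain $accepted -MxHost 'mx1.source.contoso.example'
# Fails: exact match with a tenant accepted domain.
Test-RedirectionDomain -Domain 'contoso.example' -AcceptedDomain $accepted -MxHost 'mx1.contoso.example'
# Fails twice: child of a MatchSubDomains entry, and no MX supplied.
Test-RedirectionDomain -Domain 'eu.corp.contoso.example' -AcceptedDomain $accepted
```

Query MX through a public resolver rather than internal DNS, since the requirement is reachability from the Internet.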

Troubleshooting Migration to Microsoft Office 365

During the migration, a variety of issues may occur. This section describes some common problems and how to solve them, as follows:

Managing Migration Agent for Exchange

Migration Agent for Exchange is the central component in the Office 365 migration workflow. To manage the Migration Agent for Exchange, perform the following:

  1. In Agent Management of Migration Manager for Exchange, select the agent host where Migration Agent for Exchange (abbreviated to MAgE) is installed.
  2. Select the Migration Agent for Exchange entry in the agent list below.
  3. Use the commands in the Migration Agent for Exchange section of the Actions pane to control the agent and view its log.

Caution:

  • If the agent consistently fails to start, try reinstalling it. To do so, use the Repair Agent action item.
  • Ensure that no more than three instances of Migration Agent for Exchange are used for migration to a single Microsoft Office 365 tenant.
