Directory Synchronization with cutover migration

Anonymous
2015-07-28T00:12:36+00:00

Hi,

I am planning to deploy Cutover migration and have some questions (Using Exchange 2010):

  1. I need to maintain Active Directory on premises after I do the cutover migration. At what stage do I have to implement AD FS 2.0 and the Directory Synchronization tools? Is it after the cutover migration batch has successfully synced, before routing emails directly to Office 365, or is it after the MX record change? 
  2. Can you please confirm that, after I install the Microsoft Online Service Directory Sync tool, I can manage user accounts through Active Directory on premises? 
  3. Can I change the password for the on-premises network and Office 365 using Active Directory Sync, or do I need to use the Password Sync feature? I need to allow users to change their Active Directory password through 365. What method should I use: "Password synchronization" and "Password write-back", or just the password sync? 
  4. Please confirm that if I enable Password synchronization in AD Sync, I can't use SSO (Single Sign-on), which only means Office 365 Business Essential users need to log in to access their webmail.
  5. Do I need AD FS 2.0 to install the ADSync tool even without SSO?
  6. Please point me in the right direction on "create empty mail-enabled security group in Office 365" during cutover migration.
  7. How do I copy across distribution groups and room mailboxes in the cutover process?

Thanks,

Mitesh

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Anonymous
2015-07-29T20:48:36+00:00

Hi Mitesh,

You can deploy SSO/ADFS/DirSync after the migration batch is completed and MX is changed. For the other queries, please check my answers below:

 Q: Please confirm that if I enable Password synchronization in AD Sync, I can't use SSO (Single Sign-on), which only means Office 365 Business Essential users need to log in to access their webmail.

 A: Password sync is a feature included in AAD Sync, which won’t affect ADFS/SSO (ADFS is a way to achieve SSO). When you have DirSync/AAD Sync and SSO/ADFS enabled, users will be authenticated via the on-premises AD. If SSO/ADFS is not enabled, then users can use the credentials (synced from on-premises via DirSync/AAD Sync/Password) to sign in to Office 365 against Office 365 instead of the on-premises AD.

 Q: Do I need AD FS 2.0 to install the AAD Sync tool even without SSO?

 A: As I’ve said above, ADFS is a way to achieve SSO, so if you don’t intend to deploy SSO, then you don’t need to deploy ADFS. AAD Sync/DirSync is required in SSO/ADFS, but we can use AAD Sync/DirSync independently.

 Q: Please point me in the right direction on "create empty mail-enabled security group in Office 365" during cutover migration.

 A: If you already have the mail-enabled security groups created in the on-premises Exchange server, then they will be migrated to Exchange Online automatically via the cutover migration batch. If not, then we can create the group directly in EAC (Exchange Admin Center) via: https://outlook.office365.com/ecp/ (EAC > recipients > groups).

 Q: How do I copy across distribution groups and room mailboxes in the cutover process?

 A: Distribution groups and room mailboxes will be migrated to Exchange Online automatically via the cutover migration batch. If you don’t see that the room mailboxes have been migrated, you can convert the room mailboxes to user mailboxes first in the on-premises Exchange server before migrating, then convert them back in Exchange Online after the migration is completed.

3 additional answers

  1. Anonymous
    2015-08-01T19:42:27+00:00

    Hi Mitesh,

    Have you checked the information above? Please post back at your convenience if you need further assistance.

  2. Anonymous
    2015-07-28T21:29:27+00:00

    Q1. cont " it’s recommended that you deploy SSO/ADFS/DirSync after the cutover migration is completed."

    Is it after MX record change or after the migration batch successfully synced (before modify MX record)?

    If you could also reply to my questions 4 - 7.

    Thanks,

    Mitesh Sudan

  3. Anonymous
    2015-07-28T04:58:06+00:00

    Hi MiteshSudan,

    I’ll try to answer your questions in turn:

    Q: I need to maintain Active Directory on premises after I do the cutover migration. At what stage do I have to implement AD FS 2.0 and the Directory Synchronization tools? Is it after the cutover migration batch has successfully synced, before routing emails directly to Office 365, or is it after the MX record change?

    A: It’s recommended that you deploy SSO/ADFS/DirSync after the cutover migration is completed. For the details, please refer to: https://community.office365.com/en-us/w/exchange/835.cutover-exchange-migration-and-single-sign-on.

    Q: Can you please confirm that, after I install the Microsoft Online Service Directory Sync tool, I can manage user accounts through Active Directory on premises?

    A: Yes, after the on-premises users are linked with the Office 365 users, we can manage the user accounts via the on-premises AD. If you want to manage the Exchange-related attributes, you will need to maintain at least one Exchange server on-premises for management purposes.

    Q: Can I change the password for the on-premises network and Office 365 using Active Directory Sync, or do I need to use the Password Sync feature?

    A: If you have ADFS/SSO enabled, all the federated users are authenticated on-premises, which means the users will need to use the on-premises credentials to log into Office 365. If you don’t have ADFS/SSO enabled and you only have DirSync/AAD Sync deployed, then we will need to enable the password sync feature in order to sync the on-premises credentials to Office 365.
