This is a quick guide how to set up Office 365 according to Microsoft best practice. This is what the setup looks like:

This is what you need:

• Windows Server 2008 R2 for DirSync.
• Windows Server 2008 R2 for ADFS federation. This can be a domain controller.
• Windows Server 2008 R2 for ADFS federation proxy in DMZ. This can be an IIS.
• Account to log into these machines. This account needs to be local admin to be able to install DirSync and ADFS.
• Account that is member of Enterprise Admins. This account is needed to configure DirSync. A service account, MSOL_AD_SYNC, is created in Users container.
• Active Directory service account for ADFS, e.g. ADFS2SVC.
• SSL certificate for ADFS, e.g. fs.powerkjell.com. This certificate needs to be added to IIS of both ADFS and ADFS proxy servers.
• External DNS record for fs.powerkjell.com to point at ADFS proxy. In internal DNS it should point at internal ADFS.

Information about setting up DirSync: http://technet.microsoft.com/en-us/library/hh967642.aspx

• Remember to check your environment using Microsoft Deployment Readiness Tool and to activate DirSync using https://portal.microsoftonline.com. This may take up to 24 hours to apply. Read more about preparations here: http://technet.microsoft.com/en-us/library/jj151831.aspx
• Create a sync account in Office 365 and set the alternative e-mail address to a monitored address for catching DirSync errors.
• Do not start DirSync immediately in case you need to configure DirSync: http://technet.microsoft.com/en-us/library/hh967629.aspx
• Make sure you understand mapped attributes: http://support.microsoft.com/kb/2256198/en-us

Read more about SSO with ADFS: http://technet.microsoft.com/en-us/library/hh967628.aspx

• Make sure you have the service account created.
• Make sure you have the SSL certificate available.
• You may need an account with higher priviledges when configuring ADFS on first server, since it creates a container in Active Directory.
• Make sure DNS records are correct. ADFS proxy needs to finns ADFS on fs.powerkjell.com.
• Run the Powershell commands to create a trust to Office 365 from ADFS (not ADFS proxy).

According to the recommendations from Microsoft you need load balanced ADFS and ADFS proxy servers, which means they should be at least two on each side.

Good luck!

This checklist is for the Live@edu to Office 365 for education transition, with FIM agent and Single sign-on using federation.

• Create a testdomain.
• Add a public domain, such as test.yourdomain.com.
• Configure the FIM agent for the test domain and create a few accounts. Make sure the UPN is the same in your AD as in Office 365 (e.g. test.yourdomain.com).
• Set up SSO with ADFS or Shibboleth.
• Verify the functionality.
• Upgrade the Live@edu domain.
• Make sure the UPN is correct for the upgraded users or fix it with Powershell.
• Switch the FIM agent to the former Live@edu domain.
• Configure the federation for the former Live@edu domain.
• Kill the test domain.

Most of this information is collected at the community, and it is recommended to read the section about Single sign-on.