3. Federating with Online Services
Federation and federated delegation are also used in a cross-premises scenario, where an organization hosts some mailboxes on-premises and others in the Exchange Online service. Federated delegation through the MFG provides free/busy sharing, full calendar sharing, and mailbox moves between on-premises Exchange servers and Exchange Online. Single Sign-On (SSO) to mailboxes hosted in Exchange Online with your on-premises Active Directory credentials is provided via the MFG by deploying AD FS 2.0 on-premises, in addition to the Microsoft Federation Gateway federation trust configured in Exchange Server 2010. The relationship between the various components of federation and Exchange Online is depicted in Figure 5.
Another point to keep in mind is that the configuration of DNS for proof of ownership for federation is separate from that required when you create an accepted domain for your Exchange
Online tenant organization. Even if you have proven ownership for that
domain when configuring it as an accepted domain for Exchange Online, your DNS must still be updated with a TXT record for that domain for the purposes of federation.
Configuring an organization relationship with your Exchange Online tenant organization is similar to configuring one with any other external organization. When you create the organization relationship with the New-OrganizationRelationship cmdlet, the Exchange Online tenant domain that you specify must be configured in the federated organization identifier of the Exchange Online tenant organization. You must also configure an organization relationship in the Exchange Online tenant organization for your on-premises organization before federated delegation can be used between the two; this is the same requirement as for establishing federated delegation between your organization and any other external Exchange organization.
Matthias Leibmann
Program Manager, Microsoft, Redmond, WA
For federation with Exchange
Online in cross-premises scenarios, we recommend that you utilize a
sub-domain of "exchangedelegation.<your primary SMTP domain>" using the Set-FederatedOrganizationIdentifier
cmdlet with the AccountNamespace parameter to avoid namespace conflicts
with the Exchange Online tenant namespace. Then add <your primary SMTP domain> as an additional URI to the federated organization identifier using the Add-FederatedDomain cmdlet. You would set your account namespace as shown in this example:
Set-FederatedOrganizationIdentifier -AccountNamespace exchangedelegation.fabrikam.com -DelegationFederationTrust "name_of_trust"
Then you configure your primary SMTP domain, as shown in this example:
Add-FederatedDomain -DomainName fabrikam.com
Keep in mind that both your primary SMTP domain and the sub-domain configured with the AccountNamespace parameter require a TXT record for proof of ownership.
As with configuring any other organization relationship, you can retrieve the necessary information from the tenant organization via Autodiscover and use it to create the relationship with the Exchange Online tenant organization by piping the output of the Get-FederationInformation cmdlet to the New-OrganizationRelationship cmdlet, as the following example shows:
Get-FederationInformation -DomainName <tenant domain> | New-OrganizationRelationship -Name "Tenant Domain"
If the preceding command fails, Autodiscover may not be configured for the Exchange Online tenant organization. In that case, you can try creating the organization relationship with the New-OrganizationRelationship cmdlet and the -TargetAutodiscoverEpr parameter. If that is not successful either, and the causes of the Autodiscover failure cannot be fixed, as a last resort you may have to specify the -TargetSharingEpr and -TargetApplicationUri parameters manually to create the organization relationship.
Creating the organization relationship in the Exchange Online tenant organization for your on-premises organization is similar to the above; again, the easiest approach is to obtain the information for the relationship with the Get-FederationInformation cmdlet and pipe it to the New-OrganizationRelationship cmdlet, as the following example shows:
Get-FederationInformation -DomainName <on-premises domain> | New-OrganizationRelationship -Name "OnPremisesDomain"
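The following script is an added example and is not code from the original article or from Microsoft's documentation. It strings together the steps above into one Exchange Management Shell run on an Exchange 2010 SP1 server that already has a federation trust with the Microsoft Federation Gateway: the sub-domain account namespace and additional federated domain recommended in the sidebar, a check that both proof-of-ownership TXT records are actually visible in public DNS before the relationship is created, the Autodiscover-first creation of the organization relationship with the two fallbacks described in the text, and the end-to-end tests. The values fabrikam.com, "Microsoft Federation Gateway", fabrikam.onmicrosoft.com, and alice@fabrikam.com are assumptions standing in for your own domain, trust name, tenant domain, and test mailbox; the property name Proof on the Get-FederatedDomainProof output is as documented for Exchange 2010 SP1.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Assumed values: replace all of them with your own.
$PrimaryDomain    = "fabrikam.com"                       # on-premises primary SMTP domain (assumed)
$AccountNamespace = "exchangedelegation.$PrimaryDomain"  # sub-domain used as account namespace
$TrustName        = "Microsoft Federation Gateway"        # name of the existing federation trust (assumed)
$TenantDomain     = "fabrikam.onmicrosoft.com"           # Exchange Online tenant domain (assumed)
$RelationshipName = "Exchange Online Tenant"
$TestUser         = "alice@$PrimaryDomain"               # on-premises mailbox for the final tests (assumed)

# Step 1: put the account namespace on a sub-domain so it cannot collide with the tenant's namespace.
Set-FederatedOrganizationIdentifier -AccountNamespace $AccountNamespace `
    -DelegationFederationTrust $TrustName -Enabled $true

# Step 2: add the primary SMTP domain as an additional federated domain.
Add-FederatedDomain -DomainName $PrimaryDomain

# Step 3: both names need their own proof-of-ownership TXT record. Get-FederatedDomainProof derives
# the value from the trust's certificate; publish what it prints, then confirm it is resolvable from
# the public Internet before going further. nslookup is used because Resolve-DnsName does not exist
# on Windows Server 2008 R2.
function Test-FederationProofPublished {
    param([string]$Domain, [string]$ExpectedProof)
    $answer = & nslookup -type=TXT $Domain 2>$null | Out-String
    return $answer.Contains($ExpectedProof)
}
foreach ($domain in @($AccountNamespace, $PrimaryDomain)) {
    $proof = Get-FederatedDomainProof -DomainName $domain
    Write-Host "TXT record to publish for $domain : $($proof.Proof)"
    if (-not (Test-FederationProofPublished -Domain $domain -ExpectedProof $proof.Proof)) {
        throw "Proof TXT record for $domain is not visible in public DNS yet; publish it and re-run."
    }
}

# Endpoints for the manual fallbacks come from the tenant administrator; none are guessed here.
# Federated delegation presents MFG-issued tokens to these endpoints, so plain HTTP is refused.
function Read-HttpsUri {
    param([string]$Prompt)
    $u = [Uri](Read-Host $Prompt)
    if ($u.Scheme -ne "https") { throw "Refusing non-HTTPS endpoint $u" }
    return $u
}

# Step 4: organization relationship to the tenant. Autodiscover first, then an explicit Autodiscover
# endpoint, then fully manual endpoints, in the order the article gives. Free/busy access is
# deliberately limited to LimitedDetails: grant the least access the scenario needs.
$common = @{
    Name                  = $RelationshipName
    FreeBusyAccessEnabled = $true
    FreeBusyAccessLevel   = "LimitedDetails"
    MailboxMoveEnabled    = $true
    ErrorAction           = "Stop"
}
try {
    Get-FederationInformation -DomainName $TenantDomain -ErrorAction Stop |
        New-OrganizationRelationship @common
}
catch {
    Write-Warning "Autodiscover discovery for $TenantDomain failed: $($_.Exception.Message)"
    $autodiscoverEpr = Read-HttpsUri "Tenant Autodiscover EPR (https://...)"
    try {
        New-OrganizationRelationship @common -DomainNames $TenantDomain `
            -TargetAutodiscoverEpr $autodiscoverEpr
    }
    catch {
        Write-Warning "Explicit Autodiscover endpoint failed as well; falling back to manual endpoints."
        $sharingEpr     = Read-HttpsUri "Tenant EWS sharing EPR (https://...)"
        $applicationUri = Read-Host "Tenant application URI"
        New-OrganizationRelationship @common -DomainNames $TenantDomain `
            -TargetSharingEpr $sharingEpr -TargetApplicationUri $applicationUri
    }
}

# Step 5: end-to-end checks. The tenant side must also have created its own relationship back to
# fabrikam.com (the same pipe, run from the tenant's shell) before free/busy will actually flow.
Test-FederationTrust -UserIdentity $TestUser
Test-OrganizationRelationship -Identity $RelationshipName -UserIdentity $TestUser
```

The DNS check in step 3 is the part most often skipped in practice: Add-FederatedDomain and Set-FederatedOrganizationIdentifier succeed locally whether or not the TXT record exists, and the failure only surfaces later when the MFG refuses to issue tokens for the domain, so verifying the published record up front saves a confusing troubleshooting session.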