Sign up for Office 365
Learn more about Office 365
Applies to: Live@edu Upgrade to Office 365
In Microsoft Office 365, single sign-on is implemented differently than in Microsoft Live@edu. In Office 365, single sign-on uses identity federation rather than the Live@edu SSO Toolkit.
There are two ways to implement federation:
Important: When you are ready to set up identify federation in Office 365, follow the process in this topic, rather than the general Office 365 instructions. The order of installing the tools is different, because your upgraded domain already has users.
Update the SSO Toolkit to maintain single sign-on access
Before the upgrade
After the upgrade
Set up AD FS 2.0 federation for Office 365
Set up Shibboleth federation for Office 365
An update to the Live@edu SSO Toolkit is available as an interim single sign-on solution in Office 365 for domains that are currently using the SSO Toolkit. The updated SSO Toolkit will be supported until December 31, 2014. At that point, you need to implement federation to continue having single sign-on functionality.
Important: The SSO Toolkit will stop working during the upgrade to Office 365 if you have not updated to version 4.5. Apply the update before the upgrade to prevent any interruption in single sign-on to Outlook Web App for your users during and after the upgrade, and to provide single sign-on access to Office 365 services.
The following table summarizes the user sign-in experience after updating the SSO Toolkit. Note that even after updating the SSO Toolkit, SSO access is not available after the upgrade for:
* SharePoint Online and Lync Online are available with plan A2 or higher.
** The changes take place at the Assign license step. During the upgrade, you can check which step of the upgrade you're on by going to the Live@edu Service Management Portal.
During the upgrade, each Live@edu account becomes two separate accounts. Because the upgrade changes the Microsoft accounts to be personal accounts rather than associated with your educational institution, you can no longer provide single sign-on access to SkyDrive and you can no longer set passwords for your users’ Microsoft accounts.
If you have not given your users their Live@edu password, provide your users with the following instructions:
Unlike in Live@edu, Office 365 has a default password expiration policy of 90 days and requires newly created users to reset their password on first sign-in by default.
Important In order to prevent your users from not being able to access Office 365 services, we recommend using Windows Azure Active Directory PowerShell for the following scenarios:
Users upgraded from Live@edu
For users upgraded from Live@edu, configure their passwords to never expire by using the Windows Azure Active Directory Set-MsolUser cmdlet.
Reset a user password
To reset a user password, use the Windows Azure Active Directory Set-MsolUserPassword cmdlet.
Create a new user in Office 365
To create a new user in Office 365, use the Windows Azure Active Directory New-MsolUser cmdlet.
For information about differences between using Windows PowerShell in Live@edu and Office 365, see Windows PowerShell.
The SSO Toolkit will only be supported on Office 365 until December 31, 2014, so you must implement federation before then.
There are two ways to implement federation:
Whether you plan to start using federation immediately after upgrading from Live@edu or to implement it later, we recommend that you first build and test federation with a trial Office 365 domain. After testing federation with a trial domain, you can quickly switch federation over to your production domain.
If you want to switch to federation immediately after the upgrade from Live@edu to Office 365, there are some tasks you can do prior to the upgrade to Office 365. Otherwise, all the federation set-up steps can be done after the upgrade to Office 365.
Important: If you are currently using the Live@edu SSO Toolkit, you must update the SSO Toolkit to version 4.5 before the upgrade from Live@edu to Office 365 to prevent there being a time period with no single sign-on service. This update is required even if you plan to switch to federation immediately after the upgrade.
Build and test Shibboleth on an Office 365 trial tenant.
1 out of 2 people found this post helpful.
Very helpful, thanks MS!
This is a useful high-level guide, but there's one aspect that is a little unclear to me: If you are implementing federation, is it necessary to set user account passwords to not expire? I'm assuming that this is only necessary if you are do not deploy AD FS immediately after the upgrade (i.e. within 3 months).