Office 365 is fantastic in many ways and well worth the invested time and effort, but… just follow a few simple rules and it will be a lot easier for you.
Let me tell you, I learned the hard way. We were testing Office 365 before deployment and actually went as far as implementing Active Directory Federation Services (ADFS). It was an interesting journey due in part to the complexity and also at the time the lack of comprehensive documentation on setting up ADFS on Server 2012 R2. Without one or two solid well written sources to refer to, an admin is really going to have a tough time. Microsoft’s own documentation was spotty at best.
We set up ADFS to support SSO on the corporate network, and later it was determined that SSO may cause problems with certain systems in the field, so we disabled it. As we had tested DirSync before moving on to the “more robust” ADFS, we decided that DirSync was a better fit, and while it was much, much easier to implement, it is a nuisance to uninstall. ADFS was set up and working, but there were too many errors and inconsistent behaviors. We involved Microsoft escalation engineers and one of them, although well intentioned, made a slight mess of our DNS for a minute there. After that experience we were ready to throw in the towel.
The decision was made to completely uninstall ADFS from our local servers, but I did not disconnect the account from the Azure tenant (the link is set up with PowerShell during the initial ADFS implementation). I was basing my actions on my DirSync experience: once you disable sync on the tenant and uninstall it on your server, it’s pretty much gone. So, unbeknownst to me, the Azure tenant was still expecting to communicate with the local servers and our account was essentially locked. As we no longer had the AD sync and did not retain any Global Administrator cloud-only accounts, the only way to unlock it was to contact Microsoft Support (again). Unless you have a Global Administrator account that is cloud-only, you will be unable to access a compromised account.
The tip of the century for Office 365 from one of the Microsoft escalation engineers: have at least one Global Administrator account that is cloud-only so if something goes wrong you have a way out. And you should set the cloud admin account password to never expire to avoid any issues when there is an outage or your account is compromised somehow. If the worst happens when your password is in need of a reset, it will not work when the only connection you have to your tenant is through PowerShell without a way to reset the password. Gotcha! Also note that for security reasons the Microsoft support team has no access to your private account information either, therefore you are out of luck. The best they can do is send a reset email to the Global Admin account recovery email (if you get this far down the path you’d better hope you set that up correctly too).
How-to Set an Admin Password to Never Expire (Microsoft Article)
Connect to Windows PowerShell by using your admin credentials. Run the following cmdlet:
To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:
Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true
Other best practices suggestions for deploying Office 365 in an enterprise environment:
- Set up 2 backup Global Admin cloud-only accounts (with the *.onmicrosoft.com ending) that are not regularly used by admins
- Avoid assigning valuable product licenses for these or other admin user accounts
- Set the backup Global Admin cloud-only accounts password to never expire
- Install Windows Azure Active Directory Sync (DirSync) to easily synchronize your AD
- Keep an eye on the default domain name that the system automatically generates for you when you set up your account
- Do not install OnRamp on a server, the tool should only be installed on a workstation
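An added example, not part of the original post or of Microsoft's article, that turns the password-never-expire how-to and the first three best-practice items above into a single MSOnline PowerShell audit: it lists every Global Administrator, reports whether each is cloud-only (never written by DirSync, *.onmicrosoft.com UPN), whether its password can expire, and whether it carries licenses. It assumes the MSOnline module is installed and Connect-MsolService has already been run with admin credentials; the warning threshold of 2 accounts mirrors the post's recommendation.

```powershell
# Added example (not from the original post): audit Global Administrators for
# cloud-only break-glass accounts and report the settings the post recommends.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.

Import-Module MSOnline -ErrorAction Stop

# In the MSOnline module the Global Administrator role is named "Company Administrator".
$role    = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All

$report = foreach ($m in $members) {
    # Role members can be users or service principals; only users matter here.
    if ($m.RoleMemberType -ne "User") { continue }
    $u = Get-MsolUser -ObjectId $m.ObjectId

    # An account that DirSync never wrote and that lives in the tenant's own
    # *.onmicrosoft.com domain is not federated to ADFS, so it still signs in
    # when the on-premises link is broken, which is the point of a backup admin.
    $cloudOnly = ($null -eq $u.LastDirSyncTime) -and
                 ($u.UserPrincipalName -like "*.onmicrosoft.com")

    [pscustomobject]@{
        UserPrincipalName    = $u.UserPrincipalName
        CloudOnly            = $cloudOnly
        PasswordNeverExpires = $u.PasswordNeverExpires
        LicenseCount         = @($u.Licenses).Count
        BlockCredential      = $u.BlockCredential
    }
}

$report | Format-Table -AutoSize

# Flag the gaps the post warns about: too few usable cloud-only admins,
# cloud-only admins whose password can still expire, and admins holding licenses.
$breakGlass = $report | Where-Object { $_.CloudOnly -and -not $_.BlockCredential }
if (@($breakGlass).Count -lt 2) {
    Write-Warning "Fewer than 2 cloud-only Global Admins exist; create backup accounts."
}
foreach ($b in $breakGlass) {
    if (-not $b.PasswordNeverExpires) {
        Write-Warning "$($b.UserPrincipalName) has an expiring password; fix with:"
        Write-Warning "  Set-MsolUser -UserPrincipalName $($b.UserPrincipalName) -PasswordNeverExpires `$true"
    }
    if ($b.LicenseCount -gt 0) {
        Write-Warning "$($b.UserPrincipalName) holds $($b.LicenseCount) license(s); admin accounts should not."
    }
}
```

Run it from a workstation after connecting, and keep the report with your tenant documentation so the backup accounts' state is re-checked before any federation change.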