Most of the talk about cloud security and cloud identity has been directed at the cloud service provider and applications, and the various methods your company can use to provide single sign-on (SSO) and identity security working with these apps. At the same time, we shouldn’t neglect the state of our own identity and access management (IAM) infrastructure. Is it ready to handle the new requirements and challenges that federation and cloud services will put on it? Fortunately, there’s a free tool available to help you assess this.
Preparing your identity and access infrastructure to interact with web services via federation is a topic worthy of exploring in some detail, which I’ll be doing in an upcoming article. In this column, I want to focus on a utility Microsoft developed to make migration to its Office 365 SaaS suite easier. The Microsoft Office 365 Deployment Readiness Tool (a name apparently untouched by anyone in Marketing)—currently in beta—does exactly what the name says: It analyzes different aspects of your current environment to determine if there are any major road blocks to deploying Office 365.
What the Tool Does
Whether or not you’re planning to use Office 365, don’t stop reading! Everyone with an Active Directory (AD) forest should run this tool as a free, quick, and easy way to check the consistency of his or her AD data. It’s also a great tool for system integrators to run a quick check on a customer’s AD environment to quickly gauge the complexity of what they’re getting into.
The Office 365 Deployment Readiness Tool makes assessments in seven sections: Domains, User Identity and Account Provisioning, Exchange Online, Lync Online, SharePoint Online, Client and End User Experience, and Network. Which assessments you care about depends on which, if any, Office 365 components you’re planning to deploy. If you’re just looking to run the tool against your forest to see what errors it flags, you’ll care about the Domains, User Identity and Account Provisioning assessments. Because this is a column about enterprise identity, we’ll focus on these assessments.
Designed by former Microsoft Consulting Services engineers, the tool performs a comprehensive suite of tests against your AD and SSO environment. One of the main purposes of the AD-related assessments is to check how well your AD implementation would work with Office 365’s Directory Synchronization Tool. DirSync is a critical Office 365 component, running on a dedicated server in your environment, that integrates your on-premises directory information—users, groups, and contacts—with the Office 365 infrastructure in the cloud. With DirSync, you make all changes to your users, groups, and contacts in your own AD environment, and the updates are synchronized with the Office 365 cloud. DirSync is also necessary to provide an SSO experience for your users.
The first questions you should ask about this tool are, “How intrusive is it?” and “Does it require any administrative rights?” The answer to the first question is: No, it’s not intrusive. It’s been tested with customers who have very large AD installations of more than 300,000 users, so it scales to large environments without interfering with daily operations. The answer to the second question is: No…ish. Read on for more detail.
Running the tool is simple; in fact, it’s disconcertingly simple. When you unzip and run office365deploymentreadinesstool.exe, you expect the Welcome screen of the tool’s installation wizard. But there’s no welcome screen: The tool has already begun analyzing your environment. (It feels vaguely like malware.)