Planning, prerequisites and firewall ports for your Microsoft Teams integration

This topic provides an overview of the Pexip Teams Connector architecture, your deployment environment options, and all certificate, network and firewall considerations and requirements.

You can then install your Teams Connector as described in Installing and configuring the Teams Connector in Azure.

Architecture overview

The Pexip Teams Connector must be deployed in Microsoft Azure. The Teams Connector handles all Teams communications and meeting requests from the Pexip Infinity platform and passes them on to the Microsoft Teams environment.

The dedicated Pexip Teams Connector application ensures control and ownership for organizations with stringent regulatory compliance requirements.

The diagram below shows the Teams Connector components that are deployed in Azure, and how they interact with the Pexip Infinity platform and Microsoft Teams. The Azure Virtual Machine scale set (VMSS) allows the Pexip application to run across a group of identical, load balanced VMs. You do not have to set up these Azure components individually — they are all created as part of the Teams Connector deployment process.

Teams Connector components

Pexip Infinity platform

While the Teams Connector must be deployed in Microsoft Azure, the Pexip Infinity platform can be installed in any supported environment such as on-premises or in a public or hybrid cloud (which would typically be Microsoft Azure when integrating with Microsoft Teams).

On-premises deployment

The Pexip Infinity platform can be deployed on-premises with public-facing Conferencing Nodes used to connect to the Pexip Teams Connector in Azure.

Teams Connector deployed in Azure and Infinity platform deployed on-premises

In this example deployment, external endpoints and federated systems, as well as on-premises devices can all connect to Teams conferences via the Pexip DMZ nodes.

Cloud-hosted deployment

The Pexip Infinity platform can be deployed in a dedicated public or hybrid cloud within your own cloud subscription, providing full control over your environment.

Teams Connector and Infinity platform deployed in Azure

Here, external endpoints, federated systems and on-premises devices can all connect to Teams conferences via the cloud-hosted Pexip Infinity nodes. You could use any supported cloud service but you would typically deploy your Conferencing Nodes in Microsoft Azure alongside your Pexip Teams Connector.

Including third-party call control

The Pexip Teams Connector and the Pexip Infinity platform can both be deployed in Azure with an on-premises, third-party call control system.

Teams Connector and Infinity platform deployed in Azure with third-party call control

If you have a third-party call control system that you want to retain, it can be configured to connect your on-premises systems to the cloud-hosted Pexip Infinity platform.

Pexip Infinity has a close integration with Microsoft Teams and uses Teams APIs and Microsoft SDKs to provide Infinity’s interoperability features. Even though Pexip strives to maintain backwards compatibility between older versions of Pexip Infinity and the latest release of Microsoft Teams, to ensure compatibility with the latest updates to Teams we recommend that you aim to keep your Pexip Infinity deployment up-to-date with the latest Pexip Infinity software release. If, for example, you have a large Pexip deployment for non-Teams related services, and you have stringent upgrade procedures meaning that you do not always keep your Infinity software up-to-date with the latest release, you may want to consider deploying a second instance of the Pexip Infinity platform that is dedicated to your Teams interoperability requirements, and which can be managed separately and upgraded more frequently.

See Pexip Infinity installation guidelines for complete information about all of the platforms into which you can deploy the Pexip Infinity platform, and Configuring Pexip Infinity as a Microsoft Teams gateway for specific instructions about how to integrate Pexip Infinity with the Teams Connector.

Preparing your Azure environment, regions and capacity planning

This section lists the various preparation steps you must perform before starting your Teams Connector installation into Azure.

Obtain an Azure subscription and an Azure tenant ID

Ensure that you have an Azure subscription and an Azure tenant ID for your Teams Connector deployment.

Most of the installation steps can be performed by somebody with Contributor permissions for the Azure subscription. However, there is one step that the Owner of the Azure subscription must perform (see Azure permissions requirements for more information).

Decide Azure deployment region(s) and check quota

Decide in which Azure region you want to deploy the Teams Connector. Large enterprises may want to install a Teams Connector in multiple regions.

  • The Azure region must support Automation and Fs series instance types.

    See Azure automation for more information about Automation, and Azure product availability by region.

  • Ensure that you have sufficient resource quota and capacity for your region and instance types.

    By default, Azure Resource Manager virtual machine cores have a regional total limit and a regional per series limit, that are enforced per subscription. Typically, for each subscription, the default quota allows up to 10-20 CPU cores per region and 10-20 cores per series.

    The allocated quota may be increased by opening a support ticket with Microsoft via the Azure Portal. Based on your capacity requirement, you should request a quota increase for your subscription. Ensure that you request a sufficient number of CPU cores. Each Teams Connector instance will use 4 vCPU of type Fs-series. Thus, for example, if 6 Teams Connector instances are required, then the quota must be increased to 4 cores x 6 Fs-series instances = 24 CPU cores of type Fs-series. However, we strongly recommend that you request a quota covering more than the minimum, such as 40 cores, to allow for an increase in the future. It may take a number of days for the quota increase request to be processed. For more information see https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits.

Capacity planning

Contact your Pexip authorized support representative to discuss your call capacity requirements, and how many Teams Connector instances are required.

For information about the Pexip Infinity resources required to route calls to the Teams Connector, see Gateway calls to Microsoft Teams.

Network and certificate requirements

This diagram shows how the main elements in a Microsoft Teams integration communicate with each other and how the connection between each element is validated/authenticated.

Teams communications and network flow

  • You must have one or more publicly-reachable Conferencing Nodes. Those nodes:

    • can be Transcoding Conferencing Nodes or Proxying Edge Nodes
    • can have static NAT and/or dual network interfaces, as the Teams Connector is treated as a lineside connection.
  • The public-facing Conferencing Nodes always communicate with the Teams Connector via public IP, even if they are within the same Azure tenant.
  • The Teams Connector communicates with the Microsoft Teams (O365) backend via public IP; all traffic stays within the Microsoft network.
  • The Teams Connector supports connections over TLSv1.2 only, and does not support RC2, RC4, DES and 3DES ciphers.

In summary, the certificate usage principles are:

  • The Teams Connector and Pexip Infinity validate the connection in both directions by TLS client certificate validation. This means that every certificate’s Enhanced Key Usage properties must be set for both server and client authentication.

  • Public-facing Conferencing Nodes must have a valid publicly-signed PEM-formatted certificate (typically with a .CRT or .PEM extension).
  • The Teams Connector must have a publicly-signed PFX-formatted certificate. Multiple names/certificates are required if deploying Teams Connectors in several regions.

Obtaining and preparing the TLS certificate for the Teams Connector

You must install on the Teams Connector a TLS certificate that has been signed by an external trusted CA (certificate authority).

You need to have this certificate available before you install the Teams Connector.

The certificate must be in Personal Information Exchange Format (PFX), also known as PKCS #12, which enables the transfer of certificates and their private keys from one system to another. It must use RSA keys.

  1. Decide on the FQDN (DNS name) you will use for the Teams Connector load balancer in Azure that will front the Teams Connector deployment e.g. pexip-teamsconn-eu.teams.example.com.

    • This FQDN is what you will use as:

      • the value of $PxTeamsConnFqdn in the variables initialization script
      • the certificate’s subject name
      • the DNS name you will configure in Pexip Infinity (Call Control > Microsoft Teams Connectors > Address Of Teams Connector) later in the process.
    • It can use the same domain space as your Pexip Infinity deployment, or your Teams deployment, or it can use an altogether different domain. In all cases you always need to create the necessary DNS CNAME record(s) and public certificates for the chosen domain.
    • If you intend to deploy other Teams Connectors in other Azure regions, you will need a different DNS name for each Teams Connector and a certificate that matches that identity. You can use a single certificate for this, containing Subject Alternative Name (altNames attribute) entries for all of the regional Teams Connectors.
    • It can be a wildcard certificate, where the wildcard character (‘*’) is the only character of the left-most label of a DNS domain name. Note that Pexip supports RFC 6125 — this means that if you are using subdomains then, for example, a wildcard certificate of *.example.com would match foo.example.com but not bar.foo.example.com or example.com.

    Note that if you subsequently need to replace the certificate that you have installed, you will need to redeploy the Teams Connector.

  2. Request a certificate for that name and generate the certificate in PFX format. Any intermediate certificates must also be in the PFX file.

You can use the Pexip Infinity Management Node to generate a certificate signing request (CSR).

You can use the Pexip Infinity Management Node to convert PEM certificates to PFX format (or vice versa), by uploading a PEM-formatted certificate and then downloading it again in PFX format. When downloading you can also include the private key and all necessary intermediate certificates in the PFX bundle.

Ensuring Conferencing Nodes have suitable certificates

The Conferencing Nodes (typically Proxying Edge Nodes) that will communicate with the Teams Connector must have TLS certificates installed that have been signed by an external trusted CA (certificate authority). If a chain of intermediate CA certificates is installed on the Management Node (to provide the chain of trust for the Conferencing Node’s certificate) those intermediate certificates must not include any HTTP-to-HTTPS redirects in their AIA (Authority Information Access) section.

We recommend that you assign a “pool name” to all of the Conferencing Nodes that will communicate with the Teams Connector. The pool name should be used as a common Subject name on the certificate that is uploaded to each of those Conferencing Nodes. The certificate should also contain the individual FQDNs of each of the nodes in the pool as a Subject Alternative Name on the certificate. This pool name can then be specified on the Teams Connector (the $PxNodeFqdns variable in the initialization script) as the name of the Conferencing Nodes that it will communicate with.

This approach makes it easier to add extra Conferencing Nodes into the pool as they will all present the same certificate/subject name to the Teams Connector. If you add a new Conferencing Node with a name that is not configured on the Teams Connector you will have to redeploy the Teams Connector and specify the new names.

See Certificate and DNS examples for a Microsoft Teams integration for more information and examples about certificates, DNS records and using a “pool name” for Conferencing Nodes.
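The name-matching and EKU rules above (wildcards per RFC 6125, server and client authentication on every certificate, a pool name as the Subject with each node FQDN as a SAN, and $PxNodeFqdns having to match what the nodes present) are easy to get subtly wrong, so here is an added example, written for this page and not Pexip's own code, that encodes them as checks. It models a certificate as just the fields these rules refer to, so it runs without any certificate-parsing library; the names, EKU OIDs (the standard RFC 5280 values for serverAuth and clientAuth) and the helper names are assumptions for illustration.

```python
"""Identity checks for the certificates in a Pexip/Teams Connector integration.
Added example (not Pexip's own code). A certificate is modelled as the handful
of fields the page's rules refer to; in a real deployment you would read these
fields out of the PEM/PFX file."""
from dataclasses import dataclass

# Enhanced Key Usage OIDs (RFC 5280): the page requires both on every certificate.
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


@dataclass(frozen=True)
class CertIdentity:
    subject_cn: str   # Subject common name (the pool name on node certificates)
    san_dns: tuple    # Subject Alternative Name DNS entries
    eku: tuple        # Enhanced Key Usage OIDs present
    key_type: str     # "RSA", "EC", ...


def matches_rfc6125(cert_name: str, hostname: str) -> bool:
    """RFC 6125 matching as the page describes it: a wildcard is only valid as
    the whole left-most label and matches exactly one label, so *.example.com
    matches foo.example.com but neither bar.foo.example.com nor example.com.
    DNS names compare case-insensitively."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return pattern == labels
    # The wildcard must be the entire left-most label, with a real domain after it.
    if pattern[0] != "*" or len(pattern) < 2 or any("*" in l for l in pattern[1:]):
        return False
    return len(labels) == len(pattern) and labels[0] != "" and labels[1:] == pattern[1:]


def covers(cert: CertIdentity, fqdn: str) -> bool:
    """True if the subject CN or any SAN entry matches the FQDN."""
    return any(matches_rfc6125(name, fqdn) for name in (cert.subject_cn, *cert.san_dns))


def eku_problems(cert: CertIdentity) -> list:
    """Both directions are validated with TLS client certificates, so both EKUs are needed."""
    problems = []
    if EKU_SERVER_AUTH not in cert.eku:
        problems.append("EKU lacks server authentication")
    if EKU_CLIENT_AUTH not in cert.eku:
        problems.append("EKU lacks client authentication (needed for mutual TLS)")
    return problems


def check_teams_connector_cert(cert: CertIdentity, px_teams_conn_fqdn: str) -> list:
    """The Teams Connector PFX: RSA key, both EKUs, and a name matching $PxTeamsConnFqdn."""
    problems = eku_problems(cert)
    if cert.key_type != "RSA":
        problems.append(f"key type is {cert.key_type}, the Teams Connector requires RSA")
    if not covers(cert, px_teams_conn_fqdn):
        problems.append(f"certificate does not match {px_teams_conn_fqdn}")
    return problems


def check_node_cert(cert: CertIdentity, pool_name: str, node_fqdns, px_node_fqdns) -> list:
    """A Conferencing Node certificate using the pool-name approach: the CN is the
    pool name, each node FQDN is a SAN, and every name in $PxNodeFqdns on the
    Teams Connector must match this certificate. Returns a list of problems."""
    problems = eku_problems(cert)
    if cert.subject_cn.lower() != pool_name.lower():
        problems.append(f"subject CN {cert.subject_cn} is not the pool name {pool_name}")
    for fqdn in node_fqdns:
        if not covers(cert, fqdn):
            problems.append(f"node {fqdn} is not named in the certificate")
    for name in px_node_fqdns:
        if not covers(cert, name):
            problems.append(f"$PxNodeFqdns entry {name} will not match this certificate")
    return problems


if __name__ == "__main__":
    # Constructed sample values: placeholder names, not a real deployment.
    node_cert = CertIdentity("px-edge-pool.example.com",
                             ("px-edge-pool.example.com", "edge1.example.com", "edge2.example.com"),
                             (EKU_SERVER_AUTH, EKU_CLIENT_AUTH), "RSA")
    # edge3 is a node added after the certificate was issued, so it is reported.
    print(check_node_cert(node_cert, "px-edge-pool.example.com",
                          ["edge1.example.com", "edge3.example.com"],
                          ["px-edge-pool.example.com"]))
```

The last case in the usage block is the situation the text warns about: a node whose name is not on the certificate (or not in $PxNodeFqdns) is flagged, which is the point at which the Teams Connector would need to be redeployed with the new names.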

Firewall ports for the Teams Connector and NSG rules

The following table lists the ports/protocols used to carry traffic between the Teams Connector components and Microsoft Teams (O365), your public-facing Conferencing Nodes (typically Proxying Edge Nodes) and any management networks.

Source address | Source port | Destination address | Destination port | Protocol | Notes
--- | --- | --- | --- | --- | ---
Conferencing Nodes | | | | |
Conferencing Nodes | 33000–39999 * | Teams Connector load balancer, Teams Connector instance | 443 | TCP | Signaling
Conferencing Nodes | 40000–49999 * | Teams Connector instance | 50000–54999 | UDP | Call media
Teams Connector components | | | | |
Teams Connector instance | ephemeral | Microsoft Teams (O365) | | TCP | Signaling
Teams Connector instance | ephemeral | Conferencing Nodes | 443 | TCP | Signaling
Teams Connector instance | 50000–54999 | Conferencing Nodes | 40000–49999 * | UDP | Call media
Teams Connector instance | 55000–59999 | Microsoft Teams (O365) | | UDP | Call media
Teams Connector instance | ephemeral | OCSP responder | 80 | TCP | Certificate revocation checking
Teams Connector instance | ephemeral | Windows update servers | 80/443 | TCP | Windows updates
Microsoft Teams (O365) | | | | |
Microsoft Teams (O365) | | Teams Connector load balancer | 10000–10399, 10500–10899, 11000–11399 | TCP | Signaling
Microsoft Teams (O365) | | Teams Connector instance | 55000–59999 | UDP | Call media
Management | | | | |
Management workstation | | Teams Connector load balancer | 50000–50399 | TCP | Only enabled for any workstation addresses specified during Teams Connector installation
Management workstation | | Teams Connector instance | 3389 | TCP | Only enabled for any workstation addresses specified during Teams Connector installation
Client application viewing the meeting invitation | | Conferencing Node † | 443 | TCP | Access to Alternative Dial Instructions

* Configurable via the Media port range start/end, and Signaling port range start/end options (see About global settings).

† The Conferencing Nodes referenced in the InstructionUri for the “Alternate VTC dialing instructions”.

Teams Connector firewall ports

Teams Connector Network Security Group (NSG)

A Network Security Group that supports these firewall requirements is created automatically in Azure as a part of the Teams Connector installation process, and is assigned to each Teams Connector instance. Note that the NSG includes:

  • Rules used for internal traffic within the Teams Connector that is forwarded from the load balancer to the instances (to ports 10100, 10101 and 20100) — these ports do not need to be opened between the Conferencing Nodes / Microsoft Teams and the Teams Connector.
  • An “RDP” rule (priority 1000): if the $PxMgmtSrcAddrPrefixes installation variable contains addresses, this rule allows RDP access to the Teams Connector instances from those addresses. If no addresses are specified then a Deny rule is created (so that you can add addresses and allow it later if required).

You must also allow the relevant ports through any of your own firewalls that sit between the Teams Connector components and your public-facing Conferencing Nodes and management networks.

You may need to modify some of the NSG rules in the future if you subsequently add more Conferencing Nodes to your Pexip Infinity platform, or change the addresses of any management workstations.
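To see how the NSG rules described here actually decide a packet, the following added example (written for this page, not Pexip's deployment script) models Azure NSG evaluation: rules are tried in priority order, lowest number first, the first match wins, and Azure's built-in DenyAllInBound rule catches everything else. The rule set it builds is a constructed illustration from the page's port table and its description of the RDP rule (priority 1000, Allow only when $PxMgmtSrcAddrPrefixes contains addresses, otherwise Deny); the other rule names and priorities, and the use of "any source" for Microsoft Teams media, are assumptions.

```python
"""Model of inbound Azure NSG evaluation for a Teams Connector instance.
Added example, not Pexip's own code. Rule names and priorities other than the
RDP rule's priority 1000 are assumed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    sources: tuple       # CIDR prefixes, or ("*",) for any source
    dest_ports: tuple    # e.g. ("3389",), ("50000-54999",), ("*",)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dest_port: int
    protocol: str


def _port_in(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(prefixes, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(p == "*" or addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
            and _source_matches(rule.sources, flow.src_ip)
            and any(_port_in(spec, flow.dest_port) for spec in rule.dest_ports))


def evaluate(rules, flow: Flow):
    """Return (access, rule_name) for the first matching rule by priority.
    Azure's default AllowVnet/AllowAzureLoadBalancer rules are omitted because
    the page says the nodes always reach the Teams Connector via public IP."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # Azure's built-in default, priority 65500


def build_instance_rules(mgmt_src_prefixes, node_prefixes):
    """Constructed rule set following the page: RDP at priority 1000 is Allow
    from the management prefixes when any were given, else a Deny rule that can
    be edited later; plus the media port ranges from the Conferencing Nodes and
    from Microsoft Teams (Teams source addresses assumed "any")."""
    rdp = Rule("RDP", 1000, "Allow" if mgmt_src_prefixes else "Deny", "Tcp",
               tuple(mgmt_src_prefixes) or ("*",), ("3389",))
    return [
        rdp,
        Rule("NodeMedia", 1100, "Allow", "Udp", tuple(node_prefixes), ("50000-54999",)),
        Rule("TeamsMedia", 1200, "Allow", "Udp", ("*",), ("55000-59999",)),
    ]


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges (RFC 5737).
    rules = build_instance_rules(["203.0.113.0/24"], ["198.51.100.10/32"])
    for flow in (Flow("203.0.113.7", 3389, "Tcp"),      # admin workstation
                 Flow("192.0.2.5", 3389, "Tcp"),        # anyone else
                 Flow("198.51.100.10", 52000, "Udp"),   # node media
                 Flow("198.51.100.10", 52000, "Tcp"),   # wrong protocol
                 Flow("192.0.2.5", 57000, "Udp")):      # Teams media
        print(flow, "->", evaluate(rules, flow))
```

Running the same flows against `build_instance_rules([], [...])` shows the other case the text describes: with no management prefixes the RDP rule itself denies port 3389 for every source, which is why adding an address later means editing that rule rather than adding a new one.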

Teams Connector Network Security Group

Additional deployment information

The following features are provided/enabled automatically as part of the deployment process:

  • VMSS (virtual machine scale set) disk encryption is enabled by default. The keys are stored in an Azure Key Vault. Note that the disk encryption can affect performance for approximately 30 minutes after the deployment has finished.
  • Access keys for the storage account that is used for logging are managed by Azure Key Vault and are automatically regenerated every 90 days (not configurable).

Microsoft Teams Device Management Step 5

Configure Teams for Education

Tip

Some of the URLs in this article will take you to another document set. If you would like to maintain your place in this document set’s table of contents, please right click on URLs to open them in a new window.

Microsoft Teams is a digital hub that brings conversations, meetings, files, and apps together in one place. Because Teams is built on Office 365, schools benefit from integration with their familiar Office apps and services. It delivers enterprise-grade security and compliance that is extensible and customizable to fit the needs of every school.

With Microsoft Teams, your school or institution can create collaborative classrooms, connect in professional learning communities, communicate with school staff, coordinate research across institutions or more easily facilitate student life efforts like clubs or extracurricular activities – all from a single experience in Office 365 for Education.

Microsoft Teams for Education comes with all the powerful communication and collaboration tools that are available to other Teams users. Click here to configure Teams for your school.

Unique Teams capabilities for education users:

  1. A simplified Teams view that provides a simpler way to navigate and reduces visual distractions.

  2. OneNote Class Notebooks are built into every class team, allowing teachers to organize interactive lessons and deliver personalized learning right from Teams.

  3. End-to-end assignment management in Teams enables teachers to move quickly and effortlessly from creation and distribution to grading and feedback.

Assignments and weekly guardian e-mail digest

One of the new features related to Assignments is the weekly guardian e-mail digest which are weekly emails sent to students’ parents or guardians. The emails will contain information about assignments from the previous week and for the upcoming week, and will be sent over the weekend. The emails need to be set up and updated by the admins using the School Data Sync feature. SDS automatically populates classes for Teams with student rosters from the school’s student information system (SIS). The steps to enable this feature are:

  1. Import parent contact information via Parent and Guardian Sync in SDS. Click here for instructions on how to enable Parent and Guardian Sync.

  2. Turn on the Guardian Setting in the Microsoft Teams Admin Center, as the setting is turned off by default. This will enable teachers to send out a weekly digest. https://docs.microsoft.com/MicrosoftTeams/expand-teams-across-your-org/assignments-in-teams. Note that teachers can opt out of the digest by deselecting the setting inside their own personal class team (Settings > Parent/Guardian Emails).

Click here to find more information on Assignments and related features you can turn on in the Admin center.

Click here for more information on Teams for Education.

Click here for more information on School Data Sync (SDS).

Next step:

Once you have configured Teams for Education and Assignments settings, you are ready to deploy Office 365.

Microsoft Teams Device Management Step 4

Microsoft Store for Business and Education

Applies to

  • Windows 10
  • Windows 10 Mobile

Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.

In this section

Topic | Description
--- | ---
Sign up and get started | IT admins can sign up for the Microsoft Store for Business and Education, and get started working with apps.
Find and acquire apps | Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
Manage apps | Manage settings and access to apps in Microsoft Store for Business and Education.
Device Guard signing portal | Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Manage settings in the Microsoft Store for Business and Education | You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
Troubleshoot Microsoft Store for Business and Education | Troubleshooting topics for Microsoft Store for Business and Education.

Microsoft Teams Device Management Step 3

Deployment guide for Microsoft 365 Apps

Note

  • Office 365 ProPlus has been renamed to Microsoft 365 Apps for enterprise, starting with Version 2004. For more information, see Name change for Office 365 ProPlus. In our documentation, we’ll usually just refer to it as Microsoft 365 Apps.
  • We’ve made some changes to the update channels for Microsoft 365 Apps, including adding a new update channel (Monthly Enterprise Channel) and changing the names of the existing update channels. For more information, see Changes to update channels for Microsoft 365 Apps.

This guide helps IT Pros plan, deploy, and manage Microsoft 365 Apps in their enterprise environments.

Deploy

Learn about your deployment options, how to deploy from a local source, and how to use Microsoft Endpoint Configuration Manager to deploy Microsoft 365 Apps.

Manage updates

Learn about the different update channels available for Microsoft 365 Apps and how to use Configuration Manager to manage updates.


Microsoft Teams Device Management Step 2

What is Intune for Education?

Microsoft Intune for Education is a cloud-based, mobile device management (MDM) service for schools. It helps your teachers and students stay productive on classroom devices, and keeps school data secure.

With Intune for Education you can:

  • Manage the desktop and mobile devices students use to access classroom data.
  • Configure and assign the apps students use in the classroom.
  • Control how students and teachers access and share classroom information.
  • Apply school security requirements to devices and apps.

The Intune for Education portal is designed to include only the settings and workflows you need to manage iOS and Windows school devices. From the portal, you can view and take action on your device, user, and app inventory. Intune for Education also supports the Take a Test app, which allows teachers to assess student progress directly from classroom devices.

Sign up for Intune for Education

If you’re not already signed up with an Intune for Education account, learn how to get started. The article is for system administrators who are ready to sign up their school for an Intune subscription.

Manually add users to your Intune subscription

If you’re not using the Microsoft School Data Sync (SDS) service to import student and teacher records, you must manually add users to your Intune subscription. Students and teachers can be added through the Azure portal or through the Microsoft 365 portal. At the time of user setup, you’ll also want to grant admin permissions.

Supported OS and browsers

The full Intune management service supports many device operating systems. For school settings, like yours, we recommend using Intune for Education. Its portal is set up to specifically support Windows 10 and iOS school devices.

To view a complete list of Intune-supported web browsers and operating systems, see Supported operating systems and browsers in the Microsoft Intune documentation.

Configuring your Intune for Education tenant

Tenant refers to your organization’s instance of Intune for Education. Settings at a tenant-level affect your organization’s Intune subscription. Intune for Education has both General settings and iOS Device Management tenant settings.

General settings

The General page of tenant settings asks for your school’s IT contact and resource information. Most of this information is optional but is useful to provide an IT point of contact for students and faculty. For more information about editing general settings, see Edit general settings.

iOS Device Management settings

iOS Device Management settings ask for information about your Apple accounts. These settings are a requirement for organizations who wish to manage their iOS devices in Intune. Until you configure device management for iOS, you can’t see or manage iOS-related settings in the Intune for Education portal.

For more information about setting up your device’s iOS device management settings, see Setup iOS device management.

Only delegated admins in Intune for Education are allowed to see and change tenant settings.

Does Intune for Education work on shared devices?

Intune for Education works with shared devices, and supports the management of multiple users on a single device. Students who share a device may have different apps and settings targeted to them. When students sign in to a device, they’ll see only the apps and settings assigned specifically to them.

Compatible resources and tools

You’ll have access to other Microsoft management tools such as:

Use Intune for Education with Microsoft Education tools such as:

Get started with Intune for Education

Import student records with Microsoft School Data sync. Configure school’s Windows devices with the Set up School PCs app, or sign in to Intune for Education to set up Apple management for your iOS devices.

From the dashboard, launch Express Configuration. Select a user or device group (such as students, teachers, or 2nd floor Computer Lab) and start assigning apps and settings.

A screenshot of the landing page once logged in to Intune for Education.

Microsoft Teams Device Management Step 1

Windows 10 for Education

Windows 10 Education and Windows 10 Pro Education

Learn more about Windows

Windows 10 editions for education customers
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

Compare each Windows edition
Find out more about the features and functionality we support in each edition of Windows.

Get Windows 10 Education or Windows 10 Pro Education
When you’ve made your decision, find out how to buy Windows for your school.

Plan for Windows 10 in your school

Windows 10 configuration recommendations for education customers
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

Deployment recommendations for school IT administrators
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

Get Minecraft Education Edition
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.

Step 5

Step 5: License Users

Licensing user accounts in Office 365 is important, because users can’t use any Office 365 services until their accounts have been licensed. There are three ways to license users:

  1. Group-based licensing (Recommended path)

    Until now, licenses could only be assigned at the individual user level, which can make large-scale management difficult. With group-based licensing, administrators no longer have to write a complex PowerShell script that makes individual calls to the cloud service when a user joins or leaves a school. Instead, you can assign one or more product licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are removed. This licensing management eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis. To use group-based licensing, you must have one of the following licenses:

    • Paid or trial subscription for Azure AD Basic

    • Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 and above

Click here for more information and deployment guidance on Group-based licensing.

  2. Office 365 PowerShell

    If you have more than 50 users, and do not have one of the licenses listed in option 1 above, you will have to use Office 365 PowerShell to efficiently assign licenses to unlicensed accounts, especially multiple accounts. Here are directions on how to license users with PowerShell.

  3. Management Portals

    If you have fewer than 50 users, you can use the Office 365 or Azure management portal to manage your licensing needs.

Next step: Once you have licensed users, you are ready to manage and configure your school’s devices.

Step 4

Step 4: Sync your SIS using School Data Sync (SDS)

School Data Sync (SDS) is a free service in Office 365 for Education that reads the school and roster data from a school’s Student Information System (SIS). It creates Office 365 Groups for Exchange Online and SharePoint Online, class teams for Microsoft Teams and OneNote Class notebooks, school groups for Intune for Education, and rostering and SSO integration for many other third party applications. Key app integration scenarios that SDS enables include:

  • Teams for Education – SDS enables automatic Class Team creation based on SDS-created O365 Groups and Rostering.
  • OneNote Class Notebooks – SDS enables automated OneNote Class Notebook provisioning within Teams for Education. When enabled, each Class Notebook will have sections created and permissions set based on SDS class rostering data imported during sync.
  • Exchange Online and SharePoint Online – SDS creates Office 365 Groups for online messaging, file sharing, and collaboration.
  • Intune for Education – SDS creates schools-based Security Groups for granular device policy and can also provide automated bulk licensing of Intune for Education for all students and teachers synced.
  • 3rd Party Apps – SDS integrates with numerous apps within the Microsoft Store and enables Rostering and Single Sign-On (SSO) app integration.

Once you have identity integration with On-Premise AD, or you’re ready to create cloud-only Identity, your next step is to enable School Data Sync (SDS). SDS can be used to either create new cloud-only identities or evolve your existing identities for all users. Users will be evolved to “students” and “teachers”, and associated to “grade,” “school,” and other EDU specific attributes and associations.

SDS will also synchronize and create all of your classes in Office 365, for use as Office 365 Groups and Microsoft Class Teams. SDS will add teachers as class owners, and students as class members, based on the roster data stored in the SIS. Click here for the benefits of using SDS for IT Admins, Teachers, Students, SIS Vendors, App Vendors, and SIs.

Deploying School Data Sync

SDS offers two methods for directory sync and creation.

  1. Sync from SIS using an API – Seamless API integration with several top SISes including PowerSchool, Infinite Campus, Classlink, Capita SIMS, and several others.
  2. Sync from CSV Files – Any SIS which can export data to one of the three supported CSV formats (SDS CSV, OneRoster, and Clever format), can be synced via SDS.
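Because SDS turns roster rows directly into group memberships and class ownership, a broken or tampered export is a permissions problem, not just a sync error: a student SIS ID placed in the teacher roster becomes a class owner. The validator below is an added example (not Microsoft's or the SDS tooling's own code) that checks an SDS-format CSV export for referential integrity before it is uploaded. It assumes the six files and required column headers of the SDS v1 CSV format (School.csv, Section.csv, Student.csv, Teacher.csv, StudentEnrollment.csv, TeacherRoster.csv); the sample rows are constructed so that each check fires once.

```python
"""Pre-sync integrity checks for SDS-format CSV roster files.

Added example, not Microsoft's or SDS's own code. Assumes the six files and
required column headers of the SDS v1 CSV format; the sample data below is
constructed so that every check trips exactly once.
"""
import csv
import io

# Required columns per file (assumed SDS v1 CSV format headers).
REQUIRED_COLUMNS = {
    "School.csv": ("SIS ID", "Name"),
    "Section.csv": ("SIS ID", "School SIS ID", "Section Name"),
    "Student.csv": ("SIS ID", "School SIS ID", "Username"),
    "Teacher.csv": ("SIS ID", "School SIS ID", "Username"),
    "StudentEnrollment.csv": ("Section SIS ID", "SIS ID"),
    "TeacherRoster.csv": ("Section SIS ID", "SIS ID"),
}

# Constructed sample export; in practice read these from the SIS export folder.
SAMPLE_FILES = {
    "School.csv": "SIS ID,Name\nSCH001,North High\n",
    "Section.csv": (
        "SIS ID,School SIS ID,Section Name\n"
        "SEC100,SCH001,Algebra I\n"
        "SEC200,SCH999,Biology\n"          # unknown school
    ),
    "Student.csv": (
        "SIS ID,School SIS ID,Username\n"
        "STU1,SCH001,alice\n"
        "STU2,SCH001,bob\n"
        "STU3,SCH001,Alice\n"              # duplicate username (case-insensitive)
    ),
    "Teacher.csv": "SIS ID,School SIS ID,Username\nTEA1,SCH001,msmith\n",
    "StudentEnrollment.csv": (
        "Section SIS ID,SIS ID\n"
        "SEC100,STU1\n"
        "SEC100,STU2\n"
        "SEC100,TEA1\n"                    # teacher enrolled as a student
    ),
    "TeacherRoster.csv": (
        "Section SIS ID,SIS ID\n"
        "SEC100,TEA1\n"
        "SEC100,STU2\n"                    # student would become class owner
        "SEC300,TEA1\n"                    # unknown section
    ),
}


def read_rows(name, text):
    """Parse one CSV file, failing if a required header is absent."""
    reader = csv.DictReader(io.StringIO(text))
    present = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS[name] if c not in present]
    if missing:
        raise ValueError(f"{name}: missing required columns {missing}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def validate_roster(files):
    """Return a list of findings; an empty list means the export is consistent."""
    findings = []
    missing_files = sorted(set(REQUIRED_COLUMNS) - set(files))
    if missing_files:
        return [f"missing files: {missing_files}"]
    try:
        data = {name: read_rows(name, files[name]) for name in REQUIRED_COLUMNS}
    except ValueError as exc:
        return [str(exc)]

    schools = {r["SIS ID"] for r in data["School.csv"]}
    sections = {r["SIS ID"] for r in data["Section.csv"]}
    students = {r["SIS ID"] for r in data["Student.csv"]}
    teachers = {r["SIS ID"] for r in data["Teacher.csv"]}

    for r in data["Section.csv"]:
        if r["School SIS ID"] not in schools:
            findings.append(f"Section.csv: {r['SIS ID']} references unknown school {r['School SIS ID']}")

    # Usernames become directory sign-in names; duplicates collide at sync time.
    seen = {}
    for name in ("Student.csv", "Teacher.csv"):
        for r in data[name]:
            if r["School SIS ID"] not in schools:
                findings.append(f"{name}: {r['SIS ID']} references unknown school {r['School SIS ID']}")
            user = r["Username"].lower()
            if not user or any(ch.isspace() for ch in user):
                findings.append(f"{name}: {r['SIS ID']} has an empty or whitespace username")
            elif user in seen:
                findings.append(f"{name}: username {user!r} of {r['SIS ID']} duplicates {seen[user]}")
            else:
                seen[user] = r["SIS ID"]

    for r in data["StudentEnrollment.csv"]:
        if r["Section SIS ID"] not in sections:
            findings.append(f"StudentEnrollment.csv: unknown section {r['Section SIS ID']}")
        if r["SIS ID"] not in students:
            who = "a teacher" if r["SIS ID"] in teachers else "unknown"
            findings.append(f"StudentEnrollment.csv: {r['SIS ID']} is not a student ({who})")

    # Teacher roster rows become class *owners*; a student here is a privilege escalation.
    for r in data["TeacherRoster.csv"]:
        if r["Section SIS ID"] not in sections:
            findings.append(f"TeacherRoster.csv: unknown section {r['Section SIS ID']}")
        if r["SIS ID"] not in teachers:
            who = "a student, who would become class owner" if r["SIS ID"] in students else "unknown"
            findings.append(f"TeacherRoster.csv: {r['SIS ID']} is not a teacher ({who})")
    return findings


if __name__ == "__main__":
    for line in validate_roster(SAMPLE_FILES):
        print(line)
```

Run it against the export folder before each scheduled sync and treat any finding in TeacherRoster.csv as a blocker: SDS will happily create the class and grant ownership to whatever SIS ID the roster names.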

School Data Sync requirements

  1. An Office 365 Education tenant account (from Step 1)
  2. Global Administrator Permissions (from Step 1)

Before deploying SDS, please go to the SDS Settings page to configure your global deployment settings.

The following links take you to deployment “how-to” articles for each available method.

How to deploy School Data Sync by using PowerSchool SIS API

How to deploy School Data Sync by using OneRoster API

How to deploy School Data Sync by using SDS format CSV files

How to deploy School Data Sync by using Clever format CSV files

How to deploy School Data Sync by using OneRoster format CSV files


Next step: Once you have synced your SIS using SDS, please proceed to Step 5 to License users.


Step 3: Sync your active directory

 Tip

Some of the URLs in this article will take you to another document set. If you would like to maintain your place in this document set’s table of contents, please right click on URLs to open them in a new window.

This article is meant for customers who intend to integrate an on-premises Active Directory with Office 365. If you do not need to integrate an on-premises directory, and intend to provision cloud-only identities, you can skip this step and proceed to Sync your SIS with School Data Sync.

There are three ways to move your identities to Microsoft 365 Education.

  1. AAD Connect with Password Hash Sync (recommended path)

    The most efficient path to move from an on-premises Active Directory is Azure AD Connect with Password Hash Sync for authentication. This path is easier and cheaper to deploy because you can use the Azure AD Connect Express Settings, the default option that covers the most commonly deployed scenarios. You only have to manage one server, and this path gives you Seamless Single Sign-On and cloud multi-factor authentication. Azure AD Connect synchronizes a hash of each user’s on-premises password hash, not the password itself, and sign-in is then validated in Azure AD, so cloud authentication keeps working even when the on-premises directory is unreachable.

  2. AAD Connect with Pass-through Authentication

    If you need password authentication requests to be handled by your own on-premises Active Directory, you still use AAD Connect, but with the Pass-through Authentication option instead of Password Hash Sync. Azure Active Directory (Azure AD) Pass-through Authentication enables users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in through Azure AD, this feature validates their passwords directly against your on-premises Active Directory. This path is for organizations that want to enforce their on-premises Active Directory security and password policies at every sign-in. Note that the on-premises authentication agents make only outbound connections to Azure AD, so no inbound firewall openings are needed, and because sign-in now depends on those agents being reachable, deploy more than one and consider enabling Password Hash Sync alongside as a fallback.

  3. Active Directory Federation Services (AD FS)

    If you need on-premises-managed Multi-Factor Authentication (MFA), you will need to use Active Directory Federation Services (AD FS). When you choose this authentication method, Azure AD hands off the authentication process to the on-premises AD FS farm to validate the user’s password. We do not recommend this option unless you need federated single sign-on and on-premises password management. This path is more difficult and expensive, requires the management of multiple servers (including an internet-facing Web Application Proxy), and is only relevant for districts with complex security set-ups and requirements.


View this document for additional context as to how to set up directory synchronization for Office 365.

If you’re still not sure which path to choose, use this guide for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in method for your organization.

Next step: After you have completed syncing your active directory, please proceed to Step 4 to Sync your SIS with School Data Sync.


Step 2: Secure and configure your network


Some of the most common Office 365 performance issues are related to network configuration. Assessing your network configuration and applying the network principles and best practices is a key step in ensuring the best possible Office 365 user experience.

Review Network Planning, Optimization, and Best Practices

The topic Office 365 network connectivity overview is a good place to start to understand the basic principles of Office 365 networking. Then, read Office 365 Network Connectivity Principles to understand how to optimize network performance.

You can also review the network planning, best practices, and optimization guides available at this link.

Configure Connectivity to Microsoft IPs and URLs

To move to Microsoft 365 Education, you need to enable network connectivity to the Microsoft cloud and services. Ensure that you configure your firewalls and network devices for connectivity to the IPs and URLs defined in the topic Managing Office 365 endpoints. These endpoints change over time, so script against the Office 365 IP Address and URL web service or subscribe to its change notifications rather than copying the lists into your firewall once.
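The Office 365 endpoint data is published as JSON records, each carrying a category (Optimize, Allow, Default), a required flag, URLs, IP prefixes and TCP/UDP port lists. The script below is an added example, not Microsoft's own tooling, of turning those records into explicit egress rules. It assumes the record shape of the worldwide endpoints web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>, fields id, serviceArea, urls, ips, tcpPorts, udpPorts, category, required); the sample records are constructed with documentation IP ranges and invented ids so the script runs offline. Entries with no IP prefixes (URL-only, typically wildcards) cannot become IP rules and are reported separately for proxy or DNS-based allow-listing; malformed prefixes are rejected rather than silently opening the wrong range.

```python
"""Build egress firewall rules from Office 365 endpoint records.

Added example, not Microsoft's own tooling. Assumes the JSON record shape of
the Office 365 IP Address and URL web service; SAMPLE_ENDPOINTS_JSON is
constructed (documentation IP ranges, invented ids) so the script runs offline.
"""
import ipaddress
import json

SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
   "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443",
   "category": "Optimize", "required": true},
  {"id": 2, "serviceArea": "Skype", "urls": ["*.teams.microsoft.com"],
   "ips": ["198.51.100.0/24"], "tcpPorts": "443",
   "udpPorts": "3478,3479,3480,3481", "category": "Optimize", "required": true},
  {"id": 3, "serviceArea": "Common", "urls": ["*.example.net"],
   "tcpPorts": "80,443", "category": "Allow", "required": true},
  {"id": 4, "serviceArea": "Common", "urls": ["cdn.example.net"],
   "ips": ["203.0.113.0/24"], "tcpPorts": "443",
   "category": "Default", "required": true},
  {"id": 5, "serviceArea": "SharePoint", "urls": ["files.example.net"],
   "ips": ["203.0.113.0/24"], "tcpPorts": "443",
   "category": "Allow", "required": false},
  {"id": 6, "serviceArea": "Common", "urls": ["broken.example.net"],
   "ips": ["203.0.113.5/24"], "tcpPorts": "443",
   "category": "Allow", "required": true}
]
"""


def load_sample():
    """Parse the constructed sample; replace with the web-service response in practice."""
    return json.loads(SAMPLE_ENDPOINTS_JSON)


def parse_ports(spec):
    """'80,443' -> [80, 443]; empty or missing port lists yield []."""
    return [int(p) for p in spec.split(",") if p.strip()]


def build_rules(records, categories=("Optimize", "Allow")):
    """Return (rules, fqdn_only, errors).

    rules     : deduplicated (proto, prefix, port, serviceArea, id) tuples for
                required endpoints in the chosen categories
    fqdn_only : required endpoints that publish URLs but no IP prefixes
    errors    : prefixes rejected by strict CIDR validation
    """
    rules, fqdn_only, errors, seen = [], [], [], set()
    for rec in records:
        # Optional endpoints and the Default category are left to the proxy/default route.
        if not rec.get("required", False) or rec.get("category") not in categories:
            continue
        prefixes = rec.get("ips") or []
        if not prefixes:
            fqdn_only.append((rec["id"], rec["serviceArea"], tuple(rec.get("urls") or [])))
            continue
        for cidr in prefixes:
            try:
                # strict=True refuses prefixes with host bits set (e.g. 203.0.113.5/24)
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                errors.append(f"endpoint {rec['id']}: bad prefix {cidr!r}: {exc}")
                continue
            for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
                for port in parse_ports(rec.get(key, "")):
                    rule = (proto, str(net), port, rec["serviceArea"], rec["id"])
                    if rule not in seen:
                        seen.add(rule)
                        rules.append(rule)
    return rules, fqdn_only, errors


def render_iptables(rules):
    """Render rules as iptables/ip6tables OUTPUT accepts, one line per rule."""
    lines = []
    for proto, cidr, port, area, eid in rules:
        tool = "ip6tables" if ":" in cidr else "iptables"
        lines.append(f'{tool} -A OUTPUT -p {proto} -d {cidr} --dport {port} '
                     f'-m comment --comment "O365 {area} endpoint {eid}" -j ACCEPT')
    return lines


if __name__ == "__main__":
    rules, fqdn_only, errors = build_rules(load_sample())
    print("\n".join(render_iptables(rules)))
    for eid, area, urls in fqdn_only:
        print(f"# endpoint {eid} ({area}) has no IP prefixes; allow {urls} by FQDN on the proxy")
    for err in errors:
        print(f"# REJECTED: {err}")
```

Regenerate the rule set from the web service on a schedule and diff it against what is deployed; a rule that disappears from the feed should be removed, not left as a permanent hole in the egress policy.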

Next step: Once you have reviewed your network configuration and ensured that you are following the Office 365 Network Connectivity Principles, please proceed to Step 3 to Sync Your Active Directory.