2. Day 2 - Identity and SSO

Office 365 Identity. Presenter: Pham Dinh Huy, Microsoft Office 365

Upload: huy-pham

Post on 13-Aug-2015


TRANSCRIPT


Agenda

1. Explain Azure Active Directory
2. Overview of Identity Management in Office 365
3. Synchronize Identity Model (DirSync)
4. Federated Identity Model (SSO)

Azure Active Directory Explained

The current reality…

[Figure: On-Premises / Private Cloud (Windows Server Active Directory, managed devices) next to the Public Cloud (Azure, Office 365, SaaS, EC2) and Other Directories. Users sign in with a username and password and expect self-service and single sign-on. Identity is the control plane, with a simple connection between on-premises and cloud.]

Microsoft Azure Active Directory: your directory in the cloud. Connect and sync on-premises directories with Azure.

Azure Active Directory Connect

[Figure: Azure Active Directory Connect links Windows Server Active Directory and other directories to Microsoft Azure Active Directory. Other directories are reached through PowerShell, LDAP v3, SQL (ODBC) and web services (SOAP, Java, REST).]

Overview: Identity Management in Office 365

Office 365 Identity Management offers three models:

• Cloud Identity: a single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
• Directory Synchronization: a single identity, suitable for medium and large organizations without federation.
• Federated Identity: a single federated identity and credentials, suitable for medium and large organizations.

The end-to-end Microsoft stack

[Figure: on-premises Windows Active Directory and Active Directory Federation Services; DirSync feeding Windows Azure Active Directory; WS-Federation and WS-Trust between Active Directory Federation Services and Windows Azure Active Directory; cloud services Exchange Web Access and SharePoint Online, used from Outlook, Lync, Word, etc.]

Delivering a seamless user authentication experience

• Identity Synchronization with password hash (sync): user attributes are synchronized using Identity Synchronization services, including a password hash. Authentication is completed against Azure Active Directory (Microsoft Azure).
• Identity Synchronization with AD FS: user attributes are synchronized using Identity Synchronization tools. Authentication is passed back through federation and completed against Windows Server Active Directory.

Synchronize Identity Model (Recommended)

Password Sync: what it is

• Feature of DirSync: synchronizes user password hashes from on-premises AD to Windows Azure AD
• Enables users to log on to Windows Azure AD services using the same username/password as on-premises AD
• Part of DirSync: no additional software, no changes to domain controllers, no reboots
• Easier, less-expensive alternative to AD FS Single Sign-On, but not the same thing: no redirection to on-premises authentication, no token exchange between the on-premises environment and the cloud; authentication takes place in the cloud
• Only for the single-forest scenario

Password Sync: how it works

Security considerations
• Synchronizes hashes from on-premises AD to Azure AD; never sees or stores plaintext passwords

Password policy considerations
• Defers to on-premises password policies: on-premises complexity policies override cloud policies for synchronized users
• Passwords of synchronized users "never expire" in the cloud

Deploying Directory Synchronization

Typical steps in deploying the Windows Azure Directory Synchronization tool:

1. Prepare for DirSync
2. Activate DirSync
3. Setup DirSync
4. Sync Directories
5. Activate Users
6. Manage DirSync

Password synchronization during deployment:

• Enable password sync
• Initial password sync
• Password handling during activation
• Force a full sync
• Monitor events

Synchronization

[Figure: on-premises Active Directory → DirSync → DirSync Web Service → Online Directory (Microsoft Online Services), which serves SharePoint Online, Live ID, Exchange Online and Lync Online. Arrows are labelled "Users only" and "Mail-enabled objects".]

On-premises object: User Object, Mailbox-Enabled, ProxyAddresses: SMTP:[email protected]

Object as created in Microsoft Online Services: Logon Enabled User Object (Unlicensed); Mail-Enabled User (not Mailbox-Enabled); ProxyAddresses: SMTP:[email protected] smtp:[email protected] [email protected]

Sync cycle:

• Step 1: Import Users, Groups, and Contacts from the source Active Directory forest
• Step 2: Import Users, Groups, and Contacts from Microsoft Online Services via AWS
• Step 3: Export Users, Groups, and Contacts that do not already exist in Microsoft Online Services
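The three-step cycle above decides, per object, whether anything has to be exported. The following is an added example, not DirSync's own code: it models step 3 by keying objects on a source anchor (objectGUID, an assumption), reads proxyAddresses the way the slide shows them ("SMTP:" upper case is the primary address, "smtp:" lower case a secondary), and goes one step beyond the slide by also flagging objects with no primary address or a primary that duplicates another object's, since those would not export cleanly. All sample objects are constructed.

```python
# Added example (not from the slides): plan DirSync's export step.

def parse_proxy_addresses(proxy_addresses):
    """Return (primary_smtp, [secondary_smtp...]).
    'SMTP:' (upper case) marks the primary address, 'smtp:' a secondary;
    non-SMTP entries such as X500: are ignored."""
    primary, secondaries = None, []
    for entry in proxy_addresses:
        prefix, _, address = entry.partition(":")
        if prefix == "SMTP":
            if primary is not None:
                raise ValueError(f"two primary SMTP addresses: {primary} and {address}")
            primary = address.lower()
        elif prefix == "smtp":
            secondaries.append(address.lower())
    return primary, sorted(secondaries)


def plan_export(onprem_objects, online_objects):
    """Step 3 of the sync cycle: which on-premises objects must be created in
    Microsoft Online Services (absent there), which existing ones need their
    mail attributes updated, and which should be fixed before syncing."""
    plan = {"create": [], "update": [], "warnings": []}
    seen_primary = {}  # primary address -> sourceAnchor, to catch duplicates
    for obj in onprem_objects:
        anchor = obj["sourceAnchor"]
        try:
            primary, secondaries = parse_proxy_addresses(obj["proxyAddresses"])
        except ValueError as exc:
            plan["warnings"].append(f"{anchor}: {exc}")
            continue
        if primary is None:
            plan["warnings"].append(f"{anchor}: no primary SMTP address")
            continue
        if primary in seen_primary:
            plan["warnings"].append(f"{anchor}: primary {primary} duplicates {seen_primary[primary]}")
            continue
        seen_primary[primary] = anchor
        desired = {"primary": primary, "secondaries": secondaries}
        existing = online_objects.get(anchor)
        if existing is None:
            # Per the slide, the online copy is a logon-enabled, unlicensed,
            # mail-enabled (not mailbox-enabled) user object.
            plan["create"].append({"sourceAnchor": anchor, "licensed": False,
                                   "mailboxEnabled": False, **desired})
        elif existing != desired:
            plan["update"].append({"sourceAnchor": anchor, **desired})
    return plan


# Constructed sample directories (not real data)
ONPREM = [
    {"sourceAnchor": "guid-0001", "proxyAddresses": ["SMTP:alice@contoso.com",
                                                      "smtp:alice.w@contoso.com",
                                                      "X500:/o=Contoso/ou=Users/cn=alice"]},
    {"sourceAnchor": "guid-0002", "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sourceAnchor": "guid-0003", "proxyAddresses": ["smtp:carol@contoso.com"]},
    {"sourceAnchor": "guid-0004", "proxyAddresses": ["SMTP:Bob@contoso.com"]},
]
ONLINE = {
    "guid-0001": {"primary": "alice@contoso.com", "secondaries": []},
}


def sample_plan():
    return plan_export(ONPREM, ONLINE)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_plan(), indent=2))
```

Run it and guid-0002 is created, guid-0001 is updated because its secondary address is new, and guid-0003 (no primary) and guid-0004 (duplicate primary, differing only in case) are reported as warnings rather than exported.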

Manage: Monitor App Log Events

Application Log, Event Source = Directory Synchronization

Retrieving updated passwords from on-premises AD DS:
  Event ID 650            Password synchronization starts retrieving updated passwords from the on-premises AD DS
  Event ID 651 (success)  Finished retrieving updated passwords from on-premises AD DS
  Event ID 652 (error)    Failed to retrieve updated passwords from on-premises AD DS

Informing Windows Azure AD that there are no passwords to be synced **:
  Event ID 653            Password synchronization starts informing Windows Azure AD that there are no passwords to be synced
  Event ID 654 (success)  Finishes informing Windows Azure AD that there are no passwords to be synced
  Event ID 655 (error)    Failed to inform Windows Azure AD that there are no passwords to be synced
  ** This occurs every 30 minutes if no passwords have been updated on-premises

Syncing detected password changes:
  Event ID 656            Password synchronization detects password changes and tries to sync them to Windows Azure AD
  Event ID 657 (success)  User(s) whose password was successfully synced. Result: Success
  Event ID 657 (error)    User(s) whose password was not synced. Result: Failed
  ** Lists at least 1 user, at most 50 users
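The event IDs above are what an operator watches to know password sync is healthy. As an added example (not a Microsoft tool), here is a small monitor over exported Application log records: it classifies each event by ID, collects the 652/655 errors, separates the users reported in 657 success and failure results, and uses the 30-minute cadence the slide states for 653/654 to flag a stalled sync when no success of any kind has been logged for two cycles (the two-cycle threshold is this example's choice). The record layout and the "Users:" line inside the 657 message are constructed; the real message text is not shown on the slide.

```python
from datetime import datetime, timedelta

# Event IDs of the "Directory Synchronization" event source, as listed on the slides
EVENT_MEANING = {
    650: ("retrieve-passwords", "start"),
    651: ("retrieve-passwords", "success"),
    652: ("retrieve-passwords", "error"),
    653: ("nothing-to-sync", "start"),
    654: ("nothing-to-sync", "success"),
    655: ("nothing-to-sync", "error"),
    656: ("sync-changes", "start"),
    657: ("sync-changes", "result"),   # success or failure is in the message body
}

# The slides say 653/654/655 recur every 30 minutes when nothing changed;
# treating two missed cycles as "stalled" is this example's own threshold.
HEARTBEAT = timedelta(minutes=30)


def classify(event_id):
    return EVENT_MEANING.get(event_id, ("unknown", "unknown"))


def users_in_message(message):
    """Extract the user list from a 657 message. The slides only say it lists
    1..50 users; a 'Users: a, b' line is assumed for this example."""
    for line in message.splitlines():
        if line.startswith("Users:"):
            return [u.strip() for u in line[len("Users:"):].split(",") if u.strip()]
    return []


def summarize(events, now, stale_after=2 * HEARTBEAT):
    """Health summary of password synchronization from Application log records."""
    report = {"errors": [], "synced_users": [], "failed_users": [],
              "last_success": None, "stalled": False}
    for ev in sorted(events, key=lambda e: e["time"]):
        phase, status = classify(ev["id"])
        ok = status == "success"
        if status == "error":
            report["errors"].append((ev["id"], ev["time"].isoformat()))
        elif ev["id"] == 657:
            users = users_in_message(ev["message"])
            if "Result : Failed" in ev["message"]:
                report["failed_users"].extend(users)
            else:
                report["synced_users"].extend(users)
                ok = True
        if ok:
            report["last_success"] = ev["time"]
    last = report["last_success"]
    report["stalled"] = last is None or (now - last) > stale_after
    return report


# Constructed sample records (not real log output)
T0 = datetime(2015, 8, 13, 10, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "id": 650,
     "message": "Password synchronization starts retrieving updated passwords from the on-premises AD DS"},
    {"time": T0 + timedelta(seconds=5), "id": 651,
     "message": "Finished retrieving updated passwords from on-premises AD DS"},
    {"time": T0 + timedelta(seconds=10), "id": 656,
     "message": "Detected password changes\nUsers: alice@contoso.com, bob@contoso.com"},
    {"time": T0 + timedelta(seconds=20), "id": 657,
     "message": "Result : Success\nUsers: alice@contoso.com"},
    {"time": T0 + timedelta(seconds=21), "id": 657,
     "message": "Result : Failed\nUsers: bob@contoso.com"},
    {"time": T0 + timedelta(minutes=30), "id": 653,
     "message": "Starts informing Windows Azure AD that there are no passwords to be synced"},
    {"time": T0 + timedelta(minutes=30, seconds=1), "id": 654,
     "message": "Finishes informing Windows Azure AD that there are no passwords to be synced"},
    {"time": T0 + timedelta(minutes=60), "id": 653,
     "message": "Starts informing Windows Azure AD that there are no passwords to be synced"},
    {"time": T0 + timedelta(minutes=60, seconds=2), "id": 655,
     "message": "Failed to inform Windows Azure AD that there are no passwords to be synced"},
]
NOW = T0 + timedelta(hours=2)


def sample_report(stale_after=2 * HEARTBEAT):
    return summarize(SAMPLE_EVENTS, NOW, stale_after)


if __name__ == "__main__":
    r = sample_report()
    print("errors:", r["errors"])
    print("failed users:", r["failed_users"])
    print("stalled:", r["stalled"])
```

On the sample, the last success is the 654 at 10:30:01; the 655 an hour later is an error, so at 12:00 the monitor reports one error, one user whose password did not sync, and a stalled sync. Widening the threshold to four heartbeats clears the stalled flag while keeping the error.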

Federated Identity Model (SSO)

Understanding Identities

Cloud Identity
• Separate credential from on-premises credential
• Authentication occurs via cloud directory service
• Password policy is stored in Office 365
• Does not require on-premises server deployment

Federated Identity
• Same credential as on-premises credential
• Authentication occurs via on-premises directory service
• Password policy is stored on-premises
• Requires on-premises DirSync server
• Requires on-premises ADFS server

Understanding Identities

Cloud Identity
  Scenario: Smaller organizations with or without on-premises Active Directory
  Benefits: Does not require on-premises server deployment
  Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies

Cloud Identity + DirSync
  Scenario: Medium to Large organizations with Active Directory on-premises
  Benefits: "Source of Authority" is on-premises; Enables coexistence
  Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies; Requires on-premises DirSync server deployment

Federated Identity
  Scenario: Large enterprise organizations with Active Directory on-premises
  Benefits: Single Sign-On experience; "Source of Authority" is on-premises; 2 Factor Authentication options; Enables coexistence
  Limitations: Requires on-premises ADFS server deployment in a high availability scenario; Requires on-premises DirSync server deployment

Understanding Identities: Two types of Domains

Managed Domain and Federated Domain. For either type:
• Domain ownership must be verified
• Must use a publicly registered namespace (i.e. cannot use *.local, etc.)
• Options for adding new domains: Microsoft Online Portal, or the Microsoft Online Services Module for Windows PowerShell

Purpose
• Enables users to access both the on-premises and cloud-based organizations with a single user name and password
• Provides users with a familiar sign-on experience
• Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.

Benefits
• Policy Control
• Access Control
• Reduced Support Calls
• Security

Deployment Considerations

Deployment Architecture
• Single internal/proxy server: not recommended because it is not highly available. An ADFS Proxy is required for the Basic Authentication (Active Profile) endpoint.
• 2+ internal/proxy servers with load balancers

[Figure: Perimeter Network with ADFS 2.0 Proxy servers behind a load balancer, serving Basic Authentication (Active Profile) and Passive Federation (Passive Profile) from the internet; Internal Network with ADFS 2.0 servers behind a load balancer and Active Directory.]

Deployment Architecture

Number of users            Minimum number of servers
Fewer than 1,000 users     0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
1,000 to 15,000 users      2 dedicated federation servers, 2 dedicated federation server proxies
15,000 to 60,000 users     Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies

Deployment Topology
• ADFS can use Windows Internal Database (WID) or SQL. WID has a limit of 5 servers per farm; there is no imposed limit for SQL.
• When configured as an ADFS farm, WID supports basic database redundancy via pull replication: the primary server holds the read/write copy; secondary servers check for updates every 5 minutes by default; if the primary fails, all secondary servers continue to process requests; a secondary server can become the primary.
• SQL supports failover clustering or mirroring.

Deployment Considerations for UPN
• User objects must have a value for UPN in on-premises Active Directory
• The UPN domain suffix must match a verified domain in Office 365. The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain
• Users must switch to using the UPN to log on to Office 365, not domain\username
• The UPN must have valid characters. The Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters
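The four UPN rules above can be checked before the first sync. The code below is an added example and not the Office 365 Deployment Readiness Tool: it reports, for each on-premises user, the UPN Office 365 would end up with (falling back to the default tenant domain when the suffix is not verified, as the slide describes) and the problems found. The slide does not list which characters are valid, so the pattern used here (letters, digits, '.', '-' and '_' in the prefix, no leading or trailing '.', DNS-style labels in the suffix) is this example's assumption; the user list and domains are constructed.

```python
import re

# Assumed character rules (the readiness tool's exact rules are not on the slide)
LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_upn(user, verified_domains, default_domain):
    """Return the UPN Office 365 will use for this user and the issues found.
    cloud_upn is None when the object cannot sign in to Office 365 as-is."""
    sam = user["sAMAccountName"]
    upn = (user.get("userPrincipalName") or "").strip()
    if not upn:
        return {"sam": sam, "cloud_upn": None,
                "issues": ["no UPN set on the on-premises object"]}
    if "\\" in upn or upn.count("@") != 1:
        return {"sam": sam, "cloud_upn": None,
                "issues": ["not a UPN (domain\\username form or missing '@'); "
                           "users must sign in with a UPN"]}
    local, suffix = upn.rsplit("@", 1)
    suffix = suffix.lower()
    issues = []
    if not LOCAL_PART.match(local) or local.startswith(".") or local.endswith("."):
        issues.append("invalid characters in UPN prefix")
    if not all(DNS_LABEL.match(label) for label in suffix.split(".")):
        issues.append("invalid characters in UPN suffix")
    if issues:
        return {"sam": sam, "cloud_upn": None, "issues": issues}
    if suffix in {d.lower() for d in verified_domains}:
        cloud_upn = f"{local}@{suffix}"
    else:
        # Not a verified domain: Office 365 substitutes the default domain
        cloud_upn = f"{local}@{default_domain}"
        issues.append(f"suffix {suffix} is not a verified domain; "
                      f"Office 365 will use {cloud_upn}")
    return {"sam": sam, "cloud_upn": cloud_upn, "issues": issues}


def readiness_report(users, verified_domains, default_domain):
    return [check_upn(u, verified_domains, default_domain) for u in users]


# Constructed sample directory (not real data)
VERIFIED = ["contoso.com", "contoso.onmicrosoft.com"]
DEFAULT = "contoso.onmicrosoft.com"
USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com"},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@corp.local"},
    {"sAMAccountName": "carol", "userPrincipalName": "carol smith@contoso.com"},
    {"sAMAccountName": "dave", "userPrincipalName": ""},
    {"sAMAccountName": "erin", "userPrincipalName": "CONTOSO\\erin"},
]


def sample_report():
    return readiness_report(USERS, VERIFIED, DEFAULT)


if __name__ == "__main__":
    for row in sample_report():
        print(f"{row['sam']:6} -> {row['cloud_upn']}  {'; '.join(row['issues'])}")
```

The interesting row is bob: the object syncs, but because corp.local can never be verified he would have to sign in as bob@contoso.onmicrosoft.com, which is exactly the "different credential" surprise the UPN guidance is meant to prevent.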

How does SSO work

Sign-in: How does SSO work (Intranet User)

[Figure: the user's domain-joined machine inside the corporate firewall; Azure AD and the application in the cloud behind their own firewall; ADFS on-premises.]

1. User accesses the application
2. Redirected to Azure AD; the user enters their login ID for HRD (home realm discovery)
3. Redirected to ADFS; desktop SSO on the domain-joined machine
4. Redirected to AAD; AAD validates the user token and generates a new token for the app
5. User now has access to the application

Sign-in: How does SSO work (Extranet User)

[Figure: the user's machine outside the corporate firewall; Azure AD and the application in the cloud; the Web Application Proxy in the perimeter in front of ADFS.]

1. User accesses the application
2. Redirected to Azure AD; the user enters their login ID for HRD (home realm discovery)
3. Redirected to WAP (Web Application Proxy); username/password or certificate authentication
4. Redirected to AAD; AAD validates the user token and generates a new token for the app
5. User now has access to the application
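The five steps above, and the managed/federated domain split from the "Two types of Domains" slide, can be followed in code. This is an added example that models the flow; it is not Azure AD's or AD FS's implementation. Home realm discovery picks the path from the login ID's suffix, a federated user is sent to ADFS (intranet) or the Web Application Proxy (extranet), ADFS issues a token, and AAD checks that token before minting its own for the application. The tenant configuration, the source ID ABC123 from the flow diagrams, and an HMAC key standing in for the AD FS token-signing certificate are all constructed; the check that the token's issuer is the one registered for the UPN's domain is the validation step the example exists to show.

```python
import hashlib
import hmac
import json

# Constructed tenant: one federated domain, one managed (cloud-only) domain
TENANT = {
    "contoso.com": {"type": "federated",
                    "issuer": "http://adfs.contoso.com/adfs/services/trust",
                    "signing_key": b"constructed-token-signing-key"},
    "fabrikam.onmicrosoft.com": {"type": "managed"},
}


def home_realm_discovery(login_id, tenant, on_intranet):
    """Step 2: Azure AD chooses the sign-in path from the login ID's domain."""
    suffix = login_id.rsplit("@", 1)[-1].lower()
    domain = tenant.get(suffix)
    if domain is None:
        return {"action": "reject", "reason": f"{suffix} is not a verified domain"}
    if domain["type"] == "managed":
        return {"action": "cloud-auth"}   # password (hash) checked in Azure AD
    # Step 3: intranet clients get desktop SSO at ADFS; extranet clients go via WAP
    return {"action": "redirect", "to": "adfs" if on_intranet else "wap",
            "issuer": domain["issuer"]}


def adfs_issue_token(issuer, signing_key, upn, source_id, issued_at, lifetime=600):
    """What ADFS hands back: claims plus a signature AAD can verify (HMAC here)."""
    claims = {"iss": issuer, "upn": upn, "source_id": source_id,
              "iat": issued_at, "exp": issued_at + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(signing_key, body, hashlib.sha256).hexdigest()}


def aad_validate(token, tenant, now):
    """Step 4: accept the federation token only if the asserted UPN belongs to a
    federated domain, the issuer is the one registered for that domain, the
    signature verifies under that issuer's key, and the token is unexpired."""
    claims = json.loads(token["body"])
    suffix = claims["upn"].rsplit("@", 1)[-1].lower()
    domain = tenant.get(suffix)
    if domain is None or domain["type"] != "federated":
        return False, f"{suffix} is not a federated domain"
    if claims["iss"] != domain["issuer"]:
        return False, "issuer is not trusted for this domain"
    expected = hmac.new(domain["signing_key"], token["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "signature does not verify"
    if claims["exp"] <= now:
        return False, "token expired"
    # Step 5: new token for the application, carrying the cloud identity
    return True, {"upn": claims["upn"], "source_id": claims["source_id"],
                  "aud": "application", "exp": now + 3600}


def sign_in(login_id, on_intranet, now, tamper=None):
    """Drive the flow for one user; `tamper` rewrites claims in transit."""
    hrd = home_realm_discovery(login_id, TENANT, on_intranet)
    if hrd["action"] != "redirect":
        return hrd
    key = TENANT[login_id.rsplit("@", 1)[-1].lower()]["signing_key"]
    token = adfs_issue_token(hrd["issuer"], key, login_id, "ABC123", now)
    if tamper:
        claims = json.loads(token["body"])
        claims.update(tamper)
        token["body"] = json.dumps(claims, sort_keys=True).encode()
    ok, result = aad_validate(token, TENANT, now)
    return {"action": "grant" if ok else "reject", "via": hrd["to"], "detail": result}


if __name__ == "__main__":
    print(sign_in("alice@contoso.com", on_intranet=True, now=1000))
    print(sign_in("alice@contoso.com", on_intranet=False, now=1000))
    print(sign_in("alice@contoso.com", True, 1000, tamper={"upn": "admin@fabrikam.onmicrosoft.com"}))
```

The two tampered runs are the point: a token whose UPN is moved into another domain is refused before the signature is even checked, and a token whose expiry is edited fails signature verification, so neither step 4 nor step 5 happens.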

Client Endpoints

Active Federation (MEX)
• Applies to rich clients supporting ADFS
• Used by Lync and the Office Subscription client
• Clients negotiate authentication directly with the on-premises ADFS server

Basic Authentication (Active Profile)
• Applies to clients authenticating with basic authentication
• Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services
• Clients send "basic authentication" credentials to Exchange Online via SSL. Exchange Online proxies the request to the on-premises ADFS server on behalf of the client

Passive Federation (Passive Profile)
• Applies to web browsers and documents opened via SharePoint Online
• Used by the Microsoft Online Portal, OWA, and SharePoint Portal
• Web clients (browsers) authenticate directly with the on-premises ADFS server

[Figure: Client Endpoints. Inside the corporate boundary, Lync 2010/Office Subscription (MEX), OWA Internal (Web) and Outlook 2010/2007, IMAP/POP and ActiveSync (username/password) reach the AD FS 2.0 Server, which exposes MEX, Web and Active endpoints. Outside the boundary, the same client types reach the AD FS 2.0 Proxy with the same three endpoints, with Outlook/IMAP/POP and ActiveSync sending username/password to Exchange Online, which proxies to AD FS. Basic auth proposal: pass client IP, protocol and device name.]

Authentication Flow – MEX Profile

[Figure: on the customer side, a client joined to CorpNet, Active Directory and the authentication platform (AD FS 2.0 Server); on the Microsoft Online Services side, Lync Online. The user's source ID is ABC123. The logon (SAML 1.1) token from AD FS carries UPN:[email protected] and User ID: ABC123; the auth token issued for the service carries UPN:[email protected] and ID: 254729.]

Authentication Flow – Active Profile

[Figure: a client joined to CorpNet, Active Directory and the authentication platform (AD FS 2.0 Proxy) on the customer side; Exchange Online on the Microsoft Online Services side. The client sends basic auth credentials (username/password) to Exchange Online; the logon (SAML 1.1) token carries UPN:[email protected] and User ID: ABC123, and the auth token carries UPN:[email protected] and ID: 254729.]

Authentication Flow – Passive Profile

[Figure: a client joined to CorpNet, Active Directory and the authentication platform (AD FS 2.0 Server) on the customer side; Exchange Online or SharePoint Online on the Microsoft Online Services side. The logon (SAML 1.1) token carries UPN:[email protected] and User ID: ABC123; the auth token carries UPN:[email protected] and ID: 254729.]

SSO: Tips for a successful deployment

Deployment
• Use Windows 2012 R2
• Co-locate ADFS on domain controllers (no IIS needed)
• You don't need SQL unless you are greater than 90K users!
• Use self-signed token signing certificates.

Network
• Deploy Web Application Proxy. Current Outlook/EAS need this to work.
• AAD uses a federation metadata endpoint that is internet accessible to keep token signing cert information up to date.
• Don't use sticky sessions on your Load Balancer
• Configure SNI on the load balancer or use HTTP health probes (MS14-08)

Security
• Enable extranet soft account lockout
• Enable MFA with smartcards, Azure MFA or 3rd party MFA (SafeNet, RSA, Gemalto, LoginPeople …)
• Enable client access policies in the prescribed manner.

Sign-In Experience
• Ensure that the SPN (HOST/adfs.contoso.com) is set on the ADFS service account
• Customize illustration & logo to have a great end user experience
• Enable the 'Keep Me Signed In' option for better SSO

Scenarios

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.