Active Directory Integration with Microsoft Office 365 Ross Adams & Jono Luk Program Managers Microsoft Corporation OSP321


Page 1: Title slide

Ross Adams & Jono Luk, Program Managers, Microsoft Corporation
Session OSP321

Page 2: Session Objectives

• Architecture for Office 365 and other services
• Integration options
• Planning for directory integration
• Single sign-on experience
• How single sign-on works
• Options for strong authentication

Page 3: Windows Azure Active Directory

Password policy controls for cloud accounts:
• Password never expires
• Password complexity can be turned off
• Custom password policies for expiry/notification

Single sign-on with corporate credentials

Role-based administration, five administration roles:
• Company Admin
• Billing Admin
• User Account Admin
• Help Desk Admin
• Service Support Admin

Page 4: Windows Azure Active Directory Provisioning

Manual
• Simple web-based user interface
• Bulk import of users
• Best for small customers

Scriptable
• PowerShell module for Windows
• Programmable: new REST-based API
• Limited attribute set/object types

Automated
• Directory Synchronization with delta sync
• Full fidelity of attributes and object types
• Optimized for large object sets

Page 5: Architecture and Integration Options

1. No Integration
2. Directory Data Only
3. Directory and Single Sign-on (SSO)

[Diagram: Contoso customer premises (Active Directory, Directory Sync, Active Directory Federation Server 2.0 acting as IdP with its directory store, Office 365 Desktop Setup) connected to Microsoft Online Services (Windows Azure Active Directory provisioning platform, authentication platform, Admin Portal/PowerShell, and the MS Online, Lync Online, SharePoint Online, Exchange Online and Office Subscription services) through directory synchronization and a federation trust.]

Page 6: Why Directory and SSO Integration

Single place for management:
• Users and groups, including security groups
• Passwords
• Password policies

• Support for enterprise single sign-on
• Support for hybrid environments for services such as Exchange Online
• Options for strong authentication (e.g. smart cards)

Page 7: Integration Comparison

1. No Integration
Appropriate for: smaller orgs without AD on-premises
Pros:
• No servers required on-premises
Cons:
• No SSO
• No 2FA
• 2 sets of credentials to manage, with differing password policies
• IDs mastered in the cloud

2. Directory Only
Appropriate for: medium/large orgs with AD on-premises
Pros:
• Users and groups mastered on-premises
• Enables co-existence scenarios
Cons:
• No SSO
• No 2FA
• 2 sets of credentials to manage, with differing password policies
• Single server deployment

3. Directory and SSO
Appropriate for: larger enterprise orgs with AD on-premises
Pros:
• SSO with corporate credentials
• IDs mastered on-premises
• Password policy controlled on-premises
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
Cons:
• High availability server deployments required

Page 8: General Integration Requirements

• Active Directory forest functional level 2003
• Windows 2008 for AD FS 2.0 and SSO
• Windows 2003 or above for Directory Synchronization
• 32-bit (Windows 2003) is deprecated; 64-bit (Windows 2008 and above) is recommended
• Virtualization is supported
• Single forest: multiple domains in a single forest are supported
• Multi-forest support through a Premier engagement

Page 9: Preparing for Directory Integration and SSO

• Design for high availability of the AD FS 2.0 services
• Every user must have a UPN
• The UPN suffix must match a validated domain in Office 365
• UPN character restrictions:
  • Only certain characters are allowed: letters, numbers and . - _ ! # ^ ~
  • No dot before the @ symbol (for example [email protected] is allowed but [email protected] isn't)
• Users need to use their UPN to log on to Office 365 apps
• The Office 365 Deployment Readiness Tool checks all of these and more

Page 10: Directory Integration Validations

Licensed users:
• All proxy addresses (SMTP/SIP) must be against a verified domain; addresses that are not are dropped during licensing
• The UPN is not updated automatically for cloud ID based users: it must be updated manually, and will update automatically when the domain is converted to single sign-on

Unlicensed users:
• SMTP proxy addresses can be against non-verified domains
• The SIP address must match a verified domain; it is dropped if not valid

Verifying the domain after sync adds the removed proxy addresses back (background process)
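As an added example (not code from the deck or from any Microsoft tool), the following PowerShell applies the UPN rules from page 9 and the proxy-address rules above to a set of accounts before sync. The verified-domain list and the sample users are constructed; in a real run the users would come from Get-ADUser with the userPrincipalName and proxyAddresses attributes.

```powershell
# Added example: readiness check for the UPN rules (page 9) and proxy-address rules (page 10).
# The verified-domain list and the sample users below are constructed, not real directory data.

$VerifiedDomains = @('contoso.com', 'fabrikam.com')   # domains verified in Office 365 (constructed)

function Test-Office365Upn {
    # Returns one string per problem found; returns nothing for a valid UPN.
    param([Parameter(Mandatory)][string]$Upn)

    $parts = $Upn -split '@', 2
    if ($parts.Count -ne 2 -or $parts[0] -eq '' -or $parts[1] -eq '') {
        return 'UPN must be of the form user@domain'
    }
    $localPart, $domain = $parts
    $problems = @()

    # Page 9: only letters, numbers and . - _ ! # ^ ~ are allowed before the @
    if ($localPart -notmatch '^[A-Za-z0-9._!#^~-]+$') {
        $problems += "local part '$localPart' contains a character that is not allowed"
    }
    # Page 9: no dot immediately before the @
    if ($localPart.EndsWith('.')) {
        $problems += 'local part must not end with a dot'
    }
    # Page 9: the UPN suffix must be a domain that has been verified in Office 365
    if ($VerifiedDomains -notcontains $domain.ToLower()) {
        $problems += "UPN suffix '$domain' is not a verified domain"
    }
    return $problems
}

function Split-ProxyAddresses {
    # Partitions proxy addresses into those directory sync keeps and those it drops,
    # following the licensed/unlicensed rules on page 10.
    param(
        [Parameter(Mandatory)][string[]]$ProxyAddresses,
        [Parameter(Mandatory)][bool]$Licensed
    )
    $kept = @(); $dropped = @()
    foreach ($entry in $ProxyAddresses) {
        # Expect the AD proxyAddresses form "SMTP:user@domain" or "sip:user@domain"
        if (-not ($entry -match '^(?<prefix>smtp|sip):[^@]+@(?<domain>[^@]+)$')) {
            $dropped += $entry
            continue
        }
        $isVerified = $VerifiedDomains -contains $Matches.domain.ToLower()
        $isSip      = $Matches.prefix -ieq 'sip'
        # Licensed: every SMTP and SIP address must be on a verified domain.
        # Unlicensed: SMTP may be on any domain, SIP must still be on a verified one.
        if ($isVerified -or (-not $Licensed -and -not $isSip)) { $kept += $entry }
        else                                                    { $dropped += $entry }
    }
    [pscustomobject]@{ Kept = $kept; Dropped = $dropped }
}

# Constructed sample accounts (not real data): a clean user, a UPN ending in a dot,
# and an unlicensed user whose UPN suffix is a .local domain (see page 22).
$sampleUsers = @(
    @{ Upn = 'alice@contoso.com'; Licensed = $true;  Proxy = @('SMTP:alice@contoso.com', 'sip:alice@contoso.com') }
    @{ Upn = 'bob.@contoso.com';  Licensed = $true;  Proxy = @('SMTP:bob@contoso.com', 'smtp:bob@partner.example') }
    @{ Upn = 'carol@corp.local';  Licensed = $false; Proxy = @('SMTP:carol@partner.example', 'sip:carol@corp.local') }
)

foreach ($user in $sampleUsers) {
    $upnIssues = @(Test-Office365Upn -Upn $user.Upn)
    $proxies   = Split-ProxyAddresses -ProxyAddresses $user.Proxy -Licensed $user.Licensed
    [pscustomobject]@{
        Upn            = $user.Upn
        UpnIssues      = ($upnIssues -join '; ')
        DroppedProxies = ($proxies.Dropped -join ', ')
    }
}
```

With the constructed data, alice passes cleanly; bob's UPN is flagged for the trailing dot and his partner.example SMTP address would be dropped because he is licensed; carol's corp.local suffix is flagged and her SIP address is dropped while the non-verified SMTP address is kept because she is unlicensed. The point of running a check like this before the first sync is that the dropped addresses are silent: sync does not fail, the addresses simply disappear until the domain is verified.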

Page 11: Directory Sync Setup Options

1-way sync from AD to cloud:
• Provisions users, DLs, security groups and contacts
• Can move to 2-way sync later
• On-premises is the master for all objects and properties

2-way sync from AD to cloud and cloud to AD:
• Required for hybrid deployments, e.g. co-existence between Exchange Online and Exchange on-premises
• Cannot move back to 1-way sync
• Cloud becomes the master for certain properties (safe senders, mail co-existence, UM)

Page 12: Directory Sync Configuration Options

• Syncs all objects, with some exceptions:
  • Does not sync default accounts (Administrator etc.)
  • Does not sync system objects
• Directory Sync can be turned off, but this takes time
• Options that can't be changed:
  • Scoping the attribute set
  • Sync timeframe is every 3 hours

Page 13: Sign-in Experience for Single Sign-On: Rich/Web Clients

Rich client applications with the Microsoft Online Sign-In Assistant (Lync Online, Office Subscriptions, CRM Online):
• Integrated experience on a domain-joined PC on the corporate network
• Client connects directly to the AD FS 2.0 server or proxy

Web-based applications (SharePoint Online, OWA, Office rich applications such as Word and PowerPoint):
• Prompts for the username for realm discovery; this can be bypassed with "Keep me signed in", but the user is still required to authenticate to AD FS
• Client connects directly to the AD FS 2.0 server or proxy
• Integrated authentication to AD FS on a domain-joined PC on the corporate network
• Smart links can help with the username prompt, for example http://www.outlook.com/contoso.com

Page 14: Sign-in Experience for Single Sign-On: Exchange Online

Outlook/IMAP/ActiveSync/Entourage:
• Often referred to as Exchange proxy authentication
• Basic credentials are relayed through Exchange to the AD FS proxy active endpoint
• Prompts for both username and password, but they can be saved
• Support for rules that control access based on client IP / device type / Exchange endpoint filtering

Page 15: Sign-On Experience with SSO

[Table: sign-on prompts by client type and identity type. Rows: Web clients (Office 2010, Office 2007 SP2 with SharePoint Online, Outlook Web App; remembers the last user), Exchange clients (Office 2010, Office 2007 SP2, ActiveSync/POP/IMAP, Entourage; can save credentials), Rich applications with the Sign-In Assistant (Lync Online, Office Subscriptions, CRM rich client; can save credentials). Columns: MS Online IDs, SSO IDs on domain-joined PCs, SSO IDs on non-domain-joined PCs. Cells range from no prompt (SSO IDs on domain-joined PCs) through a username-only prompt for realm discovery to a username and password prompt, with Online ID or AD credentials depending on the identity type.]

Page 16: Identity Integration/SSO Details

• MS Online business scenarios always use WS-*:
  • WS-Federation for passive clients
  • WS-Trust provides support for rich client authentication
• Identity federation is supported through AD FS 2.0

SAML 1.1 token contents:
• Issuer URI: used to locate the domain for certificate verification
• User Source Address: unique, never-changing identifier of the user
• UserPrincipalName (UPN): the name the user uses to log on

Page 17: Client to Endpoint Usage

[Diagram: AD FS 2.0 server (MEX, Web and Active endpoints) inside the corporate boundary and AD FS 2.0 proxy (MEX, Web and Active endpoints) outside it. Inside the boundary, Lync 2010/Office Subscription clients, Outlook 2010/2007 and IMAP/POP clients, and internal OWA use the server endpoints directly. Outside it, Lync 2010/Office Subscription clients and external OWA use the proxy, while Outlook 2010/2007, IMAP/POP and ActiveSync send username/password to Exchange Online, which relays them to the proxy's active endpoint. Basic auth proposal: pass client IP, protocol and device name.]

Page 18: Client Access Filtering

• Enabled through claims issuance rules in AD FS 2.0
• Targeted at blocking external access scenarios for Outlook:
  • Block all external access
  • Allow external access for specific mail clients (ActiveSync, POP/IMAP)
  • Allow external access to web applications (OWA, SharePoint)
  • Allow external access for specific groups of users
• Requires the AD FS proxy
• No granularity for limiting Lync Online/Office Subscription services externally, i.e. any rule above blocks their access
• 3rd-party proxies require additional work; see http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx
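As an added example (not code from the deck), the following PowerShell sets issuance authorization rules on the Office 365 relying party trust that implement one of the policies above: deny requests that arrive through the AD FS proxy from outside the corporate egress range unless they come from Exchange ActiveSync or from a browser on the passive endpoint. The claim types are the AD FS 2.0 request-context claims described in the linked TechNet article and require the update rollup that adds them; the relying-party name is the default one, and the egress IP range is a constructed placeholder.

```powershell
# Added example: client access filtering rules for the policy on page 18.
# Assumes the default Office 365 relying party trust name and an AD FS 2.0 proxy that
# forwards the request-context claims. The IP range is a constructed placeholder.
$rpName = 'Microsoft Office 365 Identity Platform'

# Regex for the organisation's public egress addresses (placeholder: 203.0.113.0/24).
$corpEgressRegex = '^203\.0\.113\.\d{1,3}$'

# Double-quoted here-string so that $corpEgressRegex is substituted into the rule text.
$authorizationRules = @"
@RuleName = "Deny external access except Exchange ActiveSync and browser sign-in"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpEgressRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit every request not denied above"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Review the current authorization rules before replacing them.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# Apply. A deny claim always wins over a permit claim, so rule order does not matter.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authorizationRules
```

Two consequences worth keeping in mind when reading the rule: requests that never touch the proxy (internal clients talking to the federation server directly) carry no x-ms-proxy claim and are therefore never denied, which is what makes the VPN approach on page 26 work; and, as the slide warns, external Lync Online and Office Subscription clients use the active and MEX endpoints rather than /adfs/ls/, so this rule blocks them along with Outlook. To allow only a specific group instead, add a clause of the form NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<group SID>"]) to the deny rule.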

Page 19: Identity Federation: Authentication Flow (Passive/Web Profile)

[Diagram: a client joined to CorpNet accesses Exchange Online or SharePoint Online and is redirected to the customer's AD FS 2.0 server, which authenticates the user against Active Directory and issues a logon (SAML 1.1) token carrying the UPN and the User Source ID (UPN: [email protected], User ID: ABC123). The Microsoft Online Services authentication platform exchanges it for an auth token (UPN: [email protected], ID: 254729) that the service accepts.]

Page 20: Identity Federation: Authentication Flow (MEX/Rich Client Profile)

[Diagram: the same exchange as page 19, with a rich client (Lync Online) obtaining the logon (SAML 1.1) token from the AD FS 2.0 server through the MEX/WS-Trust endpoint and presenting it to the authentication platform for an auth token.]

Page 21: Identity Federation: Active Flow (Outlook/ActiveSync), Always External

[Diagram: the client sends basic auth credentials (username/password) to Exchange Online; the Microsoft Online Services authentication platform relays them to the customer's AD FS 2.0 server active endpoint, which validates them against Active Directory and issues the logon (SAML 1.1) token (UPN and User Source ID), which is then exchanged for an auth token as before.]

Page 22: Single Forest AD Structures and Considerations

Matching domains
  Description: internal domain and external domain are the same, i.e. contoso.com
  Considerations: no special requirements

Sub domain
  Description: internal domain is a sub domain of the external domain, i.e. corp.contoso.com
  Considerations: requires domains to be registered in order, primary then sub domains

.local domain
  Description: internal domain is not publicly "registered", i.e. contoso.local
  Considerations: domain ownership can't be proved, so a different domain must be used
  • Requires all users to get a new UPN
  • Use the SMTP address if possible
  • Smart card issues

Multiple distinct UPN suffixes in a single forest
  Description: mix of users having login UPNs under different domains, i.e. contoso.com & fabrikam.com
  Considerations:
  • Must use the SupportMultipleDomain switch in PowerShell
  • Sub domains require additional work

Multi forest
  Description: multiple AD forests
  Considerations: Premier engagement

Page 23: Strong Authentication Approaches

Focuses on strong authentication (e.g. smart cards) for extranet access. Two approaches are possible:
1. Only provide strong auth for web applications (e.g. OWA, SPO) by configuring/customizing the AD FS 2.0 proxy; rich clients cannot be supported
2. Use a VPN to the internal network as the gate that requires 2FA when connecting from outside the internal network; this works for rich clients as well

Page 24: Web Applications Only

• Configure the AD FS 2.0 proxy for smartcard access using in-box support
• Customize the AD FS 2.0 proxy with 3rd-party 2FA solutions:
  • Use an IIS HTTP module from the 2FA provider to intercept and authenticate 2FA before the AD username/password is provided at the forms login page on the AD FS 2.0 proxy (RSA example)
  • Customize the AD FS 2.0 forms login page to add 2FA credential collection and authenticate to the 2FA service via code-behind
• No support for rich clients

Page 25: Web Applications Only (flow)

[Diagram: DMZ/intranet layout with AD FS and AD DS inside, the AD FS proxy with a 2FA module in the DMZ, and the Windows Azure Active Directory authentication platform in the cloud. Smartcard access: the user accesses the application, is redirected to the authentication platform and then to the IdP, types a user name, provides AD/smartcard credentials at the proxy, AD FS generates a SAML token for the authentication platform, and the user is redirected back to present the ticket to the application. Other 2FA access: a 3rd-party auth provider is installed on the AD FS proxy; the proxy redirects to the strong auth provider, the user presents strong credentials, the 2FA service authenticates them and redirects back to the proxy, which authenticates the 2FA response before the normal flow continues. No support for rich client apps.]

Page 26: Strong Auth: VPN to Internal Network

• Configure extranet access to always require VPN access
• Integrate 2FA with the VPN provider
• Allow internal Outlook traffic to authenticate with client access policies and AD FS 2.0
• Optionally allow EAS traffic to authenticate via the AD FS 2.0 proxy and a client access policy
• Supports rich clients

Page 27: Strong Auth: VPN to Internal Network (flow)

[Diagram: DMZ/intranet layout with AD FS and AD DS inside, the AD FS proxy (passive pages disabled) in the DMZ, a VPN gateway and 2FA service, and the Windows Azure Active Directory authentication platform in the cloud. The user connects to the VPN, provides 2FA credentials, is authenticated by the 2FA service and joins the internal network. Outlook then sends its credentials to Exchange proxy auth, which sends the AuthN request to AD FS (internal Outlook may also be allowed via the AD FS proxy), where the client access rules are evaluated and a SAML token is issued.]

Page 28: Questions

Page 29: Related Content

Code | Title | Schedule
• OSP221 | Microsoft Office 365 for Enterprises | 6/11/2012 3:00 PM
• OSP305 | The Modern Compatibility Process to Accelerate Microsoft Office Deployment | 6/11/2012 4:45 PM
• OSP321 | Active Directory Integration with Microsoft Office 365 | 6/12/2012 10:15 AM
• OSP224 | Microsoft Office 365 Management and Deployment | 6/12/2012 1:30 PM
• OSP223 | Microsoft Office 365 for Education | 6/12/2012 3:15 PM
• OSP303 | Supporting Microsoft Office in an Enterprise Environment | 6/12/2012 3:15 PM
• OSP202 | Microsoft Excel: A Web Development Tool? | 6/12/2012 5:00 PM
• OSP306 | Microsoft Office Deployment for the Elite | 6/13/2012 10:15 AM
• OSP325 | To the Cloud, from the Trenches: Best Practices for Migrating to Microsoft Office 365 | 6/13/2012 1:30 PM
• OSP302 | Building Integrated Microsoft Office 365, SharePoint Online, and Office Solutions Using BCS and LOB Data | 6/13/2012 3:15 PM
• OSP323 | Microsoft Office 365 Security, Privacy, and Trust | 6/13/2012 5:00 PM
• OSP324 | Microsoft Office 365 Service Reliability and Disaster Recovery | 6/14/2012 8:30 AM
• OSP304 | Optimized Desktop Deployment Jeopardy Live Game Show | 6/14/2012 1:00 PM
• OSP222 | Empowering Small Businesses: Microsoft Office 365 P-Suite | 6/14/2012 4:30 PM

Page 30: Related Resources

• Office 365 TechCenter: technet.microsoft.com/Office365
• Office Client TechCenter: technet.microsoft.com/office
• Office, Office 365 and SharePoint demo area, including the Office 365 IT Pro Command Center and the Office 365 Data Center Exhibit


Page 32: Resources

• Connect. Share. Discuss.: http://northamerica.msteched.com
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn


Page 34: Legal notice

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
