Office 365 identity

Post on 18-Nov-2014


TRANSCRIPT

1 Identity management overview

2 Core identity scenarios

3 Deep dive on federation and synchronization

4 Additional features

Authentication: verifying that a user, device, or service, such as an application provided on a network server, is the entity that it claims to be.

Authorization: determining which actions an authenticated entity is authorized to perform on the network.

User

Microsoft Account (e.g. alice@outlook.com)

User

Organizational Account (e.g. alice@contoso.com)

Microsoft Account Organizational Account

Directory store

Authentication platform

Windows Azure Active Directory

Core identity scenarios

Cloud Identity

OAuth2

SAML-P

WS-Federation

Metadata

Graph API

Directory & Password Sync

OAuth2

SAML-P

WS-Federation

Metadata

Graph API

Directory Synchronization Options

Suitable for small/medium size organizations with AD or Non-AD

Performance limitations apply with PowerShell and Graph API provisioning

PowerShell requires scripting experience

PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

PowerShell & Graph API

Suitable for organizations using Active Directory (AD)

Provides best experience to most customers using AD

Supports Exchange Co-existence scenarios

Coupled with ADFS, provides best option for federation and synchronization

Supports Password Synchronization with no additional cost

Does not require any additional software licenses

Suitable for large organizations with certain AD and Non-AD scenarios

Complex multi-forest AD scenarios

Non-AD synchronization through Microsoft premier deployment support

Requires Forefront Identity Manager and additional software licenses

Federated Identity

OAuth2

SAML-P

WS-Federation

Metadata

Graph API

Cloud Identity

No integration with on-premises directories

Directory & Password Synchronization*

Integration without federation*

Federated Identity

Single federated identity and credentials

Federation options

Suitable for educational organizations

Recommended where customers may use existing non-ADFS Identity systems

Single sign-on

Secure token based authentication

Support for web clients and Outlook only

Microsoft supported for integration only, no Shibboleth deployment support

Requires on-premises servers & support

Works with AD and other directories on-premises

Shibboleth (SAML*)

Works with AD & Non-AD

Suitable for medium, large enterprises including educational organizations

Recommended option for Active Directory (AD) based customers

Single sign-on

Secure token based authentication

Support for web and rich clients

Microsoft supported

PhoneFactor can be used for two-factor auth

Works for Office 365 Hybrid Scenarios

Requires on-premises servers, licenses & support

Works with AD

Suitable for medium, large enterprises including educational organizations

Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD

Single sign-on

Secure token based authentication

Support for web and rich clients

Third-party supported

PhoneFactor can be used for two-factor auth

Works for Office 365 Hybrid Scenarios

Requires on-premises servers, licenses & support

Verified through ‘works with Office 365’ program

Works for Office 365 Hybrid Scenarios

Works with AD & Non-AD

Federation with Identity Partners

Verified by Microsoft

Reuse Investments

Program for third party identity providers to interoperate with Office 365

Objective is to help customers that currently use Non-Microsoft identity solutions to adopt Office 365

Identity Roadmap

Shibboleth (SAML) Support: available now

New Works with Office 365 Partners: Ping, Optimal IDM, Okta, IBM available now; Novell, CA and Oracle in 1H CY2013

DirSync for Multi-forest AD: available now through MCS and Partners

Sync Solution for Non-AD using FIM: available now through MCS and Partners

Password Synchronization for AD: 1H CY2013

Broader SAML Support: 1H CY2013

Windows Azure Active Directory

User

Cloud Identity (e.g. alice@contoso.com)

Identity managed in Windows Azure AD: single sign-on for Office 365 and other cloud services federated with a single cloud identity

ISV applications or SaaS providers can integrate using APIs on Windows Azure AD

Currently in Technical Preview

Cloud identity + directory synchronization

Single sign-on + directory synchronization

Contoso customer premises

AD

MS Online Directory

Sync

Lync Online

SharePoint Online

Exchange Online

Active Directory Federation Server 2.0

Trust

IdP

IdP

Understanding client authentication path

Lync 2010/Office Subscription

Active Sync

Corporate Boundary

Exchange Online

AD FS 2.0 Server

MEX

Web

Active

AD FS 2.0 Proxy

MEX

Web

Active

Outlook 2010/2007, IMAP/POP

Username/Password

Username/Password

OWA Internal

Lync 2010/Office Subscription

Outlook 2010/2007, IMAP/POP

OWA External

Username/Password

Active Sync

Username/Password

Basic auth proposal: pass client IP, protocol, device name

Web Clients

• Office with SharePoint Online

• Outlook Web Application

Remember me = persisted cookie

Exchange Clients

• Outlook

• Active Sync/POP/IMAP

• Entourage

Can save credentials

Rich Applications (SIA)

• Lync

• Office Subscriptions

• CRM Rich Client

Can save credentials

Federated Identities (domain joined)

Cloud Identity

No Prompt

Username and Password

Online ID

AD credentials

Federated Identities (non-domain joined)

Username and Password

AD credentials

Username

Username and Password

Online ID

AD credentials

Username and Password

AD credentials

Username and Password

Username and Password

Online ID

AD credentials

Username and Password

AD credentials

Authentication flow (passive/web profile): identity federation

Client (joined to CorpNet)

Authentication platform: AD FS 2.0 Server

Exchange Online or SharePoint Online

Active Directory

Customer / Microsoft Online Services

Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123

Auth Token: UPN user@contoso.com, Unique ID 254729

Authentication flow (MEX/rich client profile): identity federation

Client (joined to CorpNet)

Authentication platform: AD FS 2.0 Server

Lync Online

Active Directory

Customer / Microsoft Online Services

Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123

Auth Token: UPN user@contoso.com, Unique ID 254729

Active flow (Outlook/Active Sync), always external: identity federation

Customer / Microsoft Online Services

Client (joined to CorpNet)

Authentication platform: AD FS 2.0 Proxy

Exchange Online

Active Directory

Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123

Auth Token: UPN user@contoso.com, Unique ID 254729

Basic Auth Credentials: Username/Password
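All three flows above end the same way: the on-premises STS issues a logon token carrying the user's UPN and a source user ID (the ImmutableID that DirSync wrote to the cloud directory), and Microsoft Online Services exchanges it for its own auth token keyed on the cloud object's unique ID. The following is an added example, not code from the deck or from Microsoft, of that mapping step: it parses a constructed SAML 1.1 assertion, checks that the issuer is federated for the UPN's domain, looks the ImmutableID up in a stand-in synchronized directory, and refuses the exchange when the UPN in the token disagrees with the synchronized object. The claim type URIs, the sample directory contents and the tokens are assumptions; the example also assumes the token's signature and validity window were verified beforehand.

```python
"""Map a federated logon token (UPN + ImmutableID) to a cloud auth token."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Claim types expected from the on-premises STS (assumed; the deck only shows the values).
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"

# Domains this issuer (the customer's AD FS or Shibboleth IdP) is trusted for. Constructed.
FEDERATED_DOMAINS = {"contoso.com"}

# Constructed stand-in for the synchronized cloud directory (what DirSync populated):
# source anchor (ImmutableID) -> cloud object with its own unique id.
CLOUD_DIRECTORY = {
    "ABC123": {"upn": "user@contoso.com", "unique_id": "254729"},
}

# Constructed logon token carrying the two claims from the diagram. Signature and
# Conditions are omitted: the example assumes they were already verified.
SAMPLE_LOGON_TOKEN = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_constructed-1" Issuer="http://sts.contoso.com/adfs/services/trust"
    MajorVersion="1" MinorVersion="1" IssueInstant="2014-11-18T09:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>user@contoso.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>user@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID"
        AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>ABC123</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same token with the UPN moved to a domain this issuer is not federated for (constructed).
TAMPERED_LOGON_TOKEN = SAMPLE_LOGON_TOKEN.replace("user@contoso.com", "user@fabrikam.com")


def extract_claims(token_xml: str) -> dict:
    """Return {claim type URI: value} from a SAML 1.1 AttributeStatement."""
    root = ET.fromstring(token_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        # SAML 1.1 splits the claim type into namespace + name.
        claim_type = f'{attr.get("AttributeNamespace", "")}/{attr.get("AttributeName", "")}'
        value = attr.find(f"{{{SAML1_NS}}}AttributeValue")
        if value is not None and value.text:
            claims[claim_type] = value.text.strip()
    return claims


def issue_auth_token(token_xml, federated_domains=FEDERATED_DOMAINS, directory=CLOUD_DIRECTORY):
    """Decide whether the logon token maps to a cloud identity; return the auth token or a reason."""
    claims = extract_claims(token_xml)
    upn = claims.get(UPN_CLAIM)
    source_id = claims.get(IMMUTABLE_ID_CLAIM)
    if not upn or not source_id:
        return {"ok": False, "reason": "token lacks UPN or ImmutableID claim"}
    domain = upn.rpartition("@")[2].lower()
    if domain not in federated_domains:
        # An issuer can only vouch for the domains it is federated for.
        return {"ok": False, "reason": f"{domain} is not federated with this issuer"}
    entry = directory.get(source_id)
    if entry is None:
        return {"ok": False, "reason": "ImmutableID not found: user not synchronized yet"}
    if entry["upn"].lower() != upn.lower():
        # Token UPN and synchronized UPN disagree (a common DirSync/federation mismatch).
        return {"ok": False, "reason": "UPN in token does not match synchronized object"}
    return {"ok": True, "upn": entry["upn"], "unique_id": entry["unique_id"]}


if __name__ == "__main__":
    print(issue_auth_token(SAMPLE_LOGON_TOKEN))
    print(issue_auth_token(TAMPERED_LOGON_TOKEN))
```

The domain check is what keeps one federated tenant's STS from minting tokens for another tenant's users, and the ImmutableID lookup is why directory synchronization has to run before federation works: a user whose source anchor has not reached the cloud directory gets no auth token even with a perfectly valid logon token.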

• Open source software package providing similar functionality as ADFS (e.g. SSO, Authentication, SAML 2.0)

• Popular implementation of SAML 2.x with Higher Education institutions world-wide

• Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)

• Latest version is 2.3.6

• Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP

• Deploy DirSync for user provisioning with AD and deploy MSOMA+FIM for user provisioning from non-AD

Shibboleth 2.x IdP

Non-AD

Contoso.edu

Shibboleth 2.x IdP

Fabrikam.edu

MSOMA + FIM

AD

MSOMA + FIM

Email Rich Clients

Web Client

• Block all external access to Office 365 based on the IP address of the external client

• Block all external access to Office 365 except Exchange Active Sync; all other clients such as Outlook are blocked

• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
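As an added example, not taken from the deck, here is how those three client access policies can be evaluated against the request context the federation server sees. It ties the policies to the basic auth proposal earlier in the deck (pass client IP, protocol, device name): because the active Outlook/ActiveSync flow always reaches AD FS through the proxy on the user's behalf, an IP-based policy can only tell an internal Outlook user from an external one if Exchange Online forwards the original client IP. The request fields are modelled on the AD FS request-context claims (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path), which the deck itself does not name; the corporate ranges, application names and sample requests are constructed.

```python
"""Evaluate the three client access policies against constructed AD FS requests."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Corporate egress range the policies treat as "internal". Constructed.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# AD FS passive (browser) endpoint prefix; other endpoints serve active/rich clients.
PASSIVE_ENDPOINT_PREFIX = "/adfs/ls/"
ACTIVE_ENDPOINT = "/adfs/services/trust/2005/usernamemixed"
ACTIVESYNC_APP = "Microsoft.Exchange.ActiveSync"


@dataclass
class Request:
    """Request-context facts a policy can see (field names are assumptions modelled on
    the x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application and
    x-ms-endpoint-absolute-path claims)."""
    via_proxy: bool                      # arrived through the AD FS proxy (external path)
    forwarded_client_ip: Optional[str]   # original client IP, if Exchange Online passed it on
    client_application: Optional[str]    # e.g. Microsoft.Exchange.ActiveSync, Microsoft.Exchange.RPC
    endpoint_path: str


def is_external(req: Request) -> bool:
    """External means the request came through the proxy. The active flow always does,
    since Exchange Online calls the proxy on the user's behalf, so for rich clients
    only the forwarded client IP can say where the user really was."""
    return req.via_proxy


def client_on_corpnet(req: Request) -> bool:
    """True only if a forwarded client IP is present and inside a corporate range."""
    if not req.forwarded_client_ip:
        return False
    try:
        ip = ipaddress.ip_address(req.forwarded_client_ip)
    except ValueError:
        return False  # unparsable IP: fail closed
    return any(ip in net for net in CORPORATE_RANGES)


def block_external_by_ip(req: Request) -> bool:
    """Policy 1: block all external access unless the client IP is corporate."""
    return not is_external(req) or client_on_corpnet(req)


def allow_only_activesync(req: Request) -> bool:
    """Policy 2: block all external access except Exchange ActiveSync."""
    return not is_external(req) or req.client_application == ACTIVESYNC_APP


def allow_only_passive(req: Request) -> bool:
    """Policy 3: block all external access except passive browser-based applications."""
    return not is_external(req) or req.endpoint_path.startswith(PASSIVE_ENDPOINT_PREFIX)


POLICIES = {
    "block_external_by_ip": block_external_by_ip,
    "allow_only_activesync": allow_only_activesync,
    "allow_only_passive": allow_only_passive,
}

# Constructed sample requests covering the client paths shown in the deck.
REQUESTS = {
    "owa_internal":    Request(False, None, None, PASSIVE_ENDPOINT_PREFIX),
    "owa_external":    Request(True, None, None, PASSIVE_ENDPOINT_PREFIX),
    "activesync_home": Request(True, "198.51.100.7", ACTIVESYNC_APP, ACTIVE_ENDPOINT),
    "outlook_corpnet": Request(True, "203.0.113.42", "Microsoft.Exchange.RPC", ACTIVE_ENDPOINT),
    "outlook_home":    Request(True, "198.51.100.7", "Microsoft.Exchange.RPC", ACTIVE_ENDPOINT),
}


def decisions(policy_name: str) -> dict:
    """Return {request name: allowed?} for one policy over the sample requests."""
    policy = POLICIES[policy_name]
    return {name: policy(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name in POLICIES:
        print(name, decisions(name))
```

Note how the IP policy denies the external browser request outright: with no forwarded client IP there is nothing to compare against the corporate ranges, so the policy fails closed rather than guessing.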

Windows Azure Active Directory

User

Multi-forest AD support is available through Microsoft-led deployments

Multi-forest DirSync appliance supports multiple disjoint account forests

FIM 2010 Office 365 connector supports complex multi-forest topologies

On-Premises Identity (e.g. Domain\Alice)

Federation using ADFS

AD

DirSync on FIM

AD

AD

Windows Azure Active Directory

User

Preferred option for Directory Synchronization with Non-AD sources

Non-AD support with FIM is available through Microsoft-led deployments

FIM 2010 Office 365 connector supports complex multi-forest topologies

On-Premises Identity (e.g. Domain\Alice)

Federation using Non-ADFS STS

Office 365 Connector on FIM

Non-AD (LDAP)
