Post on 19-Dec-2015


Luca Bandinelli

Senior Program Manager

Microsoft

Identity management integration options for Office 365

Office 365 Identity Models

Cloud identity
  User accounts are created and managed in the cloud. Zero on-premises servers.

Synchronized identity
  On-premises directory, synchronized to the cloud with directory sync and password sync. Between zero and three additional on-premises servers depending on the number of users.

Federated identity
  On-premises identity; directory sync plus federation. Between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements.

Identity Synchronization and Federation

Diagram: the on-premises identity provider handles federated sign-in to Windows Azure Active Directory over WS-Federation, WS-Trust, SAML 2.0 and Shibboleth (exchanging federation metadata), and the on-premises directory synchronizes accounts into Azure AD through the Graph API. Azure AD then performs authentication and authorization for Exchange Web Access, SharePoint Online and Exchange mailbox access (Outlook, Lync, Word, etc.): passive auth for browser clients, active auth for rich clients.

Cloud identity model

Diagram: the user signs in at http://portal.office.com with a cloud identity; user accounts are created and managed in the cloud, and any on-premises directory is not connected.

Synchronized identity model

Diagram: AAD Sync synchronizes user accounts and password hashes from the on-premises directory into Azure AD; the user signs on directly to Azure AD with the synchronized credentials.

Before installing AAD Sync (http://aka.ms/aadsync)

• Active Directory remediation: run IdFix
• Verify DNS domains with Office 365; add these prior to syncing to preserve the UPN
• Directories other than Active Directory: covered by the Works with Office 365 – Identity program; will be added soon to AAD Sync
• One server is most common; a domain controller is okay; a separate SQL Server is okay (the bundled SQL Express instance is limited to about 100,000 directory objects); you can install to Azure IaaS
• Migrating from DirSync or FIM 2010: uninstall/reinstall, or side-by-side install with object review
• Forest functional level: Windows Server 2003 or later

What errors does IdFix look for?

Errors:
• Duplicate proxyAddresses
• Invalid characters in attributes
• Over-length attributes
• Format errors in attributes
• Use of non-routable domains
• Blank attribute that requires a value

Validated attributes: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
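To make the six error classes concrete, here is an added example of an IdFix-style checker run over a few constructed directory records. It is not IdFix itself and not code from the slides: the five attribute names are the ones the slide lists, while the length limits, character classes, accepted proxyAddresses prefixes, the set of non-routable suffixes and the verified domain list (contoso.com) are assumptions chosen to approximate IdFix's rules. The SAMPLE_DIRECTORY records are constructed for the example.

```python
# Added example: IdFix-style remediation checks over constructed directory records.
# Limits, character classes and domain lists below are assumptions approximating IdFix.
import re
from collections import defaultdict

VERIFIED_DOMAINS = {"contoso.com"}                  # assumption: domains verified in the tenant
NON_ROUTABLE = (".local", ".internal", ".lan")      # assumption: suffixes treated as non-routable
MAX_LEN = {"userPrincipalName": 113, "mailNickName": 64, "sAMAccountName": 20,
           "proxyAddresses": 256, "targetAddress": 256}          # assumption
UPN_LOCAL_OK = re.compile(r"^[A-Za-z0-9!#^~._'-]+$")   # assumption: allowed before the @
NICK_BAD = re.compile(r"[\s\"()<>,;:\\\[\]@]")         # assumption: not allowed in mailNickName
SAM_BAD = re.compile(r'["/\\\[\]:;|=,+*?<>]')          # assumption: not allowed in sAMAccountName
TYPED_ADDR = re.compile(r"^(SMTP|smtp|X500|x500|sip|SIP):(.+)$")  # assumption: accepted prefixes
SMTP_ADDR = re.compile(r"^([^@\s]+)@([^@\s]+)$")

def _values(obj, attr):
    v = obj.get(attr)
    return [] if v is None else (v if isinstance(v, list) else [v])

def _domain_error(domain):
    d = domain.lower()
    if d.endswith(NON_ROUTABLE):
        return "use of non-routable domain " + domain
    if d not in VERIFIED_DOMAINS:
        return "domain not verified in the tenant: " + domain
    return None

def check_object(obj):
    """Per-object checks; returns a list of (attribute, error) tuples."""
    errs = []
    for attr, limit in MAX_LEN.items():
        for value in _values(obj, attr):
            if len(value) > limit:
                errs.append((attr, "over length (%d > %d)" % (len(value), limit)))
    upn = obj.get("userPrincipalName", "")
    if not upn:
        errs.append(("userPrincipalName", "blank attribute that requires a value"))
    elif upn.count("@") != 1:
        errs.append(("userPrincipalName", "format error: expected exactly one @"))
    else:
        local, domain = upn.split("@")
        if not UPN_LOCAL_OK.match(local):
            errs.append(("userPrincipalName", "invalid characters in local part"))
        if _domain_error(domain):
            errs.append(("userPrincipalName", _domain_error(domain)))
    nick = obj.get("mailNickName", "")
    if obj.get("proxyAddresses") and not nick:
        errs.append(("mailNickName", "blank attribute that requires a value (mail-enabled object)"))
    elif nick and NICK_BAD.search(nick):
        errs.append(("mailNickName", "invalid characters"))
    sam = obj.get("sAMAccountName", "")
    if not sam:
        errs.append(("sAMAccountName", "blank attribute that requires a value"))
    elif SAM_BAD.search(sam):
        errs.append(("sAMAccountName", "invalid characters"))
    primaries = 0
    for addr in obj.get("proxyAddresses", []):
        m = TYPED_ADDR.match(addr)
        if not m:
            errs.append(("proxyAddresses", "format error: missing type prefix in " + addr))
            continue
        if m.group(1) == "SMTP":          # upper-case SMTP: marks the primary address
            primaries += 1
        if m.group(1).lower() == "smtp":
            sm = SMTP_ADDR.match(m.group(2))
            if not sm:
                errs.append(("proxyAddresses", "format error in " + addr))
            elif _domain_error(sm.group(2)):
                errs.append(("proxyAddresses", _domain_error(sm.group(2))))
    if primaries > 1:
        errs.append(("proxyAddresses", "format error: %d primary SMTP: addresses" % primaries))
    ta = obj.get("targetAddress")
    if ta:
        m = TYPED_ADDR.match(ta)
        if not m or not SMTP_ADDR.match(m.group(2)):
            errs.append(("targetAddress", "format error in " + ta))
    return errs

def check_directory(objects):
    """Per-object checks plus cross-object duplicate detection; returns {dn: [(attr, error)]}."""
    report = {dn: check_object(o) for dn, o in objects.items()}
    seen = defaultdict(list)
    for dn, o in objects.items():
        for addr in o.get("proxyAddresses", []):
            seen[addr.lower()].append(dn)          # SMTP:/smtp: compare case-insensitively
        if o.get("userPrincipalName"):
            seen["upn:" + o["userPrincipalName"].lower()].append(dn)
    for key, dns in seen.items():
        if len(dns) > 1:
            attr = "userPrincipalName" if key.startswith("upn:") else "proxyAddresses"
            for dn in dns:
                others = ", ".join(d for d in dns if d != dn)
                report[dn].append((attr, "duplicate value %s (also on %s)" % (key, others)))
    return report

SAMPLE_DIRECTORY = {  # constructed sample records, not real directory data
    "CN=Alice,OU=Users,DC=contoso,DC=local": {
        "userPrincipalName": "alice@contoso.com", "mailNickName": "alice", "sAMAccountName": "alice",
        "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice.smith@contoso.com"]},
    "CN=Bob,OU=Users,DC=contoso,DC=local": {
        "userPrincipalName": "bob@contoso.local", "mailNickName": "bob smith", "sAMAccountName": "bob",
        "proxyAddresses": ["SMTP:bob@contoso.com"]},
    "CN=Carol,OU=Users,DC=contoso,DC=local": {
        "userPrincipalName": "", "mailNickName": "carol", "sAMAccountName": "c" * 25,
        "proxyAddresses": ["SMTP:bob@contoso.com", "SMTP:carol@contoso.com", "carol@contoso.com"],
        "targetAddress": "SMTP:carol@contoso.mail.onmicrosoft.com"},
}

if __name__ == "__main__":
    for dn, errs in check_directory(SAMPLE_DIRECTORY).items():
        print(dn, "OK" if not errs else "")
        for attr, err in errs:
            print("   ", attr, "-", err)
```

Alice passes cleanly; Bob is flagged for the .local UPN domain and the space in mailNickName; Carol is flagged for the blank UPN, the over-length sAMAccountName, two primary SMTP: addresses, an address with no type prefix, and the proxy address she shares with Bob. Running this against a real export before the first sync is exactly the remediation step the slide asks for.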

Demo: Configuring Azure AD Sync

User (and contact) matching (diagram: objects from each connector space (1, 2) are joined into a single object in the metaverse)

Out of box configuration

• Single forest – same as DirSync
• Multi-forest configurations – full mesh, account-resource forest
  – One or multiple Exchange organizations with hybrid Exchange
  – Group membership for security groups with ForeignSecurityPrincipals (FSPs)
• Assumptions – a user will have only one enabled user account
  – a user will have only one mailbox
  – the best data quality for a user is where Exchange is located
• Passwords – password (hash) sync and password write-back

Review the configuration

Installation logs: %windir%\temp\aadsync

Synchronization rules:
• Depending on whether Exchange and Lync are present in AD, different rules will be generated
• Depending on the Exchange version, attributes will be removed as needed
• Only selected services will have outbound rules to AAD
• Attributes you selected not to include are removed from the outbound rules to AAD

Introducing the Sync Rule Editor: a "Resource Kit Tool" to view, change and add sync rules

AAD Sync installation review
• Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects
• Sync now: expect about 1 hour per 5,000 objects
• Password expiry for the sync account (make sure it does not expire)
• Assign Office 365 licenses
• High availability: can back up and reinstall
• Filtering AAD Sync: by domain and OUs, by attributes

Password hash sync security

Password hash in AD DS: a hash is the result (digest) of a mathematical function that is nearly impossible to reverse, so the stored value cannot be reversed to get the user's password.

Additional processing: we further process the AD DS hash with a one-way SHA256 hash before it leaves the on-premises directory. Connections are only to the Azure AD service, and connections are SSL encrypted. The value Azure AD stores enables it to validate the user's password when they log in; it is not the AD DS hash itself, so it cannot be replayed against on-premises Active Directory.

Diagram: user password -> on-premises directory (hash) -> extra security (further hashing) -> Azure AD.

Choosing between DirSync and AAD Sync

DirSync
• Includes password hash sync
• Linked from the Office 365 Admin Portal

Azure AD Sync Services
• Also has password hash sync
• Includes sync from multiple forests, including merging duplicate users in these forests
• In addition to AD, can sync from LDAP v3; SQL Server coming soon
• Enables selective OU sync using the UX in the setup, compared to DirSync which requires PowerShell configuration
• Enables transforming of attributes using the UX in the setup
• Planned to replace DirSync in the future
• Preview cannot be upgraded to a later release

Federated identity model

Diagram: AAD Sync synchronizes user accounts (and optionally password hashes) from the on-premises directory into Azure AD, while authentication and sign-on are handled by AD FS on-premises.

Password Sync Backup for Federated Sign-In

This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.

Diagram: AD FS provides federated sign-in, while AAD Sync keeps user accounts and a backup copy of the password hashes in Azure AD so the domain can be switched to synchronized sign-in during an outage.

ADFS is also easy

• Use trained and experienced deployment staff
• Use the Azure AD Connect tool
• Read all the TechNet deployment guidance: http://technet.microsoft.com/en-us/library/jj205462.aspx
• Only implement the Office 365 requirements
• The only certificate required is the SSL certificate
• Prepare with firewall update permissions

Change between models as needs change

• Cloud identity to synchronized identity: deploy DirSync; existing cloud users are joined to on-premises users by hard match (on the immutable ID) or soft match (on the primary SMTP address)
• Synchronized identity to federated identity: deploy AD FS; you can leave password sync enabled as a backup
• Federated identity to synchronized identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users
• Synchronized identity to cloud identity: PowerShell Set-MsolDirSyncEnabled -EnableDirSync $false; takes up to 72 hours and you can monitor with Get-MsolCompanyInformation

Choose the simplest model for your needs; this is our recommendation.

Cloud identity is the simplest model. Choose cloud identity when:
• You have no on-premises directory
• There is on-premises directory restructuring
• You are in pilot with Office 365

Choose synchronized identity if you have an on-premises directory. Password hash sync means federation is not required just to have the same password in the cloud.
• Same sign-on: the username and password are the same in the cloud as on-premises; credentials saved for later use go in Windows Credential Manager
• Single sign-on: you log on to the PC and no password is required for cloud services (Outlook does not support single sign-on)

Choose password hash sync unless you have one of the scenarios that requires federation.

Scenarios for choosing federation

Existing infrastructure
1. You already have an AD FS deployment
2. You already use a third party federated identity provider
3. You use Forefront Identity Manager 2010

Technical requirements
4. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
5. Custom hybrid applications or hybrid search is required
6. Web accessible forgotten password reset

Policy requirements
7. You require sign-in audit and/or immediate disable
8. Single sign-on minimizing prompts is required
9. Require client sign-in restrictions by network location or work hours
10. Policy preventing synchronizing password hashes to Azure AD

Office 365 federation options

ADFS
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support

Third party – WS-*
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems, with AD or non-AD
• Single sign-on
• Support for web and rich clients
• Third-party supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support
• Verified through the 'Works with Office 365' program

Third party – Shibboleth (SAML 1.1)
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers and support
• Works with AD and other directories on-premises

Third party – SAML 2.0
• For organizations that need to use SAML 2.0
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no identity provider deployment support
• Requires on-premises servers and support
• Works with AD and other directories on-premises

Works with Office 365 – Identity program

What is it? Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.

Program requirements:
• Published qualification requirements
• Published technical integration docs
• Automated testing tool
• Self-testing work by the partner
• Predictable and shorter qualification

http://aka.ms/ssoproviders

Diagram: qualified providers include Active Directory with ADFS, Shibboleth and RadiantOne, covering WS-Trust & WS-Federation and SAML (passive auth).

Customer benefits:
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft

Summary

• Choose the simplest model for your needs
• Change between models as needs change
• Cloud identity model when there is no on-premises directory
• Synchronized identity model for most organizations
• Federated identity model for one of the federation scenarios

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.