TRANSCRIPT
Luca Bandinelli
Senior Program Manager
Microsoft
Identity management integration options for Office 365
Office 365 Identity Models
Cloud identity: zero on-premises servers.
Synchronized identity: on-premises directory with directory sync and password sync; between zero and three additional on-premises servers, depending on the number of users.
Federated identity: on-premises identity with directory sync and federation; between two and eight on-premises servers plus networking configuration, depending on the sign-in availability requirements.
Identity Synchronization and Federation (diagram)
On-premises identity provider and directory; accounts are synchronized to Windows Azure Active Directory (Graph API).
Federated sign-in between the on-premises identity provider and Windows Azure Active Directory: WS-Federation, WS-Trust, SAML 2.0, Metadata, Shibboleth.
Windows Azure Active Directory provides authentication and authorization for Exchange Web Access, SharePoint Online and Exchange Mailbox Access (Outlook, Lync, Word, etc.), with passive auth for web clients and active auth for rich clients.
Cloud identity model: user accounts are created and managed in the cloud (http://portal.office.com); there is no on-premises directory.
Synchronized identity model: AAD Sync copies user accounts and password hashes from the on-premises directory to the cloud; the user signs on with the synchronized identity.
Before installing AAD Sync (http://aka.ms/aadsync)
Active Directory remediation: run IdFix.
Verify DNS domains with Office 365; add these prior to syncing to preserve the UPN.
Directories other than Active Directory: works with the Office 365 Identity program; will be added soon to AAD Sync.
One server is most common; a domain controller is okay; a separate SQL Server is okay; up to 100,000 directory objects; you can install to Azure IaaS.
Migrating from DirSync or FIM 2010: uninstall and reinstall, or side-by-side install with object review.
Forest functional level: Windows Server 2003.
What errors does IdFix look for?
Errors: duplicate proxyAddresses; invalid characters in attributes; over-length attributes; format errors in attributes; use of non-routable domains; blank attribute that requires a value.
Validated attributes: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName.
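An added example, not part of the deck or of the IdFix tool itself: a PowerShell pre-sync check that reports the six IdFix error classes above over the validated attributes the slide lists, run against constructed sample users. The length limits, the UPN character rule and the non-routable suffix list are assumptions taken from IdFix documentation, not from this page.

```powershell
# Added example, not part of the deck or of the IdFix tool: reports the IdFix error classes
# over the validated attributes the slide names. The length limits, the UPN character rule
# and the non-routable suffix list are assumptions from IdFix documentation; adjust them.
$MaxLength = @{ mailNickname = 64; proxyAddresses = 256; sAMAccountName = 20; targetAddress = 256; userPrincipalName = 113 }
$NonRoutableSuffixes = @('.local', '.lan', '.internal', '.corp')   # assumption
$InvalidUpnChars = '[\\%&*+/=?{}|<>();:,\[\]"\s]'                   # assumption
function Test-SyncReadiness {
    param([Parameter(Mandatory)][object[]]$Users)
    $findings = New-Object System.Collections.Generic.List[object]
    $seenProxy = @{}   # lower-cased proxyAddress -> first owner, for duplicate detection
    function Add-Finding($user, $attr, $kind, $value) {
        $findings.Add([pscustomobject]@{ User = $user; Attribute = $attr; Error = $kind; Value = $value })
    }
    foreach ($u in $Users) {
        $who = $u.sAMAccountName
        # Over-length attributes; multi-valued attributes are checked value by value
        foreach ($attr in $MaxLength.Keys) {
            foreach ($v in @($u.$attr)) {
                if ($v -and $v.Length -gt $MaxLength[$attr]) { Add-Finding $who $attr 'length' $v }
            }
        }
        # Blank attribute that requires a value: every user to be synced needs a UPN
        if ([string]::IsNullOrWhiteSpace($u.userPrincipalName)) {
            Add-Finding $who 'userPrincipalName' 'blank' ''
        } else {
            $local, $domain = $u.userPrincipalName -split '@', 2
            if (-not $domain) { Add-Finding $who 'userPrincipalName' 'format' $u.userPrincipalName }
            elseif ($local -match $InvalidUpnChars) { Add-Finding $who 'userPrincipalName' 'character' $u.userPrincipalName }
            elseif ($NonRoutableSuffixes | Where-Object { $domain -like "*$_" }) {
                Add-Finding $who 'userPrincipalName' 'non-routable domain' $u.userPrincipalName
            }
        }
        # proxyAddresses: type prefix required (format), and duplicates across the whole set
        foreach ($p in @($u.proxyAddresses)) {
            if (-not $p) { continue }
            if ($p -notmatch '^(smtp|sip|x500):\S+$') { Add-Finding $who 'proxyAddresses' 'format' $p; continue }
            $key = $p.ToLowerInvariant()
            if ($seenProxy.ContainsKey($key)) { Add-Finding $who 'proxyAddresses' 'duplicate' "$p (also on $($seenProxy[$key]))" }
            else { $seenProxy[$key] = $who }
        }
    }
    return $findings
}
# Constructed sample users that trigger each error class
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe'; mailNickname = 'jdoe'; userPrincipalName = 'jdoe@contoso.local'; proxyAddresses = @('SMTP:jdoe@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'asmith'; mailNickname = 'a smith'; userPrincipalName = 'a smith@contoso.com'; proxyAddresses = @('SMTP:jdoe@contoso.com', 'jdoe@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'svc-reporting-longname01'; mailNickname = 'svcrep'; userPrincipalName = ''; proxyAddresses = @() }
)
Test-SyncReadiness -Users $sample | Format-Table -AutoSize
```

Against a real directory, feed the function the output of Get-ADUser with the five attributes selected; every finding it returns is one the sync would otherwise reject or mis-map.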
Out of box configuration
• Single forest
– Same as DirSync
• Multi-forest configurations
– Fully-mesh, account-resource forest
– One or multiple Exchange organizations with hybrid Exchange
– Group membership for security groups with ForeignSecurityPrincipals (FSPs)
• Assumptions
– User will have only one enabled user account
– User will have only one mailbox
– The best data quality for a user is where Exchange is located
• Passwords
– Password (hash) sync and password write-back
Review the configuration
Installation logs: %windir%\temp\aadsync
Synchronization rules: depending on whether Exchange and Lync are present in AD, different rules will be generated; depending on the Exchange version, attributes will be removed as needed; only selected services will have outbound rules to AAD; attributes you selected not to include are removed from the outbound rules to AAD.
Introducing the Sync Rule Editor: a "Resource Kit Tool" to view, change and add sync rules.
AAD Sync installation review
Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and the limit is increased to 300,000 objects.
Sync now: expect about 1 hour per 5,000 objects.
Password expiry for the sync account.
Assign Office 365 licenses.
High availability: can back up and reinstall.
Filtering AAD Sync: by domain and OUs, or by attributes.
Password hash sync security
The AD DS password hash is not reversible to get the user's password. Hashes are mathematical functions that are nearly impossible to reverse; the result of the hash algorithm is called a digest.
Additional processing: we further process it with a one-way hash (SHA256 algorithm). Connections are only to the Azure AD service, and connections are SSL encrypted.
This enables Azure AD to validate the user's password when they log in.
Diagram: user password -> on-premises directory (hash) -> extra security -> Azure AD.
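An added illustration of the "additional processing" step just described, written for this page and not Microsoft's implementation: the sync side derives a SHA256 digest over a per-user salt and the directory's password hash, so only salt and digest leave the network, and the cloud side validates a sign-in by recomputing the same digest from the typed password. AD DS really stores an MD4 hash of the UTF-16LE password and .NET exposes no MD4 class, so a SHA256 stand-in plays the on-premises hash; the per-user salt and the single SHA256 round are assumptions, not the product's algorithm.

```powershell
# Added illustration, not Microsoft's implementation: models the slide's "additional processing"
# step. AD DS really stores an MD4 hash of the UTF-16LE password and .NET has no MD4 class, so a
# SHA256 stand-in plays the on-premises hash; the per-user salt and single SHA256 round are assumptions.
function Get-Sha256([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}
# Stand-in for the hash the on-premises directory stores (assumption, see above)
function Get-OnPremHash([string]$Password) {
    Get-Sha256 ([System.Text.Encoding]::Unicode.GetBytes($Password))
}
# Sync side: what leaves the on-premises network is SHA256(salt || on-prem hash) plus the salt,
# never the directory's own hash
function ConvertTo-SyncDigest([byte[]]$OnPremHash, [byte[]]$Salt) {
    [byte[]]$digest = Get-Sha256 ($Salt + $OnPremHash)
    [pscustomobject]@{ Salt = $Salt; Digest = $digest }
}
# Constant-time comparison so the verifier does not leak how many leading bytes matched
function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}
# Cloud side at sign-in: hash the typed password the same way, re-apply the stored salt, compare
function Test-CloudPassword([string]$Typed, $Record) {
    $candidate = (ConvertTo-SyncDigest (Get-OnPremHash $Typed) $Record.Salt).Digest
    return Test-BytesEqual $candidate $Record.Digest
}

# Constructed demo values: a random per-user salt and a sample password
$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$record = ConvertTo-SyncDigest (Get-OnPremHash 'Sample-Passw0rd!') $salt
Test-CloudPassword 'Sample-Passw0rd!' $record   # genuine sign-in
Test-CloudPassword 'wrong-guess' $record        # wrong password
```

The point the slide makes follows from the record's shape: the cloud holds only salt and digest, so compromising the cloud store yields neither the password nor the directory hash that on-premises authentication actually uses.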
Choosing between DirSync and AAD Sync
DirSync: includes password hash sync; linked from the Office 365 Admin Portal.
Azure AD Sync Services: also has password hash sync; includes sync from multiple forests, including merging duplicate users in these forests; in addition to AD, can sync from LDAP v3 (SQL Server coming soon); enables selective OU sync using the UX in the setup, compared to DirSync, which requires PowerShell configuration; enables transforming of attributes using the UX in the setup; planned to replace DirSync in the future; the preview cannot be upgraded to a later release.
Federated identity model (diagram): on-premises directory with user accounts and password hashes; AAD Sync synchronizes the accounts to the cloud; AD FS performs authentication; the user signs on with the federated identity.
Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
Diagram: federated identity through AD FS; AAD Sync from the on-premises directory (user accounts); backup password hash sync.
ADFS is also easy
Use trained and experienced deployment staff.
Use the Azure AD Connect tool.
Read all the TechNet deployment guidance: http://technet.microsoft.com/en-us/library/jj205462.aspx
Only implement the Office 365 requirements; the only certificate required is the SSL certificate.
Prepare with firewall update permissions.
Change between models as needs change
Cloud identity to synchronized identity: deploy DirSync; hard match or soft match of users.
Synchronized identity to federated identity: deploy AD FS; can leave password sync enabled as backup.
Federated identity to synchronized identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users.
Synchronized identity to cloud identity: PowerShell Set-MsolDirSyncEnabled; takes 72 hours and you can monitor with Get-MsolCompanyInformation.
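An added example, not from the deck: the two conversions that the slide performs with the MSOnline (Azure AD v1) PowerShell module, wrapped with the pre-check and the monitoring loop an administrator wants around them. The domain name and the password-file path are placeholders, and the hour-long poll interval is an assumption.

```powershell
# Added example, not from the deck: the two conversions the slide names, scripted with the
# MSOnline (Azure AD v1) module those cmdlets belong to. Domain and file path are placeholders.
function Convert-FederatedToSynchronized {
    param([Parameter(Mandatory)][string]$DomainName,
          [Parameter(Mandatory)][string]$PasswordFile)   # receives converted users' passwords: protect it
    # Pre-check: only a federated domain can be converted back to standard (managed) sign-in
    $d = Get-MsolDomain -DomainName $DomainName
    if ($d.Authentication -ne 'Federated') {
        throw "$DomainName is '$($d.Authentication)', not Federated; nothing to convert"
    }
    # Converts the domain and its users; the slide's estimate is 2 hours plus 1 hour per
    # 2,000 users, so run this from a session that stays up for the duration
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile
}

function Disable-DirectorySyncAndWait {
    param([int]$PollMinutes = 60)   # assumed interval; the slide says the change takes 72 hours
    # Tenant-wide change: sync stays reported as enabled until the disable completes,
    # which is what the slide's Get-MsolCompanyInformation check observes
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    do {
        Start-Sleep -Seconds ($PollMinutes * 60)
        $info = Get-MsolCompanyInformation
        Write-Host ("{0:u}  DirectorySynchronizationEnabled={1}" -f (Get-Date), $info.DirectorySynchronizationEnabled)
    } while ($info.DirectorySynchronizationEnabled)
}

Connect-MsolService    # prompts for tenant administrator credentials
# Run only the transition you need; they are shown together here for completeness
Convert-FederatedToSynchronized -DomainName 'contoso.example' -PasswordFile 'C:\secure\converted-passwords.txt'
Disable-DirectorySyncAndWait
```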
Choose the simplest model for your needs; this is our recommendation.
Cloud identity is the simplest model. Choose cloud when you have no on-premises directory, there is on-premises directory restructuring, or you are in pilot with Office 365.
Choose synchronized identity if you have an on-premises directory. Password hash sync means federation is not required just to have the same password in the cloud.
Same sign-on: the username and password are the same in the cloud as on-premises.
Single sign-on: you log on to the PC and no password is required for cloud services.
Save credentials for later (uses Windows Credential Manager).
Outlook does not support single sign-on.
Choose password hash sync unless you have one of the scenarios that requires federation.
Scenarios for choosing federation
Existing infrastructure:
1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010
Technical requirements:
4. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
5. Custom hybrid applications or hybrid search is required
6. Web-accessible forgotten password reset
Policy requirements:
7. You require sign-in audit and/or immediate disable
8. Single sign-on minimizing prompts is required
9. Require client sign-in restrictions by network location or work hours
10. Policy preventing synchronizing password hashes to Azure AD
Office 365 federation options
ADFS (WS-*): suitable for medium and large enterprises, including educational organizations; recommended option for Active Directory (AD) based customers; single sign-on; support for web and rich clients; Microsoft supported; works for Office 365 hybrid scenarios; requires on-premises servers, licenses and support.
Third party (WS-*): suitable for medium and large enterprises, including educational organizations; recommended where customers may use existing non-ADFS identity systems with AD or non-AD; single sign-on; support for web and rich clients; third-party supported; works for Office 365 hybrid scenarios; requires on-premises servers, licenses and support; verified through the "Works with Office 365" program.
Shibboleth (SAML 1.1): suitable for educational organizations; recommended where customers may use existing non-ADFS identity systems; single sign-on; support for web clients and Outlook (ECP) only; Microsoft supported for integration only, no Shibboleth deployment support; requires on-premises servers and support; works with AD and other directories on-premises.
SAML 2.0: for organizations that need to use SAML 2.0; recommended where customers may use existing non-ADFS identity systems; single sign-on; support for web clients and Outlook (ECP) only; Microsoft supported for integration only, no identity provider deployment support; requires on-premises servers and support; works with AD and other directories on-premises.
Works with Office 365 – Identity program
What is it? Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.
Program requirements: published qualification requirements; published technical integration docs; automated testing tool; self-testing work by the partner; predictable and shorter qualification.
http://aka.ms/ssoproviders
Protocols: WS-Trust and WS-Federation (Active Directory with ADFS); SAML (passive auth). Providers shown: Shibboleth, RadiantOne.
Customer benefits: flexibility to reuse existing identity provider investments; confidence that the solution is qualified by Microsoft; coordinated support between the partner and Microsoft.
Summary
Choose the simplest model for your needs, and change between models as needs change.
Cloud identity model when there is no on-premises directory.
Synchronized identity model for most organizations.
Federated identity model for one of the scenarios listed above.
© 2014 Microsoft Corporation. All rights reserved.