OFC-B317: Overview of Identity Management in Office 365 (Synchronization Topics, Federation Topics, Integration of SAML/OAUTH with Office, Works with Office 365)

42 pages. Uploaded by jemimah-porter, posted 24-Dec-2015.

TRANSCRIPT

Page 1: OFC-B317 Overview Identity Management in Office 365 Synchronization Topics Federation Topics Integration of SAML/OAUTH with Office Works with Office

Page 2: Title slide

Microsoft Office 365 Directory Synchronization and Federation Options
Paul Andrew, Ross Adams, Aanchal Saxena
OFC-B317

Page 3: Agenda

1. Overview Identity Management in Office 365
2. Synchronization Topics
3. Federation Topics
4. Integration of SAML/OAUTH with Office
5. Works with Office 365 – Identity program
6. Troubleshooting Identity Management

Page 4: Identity for Microsoft cloud services

Two kinds of user identity (diagram):
- Microsoft Account, e.g. [email protected]
- Organizational Account, e.g. [email protected], backed by Windows Azure Active Directory

Page 5: Office 365 Identity Models

Cloud identity
- Zero on-premises servers

Synchronized identity
- On-premises directory and on-premises identity; directory sync with password sync
- Between zero and three additional on-premises servers, depending on the number of users

Federated identity
- On-premises directory and on-premises identity; directory sync plus federation
- Between two and eight on-premises servers and networking configuration, depending on the sign-in availability requirements

Page 6: Choose the simplest model for your needs

- Change between models as your needs change
- Choose cloud identity if you have no on-premises directory, if your on-premises directory is being restructured, or if you are piloting Office 365
- Password hash sync means federation is not required just to have the same password in the cloud
- Choose password hash sync unless you have one of the scenarios that requires federation

Page 7: Scenarios for the identity federation model

Existing infrastructure
1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010

Technical requirements
4. You have multiple forests in your on-premises AD
5. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
6. Custom hybrid applications or hybrid search is required
7. Web-accessible forgotten password reset

Policy requirements
8. You require sign-in audit and/or immediate disable
9. Single sign-on is required
10. You require client sign-in restrictions by network location or work hours
11. A policy prevents synchronizing password hashes to Azure AD

Page 8: Identity Synchronization and Federation (architecture diagram)

Components shown: an on-premises identity provider and directory; Windows Azure Active Directory; and the Office 365 services (Exchange Web Access, SharePoint Online, Exchange Mailbox Access) used by Outlook, Lync, Word, etc.

Flows shown:
- Federated sign-in from the on-premises identity provider to Windows Azure Active Directory over WS-Federation, WS-Trust, SAML 2.0, federation metadata and Shibboleth
- Synchronize accounts from the on-premises directory to Windows Azure Active Directory; Graph API access to the directory
- Authentication and authorization of clients against the services, with the paths labelled Passive Auth and Active Auth

Page 9: Agenda (section divider; repeats the six-item list from Page 3)

Page 10: DirSync on a domain controller or in Azure

You can use DirSync with no additional on-premises servers.

DirSync on a DC
- Includes SQL Server Express
- SQL Server and the DC contend for resources
- Suitable for small deployments of not more than 10,000 users

DirSync in Azure (paper)
- Avoids on-premises servers
- http://technet.microsoft.com/en-us/library/dn635310(v=office.15).aspx

Page 11: DirSync high availability

- DirSync runs on one server
- Back up SQL Server
- Back up the encryption keys
- Keep a cold standby of the DirSync server
- Restore SQL and the encryption keys

Instructions: http://www.microsoft.com/en-us/download/details.aspx?id=42524

Page 12: Password hash sync security

We typically get questions about the security of synchronizing passwords from banking and finance customers.
- The password hash that we get from AD is not reversible to get the user's password
- We further process it with a one-way hash (SHA256)
- We connect over SSL to the Azure AD service and send the resulting hash of the hash
- This enables Azure AD to validate the user's password when they log in

More details at http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx
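The slide's hash-of-the-hash flow, modelled as an added Python example that is not code from the deck or from Microsoft. The AD hash algorithm and Azure AD's exact processing are not on the slide, so a SHA-256 stand-in is used for the on-premises hash and the per-user salt is an added assumption; what the model shows is that the cloud side holds only a second one-way transform of the on-premises hash and can still verify a typed password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the credential the on-premises directory stores.
# The real AD algorithm is not reproduced; the only property modelled is
# "one-way, derived from the password".
def onprem_stored_hash(password: str) -> bytes:
    return hashlib.sha256(b"onprem-stand-in|" + password.encode("utf-16-le")).digest()

# Sync agent side: the on-premises hash itself is never sent. A second one-way
# SHA-256 is applied over it (the slide's "hash of the hash"). The per-user
# salt is an assumption added here so two users with the same password do not
# yield the same cloud value; the slide does not state it.
def sync_transform(onprem_hash: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + onprem_hash).digest()

def sync_record(password: str, salt: Optional[bytes] = None) -> dict:
    """The record the sync agent would transmit (over TLS) for one user."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "cloud_hash": sync_transform(onprem_stored_hash(password), salt)}

# Cloud side: recompute the same chain from the password typed at sign-in and
# compare in constant time.
def cloud_verify(record: dict, attempt: str) -> bool:
    candidate = sync_transform(onprem_stored_hash(attempt), record["salt"])
    return hmac.compare_digest(candidate, record["cloud_hash"])

def demo() -> dict:
    rec = sync_record("Correct-Horse-Battery-9")
    return {
        "valid_password_accepted": cloud_verify(rec, "Correct-Horse-Battery-9"),
        "wrong_password_rejected": not cloud_verify(rec, "correct-horse-battery-9"),
        # The stored cloud value differs from the on-premises hash, so a leak of
        # the cloud record does not hand out the on-premises credential itself.
        "cloud_value_differs_from_onprem_hash":
            rec["cloud_hash"] != onprem_stored_hash("Correct-Horse-Battery-9"),
    }
```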

Page 13: Password write-back

What is it
- Part of AAD Premium
- Only via self-service password reset

How do I enable it
- The admin turns on the feature with the DirSync PowerShell cmdlet:

Enable-OnlinePasswordWriteBack

When does it write back
- Cloud-authenticated (managed) user with password sync enabled
- On-premises SSO-authenticated (federated) user

Security
- All communication takes place over SSL
- Public/private key pairs are registered for transport and encryption; you keep the private keys

Page 14: Azure AD Sync

What's included
- Possible to reduce the set of attributes sync'd, based on the services used
- Support for a number of multi-forest scenarios
- Easier management of object filtering via a simple UX
- Support for attribute mapping rules via a simple UX

What's missing
- Password sync
- Password write-back
- Hybrid configuration, i.e. no write-back today

What's coming
- Production support, i.e. not for production today
- Support for other directories, such as LDAP, SQL or CSV

http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overview.aspx

Page 15: Sync multiple AD forests

Options:
- Forefront Identity Manager 2010: supports multiple forests with additional work
- Azure AD Sync Services: supports multiple forests, in preview now
  - Disparate forests
  - Full mesh, i.e. GAL sync
  - Account and resource forest
- Consolidate forests into one: http://technet.microsoft.com/library/cc974332.aspx

Page 16: Office 365 Connector for Forefront Identity Manager 2010 R2

Suitable for large organizations with certain AD and non-AD scenarios:
- Complex multi-forest AD scenarios
- Non-AD synchronization
- Requires Forefront Identity Manager and additional software licenses

Requirements
- Forefront Identity Manager 2010 R2
- Windows Azure Active Directory Connector for FIM 2010 R2: http://technet.microsoft.com/library/dn511001.aspx

Page 17: Choosing between DirSync and AAD Sync

DirSync (released and supported in production)
- Includes password hash sync
- Includes password write-back with an Azure AD Premium license
- Can filter objects by OU
- Supports use of a dedicated SQL Server install or SQL Express
- The setup wizard can be run multiple times for configuration changes

Azure AD Sync Services (preview available)
- Includes sync from multiple forests, including merging duplicate users across those forests
- In addition to AD, can sync from LDAP v3, SQL Server and CSV data **
- Enables selective OU sync using the UX in setup **
- Enables transforming of attributes using the UX in setup **
- Allows limiting the attributes sync'd to the cloud
- Planned to replace DirSync in the future
- The preview cannot be upgraded to a later release

** Not in the preview

Page 18: DirSync one directory to multiple tenants

- You can install DirSync more than once in the same forest, but on different machines; you need to handle conflicts
- A domain can only be validated in one tenant, i.e. for use with email and UPN; subdomains can be used in different tenants
- You should look at how you filter your user sets: by OU, domain or attribute

Page 19: Cross-tenant collaboration

- We don't recommend multiple tenants for the same organization
- There will not be a consolidated Global Address List; you could create users from one tenant as contacts in the other
- SharePoint access across tenants must use External Sharing
- Free/busy federation between tenants is possible
- Lync presence and calling between tenants is possible
- There are third-party (not Microsoft) tools that can merge tenants

Page 20: Agenda (section divider; repeats the six-item list from Page 3)

Page 21: Federation protocols and auth types

WS-Federation
- Supported by AD FS
- For passive authentication

WS-Trust
- Supported by AD FS
- For active authentication

Shibboleth (SAML 1.1)
- An identity provider used in education that uses a custom version of SAML 1.1
- Passive authentication only
- Includes ECP for Outlook authentication

SAML 2.0
- A common federation protocol
- For passive authentication only, so similar to WS-Federation

Active Directory Authentication Library (OAUTH)
- Library for common access to Azure AD, AD FS and Azure ACS

Passive authentication: SharePoint Online, Outlook Web Access, Office 365 portal
Active authentication: Office Sign-in Assistant, Office 365 ProPlus licensing, Word/Excel/PowerPoint connecting to SharePoint Online, Outlook, Lync, OneDrive for Business sync

Page 22: Password Sync Backup for Federated Sign-In

This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.

May take up to 2 hrs to take effect.

Diagram: on-premises directory with user accounts and AD FS providing the federated identity; the DirSync Tool provides a backup password hash sync alongside it.

Page 23: Alternate Login ID, removing the dependency on User Principal Name (UPN)

The reliance on UPN has been removed and you can now select an alternate login ID for use with Office 365 and Azure AD in general. Use of UPN will still be the default. Through configuration you can select the Mail attribute or any other attribute in your on-premises Active Directory. This works with either synchronized identity or federated identity.

Page 24: Demo – Alternate login ID

Page 25: Federate multiple domains in a tenant

- A User Principal Name (UPN) is the sign-in ID that customers use, e.g. [email protected]
- Each DNS domain you use in a UPN can be federated to an identity provider; synchronized accounts can also be used
- Azure AD uses the UPN's DNS domain to do home realm discovery to a federated identity provider
- Home realm discovery can be shortcut with URLs like these:

https://login.microsoftonline.com/whr=contoso.net
https://contoso.sharepoint.com

Page 26: Agenda (section divider; repeats the six-item list from Page 3)

Page 27: Sync options for a SAML IdP

- If you use AD, then directory sync works for you
- If you can't sync (non-AD):
  - Script user creation via PowerShell or the Azure AD Graph (RESTful interface)
  - Future support from AAD Sync for non-AD sources
  - FIM 2010 via supported connectors

Page 28: SAML-P 2.0 federation

Sign-in federation
- SAML-P 2.0 passive auth is equivalent to WS-Federation and is used for web-based applications
- There is no equivalent of WS-Trust, so Office client applications cannot be used
- Office client support for passive auth is due by the end of 2014

SAML-P federation guidance: http://technet.microsoft.com/en-us/library/dn641269.aspx

Using AD FS to interface to a SAML provider won't enable Office client active authentication, due to the double hop.

Page 29: Office desktop client sign-in with passive auth

- Previously the Office Sign-In Assistant required WS-Trust
- Passive authentication works with WS-Federation and SAML 2.0

Availability
- Announced on February 10, 2014; details at http://blogs.office.com
- Planned for later in 2014

What is it?
- Office desktop clients move to using ADAL (Active Directory Authentication Library)
- Uses OAUTH for passive authentication

Diagram: an on-premises SAML 2.0 identity provider federated to Windows Azure Active Directory over SAML 2.0; an LDAP v3 directory synchronized by DirSync; Exchange mailbox access from Outlook, Lync, Word, etc.

Page 30: Office client OAUTH authentication (futures, announced on Feb 10, 2014)

Updated Office 2013 clients support OAUTH and multi-factor authentication
- No need for app passwords in updated clients
- If you can authenticate in a web browser, then you can authenticate in Office clients
- Outlook, Lync, Word, Excel, PowerPoint, PowerShell, SkyDrive Pro

Clients will also support
- Federation identity providers using the SAML 2.0 protocol
- US DoD Common Access Card (CAC)
- US Federal Personal Identity Verification card (PIV)

For release during CY 2014

Page 31: The MFA flow

1. Office makes a request to a service which supports the new MFA flow
2. The service instructs Office to visit an STS which speaks a simple standards-based protocol (OAuth)
3. Office instructs the AD library to launch a web browser control
4. MFA and federation magic happens, transparent to Office
5. Office gets back simple tokens that it caches for future communication with its services
6. Office sends the token to the service

Diagram annotations (Office, Azure Active Directory, the federated tenant's Secure Token Service, and the service):
- 2: the service answers with "www-authenticate: Bearer authorization_uri: https://login.windows.net"
- 3: Office authenticates against https://login.windows.net...
- 4: federated sign-in to the tenant's STS using SAML-P, WS-Fed, etc.; a SAML token is returned
- 5: Azure AD validates the assertions and hands back a token for Office 365 (a JWT token)
- 6: the JWT token is sent to the service
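Steps 2 and 6 of the flow as the resource service sees them, as an added Python example that is not part of the deck: parsing the Bearer challenge shown on the slide and validating the JWT that comes back in step 6. The HMAC-SHA256 signing secret, the issuer URL and the audience value are constructed for this offline demo; a real STS signs with published RSA keys, but the issuer, audience and expiry checks a service must perform are the same.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# Step 2: the service answers an unauthenticated request with a Bearer challenge
# naming the authorization endpoint. Accepts both 'key="value"' and the
# 'key: value' spelling that appears on the slide.
def parse_bearer_challenge(header: str) -> dict:
    """Parse a WWW-Authenticate value into a dict; {} if the scheme is not Bearer."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)\s*[=:]\s*(?:"([^"]*)"|([^,\s]+))', params)}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Stand-in for the STS in step 5: a compact JWS (header.payload.signature).
def issue_jwt(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_jwt(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:            # a token for another service must not be accepted
        raise ValueError("token issued for a different audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

# Step 6 as the service sees it: accept the request only on a fully valid JWT.
# Issuer and audience values below are constructed for the demo.
def service_accepts(token: str, secret: bytes, now: int) -> bool:
    try:
        validate_jwt(token, secret, issuer="https://login.windows.net/constructed-tenant/",
                     audience="https://outlook.office365.com", now=now)
        return True
    except ValueError:
        return False
```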

Page 32: Agenda (section divider; repeats the six-item list from Page 3)

Page 33: Works with Office 365 – Identity program

What is it?
Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.

Program requirements
- Published qualification requirements
- Published technical integration docs
- Automated testing tool
- Self-testing work by the partner
- Predictable and shorter qualification

http://aka.ms/ssoproviders

Providers shown (*for representative purposes only): Active Directory with AD FS, Shibboleth, RadiantOne, Okta; protocol groups labelled WS-Trust & WS-Federation and SAML (passive auth).

Customer benefits
- Flexibility to reuse existing identity provider investments
- Confidence that the solution is qualified by Microsoft
- Coordinated support between the partner and Microsoft

Page 34: Agenda (section divider; repeats the six-item list from Page 3)

Page 35: Troubleshooting Identity Management – DirSync troubleshooting

- Use IdFix to correct directory errors prior to syncing
- Clean duplicate SMTP/proxy addresses
- Clean duplicate UPNs and non-routable UPNs
- Check the Windows Event Viewer on the DirSync server for errors
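IdFix-style pre-sync checks as an added Python example (not the IdFix tool and not code from the deck) run over a constructed directory export: the duplicate proxy addresses and the duplicate and non-routable UPNs named on the slide, plus an SMTP address whose domain is not verified in the tenant. The verified-domain set and the private-suffix list are assumptions made for the example.

```python
from collections import defaultdict

# Constructed: domains assumed to be verified in the tenant.
VERIFIED_DOMAINS = {"contoso.com", "mail.contoso.com"}

# Constructed sample export of the attributes DirSync relies on.
SAMPLE_USERS = [
    {"sam": "alice", "upn": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice.a@mail.contoso.com"]},
    {"sam": "bob", "upn": "bob@contoso.local",          # non-routable UPN suffix
     "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sam": "carol", "upn": "Alice@Contoso.com",        # duplicate UPN, differs only by case
     "proxyAddresses": ["SMTP:carol@contoso.com", "smtp:alice.a@mail.contoso.com"]},  # duplicate proxy
    {"sam": "dave", "upn": "dave@contoso.com",
     "proxyAddresses": ["SMTP:dave@contoso.com", "smtp:dave@example.org"]},  # unverified domain
]

# Assumption: private suffixes commonly seen in on-premises forests.
NON_ROUTABLE_SUFFIXES = (".local", ".internal", ".lan")

def upn_findings(users):
    """Duplicate and non-routable UPNs; UPNs compare case-insensitively."""
    findings, seen = [], defaultdict(list)
    for u in users:
        upn = u["upn"].lower()
        seen[upn].append(u["sam"])
        domain = upn.rpartition("@")[2]
        if domain.endswith(NON_ROUTABLE_SUFFIXES) or domain not in VERIFIED_DOMAINS:
            findings.append(("nonroutable_upn", u["sam"], u["upn"]))
    for upn, sams in seen.items():
        if len(sams) > 1:
            findings.append(("duplicate_upn", ",".join(sams), upn))
    return findings

def proxy_findings(users):
    """SMTP proxy addresses claimed by more than one object, and addresses in unverified domains."""
    findings, owners = [], defaultdict(set)
    for u in users:
        for addr in u["proxyAddresses"]:
            proto, _, value = addr.partition(":")
            if proto.lower() != "smtp":          # only SMTP entries matter for this check
                continue
            owners[value.lower()].add(u["sam"])
            if value.rpartition("@")[2].lower() not in VERIFIED_DOMAINS:
                findings.append(("unverified_domain", u["sam"], addr))
    for value, sams in owners.items():
        if len(sams) > 1:
            findings.append(("duplicate_proxy", ",".join(sorted(sams)), value))
    return findings

def report(users=SAMPLE_USERS):
    """All findings as (kind, account(s), value) tuples, sorted for stable output."""
    return sorted(upn_findings(users) + proxy_findings(users))
```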

Page 36: Troubleshooting Identity Management – AD FS infrastructure

- Use the Connectivity tool to verify your setup: https://testconnectivity.microsoft.com/
- Multiple servers (or VMs) are required
- AD FS is a very broad and capable technology; you don't need to implement every part of it for a small Office 365 tenant
- Only the SSL certificate is needed for a small tenant; other certificates are not needed
- An SSL certificate is required for the Web Application Proxy server
- Port 443 is required to be open to the Web Application Proxy server

Page 37: Summary

1. Overview Identity Management in Office 365
2. Synchronization Topics
3. Federation Topics
4. Integration of SAML/OAUTH with Office
5. Works with Office 365 – Identity program
6. Troubleshooting Identity Management

Page 38: (no text)

Page 39: Related content

Related certification exams: http://aka.ms/office365mcsa
- 70-346 Managing Office 365 Identities and Requirements
- 70-347 Enabling Office 365 Services

Breakout sessions
- DCIM-B301 Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities
- OFC-B222 Introduction to Office 365 Identity Management
- OFC-B327 Authentication Patterns for SharePoint 2013 and Office 365
- DCIM-B382 Cloud Identity and Access Management: Azure Active Directory Premium

Microsoft Solutions Experience Location (MSE): Paul Andrew, MSE Be Secure, after lunch tomorrow

Find me later at: http://twitter.com/pndrw

Page 40: Resources

- Learning – Microsoft Certification & Training Resources: www.microsoft.com/learning
- msdn – Resources for Developers: http://microsoft.com/msdn
- TechNet – Resources for IT Professionals: http://microsoft.com/technet
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Page 41: Complete an evaluation and enter to win!

Page 42: Evaluate this session – scan this QR code to evaluate this session.