Identity management integration options for Office 365
TRANSCRIPT
[Speaker], [Title], [Company]
Identity for Microsoft cloud services
Microsoft Account, e.g. [email protected]
Organizational Account (Microsoft Azure Active Directory), e.g. [email protected]
Office 365 Identity Models
Cloud identity: zero on-premises servers
Synchronized identity: on-premises directory; directory sync with password sync; between zero and three additional on-premises servers depending on the number of users
Federated identity: on-premises identity; directory sync and federation; between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements
Identity Synchronization and Federation (diagram)
On-premises identity provider: federated sign-in to Windows Azure Active Directory (WS-Federation, WS-Trust, SAML 2.0, metadata, Shibboleth)
On-premises directory: synchronize accounts to Windows Azure Active Directory; Graph API
Windows Azure Active Directory: authentication and authorization
Passive auth: Exchange Web Access, SharePoint Online
Active auth: Exchange mailbox access (Outlook, Lync, Word, etc.)
Cloud identity model (diagram): user accounts are held in the on-premises directory, and the user signs in to Office 365 with a separate cloud identity
Synchronized identity model (diagram): the DirSync tool synchronizes user accounts and password hashes from the on-premises directory to the cloud; the user signs on with the synchronized identity
Before installing DirSync
Active Directory remediation: IdFix
Forest functional level: Windows Server 2003
Multiple forests: not DirSync; use Azure AD Sync or Forefront Identity Manager 2010
Directories other than Active Directory: not DirSync; see the Works with Office 365 – Identity program
IdFix – DirSync AD Remediation
Identifies and remediates AD object issues that will fail Office 365 DirSync
Queries all domains in the authenticated forest via LDAP
Provides a list and can export/import values (CSV)
Confirmation of each edit, with undo/rollback functionality and logging
Critical system objects are skipped where editing could cause issues
What errors does IdFix look for?
Errors: duplicate proxyAddresses; invalid characters in attributes; over-length attributes; format errors in attributes; use of non-routable domains; blank attribute that requires a value
Validated attributes: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
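A simplified checker, added here as an illustration rather than IdFix's own code, that runs the six error classes the slide lists over a few constructed directory objects; the length limits, the invalid-character set, the address regexes and the non-routable suffix list are assumptions for the example, not IdFix's shipped rules.

```python
import re
from collections import Counter
# Constructed sample directory objects, not from any real forest.
SAMPLE_OBJECTS = [
    {"dn": "CN=Alice,OU=Staff,DC=corp,DC=local", "mailNickname": "alice",
     "userPrincipalName": "alice@corp.local", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"dn": "CN=Bob,OU=Staff,DC=corp,DC=local", "mailNickname": "bob smith",
     "userPrincipalName": "bob@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:bob@contoso.com"]},
    {"dn": "CN=Carol,OU=Staff,DC=corp,DC=local", "mailNickname": "carol",
     "userPrincipalName": "", "proxyAddresses": ["smtp:carol@contoso.com"]},
]

# Rule parameters are assumptions for this example, not IdFix's shipped rule set.
MAX_LEN = {"mailNickname": 64, "userPrincipalName": 113, "proxyAddresses": 256}
NON_ROUTABLE = (".local", ".internal")        # UPN suffixes a public tenant cannot verify
UPN_RE = re.compile(r"^[A-Za-z0-9._%+'\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")
PROXY_RE = re.compile(r"^(SMTP|smtp):[^@\s]+@[^@\s]+$")
BAD_NICK_CHARS = re.compile(r"[\s\"\\/\[\]:;|=,+*?<>]")

def check_objects(objects):
    """Return (dn, attribute, error) findings in the six classes the slide lists."""
    findings = []
    # Duplicate proxyAddresses is a forest-wide check, so count across all objects first.
    seen = Counter(p.lower() for o in objects for p in o["proxyAddresses"])
    for o in objects:
        dn, upn, nick = o["dn"], o["userPrincipalName"], o["mailNickname"]
        if not upn:
            findings.append((dn, "userPrincipalName", "blank"))
        elif not UPN_RE.match(upn):
            findings.append((dn, "userPrincipalName", "format"))
        elif upn.lower().endswith(NON_ROUTABLE):
            findings.append((dn, "userPrincipalName", "non-routable domain"))
        if BAD_NICK_CHARS.search(nick):
            findings.append((dn, "mailNickname", "invalid character"))
        for attr in ("mailNickname", "userPrincipalName"):
            if len(o[attr]) > MAX_LEN[attr]:
                findings.append((dn, attr, "over length"))
        for addr in o["proxyAddresses"]:
            if not PROXY_RE.match(addr):
                findings.append((dn, "proxyAddresses", "format"))
            elif seen[addr.lower()] > 1:
                findings.append((dn, "proxyAddresses", "duplicate"))
            if len(addr) > MAX_LEN["proxyAddresses"]:
                findings.append((dn, "proxyAddresses", "over length"))
    return findings
if __name__ == "__main__":
    for dn, attr, err in check_objects(SAMPLE_OBJECTS):
        print(f"{dn}: {attr}: {err}")
```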
DirSync topology and number of servers
A domain controller collocated install isn't recommended, but it is supported and you can install DirSync on the DC
One server is most common; DirSync installs SQL Express for replication data; you can install with a dedicated SQL Server and can use HA for SQL Server
Consider using Azure: to avoid any on-premises servers you can deploy to Azure IaaS
Use the DirSync road map: read the docs, but skip the Microsoft Deployment Readiness Toolkit
DirSync installation and review
Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects
Add DNS domains to Office 365: add these prior to syncing to preserve UPN
Sync now: expect about 1 hour per 5,000 objects
Check event logs (EventVwr)
Password expiry for the sync account
Assign Office 365 licenses
Other DirSync considerations
High availability: can back up and reinstall
Filtering DirSync: by OU
Security of hashes: one-way hashes (a hash of the hash), not reversible, sent to Azure AD over SSL
Password hash sync (diagram): the user's password is hashed in the on-premises directory, the hash is hashed again for extra security, and the result is sent to Azure AD
Password hash sync security
We typically get questions about the security of synchronizing passwords from banking and finance customers.
The password hash that we get from AD is not reversible to get the user's password. Hashes are mathematical functions that are nearly impossible to reverse. The result of the hash algorithm is called a digest.
We further process it with a one-way hash (the SHA256 algorithm).
We connect over SSL to the Azure AD service and send the resulting hash of the hash. This enables Azure AD to validate the user's password when they log in.
More details at http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx
Choosing between DirSync and AAD Sync
DirSync: released and supported in production; includes password hash sync; includes password write-back with Azure AD Premium license; can filter objects by OU; supports use of a dedicated SQL Server install or SQL Express; the setup wizard can be run multiple times for configuration changes
Azure AD Sync Services: beta available; includes sync from multiple forests, including merging duplicate users in these forests; in addition to AD, can sync from LDAP v3, SQL Server and CSV data (**); enables selective OU sync using the UX in the setup, compared to DirSync which requires PowerShell configuration (**); enables transforming of attributes using the UX in the setup (**); planned to replace DirSync in the future; the preview cannot be upgraded to a later release
** Not in the beta
Demo: Configuring Azure AD Sync
Federated identity model (diagram): the on-premises directory holds the user accounts and password hashes; the DirSync tool synchronizes user accounts to the cloud; AD FS authenticates the user against the on-premises directory, and the user signs on with a federated identity
Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
Password sync backup (diagram): the DirSync tool synchronizes user accounts and, as a backup, password hashes from the on-premises directory; AD FS provides the federated identity
AD FS is also easy
Use trained and experienced deployment staff
Use the Azure AD Connect tool: https://microsoft.sharepoint.com/teams/OfficeOnRamp/wiki/Pages/Azure-Active-Directory-Connect-Tool.aspx
Read all the TechNet deployment guidance: http://technet.microsoft.com/en-us/library/jj205462.aspx
Only implement the Office 365 requirements: the only certificate required is the SSL certificate
Prepare with firewall update permissions
Demo: Azure AD Connect for AD FS
How to choose an identity model?
Change between models as needs change
Cloud identity to synchronized identity: deploy DirSync; hard match or soft match of users
Synchronized identity to federated identity: deploy AD FS; can leave password sync enabled as backup
Federated identity to synchronized identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users
Synchronized identity to cloud identity: PowerShell Set-MsolDirSyncEnabled; takes 72 hours and you can monitor with Get-MsolCompanyInformation
Choose the simplest model for your needs (this is our recommendation)
Cloud identity is the simplest model. Choose cloud when: you have no on-premises directory; there is on-premises directory restructuring; you are in pilot with Office 365
Choose synchronized identity if you have an on-premises directory. Password hash sync means federation is not required just to have the same password in the cloud
Same sign-on: the username and password are the same in the cloud as on-premises
Single sign-on: you log on to the PC and no password is required for cloud services
Save credentials for later use: Windows Credential Manager
Outlook does not support single sign-on
Choose password hash sync unless you have one of the scenarios that requires federation
Scenarios for choosing federation
Existing infrastructure:
1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010
Technical requirements:
4. You have multiple forests in your on-premises AD
5. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
6. Custom hybrid applications or hybrid search is required
7. Web-accessible forgotten password reset
Policy requirements:
8. You require sign-in audit and/or immediate disable
9. Single sign-on minimizing prompts is required
10. Require client sign-in restrictions by network location or work hours
11. Policy preventing synchronizing password hashes to Azure AD
Office 365 federation options
ADFS (WS-*): suitable for medium and large enterprises including educational organizations; recommended option for Active Directory (AD) based customers; single sign-on; support for web and rich clients; Microsoft supported; works for Office 365 hybrid scenarios; requires on-premises servers, licenses and support
Third party (WS-*): suitable for medium and large enterprises including educational organizations; recommended where customers may use existing non-ADFS identity systems with AD or non-AD; single sign-on; support for web and rich clients; third-party supported; works for Office 365 hybrid scenarios; requires on-premises servers, licenses and support; verified through the 'Works with Office 365' program
Shibboleth (SAML 1.1): suitable for educational organizations; recommended where customers may use existing non-ADFS identity systems; single sign-on; support for web clients and Outlook (ECP) only; Microsoft supported for integration only, no Shibboleth deployment support; requires on-premises servers and support; works with AD and other directories on-premises
SAML 2.0: for organizations that need to use SAML 2.0; recommended where customers may use existing non-ADFS identity systems; single sign-on; support for web clients and Outlook (ECP) only; Microsoft supported for integration only, no identity provider deployment support; requires on-premises servers and support; works with AD and other directories on-premises
Works with Office 365 – Identity program
What is it? Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.
Program requirements: published qualification requirements; published technical integration docs; automated testing tool; self-testing work by partner; predictable and shorter qualification
http://aka.ms/ssoproviders
Works with Office 365 – Identity program
WS-Trust & WS-Federation: Active Directory with ADFS
SAML (passive auth): Shibboleth, RadiantOne
Customer benefits: flexibility to reuse existing identity provider investments; confidence that the solution is qualified by Microsoft; coordinated support between the partner and Microsoft
Recent features change the landscape
Jun 2013: Password hash sync added to DirSync
Nov 2013: DirSync tool run on Domain Controllers
Feb 2014: Multi-Factor Authentication for Office 365
Apr 2014: Azure Active Directory Sync Services
Apr 2014: Azure AD Premium Password Reset
May 2014: Alternate Sign-In ID to UPN
May 2014: DirSync backup for federated sign-in
Dec 2014: Office client passive authentication
Summary
Choose the simplest model for your needs
Change between models as needs change
Cloud identity model when there is no on-premises directory
Synchronized identity model for most organizations
Federated identity model for one of the 11 scenarios
© 2014 Microsoft Corporation. All rights reserved.