[Speaker] [Title] [Company] Identity management integration options for Office 365

Upload: peyton-nunn

Post on 15-Dec-2015

TRANSCRIPT

Page 1: Identity management integration options for Office 365 (title slide)

Page 2: [Speaker], [Title], [Company]. Identity management integration options for Office 365

Page 3: Identity for Microsoft cloud services

- A user with a Microsoft Account (e.g. [email protected])
- A user with an Organizational Account (e.g. [email protected]), held in Microsoft Azure Active Directory

Page 4: Office 365 identity models

- Cloud identity: identity is held in the cloud; zero on-premises servers.
- Synchronized identity: on-premises directory with directory sync and password sync; between zero and three additional on-premises servers depending on the number of users.
- Federated identity: on-premises identity with directory sync and federation; between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements.

Page 5: Identity synchronization and federation

The on-premises side has an identity provider and a directory. The identity provider performs federated sign-in to Windows Azure Active Directory using WS-Federation, WS-Trust, SAML 2.0 and Shibboleth, exchanging federation metadata. The directory synchronizes accounts to Windows Azure Active Directory through the Graph API.

On the service side, authentication and authorization are separate steps. Exchange Web Access and SharePoint Online use passive authentication; Exchange mailbox access from rich clients (Outlook, Lync, Word, etc.) uses active authentication.

Page 6: Cloud identity model

There is no link to an on-premises directory. User accounts are created and managed in the cloud, and the user signs in with a cloud identity.

Page 9: Synchronized identity model

User accounts and password hashes in the on-premises directory are synchronized to the cloud by the DirSync tool. The user signs on with a synchronized identity.

Page 10: Before installing DirSync

- Active Directory remediation: run IdFix.
- Forest functional level: Windows Server 2003.
- Multiple forests: not DirSync; use Azure AD Sync or Forefront Identity Manager 2010.
- Directories other than Active Directory: not DirSync; use a provider from the Works with Office 365 – Identity program.

Page 11: IdFix – DirSync AD remediation

- Identifies and remediates AD object issues that will fail Office 365 DirSync
- Queries all domains in the authenticated forest via LDAP
- Provides a list and can export/import values (CSV)
- Confirmation of each edit, with undo/rollback functionality and logging
- Critical system objects are skipped where editing could cause issues

Page 12: What errors does IdFix look for?

Errors:
- Duplicate proxyAddresses
- Invalid characters in attributes
- Over-length attributes
- Format errors in attributes
- Use of non-routable domains
- Blank attribute that requires a value

Validated attributes: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
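The following is an added example, not part of the presentation and not the IdFix tool's own code: an IdFix-style pre-sync check that runs the six error classes from the slide over constructed user objects carrying the five validated attributes. The invalid-character set, the length limits and the non-routable suffixes are assumptions chosen for the example, not IdFix's rule tables.

```powershell
# Added example; not part of the presentation and not the IdFix tool's own code.
# An IdFix-style pre-sync check over constructed user objects. The attributes and the
# six error classes are the ones the slide lists; the invalid-character set, the length
# limits and the non-routable suffixes below are assumptions made for this example.

$MaxLength = @{ userPrincipalName = 113; mailNickName = 64; sAMAccountName = 20 }   # assumed limits
$InvalidUpnChars = [char[]]' \%&*+/=?{}|<>();:,[]"'                                   # assumed set
$NonRoutableSuffixes = @('.local', '.internal', '.lan')                               # assumed set

function Test-SyncReadiness {
    param([Parameter(Mandatory)] [object[]] $Users)

    $findings  = New-Object System.Collections.Generic.List[object]
    $seenProxy = @{}   # lower-cased proxy address -> DN of the first object carrying it

    function Add-Finding($Dn, $Attr, $Err, $Value) {
        $findings.Add([pscustomobject]@{ Object = $Dn; Attribute = $Attr; Error = $Err; Value = $Value })
    }

    foreach ($u in $Users) {
        $dn = $u.distinguishedName

        # Blank attribute that requires a value
        foreach ($attr in 'userPrincipalName', 'mailNickName') {
            if ([string]::IsNullOrWhiteSpace($u.$attr)) { Add-Finding $dn $attr 'blank' $null }
        }

        # Over-length attributes
        foreach ($attr in $MaxLength.Keys) {
            $v = [string]$u.$attr
            if ($v.Length -gt $MaxLength[$attr]) { Add-Finding $dn $attr 'length' $v }
        }

        $upn = [string]$u.userPrincipalName
        if ($upn) {
            # Invalid characters
            $bad = @($upn.ToCharArray() | Where-Object { $InvalidUpnChars -contains $_ })
            if ($bad.Count -gt 0) { Add-Finding $dn 'userPrincipalName' 'character' $upn }

            # Format error (exactly one @) and non-routable domain suffix
            $parts = $upn.Split('@')
            if ($parts.Count -ne 2) {
                Add-Finding $dn 'userPrincipalName' 'format' $upn
            } elseif ($NonRoutableSuffixes | Where-Object { $parts[1].ToLower().EndsWith($_) }) {
                Add-Finding $dn 'userPrincipalName' 'domain' $upn
            }
        }

        # proxyAddresses: "type:address" format per entry, and duplicates across the whole set
        foreach ($pa in @($u.proxyAddresses | Where-Object { $_ })) {
            if ($pa -notmatch '^[A-Za-z0-9]+:[^\s@:]+@[^\s@]+$') {
                Add-Finding $dn 'proxyAddresses' 'format' $pa
                continue
            }
            $key = $pa.ToLower()
            if ($seenProxy.ContainsKey($key)) {
                Add-Finding $dn 'proxyAddresses' 'duplicate' "$pa (also on $($seenProxy[$key]))"
            } else {
                $seenProxy[$key] = $dn
            }
        }
    }
    return $findings
}

# Constructed sample objects; nothing here comes from a real directory.
$sampleUsers = @(
    [pscustomobject]@{ distinguishedName = 'CN=Alice,OU=Staff,DC=contoso,DC=com'; sAMAccountName = 'alice'
                       mailNickName = 'alice'; userPrincipalName = 'alice@contoso.com'
                       proxyAddresses = @('SMTP:alice@contoso.com') }
    [pscustomobject]@{ distinguishedName = 'CN=Bob,OU=Staff,DC=contoso,DC=com'; sAMAccountName = 'bob'
                       mailNickName = 'bob'; userPrincipalName = 'bob@contoso.local'             # non-routable suffix
                       proxyAddresses = @('SMTP:bob@contoso.com', 'smtp:Alice@contoso.com') }    # duplicate of Alice's address
    [pscustomobject]@{ distinguishedName = 'CN=Carol,OU=Staff,DC=contoso,DC=com'; sAMAccountName = 'carol'
                       mailNickName = ''; userPrincipalName = 'carol smith@contoso.com'         # blank attribute, space in UPN
                       proxyAddresses = @('carol@contoso.com') }                                 # missing "SMTP:" prefix
)

Test-SyncReadiness -Users $sampleUsers | Format-Table -AutoSize
```

Each finding names the object, the attribute and the error class, so the output can be piped to Export-Csv for review in the same way IdFix exports its list, and then fed back into Set-ADUser once each edit has been confirmed. Duplicate detection is case-insensitive across the whole input set, which is what matters for proxyAddresses: the same SMTP address on two objects fails sync regardless of which one is primary.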

Page 13: [Speaker] [Title] [Company] Identity management integration options for Office 365

DirSync topology and number of servers A domain controller collocated install isn’t recommended But it is supported and you can install DirSync on the DC

One server is most common DirSync installs SQL Express for replication data You can install with dedicated SQL Server and can use HA for SQL Server

Consider using Azure To avoid any on-premises servers you can deploy to Azure IaaS

Use the DirSync road map Read the docs, but skip the Microsoft Deployment Readiness Toolkit

Page 14: DirSync installation and review

- Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects.
- Add DNS domains to Office 365: add these prior to syncing to preserve UPN.
- Sync now: expect about 1 hour per 5,000 objects.
- Check event logs (EventVwr).
- Password expiry for the sync account.
- Assign Office 365 licenses.

Page 15: Other DirSync considerations

- High availability: you can back up and reinstall.
- Filtering DirSync: by OU.
- Security of hashes: one-way hashes (a hash of the hash), not reversible, sent to Azure AD over SSL.

Diagram: the user's password is hashed in the on-premises directory, hashed again for extra security, and only that second hash is sent to Azure AD.

Page 16: Password hash sync security

We typically get questions about the security of synchronizing passwords from banking and finance customers. The password hash that we get from AD is not reversible to get the user's password: hashes are mathematical functions that are nearly impossible to reverse, and the result of the hash algorithm is called a digest. We further process it with a one-way hash, the SHA256 algorithm. We connect over SSL to the Azure AD service and send the resulting hash of the hash. This enables Azure AD to validate the user's password when they log in. More details at

http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx
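The following is an added example, not part of the presentation and not DirSync's own code: a model of the hash-of-the-hash flow the slide describes, with the on-premises side exporting a second-stage hash and the cloud side validating a sign-in by recomputing it. Two things are assumptions: Get-DirectoryHash stands in for the directory's own password hash (the slide does not name that algorithm), and the per-user 16-byte salt plus a single SHA-256 round are illustrative parameters, not the service's.

```powershell
# Added example; not part of the presentation and not DirSync's own code. Models the
# "hash of the hash" flow from the slide. Assumptions: Get-DirectoryHash stands in for
# the on-premises directory's own password hash (algorithm not named on the slide), and
# the 16-byte salt plus one SHA-256 round are illustrative, not the service's parameters.

function Get-DirectoryHash {
    param([Parameter(Mandatory)] [string] $Password)
    # Stand-in for the hash the directory stores. This is the only place the clear-text
    # password is handled, and it never leaves the on-premises side.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ,$sha.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Password))
}

function Get-CloudHash {
    param([Parameter(Mandatory)] [byte[]] $DirectoryHash, [Parameter(Mandatory)] [byte[]] $Salt)
    # Second one-way step: SHA-256 over salt || directory hash. Only this value is sent.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ,$sha.ComputeHash([byte[]]($Salt + $DirectoryHash))
}

function Export-PasswordHash {
    # What the sync tool does on-premises for each user: derive, then ship salt + hash-of-hash.
    param([Parameter(Mandatory)] [string] $Upn, [Parameter(Mandatory)] [string] $Password)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $directoryHash = Get-DirectoryHash -Password $Password
    return [pscustomobject]@{
        Upn       = $Upn
        Salt      = $salt
        CloudHash = Get-CloudHash -DirectoryHash $directoryHash -Salt $salt
    }
}

function Test-CloudPassword {
    # What the cloud side does at sign-in: recompute from the submitted password and compare.
    param([Parameter(Mandatory)] $Record, [Parameter(Mandatory)] [string] $Password)
    $candidate = Get-CloudHash -DirectoryHash (Get-DirectoryHash -Password $Password) -Salt $Record.Salt
    $stored    = [byte[]]$Record.CloudHash
    if ($candidate.Length -ne $stored.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $stored.Length; $i++) {
        $diff = $diff -bor ($candidate[$i] -bxor $stored[$i])   # constant-time comparison
    }
    return ($diff -eq 0)
}

# Constructed demonstration values.
$record = Export-PasswordHash -Upn 'alice@contoso.com' -Password 'correct horse battery staple'
'Sent to Azure AD: ' + [BitConverter]::ToString([byte[]]$record.CloudHash)   # no password, no directory hash
Test-CloudPassword -Record $record -Password 'correct horse battery staple'
Test-CloudPassword -Record $record -Password 'wrong password'
```

The point the slide makes is visible in the data flow: the clear-text password exists only inside Get-DirectoryHash on-premises, and what crosses the SSL connection is one more one-way step removed from what the directory itself stores, so a copy of the cloud-side value is neither the password nor the directory's hash. The per-user salt also means two users with the same password produce different cloud-side values.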

Page 17: Choosing between DirSync and Azure AD Sync Services

DirSync (released and supported in production):
- Includes password hash sync
- Includes password write-back with Azure AD Premium license
- Can filter objects by OU
- Supports use of dedicated SQL Server install or SQL Express
- The setup wizard can be run multiple times for configuration changes

Azure AD Sync Services (beta available):
- Includes sync from multiple forests, including merging duplicate users in these forests
- ** In addition to AD, can sync from LDAP v3, SQL Server and CSV data
- ** Enables selective OU sync using the UX in the setup, compared to DirSync which requires PowerShell configuration
- ** Enables transforming of attributes using the UX in the setup
- Planned to replace DirSync in the future
- Preview cannot be upgraded to a later release

** = not in the beta

Page 18: Demo: Configuring Azure AD Sync

Page 19: Federated identity model

User accounts and password hashes in the on-premises directory are synchronized to the cloud by the DirSync tool, but authentication happens on-premises: sign-on is redirected to AD FS, which authenticates the user against the on-premises directory. The user signs on with a federated identity.

Page 20: Password sync backup for federated sign-in

This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.

Diagram: the on-premises directory syncs user accounts and, as the backup, password hashes through the DirSync tool; AD FS provides the federated identity for normal sign-in.

Page 21: [Speaker] [Title] [Company] Identity management integration options for Office 365

ADFS is Also Easy Use trained and experienced deployment staff Use Azure AD Connect Tool

https://microsoft.sharepoint.com/teams/OfficeOnRamp/wiki/Pages/Azure-Active-Directory-Connect-Tool.aspx

Read all the TechNet Deployment Guidance http://technet.microsoft.com/en-us/library/jj205462.aspx

Only implement the Office 365 requirements The only certificate required is the SSL certificate

Prepare with firewall update permissions

Page 22: Demo: Azure AD Connect for AD FS

Page 23: How to choose an identity model?

Page 24: Change between models as needs change

- Cloud identity to synchronized identity: deploy DirSync; existing cloud users are matched to directory users by hard match or soft match.
- Synchronized identity to federated identity: deploy AD FS; password sync can be left enabled as a backup.
- Federated identity to synchronized identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users.
- Synchronized identity to cloud identity: PowerShell Set-MsolDirSyncEnabled; takes 72 hours, and you can monitor with Get-MsolCompanyInformation.
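The following is an added example, not part of the presentation: the four transitions the slide lists, each wrapped in a function around the MSOnline cmdlets the slide names (plus Set-MsolUser for the hard-match step and Get-MsolDomain to confirm the domain's authentication type). It assumes the MSOnline and ActiveDirectory PowerShell modules, a tenant admin session and, for the federated step, an AD FS server; 'contoso.com', 'alice' and the password-file path are placeholders.

```powershell
# Added example; not part of the presentation. Four functions, one per transition on the
# slide, around the MSOnline cmdlets it names. Assumes the MSOnline and ActiveDirectory
# modules and a tenant admin session; 'contoso.com', 'alice' and the password-file path
# are placeholders. Call only the function for the move you are actually making.
Import-Module MSOnline
Connect-MsolService            # prompts for tenant admin credentials

function Set-HardMatchId {
    # Cloud identity -> synchronized identity. Before the first sync, pair an existing
    # cloud user with its AD object by setting ImmutableId to the base64 form of the AD
    # objectGUID (hard match). Soft match needs no ImmutableId; it relies on the primary
    # SMTP address being the same on both sides.
    param([Parameter(Mandatory)] [string] $SamAccountName, [Parameter(Mandatory)] [string] $Upn)
    Import-Module ActiveDirectory
    $adUser = Get-ADUser -Identity $SamAccountName
    $immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $immutableId
}

function ConvertTo-FederatedDomain {
    # Synchronized identity -> federated identity. Run on the AD FS server once AD FS is
    # deployed (Azure AD Connect can deploy it). Password hash sync stays on as the backup.
    param([Parameter(Mandatory)] [string] $Domain)
    Convert-MsolDomainToFederated -DomainName $Domain
    (Get-MsolDomain -DomainName $Domain).Authentication   # prints the domain's authentication type
}

function ConvertTo-ManagedDomain {
    # Federated identity -> synchronized identity. Converts the domain back to standard
    # (managed) authentication; converted users get temporary passwords written to the
    # password file. The slide's budget: 2 hours plus 1 hour per 2,000 users.
    param([Parameter(Mandatory)] [string] $Domain,
          [string] $PasswordFile = 'C:\Temp\converted-users.txt')   # placeholder path
    Convert-MsolDomainToStandard -DomainName $Domain -SkipUserConversion $false -PasswordFile $PasswordFile
    (Get-MsolDomain -DomainName $Domain).Authentication   # prints the domain's authentication type
}

function Disable-DirectorySync {
    # Synchronized identity -> cloud identity. Deactivation can take up to 72 hours;
    # Get-MsolCompanyInformation reports where it stands, so poll it hourly.
    Set-MsolDirSyncEnabled -EnableDirSync $false
    do {
        Start-Sleep -Seconds 3600
        $info = Get-MsolCompanyInformation
        '{0:u}  DirSync enabled: {1}  status: {2}' -f (Get-Date), $info.DirectorySynchronizationEnabled, $info.DirectorySynchronizationStatus
    } while ($info.DirectorySynchronizationEnabled)
}

# Invoking one transition (placeholder values):
# Set-HardMatchId -SamAccountName 'alice' -Upn 'alice@contoso.com'
# ConvertTo-ManagedDomain -Domain 'contoso.com'
```

The order of operations matters more than the cmdlets: hard matching has to happen before the first sync or you get duplicate users, and when converting a federated domain back to managed, password hash sync should already be running so that users keep their existing passwords rather than the temporary ones written to the password file.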

Page 25: Choose the simplest model for your needs

This is our recommendation. Cloud identity is the simplest model; choose cloud when:
- You have no on-premises directory
- There is on-premises directory restructuring
- You are in pilot with Office 365

Page 26: Choose synchronized identity if you have an on-premises directory

- Password hash sync means federation is not required just to have the same password in the cloud.
- Same sign-on: the username and password are the same in the cloud as on-premises.
- Single sign-on: you log on to the PC and no password is required for cloud services.
- Save credentials for later use: Windows Credential Manager.
- Outlook does not support single sign-on.
- Choose password hash sync unless you have one of the scenarios that requires federation.

Page 27: Scenarios for choosing federation: existing infrastructure

1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010

Page 28: Scenarios for choosing federation: technical requirements

4. You have multiple forests in your on-premises AD
5. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
6. Custom hybrid applications or hybrid search is required
7. Web-accessible forgotten password reset

Page 29: Scenarios for choosing federation: policy requirements

8. You require sign-in audit and/or immediate disable
9. Single sign-on minimizing prompts is required
10. Require client sign-in restrictions by network location or work hours
11. Policy preventing synchronizing password hashes to Azure AD

Page 30: Office 365 federation options

AD FS (WS-*):
- Suitable for medium and large enterprises, including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on
- Support for web and rich clients
- Microsoft supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses & support

Third party (WS-*):
- Suitable for medium and large enterprises, including educational organizations
- Recommended where customers may use existing non-AD FS identity systems, with AD or non-AD
- Single sign-on
- Support for web and rich clients
- Third-party supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses & support
- Verified through the 'Works with Office 365' program

Shibboleth (SAML 1.1):
- Suitable for educational organizations
- Recommended where customers may use existing non-AD FS identity systems
- Single sign-on
- Support for web clients and Outlook (ECP) only
- Microsoft supported for integration only; no Shibboleth deployment support
- Requires on-premises servers & support
- Works with AD and other directories on-premises

SAML 2.0:
- For organizations that need to use SAML 2.0
- Recommended where customers may use existing non-AD FS identity systems
- Single sign-on
- Support for web clients and Outlook (ECP) only
- Microsoft supported for integration only; no identity provider deployment support
- Requires on-premises servers & support
- Works with AD and other directories on-premises

Page 31: Works with Office 365 – Identity program

What is it? Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.

Program requirements:
- Published qualification requirements
- Published technical integration docs
- Automated testing tool
- Self-testing work by partner
- Predictable and shorter qualification

http://aka.ms/ssoproviders

Protocols and providers shown: WS-Trust & WS-Federation (Active Directory with AD FS); SAML (passive auth); Shibboleth; RadiantOne.

Customer benefits:
- Flexibility to reuse existing identity provider investments
- Confidence that the solution is qualified by Microsoft
- Coordinated support between the partner and Microsoft

Page 32: Recent features change the landscape

- Jun 2013: Password hash sync added to DirSync
- Nov 2013: DirSync tool run on domain controllers
- Feb 2014: Multi-factor authentication for Office 365
- Apr 2014: Azure Active Directory Sync Services
- Apr 2014: Azure AD Premium password reset
- May 2014: Alternate sign-in ID to UPN
- May 2014: DirSync backup for federated sign-in
- Dec 2014: Office client passive authentication

Page 33: Summary

- Choose the simplest model for your needs
- Change between models as needs change
- Cloud identity model when there is no on-premises directory
- Synchronized identity model for most organizations
- Federated identity model for one of the 11 scenarios

Page 34: Legal notice

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.