Understanding Identity Management with Office 365

Upload: perficient-inc

Post on 15-Jan-2015


DESCRIPTION

As more companies leverage Office 365, identity management between on-premises and cloud has become a topic of increasing importance. Fortunately, Office 365 offers a wide range of identity management options that you can select based on your organization’s needs and preferences. Join Perficient as we take a look at:

• What constitutes identity management in Office 365

• Federation and synchronization options available with Office 365, including ADFS and DirSync with password synchronization

• Multi-forest deployments and deploying infrastructure using Windows Azure

TRANSCRIPT

Page 1: Understanding Identity Management with Office 365

Understanding Identity Management with Office 365

Page 2: Understanding Identity Management with Office 365

Perficient is a leading information technology consulting firm serving clients throughout North America. We help clients implement business-driven technology solutions that integrate business processes, improve worker productivity, increase customer loyalty and create a more agile enterprise to better respond to new business opportunities.

About Perficient

Page 3: Understanding Identity Management with Office 365

• Founded in 1997

• Public, NASDAQ: PRFT

• 2012 revenue of $327 million

• Major market locations throughout North America: Atlanta, Austin, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Columbus, Dallas, Denver, Detroit, Fairfax, Houston, Indianapolis, Minneapolis, New Orleans, New York, Northern California, Philadelphia, Southern California, St. Louis, Toronto, Washington D.C.

• Global delivery centers in China, Europe and India

• ~2,000 colleagues

• Dedicated solution practices

• ~85% repeat business rate

• Alliance partnerships with major technology vendors

• Multiple vendor/industry technology and growth awards

Perficient Profile

Page 4: Understanding Identity Management with Office 365

Business Solutions

• Business Intelligence
• Business Process Management
• Customer Experience and CRM
• Enterprise Performance Management
• Enterprise Resource Planning
• Experience Design (XD)
• Management Consulting

Technology Solutions

• Business Integration/SOA
• Cloud Services
• Commerce
• Content Management
• Custom Application Development
• Education
• Information Management
• Mobile Platforms
• Platform Integration
• Portal & Social

Our Solutions Expertise

Page 5: Understanding Identity Management with Office 365

Our Microsoft Practice

Page 6: Understanding Identity Management with Office 365


Why Perficient for Office 365?

Certified: Office 365 Certified; Gold Certified Messaging; O365 MVP; Ranked #1 of all Microsoft National Systems Integrators

Experienced: Hundreds of thousands of users migrated; Performed first-ever migrations to Microsoft’s cloud solutions; In-depth experience with complex, multi-national customers moving to O365

Innovative: Published O365 and Lync authors; Member of the Microsoft O365 Partner Advisory Council

Office 365

Exchange 2010

Page 7: Understanding Identity Management with Office 365


Shalini Pasupneti

Presenter Shalini Pasupneti is a Solution Architect in Perficient's Microsoft infrastructure practice focusing on Exchange and Office 365. Recently, she’s been guiding global and mid-size companies in their transition to Office 365. She holds an MCITP in both Exchange and Office 365.

Our Speaker

Page 8: Understanding Identity Management with Office 365


Understanding Identities and Single Sign On

Page 9: Understanding Identity Management with Office 365

Identity management deals with identifying individuals in a system and controlling access to the resources in that system.

Integral components of identity and access management:

• Authentication

• Authorization

Page 10: Understanding Identity Management with Office 365

Windows Azure Active Directory: a common identity platform for organizational accounts, made up of a directory store and an authentication platform.

Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts.

Page 11: Understanding Identity Management with Office 365

Cloud Identity: a single identity held in the cloud (Windows Azure Active Directory). Suitable for small organizations with no integration to on-premises directories.

Directory Synchronization: an on-premises identity, synchronized to Windows Azure Active Directory by Directory Sync. Single identity; suitable for medium and large organizations without federation.

Federated Identity: an on-premises identity, federated to Windows Azure Active Directory and also synchronized by Directory Sync. Single federated identity and credentials; suitable for medium and large organizations.

Office 365 Identity

Page 12: Understanding Identity Management with Office 365

Cloud Identity

• Rich experience with Office Apps

• Ease of deployment, management and support

• Lower cost as no additional servers are required on-premises

• High availability and reliability as all identities and services are managed in the cloud

Diagram: User with a Cloud Identity (Ex: [email protected]) held in Windows Azure Active Directory.

Page 13: Understanding Identity Management with Office 365

Diagram: Identity Services in the cloud (authentication platform and directory store), used by Exchange Online, SharePoint Online and Lync Online.

Cloud Identity

Page 14: Understanding Identity Management with Office 365

• Rich experience with Office apps

• Directory synchronization between on-premises and online

• Identities are created and managed on-premises and synchronized to the cloud

• Single identity and credentials, but no single sign-on between on-premises and Office 365 services

• Reuse existing directory implementation on-premises

Diagram: User with an On-Premises Identity (Ex: Domain\Alice) in AD, synchronized by Directory Synchronization to a Cloud Identity (Ex: [email protected]) in Windows Azure Active Directory.

Directory Synchronization

Page 15: Understanding Identity Management with Office 365

Diagram: on-premises Active Directory feeds the DirSync provisioning platform, which populates the cloud Identity Services (authentication platform and directory store) used by Exchange Online, SharePoint Online and Lync Online.

Directory Synchronization

Page 16: Understanding Identity Management with Office 365

• Active Directory health
  • Prerequisites check (Readiness Tool)
  • IdFix

• Topology
  • Single forest
  • Multiple forest

• Security
  • Firewalls, permissions

• 64-bit only

• Object filtering required

• SQL Express or full SQL (+50k objects)

Deployment Considerations

Page 17: Understanding Identity Management with Office 365

• Customers can exclude objects from synchronizing to Office 365

• Scoping can be done at the following levels:
  • AD domain-based
  • Organizational unit-based
  • User attribute-based

• Additional filtering capabilities will become available with the O365 Connector

• Preventing the synchronization of specific attributes is not supported

Scoping and Filtering for Synchronization
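The three scoping levels above decide whether a whole object is synchronized; nothing on this slide removes individual attributes from an object that is in scope. The following is an added example (not the deck's or the sync tool's own code) that models that behaviour over a handful of constructed directory objects: domain-, OU- and attribute-based scoping are applied together, and an included object carries all of its attributes. The DNs, attribute names and values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of object-level scoping for directory synchronization.
# Scoping decides whether an object is synchronized at all; an object that is
# in scope is synchronized with all of its attributes (attribute-level
# exclusion is not supported, as the slide states).


@dataclass
class DirectoryObject:
    dn: str                                          # e.g. CN=Alice,OU=Sales,DC=corp,DC=contoso,DC=com
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def domain(self) -> str:
        """Domain DNS name built from the DC= components of the DN."""
        parts = [p.strip() for p in self.dn.split(",")]
        return ".".join(p[3:] for p in parts if p.upper().startswith("DC="))

    def in_ou(self, ou_dn: str) -> bool:
        """True when the object sits inside the given OU or one of its children."""
        return self.dn.lower().endswith("," + ou_dn.lower())


@dataclass
class SyncScope:
    domains: Optional[Set[str]] = None                    # AD domain-based scoping
    excluded_ous: Set[str] = field(default_factory=set)   # organizational unit-based scoping
    required_attribute: Optional[Tuple[str, str]] = None  # user attribute-based scoping

    def includes(self, obj: DirectoryObject) -> bool:
        if self.domains is not None:
            if obj.domain.lower() not in {d.lower() for d in self.domains}:
                return False
        if any(obj.in_ou(ou) for ou in self.excluded_ous):
            return False
        if self.required_attribute is not None:
            name, value = self.required_attribute
            if obj.attributes.get(name) != value:
                return False
        return True


def objects_to_sync(objects: List[DirectoryObject], scope: SyncScope) -> List[DirectoryObject]:
    """Objects the sync tool would provision to Office 365 under this scope."""
    return [o for o in objects if scope.includes(o)]


def sample_directory() -> List[DirectoryObject]:
    """Constructed sample objects; not real directory data."""
    return [
        DirectoryObject("CN=Alice,OU=Sales,DC=corp,DC=contoso,DC=com",
                        {"extensionAttribute1": "sync", "employeeID": "1001"}),
        DirectoryObject("CN=Bob,OU=Contractors,DC=corp,DC=contoso,DC=com",
                        {"extensionAttribute1": "sync", "employeeID": "1002"}),
        DirectoryObject("CN=svc-backup,OU=Service Accounts,OU=Sales,DC=corp,DC=contoso,DC=com",
                        {"extensionAttribute1": "nosync"}),
        DirectoryObject("CN=Carol,OU=Users,DC=lab,DC=contoso,DC=com",
                        {"extensionAttribute1": "sync"}),
    ]


def demo_scope() -> List[str]:
    """Apply all three scoping levels at once; return the CNs that remain in scope."""
    scope = SyncScope(
        domains={"corp.contoso.com"},                                   # only the production domain
        excluded_ous={"OU=Contractors,DC=corp,DC=contoso,DC=com"},      # never sync contractors
        required_attribute=("extensionAttribute1", "sync"),             # opt-in flag on the user
    )
    return [o.dn.split(",")[0][3:] for o in objects_to_sync(sample_directory(), scope)]


if __name__ == "__main__":
    print(demo_scope())
```

Running it with the combined scope leaves only Alice: Bob is in an excluded OU, the service account lacks the opt-in attribute value, and Carol is in a different domain. Dropping the attribute and OU filters brings Bob and the service account back, still with every attribute attached, which is the point the last bullet makes.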

Page 18: Understanding Identity Management with Office 365

Directory Synchronization Write-Back

Attribute | Feature | What it enables
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering Coexistence | Enables on-premises filtering using cloud safe/blocked sender info
msExchArchiveStatus | Cloud Archive | Allows users to archive mail to the Office 365 service
ProxyAddresses (cloudLegDN) | Mailbox off-boarding | Enables off-boarding of mailboxes back to on-premises
cloudmsExchUCVoiceMailSettings | Voicemail coexistence | Enables on-premises mailbox users to have Lync Server 2010 in the cloud

Page 19: Understanding Identity Management with Office 365

• Rich experience with Office Apps

• Directory synchronization between on-premises and online

• Identities are created and managed on-premises and synchronized to the cloud

• Single identity and password credentials, but no single sign-on between on-premises and Office 365 services

• Reuse existing directory implementation on-premises

Password Synchronization

Diagram: User with an On-Premises Identity (Ex: Domain\Alice) in AD, synchronized by Directory Synchronization with a one-way password hash to a Cloud Identity (Ex: [email protected]) in Windows Azure Active Directory.

Page 20: Understanding Identity Management with Office 365

Windows Azure Active Directory Sync Tool

• The tool is downloaded from the Office 365 admin portal

• Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it

• Synchronizes user passwords from on-premises AD to Azure AD (Office 365)

• Respects on-premises password policies

• Can’t sync passwords for Federated Users (those authenticated by a SAML2 Identity Provider), but password sync and federation can co-exist in one tenant

More Details on TechNet: http://aka.ms/sync

Page 21: Understanding Identity Management with Office 365

Diagram: User with an On-Premises Identity (Ex: Domain\Alice) federated to Windows Azure Active Directory using a non-ADFS STS; a Non-AD (LDAP) directory is synchronized through the Office 365 Connector on FIM.

Non-AD Synchronization

• Preferred option for directory synchronization with non-AD sources

• Non-AD support with FIM is available through Microsoft-led deployments

• FIM 2010 Office 365 connector supports complex multi-forest topologies

Page 22: Understanding Identity Management with Office 365

• Single identity and sign-on for on-premises and Office 365 services

• Identities mastered on-premises with a single point of management

• Directory synchronization to synchronize directory objects into Office 365

• Secure token based authentication

• Client access control based on IP address with ADFS

• Strong factor authentication options for additional security with ADFS

Diagram: User with an On-Premises Identity (Ex: Domain\Alice) in AD or Non-AD, federated to Windows Azure Active Directory, with Directory Synchronization of the directory objects.

Federated Identity

Page 23: Understanding Identity Management with Office 365

• User objects must have a value for UPN in on-premises Active Directory

• UPN domain suffix must match a verified domain in Office 365. The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN suffix does not match a verified domain

• Users must switch to using UPN to log on to Office 365, not domain\username

• UPN must have valid characters. The Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters

Deployment Considerations for UPN
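The four UPN considerations above are the kind of check the Deployment Readiness Tool and IdFix run before synchronization. The block below is an added example, not the deck's or Microsoft's own code, that performs the same checks over a constructed set of users: it reports a missing UPN, predicts the fallback to the tenant's default onmicrosoft.com domain when the suffix is not verified, flags invalid characters, and shows the UPN each sAMAccountName (the old domain\username logon) will have to switch to. The allowed-character set in the regular expression is an assumption based on the commonly documented Office 365 username rules; confirm it against the readiness tool's output for your tenant.

```python
import re
from typing import Dict, List, Optional

# Constructed example of pre-sync UPN checks. The character rule for the
# username part (letters, digits and ' . - _ ! # ^ ~ with no leading or
# trailing period) is an assumption about the Office 365 rules; verify it
# against the Deployment Readiness Tool / IdFix for the tenant in question.
UPN_PREFIX_RE = re.compile(r"^[A-Za-z0-9'._!#^~-]+$")


def check_upn(upn: Optional[str], verified_domains: List[str], default_domain: str) -> Dict[str, object]:
    """Return the sign-in name the user will get in Office 365 plus any findings."""
    findings: List[str] = []
    if not upn:
        return {"effective_upn": None,
                "findings": ["missing UPN: object cannot be given a cloud sign-in name"]}
    if upn.count("@") != 1:
        return {"effective_upn": None, "findings": ["malformed UPN: expected exactly one '@'"]}
    prefix, suffix = upn.split("@")
    if not UPN_PREFIX_RE.match(prefix) or prefix.startswith(".") or prefix.endswith("."):
        findings.append(f"invalid characters in username part '{prefix}'")
    verified = {d.lower() for d in verified_domains} | {default_domain.lower()}
    if suffix.lower() in verified:
        effective = f"{prefix}@{suffix.lower()}"
    else:
        # Unverified suffix: Office 365 falls back to the tenant's default domain,
        # so the user will sign in with a different name than they expect.
        effective = f"{prefix}@{default_domain.lower()}"
        findings.append(f"suffix '{suffix}' is not a verified domain; user will sign in as {effective}")
    return {"effective_upn": effective, "findings": findings}


def readiness_report(users: Dict[str, Optional[str]], verified_domains: List[str],
                     default_domain: str) -> Dict[str, Dict[str, object]]:
    """Map each on-premises sAMAccountName to the UPN the user must switch to."""
    return {sam: check_upn(upn, verified_domains, default_domain) for sam, upn in users.items()}


# Constructed sample: sAMAccountName -> userPrincipalName as found on-premises.
SAMPLE_USERS: Dict[str, Optional[str]] = {
    "alice": "alice@contoso.com",                # verified suffix, clean prefix
    "bob": "bob.smith@corp.contoso.local",       # internal suffix, will fall back
    "carol": "carol smith@contoso.com",          # space is not a valid character
    "dave": None,                                # no UPN set at all
    "erin": ".erin@contoso.com",                 # leading period
}


def demo_report() -> Dict[str, Dict[str, object]]:
    """Run the checks for a tenant with contoso.com verified and the default domain added."""
    return readiness_report(SAMPLE_USERS, ["contoso.com"], "contoso.onmicrosoft.com")


if __name__ == "__main__":
    for sam, result in demo_report().items():
        print(sam, "->", result["effective_upn"], result["findings"])
```

The report is most useful when run before the first sync: a user whose suffix falls back to contoso.onmicrosoft.com will be told to log on with a name nobody communicated to them, and objects with invalid characters are the ones IdFix would otherwise reject.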

Page 24: Understanding Identity Management with Office 365

• Windows Server 2008 or Windows Server 2008 R2/2012

• Active Directory forest functional level 2003

• PowerShell

• Web Server (IIS)

• .NET 3.5 SP1

• Windows Identity Foundation

• Publicly registered domain name

• Public certificate (wildcard supported but not recommended)

• High availability, load-balanced design

• Choice between Windows Internal Database or SQL

Federated Identity Requirements

Page 25: Understanding Identity Management with Office 365

Diagram: Authentication Flow (Passive/Web). Customer side: Client (joined to CorpNet), Active Directory and the AD FS 2.0 Server (authentication platform). Microsoft Online Services side: the authentication platform and Exchange Online or SharePoint Online. Token labels: Logon (SAML 1.1) Token with UPN: [email protected] and User Source ID: ABC123; Auth Token with UPN: [email protected] and ID: 254729.

Authentication Flow (Passive/Web)

Page 26: Understanding Identity Management with Office 365

Diagram: Active Flow (Outlook/ActiveSync). Customer side: Client (joined to CorpNet), Active Directory and the AD FS 2.0 Server (authentication platform). Microsoft Online Services side: the authentication platform and Exchange Online. Labels: Basic Auth Credentials (Username/Password) from the client; Logon (SAML 1.1) Token with UPN: [email protected] and User Source ID: ABC123; Auth Token with UPN: [email protected] and ID: 254729.

Active Flow (Outlook/Active Sync)
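The two flow diagrams above (passive/web and active/Outlook) differ in who carries the credentials: in the passive flow the browser authenticates to AD FS itself and only tokens travel to the cloud, while in the active flow the client hands basic-auth credentials to Exchange Online, which obtains the tokens from AD FS on the client's behalf. The block below is an added example, not code from the deck or from Microsoft, that models both flows end to end with the same actors and token labels as the slides: AD authenticates, AD FS issues a logon token with the UPN and user source ID, the online authentication platform verifies it against the federation trust, maps the source ID to the cloud ID that directory synchronization created, and issues the auth token the service accepts. An HMAC over a JSON body stands in for a SAML 1.1 token signed with the AD FS token-signing certificate, and the shared key stands in for the federation trust; user, password and identifiers are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed model of the passive and active federated sign-in flows.
# The HMAC signature and JSON body stand in for a SAML 1.1 token signed with the
# AD FS token-signing certificate; FEDERATION_KEY stands in for the trust that
# federation establishes between AD FS and Microsoft Online Services.
FEDERATION_KEY = b"constructed-federation-trust-key"


class ActiveDirectory:
    """On-premises directory: the source of authority for credentials."""

    def __init__(self, users: Dict[str, Dict[str, str]]):
        self.users = users  # upn -> {"password": ..., "source_id": ...}

    def authenticate(self, upn: str, password: str) -> Optional[Dict[str, str]]:
        user = self.users.get(upn)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        return {"upn": upn, "source_id": user["source_id"]}


class AdfsServer:
    """AD FS 2.0: authenticates against AD, then issues the logon token."""

    def __init__(self, ad: ActiveDirectory, key: bytes):
        self.ad, self.key = ad, key

    def issue_logon_token(self, upn: str, password: str) -> Dict[str, str]:
        identity = self.ad.authenticate(upn, password)
        if identity is None:
            raise PermissionError("AD authentication failed")
        body = json.dumps(identity, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class OnlineAuthPlatform:
    """Microsoft Online Services authentication platform: verifies the logon
    token against the federation trust, maps the user source ID to the cloud
    ID that directory synchronization created, and issues the auth token."""

    def __init__(self, key: bytes, cloud_users: Dict[str, str]):
        self.key, self.cloud_users = key, cloud_users  # source_id -> cloud id

    def exchange(self, logon_token: Dict[str, str]) -> Dict[str, str]:
        expected = hmac.new(self.key, logon_token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, logon_token["sig"]):
            raise PermissionError("logon token signature invalid")
        claims = json.loads(logon_token["body"])
        cloud_id = self.cloud_users.get(claims["source_id"])
        if cloud_id is None:
            raise PermissionError("no synchronized cloud identity for this user")
        return {"upn": claims["upn"], "id": cloud_id}


class ExchangeOnline:
    def __init__(self, platform: OnlineAuthPlatform, adfs: AdfsServer):
        self.platform, self.adfs = platform, adfs

    def open_mailbox(self, auth_token: Dict[str, str]) -> str:
        return f"mailbox for cloud id {auth_token['id']}"

    def active_logon(self, username: str, password: str) -> str:
        """Active flow: the client sends basic auth credentials to the service,
        which obtains the tokens on its behalf. The password therefore transits
        the service, which is what distinguishes this profile from the passive one."""
        logon = self.adfs.issue_logon_token(username, password)
        return self.open_mailbox(self.platform.exchange(logon))


def passive_flow(upn: str, password: str, adfs: AdfsServer,
                 platform: OnlineAuthPlatform, service: ExchangeOnline) -> str:
    """Passive flow: the browser authenticates at AD FS, carries the logon token
    to the auth platform and presents the auth token to the service."""
    logon = adfs.issue_logon_token(upn, password)
    return service.open_mailbox(platform.exchange(logon))


def build_demo():
    """Constructed environment: one synchronized user and a federation trust."""
    ad = ActiveDirectory({"alice@contoso.com": {"password": "S3cret!", "source_id": "ABC123"}})
    adfs = AdfsServer(ad, FEDERATION_KEY)
    platform = OnlineAuthPlatform(FEDERATION_KEY, {"ABC123": "254729"})  # populated by DirSync
    return adfs, platform, ExchangeOnline(platform, adfs)


def demo():
    adfs, platform, service = build_demo()
    passive = passive_flow("alice@contoso.com", "S3cret!", adfs, platform, service)
    active = service.active_logon("alice@contoso.com", "S3cret!")
    return passive, active


if __name__ == "__main__":
    print(demo())
```

Both flows end at the same cloud ID because the mapping from the on-premises source ID to the cloud ID exists only if the user was synchronized first; a token whose claims are altered after AD FS signed it fails the signature check at the auth platform, and a wrong password never gets past AD.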

Page 27: Understanding Identity Management with Office 365

• Two-factor authentication: requires the ADFS Proxy sign-in page or other proxies like TMG/UAG

• Client Access Policies (ADFS): requires ADFS UR1, see http://support.microsoft.com/kb/2607496

ADFS Customization

Page 28: Understanding Identity Management with Office 365

Client access control (part of ADFS) limits access to Office 365 based on network connectivity (internet versus intranet). Example policies:

• Block all external access to Office 365 based on the IP address of the external client

• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked

• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online

ADFS Customization
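The three policies above are expressed in AD FS as issuance authorization rules over request-context claims that became available with ADFS UR1 (the KB cited on the previous slide). The block below is an added example, not the deck's, Microsoft's or a production rule set, that evaluates each policy in Python over constructed request contexts so the effect of each one can be seen side by side. The claim names and the passive endpoint path are taken from that KB as I recall it and the client-application values are constructed to look like the documented ones; verify both against the KB before building real rules from them. The corporate address range is a constructed TEST-NET prefix.

```python
import ipaddress
from typing import Callable, Dict, Iterable

# Constructed evaluator for the client access policy scenarios on the slide.
# Claim names follow the AD FS UR1 request-context claims as recalled from the
# KB article; the application values and endpoint paths below are constructed to
# resemble the documented ones and must be verified against the KB.
PROXY = "x-ms-proxy"                     # present when the request came through an AD FS proxy
CLIENT_IP = "x-ms-forwarded-client-ip"   # external client IP forwarded by the proxy
APPLICATION = "x-ms-client-application"  # which client asked, e.g. Exchange ActiveSync
ENDPOINT = "x-ms-endpoint-absolute-path" # which AD FS endpoint the request hit

PASSIVE_ENDPOINT = "/adfs/ls/"           # browser (passive) sign-in endpoint
ACTIVE_ENDPOINT = "/adfs/services/trust/2005/usernamemixed"   # rich-client (active) endpoint
EAS_APPLICATIONS = {"Microsoft.Exchange.ActiveSync", "Microsoft.Exchange.Autodiscover"}

Claims = Dict[str, str]
Policy = Callable[[Claims, Iterable[str]], str]


def is_external(claims: Claims, corporate_nets: Iterable[str]) -> bool:
    """External means: arrived through a proxy and the forwarded client IP is
    not inside one of the company's public address ranges."""
    if PROXY not in claims:
        return False                     # reached the internal AD FS farm directly: intranet
    ip = claims.get(CLIENT_IP)
    if ip is None:
        return True                      # via proxy with no client IP claim: treat as external
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                      # unparsable address: fail closed
    return not any(addr in ipaddress.ip_network(net) for net in corporate_nets)


def block_all_external(claims: Claims, corporate_nets: Iterable[str]) -> str:
    """Policy 1: no access from outside the company's address space."""
    return "deny" if is_external(claims, corporate_nets) else "allow"


def block_external_except_eas(claims: Claims, corporate_nets: Iterable[str]) -> str:
    """Policy 2: external access only for Exchange ActiveSync (and the
    Autodiscover lookup it depends on); Outlook and others are blocked."""
    if is_external(claims, corporate_nets) and claims.get(APPLICATION) not in EAS_APPLICATIONS:
        return "deny"
    return "allow"


def block_external_except_passive(claims: Claims, corporate_nets: Iterable[str]) -> str:
    """Policy 3: external access only for passive browser-based applications."""
    if is_external(claims, corporate_nets) and claims.get(ENDPOINT) != PASSIVE_ENDPOINT:
        return "deny"
    return "allow"


CORP_NETS = ["203.0.113.0/24"]   # constructed: the company's public egress range

SAMPLE_REQUESTS: Dict[str, Claims] = {   # constructed request contexts
    "intranet-outlook": {APPLICATION: "Microsoft.Exchange.RPC", ENDPOINT: ACTIVE_ENDPOINT},
    "home-outlook": {PROXY: "proxy1", CLIENT_IP: "198.51.100.7",
                     APPLICATION: "Microsoft.Exchange.RPC", ENDPOINT: ACTIVE_ENDPOINT},
    "phone-eas": {PROXY: "proxy1", CLIENT_IP: "198.51.100.9",
                  APPLICATION: "Microsoft.Exchange.ActiveSync", ENDPOINT: ACTIVE_ENDPOINT},
    "home-browser": {PROXY: "proxy1", CLIENT_IP: "198.51.100.7", ENDPOINT: PASSIVE_ENDPOINT},
    "office-egress-browser": {PROXY: "proxy1", CLIENT_IP: "203.0.113.20", ENDPOINT: PASSIVE_ENDPOINT},
}


def evaluate_all(policy: Policy) -> Dict[str, str]:
    """Apply one policy to every sample request; returns name -> allow/deny."""
    return {name: policy(claims, CORP_NETS) for name, claims in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for policy in (block_all_external, block_external_except_eas, block_external_except_passive):
        print(policy.__name__, evaluate_all(policy))
```

Two points worth checking in a real deployment follow from the sample: a browser session from the office still passes because its egress address is in the corporate range even though it arrived via the proxy, and the "except ActiveSync" policy denies an external browser because that request carries no client-application claim at all, so whichever exceptions you intend must be listed explicitly.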

Page 29: Understanding Identity Management with Office 365

Active Directory Federation Services

Password Sync:
• Same password to access resources
• Can control password policies on-premises
• Support for two-factor authentication *

SSO with AD FS:
• No password re-entry if on-premises
• Client access filtering
• Authentication occurs in the on-premises directory

* Azure AD offers some basic 2FA features that are available with ADFS deployment on-premises. ADFS can support a larger set of 2FA/Strong Authentication options.

Page 30: Understanding Identity Management with Office 365

Single Sign-On Experience

Page 31: Understanding Identity Management with Office 365

Columns: Cloud Identity | Federated Identity (domain-joined computer) | Federated Identity (non-domain-joined computer)

Microsoft Outlook® 2010 on Windows® 7: Sign in each session | Sign in each session | Sign in each session
Outlook 2007 on Windows 7: Sign in each session | Sign in each session | Sign in each session
Outlook 2010 or Outlook 2007 on Windows Vista® or Windows XP: Sign in each session | Sign in each session | Sign in each session
Exchange ActiveSync®: Sign in each session | Sign in each session | Sign in each session
POP, IMAP, Microsoft Outlook for Mac 2011: Sign in each session | Sign in each session | Sign in each session
Web experiences (Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps): Sign in each browser session | No prompt | Sign in each browser session
Office 2010 or Office 2007 using SharePoint Online: Sign in each SharePoint Online session | Sign in each SharePoint Online session | Sign in each SharePoint Online session
Lync Online: Sign in each session | No prompt | Sign in each session
Outlook for Mac 2011: Sign in each session | Sign in each session | Sign in each session

User Experience

Page 32: Understanding Identity Management with Office 365

Diagram: User with an On-Premises Identity (Ex: Domain\Alice) in one of several AD forests, federated to Windows Azure Active Directory using ADFS, with DirSync on FIM synchronizing the forests.

Multi-forest AD

• FIM 2010 Office 365 connector supports complex multi-forest topologies

• Multi-forest DirSync appliance supports multiple disjoint account forests

• Multiple Exchange organizations currently not supported

Page 33: Understanding Identity Management with Office 365

Multi-forest Decision Flowchart (figure; only its labels survive extraction). Decision points: Number of Active Directory forests (Single (1) / Multiple (>1)); Number of Exchange orgs (None (0) / Single (1) / Multiple (>1)); “Disjoint” account forests?; “Disjoint” account forests and Exchange org accessed by accounts in the same forest?; Want to consolidate to a single forest?; Need on-premises org consolidation (see consolidation whitepaper, then re-enter the chart after consolidation). Outcomes: Use Single Forest DirSync; Use Office 365 Connector; Use Multi Forest DirSync.

Multi-forest Decision Flowchart

Page 34: Understanding Identity Management with Office 365

Identity Integration Options

1. Cloud Identity. Org size: Small. Control of attributes in directory: Least control. Source of authority: Cloud. Hardware requirements: No on-premises hardware required. Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice.

2. Directory Sync. Org size: All. Control of attributes in directory: Full control via on-premises directory. Source of authority: On-premises. Hardware requirements: Windows Server OS for DirSync appliance. Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice.

3. Password Sync. Org size: All. Control of attributes in directory: Full control via on-premises directory. Source of authority: On-premises. Hardware requirements: Windows Server OS for DirSync appliance. Login experience: Same username and password for on-premises and cloud; enter credentials twice.

4. Graph API. Org size: Large. Control of attributes in directory: Can control core attributes and select optional. Source of authority: Cloud. Hardware requirements: Machine to run PowerShell jobs on. Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice.

5. FIM. Org size: Large. Control of attributes in directory: Can control core attributes and select optional. Source of authority: On-premises. Hardware requirements: Federated Identity Manager with Office 365 Connector. Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice.

6. Single Sign-On. Org size: Large. Control of attributes in directory: Full control via on-premises directory. Source of authority: On-premises. Hardware requirements: DirSync appliance plus ADFS (or other STS) deployment. Login experience: Same username and password for on-premises and cloud; log in once if on-premises.

Page 35: Understanding Identity Management with Office 365

Shibboleth (SAML), works with AD & Non-AD:
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises

AD FS, works with AD:
• Suitable for medium and large enterprises including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Works with AD

Works with Office 365 - Identity (third-party), works with AD or Non-AD:
• Suitable for medium and large enterprises including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or Non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Verified through the ‘works with Office 365’ program

Federation Options

Page 36: Understanding Identity Management with Office 365

Questions?

Page 37: Understanding Identity Management with Office 365

Customized Microsoft Training for IT Pros & End Users: bit.ly/1cy8WV5

Win an Xbox One! perficient.com/sharepointxbox

Our Microsoft blog: blogs.perficient.com/microsoft

10.16 How Lamar Created an Engaging & Mobile Website: bit.ly/18Sfa0O

10.15 Agile BI: How to Deliver More Value in Less Time: bit.ly/17lsd7H

Connect with Perficient