Microsoft Office 365: Identity and Access Solutions - PowerPoint PPT Presentation


Presentation Transcript
Microsoft Office 365: Identity and Access Solutions

SESSION CODE: SECOFC310

Toby Knight, Technology Specialist, Microsoft
Michael Mahoney, Solution Architect, Microsoft

(c) 2011 Microsoft. All rights reserved.

Session Objectives
  • Describe the different Identity Options
  • Explain the Identity Architecture and Features
  • Describe how federated authentication works
  • Describe the various deployment scenarios
  • Questions
Office 365 Identity features
  • Password policy controls for Microsoft Online IDs
  • Single sign-on with corporate credentials
  • Directory Synchronization updates
  • Role-based administration: Five administration roles
      • Company Admin
      • Billing Admin
      • User Account Admin
      • HelpDesk Admin
      • Service Support Admin
  • “Admin on behalf of” for support partners
Identity Options
  • Microsoft Online IDs
  • Microsoft Online IDs + Microsoft Online Services Directory Synchronization
  • Single Sign On + Directory Synchronization

[Architecture diagram: Microsoft Online Services (Identity Services: Authentication platform acting as IdP, Directory Store, Provisioning platform; Admin Portal/PowerShell) serving Exchange Online, SharePoint Online and Lync Online. Contoso customer premises: AD, MS Online Directory Sync, and Active Directory Federation Server 2.0 acting as IdP, linked to the Authentication platform by a Trust. Client side: Office 365 Desktop Setup.]

Identity options comparison

1. MS Online IDs
  • Appropriate for
    • Smaller orgs without AD on-premise
  • Pros
    • No servers required on-premise
  • Cons
    • No SSO
    • No 2FA
    • 2 sets of credentials to manage with differing password policies
    • IDs mastered in the cloud

2. MS Online IDs + Dir Sync
  • Appropriate for
    • Medium/Large orgs with AD on-premise
  • Pros
    • Users and groups mastered on-premise
    • Enables co-existence scenarios
  • Cons
    • No SSO
    • No 2FA
    • 2 sets of credentials to manage with differing password policies
    • Single server deployment

3. Federated IDs + Dir Sync
  • Appropriate for
    • Larger enterprise orgs with AD on-premise
  • Pros
    • SSO with corporate credentials
    • IDs mastered on-premise
    • Password policy controlled on-premise
    • 2FA solutions possible
    • Enables co-existence scenarios
  • Cons
    • High availability server deployments required
Sign on Experience
  • Office 365 Desktop Setup required for rich clients
    • Installs client and operating system updates to enable the best sign-on experience
    • Not required for web kiosk scenarios (e.g. OWA)
  • Password prompts
    • Can be saved for rich applications; users can remain “signed in” for web applications
    • Will prompt again when the password changes or expires
  • Single Sign-On prompts
    • Prompts can be bypassed by using “Smart Links”; a password is still required on non-domain-joined machines.
    • The user name entered at the prompt must be in UPN format for realm discovery
    • Non-domain-joined machines are prompted for both the user name (realm discovery) and the password (Active Directory credentials)
Sign On Experience: SSO vs. Online IDs Summary

Clients (columns, in order): Outlook Web Application | SharePoint Web Application | ActiveSync, POP, IMAP, Entourage | Office 2010 or Office 2007 SP2 with Outlook 2007 or 2010 (Win7/Vista/XP) | Lync Online (Win7/Vista/XP)

  • MS Online IDs
    • Prompted: Each session | Each session | Each session | Each session | Once at setup
    • Credentials used: Online ID for every client
  • SSO IDs (domain joined)
    • Prompted: No prompt | Each session | No prompt | Each session | Each session
    • Credentials used: AD credentials for every client
  • SSO IDs (non-domain joined)
    • Prompted: Each session for every client
    • Credentials used: AD credentials for every client

Single Sign On Details
  • Setup
  • Authentication flows
  • Deployment scenarios
  • Identity federation rollout

Single Sign On Setup for New Domains

Using the Microsoft Online PowerShell Module for Windows (MSOL PowerShell Module):
  • Connect to AD FS 2.0 and Microsoft Office 365
  • Add Domain (returns details for proof of ownership)
  • Create the required CNAME record for proof of ownership
  • Add Domain again to complete the setup
    • Verify-Domain
    • Active/Mex/Passive endpoints
    • Token signing certs Current/Next
    • Brand URI etc
  • AD FS 2.0 is updated with the trust
    • Add Trust
    • Claim Rules
    • User Source ID = AD ObjectGUID

[Diagram: Microsoft Online Services (Identity Services: Authentication platform, Directory Store, Provisioning platform; Admin Portal/PowerShell) with a Trust to Active Directory Federation Server 2.0 on the Contoso customer premises.]
Single Sign On Operations
  • Add a sub-domain for Single Sign On
  • Convert a domain to Single Sign On
    • Used to convert a Standard domain to Single Sign On
  • Convert a domain from Single Sign On to Standard
    • Should be used with caution; may require users to get a new password.
  • Get properties of a domain configured for Single Sign On
    • Useful for troubleshooting/verification
  • Update properties for a Single Sign On domain
    • Required when items change, such as token signing certs
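Added example, not from the deck: a check that pairs the "Get properties" and "Update properties" operations above, using the MSOnline module cmdlets the Microsoft Online PowerShell Module ships. It assumes the module is installed, that sts.contoso.com is a placeholder for your AD FS 2.0 server, and that contoso.com is a placeholder for the federated domain.

```powershell
# Added example, not part of the original presentation. Assumes the MSOnline module,
# an AD FS 2.0 server reachable as sts.contoso.com (placeholder) and the federated
# domain contoso.com (placeholder).
Import-Module MSOnline
Connect-MsolService                               # prompts for Office 365 admin credentials
Set-MsolAdfscontext -Computer 'sts.contoso.com'   # AD FS 2.0 server to read the trust from

$domain = 'contoso.com'

# "Get properties": returns one record describing what AD FS 2.0 publishes and one
# describing what Office 365 currently has stored for the domain.
$props  = Get-MsolFederationProperty -DomainName $domain
$adfs   = $props | Where-Object { $_.Source -eq 'ADFS Server' }
$online = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

# Items that must agree on both sides; a mismatch breaks federated sign-in
# (a stale token signing certificate in Office 365 fails signature validation).
$drift = @()
foreach ($name in 'PassiveClientSignInUrl', 'ActiveClientSignInUrl', 'MetadataExchangeUri') {
    if ($adfs.$name -ne $online.$name) {
        $drift += "$name (AD FS: $($adfs.$name) / Office 365: $($online.$name))"
    }
}
foreach ($name in 'TokenSigningCertificate', 'NextTokenSigningCertificate') {
    $a = $adfs.$name.Thumbprint
    $o = $online.$name.Thumbprint
    if ($a -ne $o) { $drift += "$name (AD FS: $a / Office 365: $o)" }
}

if ($drift.Count -eq 0) {
    Write-Host "Federation properties for $domain are in sync"
} else {
    Write-Warning ("Federation drift for {0}:`n  {1}" -f $domain, ($drift -join "`n  "))
    # "Update properties": push the current AD FS endpoints and token signing
    # certificates (current/next) to Office 365.
    Update-MsolFederatedDomain -DomainName $domain
}
```

Run it after every AD FS token signing certificate rollover; the warning lists exactly which item Office 365 still holds stale.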
Identity Federation: Authentication flow (Passive/Web profile)

[Flow diagram: the user on the customer premises signs in at AD FS 2.0 and receives a Logon (SAML 1.1) token carrying UPN user@contoso.com and Source User ID ABC123; Microsoft Online Services validates it and issues its own Auth Token carrying UPN user@contoso.com and Unique ID 254729.]

Identity Federation: Authentication flow (MEX/Rich Client profile)

[Flow diagram: the same exchange as the passive profile, but the rich client discovers the AD FS 2.0 endpoints via MEX and requests the Logon (SAML 1.1) token (UPN user@contoso.com, Source User ID ABC123) directly; Microsoft Online Services again issues an Auth Token with UPN user@contoso.com and Unique ID 254729.]

Identity Federation: Active flow (Outlook/ActiveSync)

[Flow diagram: the client sends Basic Auth credentials (username/password) to Microsoft Online Services, which obtains the Logon (SAML 1.1) token (UPN user@contoso.com, Source User ID ABC123) from AD FS 2.0 on the user's behalf and issues the Auth Token (UPN user@contoso.com, Unique ID 254729).]
Identity Details
  • Microsoft Online Services requirements
    • MS Online business scenarios always use WS-*
    • WS-Trust provides support for rich client authentication
    • Identity federation supported initially only through AD FS 2.0
  • Protocols supported
    • WS-*, SAML 1.1
    • SAML-P coming later
  • Strong authentication (2FA) solutions
    • Web applications via the AD FS Proxy sign-in page or other proxies (UAG/TMG)
    • Rich clients dependent on configuration
AD FS 2.0 deployment options

[Diagram: Enterprise network with Active Directory, one or more AD FS 2.0 servers and the internal user; DMZ with AD FS 2.0 proxies facing the external user.]

  • Single server configuration
  • AD FS 2.0 server farm and load-balancer
  • AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, Outlook)

Preparing for Identity Federation
  • High availability design for AD FS 2.0
  • Every user must have a UPN
  • UPN suffix must match a validated domain in Office 365
  • UPN character restrictions
    • Letters, numbers, dot, underscore or dash
    • No dot before @ symbol
  • Users may need to understand that they must use their UPN to log on to Office 365 apps
    • Can be hidden from users with smart links from domain machines
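Added example, not from the deck: a pre-flight check for the UPN rules on this slide, in the PowerShell setting the deck uses. The sample users and the validated domain contoso.com are constructed; in production the users would come from Get-ADUser.

```powershell
# Added example, not part of the original presentation. Checks each user against the UPN
# rules above before a domain is federated. Sample users and the validated domain are constructed.
function Test-FederationUpn {
    param(
        [AllowEmptyString()][string]$Upn,
        [string[]]$ValidatedDomains        # domains already verified in Office 365
    )
    # Every user must have a UPN
    if ([string]::IsNullOrWhiteSpace($Upn)) { return 'Missing UPN' }
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2 -or $parts[0] -eq '' -or $parts[1] -eq '') {
        return 'UPN must have the form prefix@suffix'
    }
    $prefix, $suffix = $parts
    # Only letters, numbers, dot, underscore or dash before the @
    if ($prefix -notmatch '^[A-Za-z0-9._-]+$') {
        return 'Prefix contains characters other than letters, numbers, dot, underscore or dash'
    }
    # No dot immediately before the @ symbol
    if ($prefix.EndsWith('.')) { return 'Dot before @ symbol' }
    # Suffix must match a domain validated in Office 365 (-notcontains is case-insensitive)
    if ($ValidatedDomains -notcontains $suffix) {
        return "Suffix '$suffix' is not a validated Office 365 domain"
    }
    return 'OK'
}

$validatedDomains = @('contoso.com')     # assumption: the domain verified in Office 365

# Constructed sample data; in production use:
#   Get-ADUser -Filter * -Properties UserPrincipalName | Select-Object Name, UserPrincipalName
$sampleUsers = @(
    [pscustomobject]@{ Name = 'Alice'; UserPrincipalName = 'alice@contoso.com' },
    [pscustomobject]@{ Name = 'Bob';   UserPrincipalName = 'bob.@contoso.com' },
    [pscustomobject]@{ Name = 'Carol'; UserPrincipalName = "o'carol@contoso.com" },
    [pscustomobject]@{ Name = 'Dave';  UserPrincipalName = 'dave@contoso.local' },
    [pscustomobject]@{ Name = 'Eve';   UserPrincipalName = '' }
)

$sampleUsers | ForEach-Object {
    [pscustomobject]@{
        User   = $_.Name
        UPN    = $_.UserPrincipalName
        Result = Test-FederationUpn -Upn $_.UserPrincipalName -ValidatedDomains $validatedDomains
    }
} | Format-Table -AutoSize
```

Only Alice passes; each of the other rows shows which rule from the slide the account breaks, so the fixes can be made on-premise before the domain is converted.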
Deployment options: Identity federation
  • Domain conversion is a big switch.
  • Staged Rollout
    • Start with a Federated Domain and license users over time
  • Piloting Federation
    • Suitable for an existing production standard domain (running Directory Sync) containing production licensed users
    • Must use a different test domain, not a sub-domain of an existing domain
    • Update users' UPN on-premise to the new test domain
    • Must revert users back to a Managed domain at the end of the pilot
Strong Authentication
  • Currently supported scenarios
    • Sign in to the desktop machine with smart cards
      • i.e. log on to the workstation with a smart card; all subsequent connections are based on the existing Kerberos tickets, with no additional prompts for the smart card
    • Web applications
  • Unsupported scenarios
    • Non-domain-joined (rich apps) / mobile applications
Alternative Proxies and Strong Authentication
  • Number of options depending on needs
    • Rich Applications without strong authentication
    • Web apps with strong authentication (RSA etc)
    • OS/ActiveSync devices without strong authentication
  • Three options:
Enrol in Microsoft Virtual Academy Today

Why Enroll, other than it being free?

The MVA helps improve your IT skill set and advance your career with a free, easy to access training portal that allows you to learn at your own pace, focusing on Microsoft technologies.

  • What Do I get for enrolment?
  • Free training to make you become the Cloud-Hero in my Organization
  • Help mastering your Training Path and get the recognition
  • Connect with other IT Pros and discuss The Cloud

Where do I Enrol?

www.microsoftvirtualacademy.com

Then tell us what you think. TellTheDean@microsoft.com


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Resources
  • www.msteched.com/Australia
    • Sessions On-Demand & Community
  • www.microsoft.com/australia/learning
    • Microsoft Certification & Training Resources
  • http://msdn.microsoft.com/en-au
    • Resources for Developers
  • http://technet.microsoft.com/en-au
    • Resources for IT Professionals
