Microsoft Office 365 Directory Synchronization and Federation Options

Presentation Transcript
OFC-B317

Microsoft Office 365 Directory Synchronization and Federation Options

Paul Andrew, Ross Adams, Aanchal Saxena

Agenda (six numbered items; the item text is not in the transcript)

Identity for Microsoft cloud services

Diagram: two kinds of user identity sign in to Microsoft cloud services
  • Organizational Account, held in Windows Azure Active Directory. Ex: alice@contoso.com
  • Microsoft Account. Ex: alice@outlook.com

Office 365 Identity Models

  • Cloud identity
    • Zero on-premises servers
  • Synchronized identity
    • On-premises identity and on-premises directory, with directory sync with password sync
    • Between zero and three additional on-premises servers depending on the number of users
  • Federated identity
    • On-premises identity and on-premises directory, with federation plus directory sync
    • Between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements

Choose the simplest model for your needs
  • Change between models as needs change
  • Choose cloud identity
    • if there is no on-premises directory
    • if the on-premises directory is being restructured
    • if you are piloting Office 365
  • Password hash sync means federation is not required just to have the same password in the cloud
  • Choose password hash sync unless you have one of the scenarios that requires federation
Scenarios for identity federation model

Existing infrastructure

  • You already have an AD FS deployment
  • You already use a third party federated identity provider
  • You use Forefront Identity Manager 2010

Technical requirements

  • You have multiple forests in your on-premises AD
  • You have an on-premises integrated smart card or Multi-Factor Authentication (MFA) solution
  • Custom hybrid applications or hybrid search is required
  • Web accessible forgotten password reset

Policy requirements

  • You require sign-in audit and/or immediate disable
  • Single sign-on is required
  • You require client sign-in restrictions by network location or work hours
  • Policy preventing synchronizing password hashes to Azure AD
Identity Synchronization and Federation

Diagram: the on-premises identity provider and directory connect to Windows Azure Active Directory in two ways
  • Federated sign-in from the on-premises identity provider, using WS-Federation (passive auth), WS-Trust (active auth), Shibboleth or SAML 2.0, with federation metadata exchanged between the two sides
  • Synchronize accounts from the on-premises directory into Windows Azure Active Directory

Windows Azure Active Directory then handles authentication and authorization for the services
  • Passive auth: SharePoint Online, Exchange Web Access
  • Active auth: Exchange Mailbox Access; Outlook, Lync, Word, etc
  • Graph API


DirSync on a domain controller or in Azure
  • You can use DirSync with no additional on-premises servers
  • DirSync on a DC
    • Includes SQL Server Express
    • SQL Server and the DC contend for resources
    • Suitable for small deployments of not more than 10,000 users
  • DirSync in Azure (paper)
    • Avoids on-premises servers
    • http://technet.microsoft.com/en-us/library/dn635310(v=office.15).aspx
DirSync high availability
  • DirSync runs on one server
  • Back up SQL Server
  • Back up the encryption keys
  • Keep a cold standby DirSync server
  • Restore SQL and the encryption keys onto it
    • Instructions: http://www.microsoft.com/en-us/download/details.aspx?id=42524
Password hash sync security
  • We typically get questions about the security of synchronizing passwords from banking and finance customers
  • The password hash that we get from AD cannot be reversed to recover the user's password
  • We further process it with the one-way SHA-256 hash algorithm
  • We connect over SSL to the Azure AD service and send the resulting hash of the hash
  • This enables Azure AD to validate the user's password when they log in
  • More details at
    • http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx
Password Write-back

What is it
  • Part of AAD Premium
  • Only via self-service password reset

How do I enable it
  • The admin needs to turn on the feature using the DirSync PowerShell cmdlet: Enable-OnlinePasswordWriteBack

When does it write back
  • Cloud authenticated (managed) user, when password sync is enabled
  • On-premises SSO authenticated (federated) user

Security
  • All communication takes place over SSL
  • Registration of public/private key pairs for transport and encryption; you keep the private keys

Azure AD Sync

What’s included
  • Possible to reduce the set of attributes sync’d based on the services
  • Support for a number of multi-forest scenarios
  • Easier management for filtering objects via a simple UX
  • Support for attribute mapping rules via a simple UX

What’s missing
  • Password sync
  • Password write-back
  • Hybrid configuration, i.e. no write-back today

What’s coming
  • Production support, i.e. not for production today
  • Support for other directories, such as LDAP, SQL or CSV

http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overview.aspx

Sync multiple AD forests

Options:

  • Forefront Identity Manager 2010
    • Supports multiple forests with additional work
  • Azure AD Sync Services
    • Supports multiple forests and is in preview now
    • Disparate forests
    • Full mesh, i.e. GAL Sync
    • Account and resource forest
  • Consolidate forests into one
    • http://technet.microsoft.com/library/cc974332.aspx
Office 365 Connector for Forefront Identity Manager 2010 R2
  • Suitable for large organizations with certain AD and Non-AD scenarios
    • Complex multi-forest AD scenarios
    • Non-AD synchronization
    • Requires Forefront Identity Manager and additional software licenses
  • Requirements
    • Forefront Identity Manager 2010 R2
    • Windows Azure Active Directory Connector for FIM 2010 R2
    • http://technet.microsoft.com/library/dn511001.aspx
Choosing between DirSync and AAD Sync

DirSync
  • Includes password hash sync
  • Includes password write-back with Azure AD Premium license
  • Can filter objects by OU
  • Supports use of a dedicated SQL Server install or SQL Express
  • The setup wizard can be run multiple times for configuration changes
  • Released and supported in production

Azure AD Sync Services (preview available)
  • Includes sync from multiple forests including merging duplicate users in these forests
  • ** In addition to AD, can sync from LDAP v3, SQL Server and CSV data
  • ** Enables selective OU sync using the UX in the setup
  • ** Enables transforming of attributes using the UX in the setup
  • Allows for limiting the attributes sync’d to the cloud
  • Planned to replace DirSync in the future
  • Preview cannot be upgraded to a later release

** Not in the preview

DirSync one directory to multiple tenants
  • You can install DirSync more than once in the same forest, but on different machines
  • You need to handle conflicts
    • A domain can only be validated in one tenant, i.e. for use with email and UPN
    • Sub-domains can be used in different tenants
  • You should look at how you filter your user sets
    • OU
    • Domain
    • Attribute
Cross tenant collaboration
  • We don’t recommend multiple tenants for the same organization
  • There will not be a consolidated Global Address List
    • Could create users from one tenant as contacts in the other
  • SharePoint access across tenants must use External Sharing
  • Free/busy federation between tenants is possible
  • Lync presence and calling between tenants is possible
  • There are third party (not Microsoft) tools that can merge tenants

Federation protocols and auth types
  • WS-Federation
    • Supported by ADFS
    • For passive authentication
  • WS-Trust
    • Supported by ADFS
    • For active authentication
  • Shibboleth (SAML 1.1)
    • An identity provider used in education that uses a custom version of SAML 1.1
    • Passive authentication only
    • Includes ECP for Outlook authentication
  • SAML 2.0
    • A common federation protocol
    • For passive authentication only so similar to WS-Federation
  • Active Directory Authentication Library (OAUTH)
    • Library for common access to Azure AD, ADFS, and Azure ACS.
  • Passive Authentication
    • SharePoint Online
    • Outlook Web Access
    • Office 365 portal
  • Active Authentication
    • Office Sign-in Assistant
    • Office 365 ProPlus licensing
    • Word, Excel, PowerPoint connecting to SharePoint Online
    • Outlook, Lync
    • OneDrive for Business sync
Backup Password Hash Sync

Password Sync Backup for Federated Sign-In

This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.

May take up to 2 hrs to take effect

Diagram: user accounts in the on-premises directory are synchronized by the DirSync tool to the federated identity in the cloud, alongside AD FS for federated sign-in.

Alternate Login ID: removing the dependency on User Principal Name (UPN)

The reliance on UPN has been removed and you can now select an alternate login ID for use with Office 365 and Azure AD in general. Use of UPN will still be the default. Through configuration you can select the Mail attribute or any other attribute in your on-premises Active Directory.

This works with either synchronized identity or federated identity.

Demo: Alternate login ID

Federate multiple domains in a tenant
  • A User Principal Name (UPN) is the sign-in ID that customers use, e.g. ArneA@contoso.com
  • Each DNS domain suffix you use in a UPN can be federated to an identity provider
  • Synchronized accounts can also be used
  • Azure AD uses the UPN DNS suffix to do home realm discovery to a federated identity provider
  • Home realm discovery can be shortcut with URLs like this:
    • https://login.microsoftonline.com/whr=contoso.net
    • https://contoso.sharepoint.com

Sync options for a SAML IDP
  • If you use AD, then directory sync works for you
  • If you can’t sync (non-AD)
    • Script user creation via PowerShell or Azure AD
    • Directory Graph (RESTful interface)
  • Future support from AAD Sync for non-AD sources
  • FIM 2010 via supported connectors
SAML-P 2.0 federation
  • Sign-in federation
  • SAML-P 2.0 passive auth
    • Equivalent to WS-Federation and used for web based applications
    • No equivalent for WS-Trust, so Office client applications cannot be used
  • Office client support for passive auth at the end of 2014
  • SAML-P federation guidance
    • http://technet.microsoft.com/en-us/library/dn641269.aspx
  • Use of AD FS to interface to a SAML provider
    • Won’t enable Office client active authentication due to the double hop
Office desktop client sign-in with passive auth

Previously the Office Sign-In Assistant required WS-Trust. Passive authentication works with WS-Federation and SAML 2.0.

What is it?
  • Office desktop clients move to using ADAL (Active Directory Authentication Library)
  • Uses OAUTH for passive authentication

Availability
  • Announced on February 10, 2014; details at http://blogs.office.com
  • Planned for later in 2014

Diagram (Office desktop passive auth): Outlook, Lync, Word, etc reach Exchange Mailbox Access through Windows Azure Active Directory, which federates over SAML 2.0 to an on-premises identity provider backed by an LDAP v3 directory; DirSync (LDAP v3) synchronizes that directory to the cloud.

Office client OAUTH authentication futures – Announced on Feb 10, 2014

  • Updated Office 2013 clients to support OAUTH and Multi-Factor Authentication
  • No need for App Passwords in updated clients
  • If you can authenticate in a web browser, then you can authenticate in Office clients
  • Outlook, Lync, Word, Excel, PowerPoint, PowerShell, SkyDrive Pro
  • Clients will also support
    • Federation identity providers using the SAML 2.0 protocol
    • US DoD Common Access Card (CAC)
    • US Federal Personal Identity Verification card (PIV)
  • For release during CY 2014

The MFA Flow

Diagram: Office (application code, Office Authentication, HTTP layer and ADAL) talks to an Office 365 service, to the Azure Active Directory Secure Token Service, and through a web browser control to the federated tenant's identity provider. The numbered steps:

  1. Office makes a request to a service which supports the new MFA flow
  2. Service instructs Office to visit an STS which speaks a simple standards based protocol (OAuth); the response carries "www-authenticate: Bearer authorization_uri: https://login.windows.net"
  3. Office instructs the AD library (ADAL) to launch a web browser control and authenticate against https://login.windows.net...
  4. MFA and federation magic happens transparent to Office: the federated sign-in is done using SAML-P, WS-Fed, etc., the STS validates the assertions in the SAML token and hands back a token for Office 365 (a JWT token)
  5. Office gets back simple tokens that it caches for future communication with its services
  6. Office sends the token to the service
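Step 2 hinges on the client trusting the authorization_uri the service hands it before a browser control is pointed at it, so here is an added example (not code from the deck or from ADAL) that parses the Bearer challenge and checks the authority host against an allowlist. The header sample, the allowlist and the function names are constructed for this example; resource_id is the companion parameter ADAL reads from the same header.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the step-2 challenge; realm/error follow RFC 6750,
# authorization_uri/resource_id are the parameters ADAL consumes. Values are made up.
SAMPLE_CHALLENGE = (
    'Bearer authorization_uri="https://login.windows.net/common/oauth2/authorize", '
    'resource_id="https://outlook.office365.com", realm="", error="invalid_token"'
)

# Hosts the client is willing to send a sign-in browser control to (example allowlist).
TRUSTED_AUTHORITIES = {"login.windows.net", "login.microsoftonline.com"}

# key=value pairs, value either quoted (with \" escapes) or bare, separated by commas.
_PARAM = re.compile(r'\s*([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]*))\s*(?:,|$)')


def parse_bearer_challenge(header: str) -> dict:
    """Split a WWW-Authenticate Bearer value into its lower-cased auth-params."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    out = {}
    for m in _PARAM.finditer(params):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        out[key.lower()] = value.replace('\\"', '"')
    return out


def authority_is_trusted(authorization_uri: str) -> bool:
    """Only https and an exact host match count; 'login.windows.net.example' does not."""
    u = urlsplit(authorization_uri)
    return u.scheme == "https" and u.hostname in TRUSTED_AUTHORITIES


def authorization_target(header: str):
    """Return (authorization_uri, resource_id) to hand to the browser control, or None."""
    challenge = parse_bearer_challenge(header)
    uri = challenge.get("authorization_uri")
    if not uri or not authority_is_trusted(uri):
        return None
    return uri, challenge.get("resource_id")


if __name__ == "__main__":
    print(authorization_target(SAMPLE_CHALLENGE))
    print(authorization_target('Bearer authorization_uri="http://login.windows.net/x"'))
```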


Works with Office 365 – Identity program

What is it?

Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used. http://aka.ms/ssoproviders

Program Requirements
  • Published qualification requirements
  • Published technical integration docs
  • Automated testing tool
  • Self testing work by partner
  • Predictable and shorter qualification

Customer Benefits
  • Flexibility to reuse existing identity provider investments
  • Confidence that the solution is qualified by Microsoft
  • Coordinated support between the partner and Microsoft

Identity providers shown on the slide (for representative purposes only), under the headings WS-Trust & WS-Federation and SAML (passive auth): Active Directory with ADFS, Okta, RadiantOne, Shibboleth


Troubleshooting Identity Management
  • DirSync troubleshooting
    • Use IdFix to correct directory errors prior to syncing
    • Clean duplicate SMTP/proxy addresses
    • Clean duplicate UPNs and non-routable UPNs
    • Check Windows Event Viewer on the DirSync server for errors
  • ADFS infrastructure
    • Use the Connectivity tool to verify your setup: https://testconnectivity.microsoft.com/
    • Multiple servers (or VMs) are required
    • AD FS is a very broad and capable technology
      • You don’t need to implement every part of it for a small Office 365 tenant
      • Only the SSL certificate is needed for a small tenant; the other certs are not
    • An SSL certificate is required for the Web Application Proxy server
    • Port 443 is required to be open to the Web Application Proxy server
Summary

Related content
  • Breakout Sessions
    • DCIM-B301 Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities
    • OFC-B222 Introduction to Office 365 Identity Management
    • OFC-B327 Authentication Patterns for SharePoint 2013 and Office 365
    • DCIM-B382 Cloud Identity and Access Management: Azure Active Directory Premium
  • Related Certification Exams http://aka.ms/office365mcsa
    • 70-346 Managing Office 365 Identities and Requirements
    • 70-347 Enabling Office 365 Services
  • Microsoft Solutions Experience Location (MSE)
    • Paul Andrew : MSE Be Secure, after lunch tomorrow
  • Find Me Later At: http://twitter.com/pndrw
Resources

Learning
  • Sessions on Demand: http://channel9.msdn.com/Events/TechEd
  • Microsoft Certification & Training Resources: www.microsoft.com/learning

TechNet
  • Resources for IT Professionals: http://microsoft.com/technet

msdn
  • Resources for Developers: http://microsoft.com/msdn
