colabora - identity in a world of cloud - june 2015

Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S

Identity in a World of Cloud: Identity management with Azure Active Directory and Office 365

Upload: colaboradk

Post on 13-Aug-2015

72 views

Category:

Technology


2 download

TRANSCRIPT


© EG A/S 2

About me

Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S

Expertise: Office 365, Microsoft Azure, Certificate Services/PKI, Federation Services, Exchange, Active Directory.

MCSE: Communication | MCSA: Office 365 | MCTS: Exchange | MCSA: Windows Server 2012 R2

Contact me:
E-mail: [email protected]
mistercloudtech.com
Twitter: twitter.com/JakobONielsen
Phone: +45 7260 2378 / +45 2085 9156


Agenda

• Identity models
• How to choose an identity model
• Identity synchronization tools
• Azure AD Connect
• Password sync and federated identity
• Azure Active Directory applications
• SourceAnchor and account matching
• AD Sync recommendations

The current reality…

Diagram: on the on-premises side sit the private cloud, managed devices, Windows Server Active Directory and other directories; on the public cloud side sit SaaS, Azure and Office 365. Microsoft Azure Active Directory spans both as the identity foundation.

Identity as the foundation


Office 365 Identity Models

• Cloud identity: zero on-premises servers.
• Synchronized identity: on-premises identity; directory sync with password sync. Between zero and three additional servers on-premises depending on the number of users.
• Federated identity: on-premises identity; directory sync plus federation. Between two and eight servers on-premises and networking configuration depending on the sign-in availability requirements.

Identity Synchronization and Federation

Diagram: the on-premises directory synchronizes accounts to Azure Active Directory through the Graph API. Authentication is handled by the on-premises identity provider via federated sign-in (WS-Federation, WS-Trust, SAML 2.0, Shibboleth metadata), while Azure Active Directory handles authorization. Passive authentication (browser) is used for Exchange Web Access and SharePoint Online; active authentication (Outlook, Skype4B, etc.) is used for Exchange mailbox access.

Cloud Identity Model

Diagram: the user signs in at http://portal.office.com with a cloud identity that exists only "in cloud", and Azure AD performs the authentication itself.


Synchronized Identity Model

Diagram: Azure AD Sync synchronizes user accounts and password hashes from the on-premises directory to Azure AD. The user signs on with the synchronized identity and Azure AD performs the authentication ("Same Sign-On").

Password hash sync security

• The AD account password is hashed twice: twice through a one-way hash algorithm, not reversible to get the user's password; only the result of the hashes is synced.
• Additional security: connections are SSL encrypted, and connections are made only to Azure AD.
• Enables validation: Azure AD can validate the user's password when they log in.

Diagram: account password in the on-premises directory, hashed twice (SHA-256), carried by Azure AD Sync over an encrypted (SSL) connection to Azure AD.
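To make the "hashed twice, synced, then validated in the cloud" flow concrete, here is an added example in Python; it is not code from the presentation, from EG A/S or from Microsoft. It models stage one as the one-way hash the on-premises directory stores and stage two as a salted, iterated SHA-256 derivation over that hash, and then shows Azure AD validating a sign-in from the synced record alone. The salt length and iteration count are assumptions for illustration, not Azure AD Connect's documented parameters.

```python
"""Password hash synchronization, modelled after the "hash x 2" slide.

Added example for this transcript; not code from the presentation, from
EG A/S or from Microsoft. SALT_LEN and ITERATIONS are assumptions chosen
for illustration, not the documented parameters of Azure AD Connect.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

SALT_LEN = 16      # assumption: per-user random salt added by the sync agent
ITERATIONS = 1000  # assumption: iteration count of the second, SHA-256 based stage


@dataclass(frozen=True)
class SyncedCredential:
    """What actually travels to Azure AD: a salt and the second-stage hash.
    Neither the cleartext password nor the on-premises hash leaves the domain."""
    salt: bytes
    verifier: bytes


def first_stage_hash(password: str) -> bytes:
    """Stage 1: the one-way hash that the on-premises directory stores.
    Active Directory keeps an MD4 digest of the UTF-16-LE password (the NT hash);
    where this Python build lacks MD4 (OpenSSL 3 without the legacy provider)
    SHA-256 stands in, which keeps the demonstration one-way but changes the bytes."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def second_stage_hash(stage1: bytes, salt: bytes) -> bytes:
    """Stage 2: salted, iterated HMAC-SHA-256 over the stage-1 hash.
    Only this value (with its salt) is synchronized; it cannot be turned back
    into the stage-1 hash, let alone the password."""
    return hashlib.pbkdf2_hmac("sha256", stage1, salt, ITERATIONS, dklen=32)


def sync_agent_export(password: str) -> SyncedCredential:
    """Sync agent side. In production the agent reads the stored stage-1 hash
    from the domain controller; here it is derived from the password only so
    that the example is self-contained."""
    stage1 = first_stage_hash(password)
    salt = os.urandom(SALT_LEN)
    return SyncedCredential(salt=salt, verifier=second_stage_hash(stage1, salt))


def azure_ad_validate(cred: SyncedCredential, password_attempt: str) -> bool:
    """Cloud side. At sign-in Azure AD receives the password over TLS, repeats
    both stages with the stored salt and compares in constant time, so it can
    validate the password without ever having stored it."""
    candidate = second_stage_hash(first_stage_hash(password_attempt), cred.salt)
    return hmac.compare_digest(candidate, cred.verifier)


def leaks_secret(cred: SyncedCredential, password: str) -> bool:
    """Sanity check: neither the password nor the stage-1 hash appears in the synced record."""
    record = cred.salt + cred.verifier
    return (password.encode("utf-16-le") in record) or (first_stage_hash(password) in record)


if __name__ == "__main__":
    cred = sync_agent_export("Correct-Horse-42")  # constructed sample password
    print("valid:", azure_ad_validate(cred, "Correct-Horse-42"))
    print("wrong password accepted:", azure_ad_validate(cred, "correct-horse-42"))
    print("secret material in synced record:", leaks_secret(cred, "Correct-Horse-42"))
```

Because the salt is per user and random, two exports of the same password produce different verifiers, so a synced record cannot be compared across users or across tenants to find shared passwords.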

Choosing between sync tools

DirSync
• Still the default sync tool linked from the Office 365 Admin Portal
• Only supports sync from a single AD forest
• Supports object filtering (domain, OU, attribute)
• Remains supported following the Microsoft Online Services Support Lifecycle Policy (12 months), probably after AAD Connect GA*

Azure AD Sync
• All the features from DirSync
• Supports sync from multiple AD forests, including merge of duplicate accounts into one Office 365 tenant
• Supports sync from LDAP v3 and SQL ID store (pending)
• Installs prerequisite software components during install
• Upgrade from DirSync by uninstall/install

Azure AD Connect
• Will include all features from DirSync and Azure AD Sync (announced)
• Installer options to deploy Azure AD Sync with password sync and optionally ADFS
• Will support Azure AD Premium features (password, device, group writeback, +…)
• Released in GA on June 24, 2015

Azure AD Connect – Identity Bridge

Diagram: Azure AD Connect (sync + sign on) bridges Active Directory, LDAP directories and other identity stores to Azure AD, which provides common sign-on to SaaS apps such as Box, Citrix, Concur, GoToMeeting, DocuSign, Dropbox, Google Apps, Jive, Salesforce, ServiceNow, Workday and your custom apps.

Azure AD Connect with Express Settings

• Use one tool instead of many
• Get up and running quickly (5 clicks)
• Start here, then scale up or add options
• Custom options to address more complex scenarios

Demo: Azure AD Connect

Get up and running with:
• Most common, simple options
• Single AD forest
• Synchronization of all on-premises objects
• Password synchronization of all users
• Creates a default on-premises service account
• Creates a default cloud service account with a tailored role
• Enterprise admin required in on-premises AD
• Global admin required in the cloud
• Sets up sync with an AD Connector for on-premises AD and an Azure Connector for Azure AD

Azure AD Connect with Express Settings

Custom settings allow more advanced options:
• Supports multi-forest synchronization
• Support for hybrid scenarios and/or Single Sign-On using ADFS
• Deploy pilot users using filtering by domain, OU or attribute
• Assign a custom, lower-privileged service account
• Sync selected users using filtering (OU, domain, group, attribute)
• Postpone the initial full sync ("staging mode")
• Support Azure AD Premium features: writeback of passwords, users, groups and devices from the cloud
• Windows 10 computer sync to Azure AD
• Sync of custom and directory extension attributes

Azure AD Connect

Making hybrid identity simple

Azure Active Directory Connect:
• Deployment assistant for identity bridge components
• Simplified deployment of federation components
• Health – operations and monitoring of all Azure AD Connect components

Diagram: Azure AD Connect wraps the Sync Services (DirSync, Azure AD Sync, FIM + Azure AD Connector), ADFS and ADFS Health.

Federated Identity Model

Diagram: the user signs on and is redirected to AD FS, which authenticates the user against the on-premises directory and issues a security token for the federated identity; Azure AD Sync still synchronizes user accounts and password hashes to Azure AD.

For alternatives to on-premises ADFS, both ADFS and WAP can be hosted in Azure or by a hosting partner.

Single Sign-On for web apps can also use Azure AD Access Control Service (ACS) as the Secure Token Service (STS).

Password Sync Backup for Federated Sign-In

Password sync backup for Office 365 federated sign-in provides the option to switch a federated domain to a synchronized domain in the event of on-premises outages or Internet access disruption.

Diagram: AD FS provides the federated identity, while Azure AD Sync synchronizes user accounts from the on-premises directory together with a backup password hash sync.

How to choose an identity model

• Cloud identity: zero on-premises servers.
• Synchronized identity: on-premises identity; directory sync with password sync.
• Federated identity: on-premises identity; directory sync plus federation.

Choosing Password Sync or ADFS for Sign-On

• Choose the simplest model that will fit the business requirements
• Cloud identity when no on-premises AD exists
• Password sync for standard on-premises AD integrations
• Federated identity for the following scenarios:
  - The organization already has ADFS or another federation service
  - Hybrid integration with cloud services (Exchange/SharePoint/Skype4B/..)
  - Password prompts from domain-joined computers must be minimized (SSO)
  - Security policy requires sign-in auditing and/or immediate disabling of accounts
  - Security policy prohibits sync of password hashes to Azure AD
  - Client sign-in restrictions by network location or work hours
  - Conditional access for both on-premises and cloud resources
  - Use of FIM/MIM for on-premises identity management
  - On-premises multi-factor authentication or smart card support for sign-in

Change between models as needs change

• Cloud Identity to Synchronized Identity: deploy DirSync / Azure AD Sync / Azure AD Connect; hard match or soft match of users.
• Synchronized Identity to Federated Identity: deploy AD FS and configure a trust between ADFS and Azure AD. PowerShell: Convert-MsolDomainToFederated. Leave password sync enabled as backup.
• Federated Identity to Synchronized Identity: PowerShell: Convert-MsolDomainToStandard. Takes 2 hours plus 1 additional hour per 2,000 users.
• Synchronized Identity to Cloud Identity: PowerShell: Set-MsolDirSyncEnabled. Takes 72 hours; monitor with PowerShell: Get-MsolCompanyInformation.

Azure AD Connect: Federated Sign-On

Diagram: the user's device signs on to Azure AD and SaaS apps; the sign-on request passes through the outer firewall to the AD FS Web Application Proxy and through the inner firewall to AD FS, which authenticates against Active Directory.

Making ADFS Easier

Get familiar with the TechNet deployment guidance

Implement the ADFS and Office 365 requirements

Public SSL Certificate is required for ADFS/WAP

Use Azure AD Connect for easier deployment

Add Support for Multiple Domains during cloud federation

Change Token-Signing and Token-Decrypting certificates expiration

Azure Active Directory applications

• Currently ~2500 SaaS cloud apps
• Integrate with Azure AD
• Single Sign-On support
• Central provisioning in Azure
• User provisioning with local AD groups using Azure AD Premium
• Full SaaS cloud app list at: Azure Active Directory Marketplace

SourceAnchor and UserPrincipalName

SourceAnchor (ImmutableID)
• Base64 encoding of the on-premises account objectGUID
• Static ("immutable") during the entire lifetime of an object
• The SourceAnchor value cannot (easily!) be changed after the object is created in AAD!
• When the immutable attribute is first selected, it CANNOT be changed!
• Recommended: objectGUID, employeeID
• Avoid: mail, userPrincipalName

UserPrincipalName
• The default logon attribute for users signing in to cloud services
• Keep the default! Don't change it if at all possible
• Changing to another attribute is not supported with Hybrid Office 365 enabled

Account matching

Hard match: first attempt; hard match based on objectGUID.

Soft match: if unsuccessful, attempt a soft match based on the primary SMTP address.

IMPORTANT
• Be sure all SMTP domains are validated in the tenant before activating directory synchronization.
• If neither an objectGUID nor an SMTP match can be made, a new object will be created in Azure AD.
• Reactivation of AD Sync overwrites all changes made in Azure AD since the last sync. Perform a backup of cloud user data before reactivation!
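The SourceAnchor derivation and the hard-then-soft matching order above, as an added example in Python; it is not code from the presentation or from Azure AD Connect. The tenant is an in-memory list of constructed objects, and the example also shows the failure mode the slide warns about: a primary SMTP address in a domain the tenant has not verified cannot soft match, so the sync creates a second object next to the cloud-only one.

```python
"""SourceAnchor (ImmutableID) derivation and hard/soft account matching.

Added example for this transcript, not code from the presentation or from
Azure AD Connect. Tenant objects and users are constructed sample data.
"""
import base64
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class OnPremUser:
    object_guid: uuid.UUID
    upn: str
    proxy_addresses: list   # e.g. ["SMTP:anna@contoso.com", "smtp:anna@contoso.onmicrosoft.com"]


@dataclass
class CloudUser:
    upn: str
    primary_smtp: str
    immutable_id: Optional[str] = None   # None = cloud-only object, never matched to AD


def source_anchor(object_guid: uuid.UUID) -> str:
    """ImmutableID: Base64 of the objectGUID in the byte order AD stores it
    (the order .NET's Guid.ToByteArray() returns, which is uuid.bytes_le here)."""
    return base64.b64encode(object_guid.bytes_le).decode("ascii")


def primary_smtp(proxy_addresses) -> Optional[str]:
    """Exchange marks the primary address with an upper-case SMTP: prefix."""
    for entry in proxy_addresses:
        if entry.startswith("SMTP:"):
            return entry[len("SMTP:"):].lower()
    return None


def match_user(user: OnPremUser, tenant: list, verified_domains: set) -> tuple:
    """Returns (kind, cloud_object) where kind is "hard", "soft" or "new".
    The tenant list is mutated the way a sync cycle mutates the directory."""
    anchor = source_anchor(user.object_guid)

    # 1. Hard match: the anchor is already bound to a cloud object (steady state).
    for cloud in tenant:
        if cloud.immutable_id == anchor:
            return "hard", cloud

    # 2. Soft match: an unmatched cloud-only object carries the same primary SMTP.
    #    Azure AD does not accept addresses in domains the tenant has not verified,
    #    so such addresses can never produce a soft match; verify domains first.
    smtp = primary_smtp(user.proxy_addresses)
    if smtp and smtp.rsplit("@", 1)[-1] in verified_domains:
        for cloud in tenant:
            if cloud.immutable_id is None and cloud.primary_smtp.lower() == smtp:
                cloud.immutable_id = anchor      # from now on it hard matches
                return "soft", cloud

    # 3. Neither: a new object is created, even if a cloud-only twin exists.
    created = CloudUser(upn=user.upn, primary_smtp=smtp or user.upn, immutable_id=anchor)
    tenant.append(created)
    return "new", created


if __name__ == "__main__":
    # Constructed sample data
    tenant = [CloudUser("anna@contoso.com", "anna@contoso.com"),
              CloudUser("bob@contoso.com", "bob@fabrikam.com")]
    anna = OnPremUser(uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10"), "anna@contoso.com",
                      ["SMTP:Anna@contoso.com", "smtp:anna@contoso.onmicrosoft.com"])
    bob = OnPremUser(uuid.uuid4(), "bob@contoso.com", ["SMTP:bob@fabrikam.com"])
    verified = {"contoso.com"}
    print(match_user(anna, tenant, verified)[0])   # soft: matched on primary SMTP
    print(match_user(anna, tenant, verified)[0])   # hard: anchor is now bound
    print(match_user(bob, tenant, verified)[0])    # new: fabrikam.com not verified, duplicate created
```

The `source_anchor` function is the same computation as `[Convert]::ToBase64String($guid.ToByteArray())` in PowerShell, which is a useful check when comparing an on-premises object to the ImmutableID shown in the cloud.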

Directory Synchronization

IMPORTANT: Before activating AD Sync, be sure directory cleanup is completed!

Primary SMTP address must be unique in the entire enterprise

No duplicate proxyAddresses must exist

All UPNs and SMTP addresses must be correctly formatted

Only supported management tool is on-prem Exchange Admin Center/Shell

When the Immutable attribute is first selected, it CANNOT be changed !
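The three cleanup rules on this slide (unique primary SMTP address, no duplicate proxyAddresses, correctly formatted UPNs and SMTP addresses) as a small audit over exported user records, added here as an example in Python; it is not a tool from the presentation or from Microsoft. The records are constructed, and the address syntax rule is a deliberately conservative assumption (letters, digits, dot, dash, underscore and apostrophe in the local part), not the complete Azure AD character policy.

```python
"""Pre-sync directory cleanup checks from the "Directory Synchronization" slide.

Added example for this transcript, not a tool from the presentation or from
Microsoft. SAMPLE_USERS is constructed data; ADDRESS_RE is an assumed,
conservative syntax rule rather than the full Azure AD policy.
"""
import re
from collections import defaultdict

ADDRESS_RE = re.compile(r"^[A-Za-z0-9._'-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def well_formed(address: str) -> bool:
    """Single @, allowed characters, dotted domain, no leading/trailing/double dot in the local part."""
    local, at, _domain = address.partition("@")
    if not at or not ADDRESS_RE.match(address):
        return False
    return not (local.startswith(".") or local.endswith(".") or ".." in local)


def audit_directory(users) -> list:
    """Return a sorted list of (rule, userPrincipalName(s), value) findings."""
    findings = []
    primary_owners = defaultdict(list)
    proxy_owners = defaultdict(list)

    for user in users:
        upn = user["userPrincipalName"]
        if not well_formed(upn):
            findings.append(("malformed-upn", upn, upn))

        primaries = []
        for entry in user["proxyAddresses"]:
            prefix, _, address = entry.partition(":")
            if prefix.lower() != "smtp":          # X500:, SIP: etc. are not mail addresses
                continue
            if not well_formed(address):
                findings.append(("malformed-smtp", upn, address))
            proxy_owners[address.lower()].append(upn)
            if prefix == "SMTP":                  # upper case = primary (reply) address
                primaries.append(address.lower())

        if len(primaries) != 1:                   # exactly one primary per mail-enabled object
            findings.append(("primary-smtp-count", upn, str(len(primaries))))
        for address in primaries:
            primary_owners[address].append(upn)

    for address, owners in primary_owners.items():
        if len(owners) > 1:
            findings.append(("duplicate-primary-smtp", ";".join(owners), address))
    for address, owners in proxy_owners.items():
        if len(owners) > 1:                       # same address on two objects, any case
            findings.append(("duplicate-proxyaddress", ";".join(owners), address))

    return sorted(findings)


SAMPLE_USERS = [  # constructed sample export
    {"userPrincipalName": "anna@contoso.com",
     "proxyAddresses": ["SMTP:anna@contoso.com", "smtp:anna@contoso.onmicrosoft.com",
                        "X500:/o=Contoso/ou=Exchange Administrative Group/cn=Recipients/cn=anna"]},
    {"userPrincipalName": "bob@contoso.com",
     "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:Anna@contoso.com"]},       # reuses Anna's address
    {"userPrincipalName": "carl.@contoso.com",                                   # trailing dot in UPN
     "proxyAddresses": ["SMTP:carl@contoso.com", "SMTP:carl.m@contoso.com"]},    # two primaries
    {"userPrincipalName": "dana@contoso.local",                                  # well formed but no primary
     "proxyAddresses": ["smtp:dana@contoso.com"]},
    {"userPrincipalName": "eve@contoso.com",
     "proxyAddresses": ["SMTP:Bob@contoso.com"]},                                # duplicate primary
]

if __name__ == "__main__":
    for rule, who, value in audit_directory(SAMPLE_USERS):
        print(f"{rule:24} {who:36} {value}")
```

Every finding names the objects involved, so the list can be handed to the Exchange admins who own the on-premises attributes; until it is empty, the soft-match step will either fail or attach the wrong cloud object.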

Common multi-forest topologies

• Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
• Account-resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts, joined on objectSID and msExchMasterAccountSID.
• Separate forests: each object in every forest will be represented in Azure AD.
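The three join rules above, as an added example in Python that is not code from the presentation or from Azure AD Connect's sync engine: objects from several forests are folded into metaverse entries keyed by mail (GALSync), by the SID chain objectSID to msExchMasterAccountSID (account/resource), or not joined at all (separate forests). The objects and the `role` field marking account versus resource forest are constructed for the example.

```python
"""Metaverse join rules for the three multi-forest topologies on the slide.

Added example for this transcript, not code from the presentation or from
Azure AD Connect. SAMPLE_OBJECTS and the "role" field are constructed.
"""
from collections import OrderedDict


def join_key(obj: dict, topology: str) -> str:
    """The value on which objects from different forests count as the same person."""
    own_key = f"{obj['forest']}/{obj['dn']}"            # never joins with anything
    if topology == "galsync":
        mail = (obj.get("mail") or "").lower()
        return f"mail:{mail}" if mail else own_key
    if topology == "account-resource":
        # A disabled resource-forest account points at its enabled account-forest
        # twin through msExchMasterAccountSID, so both resolve to the account's SID.
        if not obj["enabled"] and obj.get("msExchMasterAccountSID"):
            sid = obj["msExchMasterAccountSID"]
        else:
            sid = obj.get("objectSID")
        return f"sid:{sid}" if sid else own_key         # contacts have no SID: stay separate
    if topology == "separate":
        return own_key
    raise ValueError(f"unknown topology: {topology}")


def build_metaverse(objects, topology: str) -> list:
    """Merge objects into metaverse entries keyed by join_key; returns a list of dicts."""
    metaverse = OrderedDict()
    for obj in objects:
        key = join_key(obj, topology)
        entry = metaverse.setdefault(key, {"key": key, "sources": [], "type": "contact",
                                           "enabled": False, "mail": None})
        entry["sources"].append(f"{obj['forest']}/{obj['dn']}")
        if obj["type"] == "user":
            entry["type"] = "user"                      # a user outranks a contact with the same mail
        entry["enabled"] = entry["enabled"] or obj["enabled"]   # the enabled account wins
        if obj.get("mail") and (entry["mail"] is None or obj.get("role") == "resource"):
            entry["mail"] = obj["mail"]                 # mailbox attributes come from the resource forest
    return list(metaverse.values())


SAMPLE_OBJECTS = [  # constructed
    {"forest": "contoso.com", "dn": "CN=Anna,OU=Users", "type": "user", "enabled": True,
     "mail": "anna@contoso.com", "objectSID": "S-1-5-21-1000-1",
     "msExchMasterAccountSID": None, "role": "account"},
    {"forest": "fabrikam.com", "dn": "CN=Anna,OU=Contacts", "type": "contact", "enabled": False,
     "mail": "Anna@contoso.com", "objectSID": None,
     "msExchMasterAccountSID": None, "role": None},
    {"forest": "exchres.local", "dn": "CN=Anna,OU=Mailboxes", "type": "user", "enabled": False,
     "mail": "anna@contoso.com", "objectSID": "S-1-5-21-2000-9",
     "msExchMasterAccountSID": "S-1-5-21-1000-1", "role": "resource"},
    {"forest": "fabrikam.com", "dn": "CN=Bob,OU=Users", "type": "user", "enabled": True,
     "mail": "bob@fabrikam.com", "objectSID": "S-1-5-21-3000-7",
     "msExchMasterAccountSID": None, "role": "account"},
]

if __name__ == "__main__":
    for topology in ("galsync", "account-resource", "separate"):
        entries = build_metaverse(SAMPLE_OBJECTS, topology)
        print(f"{topology}: {len(entries)} Azure AD objects")
        for e in entries:
            print("  ", e["key"], e["type"], "enabled" if e["enabled"] else "disabled", e["sources"])
```

Running it shows why the topology decision must be made before the first sync: the same four source objects become two, three or four Azure AD objects depending on the join rule, and a wrong choice leaves duplicates that are expensive to clean up once ImmutableIDs are assigned.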

Summary

Choose the simplest identity model for your requirements

Cloud identity when there is no on-premises AD

Synchronized identity for basic setup – add more later

Federated identity for additional requirements

Identity models can be changed as requirements change

Azure AD Connect will be the new primary sync tool

Easier ADFS deployment still needs preparation

Azure AD applications integration and Single Sign-On

Plan ImmutableID and Matching attributes ahead

Directory synchronization requires proper AD cleanup


Questions!

© 2014 EG A/S. All rights reserved.

The content of this material, including the text, images and other graphics and their arrangement, is copyrighted by EG A/S or its affiliated, associated or related companies. EG A/S makes no warranties, express, implied or statutory, as to the information in this presentation.