colabora - identity in a world of cloud - november 2015
TRANSCRIPT
Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S
Identity in A World of Cloud
Identity management with Azure Active Directory and Office 365
© EG A/S 2
About me
Jakob Østergaard Nielsen
Cloud Solution Architect, EG A/S
Expertise: Office 365, Microsoft Azure, Certificate Services/PKI, Federation Service, Exchange, Active Directory.
MCSE: Communication | MCSA: Office 365 | MCTS: Exchange | MCSA: Windows Server 2012R2
Contact me:
E-mail: [email protected]
mistercloudtech.com
Twitter: @MisterCloudTech
Phone: +45 7260 2378 / +45 2085 9156
Agenda
Identity foundation
Directory synchronization
Account matching
Before activating Directory Synchronization
Directory clean-up
Immutable ID and sourceAnchor
Troubleshooting Directory synchronization
Identity Foundation – The Basics
[Diagram: public cloud (SaaS, Azure, Office 365) and on-premises (Windows Server Active Directory, other directories), with Microsoft Azure Active Directory as the identity layer between them]
Identity as the foundation
Synchronized Identity Model
[Diagram: Azure AD Sync copies user accounts and password hashes from the on-premises directory to Azure AD; the user signs on to Azure AD with “Same Sign-On” authentication]
Azure AD Connect – Identity Bridge
[Diagram: Azure AD Connect (sync + sign on) bridges Active Directory, LDAP directories and other identity stores to Azure AD, which provides common sign-on to SaaS applications (Box, Citrix, Concur, GoToMeeting, Docusign, Dropbox, Google Apps, Jive, Salesforce, ServiceNow, Workday, …) and to your custom apps]
Directory Synchronization
What’s it all good for
Directory Synchronization
Synchronization of directory objects (users, groups, and contacts) from your on-premises Active Directory environment to Office 365/Azure AD.
When user accounts are synchronized with the Office 365 directory for the first time, they are marked as non-activated.
Non-activated users cannot send or receive email, and don’t consume subscription licenses.
When ready to assign Office 365 subscriptions, activate users by assigning a valid license.
Directory Synchronization
Directory synchronization is required for:
Single Sign-on
Skype for Business coexistence
Exchange Hybrid configuration:
▪ Unified Global Address List (GAL)
▪ Unified user provisioning (requires write-back to on-prem Active Directory)
▪ Move selected on-premise mailboxes to Office 365
▪ Safe senders and blocked senders replication to Office 365
▪ Basic delegation and send-on-behalf-of email functionality
▪ Synchronization of photo thumbnails (requires customization of AD Sync)
▪ Synchronization of conference rooms and security groups
▪ Filtering and scoping (requires customization of AD Sync)
Directory Synchronization – Write-back
Two-way synchronization (write-back) is required for online archiving, configuring safe and blocked senders, and cloud voice mail.
Write-back copies the relevant attributes from the Azure directory to the on-premise Active Directory.
Exchange Hybrid write-back is included. Write-back of other elements (password, device, users, groups) requires an Azure AD Premium subscription.
If security policy or a general security concern blocks write-back:
▪ Create a standard domain service account (or gMSA) in your on-premises directory.
▪ Install/configure Azure AD Connect to use this service account.
▪ Assign the AD Sync service account write permissions only to the relevant attributes.
Directory Synchronization – Write-back
Feature | Description | Write-back to attribute
Filtering coexistence | Writes back on-premises filtering and online safe/blocked sender data from clients. | SafeSendersHash, BlockedSendersHash, SafeRecipientsHash
Online archive | Enables the organization to archive email in Office 365. | msExchArchiveStatus
Mailbox removal | Enables the organization to move mailboxes from Office 365 back to the on-premises organization (offboarding). | ProxyAddresses (online LegacyExchangeDN / LegacyDN as X500)
Enable Unified Messaging (UM) online voice mail | Enables integration of UM and Lync/Skype4B to indicate to Lync/Skype4B on-premises that the user has received voice mail in Office 365. | msExchUCVoiceMailSettings
Delegates | Enables users to manage other users’ mailboxes. | PublicDelegates
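The scoped-permission approach from the previous slide, as an added example that is not part of the presentation: the AD Sync service account gets Write Property on exactly the write-back attributes in the table above and nothing else. The domain DN "DC=example,DC=com" and the account "EXAMPLE\svc_aadsync" are placeholders; dsacls.exe (RSAT) and rights to change the domain ACL are assumed.

```powershell
# Added example, not from the presentation: grant the Azure AD Connect service
# account Write Property on only the Exchange hybrid write-back attributes from
# the table above, instead of broad write access. Placeholders (assumptions):
# domain DN "DC=example,DC=com" and account "EXAMPLE\svc_aadsync".
# Needs dsacls.exe (RSAT) and rights to modify the ACL; use -DryRun to review.
$WriteBackAttributes = @(
    'SafeSendersHash', 'BlockedSendersHash', 'SafeRecipientsHash',  # filtering coexistence
    'msExchArchiveStatus',                                           # online archive
    'proxyAddresses',                                                # mailbox removal (X500 LegacyDN)
    'msExchUCVoiceMailSettings',                                     # UM online voice mail
    'publicDelegates'                                                # delegates
)

function Grant-WriteBackPermission {
    param(
        [Parameter(Mandatory)] [string]   $DomainDn,
        [Parameter(Mandatory)] [string]   $ServiceAccount,   # DOMAIN\account (or gMSA$)
        [string[]] $Attributes = $WriteBackAttributes,
        [switch]   $DryRun
    )
    foreach ($attr in $Attributes) {
        # WP = Write Property, limited to this one attribute on 'user' objects;
        # /I:S applies the ACE to sub-objects below the domain root, not the root itself.
        $dsaclsArgs = @($DomainDn, '/I:S', '/G', "${ServiceAccount}:WP;$attr;user")
        if ($DryRun) {
            Write-Output ('dsacls ' + ($dsaclsArgs -join ' '))
        } else {
            & dsacls.exe @dsaclsArgs | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $attr (exit $LASTEXITCODE)" }
            Write-Output "granted WP on $attr to $ServiceAccount"
        }
    }
}

# Review the exact ACL changes before applying them.
Grant-WriteBackPermission -DomainDn 'DC=example,DC=com' -ServiceAccount 'EXAMPLE\svc_aadsync' -DryRun
```

Drop -DryRun to apply the ACEs; afterwards the account can write those attributes on user objects but cannot modify anything else in the directory.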
Account matching
Hard match: first attempt; hard match based on objectGUID.
Soft match: if unsuccessful, attempt soft match based on the primary SMTP address.
Default logon attribute for user login to cloud services: userPrincipalName.
Stick to the default – don’t change the UPN after the initial sync.
Changing to another attribute is not supported with Hybrid enabled.
Before activating Directory Synchronization
Perform a complete directory clean-up.
Add and verify all UPN and SMTP domains in Office 365. Do not assign licenses before all user domains are verified!
Select a unique identifier for the Immutable attribute (aka sourceAnchor).
Special requirements for >50,000 AD objects (users, mail contacts, groups).
Verify on-premise Active Directory functional levels (Windows Server 2003).
Before activating Directory Synchronization
Be sure all SMTP domains are validated in the tenant before activating directory synchronization.
If neither an objectGUID nor an SMTP match can be made, a new object is created in Azure AD using the default company.onmicrosoft.com domain.
Reactivation of AD Sync overwrites all changes in Azure AD since the last sync -> perform a backup of cloud user data before reactivation!
Directory Cleanup
Warning note:
If you don’t perform directory cleanup before you start directory synchronization, this can have a significant negative impact and complicate the deployment process of Office 365/Azure.
Remediating an incomplete or bypassed directory synchronization may take days, or even weeks: identifying object errors, resolving attribute issues, applying cleanup, and performing resynchronization.
Most often, the fastest solution is to delete all objects from Azure AD, purge the deleted objects, complete a proper directory cleanup, and then perform an initial directory sync.
Directory Cleanup
Configure the UPN attribute to use a publicly routable domain.
Use IdFix to locate the basic issues (it does not catch all issues!). It does not find cross-attribute collisions:
▪ UPN / proxyAddresses / mailNickname collisions
▪ Attribute type issues – linked mailboxes -> msExchRecipientTypeDetails
UPN and primary SMTP address must be unique in the entire enterprise.
No duplicate proxyAddresses may exist. No collisions between UPN and proxyAddresses!
All UPN, SMTP and mailNickname attributes must be correctly formatted.
Directory Cleanup
Types of errors IdFix looks for:
Errors validated:
▪ Duplicate proxyAddresses
▪ Invalid characters in attributes
▪ Values over allowed length
▪ Format errors in attributes
▪ Use of non-routable domains
▪ Blank attribute that requires a value
Attributes:
▪ mailNickName
▪ proxyAddresses
▪ sAMAccountName
▪ targetAddress
▪ userPrincipalName
Directory Cleanup
Unexpected characters do not cause directory synchronization to fail (may log a warning).
Invalid characters will cause directory synchronization to fail.
Ensure on-premises directory attributes are properly prepared.
The only supported management tool is the on-prem Exchange Admin Center/Shell.
Attributes to prepare
displayName: must not be blank; max length 255; invalid characters: ? @ \ +
givenName: synchronized, not required; max length 63; invalid characters: ? @ \ +
mail: must be unique in directory; max length 255; invalid characters: [ \ ! # $ % & * + / = ? ^ ` { } ]
mailNickname (Exchange alias): must be unique in directory; max length 63; invalid characters: [ \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , ] " @ (space), leading/trailing (.)
proxyAddresses: must be unique in directory, must comply with SMTP standards; max length 256; invalid characters: \ % & * + / = ? ' { } | < > ( ) ; : , [ ] " (space)
sAMAccountName: must be unique in directory; max length 20; invalid characters: [ \ " | , / : < > + = ; ? * ]
sn (surname): synchronized, not required; max length 63; invalid characters: ? @ \ +
targetAddress: must be unique in directory, must comply with SMTP standards; max length 255; invalid characters: \ % & * + / = ? ' { } | < > ( ) ; : , [ ] " (space)
userPrincipalName: must be unique in directory, must comply with SMTP standards, must use a publicly routable domain; max length 113 (64+@+48); invalid characters: \ % & * + / = ? ' { } | < > ( ) ; : , [ ] " (space), leading/trailing (.)/(&)/(@)
For most attributes it is not supported to use regional special characters.
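A readiness check built from the rules above, added here as an example that is neither the presentation's nor IdFix's code: it applies the length and invalid-character rules to sample users and also reports the cross-object collisions the slides say IdFix does not find. The verified domain list and the sample users are constructed; brackets are treated as invalid characters where the table lists them.

```powershell
# Added example, not from the presentation or from IdFix: apply the length and
# invalid-character rules above to constructed sample users and report the
# cross-object collisions the slides say IdFix misses (duplicate proxyAddresses,
# a UPN colliding with another object's proxyAddress). Verified domains are a
# placeholder; feed Get-ADUser output with the same property names for real use.
$VerifiedDomains = @('example.com')
# attribute -> max length and a regex class of invalid characters (from the table; brackets taken as invalid)
$Rules = @{
    displayName       = @{ Max = 255; Bad = '[?@\\+]' }
    mailNickname      = @{ Max = 63;  Bad = '[\[\\!#$%&*+/=?^`{}|~<>()'';:,\]"@ ]' }
    sAMAccountName    = @{ Max = 20;  Bad = '[\[\\"|,/:<>+=;?*\]]' }
    userPrincipalName = @{ Max = 113; Bad = '[\\%&*+/=?''{}|<>();:,\[\]" ]' }
}
function Test-SyncReadiness {
    param([Parameter(Mandatory)] [object[]] $Users)
    $findings   = New-Object System.Collections.Generic.List[string]
    $proxyOwner = @{}                                    # lower-case smtp address -> sAMAccountName
    foreach ($u in $Users) {
        $id = $u.sAMAccountName
        foreach ($attr in $Rules.Keys) {
            $v = [string]$u.$attr
            if ($attr -eq 'displayName' -and -not $v) { $findings.Add("${id}: displayName is blank"); continue }
            if ($v.Length -gt $Rules[$attr].Max) { $findings.Add("${id}: $attr exceeds $($Rules[$attr].Max) characters") }
            if ($v -match $Rules[$attr].Bad)     { $findings.Add("${id}: $attr contains an invalid character") }
        }
        $upn = ([string]$u.userPrincipalName).ToLower()
        if (($upn -split '@')[-1] -notin $VerifiedDomains) { $findings.Add("${id}: UPN domain is not verified/routable") }
        if ($upn -match '^\.|\.@')                         { $findings.Add("${id}: UPN has a leading/trailing dot") }
        foreach ($p in @($u.proxyAddresses | Where-Object { $_ })) {
            $addr = ($p -replace '^smtp:', '').ToLower()   # drop SMTP:/smtp: prefix, compare case-insensitively
            if ($proxyOwner.ContainsKey($addr) -and $proxyOwner[$addr] -ne $id) {
                $findings.Add("${id}: proxyAddress $addr duplicates $($proxyOwner[$addr])")
            } else { $proxyOwner[$addr] = $id }
        }
    }
    # cross-attribute collision: a UPN that is some other object's proxy address
    foreach ($u in $Users) {
        $owner = $proxyOwner[([string]$u.userPrincipalName).ToLower()]
        if ($owner -and $owner -ne $u.sAMAccountName) { $findings.Add("$($u.sAMAccountName): UPN collides with a proxyAddress of $owner") }
    }
    return $findings
}
# Constructed sample: 'bob' has a space in mailNickname, a non-routable UPN and a duplicate of alice's address.
$Sample = @(
    [pscustomobject]@{ sAMAccountName='alice'; displayName='Alice A'; userPrincipalName='alice@example.com'; mailNickname='alice'; proxyAddresses=@('SMTP:alice@example.com') }
    [pscustomobject]@{ sAMAccountName='bob';   displayName='Bob B';   userPrincipalName='bob@corp.local';    mailNickname='bob b'; proxyAddresses=@('SMTP:bob@example.com','smtp:alice@example.com') }
)
Test-SyncReadiness -Users $Sample
```

Run it against `Get-ADUser -Filter * -Properties displayName,mailNickname,userPrincipalName,proxyAddresses` before the first sync and fix every finding on-premises, since these are the objects that would otherwise fail or land under the onmicrosoft.com domain.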
Immutable ID - SourceAnchor
The default immutable ID attribute is the on-premises Active Directory objectGUID, selected during Azure AD Connect configuration. After the initial sync, objects in Azure AD will have a Base64 encoding of the on-premise objectGUID written in the “ImmutableID” attribute. The Azure AD Sync metaverse has the value stored as “sourceAnchor”.
Immutable ID - SourceAnchor
Convert MS Online Directory Immutable ID to AD GUID: https://gallery.technet.microsoft.com/office/Covert-DirSyncMS-Online-5f3563b1
Static (“Immutable”) during the entire lifetime of the on-premises object – also if moved to another AD forest!
The sourceAnchor value cannot (easily!) be changed after the object is created in AAD!
When the Immutable attribute is first selected, it CANNOT be changed!
An upgrade to Azure AD Sync allows a change of the sourceAnchor attribute.
Recommended: objectGUID (alternate: EmployeeID)
Avoid: mail, userPrincipalName
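The objectGUID-to-ImmutableID conversion and the hard/soft matching order from the account-matching slide, as an added example that is not the gallery script linked above or any Microsoft code. The cloud users are constructed samples standing in for Get-MsolUser output.

```powershell
# Added example, not the gallery script linked above: convert between the
# on-premises objectGUID and the Base64 ImmutableID Azure AD stores when
# objectGUID is the sourceAnchor, then use the conversion to predict whether
# an on-premises user will hard-match, soft-match or create a new object.
# The cloud users are constructed samples standing in for Get-MsolUser output.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    # Azure AD stores the 16 raw GUID bytes (Guid.ToByteArray order) as Base64
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)] [string] $ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw 'ImmutableID is not a Base64-encoded objectGUID (expected 16 bytes)' }
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Resolve-AccountMatch {
    param([Parameter(Mandatory)] [guid] $ObjectGuid,
          [Parameter(Mandatory)] [string] $PrimarySmtp,
          [Parameter(Mandatory)] [object[]] $CloudUsers)
    $expected = ConvertTo-ImmutableId $ObjectGuid
    # 1) hard match: ImmutableID equals the Base64 objectGUID
    $hard = $CloudUsers | Where-Object { $_.ImmutableId -eq $expected }
    if ($hard) { return [pscustomobject]@{ Match = 'hard'; CloudUpn = $hard.UserPrincipalName } }
    # 2) soft match: a cloud-only object (no ImmutableID yet) with the same primary SMTP address
    $soft = $CloudUsers | Where-Object { -not $_.ImmutableId -and $_.ProxyAddresses -contains "SMTP:$PrimarySmtp" }
    if ($soft) { return [pscustomobject]@{ Match = 'soft'; CloudUpn = $soft.UserPrincipalName } }
    # 3) neither: a new object would be created under the default onmicrosoft.com domain
    [pscustomobject]@{ Match = 'none'; CloudUpn = $null }
}

# Constructed sample tenant: alice is already synced, bob was created in the cloud only.
$aliceGuid  = [guid]'11111111-2222-3333-4444-555555555555'
$CloudUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; ImmutableId = (ConvertTo-ImmutableId $aliceGuid); ProxyAddresses = @('SMTP:alice@example.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.onmicrosoft.com'; ImmutableId = $null; ProxyAddresses = @('SMTP:bob@example.com') }
)
ConvertFrom-ImmutableId (ConvertTo-ImmutableId $aliceGuid)                                                       # round-trips to the GUID
Resolve-AccountMatch -ObjectGuid $aliceGuid -PrimarySmtp 'alice@example.com' -CloudUsers $CloudUsers             # hard
Resolve-AccountMatch -ObjectGuid ([guid]::NewGuid()) -PrimarySmtp 'bob@example.com' -CloudUsers $CloudUsers      # soft
```

Replace $CloudUsers with `Get-MsolUser -All` output to check a real tenant; an on-premises user whose result is 'none' is the case the slides warn about, where a duplicate object appears under the onmicrosoft.com domain.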
Immutable ID - SourceAnchor
Select an alternate sourceAnchor carefully: some objects might not have a value, like ”employeeID”:
▪ Shared mailboxes, conference rooms, contractors/consultants, substitute workers
Special considerations for multi-forest environments:
▪ The attribute value must be unique across all forests!
▪ There is no ”SIDHistory” concept for objectGUID.
▪ The unique identifier must NOT contain the “@” symbol.
▪ Specify the alternate unique identifier during AD Sync configuration.
▪ Changing the sourceAnchor attribute from objectGUID requires a change in ADFS: selecting a non-default unique identifier will require a change in the Office 365 Relying Party trust.
Immutable ID - SourceAnchor
[Diagram: the sourceAnchor value flowing through the Azure AD Sync connector space and metaverse]
Azure AD Sync Troubleshooting
Missing domain validation: domain not added, validation not completed, domain blocked by Power BI, Yammer or another trial.
Duplicate attribute values (“collisions”): primary SMTP addresses with proxyAddresses; UPN with proxyAddresses.
Attribute formatting violations: spaces, dashes, regional characters.
Missing/blank values: UPN (logon name), sAMAccountName, not mail-enabled.
Why does directory synchronization (mostly) fail?
Part of “Protected Groups” in on-premise Active Directory
UPN has been changed after initial synchronization
Object moved to an OU outside the synchronization filter
Contact is hidden from Address Lists (msExchHideFromAddressLists = True)
Azure AD Sync service account password has expired:
    Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $true
Synced user account deleted from Azure AD: not picked up by the Azure Active Directory connector again; > 72 lockout period after hard delete; the deleted account is placed in “Deleted Users” for 30 days before being purged.
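A classifier for the on-premises causes listed above, added as an example that is not part of the presentation: it flags protected-group membership, a UPN that changed since the initial sync, objects outside the OU filter, hidden objects and missing values. The sample users, the synchronized OU and the UPN snapshot are constructed placeholders.

```powershell
# Added example, not from the presentation: classify on-premises user objects
# against the failure causes listed above. The users are constructed samples
# with the attributes Get-ADUser -Properties would return; the synchronized OU
# and the initial-sync UPN snapshot are placeholders for your own values.
$SyncedOUs = @('OU=Users,DC=example,DC=com')        # OU filter configured in Azure AD Connect

function Get-SyncBlockReason {
    param([Parameter(Mandatory)] [object[]] $Users,
          [hashtable] $UpnAtInitialSync = @{},      # sAMAccountName -> UPN recorded at first sync
          [string[]] $InScopeOUs = $SyncedOUs)
    foreach ($u in $Users) {
        $reasons = @()
        # AdminSDHolder clears inheritance on protected-group members, so permissions
        # delegated to the sync account at OU level do not apply to them.
        if ($u.adminCount -eq 1) { $reasons += 'member of a protected group (adminCount=1)' }
        if ($UpnAtInitialSync.ContainsKey($u.sAMAccountName) -and $UpnAtInitialSync[$u.sAMAccountName] -ne $u.userPrincipalName) {
            $reasons += 'UPN changed after initial synchronization'
        }
        $inScope = $false
        foreach ($ou in $InScopeOUs) { if ($u.DistinguishedName -like "*,$ou") { $inScope = $true } }
        if (-not $inScope) { $reasons += 'object is outside the synchronization OU filter' }
        if ($u.msExchHideFromAddressLists -eq $true) { $reasons += 'hidden from address lists' }
        if (-not $u.mail) { $reasons += 'not mail-enabled' }
        if (-not $u.userPrincipalName) { $reasons += 'UPN (logon name) is blank' }
        [pscustomobject]@{ User = $u.sAMAccountName; Blocked = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
    }
}

# Constructed sample: carol is a domain admin whose UPN was renamed, dave sits in an unsynced OU.
$Sample = @(
    [pscustomobject]@{ sAMAccountName='carol'; userPrincipalName='carol.new@example.com'; mail='carol@example.com'; adminCount=1;     msExchHideFromAddressLists=$false; DistinguishedName='CN=carol,OU=Users,DC=example,DC=com' }
    [pscustomobject]@{ sAMAccountName='dave';  userPrincipalName='dave@example.com';      mail='dave@example.com';  adminCount=$null; msExchHideFromAddressLists=$false; DistinguishedName='CN=dave,OU=Service,DC=example,DC=com' }
)
Get-SyncBlockReason -Users $Sample -UpnAtInitialSync @{ carol = 'carol@example.com' } | Format-Table -AutoSize
```

For a live directory, pipe `Get-ADUser -Filter * -Properties adminCount,mail,msExchHideFromAddressLists` into -Users; the cloud-side causes (expired sync account password, objects waiting in “Deleted Users”) still need `Get-MsolUser` as the slides describe.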
Why does directory synchronization (mostly) fail?
Troubleshooting AD Sync issues
Synchronization Manager
AAD Sync Metaverse
ADUC – Custom search / Attribute Editor
Windows Event logs – Application log
▪ Filter on ADSync, Directory Synchronization, DirectorySyncClientCmd
Crimson Channel Log
Windows Azure Active Directory Module for Windows PowerShell
    Get-MsolUser | fl
Office 365 Support Assistant
Summary
Directory synchronization replicates information to Azure AD
Directory synchronization is required by a range of services
Write-back from Azure AD to on-prem AD can be configured
Ensure proper directory clean-up before starting AD sync
Stick to default account matching options if at all possible
Look out for proper formatting in all directory objects
Most AD Sync errors can be tricky to find, but often quite easy to fix
A healthy AD Sync is required for a healthy integration with Azure AD
Questions!
© 2014 EG A/S. All rights reserved.
The content of this material, including the text, images and other graphics and their arrangement, is copyrighted by EG A/S or its affiliated, associated or related companies. EG A/S makes no warranties, express, implied or statutory, as to the information in this presentation.