AZR320: Integration with Windows Azure AD and Office 365 – Identity and Access Management
• OSP126: An Introduction to Windows Azure Active Directory and Office 365
• AZR314: Integration with Windows Azure AD and Office 365 – Provisioning and Synchronization
• AZR320: Integration with Windows Azure AD and Office 365 – Identity and Access Management
• OSP269: A tour through integration scenarios with Windows Azure AD and Office 365
Directory Management: managing directory data (on-premises and cloud).
Access Management: controlling the AuthN/Z of users and other identities. This is where this session spends its time.
Cloud IDs (IDs mastered in the cloud)
Appropriate for
• Smaller to medium/large orgs
Pros
• No additional hardware requirements
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage, with differing password policies
• IDs mastered in the cloud

SSO IDs (federated with on-premises AD)
Appropriate for
• Larger enterprise orgs with AD on-premises
Pros
• SSO with corporate credentials
• IDs mastered on-premises
• Password policy controlled on-premises
• 2FA solutions possible
• Client Access Filtering
Cons
• High availability server deployments required
[Diagram: Contoso customer premises (AD, Azure Active Directory Sync, Active Directory Federation Server 2.0, Office 365 Desktop Setup, Office 365 ProPlus) connected by a trust to Windows Azure Active Directory (Identity Services: Provisioning platform, Authentication platform, IdP, Directory Store, Admin Portal/PowerShell), which fronts Lync Online, SharePoint Online and Exchange Online.]
Use third-party identity providers to implement single sign-on
[Diagram: several AD forests, each with its own ADFS instance (ADFS, ADFS 1, ADFS 2), plus a further identity provider labelled only "???", all federating with Office 365.]
OnRamp for Office 365
• UPN constraints:
• cannot have dot ‘.’ immediately preceding ‘@’
• [email protected] valid
• [email protected] invalid
• cannot exceed 113 chars (64 for username, 48 for domain)
• cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
• cannot have duplicate UPNs
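As an added illustration (not from the session and not Microsoft's OnRamp tool), a Python checker that applies the UPN constraints listed above to a constructed sample of UPNs and flags duplicates; treating duplicate detection as case-insensitive is an assumption.

```python
from collections import Counter

# UPN constraints as listed on the OnRamp slide; the checker itself is constructed.
FORBIDDEN_CHARS = set('!#$%&\\*+-/=?^_`{|}~<>()')
MAX_TOTAL_LEN, MAX_USER_LEN, MAX_DOMAIN_LEN = 113, 64, 48   # whole UPN, username, domain

def upn_problems(upn):
    """Return the list of constraint violations for one UPN (empty list means valid)."""
    if upn.count('@') != 1:
        return ['must contain exactly one @']
    user, domain = upn.split('@')
    problems = []
    if not user or not domain:
        problems.append('username and domain must both be non-empty')
    if user.endswith('.'):
        problems.append("dot '.' immediately preceding '@'")
    if len(upn) > MAX_TOTAL_LEN:
        problems.append('total length %d exceeds %d' % (len(upn), MAX_TOTAL_LEN))
    if len(user) > MAX_USER_LEN:
        problems.append('username length %d exceeds %d' % (len(user), MAX_USER_LEN))
    if len(domain) > MAX_DOMAIN_LEN:
        problems.append('domain length %d exceeds %d' % (len(domain), MAX_DOMAIN_LEN))
    bad = sorted(set(upn) & FORBIDDEN_CHARS)
    if bad:
        problems.append('forbidden characters: ' + ' '.join(bad))
    return problems

def audit_upns(upns):
    """Check every UPN and flag duplicates; returns (upn, problems) pairs in input order.
    Duplicate detection is case-insensitive, an assumption matching AD's UPN handling."""
    seen = Counter(u.lower() for u in upns)
    report = []
    for u in upns:
        probs = upn_problems(u)
        if seen[u.lower()] > 1:
            probs.append('duplicate UPN')
        report.append((u, probs))
    return report

# Constructed sample export; names and domain are made up.
SAMPLE_UPNS = ['alice@contoso.com', 'bob.@contoso.com', 'carol+it@contoso.com',
               'Alice@contoso.com', 'x' * 65 + '@contoso.com']

if __name__ == '__main__':
    for upn, probs in audit_upns(SAMPLE_UPNS):
        print(upn, '->', 'OK' if not probs else '; '.join(probs))
```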
• Connectivity Analyzer: test your setup at https://testconnectivity.microsoft.com/?tabid=client
• http://www.outlook.com/contoso.com
[Table: credential prompt by client type and identity type; the cell layout did not survive extraction. Rows: Web Clients (Office 2010 and Office 2007 SP2 with SharePoint Online; Outlook Web Application; remembers last user); Exchange Clients (Office 2010 and Office 2007 SP2; ActiveSync/POP/IMAP; Entourage; can save credentials); Rich Applications (SIA) (Lync Online; Office Subscriptions; CRM Rich Client; can save credentials). Columns: SSO IDs (on corp network), Cloud IDs, SSO IDs (not on corp network). Cell values used: No Prompt; Username; Username and Password (Cloud ID); Username and Password (AD credentials).]
http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx
[Flow diagram: Client (joined to CorpNet) authenticates to the AD FS 2.0 Server against Active Directory and obtains a Logon (SAML 1.1) Token carrying Source User ID: ABC123; the Authentication platform in the customer's Windows Azure Active Directory exchanges it for an Auth Token with Unique ID: 254729 for Exchange Online or SharePoint Online.]
[Flow diagram: the same Logon (SAML 1.1) Token (Source User ID: ABC123) to Auth Token (Unique ID: 254729) exchange for Lync Online.]
[Flow diagram: Exchange Online with Basic Auth credentials (Username/Password) from the Client (joined to CorpNet); the same Logon (SAML 1.1) Token (Source User ID: ABC123) to Auth Token (Unique ID: 254729) exchange takes place via the AD FS 2.0 Server and Active Directory.]
Domain structure (Structure / Description / Considerations)
• Matching domains: internal domain and external domain are the same, i.e. contoso.com, and publicly routable. No special requirements, good to go! Register and verify them all.
• Multiple (sub)domains: internal domain is a sub domain of the external domain, i.e. corp.contoso.com. Requires domains registered in order, primary then sub domains.
• .local domain: internal domain is not publicly “registered”, i.e. contoso.local. Domain ownership can’t be verified; must use a different domain. Requires all users to get a new UPN; use the SMTP address if possible; smart card issues?
• Multiple distinct UPN suffixes in a single forest: mix of users having login UPNs under different domains, i.e. contoso.com & fabrikam.com. Must use the SupportMultipleDomain switch in PowerShell when configuring federation; sub domains require additional work.
• Multi forest: multiple UPN domains. Register all domains; same considerations as multiple distinct UPN suffixes.
[Diagram: 2FA through the AD FS proxy. DMZ: AD FS Proxy with a 2FA module and an external 2FA Service. INTRANET: AD FS and AD DS. Authentication platform in Windows Azure Active Directory. Labelled steps as extracted: Access Application; Redirect to Authentication platform; Types User Name; Generate SAML token for authentication platform; Redirect Back; Present ticket to Application; Install 3rd party auth provider on ADFS proxy; Authenticate 2FA; Authenticate 2FA response; Smartcard Access; Other 2FA Access.]
[Diagram: client access filtering for Outlook. DMZ: AD FS Proxy and 2FA Service (Authenticate 2FA). INTRANET: AD FS and AD DS. Authentication platform in Windows Azure Active Directory. Labelled paths as extracted: Allow internal Outlook via ADFS proxy; Send Creds to Exchange Proxy Auth; Evaluate Client Access Rules, issue SAML Token; Disable passive pages on proxy; VPN: Connect to internal network; Strong Auth VPN to internal network.]