microsoft office 365 directory synchronization and federation options

Posted on 24-Feb-2016

DESCRIPTION

OFC-B317: Microsoft Office 365 Directory Synchronization and Federation Options. Presented by Paul Andrew, Ross Adams and Aanchal Saxena (PowerPoint presentation). Topics: identity for Microsoft cloud services (Microsoft Account, Windows Azure Active Directory, organizational accounts), directory synchronization and federation.

TRANSCRIPT

Page 1: Microsoft Office 365 Directory Synchronization and Federation Options
Page 2: Microsoft Office 365 Directory Synchronization and Federation Options (title slide)

Paul Andrew, Ross Adams, Aanchal Saxena

Session OFC-B317

Page 3: Agenda

Overview: Identity Management in Office 365
Synchronization Topics
Federation Topics
Integration of SAML/OAuth with Office
Works with Office 365 – Identity program
Troubleshooting Identity Management

Page 4: Identity for Microsoft cloud services

Two kinds of user identity:

Microsoft Account, e.g. [email protected]
Organizational Account in Windows Azure Active Directory, e.g. [email protected]

Page 5: Office 365 Identity Models

Cloud identity: zero on-premises servers.

Synchronized identity: on-premises directory; directory sync with password sync; between zero and three additional on-premises servers depending on the number of users.

Federated identity: on-premises directory and on-premises identity; directory sync plus federation; between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements.

Page 6: Microsoft Office 365 Directory Synchronization and Federation Options

Change between models as needs changeChoose cloud

if no on-premises directoryif there is on-premises directory restructuringif you are in pilot with Office 365

Password hash sync means federation is not required just to have the same password on the cloudChoose password hash sync unless you have one of the scenarios that requires federation

Choose the simplest model for your needs

Page 7: Scenarios for the identity federation model

Existing infrastructure
1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010

Technical requirements
4. You have multiple forests in your on-premises AD
5. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
6. Custom hybrid applications or hybrid search are required
7. Web-accessible forgotten password reset

Policy requirements
8. You require sign-in audit and/or immediate disable
9. Single sign-on is required
10. You require client sign-in restrictions by network location or work hours
11. Policy prevents synchronizing password hashes to Azure AD

Page 8: Identity Synchronization and Federation (architecture diagram)

Diagram: the on-premises identity provider provides federated sign-in to Windows Azure Active Directory over WS-Federation, WS-Trust or SAML 2.0 (with federation metadata; Shibboleth is also shown). The on-premises directory synchronizes accounts into Azure AD, which exposes the Graph API. Azure AD performs authentication and authorization for the services: browser access (Exchange Web Access, SharePoint Online) uses passive authentication, while rich clients (Outlook, Lync, Word, etc. accessing the Exchange mailbox) use active authentication.

Page 9: Agenda (section divider; repeats the agenda on page 3)

Page 10: DirSync on a domain controller or in Azure

You can use DirSync with no additional on-premises servers.

DirSync on a DC: includes SQL Server Express; SQL Server and the DC contend for resources; suitable for small deployments of not more than 10,000 users.

DirSync on Azure (paper): avoids on-premises servers. http://technet.microsoft.com/en-us/library/dn635310(v=office.15).aspx

Page 11: DirSync high availability

DirSync runs on one server. Back up SQL Server and the encryption keys, and keep a cold standby DirSync server; to recover, restore SQL and the encryption keys on the standby.

Instructions: http://www.microsoft.com/en-us/download/details.aspx?id=42524

Page 12: Password hash sync security

We typically get questions about the security of synchronizing passwords from banking and finance customers. The password hash that we get from AD is not reversible to get the user's password. We further process it with a one-way SHA256 hash. We connect over SSL to the Azure AD service and send the resulting hash of the hash. This enables Azure AD to validate the user's password when they log in.

More details at http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx
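A constructed Python model of the "hash of the hash" design described on this slide (added here; not code from the deck or from Microsoft's sync tool). It assumes a stand-in for the on-premises AD hash (SHA-1 over the UTF-16LE password, since MD4 is not available in every hashlib build), and adds a per-user salt and iteration count as hardening assumptions that the slide does not state.

```python
import hashlib
import hmac
import os

# The property the slide explains: the sync client never sends the password or
# the raw AD hash; it sends a one-way SHA-256 derivative, and Azure AD verifies a
# sign-in by recomputing that same derivative from the password the user types.

ITERATIONS = 1000  # assumed work factor; the slide only says "one way hash SHA256"


def ad_password_hash(password: str) -> bytes:
    """Stand-in for the on-premises AD hash. The real NT hash is MD4 over the
    UTF-16LE password; SHA-1 over the same encoding is used here only so the
    example runs everywhere. Either way it is one-way."""
    return hashlib.sha1(password.encode("utf-16-le")).digest()


def sync_client_derive(ad_hash: bytes, salt: bytes) -> bytes:
    """What the sync side would put on the wire (over TLS): SHA-256 iterated over
    the AD hash plus a per-user salt. The AD hash cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", ad_hash, salt, ITERATIONS)


def cloud_store_entry(password: str) -> dict:
    """Simulate synchronizing one user: the cloud stores only salt + verifier."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": sync_client_derive(ad_password_hash(password), salt)}


def cloud_verify(entry: dict, password_attempt: str) -> bool:
    """Azure AD side at sign-in: recompute from the typed password and compare
    in constant time against the stored verifier."""
    candidate = sync_client_derive(ad_password_hash(password_attempt), entry["salt"])
    return hmac.compare_digest(candidate, entry["verifier"])


def demo() -> tuple:
    """Correct password verifies, a case-changed one does not, and the value
    stored in the cloud differs from the on-premises hash it was derived from."""
    password = "Summer2014!"  # constructed sample password
    entry = cloud_store_entry(password)
    differs_from_ad_hash = entry["verifier"] != ad_password_hash(password)
    return (cloud_verify(entry, password), cloud_verify(entry, "summer2014!"), differs_from_ad_hash)


if __name__ == "__main__":
    print(demo())
```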

Page 13: Password write-back

What is it: part of Azure AD Premium; only via self-service password reset.

How do I enable it: the admin turns on the feature with the DirSync PowerShell cmdlet Enable-OnlinePasswordWriteBack.

When does it write back: for a cloud-authenticated (managed) user when password sync is enabled; for an on-premises SSO-authenticated (federated) user.

Security: all communication takes place over SSL; public/private key pairs are registered for transport and encryption, and you keep the private keys.

Page 14: Azure AD Sync

What's included: possible to reduce the set of attributes synchronized based on the services; support for a number of multi-forest scenarios; easier management of object filtering via a simple UX; support for attribute mapping rules via a simple UX.

What's missing: password sync; password write-back; hybrid configuration, i.e. no write-back today.

What's coming: production support (i.e. not for production today); support for other directories, such as LDAP, SQL or CSV.

http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overview.aspx

Page 15: Sync multiple AD forests

Options:

Forefront Identity Manager 2010: supports multiple forests with additional work.

Azure AD Sync Services: supports multiple forests and is in preview now; disparate forests; full mesh, i.e. GAL sync; account and resource forest.

Consolidate forests into one: http://technet.microsoft.com/library/cc974332.aspx

Page 16: Office 365 Connector for Forefront Identity Manager 2010 R2

Suitable for large organizations with certain AD and non-AD scenarios: complex multi-forest AD scenarios; non-AD synchronization. Requires Forefront Identity Manager and additional software licenses.

Requirements: Forefront Identity Manager 2010 R2; Windows Azure Active Directory Connector for FIM 2010 R2, http://technet.microsoft.com/library/dn511001.aspx

Page 17: Choosing between DirSync and AAD Sync

DirSync (released and supported in production):
Includes password hash sync
Includes password write-back with an Azure AD Premium license
Can filter objects by OU
Supports use of a dedicated SQL Server install or SQL Express
The setup wizard can be run multiple times for configuration changes

Azure AD Sync Services (preview available; ** = not in preview):
Includes sync from multiple forests, including merging duplicate users in these forests **
In addition to AD, can sync from LDAP v3, SQL Server and CSV data **
Enables selective OU sync using the UX in the setup **
Enables transforming of attributes using the UX in the setup
Allows for limiting the attributes synchronized to the cloud
Planned to replace DirSync in the future
Preview cannot be upgraded to a later release

Page 18: DirSync one directory to multiple tenants

You can install DirSync more than once in the same forest, but on different machines; you need to handle conflicts.

A domain can only be validated in one tenant, i.e. for use with email and UPN; subdomains can be used in different tenants.

You should look at how you filter your user sets: by OU, domain or attribute.

Page 19: Cross-tenant collaboration

We don't recommend multiple tenants for the same organization; there will not be a consolidated Global Address List.

You could create users from one tenant as contacts in the other. SharePoint access across tenants must use External Sharing. Free/busy federation between tenants is possible. Lync presence and calling between tenants is possible. There are third-party (not Microsoft) tools that can merge tenants.

Page 20: Agenda (section divider; repeats the agenda on page 3)

Page 21: Federation protocols and auth types

WS-Federation: supported by AD FS; for passive authentication.

WS-Trust: supported by AD FS; for active authentication.

Shibboleth (SAML 1.1): an identity provider used in education that uses a custom version of SAML 1.1; passive authentication only; includes ECP for Outlook authentication.

SAML 2.0: a common federation protocol; for passive authentication only, so similar to WS-Federation.

Active Directory Authentication Library (OAuth): library for common access to Azure AD, AD FS and Azure ACS.

Passive authentication: SharePoint Online, Outlook Web Access, Office 365 portal.

Active authentication: Office Sign-in Assistant, Office 365 ProPlus licensing, Word/Excel/PowerPoint connecting to SharePoint Online, Outlook, Lync, OneDrive for Business sync.

Page 22: Password sync backup for federated sign-in

This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage. The switch may take up to 2 hours to take effect.

Diagram: the on-premises directory feeds the DirSync tool, which performs a backup password hash sync of the user accounts alongside the federated identity provided by AD FS.

Page 23: Alternate Login ID, removing the dependency on User Principal Name (UPN)

The reliance on UPN has been removed and you can now select an alternate login ID for use with Office 365 and Azure AD in general. Use of UPN will still be the default. Through configuration you can select the Mail attribute or any other attribute in your on-premises Active Directory. This works with either synchronized identity or federated identity.

Page 24: Demo: alternate login ID

Page 25: Federate multiple domains in a tenant

A User Principal Name (UPN) is the sign-in ID that customers use, e.g. [email protected]. Each DNS domain you use in a UPN can be federated to an identity provider; synchronized accounts can also be used. Azure AD uses the DNS domain of the UPN to do home realm discovery to a federated identity provider. Home realm discovery can be shortcut with URLs like these:

https://login.microsoftonline.com/?whr=contoso.net
https://contoso.sharepoint.com

Page 26: Agenda (section divider; repeats the agenda on page 3)

Page 27: Sync options for a SAML IdP

If you are using AD, directory sync works for you.

If you can't sync (non-AD): script user creation via PowerShell or the Azure AD Graph (RESTful interface); future support from AAD Sync for non-AD sources; FIM 2010 via supported connectors.

Page 28: SAML-P 2.0 federation

Sign-in federation with SAML-P 2.0 passive auth is equivalent to WS-Federation and is used for web-based applications. There is no equivalent of WS-Trust, so Office client applications cannot be used. Office client support for passive auth is expected at the end of 2014.

SAML-P federation guidance: http://technet.microsoft.com/en-us/library/dn641269.aspx

Using AD FS to interface to a SAML provider won't enable Office client active authentication, due to the double hop.

Page 29: Office desktop client sign-in with passive auth

Previously the Office Sign-In Assistant required WS-Trust. Passive authentication works with WS-Federation and SAML 2.0.

Availability: announced on February 10, 2014; details at http://blogs.office.com; planned for later in 2014.

What is it? Office desktop clients move to using ADAL (Active Directory Authentication Library), which uses OAuth for passive authentication.

Diagram: an on-premises SAML 2.0 identity provider federates with Windows Azure Active Directory over SAML 2.0; DirSync synchronizes an LDAP v3 directory to Azure AD; Outlook, Lync, Word, etc. access the Exchange mailbox.

Page 30: Office client OAuth authentication (futures, announced on Feb 10, 2014)

Updated Office 2013 clients support OAuth and multi-factor authentication. There is no need for app passwords in updated clients: if you can authenticate in a web browser, then you can authenticate in Office clients (Outlook, Lync, Word, Excel, PowerPoint, PowerShell, SkyDrive Pro).

Clients will also support federation identity providers using the SAML 2.0 protocol, the US DoD Common Access Card (CAC) and the US Federal Personal Identity Verification card (PIV).

For release during CY 2014.

Page 31: The MFA flow

1. Office makes a request to a service which supports the new MFA flow.
2. The service instructs Office to visit an STS which speaks a simple standards-based protocol (OAuth). In the diagram the response carries: www-authenticate: Bearer authorization_uri: https://login.windows.net
3. Office instructs the AD library to launch a web browser control and authenticate against https://login.windows.net...
4. MFA and federation magic happens, transparent to Office: the federated tenant's Secure Token Service performs federated sign-in using SAML-P, WS-Fed, etc. and returns a SAML token to Azure Active Directory.
5. Azure Active Directory validates the assertions and hands back a JWT token for Office 365; Office caches these simple tokens for future communication with its services.
6. Office sends the JWT token to the service.
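An added Python example (not code from the deck or from ADAL) of the client-side handling of step 2 above: parsing the Bearer challenge in the WWW-Authenticate header and only launching a browser control for an authorization_uri on a trusted authority, so that a spoofed service cannot steer the user's sign-in to an arbitrary STS. The parameter name authorization_uri is from the slide; the resource_id value, tenant path and the allow-list of authorities are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow-list of sign-in authorities the client will open a browser for.
TRUSTED_AUTHORITIES = {"login.windows.net", "login.microsoftonline.com"}

# Constructed sample of the 401 challenge a service would return in step 2.
SAMPLE_CHALLENGE = (
    'Bearer authorization_uri="https://login.windows.net/contoso.onmicrosoft.com/oauth2/authorize", '
    'resource_id="https://outlook.office365.com"'
)


def parse_bearer_challenge(header: str) -> dict:
    """Parse `Bearer k1="v1", k2="v2"` (RFC 6750 auth-param syntax) into a dict.
    Returns an empty dict for anything that is not a Bearer challenge."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    out = {}
    for part in params.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue  # ignore malformed fragments rather than guessing
        out[key.strip().lower()] = value.strip().strip('"')
    return out


def authorization_endpoint(header: str) -> Optional[str]:
    """Return the authorization_uri the client may open in its browser control,
    or None if it is missing, not https, or not on a trusted authority."""
    uri = parse_bearer_challenge(header).get("authorization_uri")
    if not uri:
        return None
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_AUTHORITIES:
        return None
    return uri


def bearer_header(jwt_token: str) -> str:
    """Step 6: the header Office attaches when it sends the JWT back to the service."""
    return f"Authorization: Bearer {jwt_token}"


if __name__ == "__main__":
    print(authorization_endpoint(SAMPLE_CHALLENGE))
```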

Page 32: Agenda (section divider; repeats the agenda on page 3)

Page 33: Works with Office 365 – Identity program

What is it? Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.

Program requirements: published qualification requirements; published technical integration docs; automated testing tool; self-testing work by the partner; predictable and shorter qualification.

http://aka.ms/ssoproviders

Qualified providers shown (for representative purposes only): WS-Trust & WS-Federation: Active Directory with AD FS. SAML (passive auth): Shibboleth, RadiantOne, Okta.

Customer benefits: flexibility to reuse existing identity provider investments; confidence that the solution is qualified by Microsoft; coordinated support between the partner and Microsoft.

Page 34: Agenda (section divider; repeats the agenda on page 3)

Page 35: Troubleshooting Identity Management: DirSync troubleshooting

Use IdFix to correct directory errors prior to syncing: clean duplicate SMTP/proxy addresses; clean duplicate UPNs and non-routable UPNs. Check Windows Event Viewer on the DirSync server for errors.
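An added Python example (not IdFix and not code from the deck) of the pre-sync checks this slide lists, run over a constructed set of AD user records: duplicate SMTP proxy addresses, duplicate UPNs and non-routable UPN suffixes. The attribute names follow AD (userPrincipalName, proxyAddresses); the set of non-routable suffixes is an assumption of this example.

```python
from collections import defaultdict

# Assumed non-routable suffixes: a UPN in one of these can never be verified as a
# public domain in the tenant, so it must be changed before the object is synced.
NON_ROUTABLE_SUFFIXES = (".local", ".internal")

# Constructed sample records; in a real run these would be read from the on-premises AD.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:a.smith@contoso.com"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@contoso.local",
     "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sAMAccountName": "bsmith", "userPrincipalName": "Alice@contoso.com",
     "proxyAddresses": ["SMTP:b.smith@contoso.com", "smtp:A.Smith@contoso.com"]},
]


def find_sync_blockers(users):
    """Return (sAMAccountName, code, detail) tuples for records that would fail
    directory sync. Codes: upn-missing, upn-nonroutable, upn-duplicate, smtp-duplicate."""
    issues = []
    upn_owners = defaultdict(list)   # lower-cased UPN -> accounts using it
    addr_owners = defaultdict(list)  # lower-cased SMTP address -> accounts using it
    for u in users:
        name = u["sAMAccountName"]
        upn = u.get("userPrincipalName", "")
        if not upn or "@" not in upn:
            issues.append((name, "upn-missing", "missing or malformed userPrincipalName"))
        else:
            upn_owners[upn.lower()].append(name)
            if upn.lower().endswith(NON_ROUTABLE_SUFFIXES):
                issues.append((name, "upn-nonroutable", f"UPN suffix not routable: {upn}"))
        for addr in u.get("proxyAddresses", []):
            kind, _, value = addr.partition(":")
            if kind.lower() == "smtp":  # primary (SMTP:) and secondary (smtp:) alike
                addr_owners[value.lower()].append(name)
    # Duplicates are only visible once every record has been read, so report them last.
    for upn, owners in upn_owners.items():
        if len(owners) > 1:
            for o in owners:
                issues.append((o, "upn-duplicate", f"UPN {upn} also on {sorted(set(owners) - {o})}"))
    for addr, owners in addr_owners.items():
        if len(owners) > 1:
            for o in owners:
                issues.append((o, "smtp-duplicate", f"address {addr} also on {sorted(set(owners) - {o})}"))
    return issues


if __name__ == "__main__":
    for name, code, detail in find_sync_blockers(SAMPLE_USERS):
        print(f"{name}: {code}: {detail}")
```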

Page 36: Troubleshooting Identity Management: AD FS infrastructure

Use the connectivity tool to verify your setup: https://testconnectivity.microsoft.com/

Multiple servers (or VMs) are required. AD FS is a very broad and capable technology; you don't need to implement every part of it for a small Office 365 tenant. Only the SSL certificate is needed for a small tenant; the other certificates are not.

An SSL certificate is required for the Web Application Proxy server, and port 443 must be open to the Web Application Proxy server.

Page 37: Summary (the six agenda items from page 3)

Page 38: (blank)
Page 39: Related content

Related certification exams (http://aka.ms/office365mcsa): 70-346 Managing Office 365 Identities and Requirements; 70-347 Enabling Office 365 Services.

Breakout sessions: DCIM-B301 Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities; OFC-B222 Introduction to Office 365 Identity Management; OFC-B327 Authentication Patterns for SharePoint 2013 and Office 365; DCIM-B382 Cloud Identity and Access Management: Azure Active Directory Premium.

Microsoft Solutions Experience Location (MSE): Paul Andrew, MSE Be Secure, after lunch tomorrow.

Find me later at: http://twitter.com/pndrw

Page 40: Resources

Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: resources for developers, http://microsoft.com/msdn
TechNet: resources for IT professionals, http://microsoft.com/technet
Sessions on demand: http://channel9.msdn.com/Events/TechEd

Page 41: Complete an evaluation and enter to win!
Page 42: Evaluate this session (scan the QR code on the slide to evaluate this session).