Office 365 Identity Federation Technology Deep-Dive Paul Black and Toby Knight Technical Specialists OSP224

Post on 31-Mar-2015


TRANSCRIPT

Page 1: Office 365 Identity Federation Technology Deep-Dive Paul Black and Toby Knight Technical Specialists OSP224

Office 365 Identity Federation Technology Deep-Dive
Paul Black and Toby Knight, Technical Specialists
OSP224

Page 2:

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Session Objectives And Takeaways

Session Objective(s):
• Identify the role that Provisioning & Synchronization plays in Directory Integration
• Discuss available Provisioning & Synchronization options
• Understand key directory concepts pertinent to Sync

Key Takeaway 1: When to use which Directory Sync option/technology, and what's supported

Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure

Page 3:

Advance Warning: Identity Crisis!!

Platform is being re-branded “Windows Azure Active Directory”

aka “Windows Azure AD” or just “AAD”

Page 4:

Windows Azure AD vs. Office 365

Go-to-market names for different packages of functionality (CRM Online, InTune as well!)

All GTMs share common platform pieces:
• Directory: "MSO DS"
• STS: OrgID

Platform pieces & tools will be branded Windows Azure AD:
• PowerShell Module for Windows Azure Active Directory
• Windows Azure Active Directory Sync Tool
• Windows Azure Active Directory Connector for FIM 2010

Page 5:

Windows Azure AD vs. Office 365

[Diagram: on-premises AD synchronizes into Azure AD, which fronts the cloud apps. Left: AzureAD, AD, generic Cloud apps. Right: AzureAD, AD, Exchange Online, SharePoint Online, Lync Online, CRM Online, InTune]

Page 6:

Provisioning vs Synchronization

The two are not the same!

Synchronization solutions are Provisioning solutions, but not the other way around!

Synchronization: Provisioning plus long-term consistency/parity of state between source objects and their representation in the external system.

Provisioning: Creation of objects and/or associated resources in a directory or external system.

Page 7:

Directory Integration Options

Automated
How: DirSync, FIM + Connector
Why:
• Large volume of objects/churn
• Require access to all attributes in directory
• Require consistency between on-prem & cloud
• Want Single Sign-On

Scriptable
How: PowerShell cmdlets, GRAPH API
Why:
• Need automated process, but don't require access to all attributes in directory
• OK to not have full consistency between source and cloud

Manual
How: Create objects in Windows Azure AD via Admin Portal or Bulk Import
Why:
• Low volume of objects to create
• No long-term management/consistency required

Page 8:

Examples of Integration - Manual

Page 9:

Example of Integration - Scriptable

PowerShell: New-MsolUser -UserPrincipalName "[email protected]"

GRAPH
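A fuller version of the scriptable path from this slide, as an added example that is not part of the OSP224 deck: it uses the Windows Azure Active Directory PowerShell module (MSOnline) cmdlets New-MsolUser, Get-MsolUser and Get-MsolAccountSku. The verified domain 'contoso.com', the ENTERPRISEPACK SKU and the two users are constructed assumptions.

```powershell
# Added example, not from the OSP224 deck: scriptable provisioning with the
# Windows Azure Active Directory PowerShell module (MSOnline).
# Assumptions: 'contoso.com' is a verified domain in the tenant, the tenant
# has an ENTERPRISEPACK SKU, and the two sample users are constructed input.
Import-Module MSOnline
Connect-MsolService        # prompts for a tenant admin credential

$verifiedDomain = 'contoso.com'
$skuId = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' } |
          Select-Object -First 1).AccountSkuId
if (-not $skuId) { throw 'No ENTERPRISEPACK SKU in this tenant; pick one from Get-MsolAccountSku' }

# Constructed sample input; in practice this would come from Import-Csv or an HR feed.
$users = @(
    [pscustomobject]@{ First = 'Alice'; Last = 'Adams'; Sam = 'aadams'; Location = 'US' }
    [pscustomobject]@{ First = 'Bob';   Last = 'Bauer'; Sam = 'bbauer'; Location = 'DE' }
)

foreach ($u in $users) {
    $upn = '{0}@{1}' -f $u.Sam, $verifiedDomain

    # Scriptable provisioning does no hard/soft matching for you: check first,
    # or New-MsolUser fails on a duplicate UPN. A populated ImmutableId is the
    # tell-tale of a sync-owned object, which must be managed on-prem, not here.
    $existing = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($existing) {
        $owner = if ($existing.ImmutableId) { 'sync' } else { 'cloud' }
        Write-Warning "$upn already exists (owned by $owner); skipping"
        continue
    }

    # UsageLocation must be set before a license can be assigned.
    $created = New-MsolUser -UserPrincipalName $upn `
                            -DisplayName ('{0} {1}' -f $u.First, $u.Last) `
                            -FirstName $u.First -LastName $u.Last `
                            -UsageLocation $u.Location `
                            -LicenseAssignment $skuId `
                            -ForceChangePassword $true

    # The returned object carries the generated one-time password in its
    # Password property; hand it over out of band and keep it out of logs.
    Write-Output ('created {0} (ObjectId {1})' -f $created.UserPrincipalName, $created.ObjectId)
}
```

Because this path skips the matching logic DirSync applies, the existence check is what stands between the script and a duplicate-UPN error, and the ImmutableId test is how you avoid touching objects that sync owns.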

Page 10:

Example of Integration - Automated

(fill in DirSync picture here)

Page 11:

Directory Integration in the bigger picture

Directory Integration is the first half of a larger ecosystem

Single Sign-On solutions depend on successful Synchronization of data into the Directory!

Page 12:

Architecture and Integration Options
1. No Integration
2. Directory Data Only
3. Directory and Single sign-on (SSO)

[Diagram: Contoso customer premises: AD, Active Directory Federation Server 2.0 (IdP, Directory Store), Directory Sync, Office 365 Desktop Setup. MS Online / Windows Azure Active Directory: Identity Services, Provisioning platform, Authentication platform (IdP), Admin Portal/PowerShell. A Trust links AD FS 2.0 and Windows Azure AD. Services: Exchange Online, SharePoint Online, Lync Online, CRM Online, InTune]

Page 13:

Why Directory and SSO Integration

Single place for management:
• Users and groups (including security-enabled groups)
• Passwords
• Password policies

• Support for Enterprise Single Sign-on
• Support for Hybrid environments for services such as Exchange Online
• Options for Strong Authentication (e.g. Smart cards)

Page 14:

Architecture Deep Dive

[Diagram: Customer Network: AD, AD FS, DirSync (AD MA, Metaverse, O365 MA). Office 365 Datacenter: AWS FEs, Microsoft Online ID, O365 Directory, Workflow, GRAPH, Exchange, SharePoint, Lync]

Page 15:

Life as a sync'd object

When an object is created in the cloud, it is "owned in the cloud": changes can be made via the Portal, PowerShell or in the various cloud services.

When an object is created by Sync, it is "owned by sync": changes can only be made in the on-prem directory and then sync to the cloud.

When an object is created in the cloud, but also exists on-prem:
• Sync will try to Soft-Match the object coming via Sync
• Soft-match uses SMTP addresses to "best guess"
• If matched, "owned by sync"

Page 16:

Life as a sync'd object

Objects "owned by Sync" can be deleted directly in the cloud!

Remove-MsolUser, Remove-MsolContact and Remove-MsolGroup will allow you to delete an object that is owned by Sync. If it still exists on-prem, it will be recreated on the next Sync cycle.

Page 17:

Tour as a sync'd object

1. Sync Tool reads data from the on-prem directory source
2. Sync Tool pushes data to the AWS FEs
3. AWS FE tries to create the object in MSODS (if a user, OrgID first)
4. Workflow evaluates objects and attributes such as User.ProxyAddresses
5. Data validations are performed
6. Services read from MSODS and sync into the services

Validation required? Done here.

Page 18:

Choose your own Sync Adventure

3 options for Directory Sync:
1. Single-forest DirSync appliance
2. Multi-forest DirSync appliance
3. Windows Azure Active Directory Connector for FIM 2010 (aka "Multi-Forest")

You don't need to use SSO just because you sync, but you should Sync in order to use SSO.

Could use PowerShell, but lots of management overhead and not a formally tested scenario.

Sync solution doesn't constrain SSO solution: you can use any Sync solution with AD FS or a non-AD STS (e.g. Shibboleth).

Page 19:

Choose your own Sync Adventure

AAD Connector, when to use:
• Multiple AD forests containing directory data to synchronize to AAD
• Directory data "overlaps" (an object is represented in more than one forest)
• Non-AD directory sources*

Multi-Forest DirSync, when to use:
• More than 1 AD forest containing the directory data to synchronize to AAD
• ADs have "non-overlapping data" (no object in one forest is represented in another forest)

Single Forest DirSync, when to use:
• Single AD forest on-prem that contains all data to synchronize to AAD

Page 20:

Choose your own Sync Adventure

A notable exception to the previous slide. Consider this pattern:

2 forests on-prem:
• 1 Authentication/Logon forest
• 1 Exchange/"Resource" forest

• "Sync" data from the Exchange forest into the Auth forest
• Run single-forest DirSync against the Auth forest

This is a common pattern (prescribed by the Exchange product): full migration to Exchange Online, then collapse the Resource forest.

Sync'ing the necessary core attributes from the Exchange forest into the Auth forest, including SourceAnchor and UserPrincipalName, can negate the need for multi-forest sync altogether.

Some things not supported at this time: multiple Exchange Orgs.

Page 21:

Core Directory Sync Concepts

Source of Authority: where changes can be made to an object (either "on-prem" or "cloud"). De-/activating DirSync in the Admin portal transfers source of authority.

SourceAnchor: used to uniquely identify objects created in the cloud from the on-prem directory. Critical for the Single Sign-On scenario: AD FS will be configured to generate the SourceAnchor at AuthN, and this needs to match the ImmutableID stored in OrgID at user provisioning time. It can't be changed after the object's initial provisioning by Sync; a changed value will make Sync error out.
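How the SourceAnchor and the cloud ImmutableID line up, as an added example that is not from the deck. It assumes what DirSync and the AD FS issuance rule installed by Convert-MsolDomainToFederated both do in practice: the SourceAnchor is the base64 encoding of the on-prem objectGUID, stamped as ImmutableId at provisioning and issued as the ImmutableID claim at logon. The sample GUID, the account name and the Get-ADUser/Get-MsolUser lookup at the end are assumptions.

```powershell
# Added example, not from the deck. Assumption: SourceAnchor = base64(objectGUID),
# which is what DirSync stamps as ImmutableId and what the AD FS claim rule issues.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    # Nested array passes the byte[] as one ctor argument (works on PowerShell 2.0+).
    New-Object -TypeName System.Guid -ArgumentList (,[Convert]::FromBase64String($ImmutableId))
}

function Test-SourceAnchorMatch {
    param([guid]$OnPremObjectGuid, [string]$CloudImmutableId)
    # An empty ImmutableId means the cloud object is cloud-owned and can never hard-match.
    (ConvertTo-ImmutableId $OnPremObjectGuid) -eq $CloudImmutableId
}

# Constructed sample: an on-prem user and the cloud record one sync cycle created for it.
$onPrem = [pscustomobject]@{ SamAccountName = 'aadams'; ObjectGUID = [guid]'2c1e4f6a-3b5d-4e7f-9a8b-1c2d3e4f5a6b' }
$cloud  = [pscustomobject]@{ UserPrincipalName = 'aadams@contoso.com'; ImmutableId = ConvertTo-ImmutableId $onPrem.ObjectGUID }

if (Test-SourceAnchorMatch $onPrem.ObjectGUID $cloud.ImmutableId) {
    'original account: anchors match, Sync will hard-match and update the cloud object'
}

# The same person re-created on-prem with identical attributes gets a fresh objectGUID.
# The anchors no longer line up: Sync will not hard-match, and a federated logon fails
# because the ImmutableID claim from AD FS differs from what OrgID stored at provisioning.
$recreated = [guid]::NewGuid()
if (-not (Test-SourceAnchorMatch $recreated $cloud.ImmutableId)) {
    'recreated account: new SourceAnchor, no hard match; cloud object still holds GUID ' +
        (ConvertFrom-ImmutableId $cloud.ImmutableId)
}

# Against a live tenant (assumes the ActiveDirectory and MSOnline modules are loaded):
#   $ad  = Get-ADUser -Identity aadams -Properties objectGUID
#   $mso = Get-MsolUser -UserPrincipalName $ad.UserPrincipalName
#   Test-SourceAnchorMatch -OnPremObjectGuid $ad.ObjectGUID -CloudImmutableId $mso.ImmutableId
```

The live comparison at the end is the check to run before blaming AD FS for a sign-in failure: if it returns False, the object on-prem is not the object the cloud knows, however similar its attributes look.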

Page 22:

Core Directory Sync Concepts

UserPrincipalName: the "sign-in name" for a user. The on-prem UPN needs to match the UPN in the cloud for login to succeed. Once licensed, the user's UPN won't change even if it is changed on-prem.

Can override using the Set-MsolUserPrincipalName cmdlet.

Hybrid Service Deployments: some attributes on on-prem objects are updated based on activities in the cloud. Only modify objects that were initially sync'd to the cloud from on-prem.

Page 23:

Core Directory Sync Concepts

We validate (some) data to protect the Core Directory and services:

Attribute Validation

UserPrincipalName
• UPNs must use a verified domain
• If not, the service will auto-construct the UPN value (it won't update local AD): [sAMAccountName] + '@' + [moera.onmicrosoft.com]
• Must contain only supported characters

User.ProxyAddresses
• Cannot have duplicate proxy addresses: sync error (raised on licensing for EXO)
• Remove all proxyAddresses that are not using a verified domain
• Adding the verified domain later will "re-hydrate" those PAs removed earlier

Page 24:

Core Directory Sync Concepts

Most common sync validation failures:
• Duplicate proxy addresses
• Duplicate UPN value
Errors are reported in email.

Run the Deployment Readiness Tool!
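A pre-sync readiness check covering the validations on the two preceding slides (verified UPN suffix and its MOERA fallback, supported characters, duplicate UPNs, proxyAddresses on unverified domains, duplicate SMTP addresses), as an added example that is not from the deck or the Deployment Readiness Tool. The verified domains, the tenant's initial (MOERA) domain, the supported-character regex and the three sample users are constructed assumptions.

```powershell
# Added example, not from the deck: readiness check over objects shaped like
# Get-ADUser -Properties proxyAddresses output. All inputs below are constructed.
function Test-SyncReadiness {
    param(
        [Parameter(Mandatory = $true)][object[]]$Users,
        [Parameter(Mandatory = $true)][string[]]$VerifiedDomains,
        [Parameter(Mandatory = $true)][string]$MoeraDomain,       # e.g. tenant.onmicrosoft.com
        [string]$UpnPrefixPattern = '^[A-Za-z0-9._''-]+$'          # assumption; compare with the current supported-character list
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $seenUpn  = @{}   # lower-cased UPN  -> sAMAccountName that claimed it
    $seenSmtp = @{}   # lower-cased SMTP -> sAMAccountName that claimed it
    $note = { param($User, $Check, $Detail)
              $findings.Add([pscustomobject]@{ User = $User; Check = $Check; Detail = $Detail }) }

    foreach ($u in $Users) {
        $sam = $u.SamAccountName
        $prefix, $suffix = ($u.UserPrincipalName -split '@', 2)

        # 1. UPN suffix must be a verified domain; otherwise the cloud object gets
        #    sAMAccountName@<MOERA domain> and on-prem AD is left untouched.
        if ($VerifiedDomains -notcontains $suffix) {
            & $note $sam 'UPN domain not verified' ('cloud UPN will be {0}@{1}' -f $sam, $MoeraDomain)
        }
        # 2. Supported characters only in the prefix.
        if ($prefix -notmatch $UpnPrefixPattern) {
            & $note $sam 'UPN has unsupported characters' $prefix
        }
        # 3. Duplicate UPN across the set being synced.
        $upnKey = $u.UserPrincipalName.ToLowerInvariant()
        if ($seenUpn.ContainsKey($upnKey)) {
            & $note $sam 'Duplicate UPN' ('also on {0}' -f $seenUpn[$upnKey])
        } else { $seenUpn[$upnKey] = $sam }

        foreach ($pa in @($u.proxyAddresses)) {
            if ($pa -notmatch '^smtp:') { continue }           # X500:, SIP: etc. are not SMTP-validated here
            $addr     = $pa -replace '^smtp:', ''
            $paDomain = ($addr -split '@', 2)[1]
            # 4. Addresses on unverified domains are stripped from the cloud object
            #    (and re-hydrated once the domain is verified later).
            if ($VerifiedDomains -notcontains $paDomain) {
                & $note $sam 'proxyAddress domain not verified' ('{0} will be removed in the cloud' -f $addr)
                continue
            }
            # 5. The same SMTP address on two objects is a sync error once EXO is licensed.
            $key = $addr.ToLowerInvariant()
            if ($seenSmtp.ContainsKey($key) -and $seenSmtp[$key] -ne $sam) {
                & $note $sam 'Duplicate proxyAddress' ('{0} also on {1}' -f $addr, $seenSmtp[$key])
            } else { $seenSmtp[$key] = $sam }
        }
    }
    return $findings
}

# Constructed sample: one clean user, one with an unverified UPN suffix and a foreign
# proxy address, one with a space in the UPN prefix and a proxy address already taken.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'aadams'; UserPrincipalName = 'aadams@contoso.com'
                       proxyAddresses = @('SMTP:aadams@contoso.com', 'smtp:alice@contoso.co.uk', 'X500:/o=Contoso/cn=Recipients/cn=aadams') }
    [pscustomobject]@{ SamAccountName = 'bbauer'; UserPrincipalName = 'bbauer@contoso.local'
                       proxyAddresses = @('SMTP:bbauer@contoso.com', 'smtp:bob@fabrikam.com') }
    [pscustomobject]@{ SamAccountName = 'ccole';  UserPrincipalName = 'c cole@contoso.com'
                       proxyAddresses = @('SMTP:ccole@contoso.com', 'smtp:alice@contoso.co.uk') }
)
Test-SyncReadiness -Users $sample -VerifiedDomains 'contoso.com', 'contoso.co.uk' `
                   -MoeraDomain 'contoso.onmicrosoft.com' | Format-Table -AutoSize
```

For a real forest, replace $sample with Get-ADUser -Filter * -Properties proxyAddresses (scoped to the OUs you intend to sync) and fix every finding on-prem before enabling DirSync; the service applies the UPN fallback and proxy-address stripping silently, so the cloud object ends up differing from on-prem without any error email.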

Page 25:

Core Directory Sync Concepts

Linking/Matching objects during sync:
1. First, check to see if an object already exists with the same SourceAnchor value
2. If the object exists, update the existing object
3. If no object hard-matches, try to soft-match against existing objects (using the SMTP addresses of the on-prem object)
4. If a candidate match exists, stamp the SourceAnchor value on the object for subsequent sync cycles
5. If no candidate match exists, create a new object

DirSync Quota: protects the directory from a malicious "storage DoS". Default is now 50K for tenants provisioned after 5/1.
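The matching order above, and the ownership transitions from the "Life as a sync'd object" slides, modelled over constructed objects as an added example that is not from the deck. A hashtable stands in for the tenant directory (MSODS), the SourceAnchor is assumed to be base64(objectGUID), and the ambiguous-match branch is my reading of why duplicate proxy addresses surface as the most common sync error.

```powershell
# Added example, not from the deck: hard-match, then soft-match, then create,
# with ownership moving to "sync" whenever an anchor is stamped. Everything
# here is constructed; a hashtable replaces MSODS.
function Get-SmtpAddresses([string[]]$ProxyAddresses) {
    @($ProxyAddresses) | Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() }
}

function Sync-OnPremObject {
    param(
        [Parameter(Mandatory = $true)][psobject]$OnPrem,   # ObjectGUID, UserPrincipalName, proxyAddresses
        [Parameter(Mandatory = $true)][hashtable]$Cloud    # ObjectId -> cloud object (ImmutableId, UPN, proxyAddresses)
    )
    $anchor = [Convert]::ToBase64String($OnPrem.ObjectGUID.ToByteArray())

    # 1./2. Hard match on SourceAnchor: update the existing object and stop.
    $hit = $Cloud.Values | Where-Object { $_.ImmutableId -eq $anchor } | Select-Object -First 1
    if ($hit) {
        $hit.UserPrincipalName = $OnPrem.UserPrincipalName
        $hit.proxyAddresses    = $OnPrem.proxyAddresses
        return [pscustomobject]@{ Action = 'hard match: updated'; ObjectId = $hit.ObjectId; Owner = 'sync' }
    }

    # 3. Soft match: only cloud-owned objects (no anchor yet) sharing an SMTP address qualify.
    $smtp = @(Get-SmtpAddresses $OnPrem.proxyAddresses)
    $candidates = @($Cloud.Values | Where-Object {
        (-not $_.ImmutableId) -and
        @(Get-SmtpAddresses $_.proxyAddresses | Where-Object { $smtp -contains $_ }).Count -gt 0
    })

    # 4. Exactly one candidate: stamp the anchor; from now on the object is "owned by sync".
    if ($candidates.Count -eq 1) {
        $candidates[0].ImmutableId = $anchor
        return [pscustomobject]@{ Action = 'soft match: SourceAnchor stamped'; ObjectId = $candidates[0].ObjectId; Owner = 'sync' }
    }
    # More than one: the same SMTP address sits on several cloud objects, so the
    # soft match is ambiguous and is reported as a sync error rather than guessed.
    if ($candidates.Count -gt 1) {
        return [pscustomobject]@{ Action = 'sync error: duplicate proxy address, ambiguous soft match'; ObjectId = $null; Owner = $null }
    }

    # 5. No candidate: create a new sync-owned object.
    $id = [guid]::NewGuid().ToString()
    $Cloud[$id] = [pscustomobject]@{ ObjectId = $id; ImmutableId = $anchor
                                     UserPrincipalName = $OnPrem.UserPrincipalName; proxyAddresses = $OnPrem.proxyAddresses }
    return [pscustomobject]@{ Action = 'created'; ObjectId = $id; Owner = 'sync' }
}

# Constructed scenario: Alice was created by hand in the cloud before DirSync was
# enabled (cloud-owned, no ImmutableId); Bob exists only on-prem.
$cloud = @{}
$cloud['c1'] = [pscustomobject]@{ ObjectId = 'c1'; ImmutableId = $null
                                  UserPrincipalName = 'aadams@contoso.com'; proxyAddresses = @('SMTP:aadams@contoso.com') }
$alice = [pscustomobject]@{ ObjectGUID = [guid]::NewGuid(); UserPrincipalName = 'aadams@contoso.com'; proxyAddresses = @('SMTP:aadams@contoso.com') }
$bob   = [pscustomobject]@{ ObjectGUID = [guid]::NewGuid(); UserPrincipalName = 'bbauer@contoso.com'; proxyAddresses = @('SMTP:bbauer@contoso.com') }

Sync-OnPremObject $alice $cloud   # Alice, first cycle
Sync-OnPremObject $alice $cloud   # Alice, second cycle
Sync-OnPremObject $bob   $cloud   # Bob, first cycle
```

Run in order, the first Alice call soft-matches c1 and stamps her anchor, the second hard-matches that anchor, and Bob is created. Add a second cloud object carrying SMTP:aadams@contoso.com before the first call and the Alice call returns the ambiguous-match error instead, which is the "duplicate proxy addresses" failure the previous slide lists first.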

Page 26:

Core Directory Sync Concepts

Throttling Sync: throughput is "shared" across tenants at the AWS layer (throttled per partition). The DirSync client automatically handles "Error Code 81" and retries. Throttling leads to variable sync times.

V1/V2 differences: some differences in what's sync'd/not sync'd. Groups without display names aren't sync'd in v2! Contact the migration team for documentation/list of deltas.

Page 27:

Recovering deleted objects via Sync

Will be lighting up the "soft delete" feature in PROD. Scenario:
1. On-prem AD admin accidentally deletes a user object in AD
2. DirSync "propagates the delete" to the cloud
3. User object is deleted in the cloud (mailbox lost)

NOW WHAT?

Page 28:

Recovering deleted objects via Sync

Manual recovery: admin identifies the object to be recovered.

Via DirSync: when the admin restores the user object in AD (via the Windows Server 2008 R2 AD Recycle Bin), the object is automatically recovered by DirSync; the mailbox is recovered, etc. "Recovery" is dependent on keeping the same SourceAnchor value! A new SourceAnchor value with the "same attribute values" will not recover the user object in the cloud!
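The Recycle Bin path from this slide as a checked procedure, added here and not part of the deck: it assumes the ActiveDirectory and MSOnline modules, a forest with the AD Recycle Bin enabled, the sample account 'aadams', and that the SourceAnchor is base64(objectGUID). The Start-OnlineCoexistenceSync cmdlet named at the end is the DirSync tool's own "run a cycle now" command.

```powershell
# Added example, not from the deck: restore a deleted, sync-owned user from the
# AD Recycle Bin and prove the SourceAnchor survived, so the next DirSync cycle
# hard-matches the cloud object instead of creating a new one.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$sam = 'aadams'   # assumption

# Without the Recycle Bin a deleted user is only a tombstone; "restoring" it means
# creating a new object with a new objectGUID, which will not recover the cloud object.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin -or $recycleBin.EnabledScopes.Count -eq 0) {
    throw 'AD Recycle Bin is not enabled: a re-created account gets a new SourceAnchor'
}

# 1. Locate the deleted object; objectGUID (and therefore SourceAnchor) is preserved.
$deleted = Get-ADObject -Filter { SamAccountName -eq $sam -and IsDeleted -eq $true } `
                        -IncludeDeletedObjects -Properties SamAccountName, LastKnownParent
if (-not $deleted) { throw "No deleted object for $sam in the Recycle Bin" }
$anchor = [Convert]::ToBase64String($deleted.ObjectGUID.ToByteArray())

# 2. See what the cloud side still holds for that anchor.
$cloudUser = Get-MsolUser -All -ReturnDeletedUsers | Where-Object { $_.ImmutableId -eq $anchor }
if ($cloudUser) { "cloud object $($cloudUser.UserPrincipalName) is in the deleted set; sync can bring it back" }
else            { "no soft-deleted cloud object with this anchor; check Get-MsolUser -All, or the deletion has been purged" }

# 3. Restore in AD and verify the anchor did not change.
$deleted | Restore-ADObject
$restored = Get-ADUser -Identity $sam -Properties ObjectGUID
if ([Convert]::ToBase64String($restored.ObjectGUID.ToByteArray()) -ne $anchor) {
    throw 'objectGUID changed on restore; DirSync will create a new cloud object, not recover the old one'
}
"restored $sam to $($deleted.LastKnownParent) with its original SourceAnchor"

# 4. Trigger a cycle on the DirSync server (Start-OnlineCoexistenceSync from the
#    DirSync PowerShell console), then confirm the user is live again:
#    Get-MsolUser -UserPrincipalName $restored.UserPrincipalName
```

The throw in step 3 is the guard this slide is about: anything that gives the account a fresh objectGUID, including a well-meant "just recreate it with the same name and addresses", produces a second cloud object rather than recovering the first.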

Page 29:

Filtering Sync

2 kinds of filters customers ask for:
• Choose which objects get sync'd to the cloud
• Choose which attributes get sync'd to the cloud

We support the former; we don't support the latter.

Wiki post and UA documentation posted to walk customers through this customization.

Page 30:

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

In Review: Session Objectives And Takeaways

Session Objective(s):
• Identify the role that Provisioning & Synchronization plays in Directory Integration
• Discuss available Provisioning & Synchronization options
• Understand key directory concepts pertinent to Sync

Key Takeaway 1: When to use which Directory Sync option/technology, and what's supported

Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure

Page 31:

Related Content

Today OSE 225, Friday OSE 331, OSE 333, OSE 334

Hands-on Labs (OSPILL101 Designing a SharePoint site)

Office 365 @ The Microsoft Showcase

Find Me Later At The Microsoft Showcase Friday (9-12am)

Page 32:

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.