Office 365 Identity Management Options
More info on http://techdays.be.
![Page 1: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/1.jpg)
Office 365 Identity Options
@jseghers – MVP Office 365
@mvanhorenbeeck – MVP Exchange Server
![Page 2: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/2.jpg)
Agenda
• Identities and Identity Options in Office 365
• DirSync Deep(er) Dive
• ADFS
  • Introduction to ADFS
  • Supported Topologies
  • ADFS Workflows
• Windows Azure AD
• Q&A
![Page 3: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/3.jpg)
Objectives
• Understand the different identity types and their pros and cons
• Understand how Directory Synchronization works
• Be able to troubleshoot Directory Synchronization errors
• Understand the different ADFS deployment scenarios
• Understand how ADFS works and recognize authentication flows
• Understand how ADFS can be used in custom developed websites
• Understand what Windows Azure Active Directory is
• Understand how Windows Azure Active Directory can be used in custom developed websites
![Page 4: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/4.jpg)
Office 365 Identity Options
Introduction to Identities
![Page 5: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/5.jpg)
Introduction to identity options
1. MS Online IDs
Appropriate for
• Smaller organizations without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA (strong authentication)
• 2 sets of credentials to manage with differing password policies
• Users and groups mastered in the cloud
2. MS Online IDs + Dir Sync
Appropriate for
• Orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Single server deployment
3. Federated IDs + Dir Sync
Appropriate for
• Larger enterprise organizations with AD on-premise
Pros
• SSO with corporate cred
• Users and groups mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
![Page 6: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/6.jpg)
Introduction to identity options
(Slide diagram: the three options, 1. Microsoft Online IDs, 2. Microsoft Online IDs + DirSync and 3. Federated IDs + DirSync, drawn between the customer premises ("Bronze Sky": Active Directory, Directory Sync, Active Directory Federation Server 2.0, IdP directory store) and the Microsoft Office 365 services (MS Online identity platform, provisioning platform, Federation Gateway with a trust to the on-premise IdP, authentication platform/IdP, admin portal, service connector, Exchange Online, SharePoint Online, Lync Online).)
![Page 7: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/7.jpg)
Sign On Experience Federated vs. Non-Federated Summary
A new “service connector” is needed – primarily for rich clients:
• Installs client and operating system updates to enable the best sign-on experience
• Enables authentication support for rich clients
• Ensures clients have all needed configuration data to enable service usage
• Obsolete in Office 2013
Web kiosk scenarios (e.g. OWA) supported without the service connector
(Slide table: credential prompt experience per client and platform, comparing federated IDs on domain-joined Windows 7/8/Vista/XP machines (AD credentials) with MS Online IDs (Online ID). Rows: Outlook 2010, Outlook 2007, Outlook 2007 or 2010 on Windows 7/8, Outlook Web Application, and ActiveSync/POP/IMAP/Entourage; cells read "No prompt", "Once at setup" or "Each session".)
![Page 8: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/8.jpg)
Directory Synchronization (DirSync)
![Page 9: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/9.jpg)
What is DirSync?
“…is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize (a subset of) your on-premise Active Directory with Windows Azure Active Directory (Office 365).”
![Page 10: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/10.jpg)
Why use DirSync?
• Long term coexistence between Exchange on-prem and Exchange Online
• (Easy/quick provisioning*)
• Single place for managing identities including:
  • Users
  • Groups
  • Memberships
  • …
• Enabler for Hybrid Deployments (required)
• Two-way Directory Synchronization
![Page 11: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/11.jpg)
DirSync
How does DirSync work?
(Slide diagram: the on-premise Active Directory is read by the SourceAD management agent (MA) into the METAVERSE; the TargetWebService MA exports the metaverse objects to Office 365.)
![Page 12: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/12.jpg)
Deployment Considerations
• Active Directory Health
  • Prerequisites check (Readiness Tool)
  • idFix (released 01/03/2013)
• Topology
  • Single Forest?
  • Multiple Domains?
• Security
  • Firewalls, Permissions
• 64-bit only!
• (De-)activation time; can take some time to complete
• Object filtering required?
• SQL Express or Full SQL (+50k objects)
![Page 13: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/13.jpg)
What objects are synced?
From AD to Office 365: http://support.microsoft.com/kb/2256198
From Office 365 to AD (aka write-back):

| Write-back attribute | Exchange "full fidelity" feature |
|---|---|
| SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering: writes back on-premises filtering and online safe and blocked sender data from clients. |
| msExchArchiveStatus | Online Archive: enables customers to archive mail. |
| ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500) | Enable Mailbox: off-boards an online mailbox back to on-premises Exchange. |
| msExchUCVoiceMailSettings | Enable Unified Messaging (UM) - Online voice mail: this new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services. |
![Page 14: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/14.jpg)
DEMO Topology
(Slide diagram: DirSync server DS02 running the SourceAD MA, the METAVERSE and the TargetWebService MA, synchronizing the Active Directory on DC01.exblog.be.)
![Page 15: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/15.jpg)
DEMO: DirSync Deep Dive
![Page 16: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/16.jpg)
Caveats
• Be careful when re-enabling DirSync > possible data loss!
• In large environments (+50k items) > Service Request needed to raise the object limit in Office 365
• Bad Active Directory “health” (object attributes) can influence DirSync’s behavior
• Strict permissions might cause issues (e.g. when inheritance flag is removed)
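The deployment considerations and caveats above both point at on-premise object quality (Readiness Tool, idFix, "bad AD health"). The following pre-flight check is an added example, not code from the talk or from idFix: it applies simplified, assumed rules in the spirit of the idFix check classes (invalid characters, duplicate addresses, malformed UPN, non-routable UPN suffix) to constructed sample objects; VERIFIED_DOMAINS and the regexes are assumptions.

```python
import re
from collections import defaultdict

# Assumed, simplified rules; not idFix's actual rule set. VERIFIED_DOMAINS is a
# constructed tenant configuration (exblog.be is the demo domain from the talk).
VERIFIED_DOMAINS = {"exblog.be"}
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9.\-_'~!#^]+$")        # assumed allowed UPN characters
ADDRESS_RE = re.compile(r"^[A-Za-z0-9.\-_']+@[A-Za-z0-9.\-]+$")  # assumed SMTP address shape

def check_upn(upn):
    """Return the error strings for one userPrincipalName ([] when it is clean)."""
    if upn.count("@") != 1:
        return ["format: UPN must contain exactly one '@'"]
    local, domain = upn.split("@")
    errors = []
    if not local or not LOCAL_PART_RE.match(local) or local[0] == "." or local[-1] == ".":
        errors.append("character: invalid local part")
    if "." not in domain or domain.lower().endswith(".local"):
        errors.append("topleveldomain: non-routable UPN suffix")
    elif domain.lower() not in VERIFIED_DOMAINS:
        errors.append("domain: UPN suffix not verified in tenant")
    return errors

def find_issues(objects):
    """Run the checks over dicts shaped like AD user attributes; return (object, attribute, error)."""
    issues = []
    owners = defaultdict(list)  # normalised SMTP address -> objects that carry it
    for obj in objects:
        name = obj["sAMAccountName"]
        for err in check_upn(obj.get("userPrincipalName", "")):
            issues.append((name, "userPrincipalName", err))
        for addr in obj.get("proxyAddresses", []):
            bare = addr.split(":", 1)[1] if ":" in addr else addr  # strip the SMTP:/smtp: prefix
            if not ADDRESS_RE.match(bare):
                issues.append((name, "proxyAddresses", f"character: {addr}"))
            owners[bare.lower()].append(name)
    for addr, names in owners.items():
        if len(names) > 1:  # the same address on several objects blocks the sync of all of them
            for name in names:
                issues.append((name, "proxyAddresses", f"duplicate: {addr}"))
    return issues

# Constructed sample: one clean object and two with typical pre-DirSync defects.
SAMPLE = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@exblog.be", "proxyAddresses": ["SMTP:jdoe@exblog.be"]},
    {"sAMAccountName": "asmith", "userPrincipalName": "a smith@exblog.local", "proxyAddresses": ["SMTP:asmith@exblog.be", "smtp:jdoe@exblog.be"]},
    {"sAMAccountName": "bjones", "userPrincipalName": "bjones@contoso.com", "proxyAddresses": ["SMTP:b jones@exblog.be"]},
]

if __name__ == "__main__":
    for issue in find_issues(SAMPLE):
        print(*issue, sep="\t")
```

Run it against an export of the OU you intend to filter into scope; every line it prints is an object that DirSync would either reject or, worse, silently mismatch.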
![Page 17: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/17.jpg)
What about… DirSync without Exchange on-prem?
• Missing attributes on-prem: extend the AD schema on-prem
• Missing management tools: Exchange Management Tools, or 3rd-party tools/scripts
![Page 18: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/18.jpg)
Some takeaways
• Enterprise Admin permissions are required for setup to allow creation of the MSOL_DirSync account (+ optional Hybrid account) and to propagate permissions in the forest/domain(s).
• Use MIISclient.exe to view operation history and search for objects (SourceAnchor – ObjectGuid)
• Filtering is supported but should be treated carefully.
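The SourceAnchor DirSync uses is the on-premise objectGUID, which Office 365 stores as the ImmutableId: the base64 encoding of the GUID's 16 bytes in the byte order AD stores them (what .NET's Guid.ToByteArray() returns). The helper below is an added example, not code from the talk, for translating between the two when searching for an object in MIISclient or in the cloud directory; the sample GUID is constructed.

```python
import base64
import uuid

def guid_to_immutable_id(guid_str):
    """objectGUID (string form) -> ImmutableId. AD stores the first three GUID
    fields little-endian, which is what uuid.bytes_le reproduces."""
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")

def immutable_id_to_guid(immutable_id):
    """ImmutableId -> objectGUID string, to look the object up on-premise."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to 16 bytes; not an objectGUID anchor")
    return str(uuid.UUID(bytes_le=raw))

def anchors_match(ad_object_guid, cloud_immutable_id):
    """True when the cloud object was sourced from this on-premise object."""
    return guid_to_immutable_id(ad_object_guid) == cloud_immutable_id

def wrong_endianness(guid_str):
    """Common troubleshooting trap: encoding the textual GUID's big-endian bytes
    gives a different string, so a search on it finds nothing."""
    return base64.b64encode(uuid.UUID(guid_str).bytes).decode("ascii")

if __name__ == "__main__":
    g = "12345678-1234-5678-9abc-def012345678"  # constructed sample objectGUID
    print("ImmutableId:", guid_to_immutable_id(g))
    print("wrong byte order:", wrong_endianness(g))
```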
![Page 19: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/19.jpg)
ADFS
Introduction
![Page 20: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/20.jpg)
Federation Primer
Challenges
• Multiple Identities
Requirements
• Reduce identities (or at least their management) to a single source of authority
• Allow people to log on to cloud-based solutions with their on-premise credentials
• Simplify management
• Keep in control
![Page 21: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/21.jpg)
The solution: ADFS
• Cross-premises password policies
• Simplified user management
• Support for two-factor authentication
• Access Control using Client Access Policies
![Page 22: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/22.jpg)
Active Directory Federation Services (ADFS)
Topologies
![Page 23: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/23.jpg)
ADFS: On Premise Topology
(Slide diagram: internal users authenticate against two AD FS 2.0 servers in the enterprise network, backed by Active Directory; two AD FS 2.0 server proxies sit in the DMZ.)
![Page 25: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/25.jpg)
ADFS: Hybrid Topology: IAAS
(Slide diagram: the enterprise site, with internal users, Active Directory and two AD FS 2.0 servers, is connected over VPN to an IaaS site with external users, Active Directory and two AD FS 2.0 servers.)
![Page 26: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/26.jpg)
ADFS: Hybrid Topology: IAAS
(Slide diagram: the same hybrid IaaS topology with a single AD FS 2.0 server on each side of the VPN.)
![Page 27: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/27.jpg)
ADFS: Hybrid Topology: Windows Azure
(Slide diagram: the enterprise network, with Active Directory and two AD FS 2.0 servers, connects through an IPsec device and gateway to a Windows Azure cloud service hosting two AD FS 2.0 servers behind a load-balanced endpoint.)
![Page 28: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/28.jpg)
ADFS: Cloud Topology: IAAS
(Slide diagram: internal and external users, Active Directory and two AD FS 2.0 servers are all hosted in IaaS.)
![Page 29: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/29.jpg)
ADFS & Two-Factor Authentication
• Own solutions, e.g. an extra PIN integrated in the ADFS pages
  • Works only with forms-based authentication
  • ASP.NET solution
• RSA SecurID Integration
• ForeFront UAG
![Page 30: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/30.jpg)
ADFS
Authentication flows
![Page 31: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/31.jpg)
Authentication flows
• Different authentication flows, depending on the application and service that you are using.
• Office 365 has three different flows:
  • Passive (web applications, e.g. SharePoint & OWA)
  • Active (Outlook, Exchange Online)
  • MEX (Lync)
![Page 32: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/32.jpg)
Web (Passive) Authentication Flow
(Slide diagram: the web client talks to Exchange/SharePoint Online, is redirected to the authentication platform (WAAD) and on to the on-premise ADFS, which validates the credentials against the DC.)
![Page 33: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/33.jpg)
Rich Client Authentication Flow
(Slide diagram: the Lync client, via the sign-in assistant, uses the UPN for realm discovery against the authentication platform (WAAD), obtains the ADFS endpoint information via MEX, and authenticates against ADFS, which validates the credentials against the DC.)
![Page 34: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/34.jpg)
Active Authentication Flow
(Slide diagram: Exchange/SharePoint Online passes the client's credentials to the authentication platform (WAAD), which obtains a token from the on-premise ADFS active endpoint; ADFS validates the credentials against the DC.)
![Page 35: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/35.jpg)
DEMO: ADFS Workflow
![Page 36: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/36.jpg)
Key Takeaways
• ADFS requires a public certificate only for client communications; token signing and encryption can be done with self-signed certificates
• The workflow/endpoint differs depending on the application you use: Passive (Web) / Rich Client (Lync) / Active (Outlook)
• Troubleshooting is not always easy; e.g. it requires understanding how to use tools like Fiddler2 etc.
![Page 37: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/37.jpg)
Nice-to-knows
RU1
• Client Access Policy support (filtering based on IP address)
• New performance counters > monitoring
RU2
• RU1 + additional fixes (mainly stability improvements)
• Added support for the RelayState parameter
![Page 38: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/38.jpg)
Demo: ADFS – Websites
![Page 39: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/39.jpg)
Windows Azure Active Directory
W.A.A.D. is a modern, REST-based service that provides identity and access control for your cloud applications.
Already used in:
• Windows Azure
• Office 365
• Dynamics CRM Online
• Windows Intune
• 3rd party Cloud Services
![Page 40: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/40.jpg)
Windows Azure Active Directory
W.A.A.D. integrates with domain credentials of local AD via ADFS
W.A.A.D. integrates with Access Control Service (a cloud-based service that provides an easy way of authenticating and authorizing users to your web applications and services while allowing the features of authentication and authorization to be factored out of your code)
W.A.A.D. integrates with Graph API: it allows you to read a subset of the entities in the directory: namely Users, Groups, Roles, Subscriptions, Tenant Details and some of the relationships which tie those together. The interaction is read-only
![Page 41: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/41.jpg)
Windows Azure Active Directory
![Page 42: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/42.jpg)
Demo: W.A.A.D. – Websites
![Page 43: Office 365 Identity Management options](https://reader035.vdocument.in/reader035/viewer/2022081412/5455a928af7959d2368b830d/html5/thumbnails/43.jpg)
Session Takeaways
1. Before deploying DirSync, check your AD and use tools like MiisClient, IdFix and the Readiness Tool
2. WAAD can also be used to extend the functionality of your websites
3. Office 365 uses three different authentication flows with ADFS: Active, Passive and MEX
4. Mind ADFS topologies with regard to High Availability