office 365 identity management - smbnation 2015
![Page 1: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/1.jpg)
Office 365 Identity Management
Robert Crane
http://about.me/ciaops
![Page 2: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/2.jpg)
Agenda
• Identity option comparisons
• Online identity
• Synchronised identity
• Federated identity
• Federated Identity set up demo
• Conclusions
![Page 3: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/3.jpg)
1. MS Online IDs
Appropriate for: Smaller orgs without AD on-premise
Pros:
• No servers required on-premise
Cons:
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud
2. MS Online IDs + DirSync
Appropriate for: Medium/Large orgs with AD on-premise
Pros:
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons:
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Server deployment required
3. Federated IDs + DirSync
Appropriate for: Larger enterprise orgs with AD on-premise
Pros:
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons:
• High availability server deployments required
![Page 4: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/4.jpg)
Online Identity
![Page 6: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/6.jpg)
![Page 7: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/7.jpg)
![Page 8: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/8.jpg)
Synchronised Identity
![Page 9: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/9.jpg)
Office 365 Identity Models
![Page 10: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/10.jpg)
Directory Sync
• Synchronizes users, groups, and contacts to Windows Azure AD.
• Users will have a different password in Windows Azure AD than they have for the on-premises AD.
DEPRECATED
![Page 11: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/11.jpg)
Azure AD Sync tool
• Formerly known as DirSync, this tool has been updated to allow for the synchronization of local Active Directory passwords to Azure Active Directory.
• Also synchronizes users, groups and contacts.
• This new feature will allow for same user sign-in with Microsoft cloud services such as Office 365 powered by Azure Active Directory, since the username and the password from local AD will be synced up to Azure AD.
DEPRECATED
![Page 12: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/12.jpg)
Azure AD Connect
Active Directory
![Page 13: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/13.jpg)
Synchronized Identity Model
Diagram labels: On-premises directory; AAD Sync or Connect; User accounts; Password hashes; User sign-on
![Page 14: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/14.jpg)
Before installing Azure AD Connect
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
Active Directory remediation: Run IdFix
Verify DNS domains with Office 365: Add these prior to syncing to preserve UPN
Directories other than Active Directory: Works with Office 365 – Identity program
One server is most common:
• Domain controller is supported
• Separate SQL Server is okay up to around 100,000 directory objects
• You can install to Azure IaaS
Migrating from DirSync or FIM 2010: Upgrade
Forest functional level: Windows Server 2003
![Page 15: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/15.jpg)
IdFix – DirSync AD Remediation
![Page 16: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/16.jpg)
What errors does IdFix look for?
• Duplicate proxyAddresses
• Invalid characters in attributes
• Over length attributes
• Format errors in attributes
• Use of non-routable domains
• Blank attribute that requires a value
Attributes checked: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
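The following Python script is an added example, not code from the slides or from the IdFix tool itself. It runs checks of the same six classes over a constructed set of AD user records, so you can see what an export needs to pass before the first sync. The per-attribute length limits, the rejected-character set for mailNickName and the list of non-routable suffixes are my assumptions about the rules IdFix applies; the slide names the error classes but not the numbers.

```python
"""Pre-sync directory checks modelled on the IdFix error classes (added example)."""
import re
from collections import defaultdict

# Assumption: per-attribute length limits as I understand IdFix to enforce them.
MAX_LEN = {
    "mailNickName": 64,
    "sAMAccountName": 20,
    "userPrincipalName": 113,
    "proxyAddresses": 256,
    "targetAddress": 256,
}
# Assumption: characters IdFix rejects in mailNickName (the Exchange alias).
BAD_NICK_CHARS = re.compile(r'[\s!#$%&*+/=?^`{}|~<>()\';:,\[\]"@\\]')
# Assumption: a well-formed UPN is local-part@label(.label)+ with a 2+ letter suffix.
UPN_FORMAT = re.compile(r"^[A-Za-z0-9.!#^~_-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Assumption: private suffixes that can never be verified as Office 365 domains.
NON_ROUTABLE_SUFFIXES = {"local", "lan", "internal", "corp", "intranet"}


def as_list(value):
    """AD exports give single-valued attributes as strings and multi-valued ones as lists."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_users(users):
    """Return sorted (dn, attribute, error) findings for user dicts keyed by AD attribute name."""
    findings = set()
    proxy_owners = defaultdict(list)
    for user in users:
        dn = user["dn"]
        # Blank attribute that requires a value
        for attr in ("sAMAccountName", "userPrincipalName"):
            if not user.get(attr):
                findings.add((dn, attr, "blank"))
        if user.get("proxyAddresses") and not user.get("mailNickName"):
            findings.add((dn, "mailNickName", "blank"))
        # Over-length attributes
        for attr, limit in MAX_LEN.items():
            for value in as_list(user.get(attr)):
                if len(value) > limit:
                    findings.add((dn, attr, "length"))
        # Invalid characters
        if BAD_NICK_CHARS.search(user.get("mailNickName") or ""):
            findings.add((dn, "mailNickName", "character"))
        # Format errors and non-routable domains in the UPN
        upn = user.get("userPrincipalName") or ""
        if upn and not UPN_FORMAT.match(upn):
            findings.add((dn, "userPrincipalName", "format"))
        if upn and upn.rsplit(".", 1)[-1].lower() in NON_ROUTABLE_SUFFIXES:
            findings.add((dn, "userPrincipalName", "nonroutable"))
        # Collect proxyAddresses case-insensitively for the cross-object duplicate check
        for address in as_list(user.get("proxyAddresses")):
            proxy_owners[address.lower()].append(dn)
    # Duplicate proxyAddresses across objects
    for address, owners in proxy_owners.items():
        if len(owners) > 1:
            for dn in owners:
                findings.add((dn, "proxyAddresses", "duplicate"))
    return sorted(findings)


# Constructed sample export of three users; not real directory data.
SAMPLE_USERS = [
    {"dn": "CN=Alice,OU=Staff,DC=contoso,DC=local", "sAMAccountName": "alice",
     "userPrincipalName": "alice@contoso.com", "mailNickName": "alice",
     "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"dn": "CN=Bob,OU=Staff,DC=contoso,DC=local", "sAMAccountName": "bob",
     "userPrincipalName": "bob@contoso.local", "mailNickName": "bob smith",
     "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:alice@contoso.com"]},
    {"dn": "CN=Carol,OU=Staff,DC=contoso,DC=local", "sAMAccountName": "",
     "userPrincipalName": "carol@contoso.com", "mailNickName": "carol",
     "proxyAddresses": []},
]


def run_sample():
    """Run the checks over the constructed sample; five findings are expected."""
    return check_users(SAMPLE_USERS)


if __name__ == "__main__":
    for dn, attr, error in run_sample():
        print(f"{error:12} {attr:18} {dn}")
```

Bob's UPN on a .local suffix is the case that matters most in practice: it syncs, but the cloud UPN silently becomes user@tenant.onmicrosoft.com, which is why the previous slide says to verify your DNS domains before the first sync.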
![Page 17: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/17.jpg)
Install Azure AD Connect
![Page 18: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/18.jpg)
Install the Azure AD Connect
![Page 19: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/19.jpg)
Install the Azure AD Connect
![Page 20: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/20.jpg)
Connect to Azure AD
![Page 21: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/21.jpg)
Connect to on-premises Directories
![Page 22: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/22.jpg)
User (and contact) matching
![Page 23: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/23.jpg)
Filter users and devices
![Page 24: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/24.jpg)
Optional features
![Page 25: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/25.jpg)
Azure AD apps
![Page 26: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/26.jpg)
Azure AD attributes
![Page 27: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/27.jpg)
Configure AAD Connect
![Page 28: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/28.jpg)
Done!
![Page 29: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/29.jpg)
Review the configuration
Installation logs: %windir%\temp\aadsync
Synchronization Rules:
• Depending on whether Exchange and Skype for Business are present in AD, different rules will be generated
• Depending on Exchange version, attributes will be removed as needed
• Only selected services will have outbound rules to AAD
• Attributes you selected not to include are removed from the outbound rules to AAD
Introducing the Sync Rule Editor: A “Resource Kit Tool” to view, change and add Sync Rules
![Page 30: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/30.jpg)
View the synchronisation
- Passwords synced every 2 minutes
- User attributes synced every 3 hours
- Manual sync via \program files\microsoft azure ad sync\bin\directorysyncclientcmd.exe
![Page 31: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/31.jpg)
AAD Connect installation review
Be aware of directory object limits:
• A new tenant can sync up to 50,000 directory objects
• Register a vanity domain and it is increased to 300,000 objects
Sync now: Expect about 1 hour per 5,000 objects
Password expiry for the sync account
Assign Office 365 licenses
High availability: Can backup and reinstall
Filtering AAD Connect:
• By Domain and OUs
• By attributes
![Page 32: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/32.jpg)
Password hash sync security
Password hash (AD DS): It is not reversible to get the user's password
A hash: Hashes are mathematical functions that are nearly impossible to reverse; the result of the hash algorithm is called a digest
Additional processing:
• We further process it with a one-way hash (SHA256 algorithm)
• Connections are only to the Azure AD service
• Connections are SSL encrypted
Enables Azure AD to validate the user's password when they log in
Diagram labels: User; Password; On-premises directory
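The Python below is an added illustration of the "additional processing" step, not code from the slides or from the Azure AD Connect agent. It takes a constructed 16-byte value standing in for the AD DS password hash, runs it through a second one-way SHA256-based derivation with a per-user salt, and shows that the cloud side can validate a sign-in from the stored digest without ever holding the password or the original AD hash. The salt length and PBKDF2 iteration count are my assumptions for the example; the slide only says SHA256 is applied.

```python
"""Second one-way hashing of the AD password hash before sync (added illustration)."""
import hashlib
import hmac
import os

# Assumption: salt length and iteration count are illustrative values, not the agent's.
SALT_BYTES = 10
ITERATIONS = 1000


def derive_cloud_digest(ad_hash: bytes, salt: bytes) -> bytes:
    """Apply PBKDF2-HMAC-SHA256 to the on-premises hash so that neither the password
    nor the original AD hash can be recovered from what is stored in the cloud."""
    # Expand the 16-byte hash to its 32-character hex form first so the input is fixed-width.
    expanded = ad_hash.hex().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, ITERATIONS)


def build_sync_record(ad_hash: bytes, salt=None) -> dict:
    """What the sync agent would send to Azure AD: salt + digest, never the AD hash itself."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS, "digest": derive_cloud_digest(ad_hash, salt)}


def cloud_validate(candidate_ad_hash: bytes, record: dict) -> bool:
    """Azure AD side at sign-in: hash the typed password the same way AD DS does (not shown here),
    recompute the digest with the stored salt and compare in constant time."""
    recomputed = derive_cloud_digest(candidate_ad_hash, record["salt"])
    return hmac.compare_digest(recomputed, record["digest"])


# Constructed 16-byte values standing in for the AD DS hashes of two different passwords.
AD_HASH_CORRECT = bytes.fromhex("00112233445566778899aabbccddeeff")
AD_HASH_WRONG = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo():
    """Build one sync record with a fixed salt and report the properties that matter."""
    record = build_sync_record(AD_HASH_CORRECT, salt=b"\x01" * SALT_BYTES)
    return {
        "stored_is_not_ad_hash": AD_HASH_CORRECT not in record["digest"],
        "correct_password_validates": cloud_validate(AD_HASH_CORRECT, record),
        "wrong_password_rejected": not cloud_validate(AD_HASH_WRONG, record),
        "digest_len": len(record["digest"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties are worth checking when you review this model: the same AD hash with a different salt yields a different digest (so a digest leaked from one tenant cannot be matched against another), and validation uses a constant-time comparison.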
![Page 33: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/33.jpg)
Federated Identity
![Page 34: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/34.jpg)
Federated identity model
Diagram labels: On-premises directory; AAD Sync or Connect
![Page 35: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/35.jpg)
Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
Diagram labels: Backup Password Hash Sync; User accounts; AAD Sync; On-premises directory
![Page 36: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/36.jpg)
Topology
![Page 37: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/37.jpg)
Topology
![Page 38: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/38.jpg)
Diagram labels: 10.0.0.4; 10.0.0.5; DC; Azure AD Connect Sync; ADFS; Certificate; Web Server; PowerShell; steps 1 and 2
![Page 39: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/39.jpg)
Diagram labels: 10.0.0.4; 10.0.0.5; 10.32.0.4; 10.0.0.X; DC; Azure AD Connect Sync; ADFS; ADFS Proxy; step 3
![Page 40: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/40.jpg)
DEMO
![Page 41: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/41.jpg)
ADFS and SSO
Read all the TechNet Deployment Guidance http://technet.microsoft.com/en-us/library/jj205462.aspx
Only implement the Office 365 requirements: The only certificate required is the SSL certificate
Prepare with firewall update permissions
![Page 42: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/42.jpg)
Change between models as needs change
Cloud Identity to Synchronized Identity:
• Deploy Azure AD Connect
• Hard match or soft match of users
Synchronized Identity to Federated Identity:
• Deploy AD FS
• Can leave password sync enabled as backup
Federated Identity to Synchronized Identity:
• PowerShell Convert-MsolDomainToStandard
• Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized Identity to Cloud Identity:
• PowerShell Set-MsolDirSyncEnabled
• Takes 72 hours and you can monitor with Get-MsolCompanyInformation
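The "hard match or soft match" step when moving from cloud identity to synchronized identity is where most first-sync duplicates come from, so here is an added Python example (not code from the slides or from Azure AD Connect) that models both rules over constructed on-premises and cloud user lists. It relies on two facts I am confident of but which the slide does not spell out: a hard match compares the cloud user's ImmutableId with the base64 encoding of the on-premises objectGUID (in AD's little-endian byte layout), and a soft match joins an unsynced cloud user to an on-premises user by primary SMTP address (or UPN). The sample GUIDs and addresses are constructed.

```python
"""Hard match and soft match of on-premises users to existing cloud users (added example)."""
import base64
import uuid

# Constructed sample identifiers; not from any real directory.
GUID_ALICE = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
GUID_BOB = "8c8a9f12-6a0b-4f21-9d8e-2f6b1c3e4d55"
GUID_CAROL = "c0ffee00-1234-4abc-8def-0123456789ab"


def immutable_id(object_guid: str) -> str:
    """Hard-match anchor: base64 of the 16 raw objectGUID bytes in AD's byte order (bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(value: str) -> str:
    """Reverse of immutable_id, useful when reading ImmutableId values back from the cloud."""
    return str(uuid.UUID(bytes_le=base64.b64decode(value)))


def primary_smtp(proxy_addresses):
    """The primary SMTP address is the entry with the upper-case SMTP: prefix."""
    for address in proxy_addresses:
        if address.startswith("SMTP:"):
            return address[5:].lower()
    return None


def match_users(onprem_users, cloud_users):
    """Return {sAMAccountName: (cloud UPN or None, 'hard' | 'soft' | None)}."""
    by_immutable_id = {c["ImmutableId"]: c for c in cloud_users if c.get("ImmutableId")}
    by_smtp = {}
    for c in cloud_users:
        smtp = primary_smtp(c.get("proxyAddresses", []))
        if smtp:
            by_smtp[smtp] = c
    by_upn = {c["UserPrincipalName"].lower(): c for c in cloud_users}
    result = {}
    for user in onprem_users:
        name = user["sAMAccountName"]
        anchor = immutable_id(user["objectGUID"])
        if anchor in by_immutable_id:
            result[name] = (by_immutable_id[anchor]["UserPrincipalName"], "hard")
            continue
        smtp = primary_smtp(user.get("proxyAddresses", []))
        candidate = by_smtp.get(smtp) if smtp else None
        if candidate is None:
            candidate = by_upn.get(user["userPrincipalName"].lower())
        # A soft match only joins to a cloud object that is not already anchored elsewhere.
        if candidate is not None and not candidate.get("ImmutableId"):
            result[name] = (candidate["UserPrincipalName"], "soft")
        else:
            result[name] = (None, None)
    return result


# Constructed sample: alice was synced before, bob exists cloud-only under a different UPN,
# carol has no cloud counterpart and would be created as a new user.
ONPREM_USERS = [
    {"sAMAccountName": "alice", "objectGUID": GUID_ALICE, "userPrincipalName": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"sAMAccountName": "bob", "objectGUID": GUID_BOB, "userPrincipalName": "bob@contoso.local",
     "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sAMAccountName": "carol", "objectGUID": GUID_CAROL, "userPrincipalName": "carol@contoso.com",
     "proxyAddresses": ["SMTP:carol@contoso.com"]},
]
CLOUD_USERS = [
    {"UserPrincipalName": "alice@contoso.com", "ImmutableId": immutable_id(GUID_ALICE),
     "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"UserPrincipalName": "robert@contoso.com", "ImmutableId": None,
     "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"UserPrincipalName": "dave@contoso.com", "ImmutableId": None,
     "proxyAddresses": ["SMTP:dave@contoso.com"]},
]


def run_sample():
    """Match the constructed sample: alice hard, bob soft, carol unmatched."""
    return match_users(ONPREM_USERS, CLOUD_USERS)


if __name__ == "__main__":
    for name, (upn, kind) in run_sample().items():
        print(f"{name:8} -> {upn} ({kind})")
```

Run a dry-run like this over the real lists before enabling sync: any on-premises user that comes back unmatched while a similarly named cloud user exists will be created as a second account, and the cloud-only one keeps its mailbox and licence.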
![Page 43: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/43.jpg)
Choose the simplest model for your needs
This is Microsoft’s recommendation
Cloud Identity is the simplest model
Choose cloud when:
• You have no on-premises directory
• There is on-premises directory restructuring
• You are in pilot with Office 365
![Page 44: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/44.jpg)
Choose synchronized identity if you have an on-premises directory
Password hash sync means federation is not required just to have the same password on the cloud
Same sign-on – the username and password is the same in the cloud as on-premises
Single sign-on – you log on to the PC and no password is required for cloud services
Save credentials for later use: Windows Credential Manager
Outlook does not support Single sign-on
Choose password hash sync unless you have one of the scenarios that requires federation
![Page 45: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/45.jpg)
Scenarios for choosing federation: Existing infrastructure
1. You already have an AD FS Deployment.
2. You already use a Third Party Federated Identity Provider.
3. You use Forefront Identity Manager.
4. You have an On-Premises Integrated Smart Card or Multi-Factor Authentication (MFA) Solution.
5. Custom Hybrid Applications or Hybrid Search is Required.
6. Web Accessible Forgotten Password Reset.
![Page 46: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/46.jpg)
Scenarios for choosing federation: Policy requirements
7. You Require Sign-In Audit and/or Immediate Disable.
8. Single Sign-On minimizing prompts is Required.
9. Require Client Sign-In Restrictions by Network Location or Work Hours.
10. Policy preventing Synchronizing Password Hashes to Azure AD.
![Page 47: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/47.jpg)
Office 365 federation options
AD FS:
• Suitable for medium, large enterprises including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support
Third-party federation provider:
• Suitable for medium, large enterprises including educational organizations
• Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD
• Single sign-on
• Support for web and rich clients
• Third-party supported
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support
• Verified through ‘works with Office 365’ program
Shibboleth:
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS Identity systems
• Single sign-on
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
SAML 2.0 identity provider:
• For organizations that need to use SAML 2.0
• Recommended where customers may use existing non-ADFS Identity systems
• Single sign-on
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no identity provider deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
![Page 48: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/48.jpg)
Works with Office 365 – Identity program
What is it?
Program Requirements
http://aka.ms/ssoproviders
![Page 49: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/49.jpg)
Yammer DIRSYNC
Will eventually be replaced with Azure AD Connect
After you set up this integration product, users will automatically be:
• removed from your Yammer network when you disable them in AD
• invited to your Yammer network when you add them to AD
• updated with new profile information when you update their attributes in AD
Install a separate syncing program locally and configure: http://blog.ciaops.com/2015/06/configuring-yammer-dirsync.html
Not recommended unless you have a specific need
![Page 50: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/50.jpg)
Resources
![Page 51: Office 365 Identity Management - SMBNation 2015](https://reader034.vdocument.in/reader034/viewer/2022051007/5a64912e7f8b9a31568b54dd/html5/thumbnails/51.jpg)
Summary
Choose the simplest model for your needs
Change between models as needed.
Cloud identity model when there is no on-premises directory.
Synchronized identity model for most organizations.
Federated identity model for specific scenarios.
Federated and synchronised identities require on-premise equipment.