Supporting Architecture for Office 365 - SPO

Upload: jethro-seghers

Post on 13-Jan-2015


TRANSCRIPT

Page 1: Supporting architecture for office 365 spo

Supporting Architecture for Office 365 - SPO

Page 2: Supporting architecture for office 365 spo

Jethro Seghers

Blogger

Twitter: @jseghers
E-mail: [email protected]
Blog: http://www.j-solutions.be/blog

Consultant

Trainer

Page 3: Supporting architecture for office 365 spo

Agenda

Goal
Different Architectural Entities
Identities & User Provisioning
Authentication
Demo

Page 4: Supporting architecture for office 365 spo

Goal

Page 5: Supporting architecture for office 365 spo

Goal

Make the correct choice for your identity model
Understand the different tools
Provide a Same Sign On environment
Easy authentication

Page 6: Supporting architecture for office 365 spo

Different Architectural Entities

Page 7: Supporting architecture for office 365 spo

Different Architectural Entities

User Provisioning
- PowerShell
- DirSync
- FIM Management Agent

Authentication
- Windows Azure Active Directory (W.A.A.D.)
- Local Active Directory via ADFS
- Shibboleth (Education)

Page 8: Supporting architecture for office 365 spo

Identity options comparison

1. MS Online IDs
Appropriate for: smaller organizations without AD on-premise
Pros: no servers required on-premise
Cons: no SSO; no 2FA / strong authentication (as of this deck; Azure MFA for Office 365 cloud identities was released later); 2 sets of credentials to manage, with differing password policies; users and groups mastered in the cloud

2. MS Online IDs + Dir Sync
Appropriate for: orgs with AD on-premise
Pros: users and groups mastered on-premise; enables co-existence scenarios
Cons: no SSO; no 2FA; 2 sets of credentials to manage, with differing password policies; single server deployment on-premise

3. Federated IDs + Dir Sync
Appropriate for: larger enterprise organizations with AD on-premise
Pros: SSO with corporate credentials; users and groups mastered on-premise; password policy controlled on-premise; 2FA solutions possible (enforced at AD FS); enables co-existence scenarios
Cons: highly available server deployments required (AD FS farm plus proxies)
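The comparison above is easier to apply if you can see which of the three models a tenant actually runs. The following is an added example, not code from the deck or from Microsoft, that maps a tenant's verified domains and its users onto the three models with the MSOnline (Azure AD v1) PowerShell module. It assumes the module is installed and that the caller holds a directory admin role; the output labels are illustrative.

```powershell
# Added example (not from the deck): map a tenant's verified domains and users onto the three
# identity models above, using the MSOnline (Azure AD v1) PowerShell module.
# Assumptions: the module is installed and the caller holds a directory admin role;
# the output labels are illustrative, not Microsoft's.
Import-Module MSOnline
Connect-MsolService            # prompts for tenant admin credentials

# Tenant-wide: has DirSync been activated? (model 2 or 3 if so)
$dirSyncOn = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

# Per domain: Authentication is 'Managed' (cloud password) or 'Federated' (AD FS trust).
foreach ($d in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
    if ($d.Authentication -eq 'Federated') { $model = '3. Federated IDs + DirSync' }
    elseif ($dirSyncOn)                    { $model = '2. MS Online IDs + DirSync' }
    else                                   { $model = '1. MS Online IDs' }
    [pscustomobject]@{ Domain = $d.Name; Authentication = $d.Authentication; Model = $model }
}

# Per user: LastDirSyncTime is only populated for objects mastered on-premise, so a
# cloud-mastered account in a synced or federated tenant is exactly the "second set of
# credentials" (with its own password policy) that the comparison warns about.
# List those accounts, together with their Azure MFA state.
Get-MsolUser -All | ForEach-Object {
    $mfa = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
               $_.StrongAuthenticationRequirements[0].State } else { 'Disabled' }
    [pscustomobject]@{
        User                 = $_.UserPrincipalName
        Source               = if ($_.LastDirSyncTime) { 'Synced from AD' } else { 'Cloud-mastered' }
        PasswordNeverExpires = $_.PasswordNeverExpires
        Mfa                  = $mfa
    }
} | Where-Object { $_.Source -eq 'Cloud-mastered' } | Sort-Object User | Format-Table -AutoSize
```

The second report is the one worth keeping around: cloud-mastered accounts (typically the break-glass admins and anything created directly in the portal) never see your on-premise password policy or your AD FS-enforced second factor, so they deserve MFA and a password-expiry decision of their own.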

Page 9: Supporting architecture for office 365 spo

Identity architecture: Identity options

[Diagram: "Bronze Sky" customer premises on the left, Microsoft Office 365 Services on the right. Customer premises: AD, MS Online Directory Sync, Active Directory Federation Server 2.0, IdP Directory Store. Office 365: Identity platform, Provisioning platform, Federation Gateway, Authentication platform (IdP), Admin Portal, Service connector, Lync Online, SharePoint Online, Exchange Online. Directory Sync feeds the Provisioning platform; a Trust links the Active Directory Federation Server 2.0 to the Federation Gateway. The three options are marked: 1. Microsoft Online IDs, 2. Microsoft Online IDs + DirSync, 3. Federated IDs + DirSync]

Page 10: Supporting architecture for office 365 spo

Sign On Experience across apps and OSs
Federated vs. Non-Federated Summary

A new “service connector” is needed, primarily for rich clients:
- Installs client and operating system updates to enable the best sign-on experience
- Enables authentication support for rich clients
- Ensures clients have all needed configuration data to enable service usage
- Obsolete in Office 2013

Web kiosk scenarios (e.g. OWA) are supported without the service connector.

[Table: sign-on experience matrix. Rows: Outlook 2010 (Win 7, Vista/XP); Outlook 2007; Outlook Web Application; ActiveSync, POP, IMAP, Entourage; SharePoint Online with Office 2010 or Office 2007 SP2. Columns: Federated IDs on a domain-joined Win 7/Vista/XP machine (AD credentials) versus MS Online IDs (Online ID). Cell values: No prompt, Once at setup, Each session.]

Page 11: Supporting architecture for office 365 spo

DirSync

Page 12: Supporting architecture for office 365 spo

What is DirSync?

“…is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize a subset of your on-premise Active Directory with Windows Azure Active Directory (Office 365).”

Page 13: Supporting architecture for office 365 spo

DirSync

How does DirSync work?

[Diagram: Active Directory -> Source AD MA (management agent) -> METAVERSE -> Target Web Service MA -> Office 365]

Page 14: Supporting architecture for office 365 spo

What does Directory Sync do for you

Enables you to manage your company’s information in one central location for both the on-premise intranet and Office 365

Runs as an appliance: install and forget

Proactively reports errors via email: “No news is good news”

Page 15: Supporting architecture for office 365 spo

What does Directory Synchronization do for users

Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)

Flavors of Co-Existence
- Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication)
- Application Co-Existence

Page 16: Supporting architecture for office 365 spo

What does Directory Synchronization do for users
Identity Co-Existence

Facilitates a “Single Sign-On” experience

For users: a single set of credentials to manage

On-premise users, security groups, distribution lists and contacts are available in the cloud

Complete address books in Exchange Online
SharePoint Online ACL’ing via security groups

Users, contacts and groups can be created directly in Office 365, or sync’d from on-premise!

Page 17: Supporting architecture for office 365 spo

What does Directory Synchronization do for users
Application Co-Existence

2 types: Simple, Rich

Simple Co-Existence:
- Full, consistent address book available across all O365 services
- Exchange Online users can receive mail at any of their (valid) on-premise proxy addresses
- Conference room support (Outlook Room Finder)

Page 18: Supporting architecture for office 365 spo

What does Directory Synchronization do for users
Application Co-Existence

Rich Co-Existence: Hybrid Deployments
- Staged migrations
- Keep data on-premise for various business or legal requirements
- Free/Busy available to users on-premise and in the cloud

Page 19: Supporting architecture for office 365 spo

DirSync Deployment

Active Directory Assessment
- Prerequisites check (Readiness Tool)
- Onramp.office365.com

Topology
- Single forest?
- Multiple domains?

Security
- Firewalls, permissions

Page 20: Supporting architecture for office 365 spo

DirSync Deployment

Activation and deactivation can take some time to complete

Object filtering required? Domain, OU or attribute based

SQL Express, or full SQL Server above roughly 50k objects

Supported on Windows Server 2012
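The assessment, filtering and sizing points on the last two slides can be checked against the forest before the appliance is installed. The following is an added example, not the deck's own tooling and not the Microsoft Readiness Tool, that uses the ActiveDirectory (RSAT) module to count in-scope objects against the 50k SQL Express threshold quoted above, flag users whose UPN suffix is not a verified tenant domain, and find duplicate SMTP addresses. It assumes a single forest, read access as a domain user, and illustrative OU names and a verified-domain list of its own.

```powershell
# Added example (not from the deck): a pre-DirSync assessment of the on-premise directory with
# the ActiveDirectory (RSAT) module. Assumptions: single forest, run as a domain user with read
# access; the OU names and the verified-domain list are illustrative; the 50k object figure for
# the SQL Express / full SQL decision is the one quoted on the slide.
Import-Module ActiveDirectory

# Only the OUs you intend to let DirSync see (OU filtering), so the counts match the deployment.
$searchBases = @('OU=Corp Users,DC=contoso,DC=local', 'OU=Corp Groups,DC=contoso,DC=local')

$objects = foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base -Properties userPrincipalName, proxyAddresses, mail `
        -Filter "(objectClass -eq 'user' -and objectCategory -eq 'person') -or objectClass -eq 'group' -or objectClass -eq 'contact'"
}

# 1. Sizing: the bundled SQL Express instance is only sized for roughly 50k objects.
"Objects in scope: $($objects.Count)"
if ($objects.Count -gt 50000) { 'Plan a full SQL Server instance instead of SQL Express.' }

# 2. UPN suffixes: a suffix that is not a verified Office 365 domain (e.g. contoso.local) cannot
#    be the cloud sign-in name, so those users would be provisioned as *@tenant.onmicrosoft.com.
$verifiedDomains = @('contoso.com')
$objects | Where-Object { $_.ObjectClass -eq 'user' -and $_.userPrincipalName } |
    Where-Object { ($_.userPrincipalName -split '@')[1] -notin $verifiedDomains } |
    Select-Object userPrincipalName, DistinguishedName

# 3. Duplicate SMTP addresses across users, groups and contacts: the sync engine keeps the first
#    object it sees and reports the rest as errors by email.
$objects | ForEach-Object {
    $obj = $_
    @($obj.proxyAddresses) + @($obj.mail) | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{ Address = ($_ -replace '^smtp:', '').ToLower(); Object = $obj.DistinguishedName }
    }
} | Group-Object Address | Where-Object { $_.Count -gt 1 } |
    Select-Object @{n = 'Address'; e = { $_.Name }}, @{n = 'Objects'; e = { $_.Group.Object -join '; ' }}
```

Run it with the same OU scope you will configure in the sync engine; objects outside that scope never reach the metaverse, so including them here only inflates the count and the duplicate list.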


Page 21: Supporting architecture for office 365 spo

Demo DirSync

Page 22: Supporting architecture for office 365 spo

Active Directory Domain Federation

Page 23: Supporting architecture for office 365 spo

Identity Federation
Authentication flow (passive profile)

[Diagram: Customer side: Client (joined to CorpNet), Active Directory, AD FS 2.0 Server. Microsoft Office 365 side: Federation Gateway, Exchange Online]

Passive profile is the browser flow: the service redirects the browser to AD FS, AD FS authenticates the user against Active Directory (integrated Windows authentication on CorpNet, a forms page otherwise) and the signed token is posted back through the Federation Gateway to the service. The user's password never leaves the corporate network.

Page 24: Supporting architecture for office 365 spo

Identity Federation
Authentication flow (active profile)

[Diagram: Customer side: Client (joined to CorpNet), Active Directory, AD FS 2.0 Server. Microsoft Office 365 side: Federation Gateway, Exchange Online]

Active profile is the rich-client flow: Outlook sends the user's credentials to Exchange Online, the Federation Gateway presents them to the AD FS active (WS-Trust) endpoint, AD FS validates them against Active Directory and returns the token. Two consequences for the design: the password transits the Microsoft service, and the active endpoint must be reachable from the Internet through the AD FS proxy, so Internet-originated password attempts against it count against the Active Directory lockout policy.

Page 25: Supporting architecture for office 365 spo

AD FS 2.0 deployment options

1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)

[Diagram: Enterprise network with Active Directory and two AD FS 2.0 Servers serving the internal user; DMZ with two AD FS 2.0 Server Proxies]

Page 26: Supporting architecture for office 365 spo

ADFS: On Premise Topology

[Diagram: Enterprise network with Active Directory and two AD FS 2.0 Servers serving the internal user; DMZ with two AD FS 2.0 Server Proxies]

Page 27: Supporting architecture for office 365 spo

ADFS: Hybrid Topology: IAAS

[Diagram: Enterprise site with Active Directory and two AD FS 2.0 Servers for the internal user; IAAS site with Active Directory and two AD FS 2.0 Servers for the external user; the two sites connected by VPN]

Page 28: Supporting architecture for office 365 spo

ADFS: Hybrid Topology: IAAS

[Diagram: same layout with a single AD FS 2.0 Server per site: Enterprise (Active Directory, AD FS 2.0 Server, internal user) and IAAS (Active Directory, AD FS 2.0 Server, external user), connected by VPN]

Page 29: Supporting architecture for office 365 spo

ADFS: Hybrid Topology: Windows Azure

[Diagram: Enterprise with Active Directory and two AD FS 2.0 Servers, connected through an IPsec device to the Windows Azure Gateway; a Windows Azure Cloud Service hosting two AD FS 2.0 Servers behind a load-balanced endpoint]

Page 30: Supporting architecture for office 365 spo

ADFS: Cloud Topology: IAAS

[Diagram: IAAS hosting Active Directory and two AD FS 2.0 Servers, serving both internal and external users]

Page 31: Supporting architecture for office 365 spo

ADFS 2.X

ADFS supports multiple forests

ADFS supports multiple domains

ADFS 2.0 Rollup 2

ADFS 2.1 with Windows Server 2012

Use Smart Links for SPO: a bookmarkable URL that sends the browser straight to your AD FS sign-in page for the SharePoint Online realm, skipping the home-realm discovery prompt at login.microsoftonline.com

Page 32: Supporting architecture for office 365 spo

Key takeaways

ADFS requires a public (CA-issued) certificate only for client communications, i.e. the service communications / SSL certificate; token signing and token decrypting can use self-signed certificates, because Office 365 trusts the public key it has on file rather than a CA chain

The workflow and the AD FS endpoint differ depending on the application you use: passive (web browser), rich client (Lync), active (Outlook)

Troubleshooting is not always easy; e.g. it requires understanding how to use tools like Fiddler2
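The first two takeaways can be verified from the AD FS server rather than learned from a failed sign-in. The following is an added example, not code from the deck or from Microsoft, that reads the endpoints and the token-signing certificate Office 365 holds for a federated domain, compares the certificate with the one AD FS currently signs with, and shows which certificate must be CA-issued. It assumes the Microsoft.Adfs.PowerShell snap-in (AD FS 2.0/2.1) and the MSOnline module are installed on the primary AD FS server, and uses 'contoso.com' as a stand-in domain name.

```powershell
# Added example (not from the deck): check the AD FS <-> Office 365 trust from the primary AD FS
# 2.x server. Assumptions: the Microsoft.Adfs.PowerShell snap-in and the MSOnline module are
# installed, and 'contoso.com' stands in for your federated domain.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 / 2.1
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.com'
$cloud  = Get-MsolDomainFederationSettings -DomainName $domain

# The endpoints Office 365 has on file; which one is exercised depends on the client type.
"Passive (browser, WS-Federation):      $($cloud.PassiveLogOnUri)"
"Active  (Outlook, WS-Trust):           $($cloud.ActiveLogOnUri)"
"MEX     (Lync and other rich clients): $($cloud.MetadataExchangeUri)"

# Service communications certificate: the one that must be CA-issued, since browsers, rich
# clients and the Federation Gateway all have to build a chain to it.
$svc = Get-ADFSCertificate -CertificateType Service-Communications
"SSL cert: $($svc.Certificate.Subject), expires $($svc.Certificate.NotAfter)"

# Token-signing certificate: may be self-signed, because Office 365 keeps the public key it was
# given when the domain was converted to federated (plus an optional "next" certificate for
# rollover). Compare what the tenant trusts with the certificate AD FS actually signs with.
$trusted = @($cloud.SigningCertificate, $cloud.NextSigningCertificate) | Where-Object { $_ } | ForEach-Object {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[Convert]::FromBase64String($_))).Thumbprint
}
$primary = (Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate

if ($trusted -contains $primary.Thumbprint) {
    "Token-signing cert in sync: $($primary.Thumbprint), expires $($primary.NotAfter)"
} else {
    "MISMATCH: Office 365 trusts $($trusted -join ', '); AD FS signs with $($primary.Thumbprint)."
    "Federated sign-ins will fail until you run: Update-MsolFederatedDomain -DomainName $domain"
}
# That private key is the trust anchor for the whole tenant: whoever holds it can mint tokens
# for any federated user, so restrict it to the AD FS service account and the AD FS hosts.
```

Get-MsolFederationProperty -DomainName performs the same side-by-side comparison of the AD FS and Office 365 settings in one call; the explicit version above is useful when you want the thumbprints and expiry dates in a monitoring job, since an unnoticed automatic certificate rollover is the usual way a working federation trust breaks.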

Page 33: Supporting architecture for office 365 spo

Demo ADFS

Page 34: Supporting architecture for office 365 spo

Windows Azure Active Directory

Page 35: Supporting architecture for office 365 spo

Windows Azure Active Directory

W.A.A.D. is a modern, REST-based service that provides identity and access control for your cloud applications.

Already used in:
- Windows Azure
- Office 365
- Dynamics CRM Online
- Windows Intune
- 3rd party cloud services

Page 36: Supporting architecture for office 365 spo

Windows Azure Active Directory

W.A.A.D. integrates with the domain credentials of your local AD via ADFS

W.A.A.D. integrates with the Access Control Service

W.A.A.D. integrates with the Graph API, which lets you read a subset of the entities in the directory: Users, Groups, Roles, Subscriptions, Tenant Details, and some of the relationships that tie those together. At the time of this deck the interaction is read-only

Page 37: Supporting architecture for office 365 spo

Windows Azure Active Directory

Page 38: Supporting architecture for office 365 spo

GO TRY IT OUT