synchronizing and managing identities between active directory on prem and sharepoint online -...
TRANSCRIPT
Antonio MaioSenior SharePoint Architect & Senior ManagerMicrosoft SharePoint Server MVP
Synchronizing and Managing Identities Between Active Directory On-Prem and SharePoint Online
Email: [email protected]: www.trustsharepoint.comSlide share: http://www.slideshare.net/AntonioMaio2Twitter: @AntonioMaio2
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
About Protiviti
INDIA (3)
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
• 2,500+ professionals
• 1,000+ clients
• 70+ offices
• Over 20countries in the Americas, Europe and Asia-Pacific
Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Sensitive Data
PII, PCI, PHI
Access to
Systems/Data
Log & Track
Access
Identity Theft
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
…moving to the Cloud
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Why Hybrid?
• Get started slowly | Take small steps | Explore cloud services
• Access to collaboration features for extranet & remote users
• Employees connect to Corp. resources/content from almost anywhere
• 3rd party solutions or custom code – continue to use & extend to cloud
• Retain corporate control & storage of sensitive data
Hybrid Deployments
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Identity Models for Office 365
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Cloud Identity Model
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Synchronized Identity Model
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Federated Identity Model
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Make the Simplest Choice
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Selecting an Identity ModelI need to…
Directory Sync Scenario
Directory Sync with Password Sync
Directory Sync with Single Sign-On
Sync new user, contact, & groups created in on-premises Active Directory to cloud automatically
Sync incremental updates made to existing accounts in on-premises Active Directory to cloud automatically
Set up my tenant for Office 365 hybrid scenarios
Enable users to sign in to cloud services using on-premises password
Reduce password administration costs
Control password policies from on-premises Active Directory
Enable cloud-based multi-factor authentication solutions
Enable on-premises multi-factor authentication solutions
Ensure user authentications occur in on-premises Active Directory
Implement single sign-on using corporate credentials
Customize the user Sign-In page
Limit access to cloud services based on the location, client type or Exchange endpoint of the client
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
Multi-steps process
1. Prepare for Directory Synchronization• Prerequisites, Permissions, Understand Limits
• Alternate UPN Suffix for .local Domain
• Clean Up Active Directory
2. Activate Directory Synchronization• Register your Domain with Office 365 & Validate Ownership
• Use “Microsoft Deployment Readiness Tool”
3. Setup Directory Synchronization Server• Option: Hybrid Deployment
• Option: Enable Password Synchronization
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
DEMONSTRATION
Active Directory DirSync
On Premise (Azure for Demo) Cloud
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
Multi-steps process
1. Prepare for Directory Synchronization• Prerequisites, Permissions, Understand Limits
• Alternate UPN Suffix for .local Domain
• Clean Up Active Directory
2. Activate Directory Synchronization• Register your Domain with Office 365 & Validate Ownership
• Use “Microsoft Deployment Readiness Tool”
3. Setup Directory Synchronization Server• Option: Hybrid Deployment
• Option: Enable Password Synchronization
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Alternate UPN Suffix for .local Domain
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Alternate UPN Suffix for .local Domain
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Clean up Active Directory – set UPN for each user identity
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
• Clean up Active Directory – set proxyAddresses each user identity
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
• Clean up Active Directory – set proxyAddresses each user identity
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
Multi-steps process
1. Prepare for Directory Synchronization• Prerequisites, Permissions, Understand Limits
• Alternate UPN Suffix for .local Domain
• Clean Up Active Directory
2. Activate Directory Synchronization• Register your Domain with Office 365 & Validate Ownership
• Use “Microsoft Deployment Readiness Tool”
3. Setup Directory Synchronization Server• Option: Hybrid Deployment
• Option: Enable Password Synchronization
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Register Domain with Office 365 & Validate Ownership
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Register Domain with Office 365 & Validate Ownership
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Register Domain with Office 365 & Validate Ownership
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Register Domain with Office 365 & Validate Ownership
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Register Domain with Office 365 & Validate Ownership
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Activate Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync• Activate Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
Multi-steps process
1. Prepare for Directory Synchronization• Prerequisites, Permissions, Understand Limits
• Alternate UPN Suffix for .local Domain
• Clean Up Active Directory
2. Activate Directory Synchronization• Register your Domain with Office 365 & Validate Ownership
• Use “Microsoft Deployment Readiness Tool”
3. Setup Directory Synchronization Server• Option: Hybrid Deployment
• Option: Enable Password Sync
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
• Requires: AD Enterprise Domain Admin Acct
• Requires: O365 Service Admin Acct
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
Multi-steps process
1. Prepare for Directory Synchronization• Prerequisites, Permissions, Understand Limits
• Alternate UPN Suffix for .local Domain
• Clean Up Active Directory
2. Activate Directory Synchronization• Register your Domain with Office 365 & Validate Ownership
• Use “Microsoft Deployment Readiness Tool”
3. Setup Directory Synchronization Server• Option: Hybrid Deployment
• Option: Enable Password Synchronization
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
• After users & groups are synchronized
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Directory Sync
Multi-steps process
1. Prepare for Directory Synchronization• Prerequisites, Permissions, Understand Limits
• Alternate UPN Suffix for .local Domain
• Clean Up Active Directory
2. Activate Directory Synchronization• Register your Domain with Office 365 & Validate Ownership
• Use “Microsoft Deployment Readiness Tool”
3. Setup Directory Synchronization Server• Option: Hybrid Deployment
• Option: Enable Password Synchronization
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Identity Federation
Multi-steps process:
1. Prepare for Single Sign On• Prerequisites, Prepare Active Directory
• Prepare Network infrastructure for Federation servers
2. Setup the On Premise Security Token Service (STS) - Active Directory Federation Services (ADFS)
• Set up Windows PowerShell for SSO with AD FS
• Set up trust between AD FS and Azure AD
3. Setup Directory Synchronization
4. Verify & Manage Single Sign On
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Identity Federation
Multi-steps process:
1. Prepare for Single Sign On• Prerequisites, Prepare Active Directory
• Prepare Network infrastructure for Federation servers
2. Setup the On Premise Security Token Service (STS) - Active Directory Federation Services (ADFS)
• Set up Windows PowerShell for SSO with AD FS
• Set up trust between AD FS and Azure AD
3. Setup Directory Synchronization
4. Verify & Manage Single Sign On
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Identity Federation
Multi-steps process:
1. Prepare for Single Sign On• Prerequisites, Prepare Active Directory
• Prepare Network infrastructure for Federation servers
2. Setup the On Premise Security Token Service (STS) - Active Directory Federation Services (ADFS)
• Set up Windows PowerShell for SSO with AD FS
• Set up trust between AD FS and Azure AD
3. Setup Directory Synchronization
4. Verify & Manage Single Sign On
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Configuring Identity Federation
Multi-steps process:
1. Prepare for Single Sign On• Prerequisites, Prepare Active Directory
• Prepare Network infrastructure for Federation servers
2. Setup the On Premise Security Token Service (STS) - Active Directory Federation Services (ADFS)
• Set up Windows PowerShell for SSO with AD FS
• Set up trust between AD FS and Azure AD
3. Setup Directory Synchronization
4. Verify & Manage Single Sign On
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Overall Benefits
• Reduced administration costs• Leveraging your already existing on-premises user and group
accounts
• Improved productivity• Significantly reduce the amount of time it takes to make cloud based
services accessible
• Increased security• Ensures that only those appropriate users have access to your
corporate assets
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.
Step by Step Procedures
Please see 2 blog posts:• Part 1: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=142
• Part 2: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=165
This deck will be posted to my blog: www.trustsharepoint.com
Email: [email protected]: www.trustsharepoint.comSlide share: http://www.slideshare.net/AntonioMaio2Twitter: @AntonioMaio2
Managing and Synchronizing IdentitiesBetween Active Directory On-Prem and SharePoint Online
Antonio MaioSenior SharePoint Architect & Senior ManagerMicrosoft SharePoint Server MVP
Thank You – Question and Answer