Sparkhound Senior Infrastructure Consultant David Pechon discusses Identity Management for O365 and Azure at the 2015 SharePoint TechFest Dallas event held at the Irving Convention Center. Learn how Active Directory Federation Services and DirSync allow you to synchronize your organization’s Active Directory and use it to authenticate users to Office 365 applications, such as Exchange Online, OneDrive for Business and SharePoint Online.
Identity Management for Office 365 and Microsoft Azure
1. Identity Management for Office 365/Microsoft Azure
PRESENTED BY:
David Pechon, Jr.
VCP5-DCV, MCSA
2. About David
• Started in IT in 1997 as an Information Systems Operator/Analyst in the US Army
• Spent most of IT career in the financial services sector, working for three banks and a loan servicing company.
• Prior consulting work with managed service providers and value added resellers.
• Certifications include Microsoft Certified Solutions Associate: Office 365 and VMware Certified Professional 5 – Datacenter Virtualization
• Married with two children, lives in Ponchatoula, die hard Cubs fan, and likes to grill meat.
• Fun Fact: I’m an amateur calligrapher and have been since I was 11.
david.pechon@sparkhound.com
@davidpechon
http://linkedin.com/in/davidpechonjr
4. What’s covered in this presentation?
• What is Azure Active Directory (AAD)
• Sync your on-prem AD with Azure Active Directory
• Active Directory Federation Services
• Azure Access Control Services
• Branding
6. What is Azure Active Directory?
• Active Directory services hosted in Azure that provide identity management for Microsoft cloud applications such as Exchange Online, SharePoint Online, Dynamics, Windows Intune, and apps hosted in Azure.
• Third party cloud apps such as Salesforce and Box can use Azure AD as their identity provider.
• Integrates with on-premises Active Directory using the directory sync tool, which synchronizes attributes and password hashes.
• Accounts can be managed from PowerShell with the Azure Active Directory Module for Windows PowerShell (the MSOnline module), which depends on the Microsoft Online Services Sign-In Assistant.
• With Active Directory Federation Services you can provide single sign-on.
• Multi-factor authentication is available.
7. Common Features of Azure AD
• Directory as a service (1)
• User and group management using the UI or PowerShell
• Access Panel portal for SSO-based user access to SaaS and custom apps (2)
• User-based application access management and provisioning
• Self-service password change for cloud users
• Directory Sync tool
• Standard security reports
1. Up to 500k objects in the Free edition, unlimited in Basic and Premium. The object limit does not apply to Office 365, Windows Intune, or any other Microsoft online service.
2. Up to 10 apps visible in the access panel in Free and Basic. No app limit in Premium.
8. Basic and Premium Features
Feature                                                     | Basic | Premium
99.9% SLA uptime                                            |   √   |    √
Group-based application access management and provisioning  |   √   |    √
Custom branding of sign-on page and access panel            |   √   |    √
Self-service password reset                                 |   √   |    √
App Proxy: secure remote access and SSO to on-prem web apps |   √   |    √
Self-service group management for cloud users               |       |    √
Microsoft Identity Manager server licenses for syncing      |       |    √
Advanced anomaly security reports                           |       |    √
Advanced application usage reporting                        |       |    √
Multi-factor authentication service for cloud users         |       |    √
Multi-factor authentication server for on-prem users        |       |    √
9. Preparing the On-Premises AD
• Active Directory attributes must be cleaned up before synchronization.
• Users whose user principal name suffix is not a publicly routable domain verified in the tenant (e.g. domain.local) cannot sign in to the cloud with that UPN; add a routable UPN suffix to the forest and fix the UPNs before syncing.
• Remove duplicate UPNs and duplicate proxyAddresses values; both must be unique across the whole directory.
• Remove invalid characters from the givenName, sn (surname), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.
10. Identifying Problems
Office 365 OnRamp identifies issues but does not correct them.
IdFix can be used to identify errors and allows you to remediate some of them in place.
11. Fixing Errors: Use what your momma Microsoft gave you
Microsoft gives you ADUC, ADSI Edit, PowerShell, and other consoles and tools to correct attribute errors. For example, to move every user in one OU from a non-routable UPN suffix to a routable one (the new suffix must already be added to the forest's UPN suffixes, check with Get-ADForest):

    Import-Module ActiveDirectory
    $oldSuffix = 'domain.local'
    $newSuffix = 'example.com'
    # .Replace() is a case-sensitive .NET string method; if suffixes in your
    # directory vary in case, use the case-insensitive -replace operator instead.
    # Add -WhatIf to Set-ADUser for a dry run first.
    Get-ADUser -SearchBase "ou=text,dc=domain,dc=local" -SearchScope OneLevel -Filter * |
    ForEach-Object {
        $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
        $_ | Set-ADUser -Server yourDomainController -UserPrincipalName $newUpn
    }
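The UPN script above fixes one problem in one OU. The following is an added example, not part of the deck, that audits a whole OU for every class of problem slide 9 lists before the first sync: non-routable UPN suffixes, invalid characters in the mail-type and name-type attributes, and duplicate UPNs or proxyAddresses across users. It is read-only. The list of verified suffixes, the OU, and the character classes are assumptions to adjust; IdFix remains the authoritative check.

```powershell
# Added example (not from the deck): read-only pre-sync audit of on-prem AD.
Import-Module ActiveDirectory

$validSuffixes = @('example.com')               # assumption: domains verified in the tenant
$searchBase    = 'OU=Users,DC=domain,DC=local'  # assumption: OU holding sync candidates

# Characters Office 365 rejects in mail/mailNickname/proxyAddresses; UPNs also reject the apostrophe.
$badMailChars = '[\\%&*+/=?{}|<>();:,\[\]" ]'
$badUpnChars  = '[\\%&*+/=?{}|<>();:,\[\]"'' ]'
$controlChars = '[\x00-\x1f\x7f]'               # never valid in givenName/sn/displayName

$props = 'userPrincipalName','mail','mailNickname','proxyAddresses','givenName','sn','displayName'
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties $props

function New-Finding ($User, $Attribute, $Value, $Problem) {
    [pscustomobject]@{ User = $User; Attribute = $Attribute; Value = $Value; Problem = $Problem }
}

$findings = foreach ($u in $users) {
    $sam = $u.SamAccountName
    $upn = $u.UserPrincipalName

    # 1. UPN suffix must be a verified, routable domain, not domain.local
    if (-not $upn) {
        New-Finding $sam 'userPrincipalName' '' 'missing UPN'
    } else {
        $local, $suffix = $upn -split '@', 2
        if ($validSuffixes -notcontains $suffix) {
            New-Finding $sam 'userPrincipalName' $upn 'non-routable UPN suffix'
        }
        if ($local -match $badUpnChars) {
            New-Finding $sam 'userPrincipalName' $upn 'invalid character'
        }
    }

    # 2. Invalid characters in mail-type and name-type attributes
    foreach ($a in 'mail','mailNickname') {
        if ($u.$a -and $u.$a -match $badMailChars) { New-Finding $sam $a $u.$a 'invalid character' }
    }
    foreach ($a in 'givenName','sn','displayName') {
        if ($u.$a -and $u.$a -match $controlChars) { New-Finding $sam $a $u.$a 'control character' }
    }
    foreach ($addr in @($u.proxyAddresses)) {
        # only smtp:/SMTP: entries are checked; x500:/sip: entries are left alone
        if ($addr -match '^smtp:(.+)$' -and $Matches[1] -match $badMailChars) {
            New-Finding $sam 'proxyAddresses' $addr 'invalid character'
        }
    }
}

# 3. Duplicates across users (the cloud compares these case-insensitively)
$dupUpn = $users | Where-Object UserPrincipalName |
    Group-Object { $_.UserPrincipalName.ToLower() } | Where-Object Count -gt 1
$dupProxy = $users | ForEach-Object {
        $sam = $_.SamAccountName
        foreach ($p in @($_.proxyAddresses)) { [pscustomobject]@{ User = $sam; Address = $p.ToLower() } }
    } | Group-Object Address | Where-Object Count -gt 1

$findings | Format-Table -AutoSize
$dupUpn   | ForEach-Object { "Duplicate UPN $($_.Name): $($_.Group.SamAccountName -join ', ')" }
$dupProxy | ForEach-Object { "Duplicate proxyAddress $($_.Name): $($_.Group.User -join ', ')" }
```

Run it against the OUs you intend to sync, fix what it reports with ADUC, ADSI Edit or Set-ADUser, then re-run until it is clean; only then run IdFix and the first sync.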
13. Benefits of synchronizing Azure AD with on-premises AD
• DirSync synchronizes objects to Azure AD and, for some attributes, back to on-prem.
• Users see only one account for on-site applications and cloud applications.
• Users can use their existing AD account for third party cloud apps.
• Sync can be customized to cover a subset of AD objects.
• Users are managed from the on-premises AD environment.
14. Azure Active Directory Sync (DirSync)
• The wizard only sets up the initial synchronization.
• Supports a single forest.
• Only writes back attributes for a hybrid Exchange 2010/2013 environment.
• Filtering is not configured in the wizard; you set it up in the Forefront Identity Manager (FIM) Synchronization Service Manager that the DirSync installer includes.
• Download it from the Office 365 dashboard when setting up AD sync.
15. Azure Active Directory Sync
• Released in October 2014; originally used to sync only with Azure AD, but it can now also be used to sync for Office 365.
• Allows synchronization from multiple forests.
• More attribute sync options: you can select a minimal attribute set and customize flows.
• Supports password writeback.
• Forefront Identity Manager is completely replaced, but the Synchronization Service Manager (miisclient.exe) still exists with some changes.
• Also will soon be replaced by…
More info:
https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
16. Azure AD Connect
• Currently in public preview; will replace both the Azure Active Directory Sync Tool (DirSync) and Azure Active Directory Sync.
• Goes further than DirSync and AADS by also setting up Active Directory Federation Services (ADFS) and assisting with domain federation.
• Writeback: Azure AD objects can be written back to on-prem AD as users, groups, and devices.
• Domain-joined Windows 10 devices can be synced directly with Azure AD.
• Sync filtering based on AD groups allows a "pilot mode".
• Prevents accidental mass deletions by a deletion threshold set via PowerShell.
• Will be the single choice for Azure and Office 365 deployments.
17. Azure AD Connect tools
Wizard – unlike the DirSync wizard, you are given more options to set up synchronization.
As with AADS, FIM is replaced by the Synchronization Service Manager.
18. Filtering on DirSync
Using the miisclient.exe tool, you can set up filtering via attribute, or by organizational unit.
To tag every user in an OU for an attribute-based filter (extensionAttribute10 = synctocloud):

    Import-Module ActiveDirectory
    $ou = "<organizational unit>"
    # -Replace rather than -Add so the command is safe to re-run on users already tagged
    Get-ADUser -Filter 'Surname -like "*"' -SearchBase $ou |
        Set-ADUser -Replace @{ extensionAttribute10 = 'synctocloud' }
19. Filtering via Azure AD Sync/Connect
Filter by attribute using the Synchronization Rules Editor.
Filter by domain or OU using the Synchronization Service Manager UI.
20. Filtering via Azure AD Connect
Azure AD Connect now allows you to filter by group during setup.
22. What is ADFS?
Active Directory Federation Services (ADFS) is a server role that provides single sign-on for internal and external access to various web applications.
For Office 365, ADFS 2.0 is the minimum requirement. On Windows Server 2008 and 2008 R2 it is a separate download (the in-box role on those versions is ADFS 1.x, which Office 365 does not support). On Windows Server 2012 (ADFS 2.1) and 2012 R2 (ADFS 3.0) it is a role that can be installed.
23. How SSO with ADFS works:
1. The user signs in to Office 365 with a federated login (a UPN in a federated domain).
2. Azure AD detects that the domain is federated with an ADFS farm and redirects the browser to it.
3. For internal users on domain-joined machines, the browser can use integrated Windows authentication (Kerberos or NTLM) against the ADFS server, so no password prompt appears; this requires the ADFS URL to be in the browser's Local intranet zone, normally set in a GPO. External users, who reach ADFS through the proxy, and non-IE browsers are given a forms-based login page to enter a password.
4. When the credentials are verified, ADFS issues a signed token that is passed back to Office 365/Azure AD, which verifies the user's identity from it.
24. Claims rules with ADFS
Claims rules allow administrators to permit or deny federated logins based on IP address, group membership, geolocation, etc.
They are written in the Claim Rule Language, but basic rules can be set up using a wizard.
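The following is an added example, not from the deck, of what such a rule set looks like in the Claim Rule Language and how it is applied to the Office 365 relying party trust. It denies sign-ins that arrive from outside the corporate network unless the user is in an exception group. It assumes ADFS 3.0 (Windows Server 2012 R2), whose pipeline carries the insidecorporatenetwork claim, and a group named Remote-Access-Allowed, which is a hypothetical name.

```powershell
# Added example (not from the deck): client access policy for the Office 365 RP.
Import-Module ADFS               # loads automatically on 2012 R2; explicit for clarity
Import-Module ActiveDirectory

$rpName   = 'Microsoft Office 365 Identity Platform'         # RP created by Convert-MsolDomainToFederated
$groupSid = (Get-ADGroup 'Remote-Access-Allowed').SID.Value  # assumption: the exception group

# Issuance authorization rules. If any rule issues a deny claim the request is
# refused regardless of permit claims, so the deny rule can follow the permit.
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external access except for members of $groupSid"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep the current rules so the change can be reverted with the same cmdlet.
$backup = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$backup | Out-File "$env:TEMP\o365-authz-rules.backup.txt"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Check: show the rules as ADFS parsed them.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test from an external client before rolling this out: rich clients such as Outlook reach ADFS through the proxy too, so a deny rule that matches them will also cut off mail for everyone outside the exception group.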
25. ADFS Setup Tips
Never name the federation service or farm "ADFS", or give it the name of an existing object such as a server. The federation service name becomes the HOST/<name> service principal name on the ADFS service account, so reusing an existing name creates a duplicate SPN, and duplicate SPNs break Kerberos authentication to the farm.
Never expose your ADFS server to the world; that is what the ADFS Proxy (ADFS 2.x) or Web Application Proxy (ADFS 3.0) is for.
For larger deployments, use a load balancer in front of the proxies and another in front of the internal ADFS servers.
Create the relying party trust for Office 365 via PowerShell; don't build it manually:

    Import-Module MSOnline
    $cred = Get-Credential
    Connect-MsolService -Credential $cred
    Set-MsolADFSContext -Computer <FQDN of ADFS Server>
    Convert-MsolDomainToFederated -DomainName <Federated domain>
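Two checks that go with the tips above, as an added example that is not part of the deck: before building the farm, confirm the planned federation service name is not already registered as an SPN on some other object; after Convert-MsolDomainToFederated, compare what Azure AD stored for the domain with what the farm actually issues. The federation service name, service account, and domain are assumptions.

```powershell
# Added example (not from the deck): SPN conflict check and federation verification.
$fsName  = 'sts.example.com'       # assumption: planned federation service FQDN
$svcAcct = 'DOMAIN\svc_adfs'       # assumption: ADFS service account
$domain  = 'example.com'           # assumption: the domain being federated

# 1. HOST/<federation service name> must exist at most once, and only on the
#    service account. setspn -Q searches the forest for that exact SPN and prints
#    the DN of each object that holds it; setspn -X lists all duplicates forest-wide.
$q      = setspn -Q "HOST/$fsName" 2>&1
$owners = @($q | Where-Object { $_ -match '^CN=' })
switch ($owners.Count) {
    0       { "No SPN HOST/$fsName registered yet; setspn -S HOST/$fsName $svcAcct will create it." }
    1       { "SPN HOST/$fsName is registered on: $($owners[0])" }
    default { "CONFLICT: HOST/$fsName is held by several objects:`n$($owners -join "`n")" }
}

# 2. After federation: what Azure AD holds for the domain versus what the farm says.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# Get-MsolFederationProperty reads the farm through the ADFS context and lists the
# settings from both sides so a drift (e.g. a rotated token-signing certificate) is visible.
Set-MsolADFSContext -Computer $fsName
Get-MsolFederationProperty -DomainName $domain
```

Run the first check on any domain-joined machine with the RSAT tools; the second needs the MSOnline module and the Sign-In Assistant, and the ADFS context needs WinRM access to the farm node.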
27. What is Azure ACS?
A claims-based authentication mechanism that allows application developers to use public authentication providers (e.g. Facebook, Google, Windows Live ID) and an organization's ADFS for authentication.
Integrates with Windows Identity Foundation, supports OAuth 2.0, and can be used from the .NET Framework, PHP, Python, Java, and Ruby.
This is primarily used for publicly available web apps and SharePoint sites where you don't want to manage user accounts but still need people to authenticate to use your app.
Setting up ACS for SharePoint 2013:
https://technet.microsoft.com/en-us/library/dn635311.aspx
29. Branding the Office 365 Landing Page
In the Azure dashboard -> Active Directory -> Configure, you have the option to customize branding.
You can set up a default branding page, then variants by language, and add your images, sign-in text, and background colors.
31. Branding the ADFS Login Page
The ADFS login page can be branded using two PowerShell commands (ADFS 3.0 on Windows Server 2012 R2; the paths are local to the ADFS server):
For the logo banner on the right side (240x35px @ 96 dpi):
    Set-AdfsWebTheme -TargetName default -Logo @{ path = 'C:\images\logo.png' }
For the image on the left:
    Set-AdfsWebTheme -TargetName default -Illustration @{ path = 'C:\images\image.jpg' }
Source: https://technet.microsoft.com/en-us/library/dn280950.aspx
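The two commands above modify the built-in default theme. As an added example that is not from the deck, the same branding applied to a copy of the default theme, so the change can be reverted by switching the active theme back. The theme name and image paths are assumptions.

```powershell
# Added example (not from the deck): brand a copy of the default ADFS 3.0 theme.
$theme = 'contoso'                                   # assumption: custom theme name
$logo  = 'C:\branding\logo.png'                      # assumption: 240x35 logo on the ADFS server
$image = 'C:\branding\illustration.jpg'              # assumption: left-hand illustration

# Create the copy once; Get-AdfsWebTheme errors for an unknown name, so silence that.
if (-not (Get-AdfsWebTheme -Name $theme -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $theme -SourceName default
}

Set-AdfsWebTheme -TargetName $theme `
    -Logo         @{ path = $logo } `
    -Illustration @{ path = $image }

# Switch the farm to the branded copy; the default theme stays untouched.
Set-AdfsWebCustomization -ActiveThemeName $theme

# Roll back at any time with:
#   Set-AdfsWebCustomization -ActiveThemeName default
```

Because the theme lives in the ADFS configuration database, running this on one farm node is enough; the Web Application Proxy serves whatever the farm returns.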
34. Can I set up my directory synchronization and ADFS in the cloud too?
All services can be installed in Azure, so long as you have a VPN to your on-premises environment.
SLIDE PURPOSE: Describe our Market Differentiators – our end-to-end business approach and driving a meaningful impact
SPIEL: How do we make an impact? We make it happen with consultants who think far beyond tomorrow, solutions that push the boundaries of technology’s promise, and support that frees you to focus on what you do best.
These are the items that will be covered in this presentation
Azure AD is a
All of these features are offered by all levels of Azure AD. There are some limitations; however, if you are using a Microsoft online service, you don’t have to worry about this limit. The 10-app limit is just how many apps they can see in the access panel at one time.
These features are only available in the basic and premium editions.
Azure ACS is basically a claims-based authentication service very similar to ADFS. What makes it unique is that rather than authenticating your organization’s users, you use it to authenticate external users such as customers, commenters, etc. The difference is that you don’t have to manage these accounts; users sign in with an account they already have.
Basically, any web app or SharePoint site you host in Azure, can have Facebook, Google, or Windows Live accounts authenticate to it.
Keep in mind, don’t confuse the SharePoint farm in this graphic for SharePoint online that comes with Office 365. Azure has the ability to spin up VMs for SharePoint, granted you have the licensing for it and to get more flexibility out of SharePoint 2013 while leveraging the scalability of Azure.
Before wrapping up, I’m sure many of you may be wondering….
Can I setup all of these services in the cloud? The answer is yes. Basically you would treat Azure just like another physical site. You’d have a domain controller, dirsync server, ADFS servers, and proxies.