3. 3 | SharePoint Saturday Michigan 2013
Outline
Office 365 Overview
Changing the Identity Perspective
Authentication vs. Authorization
Who Are You?
What Do You Do Here?
Who’s in Charge Here?
4.
Email and Calendaring
Websites and Collaboration
IM and Online Meetings
Office Client and Web Apps
Hosted by Microsoft – in the cloud!
5.
Changing the Identity Perspective
6.
Did Someone say Cloud?
7.
What’s Your Perspective?
10.
Authentication vs. Authorization
Who gets in?
What can they do?
11.
Who gets in?
Where do your Office 365 user accounts live?
What is needed to use them?
What can they do?
What are the limitations of the approach?
12.
Who Are You?
13.
Identity Options
1. Microsoft Online (MSO) IDs
2. MSO IDs + Directory Synchronization
3. Single Sign On + Directory Synchronization
Diagram: Your Environment (Active Directory; Directory Sync; Active Directory Federation Services 2.0 acting as IdP, with a Trust to the Microsoft Online IdP) and Microsoft Online Services (Identity Services: Provisioning platform, Authentication platform, Directory Store, IdP; Admin Portal/PowerShell; Office 365 Desktop Setup; consumed by Exchange Online, SharePoint Online and Lync Online).
14.
What can they do?

1. Microsoft Online (MSO) IDs
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud

2. MSO IDs + Directory Synchronization
Appropriate for
• Medium/Large orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Single server deployment

3. Single Sign On + Directory Synchronization
Appropriate for
• Larger enterprise orgs with AD on-premise
Pros
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
15.
Sign On Experience *
SSO vs. Online IDs Summary

Client                                          SSO IDs (domain joined)   SSO IDs (non-domain joined)   MS Online IDs
Outlook Web Application                         AD credentials            AD credentials                Online ID
SharePoint Web Application                      AD credentials            AD credentials                Online ID
ActiveSync, POP, IMAP, Entourage                AD credentials            AD credentials                Online ID
Outlook 2007 or 2010 (Win7/Vista/XP,
  Office 2010 or Office 2007 SP2)               AD credentials            AD credentials                Online ID
Lync Online (Win7/Vista/XP)                     AD credentials            AD credentials                Online ID

* Requires ADFS 2.0
16.
How does AD FS work?
Claims authentication
Think of it like a passport
Passport Application: you prove who you are to your own authority (Active Directory, through AD FS) and receive a signed document, the token
Visa Application: you present that passport to the country you want to enter (Office 365), which trusts the issuer instead of re-checking your identity itself
Submit for authorization: the service decides what that passport lets you do
Allowed access
17.
AD FS’s Authentication flow
Your Environment: Client (joined to CorpNet), AD FS 2.0 Server, Active Directory. Microsoft Online Services: Authentication platform, Exchange Online or SharePoint Online.
1. The client authenticates to the AD FS 2.0 Server, which validates the user against Active Directory.
2. AD FS issues a Logon (SAML 1.1) Token carrying two claims: UPN: user@contoso.com and Source User ID: ABC123 (the ImmutableID claim, derived from the user’s AD objectGUID).
3. The client presents that token to the Microsoft Online Authentication platform, which checks it against the federation trust and issues its own Auth Token: UPN: user@contoso.com, Unique ID: 254729.
4. The Auth Token is what gets the client into Exchange Online or SharePoint Online.
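The trust in step 3 only holds while the issuer URI and token-signing certificate that Office 365 stores for the domain match what the AD FS farm actually uses; a rolled-over signing certificate that was never pushed to the tenant makes every token fail, which is the outage the next slides warn about. The following script is an added example, not from the deck: it reads both sides and flags drift. It assumes the MSOnline module and the AD FS 2.0 PowerShell snap-in are available (so it is run on an AD FS server), and contoso.com is a placeholder domain.

```powershell
# Added example (not from the deck): compare the federation settings Office 365
# holds for a domain with what the AD FS 2.0 farm presents.
# Assumes: MSOnline module, AD FS 2.0 snap-in (run on an AD FS server),
# and a placeholder federated domain of contoso.com.
param(
    [string]$Domain = "contoso.com"   # placeholder: your federated domain
)

Import-Module MSOnline
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

Connect-MsolService   # prompts for a tenant admin credential

# What the tenant believes about the trust
$fed = Get-MsolDomainFederationSettings -DomainName $Domain

# What the farm is really configured with
$adfs    = Get-ADFSProperties
$signing = Get-ADFSCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }

# The tenant stores the signing cert as base64 DER; decode it so thumbprints compare
$bytes      = [Convert]::FromBase64String($fed.SigningCertificate)
$tenantCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

$issuerOk = ($fed.IssuerUri -eq $adfs.Identifier)
$certOk   = ($tenantCert.Thumbprint -eq $signing.Thumbprint)

[PSCustomObject]@{
    Domain          = $Domain
    TenantIssuerUri = $fed.IssuerUri
    AdfsIdentifier  = $adfs.Identifier
    IssuerMatch     = $issuerOk
    TenantCertThumb = $tenantCert.Thumbprint
    AdfsCertThumb   = $signing.Thumbprint
    CertMatch       = $certOk
    AdfsCertExpires = $signing.Certificate.NotAfter
    TenantHasNext   = [bool]$fed.NextSigningCertificate
}

if (-not ($issuerOk -and $certOk)) {
    # Office 365 will reject tokens signed by a cert it does not know about.
    Write-Warning ("Trust drift for {0}: run Update-MsolFederatedDomain -DomainName {0} from an AD FS server." -f $Domain)
}
```

Run it a few weeks before the AD FS token-signing certificate expires (AdfsCertExpires) and again right after any rollover: AD FS 2.0 auto-generates a new certificate, but the tenant only learns about it when Update-MsolFederatedDomain is run, and TenantHasNext tells you whether the upcoming certificate has already been published.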
18.
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server or UAG/TMG (External Users, ActiveSync, Outlook)
Diagram: in the Enterprise network, Active Directory and one or more AD FS 2.0 Servers serve the internal user; in the DMZ, AD FS 2.0 Proxy servers front the farm for the external user.
19.
ADFS Considerations
Can you afford an outage? (if AD FS is down, federated users cannot sign in to any Office 365 service)
How do you secure it?
It’s complex
Requires specific AD config
UPN formatting (the UPN suffix must be a domain verified in the tenant; a non-routable suffix such as .local will not federate)
Requires DirSync
Other options available
Shibboleth
Ping
Okta
Hat tip: @usher
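The UPN requirement is the AD configuration item that most often blocks a federation project, so it is worth auditing before DirSync is switched on. This script is an added example, not from the deck: it lists every AD user whose UPN suffix is not a verified domain in the tenant and can rewrite them. It assumes the ActiveDirectory and MSOnline modules; the OU, the contoso.com suffix and the -Fix switch are placeholders of this script, not of any Microsoft tool.

```powershell
# Added example (not from the deck): audit AD UPN suffixes against the tenant's
# verified domains. Office 365 only federates a UPN whose suffix is verified,
# so users with a contoso.local style suffix cannot use SSO.
# Assumes ActiveDirectory + MSOnline modules; OU, suffix and -Fix are placeholders.
param(
    [string]$SearchBase = "OU=Users,DC=contoso,DC=local",   # placeholder OU
    [string]$NewSuffix  = "contoso.com",                    # placeholder verified domain
    [switch]$Fix                                            # this script's own switch
)

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# Domains the tenant has actually verified; anything else will not federate
$verified = Get-MsolDomain |
            Where-Object { $_.Status -eq "Verified" } |
            ForEach-Object { $_.Name.ToLower() }

if ($verified -notcontains $NewSuffix.ToLower()) {
    throw "$NewSuffix is not a verified domain in this tenant; pick one that is."
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName

$bad = foreach ($u in $users) {
    # A missing UPN yields an empty suffix, which is also flagged
    $suffix = ""
    if ($u.UserPrincipalName) {
        $suffix = ($u.UserPrincipalName -split "@")[-1].ToLower()
    }
    if ($verified -notcontains $suffix) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            CurrentUPN     = $u.UserPrincipalName
            ProposedUPN    = "$($u.SamAccountName)@$NewSuffix"
        }
    }
}

$bad | Format-Table -AutoSize

if ($Fix) {
    foreach ($b in $bad) {
        # Rewrites the on-premise UPN; DirSync carries it up on its next run
        Set-ADUser -Identity $b.SamAccountName -UserPrincipalName $b.ProposedUPN
    }
}
```

Run it without -Fix first and review the list: the proposed UPN is built from sAMAccountName, which may collide with an existing e-mail address or another user, and changing a UPN changes the name people sign in with. For users that are already synchronized, check the tenant copy afterwards (Get-MsolUser) and use Set-MsolUserPrincipalName if the cloud UPN did not follow.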
20.
Directory Synchronization
One-way or two-way copy of accounts to Office 365
Required for SSO/ADFS
But can be used without AD FS
Required for Hybrid scenarios
Think of it as an appliance, always running
21.
How DirSync Fits in
Diagram: the identity-options picture from slide 13 again, with Directory Sync in Your Environment copying Active Directory objects into the Directory Store of the Microsoft Online Services Identity Services (which also hold the Authentication platform and IdP), next to Active Directory Federation Services 2.0’s Trust to the Microsoft Online IdP and Office 365 Desktop Setup; the consumers are Exchange Online, SharePoint Online and Lync Online.
22.
Getting to know DirSync
It’s actually Forefront Identity Manager
Copies AD accounts into Office 365
But not back down
Doesn’t sync passwords (without AD FS, users keep a separate cloud password)
Filtering now available
Can have sizing issues
Upload sizing
Database sizing
FIM: no touchy! (maybe)
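Two things are worth checking on a running DirSync: that the appliance is still running, and that each cloud user is anchored to the right AD object. DirSync stamps the cloud user with ImmutableId, the base64 form of the source objectGUID, and that is the value the AD FS ImmutableID claim is matched against, so a mismatch (user deleted and recreated in AD, object moved between forests) means SSO fails or a duplicate cloud object appears. This script is an added example, not from the deck; it assumes the ActiveDirectory and MSOnline modules, and the user name and the 3-hour interval (DirSync’s default schedule) are placeholders.

```powershell
# Added example (not from the deck): DirSync health check.
# 1. Has the appliance synced recently?  2. Is this AD user the object the cloud
# user is anchored to?  ImmutableId = Base64(objectGUID) of the source AD object.
# Assumes ActiveDirectory + MSOnline modules; user and interval are placeholders.
param(
    [string]$SamAccountName = "jdoe",   # placeholder user
    [int]$MaxSyncAgeHours   = 3         # placeholder: DirSync's default interval
)

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# --- 1. Is the appliance still running? ---
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not enabled on this tenant."
}
if ($company.LastDirSyncTime) {
    $age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
    if ($age.TotalHours -gt $MaxSyncAgeHours) {
        Write-Warning ("Last DirSync run was {0:N1} hours ago; expected every {1} hours." -f $age.TotalHours, $MaxSyncAgeHours)
    }
} else {
    Write-Warning "Tenant has never received a DirSync run."
}

# --- 2. Does the cloud object anchor to this AD object? ---
$adUser   = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

$cloud = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue

$cloudImmutable = "<no cloud user>"
$cloudSynced    = $null
$anchored       = $false
if ($cloud) {
    $cloudImmutable = $cloud.ImmutableId
    $cloudSynced    = $cloud.LastDirSyncTime
    $anchored       = ($cloud.ImmutableId -eq $expected)
}

[PSCustomObject]@{
    UPN               = $adUser.UserPrincipalName
    AdObjectGuid      = $adUser.ObjectGUID
    ExpectedImmutable = $expected
    CloudImmutable    = $cloudImmutable
    Anchored          = $anchored
    LastDirSyncTime   = $cloudSynced
}

if ($cloud -and -not $anchored) {
    # The AD FS ImmutableID claim for this user will not match the cloud object.
    Write-Warning "ImmutableId mismatch: the cloud user is anchored to a different AD object."
}
```

A cloud user with an empty CloudImmutable was created in the portal rather than by DirSync; DirSync will soft-match it on the primary SMTP address on the next run, and the Anchored column tells you once that has happened. An object that is synced but anchored elsewhere is the case to fix on-premise before touching FIM.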
23.
What Do You Do Here?
25.
Who’s in Charge Here?
26.
Managing Identity in Office 365
Admin activities do not go away
AD FS is complex
And important!
PowerShell is your friend
How’s your internet connection?
Office 365 is constantly changing