5. Introduction to identity options
1. MS Online IDs
Appropriate for
• Smaller organizations without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA (strong authentication)
• 2 sets of credentials to manage, with differing password policies
• Users and groups mastered in the cloud
2. MS Online IDs + DirSync
Appropriate for
• Orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO (but password sync)
• No 2FA
• 2 sets of credentials to manage, with differing password policies
• Single server deployment (no high availability)
3. Federated IDs + DirSync
Appropriate for
• Larger enterprise organizations with AD on-premise
Pros
• SSO with corporate credentials
• Users and groups mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
7. What is DirSync?
"…is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize a subset of your on-premise Active Directory with Windows Azure Active Directory (Office 365)."
8. Why use DirSync?
Long term coexistence between Active Directory on-premise and Windows Azure Active Directory.
(Easy/quick provisioning*)
Single place for managing identities, including:
• Users
• Groups
• Memberships
• …
Enabler for Hybrid Deployments (required)
• Two-way Directory Synchronization
9. Deployment Considerations
Active Directory Assessment
• Prerequisites check (Readiness Tool)
Topology
• Single forest?
• Multiple domains?
Security
• Firewalls, permissions (the sync account needs read access to every domain it syncs, and write access to the write-back attributes)
64-bit only!
Activation/deactivation of directory sync on the tenant can take some time to complete
Object filtering required?
SQL version; Windows Server 2012 supported
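The checks below are an added example, not part of the deck and not Microsoft's Readiness Tool. They cover the assessment points on this slide from the prospective DirSync server: the 64-bit requirement, forest/domain topology, UPN suffixes that are not verified tenant domains (those users land under the default onmicrosoft.com name, which defeats SSO expectations), per-OU object counts to judge whether filtering is needed, and the tenant's current sync state. It assumes the ActiveDirectory RSAT module and the MSOnline module are installed and that Connect-MsolService has already been run; every name is a placeholder.

```powershell
# Added example (not from the deck). Assumes ActiveDirectory and MSOnline
# modules are present and Connect-MsolService has been run.
Import-Module ActiveDirectory
Import-Module MSOnline

# 1. DirSync is 64-bit only.
if (-not [Environment]::Is64BitOperatingSystem) {
    throw "DirSync requires a 64-bit Windows server."
}

# 2. Topology: how many domains must the sync account be able to read?
$forest = Get-ADForest
"Forest {0}: {1} domain(s): {2}" -f $forest.Name, $forest.Domains.Count, ($forest.Domains -join ', ')

# 3. UPN suffixes: anything that is not a verified tenant domain is a problem
#    for federated sign-in, so list those users before the first sync.
$verified = (Get-MsolDomain -Status Verified).Name
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$bad = @($users | Where-Object {
    -not $_.UserPrincipalName -or
    ($_.UserPrincipalName.Split('@')[1] -notin $verified)
})
"{0} of {1} enabled users have no UPN or a UPN suffix that is not a verified domain" -f $bad.Count, $users.Count
$bad | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 4. Object volume per OU: without filtering, every matching object is pushed
#    to the cloud, so large service-account or test OUs are candidates to exclude.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    [pscustomobject]@{
        OU    = $_.DistinguishedName
        Users = @(Get-ADUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
    }
} | Sort-Object Users -Descending | Format-Table -AutoSize

# 5. Is the tenant already sync-enabled, and when did it last sync?
#    (Toggling this with Set-MsolDirSyncEnabled is the slow de/activation step.)
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
```

Run it under an account with read access to all domains in the forest; a non-zero count in step 3 usually means adding a routable UPN suffix in AD and fixing those users before enabling sync.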
11. What objects are synced?
From AD to Office 365: http://support.microsoft.com/kb/2256198
From Office 365 to AD (aka write-back), the Exchange "full fidelity" feature attributes:
• SafeSendersHash, BlockedSendersHash, SafeRecipientHash: Filtering. Writes back on-premises filtering and online safe and blocked sender data from clients.
• msExchArchiveStatus: Online Archive. Enables customers to archive mail.
• ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500): Enable Mailbox. Off-boards an online mailbox back to on-premises Exchange.
• msExchUCVoiceMailSettings: Enable Unified Messaging (UM), online voice mail. This new attribute is used only for UM-Microsoft Lync Server 2010 integration, to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.
13. ADFS: On Premise Topology
[Diagram (slides 13 and 14 show the same topology): Enterprise network with internal users, Active Directory and a farm of AD FS 2.0 servers; DMZ with AD FS 2.0 server proxies in front of the farm.]
15. ADFS: Hybrid Topology: IAAS
[Diagram (slides 15 and 16): Enterprise network with internal users, Active Directory and AD FS 2.0 servers; IAAS with external users, Active Directory and AD FS 2.0 servers. Slide 15 shows two AD FS 2.0 servers on each side, slide 16 one on each side.]
17. ADFS: Cloud Topology: IAAS
[Diagram: IAAS only, serving both internal and external users, with Active Directory and two AD FS 2.0 servers.]
19. Windows Azure & ADFS
• Virtual Network support: site-to-site VPN
• Computing: 99.95% SLA uptime for a highly available system, 99.9% SLA uptime for a single system
• Storage: 99.9%
• Full control over your virtual machines
• Pay as you go, OPEX vs CAPEX
• PowerShell support
20. Windows Azure: Terminology
Cloud Service: a container for the VMs that together run one role, e.g. ADFS. A cloud service needs two or more instances to qualify for the 99.95% SLA. One external virtual IP address per cloud service.
Availability Set: the instances of a role are placed in an availability set so they land on separate fault and update domains; the SLA above applies to such sets.
21. Windows Azure: Terminology
Endpoints: you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol with endpoints. Resources can connect to an endpoint using TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
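The script below is an added example, not part of the deck, showing the terminology of these two slides in the classic (Service Management) Azure PowerShell module: two AD FS VMs in one cloud service and one availability set, attached to the virtual network's subnet, with a single load-balanced HTTPS endpoint on the public VIP. Two choices matter for security: the VMs are provisioned without the default RDP and WinRM endpoints (management goes over the site-to-site VPN), and the HTTPS endpoint carries an ACL so the VIP only accepts the listed source range. Service, network, image, location and subnet names and the permitted subnet are all placeholders.

```powershell
# Added example (not from the deck): classic Azure PowerShell, names are placeholders.
$service = "contoso-adfs"      # cloud service: one public VIP, 2+ instances for the 99.95% SLA
$vnet    = "contoso-vnet"      # virtual network reachable over the site-to-site VPN
$subnet  = "adfs-subnet"
$avset   = "adfs-as"           # availability set shared by both AD FS instances
$image   = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq "Windows Server 2012 Datacenter" } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1).ImageName
$cred    = Get-Credential -Message "Local administrator for the new VMs"

# Endpoint ACL: only the listed source subnet may reach the public HTTPS endpoint.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet "203.0.113.0/24" -Order 100 -Description "AD FS proxies / partner range" -ACL $acl

$vms = foreach ($i in 1, 2) {
    $vm = New-AzureVMConfig -Name "adfs0$i" -InstanceSize Medium -ImageName $image -AvailabilitySetName $avset
    # No RDP/WinRM endpoints on the public VIP; manage the farm over the VPN instead.
    $vm = Add-AzureProvisioningConfig -VM $vm -Windows -AdminUsername $cred.UserName `
            -Password $cred.GetNetworkCredential().Password -NoRDPEndpoint -NoWinRMEndpoint
    $vm = Set-AzureSubnet -VM $vm -SubnetNames $subnet
    # One load-balanced TCP/443 endpoint (same LBSetName on every instance), restricted by the ACL.
    $vm = Add-AzureEndpoint -VM $vm -Name "https" -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName "adfs-lb" -ProbeProtocol tcp -ProbePort 443 -ACL $acl
    $vm
}

# Creating the service and both VMs in one call keeps them in the same deployment.
New-AzureVM -ServiceName $service -VMs $vms -VNetName $vnet -Location "West Europe"

# Verify: same availability set on both, and only the HTTPS endpoint is exposed.
Get-AzureVM -ServiceName $service | Select-Object Name, AvailabilitySetName, InstanceStatus
$adfs01 = Get-AzureVM -ServiceName $service -Name "adfs01"
Get-AzureEndpoint -VM $adfs01 | Select-Object Name, Protocol, PublicPort, LBSetName
Get-AzureAclConfig -VM $adfs01 -EndpointName "https"
```

In the hybrid topology the internal AD FS servers in IAAS need no public endpoint at all; the HTTPS endpoint above belongs on the instances that external users (or the proxies) must reach.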
25. Migration
DirSync:
1. Shut down DirSync on-premise
2. Install DirSync on Azure
3. Configure DirSync on Azure
4. Uninstall DirSync on-premise
ADFS:
1. Convert all federated domains to standard domains
2. Log on to the primary ADFS server on Azure
3. Convert all standard domains back to federated domains
* Using DirSync for provisioning only is NOT supported!
Note: Passwords are NOT synced. If you want to use your on-premise passwords in Office 365/Azure, you will have to deploy ADFS. A future release of DirSync might support Password Synchronization.**
** Neither the functionality nor a release date has been confirmed by Microsoft. As far as I understood, this sync will not really sync the password, but will rather use the password's hash.
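The ADFS part of the migration, as an added example that is not from the deck: the federated-to-standard-to-federated round trip done with the MSOnline module, preceded by a check of the tenant's sync state for the DirSync part. Domain name, AD FS host name and password file path are placeholders. The security point is step 1: Convert-MsolDomainToStandard requires a password file; with -SkipUserConversion $false every federated user gets a new cloud password written to that file and can sign in with it until re-federation, so either skip user conversion (users cannot sign in until step 3 completes) or protect and then delete the file.

```powershell
# Added example (not from the deck): MSOnline cmdlets; all names are placeholders.
Import-Module MSOnline
Connect-MsolService                       # prompts for a Global Administrator

# --- DirSync: confirm the state before the engine is moved ------------------
$info = Get-MsolCompanyInformation
"DirSync enabled: {0}; last sync: {1}" -f $info.DirectorySynchronizationEnabled, $info.LastDirSyncTime
# Stop the service on the old server rather than deactivating sync on the tenant:
# Set-MsolDirSyncEnabled -EnableDirSync $false (and re-enabling) can take a long time.

# --- ADFS: move the federation trust to the farm in Azure -------------------
$domain  = "contoso.com"
$newAdfs = "adfs01.contoso.com"            # primary AD FS server running in Azure
$pwdFile = "C:\secure\contoso-standard-passwords.txt"

# 1. Federated -> standard. -SkipUserConversion $true keeps users federated-only
#    (no temporary cloud passwords are generated, so nobody can sign in until
#    step 3); the cmdlet still insists on a password file path.
Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $true -PasswordFile $pwdFile

# 2. Point the MSOnline federation cmdlets at the new primary AD FS server.
Set-MsolADFSContext -Computer $newAdfs

# 3. Standard -> federated, which writes the Azure farm's endpoints and signing
#    certificate into the tenant and the Office 365 relying party trust into AD FS.
Convert-MsolDomainToFederated -DomainName $domain

# 4. Verify the trust now references the Azure farm, then clean up.
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
Get-MsolFederationProperty -DomainName $domain
if (Test-Path $pwdFile) { Remove-Item $pwdFile -Force }
```

Repeat steps 1 and 3 for every federated domain before decommissioning the on-premise AD FS farm, and remove the Office 365 relying party trust from the old farm afterwards so it can no longer issue tokens for the tenant.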