Looking to reduce the number of post-it notes you see stuck around the office? Seeking to automate your user creation processes for Office 365? Or maybe you’re interested in single sign-on for everything you host in the cloud? Are you questioning what a cloud identity is? This session will take you through the basics of identity in the Microsoft Cloud and show you how to set up and configure Office 365 with Azure Active Directory using the Azure Active Directory Synchronization Connect tools.
5. Terminology
What is Identity Management?
“Identity management (IdM) describes the management of individual principals, their authentication, authorisation, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
https://en.wikipedia.org/wiki/Identity_management
6. Terminology
Authentication: Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be.
Authorization: Determining which actions an authenticated entity is authorized to perform on the network.
7. Terminology
Single Sign On (SSO) is the ability for two disjointed Identity Providers (IDP) to trust each other such that a user logged in to one does not need to log in again for the second.
Relying Party (RP) is the system that relies on the IDP to authenticate a user.
Security Assertion Markup Language (SAML): SAML is a public standard managed by OASIS. SAML is the identity token and also the protocol.
WS-Federation (WSFED) / WS-Trust: WSFED is used for web browser-based authentication with an IDP. WS-Trust is used by Office client apps to authenticate.*
10. Azure Active Directory
What is AAD?
“Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.”
17. Choosing a Model
Federated Identity
• Already have ADFS or a 3rd party IDP
• Require immediate disable or Sign-in Audit
• SSO is required
• Multiple Forests
• CAC or on-premises MFA
• Business requires it
22. Deploying Directory Synchronization
• Prepare for directory synchronization
• Activate directory synchronization
• Set up directory synchronization agent
• Synchronize directory
• Activate synchronized users
• Manage directory synchronization
23. IdFix
Errors Validated
• Duplicate proxyAddresses
• Invalid characters in attributes
• Over length attributes
• Format errors in attributes
• Use of non-routable domains
• Blank attribute that requires a value
Attributes
• displayName
• givenName
• mail
• mailNickName
• proxyAddresses
• sAMAccountName
• sn
• targetAddress
• userPrincipalName
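The checks on this slide can be reproduced against exported user objects before sync is activated. The following PowerShell is an added example, not part of the deck and not Microsoft's IdFix tool: it runs IdFix-style checks (duplicate proxyAddresses, invalid characters, over-length and blank attributes, format errors, non-routable UPN domains) over an in-memory set of constructed user records so it runs without a domain. The function name, the per-attribute length limits (as I recall them from the IdFix documentation) and the list of non-routable suffixes are this example's assumptions; in a real run, replace `$SampleUsers` with `Get-ADUser` output carrying the listed attributes.

```powershell
# Added example: not from the original deck and not Microsoft's IdFix tool.
# Length limits are as I recall them from the IdFix docs (assumption); verify
# against the current reference before relying on them.
$MaxLength = @{
    displayName = 256; givenName = 64; mail = 256; mailNickname = 64
    sAMAccountName = 20; sn = 64; targetAddress = 256; userPrincipalName = 113
}
# Suffixes that never route on the public internet (assumption; extend as needed)
$NonRoutableSuffixes = @('.local', '.internal', '.lan', '.corp')

function Test-DirSyncReadiness {
    param([Parameter(Mandatory)][object[]]$Users)

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($User, $Attribute, $Problem, $Value) {
        $findings.Add([pscustomobject]@{ sAMAccountName = $User.sAMAccountName; Attribute = $Attribute; Problem = $Problem; Value = $Value })
    }

    # Duplicate proxyAddresses: group every address across the whole set by owner
    $owners = @{}
    foreach ($u in $Users) {
        foreach ($addr in @($u.proxyAddresses)) {
            if (-not $addr) { continue }
            $key = $addr.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $u
        }
    }
    foreach ($key in $owners.Keys) {
        if ($owners[$key].Count -gt 1) {
            foreach ($u in $owners[$key]) { Add-Finding $u 'proxyAddresses' 'duplicate' $key }
        }
    }

    $mailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    foreach ($u in $Users) {
        # Over-length attributes
        foreach ($attr in $MaxLength.Keys) {
            $v = [string]$u.$attr
            if ($v.Length -gt $MaxLength[$attr]) { Add-Finding $u $attr 'length' $v }
        }
        # Blank attributes that must carry a value (this example's choice of required set)
        foreach ($attr in 'sAMAccountName', 'displayName', 'userPrincipalName') {
            if ([string]::IsNullOrWhiteSpace($u.$attr)) { Add-Finding $u $attr 'blank' '' }
        }
        # mailNickname may not contain whitespace
        if ($u.mailNickname -and $u.mailNickname -match '\s') { Add-Finding $u 'mailNickname' 'character' $u.mailNickname }
        # UPN: local@domain, restricted local-part characters, routable domain
        $upn = [string]$u.userPrincipalName
        if ($upn -and $upn -notmatch '^[^@\s]+@[^@\s]+$') {
            Add-Finding $u 'userPrincipalName' 'format' $upn
        } elseif ($upn) {
            $local, $domain = $upn -split '@', 2
            if ($local -match '[^A-Za-z0-9._!#^~-]') { Add-Finding $u 'userPrincipalName' 'character' $upn }
            foreach ($s in $NonRoutableSuffixes) {
                if ($domain.ToLowerInvariant().EndsWith($s)) { Add-Finding $u 'userPrincipalName' 'domain' $upn }
            }
        }
        # mail and SMTP-type proxy addresses must be well-formed addresses (-match is case-insensitive)
        if ($u.mail -and $u.mail -notmatch $mailPattern) { Add-Finding $u 'mail' 'format' $u.mail }
        foreach ($addr in @($u.proxyAddresses)) {
            if ($addr -match '^smtp:' -and ($addr -split ':', 2)[1] -notmatch $mailPattern) {
                Add-Finding $u 'proxyAddresses' 'format' $addr
            }
        }
    }
    return $findings
}

# Constructed sample records, not real directory data
$SampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'asmith'; displayName = 'Alice Smith'; givenName = 'Alice'; sn = 'Smith'; mailNickname = 'asmith'
        mail = 'alice.smith@example.com'; userPrincipalName = 'alice.smith@example.com'; proxyAddresses = @('SMTP:alice.smith@example.com') }
    [pscustomobject]@{ sAMAccountName = 'bjones'; displayName = 'Bob Jones'; givenName = 'Bob'; sn = 'Jones'; mailNickname = 'b jones'
        mail = 'bob.jones@example.com'; userPrincipalName = 'bob.jones@contoso.local'; proxyAddresses = @('SMTP:alice.smith@example.com', 'smtp:bob@example.com') }
    [pscustomobject]@{ sAMAccountName = 'cwu'; displayName = ''; givenName = 'Carol'; sn = 'Wu'; mailNickname = 'cwu'
        mail = 'carol.wu@example.com'; userPrincipalName = 'carol.wu@example.com'; proxyAddresses = @('smtp:not-an-address') }
)

Test-DirSyncReadiness -Users $SampleUsers | Sort-Object sAMAccountName, Attribute | Format-Table -AutoSize
```

On the constructed set this reports the duplicate proxy address on both owners, the non-routable UPN domain and the space in mailNickname for the second record, and the blank displayName and malformed proxy address for the third; each of those is the kind of object IdFix would stop on before DirSync could export it.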
24. Prepare for Directory Synchronization
Ensure you have your UPN suffixes in place if not using an Internet Routable Domain
http://technet.microsoft.com/library/jj151831.aspx
http://technet.microsoft.com/en-us/library/hh852478.aspx
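Putting a routable UPN suffix in place is a forest change followed by a per-user rewrite. The PowerShell below is an added example, not from the deck or the linked TechNet pages: it registers the routable suffix on the forest if it is missing, finds the users still carrying the non-routable suffix, and rewrites their UPNs while keeping the local part so UPN and primary SMTP address stay aligned. It assumes the ActiveDirectory module (RSAT) and rights to edit the forest and the target users; the function name and the domain names are placeholders, and the routable suffix must already be a verified domain in the Office 365 tenant or the synced UPN will not be kept.

```powershell
# Added example, not from the original deck. Assumes the ActiveDirectory module
# and rights to edit the forest and the target users. Domain names are placeholders.
Import-Module ActiveDirectory

function Set-RoutableUpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NonRoutableSuffix,   # e.g. 'contoso.local'
        [Parameter(Mandatory)][string]$RoutableSuffix,      # e.g. 'contoso.com', verified in the tenant
        [string]$SearchBase                                 # optional OU to limit the change
    )

    # 1. Register the routable suffix on the forest if it is not already there
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
        if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $RoutableSuffix")) {
            Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $RoutableSuffix }
        }
    }

    # 2. Find users still carrying the non-routable suffix
    $getParams = @{ Filter = "UserPrincipalName -like '*@$NonRoutableSuffix'"; Properties = 'mail' }
    if ($SearchBase) { $getParams.SearchBase = $SearchBase }
    $users = Get-ADUser @getParams

    # 3. Rewrite each UPN, keeping the local part; emit a record of old and new values
    foreach ($u in $users) {
        $local  = ($u.UserPrincipalName -split '@', 2)[0]
        $newUpn = "$local@$RoutableSuffix"
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "UPN $($u.UserPrincipalName) -> $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldUpn = $u.UserPrincipalName; NewUpn = $newUpn; Mail = $u.mail }
    }
}

# Preview the change first; drop -WhatIf to apply it
Set-RoutableUpnSuffix -NonRoutableSuffix 'contoso.local' -RoutableSuffix 'contoso.com' -WhatIf
```

Running with `-WhatIf` lists every user that would change and the exact new UPN, which is the review step worth doing before the rewrite, since a UPN that no longer matches the user's primary SMTP address is a common source of sign-in confusion after sync.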
66. Alternate Login ID
When your on-premises UPN is non-routable on the public internet and you can’t easily update UPN suffixes
Requires Windows Server 2012 R2 for AD FS*
Requires comfort with FIM and editing Management Agents
67. Office Client Passive Authentication
• SSO with passive authentication
‐ Works with WSFED and SAML 2.0
• Went Tech Preview in Nov 2014
• Requires Office Client updates
‐ Move to Active Directory Authentication Library (ADAL)
‐ OAUTH for passive authentication
‐ Support for MFA with AAD
‐ CAC/PIV support
68. Works with Office 365 – Identity program
• What is it?
‐ Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
• Program Requirements
‐ Published Qualification Requirements
‐ Published Technical Integration Docs
‐ Automated Testing Tool
‐ Self Testing work by Partner
‐ Predictable and Shorter Qualification
• Customer Benefits
‐ Flexibility to reuse existing identity provider investments
‐ Confidence that the solution is qualified by Microsoft
‐ Coordinated support between the partner and Microsoft
Diagram: qualified protocols shown are WS-Trust & WS-Federation and SAML (passive auth). *For representative purposes only.
69. Office 365 Federation Options
Diagram of the federation options; only the suitability captions survive:
• Suitable for medium, large enterprises including educational organizations
• Suitable for medium, large enterprises including educational organizations
• Suitable for educational organizations
• For organizations that need to use SAML 2.0
71. The end to end Microsoft Stack
Diagram: the end-to-end Microsoft stack, with WS-Federation and WS-Trust as the protocols shown.
72. Agenda
Identity Management in Office 365
Identity Scenarios
Synchronization Demo
Add-ons and More to Think About
73. Resources
• Use third-party identity providers to implement single sign-on
• Deployment scenarios for Office 365 with single sign-on and Azure
• Choosing a sign-in model for Office 365
• Password hash sync simplifies user management for Office 365
• Directory Integration Tools
• Using smart links or IdP initiated authentication with Office 365
• Using Alternate Login IDs with Azure Active Directory
• Office 365 SAML 2.0 Federation Implementer’s Guide
• Simplified login to Yammer from Office 365
• Multi-Factor Authentication for Office 365
• Office 365 User Account Management