This presentation shows you how to manage your Office 365 identities.

1. Office 365 Identity Management
Robert Crane
http://about.me/ciaops

2. Agenda
• Identity option comparisons
• Online identity
• Synchronised identity
• Federated identity
• Federated Identity set up demo
• Conclusions

3. 1. MS Online IDs
Appropriate for
• Smaller orgs without AD on
-premise
Pros
• No servers required on-pre
mise
Cons
• No SSO
• No 2FA
• 2 sets of credentials to man
age with differing password
policies
• IDs mastered in the cloud
2. MS Online IDs
+ DirSync
Appropriate for
• Medium/Large orgs with A
D on-premise
Pros
• Users and groups mastered
on-premise
• Enables co-existence
scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to man
age with differing password
policies
• Server deployment required
3. Federated IDs
+ DirSync
Appropriate for
• Larger enterprise orgs with
AD on-premise
Pros
• SSO with corporate cred
• IDs mastered on-premise
• Password policy controlled
on-premise
• 2FA solutions possible
• Enables co-existence
scenarios
Cons
• High availability server depl
oyments required
Active DirectoryActive Directory

4. Online Identity

5. Cloud identity model
http://portal.office.com

8. Synchronised Identity

9. Office 365 Identity Models

10. Directory Sync
• Synchronizes users, groups, and contacts to Windows
Azure AD.
• Users will have a different password in Windows
Azure AD than they have for the on-premises AD.
DEPRECATED

11. Azure AD Sync tool
• Formerly known as Dirsync, this tool has been
updated to allow for the synchronization of local
Active Directory passwords to Azure Active Directory.
• Also synchronizes users, groups and contacts.
• This new feature will allow for same user sign in with
Microsoft cloud services such as Office 365 powered
by Azure Active Directory since the username and the
password from local AD will be synced up to Azure
AD.
DEPRECATED

12. Azure AD Connect
Active Directory

13. Synchronized Identity Model
Password hashes
User accounts
User
Sign-on
AAD Sync or Connect
On-premises
directory

14. Before installing Azure AD Connect
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
 Active Directory remediation
 Run IdFix
 Verify DNS domains with Office 365
 Add these prior to syncing to preserve UPN
 Directories other than Active Directory
 Works with Office 365 – Identity program
 One server is most common
 Domain controller is supported
 Separate SQL Server is okay up to around 100,000 directory objects
 You can install to Azure IaaS
 Migrating from DirSync or FIM 2010
 Upgrade
 Forest functional level
 Windows Server 2003

15. IdFix – DirSync AD Remediation

16. What errors does IdFix look for?
 Duplicate proxyAddresses
 Invalid characters in attributes
 Over length attributes
 Format errors in attributes
 Use of non-routable domains
 Blank attribute that requires
a value
 mailNickName
 proxyAddresses
 sAMAccountName
 targetAddress
 userPrincipalName

17. Install Azure AD Connect

18. Install the Azure AD Connect

19. Install the Azure AD Connect

20. Connect to Azure AD

21. Connect to on-premises Directories

22. User (and contact) matching

23. Filter users and devices

24. Optional features

25. Azure AD apps

26. Azure AD attributes

27. Configure AAD Connect

28. Done!

29. Review the configuration
 Installation logs
 %windir%tempaadsync
 Synchronization Rules
 Depending on if Exchange and Skype for Business is present in AD, different rules
will be generated
 Depending on Exchange version attributes will be removed as needed
 Only selected services will have outbound rules to AAD
 Attributes you selected to not be included are removed from the outbound rules
to AAD
 Introducing the Sync Rule Editor
 A “Resource Kit Tool” to view, change and add Sync Rules

30. View the synchronisation
- Passwords synced every 2 minutes
- User attributes synced every 3 hours
- Manual sync via program
filesmicrosoft azure ad
syncbindirectorysyncclientcmd.exe

31. AAD Connect installation review
 Be aware of directory object limits
 A new tenant can sync up to 50,000 directory objects
 Register a vanity domain and it is increased to 300,000 objects
 Sync now
 Expect about 1 hour per 5,000 objects
 Password expiry for the sync account
 Assign Office 365 licenses
 High availability
 Can Backup and reinstall
 Filtering AAD Connect
 By Domain and OUs
 By attributes

32. Password hash sync security
 Password hash AD DS
 It is not reversible to
get the users password
 A Hash
 Hashes are mathematical
functions that are nearly impossible
to reverse
 The result of the hash algorithm is
called a digest
 Additional Processing
 We further process it with a one way hash SHA256 algorithm
 Connections are only to the Azure AD service
 Connections are SSL encrypted
 Enables Azure AD to validate the users password when
they log in
User
Password On-premises
directory

33. Federated Identity

34. Federated identity model
On-premises
directory
AAD Sync
or Connect

35. Password Sync Backup for Federated Sign-In
This new backup option for Office
365 customers using federated
sign-in provides the option to
manually switch your domain in a
short amount of time during
outages such as on- premises
power loss, internet connection
interruption and any other on-
premises outage.
Backup Password Hash Sync
User accounts
AAD Sync
On-premises
directory

36. Topology

37. Topology

38. 10.0.0.4
10.0.0.5
DC Azure AD Connect
Sync
ADFS
Certificate
Web Server
PowerShell
1. 2.

39. 10.0.0.4
10.0.0.5 10.32.0.4
DC Azure AD Connect
Sync
ADFS ProxyADFS
10.0.0.X
3.

40. DEMO

41. ADFS and SSO
 Read all the TechNet Deployment Guidance
 http://technet.microsoft.com/en-us/library/jj205462.aspx
 Only implement the Office 365 requirements
 The only certificate required is the SSL certificate
 Prepare with firewall update permissions

42. Change between models as needs change
 Cloud Identity to Synchronized Identity
 Deploy Azure AD Connect
 Hard match or soft match of users
 Synchronized Identity to Federated Identity
 Deploy AD FS
 Can leave password sync enabled as backup
 Federated identity to Synchronized Identity
 PowerShell Convert-MsolDomainToStandard
 Takes 2 hours plus 1 additional hour per 2,000 users
 Synchronized Identity to Cloud Identity
 PowerShell Set-MsolDirSyncEnabled
 Takes 72 hours and you can monitor with Get-MsolCompanyInformation

43. Choose the simplest model for your needs
 This is Microsoft’s recommendation
 Cloud Identity is the simplest model
 Choose cloud when
 You have no on-premises directory
 There is on-premises directory restructuring
 You are in pilot with Office 365

44. Choose synchronized identity if you have
an on-premises directory
 Password hash sync means federation is not required
just to have the same password on the cloud
 Same sign-on – the username and password is the same in the cloud as on-premises
 Single sign-on – you log on to the PC and no password is required for cloud services
 Save credentials for later uses Windows Credential Manager
 Outlook does not support Single sign-on
 Choose password hash sync unless you have one
of the scenarios that requires federation

45. Scenarios for choosing federation
Existing infrastructure
1. You already have an AD FS Deployment.
2. You already use a Third Party Federated Identity
Provider.
3. You use Forefront Identity Manager.
4. You have an On-Premises Integrated Smart Card or
Multi-Factor Authentication (MFA) Solution.
5. Custom Hybrid Applications or Hybrid Search is
Required.
6. Web Accessible Forgotten Password Reset.

46. Scenarios for choosing federation
Policy requirements
7. You Require Sign-In Audit and/or Immediate Disable.
8. Single Sign-On minimizing prompts is Required.
9. Require Client Sign-In Restrictions by Network Location
or Work Hours.
10. Policy preventing Synchronizing Password Hashes
to Azure AD.

47. Office 365 federation options
Suitable for medium, large
enterprises including
educational organizations
Recommended option for Active
Directory (AD) based customers
Single sign-on
Support for web and rich clients
Microsoft supported
Works for Office 365
Hybrid Scenarios
Requires on-premises servers,
licenses & support
Suitable for medium, large
enterprises including educational
organizations
Recommended where customers
may use existing non-ADFS
Identity systems
with AD or Non-AD
Single sign-on
Support for web and rich clients
Third-party supported
Works for Office 365
Hybrid Scenarios
Requires on-premises servers,
licenses & support
Verified through ‘works with Office
365’ program
Suitable for educational
organizations
Recommended where customers
may use existing non-ADFS
Identity systems
Single sign-on
Support for web clients and
outlook (ECP) only
Microsoft supported for
integration only, no shibboleth
deployment support
Requires on-premises servers
& support
Works with AD and other
directories on-premises
For organizations that need to
use SAML 2.0
Recommended where
customers may use existing
non-ADFS Identity systems
Single sign-on
Support for web clients and
outlook (ECP) only
Microsoft supported for
integration only, no identity
provider deployment support
Requires on-premises servers
& support
Works with AD and other
directories on-premises

48. What is it?
Program Requirements
http://aka.ms/ssoproviders
Works with Office 365 – Identity program

49. Yammer DIRSYNC
 Will eventually be replaced with Azure AD Connect
 After you set up this integration product, users will be
able to be automatically:
 removed from your Yammer network when you disable them in AD
 invited to your Yammer network when you add them to AD
 updated with new profile information when you update their
attributes in AD
 Install a separate syncing program locally and configure
 http://blog.ciaops.com/2015/06/configuring-yammer-dirsync.html
 Not recommended unless you have a specific need

50. Resources

51. Summary
 Choose the simplest model for your needs
 Change between models as needed.
 Cloud identity model when there is no on-premises
directory.
 Synchronized identity model for most organizations.
 Federated identity model for specific scenarios.
 Federated and synchronised identities require on
premise equipment.

52. QUESTIONS / FEEDBACK?
director@ciaops.com
@directorcia