3. 1. MS Online IDs
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud
2. MS Online IDs + DirSync
Appropriate for
• Medium/Large orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Server deployment required
3. Federated IDs + DirSync
Appropriate for
• Larger enterprise orgs with AD on-premise
Pros
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
10. Directory Sync
• Synchronizes users, groups, and contacts to Windows Azure AD.
• Users will have a different password in Windows Azure AD than they have for the on-premises AD.
DEPRECATED
11. Azure AD Sync tool
• Formerly known as Dirsync, this tool has been updated to allow for the synchronization of local Active Directory passwords to Azure Active Directory.
• Also synchronizes users, groups and contacts.
• This new feature allows the same user sign-in with Microsoft cloud services such as Office 365 powered by Azure Active Directory, since the username and the password from local AD are synced up to Azure AD.
DEPRECATED
14. Before installing Azure AD Connect
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
Active Directory remediation
  Run IdFix
Verify DNS domains with Office 365
  Add these prior to syncing to preserve UPN
Directories other than Active Directory
  Works with Office 365 – Identity program
One server is most common
  Domain controller is supported
  Separate SQL Server is okay up to around 100,000 directory objects
  You can install to Azure IaaS
Migrating from DirSync or FIM 2010
  Upgrade
Forest functional level
  Windows Server 2003
16. What errors does IdFix look for?
Duplicate proxyAddresses
Invalid characters in attributes
Over length attributes
Format errors in attributes
Use of non-routable domains
Blank attribute that requires a value
Attributes checked:
  mailNickName
  proxyAddresses
  sAMAccountName
  targetAddress
  userPrincipalName
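An added example, not the IdFix tool itself: a small PowerShell check that flags the error classes on this slide for the attributes it lists, run here over constructed sample objects so it needs no domain connection. The length limits, disallowed character set and routable-domain list are assumptions for illustration; IdFix applies its own rules.

```powershell
# Assumed limits and rules (illustration only; IdFix has its own definitions).
$RoutableDomains = @('contoso.example')                      # placeholder: your verified domains
$MaxLength = @{ mailNickName = 64; sAMAccountName = 20; userPrincipalName = 113 }
$InvalidChars = '[\s\\"<>,;:\[\]\(\)]'                         # assumed disallowed characters

function Find-DirectoryObjectErrors {
    param([Parameter(Mandatory)][object[]]$Objects)
    $findings = @()
    $seenProxy = @{}                                         # proxy address -> first object that used it
    foreach ($o in $Objects) {
        $id = $o.distinguishedName
        foreach ($attr in 'mailNickName', 'sAMAccountName', 'userPrincipalName') {
            $v = $o.$attr
            if ([string]::IsNullOrWhiteSpace($v)) {
                $findings += [pscustomobject]@{ Object = $id; Attribute = $attr; Error = 'Blank attribute that requires a value' }
                continue
            }
            if ($v.Length -gt $MaxLength[$attr]) { $findings += [pscustomobject]@{ Object = $id; Attribute = $attr; Error = 'Over length' } }
            if ($v -match $InvalidChars)       { $findings += [pscustomobject]@{ Object = $id; Attribute = $attr; Error = 'Invalid characters' } }
        }
        # UPN must be user@domain and the suffix must be a routable (verified) domain.
        $upn = $o.userPrincipalName
        if ($upn -and $upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $findings += [pscustomobject]@{ Object = $id; Attribute = 'userPrincipalName'; Error = 'Format error' }
        } elseif ($upn -and ($upn.Split('@')[1] -notin $RoutableDomains)) {
            $findings += [pscustomobject]@{ Object = $id; Attribute = 'userPrincipalName'; Error = 'Non-routable domain' }
        }
        # proxyAddresses must be unique across the whole set, compared case-insensitively.
        foreach ($p in @($o.proxyAddresses)) {
            $key = $p.ToLowerInvariant()
            if ($seenProxy.ContainsKey($key)) {
                $findings += [pscustomobject]@{ Object = $id; Attribute = 'proxyAddresses'; Error = "Duplicate of $($seenProxy[$key])" }
            } else { $seenProxy[$key] = $id }
        }
    }
    return $findings
}

# Constructed sample objects (not real directory data); each one after Alice carries a defect.
$sample = @(
    [pscustomobject]@{ distinguishedName='CN=Alice,OU=Users'; sAMAccountName='alice';     mailNickName='alice'; userPrincipalName='alice@contoso.example'; proxyAddresses=@('SMTP:alice@contoso.example') }
    [pscustomobject]@{ distinguishedName='CN=Bob,OU=Users';   sAMAccountName='bob';       mailNickName='bob';   userPrincipalName='bob@corp.local';         proxyAddresses=@('SMTP:bob@contoso.example') }
    [pscustomobject]@{ distinguishedName='CN=Carol,OU=Users'; sAMAccountName='carol';     mailNickName='';      userPrincipalName='carol@contoso.example'; proxyAddresses=@('smtp:alice@contoso.example') }
    [pscustomobject]@{ distinguishedName='CN=Dan,OU=Users';   sAMAccountName='dan smith'; mailNickName='dan';   userPrincipalName='dan contoso.example';    proxyAddresses=@() }
)
Find-DirectoryObjectErrors -Objects $sample | Format-Table -AutoSize
```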
29. Review the configuration
Installation logs
  %windir%\temp\aadsync
Synchronization Rules
  Depending on whether Exchange and Skype for Business are present in AD, different rules will be generated
  Depending on the Exchange version, attributes will be removed as needed
  Only selected services will have outbound rules to AAD
  Attributes you selected to not be included are removed from the outbound rules to AAD
Introducing the Sync Rule Editor
  A “Resource Kit Tool” to view, change and add Sync Rules
30. View the synchronisation
- Passwords synced every 2 minutes
- User attributes synced every 3 hours
- Manual sync via %ProgramFiles%\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe
31. AAD Connect installation review
Be aware of directory object limits
  A new tenant can sync up to 50,000 directory objects
  Register a vanity domain and it is increased to 300,000 objects
Sync now
  Expect about 1 hour per 5,000 objects
Password expiry for the sync account
Assign Office 365 licenses
High availability
  Can backup and reinstall
Filtering AAD Connect
  By domain and OUs
  By attributes
32. Password hash sync security
Password hash in AD DS
  It is not reversible to get the user's password
A hash
  Hashes are mathematical functions that are nearly impossible to reverse
  The result of the hash algorithm is called a digest
Additional processing
  We further process it with a one-way hash SHA256 algorithm
  Connections are only to the Azure AD service
  Connections are SSL encrypted
  Enables Azure AD to validate the user's password when they log in
[Diagram: user password, on-premises directory, Azure AD]
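An added illustration of the slide's point, not AAD Connect's actual code: the hash AD DS already holds is processed again with a salt and iterated SHA256 before it leaves the network, so Azure AD can validate a sign-in while holding neither a reversible value nor the original on-premises hash. The round count, salt size and sample hash value are assumptions.

```powershell
function ConvertFrom-HexString([string]$Hex) {
    [byte[]](($Hex -split '(..)' | Where-Object { $_ }) | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function ConvertTo-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# One-way transform of the on-premises hash: SHA256 over (digest + salt), iterated.
# This is the value that would be sent to Azure AD, never the AD DS hash itself.
function Protect-HashForSync {
    param(
        [Parameter(Mandatory)][string]$OnPremHashHex,   # hash as held in AD DS (constructed here)
        [Parameter(Mandatory)][byte[]]$Salt,
        [int]$Rounds = 1000                              # assumed round count
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $digest = ConvertFrom-HexString $OnPremHashHex
    for ($i = 0; $i -lt $Rounds; $i++) {
        $digest = $sha.ComputeHash([byte[]]($digest + $Salt))
    }
    return ConvertTo-HexString $digest
}

# What the cloud side does at sign-in: recompute from the candidate and compare every
# byte without short-circuiting, so timing does not reveal where the mismatch is.
function Test-SyncedPassword {
    param([string]$CandidateHashHex, [byte[]]$Salt, [string]$StoredDigestHex, [int]$Rounds = 1000)
    $a = ConvertFrom-HexString (Protect-HashForSync $CandidateHashHex $Salt $Rounds)
    $b = ConvertFrom-HexString $StoredDigestHex
    if ($a.Length -ne $b.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return ($diff -eq 0)
}

# Constructed sample values: a placeholder on-premises hash (not a real one) and a random salt.
$onPremHash = '00112233445566778899aabbccddeeff'
$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)

$synced = Protect-HashForSync -OnPremHashHex $onPremHash -Salt $salt
"Value sent to Azure AD differs from the AD DS hash: $($synced -ne $onPremHash)"   # True
"Correct password validates: $(Test-SyncedPassword $onPremHash $salt $synced)"       # True
"Wrong password rejected:    $(Test-SyncedPassword ('ff' * 16) $salt $synced)"        # False
```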
35. Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
[Diagram: backup password hash sync of user accounts from the on-premises directory via AAD Sync]
41. ADFS and SSO
Read all the TechNet Deployment Guidance
http://technet.microsoft.com/en-us/library/jj205462.aspx
Only implement the Office 365 requirements
The only certificate required is the SSL certificate
Prepare with firewall update permissions
42. Change between models as needs change
Cloud Identity to Synchronized Identity
  Deploy Azure AD Connect
  Hard match or soft match of users
Synchronized Identity to Federated Identity
  Deploy AD FS
  Can leave password sync enabled as backup
Federated Identity to Synchronized Identity
  PowerShell: Convert-MsolDomainToStandard
  Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized Identity to Cloud Identity
  PowerShell: Set-MsolDirSyncEnabled
  Takes 72 hours and you can monitor with Get-MsolCompanyInformation
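An added example, not from the slides: the three scripted transitions on this slide driven with the MSOnline module cmdlets it names, each in its own function so only the one that applies is run. Assumes Connect-MsolService has already been run as a tenant administrator and that the ActiveDirectory module is available for the hard-match step; the domain, user and file names are placeholders.

```powershell
# Cloud identity -> Synchronized identity: enable sync in the tenant, deploy Azure AD
# Connect, then hard-match an existing cloud user to its on-premises account by setting
# ImmutableId to the base64 form of the on-premises objectGUID. (Soft match instead
# relies on a matching UPN or primary SMTP address and needs no ImmutableId.)
function Set-HardMatch {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$CloudUpn)
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    $guid = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    $immutableId = [Convert]::ToBase64String($guid.ToByteArray())
    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    Get-MsolUser -UserPrincipalName $CloudUpn | Select-Object UserPrincipalName, ImmutableId
}

# Federated identity -> Synchronized identity: convert the domain back to managed
# authentication. Temporary passwords for converted users are written to PasswordFile.
# Slide guidance: allow 2 hours plus 1 hour per 2,000 users.
function ConvertTo-SynchronizedIdentity {
    param([Parameter(Mandatory)][string]$DomainName,
          [string]$PasswordFile = "$env:TEMP\converted-users.txt")   # placeholder path
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile
    (Get-MsolDomain -DomainName $DomainName).Authentication        # expect 'Managed'
}

# Synchronized identity -> Cloud identity: disable sync and poll the tenant until it
# reports sync off. The slide quotes up to 72 hours, so poll slowly and log each check.
function ConvertTo-CloudIdentity {
    param([int]$PollSeconds = 1800)
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    do {
        Start-Sleep -Seconds $PollSeconds
        $info = Get-MsolCompanyInformation
        '{0:u} DirSync enabled: {1}  Last sync: {2}' -f (Get-Date), $info.DirectorySynchronizationEnabled, $info.LastDirSyncTime
    } while ($info.DirectorySynchronizationEnabled)
}

# Example invocations with placeholder names; run only the transition that applies.
# Set-HardMatch -SamAccountName 'alice' -CloudUpn 'alice@contoso.example'
# ConvertTo-SynchronizedIdentity -DomainName 'contoso.example'
# ConvertTo-CloudIdentity
```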
43. Choose the simplest model for your needs
This is Microsoft’s recommendation
Cloud Identity is the simplest model
Choose cloud when
You have no on-premises directory
There is on-premises directory restructuring
You are in pilot with Office 365
44. Choose synchronized identity if you have an on-premises directory
Password hash sync means federation is not required just to have the same password in the cloud
  Same sign-on – the username and password are the same in the cloud as on-premises
  Single sign-on – you log on to the PC and no password is required for cloud services
  Save credentials for later use: Windows Credential Manager
  Outlook does not support single sign-on
Choose password hash sync unless you have one of the scenarios that requires federation
45. Scenarios for choosing federation
Existing infrastructure
1. You already have an AD FS deployment.
2. You already use a third-party federated identity provider.
3. You use Forefront Identity Manager.
4. You have an on-premises integrated smart card or Multi-Factor Authentication (MFA) solution.
5. Custom hybrid applications or hybrid search is required.
6. Web-accessible forgotten password reset.
46. Scenarios for choosing federation
Policy requirements
7. You require sign-in audit and/or immediate disable.
8. Single sign-on minimizing prompts is required.
9. Require client sign-in restrictions by network location or work hours.
10. Policy preventing synchronizing password hashes to Azure AD.
47. Office 365 federation options
Option 1: AD FS
  Suitable for medium, large enterprises including educational organizations
  Recommended option for Active Directory (AD) based customers
  Single sign-on
  Support for web and rich clients
  Microsoft supported
  Works for Office 365 Hybrid Scenarios
  Requires on-premises servers, licenses & support
Option 2: Third-party federation providers
  Suitable for medium, large enterprises including educational organizations
  Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
  Single sign-on
  Support for web and rich clients
  Third-party supported
  Works for Office 365 Hybrid Scenarios
  Requires on-premises servers, licenses & support
  Verified through ‘works with Office 365’ program
Option 3: Shibboleth
  Suitable for educational organizations
  Recommended where customers may use existing non-ADFS identity systems
  Single sign-on
  Support for web clients and Outlook (ECP) only
  Microsoft supported for integration only, no Shibboleth deployment support
  Requires on-premises servers & support
  Works with AD and other directories on-premises
Option 4: SAML 2.0 identity providers
  For organizations that need to use SAML 2.0
  Recommended where customers may use existing non-ADFS identity systems
  Single sign-on
  Support for web clients and Outlook (ECP) only
  Microsoft supported for integration only, no identity provider deployment support
  Requires on-premises servers & support
  Works with AD and other directories on-premises
48. What is it?
Program Requirements
http://aka.ms/ssoproviders
Works with Office 365 – Identity program
49. Yammer DIRSYNC
Will eventually be replaced with Azure AD Connect
After you set up this integration product, users will automatically be:
  removed from your Yammer network when you disable them in AD
  invited to your Yammer network when you add them to AD
  updated with new profile information when you update their attributes in AD
Install a separate syncing program locally and configure
http://blog.ciaops.com/2015/06/configuring-yammer-dirsync.html
Not recommended unless you have a specific need
51. Summary
Choose the simplest model for your needs.
Change between models as needed.
Cloud identity model when there is no on-premises directory.
Synchronized identity model for most organizations.
Federated identity model for specific scenarios.
Federated and synchronised identities require on-premises equipment.