2. Office 365 (and Azure) Identity Solutions
Individual / Small Business (No Integration)
• No Integration Required
• No Single Sign On
• User logon Via Portal
• No Servers on Premise
Medium Sized Business (Dirsync, Provision Only)
• Dirsync Tool – Perfect for Provisioning large groups of Users
• No Single Sign On
• User Login Via Portal
• No ADFS Servers on Premise (only the Dirsync server is required)
Large Business (ADFS & Dirsync: Full Single Sign On (SSO), Hybrid)
• Deploy Dirsync
• Implement ADFS
• Users Login with WAD Credentials
• Complex Server Infrastructure on Prem
• Deployed as Part of a Hybrid Solution
6. Planning a Move to the Cloud?
• Influencing Factors:
• Service Trials
• Size of Organization
• Time Constraints
• Complexity of Customer's Current Environment
• Physical Locations
• Current Identity Infrastructure
• Current IT Infrastructure: Internal / Outsourced / Hosted
7. Planning a Move to the Cloud?
• Influencing Factors:
• Software / Hardware Issues
• Network Bandwidth Issues
• Security Issues
• Legal & Compliance Issues
• Vendor Service Level Agreement (SLA)
• High Availability / Backup Issues
• Resource Issues: Staff, Budget, etc.
• Risk Analysis of Moving into the Cloud
8. Current Identity Solution
• No Centralized Identity Solution
• Typical of a One Man Company
• No Servers on Premises
• Uses POP Email, Web Browser or Mobile Device
• The Small Business
• Typically 5 to 25 Employees
• Perhaps uses a Small Business Server on Premises
• Are already Active Directory Users
• Probably use Exchange Email
• Adopt Small Scale SharePoint Usage
• Probably outsource IT Support to an External Consultant
9. Current Identity Solution
• Medium to Enterprise level Organization
• 100s or 1000s of Users
• More Complex Active Directory Infrastructure
• More Complex Infrastructure, Trust Relationships etc.
• Probably use Exchange Email, Lotus Notes or Other On-Site Email Solution
• Probably uses Multi Factor Authentication
• In house IT Support
10. Identity Solutions for Office 365
Cloud Identity
• Separate credential from on-premises credential
• Authentication occurs via cloud directory service
• Password policy is stored in Office 365
• Does not require on-premises server deployment
Federated Identity
• Same credential as on-premises credential
• Authentication occurs via on-premises directory service
• Password policy is stored on-premises
• Requires on-premises DirSync server
• Requires on-premises ADFS server
11. Identity Architecture and Integration Options
1. No Integration
2. Directory Data Only
3. Directory and Single sign-on (SSO)
[Diagram: Windows Azure Active Directory (Admin Portal / PowerShell, Provisioning platform, Authentication platform, Directory Store, Office 365 Desktop Setup, SharePoint Online, Exchange Online, Lync Online, Office Subscription Services) connected to the EPC Group customer premises (Active Directory, Active Directory Federation Server 2.0 acting as IdP, MS Online Directory Sync). Directory Sync feeds the Provisioning platform; a federation Trust links the on-premises IdP to the Authentication platform.]
12. Understanding Identities
Cloud Identity
• Scenario: Smaller organizations with or without on-premises Active Directory
• Benefits: Does not require on-premises server deployment
• Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies
Cloud Identity + DirSync
• Scenario: Medium to Large organizations with Active Directory on-premises
• Benefits: “Source of Authority” is on-premises; Enables coexistence
• Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies; Requires on-premises DirSync server deployment
Federated Identity
• Scenario: Large enterprise organizations with Active Directory on-premises
• Benefits: “Source of Authority” is on-premises; Enables coexistence; Single Sign-On experience; 2 Factor Authentication options
• Limitations: Requires on-premises ADFS server deployment in a high availability scenario; Requires on-premises DirSync server deployment
13. Understanding Identities
Sign-in experience per client, listed as: Cloud Identity / Federated Identity (domain joined computer) / Federated Identity (non-domain joined computer)
• Microsoft Outlook® 2010 on Windows® 7: Sign in each session / Sign in each session / Sign in each session
• Outlook 2007 on Windows 7: Sign in each session / Sign in each session / Sign in each session
• Outlook 2010 or Outlook 2007 on Windows Vista® or Windows XP: Sign in each session / Sign in each session / Sign in each session
• Exchange ActiveSync®: Sign in each session / Sign in each session / Sign in each session
• POP, IMAP, Microsoft Outlook for Mac 2011: Sign in each session / Sign in each session / Sign in each session
• Web Experiences (Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps): Sign in each browser session / No Prompt / Sign in each browser session
• Office 2010 or Office 2007 using SharePoint Online: Sign in each SharePoint Online session / Sign in each SharePoint Online session / Sign in each SharePoint Online session
• Lync Online: Sign in each session / No prompt / Sign in each session
• Outlook for Mac 2011: Sign in each session / Sign in each session / Sign in each session
14. Make the Solutions Workable
• Must be Tailored to Customer Requirements
• Cost Effective
• Avoid Ego Driven Design Bloat!
• Take into Account Future Growth
• Current / Future Migration Plans
• Local / National Legal / Compliance Issues
• Cross Platform Integration
15. Understanding Identities
• Two types of Domains
• Managed Domain
• Federated Domain
• Domain ownership must be verified
• Must use a publicly registered namespace (e.g. *.local and similar private suffixes cannot be used)
• Options for adding new domains:
• Microsoft Online Portal
• Microsoft Online Services Module for Windows PowerShell
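The domain-verification step above, scripted with the Microsoft Online Services Module for Windows PowerShell. This is an added example and not part of the original deck; it assumes the MSOnline module is installed, that the account used is a tenant global administrator, that Resolve-DnsName is available (Windows 8 / Server 2012 or later), and that contoso.com stands in for a publicly registered domain you control.

```powershell
# Added example (not from the original deck): add a custom domain to the tenant
# and prove ownership via the DNS TXT record before any users are created on it.
# Assumptions: MSOnline module installed, global admin credential, "contoso.com"
# is a placeholder for a domain whose public DNS zone you control.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant's global administrator credential

$domain = "contoso.com"

# The service rejects private suffixes such as .local; fail fast instead of
# discovering it after the New-MsolDomain call.
if ($domain -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$' -or $domain -match '\.(local|internal|lan)$') {
    throw "'$domain' is not a publicly registrable namespace; Office 365 will not accept it."
}

# 1. Add the domain (it starts Unverified). -Authentication Managed keeps it a managed
#    domain; converting to a federated domain is a later, separate step
#    (Convert-MsolDomainToFederated) once ADFS is in place.
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain -Authentication Managed | Out-Null
}

# 2. Fetch the TXT record the service expects to find in the public zone.
$txt = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
Write-Host "Create this TXT record at your DNS host, then re-run the verify step:"
Write-Host ("  {0}  TXT  {1}" -f $txt.Label, $txt.Text)

# 3. Check public DNS ourselves first, so a propagation delay is reported clearly
#    rather than as a generic verification failure from the service.
$published = Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
             Where-Object { $_.Strings -contains $txt.Text }
if (-not $published) {
    Write-Warning "TXT record not visible in public DNS yet; verification will fail until it is."
    return
}

# 4. Ask the service to verify ownership.
Confirm-MsolDomain -DomainName $domain

# 5. Report the resulting state: Status should now be Verified, Authentication Managed.
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
```

Keep the TXT record in place after verification; the Authentication column is the same field you will later inspect to confirm whether a domain is Managed or Federated.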
16. Understanding Identities
Management tools:
• Microsoft Online Portal
• Active Directory tools
• Exchange Management Tools
• Identity management solutions
• Microsoft Online Services Module for Windows PowerShell
• Remote PowerShell
18. Windows Active Directory
• Directory service implemented on MS domain networks
• Introduced in Windows 2000
• DCs authenticate and authorise users and computers in a domain
• Assigns and enforces security policies
• Deployed as a single domain or as part of a larger forest
• Can be expanded through Trust Relationships
• Has both physical & logical attributes
• Only one directory instance per domain
• Active Directory uses LDAP, Kerberos, and DNS
19. WAD: Potential Issues
• Has a number of trust limitations in respect to size & complexity
• Designed primarily to manage in-house networks
• Protocol limitations, e.g. LDAP
• Customer security concerns about WAD data in the cloud (closed attributes)
• Does not natively support new cloud based protocols
• Solution: Extend AD attributes into the cloud…
22. What is Windows Azure Active Directory?
• Customized Version of ADLDS / ADAM
• Every Office 365 Customer is an Azure AD Tenant
• Designed primarily to meet the needs of cloud applications
• Extends the Customer's Active Directory into the cloud
• Think of it as a Fish on a Hook!
• Identity as a service: essential part of Platform as a Service
23. Relationship to Windows Server AD
• On-premises and cloud Active Directory managed as one
• Directory information synchronized to the cloud, made available to cloud apps via role-based access control
• Federated authentication enables single sign on to cloud applications
24. WAAD Vs WAD!
• While enterprises work to consolidate identity system on-
premises, cloud apps are fragmenting identity… again
25. Azure Active Directory Design Principles
The cloud design point demands capabilities that are not
part of current-day Windows Server Active Directory
• Maximize device & platform reach
• http/web/REST based protocols
• Multi-tenancy
• Customer owns directory, not Microsoft
• Optimize for availability, consistent performance, scale
• Keep it simple
27. Protocols to Connect to Windows Azure AD
• REST/HTTP directory access. Purpose: Create, Read, Update, Delete directory objects and relationships. Details: Compatible with OData V3; Authenticate with OAuth 2.0
• OAuth 2.0. Purpose: Service to service authentication; Delegated access. Details: JWT token format
• OpenID Connect. Purpose: Web application authentication; Rich client authentication. Details: Under investigation; JWT token format
• SAML 2.0. Purpose: Web application authentication. Details: SAML 2.0 token format
• WS-Federation 1.3. Purpose: Web application authentication. Details: SAML 1.1 token format; SAML 2.0 token format; JWT token format
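The OAuth 2.0 service-to-service row and the JWT token format, shown end to end as an added example that is not part of the original deck. The JWT decoder and claim checks run offline on a constructed token; the token request function targets the login.windows.net / graph.windows.net endpoints that were current when this deck was written (both since retired in favour of login.microsoftonline.com and Microsoft Graph), and $tenant, $clientId and $clientSecret are placeholders for an application registered in the tenant.

```powershell
# Added example (not from the original deck): client-credentials OAuth 2.0 grant
# against the directory REST endpoint, plus JWT decoding and the claim checks a
# relying party must perform. Endpoints and app identifiers are assumptions.

function ConvertFrom-Base64Url([string]$s) {
    # JWT segments are base64url without padding; restore padding before decoding.
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertFrom-Jwt([string]$token) {
    $parts = $token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 dot-separated segments" }
    [pscustomobject]@{
        Header    = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload   = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
        Signature = $parts[2]   # still base64url; verify against the issuer's signing key before trusting the claims
    }
}

function Test-JwtClaims($jwt, [string]$expectedAudience, [string]$expectedIssuerPrefix) {
    # Checks that are required even after the signature has been validated.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $p = $jwt.Payload
    if ($jwt.Header.alg -eq 'none') { return $false }           # unsigned tokens are never acceptable
    if ($p.aud -ne $expectedAudience) { return $false }         # token minted for someone else
    if (-not $p.iss -or -not $p.iss.StartsWith($expectedIssuerPrefix)) { return $false }
    if ($p.exp -le $now -or $p.nbf -gt $now) { return $false }  # outside its validity window
    return $true
}

function Get-ServiceToken([string]$tenant, [string]$clientId, [string]$clientSecret) {
    # Client-credentials grant: no user is involved, the application authenticates as itself.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        resource      = 'https://graph.windows.net'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.windows.net/$tenant/oauth2/token" -Body $body
    $resp.access_token
}

# --- Offline demonstration on a constructed token (header and payload only; the
#     signature segment is a dummy, so only the claim checks are meaningful here) ---
$hdr = '{"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}'
$pl  = '{"aud":"https://graph.windows.net","iss":"https://sts.windows.net/11111111-2222-3333-4444-555555555555/","nbf":1370000000,"exp":1370003600,"appid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}'
$b64 = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+','-').Replace('/','_') }
$sample = (& $b64 $hdr) + '.' + (& $b64 $pl) + '.' + 'c2lnbmF0dXJl'

$jwt = ConvertFrom-Jwt $sample
$jwt.Payload | Format-List
$ok = Test-JwtClaims $jwt -expectedAudience 'https://graph.windows.net' -expectedIssuerPrefix 'https://sts.windows.net/'
Write-Host "Claims acceptable: $ok   (False here: the constructed token expired in 2013)"

# Live use, only where these endpoints are still reachable for your tenant:
# $token = Get-ServiceToken $tenant $clientId $clientSecret
# Invoke-RestMethod -Uri "https://graph.windows.net/$tenant/users?api-version=2013-04-05" `
#                   -Headers @{ Authorization = "Bearer $token" }
```

Decoding a JWT proves nothing on its own; the point of the helper is that audience, issuer and validity window are checked explicitly, and that an alg of none is rejected outright, in addition to (not instead of) signature validation.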
29. ADFS 2.0 & SSO Requirements
• Windows Server 2008 or Windows Server 2008 R2
• Windows Server 2012 (ADFS 2.1)
• PowerShell V3
• Web Server (IIS)
• .Net 3.5 SP1
• Windows Identity Foundation
• Publicly registered domain name
• SSL Certificate for Hybrid Deployment
30. Understanding SAML Authentication Into the Cloud
[Diagram: Customer side: Client (joined to CorpNet), Active Directory, AD FS 2.0. Microsoft Online Services side: Authentication platform, Exchange Online or SharePoint Online.]
1. The Client (joined to CorpNet) authenticates to AD FS 2.0, which validates it against Active Directory.
2. AD FS 2.0 issues a Logon (SAML 1.1) Token carrying UPN: user@contoso.com and Source User ID: ABC123 (the ImmutableID synchronized from the on-premises directory).
3. The Microsoft Online Services Authentication platform accepts that token under the federation trust and issues its own Auth Token carrying UPN: user@contoso.com and Unique ID: 254729.
4. The Client presents the Auth Token to Exchange Online or SharePoint Online.
32. ADFS Claim Types
• Launch the ADFS 2.0 Management Console, browse to Claims Provider Trusts, and Edit Claim Rules…
• Add new rule
• Select the “Pass through or filter an incoming claim” template
• Provide rule name and type
• Repeat for all 5 claim types
33. Issuance Authorization Rule
• Launch the ADFS 2.0 Management Console, browse to Relying Party Trusts, and Edit Claim Rules…
• Add new Issuance Authorization Rule
• Select the “Send claims using a custom rule” template
• Add rule name and custom rule syntax
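The claim rules from the two preceding slides, applied to the Office 365 relying party trust from PowerShell rather than through the console, so they can be reviewed and repeated. This is an added example and not code from the original deck or from Microsoft; it assumes it runs on the AD FS 2.0 (or 2.1) server as an AD FS administrator, that the relying party is named "Microsoft Office 365 Identity Platform" as created by Convert-MsolDomainToFederated (confirm with Get-ADFSRelyingPartyTrust), that the transform rule text, reproduced from memory, should be compared with the rules the Microsoft Online module installed, and that the group SID is a placeholder.

```powershell
# Added example (not from the original deck): script the Office 365 relying-party
# claim rules. Assumptions: AD FS admin on the federation server; RP name as created
# by Convert-MsolDomainToFederated; group SID below is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 on 2008 R2
Import-Module ADFS -ErrorAction SilentlyContinue                        # AD FS 2.1 on Server 2012

$rpName = "Microsoft Office 365 Identity Platform"
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party '$rpName' not found; run Convert-MsolDomainToFederated first." }

# Issuance transform rules: look up UPN and objectGUID (the ImmutableID) in AD for the
# authenticated Windows account, then project the ImmutableID as the SAML NameID.
# Single-quoted here-string so ${user} stays literal for the claim rule language.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Issue UPN and ImmutableID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

@RuleName = "Issue NameID from ImmutableID"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified");
'@

# Issuance authorization rule ("Send claims using a custom rule" template): instead of
# the default "Permit all users", permit only members of one group, matched by SID so
# that renaming a group cannot silently widen access. Without a permit claim AD FS
# refuses to issue a token for this relying party. Requires the groupsid claim to be
# passed through from the Active Directory claims provider trust (slide 32).
$o365GroupSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # placeholder SID
$authzRules = @"
@RuleName = "Permit Office 365 users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$o365GroupSid"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Show what is now in force; re-read these after every AD FS change, since anyone
# who can edit them controls who the cloud accepts as a user.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules | Format-List
```

Test with a non-member account before rolling this out: the expected result is an AD FS authorization failure for that user, not a token with fewer claims.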
35. WAAD Provisioning
• Manual
• Simple Web based user interface
• Bulk import of users
• Best for small customers
• Scriptable
• PowerShell module for Windows
• Programmable: new REST based API
• Limited attribute set/object types
• Automated
• Directory Synchronization with delta
• Full fidelity of attributes and object types
• Optimized for large object sets
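The “Scriptable” option from the slide, as an added example that is not part of the original deck: bulk-creating users from a CSV with the Microsoft Online Services Module for Windows PowerShell. It assumes the MSOnline module and a global administrator credential; the CSV content is constructed for the example, and the licence SKU suffix ENTERPRISEPACK is a placeholder to be checked against Get-MsolAccountSku in your tenant.

```powershell
# Added example (not from the original deck): bulk user provisioning with the
# MSOnline module. The CSV data is constructed; the SKU filter is an assumption.
Import-Module MSOnline
Connect-MsolService

# Constructed sample input; in practice: $users = Import-Csv -Path .\newusers.csv
$csv = @"
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
alice@contoso.com,Alice Adams,Alice,Adams,GB
bob@contoso.com,Bob Brown,Bob,Brown,GB
"@
$users = $csv | ConvertFrom-Csv

# UsageLocation must be set before a licence can be assigned.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId
if (-not $sku) { throw "No ENTERPRISEPACK SKU in this tenant; adjust the filter to a SKU you own." }

$results = foreach ($u in $users) {
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "$($u.UserPrincipalName) already exists; skipping"
        continue
    }
    # No -Password: the service generates a random one and returns it once in the
    # output object. -ForceChangePassword makes the user replace it at first sign-in.
    # Hand the temporary password over out of band; do not leave it in a shared file.
    $new = New-MsolUser -UserPrincipalName $u.UserPrincipalName -DisplayName $u.DisplayName `
                        -FirstName $u.FirstName -LastName $u.LastName `
                        -UsageLocation $u.UsageLocation -LicenseAssignment $sku `
                        -ForceChangePassword $true
    [pscustomobject]@{ UPN = $new.UserPrincipalName; TempPassword = $new.Password }
}
$results | Format-Table -AutoSize
```

The existence check makes the script safe to re-run after a partial failure; without it a second run would error on every user already created.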
36. What is Dirsync? (Azure Active Directory Sync Tool)
• Enables Simple & Rich Coexistence
• Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
• Provides a unified Global Address List experience between on-premises and Office 365
• Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
• Enables coexistence for Exchange
• Works in both simple and hybrid deployment scenarios
• Enabler for mail routing between on-premises and Office 365 with a shared domain namespace
• Enables coexistence for Microsoft Lync
37. Dirsync Implementation Options
1 Way Sync from AD to Cloud
• Provisions users, DLs, Security Groups and contacts
• Can move to 2 Way Sync later
• On-premises is master for all objects and properties
2 Way Sync from AD to Cloud and Cloud to AD
• Required for Hybrid Deployments, e.g. co-existence with Exchange Online and Exchange on-premises
• Cannot move back to 1 way sync
• Cloud becomes master for certain properties (safe senders, mail co-existence, UM)
Password Sync Option
• Password Syncing is 1 way. Users that have Password Sync enabled are required to change their passwords on premises on an AD connected machine.
38. Dirsync Password Synchronization
• No longer requires ADFS for users to sign in with their on-premises password (this is “same sign-on” with one password, not true SSO: users are still prompted for credentials)
• Does not sync plaintext passwords
• Dirsync syncs hashes of hashes of your user's passwords
greatly reducing the risk of a password leaking
• You don't need to install any new software on your DCs or
reboot DCs
• Users don't need to change passwords
• Password Syncing is 1 way. Users that have Password
Sync enabled are required to change their passwords on
premises in an AD connected machine.
• “In my opinion not as secure as ADFS”
39. Dirsync: Synchronization Schedule
• Default is Every 3 Hours
• The “Start-OnlineCoexistenceSync” cmdlet can force a sync manually
• Synchronization can be re-scheduled as follows:
1. First navigate to the following directory on your DirSync Server: C:\Program Files\Microsoft Online Directory Sync
2. Locate the service executable that is used to run the DirSync schedule.
3. Locate the following line within the Microsoft.Online.DirSync.Scheduler.exe.config file: <add key="SyncTimeInterval" value="3:00:0" />
4. Edit the time within this file to reduce the sync schedule; for example, to reduce the interval to every 30 minutes use: <add key="SyncTimeInterval" value="0:30:0" />
5. Finally open the Services console (Start > Run > Services.msc) and restart the Microsoft Online Services Directory Synchronization Service.
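The schedule change above as a script, so the edit is backed up, validated and applied in one go instead of by hand in a text editor. This is an added example and not part of the original deck; it assumes the install path the slide gives, that the scheduler config is an ordinary .NET appSettings file with the SyncTimeInterval key shown, and that the service is found by the display name the slide uses (the short service name is looked up rather than assumed).

```powershell
# Added example (not from the original deck): change the DirSync interval by editing
# the scheduler's .exe.config as XML, with a backup, then restart the service.
# Assumptions: install path from the slide; appSettings key SyncTimeInterval present.
$dirsyncDir  = 'C:\Program Files\Microsoft Online Directory Sync'
$configPath  = Join-Path $dirsyncDir 'Microsoft.Online.DirSync.Scheduler.exe.config'
$newInterval = '0:30:0'   # h:mm:s; 30 minutes. The shipped default is 3:00:0.

if (-not (Test-Path $configPath)) { throw "DirSync scheduler config not found at $configPath" }

# Always keep a copy of a service configuration file before rewriting it.
Copy-Item $configPath "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$config = Get-Content $configPath
$setting = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
if (-not $setting) { throw "SyncTimeInterval key not present; the config layout differs from what this script expects" }

Write-Host "Current SyncTimeInterval: $($setting.value)"
$setting.value = $newInterval
$config.Save($configPath)

# Restart the scheduler so it reads the new interval. Look the service up by its
# display name rather than hard-coding the short name.
$svc = Get-Service -DisplayName 'Microsoft Online Services Directory Synchronization Service'
if (-not $svc) { throw "Directory Synchronization service not installed on this host" }
Restart-Service -Name $svc.Name -Force
Write-Host "Restarted $($svc.Name); SyncTimeInterval is now $newInterval"
```

Shortening the interval means the sync service account, which holds write access to the tenant directory, connects out far more often; treat the DirSync host with the same care as a domain controller regardless of the schedule.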
40. Best Bets and Next Steps
• Choose the Correct 365 Solution
• Product vs. Service
• Clean House
• SSO or not to SSO?
• Read the Planning Guides
• Region vs. Compliance!
• Get your DNS Correct
• Watch out for Expiring SSL Certs
• Beware the Deleted Domain Issue