This document provides an overview of Perficient, an information technology consulting firm, and its expertise in implementing Microsoft Office 365 solutions. Some key points:
- Perficient is a leading IT consulting firm founded in 1997 with about 2,000 employees, serving clients across North America.
- It helps clients implement business-driven technology solutions using its expertise in areas like business intelligence, customer experience, enterprise resource planning and more.
- Its Microsoft practice helps customers move to Office 365, covering identity options such as directory synchronization, password synchronization and federated single sign-on.
- The presentation discusses the identity management options in Office 365 (cloud identity, directory synchronization, password synchronization and federated identity), their suitability for organizations of different sizes, the UPN and AD FS deployment requirements, and client access control with AD FS.
2. About Perficient
Perficient is a leading information technology consulting firm serving clients throughout North America. We help clients implement business-driven technology solutions that integrate business processes, improve worker productivity, increase customer loyalty and create a more agile enterprise, better able to respond to new business opportunities.
3. Perficient Profile
• Founded in 1997
• Public, NASDAQ: PRFT
• 2012 revenue of $327 million
• Major market locations throughout North America: Atlanta, Austin, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Columbus, Dallas, Denver, Detroit, Fairfax, Houston, Indianapolis, Minneapolis, New Orleans, New York, Northern California, Philadelphia, Southern California, St. Louis, Toronto, Washington D.C.
• Global delivery centers in China, Europe and India
• ~2,000 colleagues
• Dedicated solution practices
• ~85% repeat business rate
• Alliance partnerships with major technology vendors
• Multiple vendor/industry technology and growth awards
4. Our Solutions Expertise
Business Solutions
• Business Intelligence
• Business Process Management
• Customer Experience and CRM
• Enterprise Performance Management
• Enterprise Resource Planning
• Experience Design (XD)
• Management Consulting
Technology Solutions
• Business Integration/SOA
• Cloud Services
• Commerce
• Content Management
• Custom Application Development
• Education
• Information Management
• Mobile Platforms
• Platform Integration
• Portal & Social
6. Why Perficient for Office 365?
• Certified: O365 MVP
• Experienced: hundreds of thousands of users migrated
• Innovative
7. Our Speaker
Presenter Shalini Pasupneti is a Solution Architect in Perficient's Microsoft infrastructure practice focusing on Exchange and Office 365. Recently, she's been guiding global and mid-size companies in their transition to Office 365. She holds an MCITP in both Exchange and Office 365.
10. Windows Azure Active Directory
A common identity platform for organizational accounts, providing both the directory store and the authentication platform. Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts.
11. Office 365 Identity
• Cloud Identity: a single identity in the cloud; suitable for small organizations with no integration to on-premises directories
• Directory Synchronization: a single identity; suitable for medium and large organizations without federation
• Federated Identity: a single federated identity and credentials; suitable for medium and large organizations
12. Cloud Identity
Diagram: the user's identity exists only in Windows Azure Active Directory as a cloud identity (Ex: alice@contoso.com).
• Rich experience with Office apps
• Ease of deployment, management and support
• Lower cost, as no additional on-premises servers are required
• High availability and reliability, as all identities and services are managed in the cloud
14. Directory Synchronization
Diagram: the on-premises identity in AD (Ex: Domain\Alice) is synchronized by directory synchronization to a cloud identity in Windows Azure Active Directory (Ex: alice@contoso.com).
• Rich experience with Office apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity; credentials remain separate unless password synchronization is added, and there is no single sign-on between on-premises and Office 365 services
• Reuses the existing on-premises directory implementation
16. Deployment Considerations
• Active Directory health
  • Prerequisites check (Readiness Tool)
  • IdFix
• Topology
  • Single forest
  • Multiple forests
• Security
  • Firewalls, permissions
• 64-bit only
• Object filtering required
• SQL Express, or full SQL Server for more than 50k objects
17. Scoping and Filtering for Synchronization
• Customers can exclude objects from synchronizing to Office 365
• Scoping can be done at the following levels:
  • AD domain-based
  • Organizational unit-based
  • User attribute-based
• Additional filtering capabilities will become available with the O365 Connector
• Preventing the synchronization of specific attributes is not supported
18. Directory Synchronization Write-Back
Attribute | Feature | Description
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering coexistence | Enables on-premises filtering using cloud safe/blocked sender info
msExchArchiveStatus | Cloud archive | Allows users to archive mail to the Office 365 service
ProxyAddresses (cloudLegDN) | Mailbox off-boarding | Enables off-boarding of mailboxes back to on-premises
cloudmsExchUCVoiceMailSettings | Voicemail coexistence | Enables voicemail coexistence between on-premises Lync Server 2010 users and the cloud service
19. Password Synchronization
Diagram: the on-premises identity in AD (Ex: Domain\Alice) is synchronized by directory synchronization, together with a one-way password hash, to a cloud identity in Windows Azure Active Directory (Ex: alice@contoso.com).
• Rich experience with Office apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and password credentials, but no single sign-on between on-premises and Office 365 services
• Reuses the existing on-premises directory implementation
20. Windows Azure Active Directory Sync Tool
• The tool is downloaded from the Office 365 admin portal
• Synchronizes user passwords from on-premises AD to Azure AD (Office 365)
• Only a one-way hash of the password is synchronized to WAAD, so the original password cannot be reconstructed from it
• Respects on-premises password policies
• Cannot sync passwords for federated users (they authenticate at the on-premises SAML 2.0 identity provider), but password sync and federation can coexist in the same tenant
More details on TechNet: http://aka.ms/sync
21. Non-AD Synchronization
Diagram: the on-premises identity (Ex: Domain\Alice) lives in a non-AD (LDAP) directory and is synchronized to Windows Azure Active Directory through the Office 365 Connector on FIM, with federation using a non-AD FS STS.
• Preferred option for directory synchronization with non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
22. Federated Identity
Diagram: the on-premises identity (Ex: Domain\Alice) in AD or a non-AD directory is synchronized to Windows Azure Active Directory, and authentication is federated back to the on-premises directory.
• Single identity and sign-on for on-premises and Office 365 services
• Identities mastered on-premises with a single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token-based authentication
• Client access control based on IP address with AD FS
• Multi-factor ("strong") authentication options for additional security with AD FS
23. Deployment Considerations for UPN
• User objects must have a value for UPN in on-premises Active Directory
• The UPN domain suffix must match a verified domain in Office 365
• The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN suffix does not match a verified domain
• Users must switch to using their UPN (user@contoso.com) to log on to Office 365, not domain\username
• The UPN must contain only valid characters; the Office 365 Deployment Readiness Tool verifies that on-premises objects have valid characters
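The UPN checks above can be scripted before the readiness tool is run, so that problem accounts are found in bulk. The PowerShell below is an added example written for this page, not a Perficient or Microsoft script: it assumes the Active Directory module is installed on the management host, the verified-domain list is a constructed sample (in a real tenant take it from Get-MsolDomain -Status Verified after Connect-MsolService), the character rule is an approximation of what IdFix enforces rather than the tool's exact logic, and the account name jdoe in the remediation line is hypothetical.

```powershell
# Added example for this page (not from the deck): report on-premises users whose
# UPN would not work as an Office 365 sign-in name.
Import-Module ActiveDirectory

# Constructed sample; in a real tenant use:
#   Connect-MsolService; (Get-MsolDomain -Status Verified).Name
$verifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Test-O365Upn {
    param(
        [string]$Upn,
        [string[]]$VerifiedDomains
    )
    if ([string]::IsNullOrEmpty($Upn)) { return 'Missing UPN' }
    $parts = $Upn.Split('@')
    if ($parts.Length -ne 2) { return 'Malformed UPN (expected user@domain)' }
    $localPart = $parts[0]
    $suffix    = $parts[1].ToLower()
    # Approximation of the IdFix character rule: letters, digits, period, hyphen and
    # underscore only; no leading, trailing or consecutive periods.
    if ($localPart -notmatch '^[A-Za-z0-9._-]+$' -or $localPart -match '^\.|\.$|\.\.') {
        return 'Invalid characters in UPN'
    }
    if ($VerifiedDomains -notcontains $suffix) {
        return "Suffix $suffix not verified; Office 365 would fall back to the .onmicrosoft.com domain"
    }
    return 'OK'
}

$report = Get-ADUser -Filter * -Properties UserPrincipalName | ForEach-Object {
    New-Object PSObject -Property @{
        SamAccountName = $_.SamAccountName
        UPN            = $_.UserPrincipalName
        Status         = Test-O365Upn -Upn $_.UserPrincipalName -VerifiedDomains $verifiedDomains
    }
}

# Only the accounts that need attention before DirSync or federation is enabled.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table SamAccountName, UPN, Status -AutoSize

# Remediation for one (hypothetical) user as a dry run; drop -WhatIf to apply.
# Set-ADUser -Identity jdoe -UserPrincipalName 'jdoe@contoso.com' -WhatIf
```

Run it on the DirSync host or any machine with the RSAT AD module; users with an unverified suffix are the ones who would otherwise silently receive a contoso.onmicrosoft.com sign-in name, which is the confusing outcome the slide warns about.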
24. Federated Identity Requirements
• Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012
• Active Directory forest functional level 2003 or higher
• PowerShell
• Web Server (IIS)
• .NET 3.5 SP1
• Windows Identity Foundation
• Publicly registered domain name
• Public certificate (wildcard supported but not recommended)
• High availability, load-balanced design
• Choice between the Windows Internal Database or SQL Server
25. Authentication Flow (Passive/Web)
Components: on the customer side, the client (joined to CorpNet), Active Directory and the AD FS 2.0 server; on the Microsoft Online Services side, the authentication platform and Exchange Online or SharePoint Online.
1. The browser client on CorpNet is authenticated by Active Directory and redirected to the AD FS 2.0 server.
2. AD FS issues a logon (SAML 1.1) token carrying UPN: user@contoso.com and Source User ID: ABC123.
3. The Microsoft Online authentication platform validates that token and issues its own auth token carrying UPN: user@contoso.com and Unique ID: 254729, which the client presents to Exchange Online or SharePoint Online.
26. Active Flow (Outlook/ActiveSync)
Components: the same as the passive flow, with Exchange Online on the service side.
1. The rich client (Outlook or ActiveSync) sends Basic Auth credentials (username/password) to Exchange Online.
2. Exchange Online presents those credentials to the AD FS 2.0 server on the user's behalf; AD FS validates them against Active Directory and issues the logon (SAML 1.1) token (UPN: user@contoso.com, Source User ID: ABC123).
3. The authentication platform exchanges it for the auth token (UPN: user@contoso.com, Unique ID: 254729) and Exchange Online serves the request.
Because the request reaches AD FS from the service rather than from the client, the user's password transits Exchange Online and the federation server proxy sees the service's address, not the client's. Client-based access control for this flow therefore depends on the request-context claims introduced in AD FS 2.0 Update Rollup 1, covered on the next slides.
27. AD FS Customization
• Two-factor authentication: requires the AD FS proxy sign-in page or other proxies such as TMG/UAG
• Client access policies (AD FS): require AD FS 2.0 Update Rollup 1 (UR1), http://support.microsoft.com/kb/2607496
28. AD FS Customization: Client Access Control
• Part of AD FS
• Limits access to Office 365 based on network connectivity (internet versus intranet), for example:
  • Block all external access to Office 365 based on the IP address of the external client
  • Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
  • Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
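The second of those policies expressed as AD FS claim rules. The PowerShell below is an added example for this page, not Perficient's or Microsoft's code: it replaces the issuance authorization rule set on the Office 365 relying party trust with one that permits everyone and then denies any request that arrived through the federation server proxy unless it came from the corporate public range or is Exchange ActiveSync. It assumes AD FS 2.0 with Update Rollup 1 (which adds the x-ms-proxy, x-ms-forwarded-client-ip and x-ms-client-application request-context claims), the default relying-party name created by the Office 365 federation cmdlets, and a constructed egress range 203.0.113.0/24 standing in for the customer's real public addresses.

```powershell
# Added example for this page (not from the deck): block external access to
# Office 365 except Exchange ActiveSync, using AD FS 2.0 UR1 request-context claims.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rp  = 'Microsoft Office 365 Identity Platform'   # default RP trust name for Office 365
$ctx = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'

# Constructed placeholder for the corporate public egress range 203.0.113.0/24.
# \b rather than ^...$ because x-ms-forwarded-client-ip can carry several
# comma-separated addresses (the client plus every proxy that forwarded it).
$corpEgress = '\b203\.0\.113\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\b'

$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external access except Exchange ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpEgress"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep a copy of the current rules so the change can be reverted.
$current = (Get-ADFSRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
Set-Content -Path "$env:TEMP\o365-issuance-authz.bak" -Value $current

Set-ADFSRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules

# Confirm what is now in effect.
(Get-ADFSRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

A deny claim overrides a permit claim regardless of rule order, which is why the permit rule can stay first. Requests from intranet clients never pass the proxy, so they carry no x-ms-proxy claim and are unaffected. Swapping the x-ms-client-application condition for one on x-ms-endpoint-absolute-path gives the "browser-only" variant from the slide; test either with a non-admin account from outside before rolling it out, since a mistake here locks every external user out of Office 365.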
29. Active Directory Federation Services
Capability | Password Sync | SSO with AD FS
Same password to access resources | Yes | Yes
Can control password policies on-premises | Yes | Yes
Support for two-factor authentication | Basic (Azure AD) * | Yes
No password re-entry if on-premises | No | Yes
Client access filtering | No | Yes
Authentication occurs in on-premises directory | No | Yes
* Azure AD offers some basic 2FA features that are available with an AD FS deployment on-premises; AD FS can support a larger set of 2FA/strong authentication options.
31. User Experience
Client | Cloud Identity | Federated Identity (domain-joined computer) | Federated Identity (non-domain-joined computer)
Microsoft Outlook 2010 on Windows 7 | Sign in each session | Sign in each session | Sign in each session
Outlook 2007 on Windows 7 | Sign in each session | Sign in each session | Sign in each session
Outlook 2010 or Outlook 2007 on Windows Vista or Windows XP | Sign in each session | Sign in each session | Sign in each session
Exchange ActiveSync | Sign in each session | Sign in each session | Sign in each session
POP, IMAP, Microsoft Outlook for Mac 2011 | Sign in each session | Sign in each session | Sign in each session
Web experiences: Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps | Sign in each browser session | No prompt | Sign in each browser session
Office 2010 or Office 2007 using SharePoint Online | Sign in each SharePoint Online session | Sign in each SharePoint Online session | Sign in each SharePoint Online session
Lync Online | Sign in each session | No prompt | Sign in each session
32. Multi-forest AD
Diagram: several AD forests (on-premises identity Ex: Domain\Alice) are synchronized to Windows Azure Active Directory by DirSync on FIM, with federation using AD FS.
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
• The multi-forest DirSync appliance supports multiple disjoint account forests
• Multiple Exchange organizations are currently not supported
33. Multi-forest Decision Flowchart
Start: how many Active Directory forests?
  Single (1): use Single Forest DirSync.
  Multiple (>1): how many Exchange orgs?
    Multiple (>1): on-premises org consolidation is needed (see the consolidation whitepaper); after consolidation, continue with a single Exchange org.
    None (0) or Single (1): are the account forests "disjoint"?
      No: want to consolidate to a single forest?
        Yes: see the consolidation whitepaper; after consolidation, use Single Forest DirSync.
        No: use the Office 365 Connector.
      Yes: are the "disjoint" account forests and the Exchange org accessed by accounts in the same forest?
        Yes: use Multi Forest DirSync.
        No: use the Office 365 Connector.
34. Identity Integration Options
Option | Org size | Control of attributes in directory | Source of authority | Hardware requirements | Login experience
Cloud Identity | Small | Least control | Cloud | No on-premises hardware required | Disjoint username/password for on-premises and cloud; enter credentials twice
Directory Sync | All | Full control via on-premises directory | On-premises | Windows Server OS for DirSync appliance | Disjoint username/password for on-premises and cloud; enter credentials twice
Password Sync | All | Full control via on-premises directory | On-premises | Windows Server OS for DirSync appliance | Same username/password for on-premises and cloud; enter credentials twice
Graph API | Large | Can control core attributes and selected optional ones | Cloud | Machine to run PowerShell jobs on | Disjoint username/password for on-premises and cloud; enter credentials twice
FIM | Large | Can control core attributes and selected optional ones | On-premises | Forefront Identity Manager with Office 365 Connector | Disjoint username/password for on-premises and cloud; enter credentials twice
Single Sign-On | Large | Full control via on-premises directory | On-premises | DirSync appliance plus AD FS (or other STS) deployment | Same username/password for on-premises and cloud; log in once if on-premises
35. Federation Options
Shibboleth (SAML)
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook (via the SAML ECP profile) only
• Microsoft supported for integration only; no Shibboleth deployment support
• Requires on-premises servers and support
• Works with AD and other directories on-premises
AD FS (Active Directory Federation Services)
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support
• Works with AD
Works with Office 365 - Identity (third-party STS)
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD directories
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported; verified through the "Works with Office 365" program
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support
• Works with AD and non-AD
37. Connect with Perficient
• 10.15 Agile BI: How to Deliver More Value in Less Time, bit.ly/17lsd7H
• 10.16 How Lamar Created an Engaging & Mobile Website, bit.ly/18Sfa0O
• Customized Microsoft Training for IT Pros & End Users, bit.ly/1cy8WV5