Agenda

• Overview
• Identity Management in Office 365
• What's New – be up to date on abilities
• Works with Office 365 – Identity program
• Exchange Best Practices – Keep it simple
• Multi-Factor Authentication

Account types

• Microsoft Account (ex: [email protected]) – a user identity.
• Windows Azure Active Directory Organizational Account (ex: [email protected]) – a user identity.
• Windows Azure Active Directory serves as the authentication platform and the directory store for your app.

Identity models

• Cloud Identities – a single identity in the cloud, suitable for small organizations with no integration to on-premises directories.
• Synchronized Passwords – a single identity, suitable for medium and large organizations without federation.
• Federated Identities – a single federated identity and credentials, suitable for medium and large organizations.

Feature comparison (columns: Cloud IDs | Password Sync | Federated IDs)

• Same password to access resources on-premises and in the cloud
• Can control password policies on-premises
• Single sign-on with no password re-entry when on-premises
• Client access filtering by IP, client type, or time schedule
• Authentication occurs and is audited on-premises
• Can immediately block disabled accounts on-premises
• Change password available from the web
• Works with Forefront Identity Manager 2010 R2
• Can customize the user sign-in page
• Use with cloud-based Multi-Factor Authentication
• Use with on-premises-based Multi-Factor Authentication

Source: http://technet.microsoft.com/en-us/library/jj573649.aspx

Works with Office 365 – Identity program

What is it? Third-party identity providers qualified against the protocols Office 365 uses:
• WS-Trust & WS-Federation (Active Directory with AD FS)
• WS-Federation (passive auth)
• SAML (passive auth) – coming soon!

Customer benefits:
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft

*For representative purposes only.

Directory synchronization options

Account Directory            | Exchange Orgs                                          | Azure AD  | Supported? | Sync Solution
1 AD Forest                  | 1, in AD forest                                        | 1 Tenant  | Yes        | DirSync
1 AD Forest                  | n resource forest(s), will retire all Exchange forests | 1 Tenant  | Yes        | DirSync
n AD Forests                 | n in resource forest(s), will not retire               | 1 Tenant  | Yes        | FIM + AAD Connector
1 LDAP Directory             | N/A                                                    | 1 Tenant  | Yes        | LDAP DirSync
1 AD Forest                  |                                                        | n Tenants | Yes        | FIM + AAD Connector OR n DirSyncs
Non-AD directory             | N/A                                                    | n Tenants | Yes        | FIM + AAD Connector
n AD Forests + m non-AD      | N/A                                                    | n Tenants | Yes        | FIM + AAD Connector

Topology diagrams (labels only): a resource forest synchronized by DirSync (migrate data: "sync, UPN, ImmutableID") plus a login forest with AD FS, both feeding an Azure AD tenant; a single AD forest with DirSync and AD FS feeding an Azure AD tenant.

Decision flow: choosing a sync solution

• Start: how many Active Directory forests?
• Single (1): use Single Forest DirSync.
• Multiple (>1): do you want to consolidate to a single forest?
  • Yes: see the consolidation whitepaper (http://technet.microsoft.com/library/cc974332.aspx); after consolidation, use Single Forest DirSync.
  • No: how many Exchange organizations (none, or single)? Use FIM 2010 R2 Connectors (http://technet.microsoft.com/library/dn511001.aspx).

Service diagram (labels only): Exchange Online, OneDrive, Windows Intune (workflows), Graph/PowerShell front-ends and admin portals, all fed by DirSync. Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=72c15d25-6515-4763-9b76-054362b58398

Client sign-in experience by identity type (columns: Cloud IDs | Password Sync | SSO IDs)

• Rich applications (SIA): Lync Online, Office Subscriptions, CRM, rich client Office 2013
• Web clients: Office 2010 and Office 2007 SP2 with SharePoint Online, Outlook Web Application
• Mail clients: Office 2010 and Office 2007 SP2, ActiveSync/POP/IMAP, Entourage

Cell values as they appear in the deck: Cloud IDs sign in with a username and password or an Online ID; Password Sync signs in with AD credentials (username and password, giving SSO from non-domain-joined machines); SSO IDs sign in with AD credentials with no prompt from domain-joined machines. Mail clients can save credentials and remember the last user.

AD FS topology (labels only): the AD FS 2.0 Server sits inside the corporate boundary and the AD FS 2.0 Proxy sits at the edge, exposing the MEX, Web (passive) and Active endpoints. Clients: Lync 2010/Office Subscription, OWA (internal and external), Outlook 2010/2007 over IMAP/POP and ActiveSync, all presenting username and password to Exchange Online. Basic auth proposal: pass client IP, protocol, and device name.

Authentication flow (Passive/Web profile)

1. Client (joined to CorpNet) logs on to Active Directory.
2. The AD FS 2.0 Server issues a SAML 1.1 token carrying UPN: [email protected] and Source User ID: ABC123.
3. The Microsoft Online Services authentication platform validates it and issues an auth token carrying UPN: [email protected] and Unique ID: 254729.
4. The client presents the auth token to Exchange Online or SharePoint Online.

Authentication flow (MEX/Rich Client profile)

Same exchange as above (Active Directory logon, SAML 1.1 token from the AD FS 2.0 Server, auth token from the authentication platform), with Lync Online as the relying service.

Authentication flow (Basic auth, Exchange Online)

1. The client sends Basic Auth credentials (username/password) to Exchange Online.
2. Exchange Online passes the credentials through the AD FS 2.0 Proxy to the AD FS 2.0 Server, which logs on to Active Directory.
3. The AD FS 2.0 Server issues a SAML 1.1 token (UPN: [email protected], Source User ID: ABC123) to the Windows Azure Active Directory authentication platform, which issues the auth token (UPN: [email protected], Unique ID: 254729).

Multi-Factor Authentication

Excludes the Office 365 dedicated SKU and SMB SKUs. *Out of band refers to being able to use a second factor with no modification to the existing app UX. Multi-Factor Authentication for Office 365 is upgradeable to Azure Multi-Factor Authentication.

Capability                                                      | MFA for Office 365 | Windows Azure MFA
Administrators can enable/enforce MFA for end users             | Yes                | Yes
Mobile app (online and OTP) as second authentication factor     | Yes                | Yes
Phone call as second authentication factor                      | Yes                | Yes
SMS as second authentication factor                             | Yes                | Yes
App passwords for non-browser clients (e.g. Outlook, Lync)      | Yes                | Yes
Default Microsoft greetings during authentication phone calls   | Yes                | Yes
Custom greetings during authentication phone calls              |                    | Yes
Fraud alert                                                     |                    | Yes
Event confirmation                                              |                    | Yes
Security reports                                                |                    | Yes
Block/unblock users                                             |                    | Yes
One-time bypass                                                 |                    | Yes
Customizable caller ID for authentication phone calls           |                    | Yes
MFA Server – MFA for on-premises applications                   |                    | Yes
MFA SDK – MFA for custom apps                                   |                    | Yes