Summit: ITP13 - Identity management integration options for Office 365

Identity management integration options for Office 365
Identity for Microsoft cloud services (diagram)
• Microsoft Account – a user signs in with a consumer Microsoft Account, ex: [email protected]
• Microsoft Azure Active Directory – a user signs in with an Organizational Account, ex: [email protected]
Office 365 Identity Models
Identity Synchronization and Federation (diagram labels): WS-Federation, Authentication, Metadata, Graph API, Synchronize accounts, WS-Trust, Shibboleth, SAML 2.0, Federated sign-in
Cloud identity model
Synchronized identity model
Before installing DirSync
• Active Directory remediation
  • IdFix
• Forest functional level
  • Windows Server 2003
• Multiple forests
  • Not DirSync
  • Azure AD Sync or Forefront Identity Manager 2010
• Directories other than Active Directory
  • Not DirSync
  • Works with Office 365 – Identity program
IdFix – DirSync AD Remediation
What errors does IdFix look for?
• Duplicate proxyAddresses
• Invalid characters in attributes
• Over-length attributes
• Format errors in attributes
• Use of non-routable domains
• Blank attribute that requires a value
Attributes checked: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
DirSync topology and number of servers
• A domain controller co-located install isn’t recommended
  • But it is supported and you can install DirSync on the DC
• One server is most common
  • DirSync installs SQL Express for replication data
  • You can install with a dedicated SQL Server and can use HA for SQL Server
• Consider using Azure
  • To avoid any on-premises servers you can deploy to Azure IaaS
• Use the DirSync road map
  • Read the docs, but skip the Microsoft Deployment Readiness Toolkit
DirSync installation and review
• Be aware of directory object limits
  • A new tenant can sync up to 50,000 directory objects
  • Register a vanity domain and it is increased to 300,000 objects
• Add DNS domains to Office 365
  • Add these prior to syncing to preserve UPNs
• Sync now
  • Expect about 1 hour per 5,000 objects
• Check event logs
  • EventVwr
• Password expiry for the sync account
• Assign Office 365 licenses
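The IdFix error classes listed earlier and the advice to add DNS domains before the first sync can both be checked from PowerShell before DirSync is installed. The script below is an added example written for this page; it is not code from the slides or from the IdFix tool. The length limits, the allowed character class for mailNickname and the list of non-routable suffixes are assumptions chosen to illustrate the checks (take the authoritative rules from the IdFix documentation), and the user records and verified-domain list are constructed so the script runs offline. In production the users would come from Get-ADUser with the five attributes listed on the slide, and the verified domains from Get-MsolDomain.

```powershell
# Added example: IdFix-style pre-sync attribute checks (not the IdFix tool's own rules).
# Constructed sample data so the script runs offline; replace with Get-ADUser / Get-MsolDomain output.

$VerifiedDomains = @('contoso.com')   # constructed: domains already added to the Office 365 tenant

$Users = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   mailNickname = 'jdoe';    userPrincipalName = 'jdoe@contoso.com';
                       targetAddress = $null;     proxyAddresses = @('SMTP:jdoe@contoso.com') },
    [pscustomobject]@{ sAMAccountName = 'asmith'; mailNickname = 'a smith'; userPrincipalName = 'asmith@contoso.local';
                       targetAddress = $null;     proxyAddresses = @('SMTP:asmith@contoso.com', 'smtp:JDoe@contoso.com') },
    [pscustomobject]@{ sAMAccountName = 'svc-longname-exceeds-limit'; mailNickname = ''; userPrincipalName = 'svc@contoso.com';
                       targetAddress = $null;     proxyAddresses = @() }
)

function New-Finding {
    param([string]$User, [string]$Attribute, [string]$Problem, [string]$Value)
    [pscustomobject]@{ User = $User; Attribute = $Attribute; Problem = $Problem; Value = $Value }
}

function Test-DirSyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    # Assumed limits and character class for this illustration only.
    $MaxLen = @{ mailNickname = 64; sAMAccountName = 20; userPrincipalName = 113 }
    $NicknamePattern = '^[A-Za-z0-9._-]+$'
    $NonRoutableSuffixes = @('.local', '.internal')   # assumed examples of non-routable suffixes

    $findings = @()

    # 1. Duplicate proxyAddresses across the whole set: compare the address after the
    #    "SMTP:"/"smtp:" prefix case-insensitively, since Azure AD treats them as one address.
    $addressOwners = @{}
    foreach ($u in $Users) {
        foreach ($p in @($u.proxyAddresses) | Where-Object { $_ }) {
            $addr = ($p -split ':', 2)[-1].ToLowerInvariant()
            if (-not $addressOwners.ContainsKey($addr)) { $addressOwners[$addr] = @() }
            $addressOwners[$addr] += $u.sAMAccountName
        }
    }
    foreach ($entry in $addressOwners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            foreach ($owner in $entry.Value) {
                $findings += New-Finding $owner 'proxyAddresses' 'Duplicate proxyAddress' $entry.Key
            }
        }
    }

    foreach ($u in $Users) {
        $id = $u.sAMAccountName

        # 2. Blank attributes that require a value
        foreach ($attr in 'mailNickname', 'userPrincipalName') {
            if ([string]::IsNullOrWhiteSpace($u.$attr)) {
                $findings += New-Finding $id $attr 'Blank attribute that requires a value' ''
            }
        }

        # 3. Over-length attributes
        foreach ($attr in $MaxLen.Keys) {
            $v = [string]$u.$attr
            if ($v.Length -gt $MaxLen[$attr]) {
                $findings += New-Finding $id $attr "Exceeds $($MaxLen[$attr]) characters" $v
            }
        }

        # 4. Invalid characters in mailNickname (the space in "a smith" in the sample)
        if ($u.mailNickname -and $u.mailNickname -notmatch $NicknamePattern) {
            $findings += New-Finding $id 'mailNickname' 'Invalid characters' $u.mailNickname
        }

        # 5. Format errors and non-routable / unverified domains in userPrincipalName.
        #    A UPN suffix that is not a verified tenant domain will not be preserved after sync.
        $upn = [string]$u.userPrincipalName
        if ($upn) {
            $parts = $upn -split '@'
            if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
                $findings += New-Finding $id 'userPrincipalName' 'Format error (expected user@domain)' $upn
            } else {
                $suffix = $parts[1].ToLowerInvariant()
                if ($NonRoutableSuffixes | Where-Object { $suffix.EndsWith($_) }) {
                    $findings += New-Finding $id 'userPrincipalName' 'Non-routable domain' $upn
                }
                if ($VerifiedDomains -notcontains $suffix) {
                    $findings += New-Finding $id 'userPrincipalName' 'Domain not added to Office 365 (UPN would not be preserved)' $upn
                }
            }
        }
    }
    return $findings
}

Test-DirSyncReadiness -Users $Users -VerifiedDomains $VerifiedDomains | Sort-Object User | Format-Table -AutoSize
```

With the constructed sample, the report flags jdoe and asmith for the shared address, asmith for the space in mailNickname and the contoso.local suffix (both non-routable and not a verified domain), and the service account for its blank mailNickname and over-long sAMAccountName. Running the same function over the real directory before the first sync turns the remediation step into a repeatable check rather than a one-off.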
Other DirSync considerations
• High availability
  • Can back up and reinstall
• Filtering DirSync
  • By OU
• Security of hashes
  • One-way hashes (of the hash)
  • Not reversible
  • Sent to Azure AD over SSL
Password hash sync security
• We typically get questions about the security of synchronizing passwords from banking and finance customers
• The password hash that we get from AD is not reversible to get the user's password
  • Hashes are mathematical functions that are nearly impossible to reverse. The result of the hash algorithm is called a digest
• We further process it with a one-way SHA256 hash algorithm
• We connect over SSL to the Azure AD service and send the resulting hash of the hash
• This enables Azure AD to validate the user's password when they log in
• More details at
  • http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-syncfrequently-asked-questions.aspx
Choosing between DirSync and AAD Sync
(Comparison slide; the two column headers and the check marks did not survive extraction, so the compared features are listed without column assignment.)
DirSync: Released and supported in production
Azure AD Sync: Beta available; Planned to replace DirSync in the future; Preview cannot be upgraded to later release
Features compared:
• Includes password hash sync
• Includes sync from multiple forests, including merging duplicate users in these forests
• Includes password write-back with Azure AD Premium license
• Can filter objects by OU
• Supports use of dedicated SQL Server install or SQL Express
• The setup wizard can be run multiple times for configuration changes
• ** In addition to AD, can sync from LDAP v3, SQL Server and CSV data
• ** Enables selective OU sync using the UX in the setup, compared to DirSync which requires PowerShell configuration
• ** Enables transforming of attributes using the UX in the setup
** Not in beta
Demo: Configuring Azure AD Sync
Federated identity model
Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
ADFS is Also Easy
• Use trained and experienced deployment staff
• Use the Azure AD Connect Tool
  • https://microsoft.sharepoint.com/teams/OfficeOnRamp/wiki/Pages/Azure-ActiveDirectory-Connect-Tool.aspx
• Read all the TechNet Deployment Guidance
  • http://technet.microsoft.com/en-us/library/jj205462.aspx
• Only implement the Office 365 requirements
  • The only certificate required is the SSL certificate
• Prepare with firewall update permissions
Demo: Azure AD Connect for AD FS
How to choose an identity model?
Change between models as needs change
• Cloud Identity to Synchronized Identity
  • Deploy DirSync
  • Hard match or soft match of users
• Synchronized Identity to Federated Identity
  • Deploy AD FS
  • Can leave password sync enabled as backup
• Federated Identity to Synchronized Identity
  • PowerShell Convert-MsolDomainToStandard
  • Takes 2 hours plus 1 additional hour per 2,000 users
• Synchronized Identity to Cloud Identity
  • PowerShell Set-MsolDirSyncEnabled
  • Takes 72 hours and you can monitor with Get-MsolCompanyInformation
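The two downgrade paths above (federated to synchronized, synchronized to cloud) are one-way, long-running changes, so it is worth wrapping the cmdlets so that the current state is checked first and the 72-hour DirSync disable can be polled. The script below is an added example for this page, not code from the slides or from Microsoft; it uses the MSOnline module cmdlets named on the slide (Convert-MsolDomainToStandard, Set-MsolDirSyncEnabled, Get-MsolCompanyInformation) plus Get-MsolDomain and Connect-MsolService from the same module. The domain name and password-file path are placeholders, and the function names and the 'Disabled' status comparison are this example's own choices.

```powershell
# Added example: guarded wrappers around the model-change cmdlets from the slide.
# Requires the MSOnline module and a tenant Global Administrator account.
Import-Module MSOnline
Connect-MsolService          # prompts for tenant admin credentials

# Federated identity -> Synchronized identity, one domain at a time.
# Convert-MsolDomainToStandard removes the federation trust for the domain; unless
# -SkipUserConversion is $true it also converts the domain's users and writes their
# temporary passwords to -PasswordFile. Slide estimate: 2 hours + 1 hour per 2,000 users.
function Convert-FederatedDomainToSynced {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $PasswordFile,
        [switch] $WhatIf
    )
    $before = Get-MsolDomain -DomainName $DomainName
    if ($before.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is already '$($before.Authentication)'; nothing to convert."
        return $before
    }
    if ($WhatIf) {
        Write-Host "Would convert $DomainName from Federated to Managed (no change made)."
        return $before
    }
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile
    Get-MsolDomain -DomainName $DomainName   # Authentication should now read 'Managed'
}

# Synchronized identity -> Cloud identity for the whole tenant.
# Set-MsolDirSyncEnabled $false starts a background conversion that the slide says
# takes about 72 hours; every synced object becomes cloud-managed when it finishes.
function Disable-DirectorySync {
    param([switch] $Force)
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        Write-Host "Directory sync is already disabled (status: $($info.DirectorySynchronizationStatus))."
        return $info
    }
    if (-not $Force) {
        Write-Warning 'This makes every synced user cloud-only and cannot be hurried. Re-run with -Force to proceed.'
        return $info
    }
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    Get-MsolCompanyInformation
}

# Poll Get-MsolCompanyInformation until the disable completes (status 'Disabled' assumed
# to be the terminal value; the intermediate status is shown while the 72-hour window runs).
function Wait-DirectorySyncDisabled {
    param([int] $PollMinutes = 60, [int] $MaxHours = 80)
    $deadline = (Get-Date).AddHours($MaxHours)
    do {
        $info = Get-MsolCompanyInformation
        Write-Host ("{0:u}  Enabled={1}  Status={2}" -f (Get-Date), $info.DirectorySynchronizationEnabled, $info.DirectorySynchronizationStatus)
        if (-not $info.DirectorySynchronizationEnabled -and $info.DirectorySynchronizationStatus -eq 'Disabled') {
            return $info
        }
        Start-Sleep -Seconds ($PollMinutes * 60)
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Directory sync still not disabled after $MaxHours hours; check again later."
    return $info
}

# Placeholder domain and path; -WhatIf and the missing -Force keep both calls read-only.
Convert-FederatedDomainToSynced -DomainName 'contoso.com' -PasswordFile 'C:\secure\contoso-temp-passwords.txt' -WhatIf
Disable-DirectorySync
```

Both wrappers default to reporting rather than changing anything, which matches how the slide positions these moves: planned transitions with a known duration, not something to run on a whim. The password file produced by Convert-MsolDomainToStandard contains every converted user's temporary password and should be handled like any other credential export.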
Choose the simplest model for your needs
• This is our recommendation
• Cloud Identity is the simplest model
• Choose cloud when
  • You have no on-premises directory
  • There is on-premises directory restructuring
  • You are in pilot with Office 365
Choose synchronized identity if you have an on-premises directory
• Password hash sync means federation is not required just to have the same password in the cloud
  • Same sign-on – the username and password are the same in the cloud as on-premises
  • Single sign-on – you log on to the PC and no password is required for cloud services
  • Save credentials for later use: Windows Credential Manager
  • Outlook does not support single sign-on
• Choose password hash sync unless you have one of the scenarios that requires federation
Scenarios for choosing federation
Existing infrastructure
1. You already have an AD FS Deployment
2. You already use a Third Party Federated Identity Provider
3. You use Forefront Identity Manager 2010
Scenarios for choosing federation
Technical requirements
4. You have Multiple Forests in your on-premises AD
5. You have an On-Premises Integrated Smart Card or Multi-Factor Authentication (MFA) Solution
6. Custom Hybrid Applications or Hybrid Search is Required
7. Web Accessible Forgotten Password Reset
Scenarios for choosing federation
Policy requirements
8. You Require Sign-In Audit and/or Immediate Disable
9. Single Sign-On minimizing prompts is Required
10. Require Client Sign-In Restrictions by Network Location or Work Hours
11. Policy preventing Synchronizing Password Hashes to Azure AD
Office 365 federation options
(Comparison table of four federation options; the column headers did not survive extraction, so the cells are grouped by row and separated by " | ".)
Who it suits: Suitable for medium, large enterprises including educational organizations | Suitable for medium, large enterprises including educational organizations | Suitable for educational organizations | For organizations that need to use SAML 2.0
When recommended: Recommended option for Active Directory (AD) based customers | Recommended where customers may use existing non-ADFS identity systems with AD or non-AD | Recommended where customers may use existing non-ADFS identity systems | Recommended where customers may use existing non-ADFS identity systems
Sign-on: Single sign-on (all four options)
Clients: Support for web and rich clients | Support for web and rich clients | Support for web clients and Outlook (ECP) only | Support for web clients and Outlook (ECP) only
Support: Microsoft supported | Third-party supported | Microsoft supported for integration only, no Shibboleth deployment support | Microsoft supported for integration only, no identity provider deployment support
Hybrid: Works for Office 365 hybrid scenarios (two of the options)
Footprint: Requires on-premises servers & support | Requires on-premises servers & support | Requires on-premises servers, licenses & support | Requires on-premises servers, licenses & support
Directories: Works with AD and other directories on-premises (two of the options)
Verification: Verified through ‘works with Office 365’ program
Works with Office 365 – Identity program
What is it?
Program Requirements
http://aka.ms/ssoproviders
Recent features change the landscape
Jun 2013 – Password hash sync added to DirSync
Nov 2013 – DirSync tool run on Domain Controllers
Feb 2014 – Multi Factor Authentication for Office 365
Apr 2014 – Azure Active Directory Sync Services
Apr 2014 – Azure AD Premium Password Reset
May 2014 – Alternate Sign-In ID to UPN
May 2014 – DirSync backup for federated sign-in
Dec 2014 – Office client passive authentication
Summary
• Choose the simplest model for your needs
• Change between models as needs change
• Cloud identity model when there is no on-premises directory
• Synchronized identity model for most organizations
• Federated identity model for one of the 11 scenarios