
Microsoft Office 365 Directory Synchronization and Federation Options


Presentation Transcript


  1. OFC-B317 Microsoft Office 365 Directory Synchronization and Federation Options
  Speakers: Paul Andrew, Ross Adams, Aanchal Saxena

  2. Agenda (six sections)

  3. Identity for Microsoft cloud services. Two kinds of user identity:
  • Organizational Account, held in Windows Azure Active Directory. Ex: alice@contoso.com
  • Microsoft Account. Ex: alice@outlook.com

  4. Office 365 Identity Models
  • Cloud identity: the identity exists only in the cloud; zero on-premises servers
  • Synchronized identity: an on-premises identity in an on-premises directory, copied to the cloud by directory sync with password sync; between zero and three additional on-premises servers depending on the number of users
  • Federated identity: an on-premises identity in an on-premises directory, with directory sync plus federation; between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements

  5. Choose the simplest model for your needs
  • You can change between models as needs change
  • Choose cloud identity if there is no on-premises directory, if the on-premises directory is being restructured, or if you are in a pilot with Office 365
  • Password hash sync means federation is not required just to have the same password in the cloud
  • Choose password hash sync unless you have one of the scenarios that requires federation

  6. Scenarios for the identity federation model
  Existing infrastructure
  • You already have an AD FS deployment
  • You already use a third-party federated identity provider
  • You use Forefront Identity Manager 2010
  Technical requirements
  • You have multiple forests in your on-premises AD
  • You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
  • Custom hybrid applications or hybrid search is required
  • Web-accessible forgotten password reset
  Policy requirements
  • You require sign-in audit and/or immediate disable
  • Single sign-on is required
  • You require client sign-in restrictions by network location or work hours
  • Policy preventing synchronizing password hashes to Azure AD

  7. Identity Synchronization and Federation (diagram)
  • Synchronize accounts: the on-premises directory is synchronized into Windows Azure Active Directory
  • Federated sign-in: the on-premises identity provider issues tokens to Azure AD using WS-Federation (passive auth, for web access such as SharePoint Online), WS-Trust (active auth, for Outlook, Lync, Word, etc. and Exchange mailbox access), Shibboleth or SAML 2.0, with metadata exchange between the two parties
  • Azure AD performs authentication and authorization for the services and exposes the Graph API

  8. Agenda (section divider)

  9. DirSync on a domain controller or in Azure
  • You can use DirSync with no additional on-premises servers
  • DirSync on a DC: the installer includes SQL Server Express; SQL Server and the DC role contend for the same resources, so this is suitable only for small deployments of not more than 10,000 users
  • DirSync on Azure (paper): avoids on-premises servers entirely
  • http://technet.microsoft.com/en-us/library/dn635310(v=office.15).aspx

  10. DirSync high availability
  • DirSync runs on a single server
  • Back up the SQL Server database
  • Back up the encryption keys
  • Keep a cold standby DirSync server
  • To recover, restore SQL and the encryption keys on the standby
  • Instructions: http://www.microsoft.com/en-us/download/details.aspx?id=42524

  11. Password hash sync security
  • We typically get questions about the security of synchronizing passwords from banking and finance customers
  • The password hash that we get from AD (the NT hash, an unsalted MD4 of the password) is not reversible to recover the user's password; note that it is, however, usable as-is for NTLM authentication on-premises, so it is not the value that should be stored in the cloud
  • We further process it with a one-way SHA-256 hash
  • We connect over SSL/TLS to the Azure AD service and send the resulting hash of the hash
  • This enables Azure AD to validate the user's password when they log in
  • More details at http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx

  12. Password write-back
  What is it: part of Azure AD Premium; only via self-service password reset
  How do I enable it: an admin turns on the feature with the DirSync PowerShell cmdlet Enable-OnlinePasswordWriteBack
  When does it write back: for cloud-authenticated (managed) users when password sync is enabled, and for on-premises SSO-authenticated (federated) users
  Security: all communication takes place over SSL; public/private key pairs are registered for transport and encryption, and you keep the private keys

  13. Azure AD Sync
  What's included: possible to reduce the set of attributes synced based on the services used; support for a number of multi-forest scenarios; easier management of object filtering via a simple UX; support for attribute mapping rules via a simple UX
  What's missing: password sync; password write-back; hybrid configuration (i.e. no write-back today)
  What's coming: production support (the preview is not for production today); support for other directories, such as LDAP, SQL or CSV
  http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overview.aspx

  14. Sync multiple AD forests
  Options:
  • Forefront Identity Manager 2010: supports multiple forests with additional work
  • Azure AD Sync Services: supports multiple forests, in preview now
  Forest topologies:
  • Disparate forests
  • Full mesh, i.e. GAL sync
  • Account and resource forest
  • Consolidate forests into one
  • http://technet.microsoft.com/library/cc974332.aspx

  15. Office 365 Connector for Forefront Identity Manager 2010 R2
  • Suitable for large organizations with certain AD and non-AD scenarios: complex multi-forest AD scenarios and non-AD synchronization
  • Requires Forefront Identity Manager and additional software licenses
  • Requirements: Forefront Identity Manager 2010 R2; Windows Azure Active Directory Connector for FIM 2010 R2
  • http://technet.microsoft.com/library/dn511001.aspx

  16. Choosing between DirSync and AAD Sync
  DirSync (released and supported in production)
  • Includes password hash sync
  • Includes password write-back with an Azure AD Premium license
  • Can filter objects by OU
  • Supports a dedicated SQL Server install or SQL Express
  • The setup wizard can be run multiple times for configuration changes
  Azure AD Sync Services (preview available)
  • Includes sync from multiple forests, including merging duplicate users across those forests
  • ** In addition to AD, can sync from LDAP v3, SQL Server and CSV data
  • ** Enables selective OU sync using the UX in setup
  • ** Enables transforming of attributes using the UX in setup
  • Allows limiting the attributes synced to the cloud
  • Planned to replace DirSync in the future
  • The preview cannot be upgraded to a later release
  ** Not in the preview

  17. DirSync: one directory to multiple tenants
  • You can install DirSync more than once in the same forest, but on different machines
  • You need to handle conflicts: a domain can only be validated in one tenant (i.e. for use with email and UPN), while subdomains can be used in different tenants
  • You should look at how you filter your user sets: by OU, domain or attribute

  18. Cross-tenant collaboration
  • We don't recommend multiple tenants for the same organization
  • There will not be a consolidated Global Address List
  • You could create users from one tenant as contacts in the other
  • SharePoint access across tenants must use External Sharing
  • Free/busy federation between tenants is possible
  • Lync presence and calling between tenants is possible
  • There are third-party (not Microsoft) tools that can merge tenants

  19. Agenda (section divider)

  20. Federation protocols and auth types
  • WS-Federation: supported by AD FS; for passive authentication
  • WS-Trust: supported by AD FS; for active authentication
  • Shibboleth (SAML 1.1): an identity provider used in education that uses a custom version of SAML 1.1; passive authentication only; includes ECP for Outlook authentication
  • SAML 2.0: a common federation protocol; for passive authentication only, so similar to WS-Federation
  • Active Directory Authentication Library (ADAL, OAuth): library for common access to Azure AD, AD FS and Azure ACS
  Passive authentication is used by: SharePoint Online; Outlook Web Access; the Office 365 portal
  Active authentication is used by: the Office Sign-in Assistant; Office 365 ProPlus licensing; Word, Excel and PowerPoint connecting to SharePoint Online; Outlook and Lync; OneDrive for Business sync

  21. Backup password hash sync (password sync backup for federated sign-in)
  This backup option for Office 365 customers using federated sign-in lets you manually switch your domain from federated sign-in to password hash sign-in in a short amount of time during outages such as on-premises power loss, internet connection interruption or any other on-premises outage. The switch may take up to 2 hours to take effect. Components: user accounts synchronized by the DirSync tool from the on-premises directory, with federated identity provided through AD FS.

  22. Alternate Login ID: removing the dependency on the User Principal Name (UPN)
  The reliance on the UPN has been removed, and you can now select an alternate login ID for use with Office 365 and Azure AD in general. Use of the UPN is still the default. Through configuration you can select the mail attribute or any other attribute in your on-premises Active Directory. This works with either synchronized identity or federated identity.

  23. Demo: Alternate login ID

  24. Federate multiple domains in a tenant
  • A User Principal Name (UPN) is the sign-in ID that users type, e.g. ArneA@contoso.com
  • Each DNS domain you use in a UPN can be federated to an identity provider
  • Synchronized accounts can also be used
  • Azure AD uses the UPN's DNS suffix to do home realm discovery to a federated identity provider
  • Home realm discovery can be shortcut with URLs like these:
  • https://login.microsoftonline.com/?whr=contoso.net
  • https://contoso.sharepoint.com

  25. Agenda (section divider)

  26. Sync options for a SAML IdP
  • If you use AD, directory sync works for you
  • If you can't sync (non-AD directory): script user creation via PowerShell or the Azure AD Graph API (RESTful interface); future support from AAD Sync for non-AD sources; FIM 2010 via supported connectors

  27. SAML-P 2.0 federation
  • Sign-in federation: SAML-P 2.0 passive auth, equivalent to WS-Federation and used for web-based applications
  • There is no equivalent of WS-Trust, so Office client applications cannot be used today; Office clients are planned to support passive auth by the end of 2014
  • SAML-P federation guidance: http://technet.microsoft.com/en-us/library/dn641269.aspx
  • Using AD FS to interface to a SAML provider won't enable Office client active authentication, due to the double hop

  28. Office desktop client sign-in with passive auth
  • Previously the Office Sign-In Assistant required WS-Trust
  • Passive authentication works with WS-Federation and SAML 2.0
  • Availability: announced on February 10, 2014 (details at http://blogs.office.com); planned for later in 2014
  • What is it? Office desktop clients move to using ADAL (Active Directory Authentication Library), which uses OAuth for passive authentication
  • Diagram: Outlook, Lync, Word, etc. sign in to Windows Azure Active Directory with passive auth; Azure AD federates to the on-premises identity provider over SAML 2.0; DirSync synchronizes the on-premises directory (LDAP v3) into Azure AD; the signed-in clients then get Exchange mailbox access

  29. Office client OAuth authentication (futures, announced on Feb 10, 2014)
  • Updated Office 2013 clients support OAuth and multi-factor authentication
  • No need for app passwords in updated clients: if you can authenticate in a web browser, then you can authenticate in Office clients
  • Clients: Outlook, Lync, Word, Excel, PowerPoint, PowerShell, SkyDrive Pro
  • Clients will also support federated identity providers using the SAML 2.0 protocol, the US DoD Common Access Card (CAC) and the US Federal Personal Identity Verification card (PIV)
  • For release during CY 2014

  30. The MFA flow (Office, Azure Active Directory / Office 365, and the Secure Token Service of a federated tenant)
  1. Office application code makes a request, through the Office authentication HTTP layer, to a service which supports the new MFA flow
  2. The service instructs Office to visit an STS which speaks a simple standards-based protocol (OAuth), by answering with www-authenticate: Bearer authorization_uri: https://login.windows.net
  3. Office instructs the AD library (ADAL) to launch a web browser control, which authenticates against https://login.windows.net...
  4. MFA and federation magic happens transparently to Office: federated sign-in to the tenant's STS using SAML-P, WS-Fed, etc. returns a SAML token to Azure AD
  5. Azure AD validates the assertions and hands back a token for Office 365 (a JWT token)
  6. Office gets back simple tokens that it caches for future communication with its services, and sends the JWT token to the service
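  Step 2 of the flow on slide 30, as an added example that is not part of the deck or of ADAL: the client receives a WWW-Authenticate: Bearer challenge, extracts authorization_uri and resource_id, and refuses to launch the browser control unless the authority is a trusted host over HTTPS (ADAL does an equivalent authority validation; the allowlist here is an assumption). The sample header is constructed, written with the real header syntax (authorization_uri=...) rather than the slide's shorthand, and the client_id and redirect_uri are placeholders.

```python
"""Handle the OAuth bearer challenge of slide 30, step 2 (illustrative client-side logic)."""
import re
import secrets
from typing import Dict
from urllib.parse import urlencode, urlsplit

# Assumption: the hosts this client trusts as an authorization server.
TRUSTED_AUTHORITY_HOSTS = {"login.windows.net", "login.microsoftonline.com"}

# Constructed sample of the 401 response header the service returns (not captured traffic).
SAMPLE_CHALLENGE = ('Bearer authorization_uri="https://login.windows.net/common/oauth2/authorize", '
                    'resource_id="https://outlook.office365.com"')

_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate: Bearer value into its key/value parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: " + scheme)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def authorization_endpoint(challenge: Dict[str, str]) -> str:
    """Return authorization_uri only if it names a trusted authority over HTTPS.
    A misbehaving service (or an on-path attacker on a downgraded connection) must not be able
    to steer the browser control to an arbitrary host and collect the user's credentials there."""
    uri = challenge.get("authorization_uri")
    if not uri:
        raise ValueError("challenge carries no authorization_uri")
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_AUTHORITY_HOSTS:
        raise ValueError("untrusted authorization_uri: " + uri)
    return uri


def accepts_challenge(header: str) -> bool:
    """True when the header parses and points at a trusted authority."""
    try:
        authorization_endpoint(parse_bearer_challenge(header))
        return True
    except ValueError:
        return False


def build_authorize_request(challenge: Dict[str, str], client_id: str, redirect_uri: str) -> Dict[str, str]:
    """URL for the browser control (step 3) plus the state value the client must check on return."""
    state = secrets.token_urlsafe(16)
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": challenge["resource_id"],   # the audience the token will be issued for
        "state": state,                          # ties the redirect back to this request
    }
    return {"url": authorization_endpoint(challenge) + "?" + urlencode(query), "state": state}


if __name__ == "__main__":
    ch = parse_bearer_challenge(SAMPLE_CHALLENGE)
    req = build_authorize_request(ch, client_id="client-id-placeholder",
                                  redirect_uri="urn:ietf:wg:oauth:2.0:oob")
    print(req["url"])
```

  The `resource` parameter matters for step 6: the JWT Azure AD returns is scoped to that audience, so a token obtained for Exchange cannot be replayed against SharePoint Online, and the `state` value is what lets the client reject a redirect it did not initiate.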

  31. Agenda (section divider)

  32. Works with Office 365 – Identity program (WS-Trust and WS-Federation)
  • What is it? Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.
  • Program requirements: published qualification requirements; published technical integration docs; an automated testing tool; self-testing work by the partner; predictable and shorter qualification. http://aka.ms/ssoproviders
  • Customer benefits: flexibility to reuse existing identity provider investments; confidence that the solution is qualified by Microsoft; coordinated support between the partner and Microsoft
  • Representative providers*: Active Directory with AD FS, Okta, RadiantOne, Shibboleth, SAML (passive auth). *For representative purposes only.

  33. Agenda (section divider)

  34. Troubleshooting identity management: DirSync
  • Use IdFix to correct directory errors prior to syncing
  • Clean duplicate SMTP/proxy addresses
  • Clean duplicate UPNs and non-routable UPNs
  • Check Windows Event Viewer on the DirSync server for errors
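  The checks slide 34 delegates to IdFix, as an added example that is not IdFix's code or part of the deck: it scans a constructed directory export for duplicate UPNs, UPN suffixes that are not verified in the tenant (the "non-routable" case, e.g. contoso.local), duplicate SMTP proxy addresses across objects, and objects whose proxyAddresses lack exactly one primary (uppercase SMTP:) address. The verified-domain list and the sample records are assumptions; on a real directory the input would come from an LDAP or PowerShell export.

```python
"""IdFix-style pre-sync checks for the DirSync errors listed on slide 34 (illustrative)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumption: the domains verified in the tenant. Anything else (contoso.local, a typo,
# an unverified subsidiary domain) cannot be used as a cloud sign-in name.
VERIFIED_DOMAINS = {"contoso.com", "contoso.net"}

UPN_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# Constructed sample export; the mistakes are deliberate so each check fires once.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice.a@contoso.com"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@contoso.local",        # non-routable suffix
     "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sAMAccountName": "bob2", "userPrincipalName": "bob@contoso.com",
     "proxyAddresses": ["SMTP:Bob@contoso.com"]},                              # clashes with bob
    {"sAMAccountName": "carol", "userPrincipalName": "carol@contoso.com",
     "proxyAddresses": ["SMTP:carol@contoso.com", "SMTP:carol2@contoso.com"]},  # two primaries
    {"sAMAccountName": "dave", "userPrincipalName": "dave@contoso.com",
     "proxyAddresses": ["smtp:dave@contoso.com"]},                             # no primary
    {"sAMAccountName": "alice2", "userPrincipalName": "ALICE@contoso.com",      # duplicate UPN
     "proxyAddresses": []},
]

Error = Tuple[str, str, str]   # (sAMAccountName, error code, detail)


def _smtp_addresses(proxy_addresses: Iterable[str]):
    """Yield (is_primary, lowercased address) for the SMTP entries of proxyAddresses."""
    for entry in proxy_addresses:
        prefix, sep, addr = entry.partition(":")
        if sep and prefix.lower() == "smtp":
            yield prefix == "SMTP", addr.strip().lower()    # uppercase SMTP: marks the primary


def find_directory_errors(users: List[Dict]) -> List[Error]:
    errors: List[Error] = []
    upn_owners = defaultdict(list)
    smtp_owners = defaultdict(list)
    for u in users:
        name = u["sAMAccountName"]
        upn = u.get("userPrincipalName", "")
        m = UPN_RE.match(upn)
        if not m:
            errors.append((name, "upn_format", upn))
        else:
            upn_owners[upn.lower()].append(name)              # Azure AD matches UPNs case-insensitively
            if m.group(1).lower() not in VERIFIED_DOMAINS:
                errors.append((name, "upn_nonroutable", upn))
        smtp = list(_smtp_addresses(u.get("proxyAddresses", [])))
        for _, addr in smtp:
            smtp_owners[addr].append(name)
        primaries = sum(1 for is_primary, _ in smtp if is_primary)
        if smtp and primaries != 1:
            errors.append((name, "primary_smtp_count", str(primaries)))
    for upn, owners in upn_owners.items():
        if len(owners) > 1:
            errors.extend((name, "upn_duplicate", upn) for name in owners)
    for addr, owners in smtp_owners.items():
        if len(set(owners)) > 1:                              # same address on two different objects
            errors.extend((name, "smtp_duplicate", addr) for name in sorted(set(owners)))
    return errors


if __name__ == "__main__":
    for name, code, detail in find_directory_errors(SAMPLE_USERS):
        print(f"{name:8} {code:20} {detail}")
```

  Each duplicate is reported against every object involved, because DirSync will refuse (or silently skip) whichever object it sees second, and which one that is depends on sync order rather than on which record is wrong.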

  35. Troubleshooting identity management: AD FS infrastructure
  • Use the Connectivity tool to verify your setup: https://testconnectivity.microsoft.com/
  • Multiple servers (or VMs) are required
  • AD FS is a very broad and capable technology; you don't need to implement every part of it for a small Office 365 tenant
  • For a small tenant you only need the SSL certificate; the self-signed token-signing and token-decrypting certificates that AD FS generates for itself are sufficient
  • The SSL certificate is required for the Web Application Proxy server
  • Port 443 is required to be open to the Web Application Proxy server

  36. Summary

  37. Related content
  Breakout sessions
  • DCIM-B301 Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities
  • OFC-B222 Introduction to Office 365 Identity Management
  • OFC-B327 Authentication Patterns for SharePoint 2013 and Office 365
  • DCIM-B382 Cloud Identity and Access Management: Azure Active Directory Premium
  Related certification exams (http://aka.ms/office365mcsa)
  • 70-346 Managing Office 365 Identities and Requirements
  • 70-347 Enabling Office 365 Services
  Microsoft Solutions Experience Location (MSE)
  • Paul Andrew: MSE Be Secure, after lunch tomorrow
  • Find me later at http://twitter.com/pndrw

  38. Resources
  • Learning: sessions on demand at http://channel9.msdn.com/Events/TechEd; Microsoft Certification & Training Resources at www.microsoft.com/learning
  • TechNet, resources for IT professionals: http://microsoft.com/technet
  • MSDN, resources for developers: http://microsoft.com/msdn
