Identity and Authentication Management for Office 365
Posted on 13-Apr-2017
Award Winning Exchange & Office 365 Management
Identity and Authentication Management for Office 365
About ENow
• Microsoft Silver ISV & Messaging Microsoft Partner
• Focused on building software solutions that simplify the life of IT administrators
• Software architected by MVPs with >15 years of experience in high-end Microsoft consulting and management
• Customers in over 60 countries
Some of ENow's Loyal Customers
Find us! @enowconsulting, ENow Software, ENowSoftware, ENowSoftware.com
Identity Management Over the Horizon: What's New and What's Next, by CTO Paul Robichaux
About the speaker: Nathan O'Bryan
• MVP: Office Servers and Services
• MCSM: Messaging
• Consultant @ SPS/ExtraTeam (spscom.com / ExtraTeam.com)
• @MCSMLab, http://www.mcsmlab.com
Ask & Win!
Please save your questions for the end of the presentation.
We will be giving away two "Office 365 for Exchange Professionals" e-books for our favorite questions!
Introduction
• In order to make Office 365 a viable option for as many organizations as possible, Microsoft has built a lot of flexibility into its identity management platform
• Options cause complexity
• Today I am going to clearly explain your options for identity and authentication management
• Office 365 moves fast
Why deploy ADFS?
• Provides "SSO"
• Control account policies
• Multi-factor authentication*
• Claims rules
• Sign-in auditing / immediate disable
• Authentication authority for other applications
"Single Sign-on"
• Web client: a domain-joined PC on the internal network does not need a password; a Windows 10 Azure AD-joined PC gets single sign-on (AD FS not required)
• Rich client: actual single sign-on
• Outlook (basic proxy auth): no SSO
ADFS 3.0 – New features
• No longer dependent on IIS
• Responsive design for multiple form factors
• Support for changing passwords*
• Login page customization
AD FS vNext new features
• Authenticate users from non-AD directories (LDAP, SQL)
• Access Control Policies
• Improved update process
• Improved logging/auditing
Alternate login IDs
• If you cannot use the UPN, assign another attribute as the login ID:
1. Update the attribute flow in DirSync
2. Install KB2919355 on ADFS 3.0
3. Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID <attribute you have chosen> -LookupForests <forest list>
4. Update the first claims rule
• Not supported for Exchange Hybrid
Multi-factor authentication
• Can be done with ADFS via 3rd-party integration
• Built in to all Office 365 enterprise tenants
• ADFS 3.0 supports the Workplace Join feature
• Outlook does not support multi-factor authentication*
Modern Authentication
• Allows multi-factor authentication to work for Outlook 2016
• Can be enabled for Outlook 2013 SP1
• Multi-factor authentication (MFA) for Office 2013 client applications
• SAML-based third-party identity provider sign-in
• Smart card and certificate-based authentication
• Outlook no longer requires the basic authentication protocol
ADFS proxy / Windows Application Proxy
• The proxy sits in the DMZ
• The proxy provides FBA login; ADFS provides integrated login
• Edit the web.config file to modify the local authentication type
• Some HLBs can replace the functionality of the ADFS proxy
• WAP replaces the ADFS proxy for ADFS 3.0
• WAP also replaces some TMG functionality
Sizing and securing ADFS
• ADFS capacity planning worksheet
• Consider SQL and HA options
• Security Configuration Wizard (SCW)
  - ADFS setup creates role extension files for SCW security policies
  - Register the appropriate role extension file using the Scwcmd command-line tool
High availability options for ADFS
• 4 servers (2 ADFS + 2 ADFS proxy/WAP) + 2 HLB
• HLB + 2 ADFS servers
• ADFS uses the Windows Internal Database by default
• SQL Standard
• SQL Enterprise replication for multi-site HA
Virtualizing ADFS
• Hosted in your own virtual environment
• Hosted by a 1st or 3rd party
• Requires a DC in the hosted environment
• Azure requires availability sets for the SLA
Claims
• Statements made about users, understood by both partners in ID federation, that are used for authorization purposes
Claims rules
• Can allow complex authentication scenarios
• Claims processing processes all rules; the last matching rule applies
• Claims rules can be used to control access by client or by location
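As an added example (not from the deck) of controlling access by location with claims rules, the following replaces the issuance authorization rules on the Office 365 relying party trust: everyone on the corporate network is permitted, and from the extranet only members of one security group are. The group SID is a placeholder; a user is permitted when a permit claim is issued and no deny claim is, so the previous rule set is saved first for rollback.

```powershell
# Added example: location-aware issuance authorization rules for Office 365.
# Assumes the default relying party trust name created by Convert-MsolDomainToFederated
# and that the insidecorporatenetwork claim is passed through from the AD claims provider.
$rpName = 'Microsoft Office 365 Identity Platform'

$rules = @'
@RuleName = "Permit all users on the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit extranet access only for the remote-access group"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^S-1-5-21-PLACEHOLDER-GROUP-SID$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Keep the current rule set so the change can be reverted with Set-AdfsRelyingPartyTrust.
$current = Get-AdfsRelyingPartyTrust -Name $rpName
$backup  = Join-Path $env:TEMP 'o365-issuance-authz-rules.bak'
$current.IssuanceAuthorizationRules | Out-File -FilePath $backup -Encoding UTF8
Write-Host "Previous rules saved to $backup"

# Apply the new rules. Users who match neither rule receive no permit claim and are denied.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test from a workstation inside and outside the network before rolling this out, because a wrong SID in the second rule blocks every remote user.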
Troubleshooting ADFS
• Verify the metadata endpoints are available:
  https://hostname/adfs/services/trust/mex
  https://hostname/FederationMetadata/2007-06/FederationMetadata.xml
• Confirm the service account SPN: setspn -l contoso\adfssrvuser
• Verify the certificate: intermediate and root chains present, certificate valid
• Event Viewer debug log
• Check the troubleshooting guide
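The three checks above, as an added example that is not part of the deck: it requests both metadata endpoints, looks for the host SPN on the service account, and walks the TLS certificate chain presented by the farm. The host name is an assumption; the service account is the one from the slide.

```powershell
# Added example: AD FS endpoint, SPN and certificate health check.
param(
    [string]$AdfsHost = 'sts.contoso.com',           # assumption, replace with your farm name
    [string]$ServiceAccount = 'contoso\adfssrvuser'  # from the slide
)

# 1. Both metadata endpoints must answer HTTP 200; anything else breaks federation.
$endpoints = @(
    "https://$AdfsHost/adfs/services/trust/mex",
    "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
)
foreach ($url in $endpoints) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host ("[OK]   {0} -> {1}" -f $url, $resp.StatusCode)
    } catch {
        Write-Warning ("[FAIL] {0} -> {1}" -f $url, $_.Exception.Message)
    }
}

# 2. The service account must hold host/<farm name>; without it Kerberos
#    integrated sign-in from domain-joined clients fails.
$spns = & setspn.exe -L $ServiceAccount
if ($spns -like "*host/$AdfsHost*") {
    Write-Host "[OK]   SPN host/$AdfsHost is registered on $ServiceAccount"
} else {
    Write-Warning "[FAIL] SPN host/$AdfsHost not found on $ServiceAccount"
}

# 3. Pull the TLS certificate the endpoint actually serves and build its chain,
#    so an expired leaf or a missing intermediate is reported by name.
$tcp = New-Object System.Net.Sockets.TcpClient($AdfsHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($AdfsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
Write-Host ("Subject: {0}  Expires: {1:yyyy-MM-dd}" -f $cert.Subject, $cert.NotAfter)
if (-not $chainOk) {
    foreach ($s in $chain.ChainStatus) { Write-Warning ("[FAIL] chain: {0} {1}" -f $s.Status, $s.StatusInformation.Trim()) }
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "[WARN] certificate expires within 30 days"
} else {
    Write-Host "[OK]   chain valid ($($chain.ChainElements.Count) certificates)"
}
```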
Recovering from ADFS failure
• Convert-MsolDomainToStandard
• Rebuild the ADFS server(s) and run Update-MsolFederatedDomain
Directory Synchronization Tools
• Azure Active Directory Connect: default choice; high resource requirements
• DirSync: old default; should be upgraded if possible
• Microsoft Identity Manager: new version of FIM; no charge for the server, CALs available via the Azure AD Premium license
AAD Connect Overview
• Lite version of Microsoft Identity Manager
AAD Connect features
• "4-click setup"
• Full shared GAL
• Syncs security groups
• Syncs on-premises photos
• Proxy addresses for mail-enabled users and contacts are retained
• Free/Busy coexistence
• Can configure AD FS
Why deploy AAD Connect?
• Required for hybrid and staged deployments
• Required for ID federation
Sync process
1. Pull all objects from the on-premises environment into the metaverse
2. Pull all objects from the cloud into the metaverse and match objects via the source anchor (objectGUID, base64 encoded)
3. Write objects to the cloud
4. (Optional) Write objects to AD
Filtering AAD Connect
• Originally not supported because there was no soft-delete functionality in Exchange Online
• Moving an account from an in-scope OU to an out-of-scope OU will cause that account to be "deleted" as far as DirSync is concerned
• Can be filtered by OU or AD attribute
How does it create the right objects?
• MSExchRecipientType
• 17 recipient types (Exchange 2013)
Installing AAD Connect
• Click next… ("4-click setup")
• Required permissions
• Keeping up with new versions
• Forcing a manual sync
After installing AAD Connect
• Can I still create users on the portal? Sort of, but remember MsExchRecipientType
• Does running sync assign licenses? No. Use PowerShell (Set-MsolUser emits no object, so the cmdlets cannot be chained in one pipeline; loop over the users instead):
  Get-MsolUser -UnlicensedUsersOnly | ForEach-Object {
      Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation US
      Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "Tenant:AccountSku"
  }
What will sync and will not sync?
Will sync
• All users
• Mail-enabled contacts
• Mail-enabled groups
• …and sometimes passwords
Will not sync
• Built-in admin accounts
• Built-in admin groups
• Mail-enabled Public Folders
• Default AD admin groups
• Default Exchange admin groups
• Exchange system mailbox accounts
• Contact objects ending with MSOL
• Default FIM filters
Password Sync
• "Same sign-on" vs "Single sign-on"
• Double-hashed passwords are copied to WAAD
• AAD passwords may not expire
• The Password Sync process runs every 2 minutes
Password write-back
• Requires Azure Active Directory Premium
• Supports resetting passwords for users using AD FS or other federation technologies
• Supports resetting passwords for users using password sync
• Enforces your on-premises AD password policies
• Doesn't require any inbound firewall rules
Password Sync as a backup to ADFS
• Deploy ADFS and AAD Connect as normal, but turn on password sync
• Takes up to 2 hours to switch a domain from Federated to Standard
• Alternately: Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed
• Different namespaces within the same tenant can use ADFS or Password Sync
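The failover described above, as an added example that is not part of the deck: before converting the domain to Managed it confirms that password sync is enabled and ran recently, because cutting over without a current password hash locks every user out. It assumes an existing Connect-MsolService session and the MSOnline module's Get-MsolCompanyInformation properties; the domain name is the one from the slide.

```powershell
# Added example: guarded cut-over from AD FS to password sync for one domain.
param([string]$Domain = 'contoso.com')   # from the slide; replace as needed

$company = Get-MsolCompanyInformation

# Refuse to convert unless password sync is on and has completed a cycle recently.
if (-not $company.PasswordSynchronizationEnabled) {
    throw "Password synchronization is not enabled for this tenant; do not convert $Domain."
}
if (-not $company.LastPasswordSyncTime) {
    throw "No password sync has ever completed; fix AAD Connect before converting $Domain."
}
$age = [DateTime]::UtcNow - $company.LastPasswordSyncTime.ToUniversalTime()
if ($age.TotalHours -gt 3) {
    throw ("Last password sync was {0:N1} hours ago; fix sync before converting {1}." -f $age.TotalHours, $Domain)
}

$before = Get-MsolDomain -DomainName $Domain
if ($before.Authentication -ne 'Federated') {
    Write-Host "$Domain is already '$($before.Authentication)'; nothing to do."
    return
}

# Switch the domain; sign-ins now validate the synced hash in Azure AD instead of AD FS.
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed

# Verify the change took effect.
$after = Get-MsolDomain -DomainName $Domain
if ($after.Authentication -eq 'Managed') {
    Write-Host "$Domain converted to Managed. Existing tokens stay valid until they expire."
} else {
    Write-Warning "$Domain still reports '$($after.Authentication)'; check the federation settings."
}
```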
Troubleshooting Sync
• IDFix
• Azure AD Connect Health for sync
• Accidental deletion protection
• Can't do initial sync: verify the accepted domain; verify the user's UPN (or other source anchor)
• Force sync
• MIISClient
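Checking a user's source anchor, as an added example that is not part of the deck: it encodes the on-premises objectGUID the way the default anchor is built (base64 of the 16 GUID bytes) and compares it with the ImmutableId on the Azure AD object, reporting a cloud-only object separately because that is where duplicate-object and soft-match problems start. It assumes the ActiveDirectory and MSOnline modules and an existing Connect-MsolService session; the user names are placeholders.

```powershell
# Added example: compare on-premises source anchor with the Azure AD ImmutableId.
function Get-OnPremSourceAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # ObjectGUID is a [guid]; the default AAD Connect anchor is its 16 bytes, base64 encoded.
    [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
}

function Test-SourceAnchorMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $anchor = Get-OnPremSourceAnchor -SamAccountName $SamAccountName
    $cloud  = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    if ([string]::IsNullOrEmpty($cloud.ImmutableId)) {
        # Cloud-only object: sync will attempt a soft match on UPN / proxy address
        # instead of the anchor, so a UPN mismatch here means a duplicate will be created.
        return [pscustomobject]@{ Result = 'CloudOnly'; OnPrem = $anchor; Cloud = $null }
    }
    if ($cloud.ImmutableId -eq $anchor) {
        return [pscustomobject]@{ Result = 'Match'; OnPrem = $anchor; Cloud = $cloud.ImmutableId }
    }
    # Mismatch usually means the AD object was recreated (new GUID) or the cloud
    # object was hard-matched to a different on-premises account.
    [pscustomobject]@{ Result = 'Mismatch'; OnPrem = $anchor; Cloud = $cloud.ImmutableId }
}

# Placeholder identities; replace with a real synced user.
Test-SourceAnchorMatch -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com' | Format-List
```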
Summary
• Active Directory Federation Services
• Azure Active Directory Connect
Questions?
Q&A
Thank You
www.enowsoftware.com