o365-azuread identity management
TRANSCRIPT
Identity Management for Office 365/Microsoft Azure
PRESENTED BY:
David Pechon, Jr., VCP5-DCV, MCSA
About David
• Started in IT in 1997 as an Information Systems Operator/Analyst in the US Army
• Spent most of IT career in the financial services sector working for three banks and a loan servicing company.
• Prior consulting work with managed service providers and value added resellers.
• Certifications include Microsoft Certified Solutions Associate: Office 365, VMware Certified Professional 5 – Datacenter Virtualization
• Married with two children, lives in Ponchatoula, die-hard Cubs fan, and likes to grill meat.
• Fun Fact: I’m an amateur calligrapher and have been since I was 11.
@davidpechon
http://linkedin.com/in/davidpechonjr
What’s covered in this presentation?
• What is Azure Active Directory (AAD)
• Sync your on-prem AD with Azure Active Directory
• Active Directory Federation Services
• Azure Access Control Services
• Branding
What is Azure Active Directory?
• Active Directory services hosted in Azure to allow for identity management of Microsoft Cloud applications like Exchange Online, SharePoint Online, Dynamics, Windows Intune, and apps hosted in Azure.
• Third party cloud apps like SalesForce and Box can use Azure AD
• Integrates with on-premises Active Directory infrastructure using the directory sync tool, allowing for password and attribute synchronization.
• Accounts can be managed from PowerShell using the Azure PowerShell module together with the Microsoft Online Services Sign-in Assistant.
• With Active Directory Federation Services, you can provide single sign-on services.
• Multi-factor authentication is available.
Common Features of Azure AD
• Directory as a service (1)
• User and group management using UI or PowerShell
• Access Panel portal for SSO-based user access to SaaS and custom apps (2)
• User based application access management and provisioning
• Self-service password change for cloud users
• Directory Sync tool
• Standard security reports
1. Up to 500k objects for Free, unlimited for Basic and Premium. Does not apply to Office 365 and Windows Intune or any other Microsoft online service.
2. Up to 10 apps visible in the access panel for Free and Basic. No app limit in Premium.
Basic and Premium Features

Feature                                                      BASIC   PREMIUM
99.9% SLA uptime                                               √        √
Group based application access management and provisioning     √        √
Custom branding of sign-on page and access                     √        √
Self service password reset                                    √        √
App Proxy: secure remote access and SSO to on-prem web         √        √
Self service group management for cloud users                           √
Microsoft Identity Manager Server licenses for syncing                  √
Advanced anomaly security reports                                       √
Advanced application usage reporting                                    √
Multifactor authentication service for cloud users                      √
Multifactor authentication server for on-prem users                     √
Preparing the On-Premises AD
• Active Directory attributes must be cleaned up before synchronization
• Cannot synchronize users with user principal names of non-valid top level domains (e.g. domain.local)
• Remove duplicate UPNs and proxyAddress attributes
• Remove invalid characters from the givenName, sn (surname), sAMAccountName, displayName, mail, proxyAddress, mailNickname, and userPrincipalName attributes.
Identifying Problems
Office 365 OnRamp identifies issues but does not correct them
IdFix can be used to identify errors and allow for remediating some
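As an added example (not from the slides, and not Microsoft's IdFix or OnRamp), the PowerShell scan below reports the four classes of problem listed on the previous slide without changing anything in AD, so you can size the cleanup before DirSync ever runs. The OU, the list of verified suffixes and the character rules are assumptions to adjust for your own directory; in particular the UPN-prefix character class is an assumption for illustration, not the complete Office 365 rule set, so IdFix stays the tool of record.

```powershell
# Added example, not code from the presentation. Read-only scan of on-prem AD users for the
# issues the slide lists: non-routable UPN suffixes, duplicate UPNs/proxyAddresses, and bad
# characters. Requires the ActiveDirectory RSAT module. Values marked "assumed" are
# assumptions for illustration.
Import-Module ActiveDirectory

$searchBase     = 'OU=Staff,DC=domain,DC=local'          # assumed OU to scan
$validSuffixes  = @('example.com')                        # assumed: domains verified in Azure AD
$upnPrefixRegex = "^[A-Za-z0-9'._\-!#^~]+$"               # assumed: characters tolerated in a UPN prefix
$props = 'userPrincipalName','proxyAddresses','mail','mailNickname','displayName','givenName','sn','sAMAccountName'

$users    = Get-ADUser -SearchBase $searchBase -Filter * -Properties $props
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Sam, [string]$Attr, [string]$Problem, [string]$Value) {
    $findings.Add([pscustomobject]@{ sAMAccountName = $Sam; Attribute = $Attr; Problem = $Problem; Value = $Value })
}

# 1. UPN must carry a verified, routable suffix (domain.local will not sync) and a clean prefix.
foreach ($u in $users) {
    if (-not $u.userPrincipalName) { Add-Finding $u.sAMAccountName 'userPrincipalName' 'missing' ''; continue }
    $prefix, $suffix = $u.userPrincipalName -split '@', 2
    if ($validSuffixes -notcontains $suffix) { Add-Finding $u.sAMAccountName 'userPrincipalName' 'non-routable suffix' $u.userPrincipalName }
    if ($prefix -notmatch $upnPrefixRegex)  { Add-Finding $u.sAMAccountName 'userPrincipalName' 'invalid character'   $u.userPrincipalName }
}

# 2. Duplicate UPNs (compared case-insensitively): Azure AD requires them to be unique.
$users | Where-Object { $_.userPrincipalName } | Group-Object { $_.userPrincipalName.ToLower() } |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($u in $_.Group) { Add-Finding $u.sAMAccountName 'userPrincipalName' 'duplicate' $u.userPrincipalName }
    }

# 3. Duplicate proxyAddresses: drop the "SMTP:"/"smtp:"/"sip:" prefix and compare case-insensitively.
$addrPairs = foreach ($u in $users) {
    foreach ($a in @($u.proxyAddresses)) {
        if ($a) { [pscustomobject]@{ Sam = $u.sAMAccountName; Address = ($a -split ':', 2)[-1].ToLower() } }
    }
}
$addrPairs | Group-Object Address | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    foreach ($p in $_.Group) { Add-Finding $p.Sam 'proxyAddresses' 'duplicate' $p.Address }
}

# 4. Whitespace and control characters in the name and mail attributes the slide names.
$noSpaceAttrs = 'mail', 'mailNickname', 'sAMAccountName'
foreach ($u in $users) {
    foreach ($attr in 'givenName', 'sn', 'displayName', 'mail', 'mailNickname', 'sAMAccountName') {
        $v = $u.$attr
        if (-not $v) { continue }
        if ($v -ne $v.Trim())                                  { Add-Finding $u.sAMAccountName $attr 'leading/trailing whitespace' $v }
        if ($noSpaceAttrs -contains $attr -and $v -match '\s') { Add-Finding $u.sAMAccountName $attr 'embedded whitespace' $v }
        if ($v -match '[\x00-\x1F]')                           { Add-Finding $u.sAMAccountName $attr 'control character' $v }
    }
    foreach ($a in @($u.proxyAddresses)) {
        if ($a -match '\s') { Add-Finding $u.sAMAccountName 'proxyAddresses' 'embedded whitespace' $a }
    }
}

# Report on screen and keep a CSV to track remediation. Nothing above writes to AD.
$findings | Sort-Object sAMAccountName, Attribute | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\presync-findings.csv" -NoTypeInformation
```

Run it as an ordinary domain user with read access to the OU; because it only reads, it can be repeated after each round of fixes (such as the UPN-suffix rewrite on the next slide) until the CSV comes back empty.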
Fixing Errors: Use what your momma Microsoft gave you:
# Rewrite the non-routable UPN suffix on every user directly under the OU
$oldSuffix = 'domain.local'
$newSuffix = 'example.com'
Get-ADUser -SearchBase "ou=text,dc=domain,dc=local" -SearchScope OneLevel -Filter * | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -Server yourDomainController -UserPrincipalName $newUpn
}
Microsoft gives you ADUC, ADSI Edit, PowerShell, and other consoles and tools to correct attribute errors:
Synchronizing your on premises Active Directory with Azure Active Directory
Benefits of synchronizing Azure AD with on-premises AD
• DirSync to synchronize objects to Azure AD, or back to on-prem
• Users only see one account to access on site applications and cloud applications.
• Allows users to use existing AD account for third party cloud apps.
• Can be customized to sync a subset of AD objects.
• Manage users from on-premises AD environment
Azure Active Directory Sync (DirSync)
• Wizard only sets up initial synchronization
• Supports a single forest
• Only writes back attributes for hybrid Exchange 2010/2013 environment
• Must refer to another tool to set up filtering (included in installation): Forefront Identity Manager or FIM.
• Download from Office365 dashboard when setting up AD Sync.
Azure Active Directory Sync
• Released in October 2014, originally used to sync with just Azure AD but now can be used to sync for Office 365
• Allows for multiple forest synchronization.
• More attribute sync options by selecting a minimal set and customize flows.
• Supports password writeback
• Forefront Identity Manager completely replaced but Synchronization Service Manager (miisclient.exe) still exists with some changes.
• Also will soon be replaced by…
More info: https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
Azure AD Connect
• Currently in public preview, will replace Azure Active Directory Sync Tool (DirSync) and Azure Active Directory Sync.
• Goes further than DirSync and AADS in setting up Active Directory Federation Services (ADFS) and assisting with domain name federation.
• Writeback – AD objects can be synced back to on-prem AD in the form of users, groups, and devices
• Windows 10 devices domain joined can be synced directly from Azure AD.
• Sync filtering based on AD Groups, allows for a “Pilot Mode”
• Prevent accidental deletions by setting a threshold via PowerShell.
• Will be the single choice for Azure and Office 365 deployments.
Azure AD Connect tools
Wizard – Unlike the DirSync wizard, you are given more options to setup synchronization.
Like AADS, FIM is replaced by Synchronization Service Manager
Filtering on DirSync
Using the miisclient.exe tool, you can set up filtering via attribute…
…or by organizational unit.
# Stamp every user in the OU with the attribute value the attribute filter matches on
$ou = "<organizational unit>"
Get-ADUser -Filter 'Surname -like "*"' -SearchBase $ou | Set-ADUser -Add @{extensionAttribute10='synctocloud'}
Filtering via Azure AD Sync/Connect
Filter by attribute by using the Synchronization Rules Editor.
Filter by domain or OU by using the Synchronization Service Manager UI
Filtering via Azure AD Connect
Azure AD Connect now allows you to filter by group during setup.
Active Directory Federation Services
What is ADFS?
Active Directory Federation Services or ADFS is a server role that allows for single sign-on for internal and external access to various web applications.
For Office 365, ADFS 2.0 is the minimum requirement and is a separate installable for Windows Server 2008. On 2008 R2, 2012, and 2012 R2, ADFS is a role that can be installed.
How SSO with ADFS works:
1. User logs onto Office 365 using a federated login.
2. Azure AD detects the domain is federated with an ADFS farm.
3. For internal users, NTLM credentials can be passed to the ADFS server to verify the login (set up in a GPO). External users on a web proxy (and non-IE users) are given a login screen to enter a password.
4. When the user credentials are verified as correct, a token is passed back to Office 365/Azure AD verifying the user identity.
Claims rules with ADFS
Allows administrators to permit or deny the access of federated logins based on IP address, group membership, geolocation, etc.
Uses Claim Rule Language, but basic rules can be set up using a wizard.
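As an added example (not from the slides), here is the network-location plus group-membership case written in Claim Rule Language and applied with the ADFS PowerShell cmdlets to the Office 365 relying party trust. It assumes ADFS on Windows Server 2012 R2, which issues the insidecorporatenetwork claim according to whether a request arrived through the Web Application Proxy, and whose default Active Directory claims provider rules pass group SIDs through; the relying party name is the one Convert-MsolDomainToFederated creates, and the group SID is a placeholder.

```powershell
# Added example, not code from the presentation. Issuance authorization rules for the
# Office 365 relying party trust: internal requests are permitted, external requests are
# permitted only for members of one AD group, everyone else gets the implicit deny that
# applies when no permit claim is issued.
# Assumptions: ADFS 3.0 (2012 R2) behind a Web Application Proxy; placeholder group SID.
$rpName   = 'Microsoft Office 365 Identity Platform'   # default RP trust name from Convert-MsolDomainToFederated
$groupSid = 'S-1-5-21-<placeholder>-1234'              # placeholder: SID of the "remote access allowed" group

$rules = @"
@RuleName = "Permit requests that arrived from inside the corporate network"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit external requests only for members of the remote-access group"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Keep a copy of the current rule set before replacing it, so the change can be reverted.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File -FilePath "$env:TEMP\o365-authz-rules.backup.txt"

# Replace the authorization rules on the relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read them back to confirm what ADFS will actually evaluate.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object -ExpandProperty IssuanceAuthorizationRules
```

The second rule is the one to test from outside the network with a member and a non-member of the group before rolling it out, because an external user who is not in the group now gets no permit claim and is refused by the relying party trust. On ADFS 2.x the insidecorporatenetwork claim does not exist; the equivalent signal there is the x-ms-proxy request claim, so the rule text would differ.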
ADFS Setup Tips
Never name the federation service or farm ADFS, or the name of an existing object. This will cause a conflict of the service principal name attribute. The service account must have the ADFS service name as the SPN.
Never expose your ADFS server to the world, that’s what the ADFS Proxy (ADFS 2.x) or Web Application Proxy (ADFS 3.0) is for.
For larger deployments, use a load balancer between proxies and internal ADFS servers.
Enable the relying party trust via PowerShell, don’t manually create it:
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <FQDN of ADFS Server>
Convert-MsolDomainToFederated -DomainName <Federated domain>
Azure Access Control Services
What is Azure ACS?
A claims based authentication mechanism that allows application developers to use public authentication providers (e.g. Facebook, Google, Windows Live ID) and organization ADFS for authentication.
Integrates with Windows Identity Foundation, supports OAuth 2.0, and can be used for .NET Framework, PHP, Python, Java and Ruby.
This is primarily used for publicly available web apps and SharePoint sites where you don’t want to manage user accounts but still have people authenticate to use your app.
Setting up ACS for SharePoint 2013: https://technet.microsoft.com/en-us/library/dn635311.aspx
Branding
Branding the Office 365 Landing Page
In the Azure dashboard -> Active Directory -> Configure, you have the option to customize branding.
You can set up a default branding page, by language, and then add your images, sign-in text, and background colors.
Branding the ADFS Login Page
The ADFS login page can be branded using two PowerShell commands:
For the logo banner on the right side (240x35px @ 96 dpi):
set-adfswebtheme -targetname default -logo @{path='c:\images\logo.png'}
For the image on the left:
set-adfswebtheme -targetname default -illustration @{path='c:\images\image.jpg'}
Source: https://technet.microsoft.com/en-us/library/dn280950.aspx
BONUS: In the cloud or on prem?
Can I set up my directory synchronization and ADFS in the cloud too?
YES! All services can be installed in Azure, so long as you have a VPN to your on-premises environment.
Questions?
Come see us at our booth across from Microsoft!
Come talk to my fellow Sparkies, we’re the ones in the lime green shirts!
My contact info:
@davidpechon
http://linkedin.com/in/davidpechonjr