o365con14 - moving from on-premises to online, the road to follow
DESCRIPTION
European Office 365 Connect 2014 PresentationTRANSCRIPT
http://technet.microsoft.com/en-us/office365/fp123607
ActiveDirectory.Local
AzureAD.OnMicrosoft.Com
ActiveDirectory.Local
AzureAD.OnMicrosoft.Com
Wait a Minute....
ActiveDirectory.Local
AzureAD.OnMicrosoft.Com
Wait a Minute....
Your.Domain
ActiveDirectory.Local
AzureAD.OnMicrosoft.Com
But... Wait Another Minute....
Your.Domain
Prepare for
dirsync
Activate
dirsync
Setup
dirsync
Synchronize
directories
Activate
synced users
Manage
dirsync
Service Protocol Port
LDAP TCP/UDP 389
Kerberos TCP/UDP 88
DNS TCP/UDP 53
Kerberos Change Password
TCP/UDP 464
RPC TCP 135
RPC randomly
allocated high TCP ports
TCP1024 - 65535
49152 - 655351
SMB TCP 445
SSL TCP 443
SQL TCP 1433
http://www.microsoft.com/en-us/download/details.aspx?id=36832
Attribute Object Type
MSExchArchiveStatus User
MSExchBlockedSendersHash User
SExchSafeRecipientsHash User
MSExchSafeSendersHash User
MSExchUCVoiceMailSettings User
ProxyAddresses User, Contact, Group
http://technet.microsoft.com/en-us/library/dn246918.aspx
http://technet.microsoft.com/en-us/library/jj710171.aspx
Microsoft Online Services
Logon Enabled User Object (Unlicensed)
Mail-Enabled User (not Mailbox-Enabled)
ProxyAddresses:
SMTP: [email protected]
smtp: [email protected]
TargetAddress:
On-premises
Active
Directory
Exchange
Server
DirSyncOnline
Directory
DirSync
Web Service
SharePoint
Online
Live ID
Exchange
Online
Lync Online
Sync Cycle Step 1:
Import Users, Groups,
and Contacts from source
Active Directory forest
Sync Cycle Step 2:
Imports Users, Groups, and
Contacts from Microsoft
Online Services via AWS
Sync Cycle Step 3:
Export Users, Groups, and
Contacts that do not already
exist in Microsoft Online
Services
User Object
Mailbox-Enabled
ProxyAddresses:
SMTP: [email protected]
http://365lab.net/2014/01/07/managing-office-365-e-mail-addresses-easy-with-powershell-when-using-dirsync/
Prepare for
dirsync
Activate
dirsync
Setup
dirsync
Synchronize
directories
Activate
synced users
Manage
dirsync
Scenario Description
Block all external access to Office 365
Office 365 access is allowed from all clients on the internal
corporate network, but requests from external clients are
denied based on the IP address of the external client.
Block all external access to Office 365, except Exchange
ActiveSync
Office 365 access is allowed from all clients on the internal
corporate network, as well as from any external client
devices, such as smart phones, that make use of Exchange
ActiveSync. All other external clients, such as those using
Outlook, are blocked.
Block all external access to Office 365, except for browser-
based applications such as Outlook Web Access or
SharePoint Online
Blocks external access to Office 365, except for passive
(browser-based) applications such as Outlook Web Access
or SharePoint Online.
Block all external access to Office 365 for members of
designated Active Directory groups
This scenario is used for testing and validating client access
policy deployment. It blocks external access to Office 365
only for members of one or more Active Directory group. It
can also be used to provide external access only to
members of a group.
http://technet.microsoft.com/library/dn509539.aspx
AD FS
AD FS
AD FS Proxy
AD FS Proxy
Active Directory
Directory Synchronization
DATA CENTER 1
AD FSAD FS
Proxy
Directory
synchronizationActive
Directory
AD FS
VPN
Tunn
el
VPN
VPN
Active Directory
VPN
Tunn
el
VPN
AD FS Proxy
AD FS Proxy
Active Directory
Directory Synchronization
AD FSAD FS Proxy
Directory synchronization
Active DIrectoryVPN
AD FS
AD FS
AD FS
Cloud identity
Single identity in the cloud
Suitable for small organizations
with no integration to on-
premises directories
Cloud identity with directory synchronization
Single identity
suitable for medium
and large organizations
without federation*
Federated identity
Single federated identity
and credentials suitable
for medium and large
organizations
Federation options
Suitable for educational organizations
j
Recommended where customers may use existing
non-ADFS Identity systems
Single sign-on
Secure token based authentication
Support for web clients and outlook only
Microsoft supported for integration only, no
shibboleth deployment support
Requires on-premises servers & support
Works with AD and other directories on-premises
Shibboleth
Works with AD & Non-AD
Suitable for medium, large enterprises
including educational organizations
Recommended option for Active Directory (AD)
based customers
Single sign-on
Secure token based authentication
Support for web and rich clients
Microsoft supported
Works for Office 365 Hybrid Scenarios
Requires on-premises servers, licenses & support
Works with AD
Suitable for medium, large enterprises
including educational organizations
Recommended where customers may use existing
non-ADFS Identity systems with AD or Non-AD
Single sign-on
Secure token based authentication
Support for web and rich clients
Third-party supported
Requires on-premises servers, licenses & support
Verified through ‘works with Office 365’ program
Works for Office 365 Hybrid Scenarios
Works with AD & Non-AD
What is it?• Qualification of third party identity
providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
Program Update Jan 2014:• Published Qualification
Requirements
• Published Technical Integration Docs
• Automated Testing Tool
• Self Testing work by Partner
• Predictable and Shorter Qualification
WS-Trust & WS-Federation
WS-Federation
SAML
Active Directory with ADFS
Customer Benefits
• Flexibility to reuse
existing identity
provider investments
• Confidence that the
solution is qualified by
Microsoft
• Coordinated support
between the partner
and Microsoft
http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
Two or more of the following factors:
Types of multi-factor authentication:Hardware OTP Tokens
Certificates
Smart Cards
Phone-Based Authentication:
Phone Call, Text Message, and Push
Software OTP Tokens
Multiple factors are required for sign-InFamiliar to consumer cloud service users such as the Microsoft Account
Simple block to password compromise from another country
Addresses regulatory compliance and high risk user scenarios
AKA two-factor, 2FA, MFA, strong authentication
Powered by PhoneFactor, acquired by Microsoft in 2012
Trusted by thousands of enterprises to authenticate employee, customer, and partner access
Secures applications and identities in the cloud and on-premises
App Passwords
Multi-Factor
Authentication for Office
365
Windows Azure Multi-
Factor Authentication
Administrators can Enable/Enforce MFA to end-users Yes Yes
Use Mobile app (online and OTP) as second authentication
factor
Yes Yes
Use Phone call as second authentication factor Yes Yes
Use SMS as second authentication factor Yes Yes
App passwords for non-browser clients (e.g. Outlook, Lync) Yes Yes
Default Microsoft greetings during authentication phone calls Yes Yes
Custom greetings during authentication phone calls Yes
Fraud alert Yes
Event Confirmation Yes
Security Reports Yes
Block/Unblock Users Yes
One-Time Bypass Yes
Customizable caller ID for authentication phone calls Yes
MFA Server - MFA for on-premises applications Yes
MFA SDK – MFA for custom apps Yes
http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx
http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/
http://technet.microsoft.com/en-us/library/hh852542.aspx
http://gallery.technet.microsoft.com/office/Exchange-Client-Network-8af1bf00
http://technet.microsoft.com/en-us/library/jj204570.aspx
http://trippams.online.lync.com/
http://technet.microsoft.com/en-us/library/jj688118.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=19011
http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh373144.aspx
http://technet.microsoft.com/en-us/exchangelabshelp/gg263350
http://go.microsoft.com/fwlink/?linkid=236301
http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh416761.aspx
https://sls.microsoft.com
http://officecdn.microsoft.com
http://go.microsoft.com/
https://sls.microsoft.com/
http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
https://activation.sls.microsoft.com
http://technet.microsoft.com/en-us/library/hh852551.aspx
http://office.microsoft.com/en-001/sharepoint-server-help/what-is-skydrive-pro-HA102822076.aspx
ActiveDirectory.Local
AzureAD.OnMicrosoft.Com
Msbelux.be
http://office.microsoft.com/en-001/office365-sharepoint-online-small-business-help/let-users-create-their-own-team-sites-HA102844581.aspx
http://office.microsoft.com/en-001/office365-sharepoint-online-enterprise-help/manage-my-site-settings-HA102459836.aspx
http://blogs.technet.com/b/office_resource_kit/archive/2013/01/21/office-2013-click-to-run-customization.aspx
http://blogs.technet.com/b/office_resource_kit/archive/2013/04/17/the-new-office-garage-series-click-to-run-customization-and-deployment-deep-dive-part-1-with-high-g-aerobatics.aspx
http://blogs.technet.com/b/office_resource_kit/archive/2013/04/23/the-new-office-garage-series-click-to-run-customization-and-deployment-deep-dive-part-2-workarounds.aspx
http://blogs.technet.com/b/office_resource_kit/archive/2013/04/30/the-new-office-garage-series-click-to-run-customization-and-deployment-deep-dive-part-3-integration-and-automation-with-software-distribution-tools.aspx
