office 365 identity management options
DESCRIPTION
More info on http://techdays.be.TRANSCRIPT
Office 365 Identity Options
@jseghers – MVP Office 365@mvanhorenbeeck – MVP Exchange Server
Agenda
• Identities and Identity Options in Office 365• DirSync Deep(er) Dive• ADFS• Introduction to ADFS• Supported Topologies• ADFS Workflows
• Windows Azure AD• Q&A
Objectives
• Understand the different identity types and their pro’s and con’s
• Understand how Directory Synchronization works• Be able to troubleshoot Directory Synchronization errors• Understand the different ADFS deployment scenarios• Understand how ADFS works and recognize authentication
flows• Understand how ADFS can be used into custom developed
websites• Understand what Windows Azure Active Directory is• Understand how Windows Azure Active Directory can be used
in custom developed websites
Office 365 Identity Options
Introduction to Identities
Introduction to identity options
1. MS Online IDs
Appropriate for• Smaller organizations
without AD on-premise
Pros• No servers required on-
premise
Cons• No SSO• No 2FA (strong
authentication)• 2 sets of credentials to
manage with differing password policies
• Users and groups mastered in the cloud
2. MS Online IDs + Dir Sync
Appropriate for• Orgs with AD on-premise
Pros• Users and groups mastered
on-premise• Enables co-existence
scenarios
Cons• No SSO• No 2FA• 2 sets of credentials to
manage with differing password policies
• Single server deployment
3. Federated IDs + Dir Sync
Appropriate for• Larger enterprise
organizations with AD on-premise
Pros• SSO with corporate cred• Users and groups mastered
on-premise• Password policy controlled
on-premise• 2FA solutions possible• Enables co-existence
scenarios
Cons• High availability server
deployments required
Introduction to identity options
Bronze Sky customer premises
1. Microsoft Online IDs
ADMS Online
Directory Sync
Identity platform
Provisioningplatform
LyncOnline
SharePoint Online
Exchange Online
FederationGateway
Active Directory Federation Server
2.0
Trust
IdP DirectoryStore
Admin Portal
Authentication platform IdP
Service connector
Microsoft Office 365 Services
2. Microsoft Online IDs + DirSync3. Federated IDs + DirSync
Sign On Experience Federated vs. Non-Federated Summary
A new “service connector” is needed – primarily for rich clientsInstalls client and operating system updates to enable best sign-on experienceEnables authentication support for rich clientsEnsures clients have all needed configuration data to enable service usageObsolete in Office 2013
Web kiosk scenarios (e.g. OWA) supported without the service connector
Outlook2010
Win 7/ 8 Vista/XP
Federated IDs,
domain joined
MS Online IDs
Outlook Web Application
No prompt No prompt
Each session
ActiveSync, POP, IMAP, Entourage
Once at setup No prompt
Outlook 2007
No prompt
Once at setupEach session Each session Each session
Outlook 2007 or 2010
Win 7 / 8
Online IDOnline IDOnline IDOnline IDOnline ID
AD credentials
Win 7/Vista/XP
No prompt
Each session
Online ID
Directory Synchronization (DirSync)
What is DirSync?
“…is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize (a subset of) your on-
premise Active Directory with Windows Azure Active Directory (Office 365).”
Why use DirSync?
• Long term coexistence between Exchange on-prem and Exchange Online
• (Easy/quick provisioning*)• Single place for managing identities including:• Users• Groups• Memberships• …
• Enabler for Hybrid Deployments (required)• Two-way Directory Synchronization
DirSync
How does DirSync work?
SourceAD
MA
TargetWebService
MA
Active Directory
METAVERSE
Deployment Considerations
• Active Directory Health• Prerequisites check (Readiness Tool)• idFix (released 01/03/2013)
• Topology• Single Forest?• Multiple Domains?
• Security• Firewalls, Permissions
• 64-bit only!• (De-)activation time; can take some time to complete• Object filtering required?• SQL Express or Full SQL (+50k objects)
What objects are synced?
From AD to Office 365: http://support.microsoft.com/kb/2256198From Office 365 to AD (aka write-back):
Write-Back attribute Exchange "full fidelity" feature
SafeSendersHashBlockedSendersHashSafeRecipientHash
Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
msExchArchiveStatus Online Archive: Enables customers to archive mail.
ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500)
Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.
msExchUCVoiceMailSettings
Enable Unified Messaging (UM) - Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.
DEMO Topology
DirSync (DS02)
SourceAD
MA
TargetWebService
MA
Active DirectoryDC01.exblog.be
METAVERSE
DEMO: DirSync Deep Dive
Caveats
• Be careful when re-enabling DirSync > possible data loss!
• In large environments (+50k items) > Service Request needed to raise the object limit in Office 365
• Bad Active Directory “health” (object attributes) can influence DirSync’s behavior
• Strict permissions might cause issues (e.g. when inheritance flag is removed)
What about…DirSync without Exchange on-prem?
Missing attributes on-prem Extend AD schema on-prem
Missing management tools Exchange Management Tools3rd Party tools/scripts
Some takeaways
• Enterprise Admin Permissions required for setup to allow creating of the MSOL_DirSync account + optional Hybrid account and propagate permissions in the forest/domain(s).
• Use MIISclient.exe to view operation history and search for objects (SourceAnchor – ObjectGuid)
• Filtering is supported but should be treated carefully.
ADFS
Introduction
Federation Primer
Challenges Requirements• Reduce identities (or at least
management) to a single source of authority
• Allow people to logon into cloud-based solutions with their on-premise credentials
• Simplify management• Keep in control
Multiple Identities
The solution: ADFS
• Cross-premises password policies• Simplified user management• Support for two-factor authentication• Access Control using Client Access Policies
Active Directory Federation Services (ADFS)
Topologies
ADFS: On Premise Topology
Enterprise DMZ
AD FS 2.0 ServerProxy
Internaluser
ActiveDirectory
AD FS 2.0 Server
AD FS 2.0 Server
AD FS 2.0 ServerProxy
ADFS: On Premise Topology
Enterprise DMZ
AD FS 2.0 ServerProxy
Internaluser
ActiveDirectory
AD FS 2.0 Server
AD FS 2.0 Server
AD FS 2.0 ServerProxy
ADFS: Hybrid Topology: IAAS
EnterpriseInternal
user
ActiveDirectory
AD FS 2.0 Server
AD FS 2.0 Server
IAASExternal
user
ActiveDirectory
AD FS 2.0 Server
AD FS 2.0 Server
VPN
ADFS: Hybrid Topology: IAAS
EnterpriseInternal
user
ActiveDirectory
AD FS 2.0 Server
IAASExternal
user
ActiveDirectory
AD FS 2.0 Server
VPN
ADFS: Hybrid Topology: Windows Azure
IP SEC DEVICE
GATEWAY
CLOUD SERVICE
AD FS 2.0 Server
AD FS 2.0 Server
LB ENDPOINT
EnterpriseWindows Azure
ActiveDirectory
AD FS 2.0 Server
AD FS 2.0 Server
ADFS: Cloud Topology: IAAS
IAAS
InternalExternal
user
ActiveDirectory
AD FS 2.0 Server
AD FS 2.0 Server
ADFS & 2 Form Authentication
• Own solutions e.g. extra PIN integrated in the ADFS pages• Works only with form based authentication• ASP.NET Solution
• RSA SecurID Integration
• ForeFront UAG
ADFS
Authentication flows
Authentication flows
• Different authentication flows, depending on the application and service that you are using.
• Office 365 has three different flows:• Passive (Web Applications like e.g. SharePoint & OWA)• Active (Outlook, Exchange Online)• MEX (Lync)
Web (Passive) Authentication Flow
Online
ADFS
DC
Client Exchange/SP Online
Auth. Platform (WAAD)
WEB
Auth
Rich Client Authentication Flow
Online
ADFS
DC
Lync Online
Auth. Platform (WAAD)
MEX
UPN
Sign-in assistant
Active Authentication Flow
Online
ADFS
DC
Client Exchange/SP Online
Auth. Platform (WAAD)
Active
DEMO: ADFS Workflow
Key Takeaways
• ADFS requires a public certificate only for client communications; token signing and encryption can be done with self-signed certificates
• Workflow/endpoint is different depending the application you use: Passive (Web)/Rich Client (Lync)/ Active (Outlook)
• Troubleshooting is not always easy. e.g. requires understanding how to use tools like fiddler2 etc…
Nice-to-knows
RU1• Client Access Policy Support (filtering based on IP Address)• New performance counters > monitoring
RU2• RU1 + additional fixes (mainly stability improvements)• Added support for RelayState Parameter
Demo:ADFS – Websites
Windows Azure Active Directory
W.A.A.D. is a modern, REST-based service that provides identity and access control for your cloud applications.
Already used in:• Windows Azure• Office 365• Dynamics CRM Online• Windows Intune• 3rd party Cloud Services
Windows Azure Active Directory
W.A.A.D. integrates with domain credentials of local AD via ADFS
W.A.A.D. integrates with Access Control Service (a cloud-based service that provides an easy way of authenticating and authorizing users to your web applications and services while allowing the features of authentication and authorization to be factored out of your code)
W.A.A.D. integrates with Graph API: it allows you to read a subset of the entities in the directory: namely Users, Groups, Roles, Subscriptions, Tenant Details and some of the relationships which tie those together. The interaction is read-only
Windows Azure Active Directory
Demo:W.A.A.D. – Websites
Session Takeaways
1
2
3
Before deploying DirSync, check your AD and use tools like MiisClient, IdFix and the Readiness ToolWAAD can also be used to extend functionality of your websites
Office 365 uses three different authentication flows with ADFS: Active, Passive and MEX.
4 Mind ADFS topologies with regards to High Availability