Microsoft Office 365: Identity and Access Solutions

Presentation transcript:

Microsoft Office 365: Identity and Access Solutions
SESSION CODE: SECOFC310
Toby Knight, Technology Specialist, Microsoft
Michael Mahoney, Solution Architect, Microsoft
(c) 2011 Microsoft. All rights reserved.

Session Objectives
- Describe the different identity options
- Explain the identity architecture and features
- Describe how federated authentication works
- Describe the various deployment scenarios
- Questions

Office 365 Identity features
- Password policy controls for Microsoft Online IDs
- Single sign-on with corporate credentials
- Directory Synchronization updates
- Role-based administration: five administration roles
  - Company Admin
  - Billing Admin
  - User Account Admin
  - HelpDesk Admin
  - Service Support Admin
- "Admin on behalf of" for support partners

Identity Options
- Microsoft Online IDs
- Microsoft Online IDs + Microsoft Online Services Directory Synchronization
- Single Sign On + Directory Synchronization

Architecture diagram (labels only):
- Contoso customer premises: Active Directory (AD), Active Directory Federation Server 2.0, MS Online Directory Sync, Office 365 Desktop Setup
- Microsoft Online Services Identity Services: Authentication platform (IdP), Directory Store, Provisioning platform, Admin Portal/PowerShell
- Services: Exchange Online, SharePoint Online, Lync Online
- Trust between Active Directory Federation Server 2.0 and the Microsoft Online Services authentication platform

Identity options comparison

| | 1. MS Online IDs | 2. MS Online IDs + Dir Sync | 3. Federated IDs + Dir Sync |
|---|---|---|---|
| Appropriate for | Smaller orgs without AD on-premise | Medium/Large orgs with AD on-premise | Larger enterprise orgs with AD on-premise |
| Pros | No servers required on-premise | Users and groups mastered on-premise; enables co-existence scenarios | SSO with corporate credentials; IDs mastered on-premise; password policy controlled on-premise; 2FA solutions possible; enables co-existence scenarios |
| Cons | No SSO; no 2FA; 2 sets of credentials to manage with differing password policies | No SSO; no 2FA; 2 sets of credentials to manage with differing password policies | High availability server deployments required |
| Notes | IDs mastered in the cloud | Single server deployment | |

Sign on Experience
- Office 365 Desktop setup is required for rich clients: it installs client and operating system updates to enable the best sign-on experience. Not required for web kiosk scenarios (e.g. OWA).
- Password prompts: can be saved for rich applications, and users can remain "signed in" for web applications. Will prompt again when the password changes or expires.
- Single Sign On prompts: can be bypassed by using "Smart Links". Still requires a password on non-domain joined machines. The prompt for user name must be in UPN format for realm discovery.
- Non-domain joined machines are prompted for both username (realm discovery) and password (Active Directory credentials).

Sign On Experience: SSO vs. Online IDs Summary

| | Outlook Web Application | SharePoint Web Application | ActiveSync, POP, IMAP, Entourage | Outlook 2007 or 2010 (Office 2010, or Office 2007 SP2) | Lync Online |
|---|---|---|---|---|---|
| Platform | | | Win7/Vista/XP | Win7/Vista/XP | Win7/Vista/XP |
| MS Online IDs | Each session, Online ID | Each session, Online ID | Each session, Online ID | Each session, Online ID | Once at setup, Online ID |
| SSO IDs (domain joined) | No prompt, AD credentials | Each session, AD credentials | No prompt, AD credentials | Each session, AD credentials | Each session, AD credentials |
| SSO IDs (non-domain joined) | Each session, AD credentials | Each session, AD credentials | Each session, AD credentials | Each session, AD credentials | Each session, AD credentials |

Single Sign On Details
- Setup
- Authentication flows
- Deployment scenarios
- Identity federation rollout

Single Sign On Setup for New domains
- Microsoft Online PowerShell Module for Windows: connect to AD FS 2.0 and Microsoft Office 365
- Add Domain (returns details for proof of ownership: the required CNAME)
- Verify-Domain (MSOL PowerShell Module) once the CNAME is in place
- Add Trust: claim rules, User Source ID = AD ObjectGUID
- Update: Active/MEX/Passive endpoints, token certs (Current/Next), brand URI etc.

Diagram labels (setup flow):
- Contoso customer premises: Active Directory Federation Server 2.0, Directory Store
- Microsoft Online Services Identity Services: Authentication platform, Provisioning platform, Admin Portal/PowerShell
- Trust established between Active Directory Federation Server 2.0 and the authentication platform

Single Sign On Operations
- Add a sub domain for Single Sign On
- Convert a domain to Single Sign On: used to convert a Standard domain to Single Sign On
- Convert a domain from Single Sign On to Standard: should be used with caution, may require users to get a new password
- Get properties of a domain configured for Single Sign On: useful for troubleshooting/verification
- Update properties for a Single Sign On domain: required when items change, such as token signing certs
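The "Get Properties" and "Update Properties" operations above are where token-signing certificate rollovers are caught. The script below is an added example, not from the deck, that compares what Office 365 holds for a federated domain with what the AD FS 2.0 server publishes and pushes an update only when they differ. It assumes the Microsoft Online Services Module for Windows PowerShell (MSOnline) cmdlets named in it, that Get-MsolFederationProperty returns two objects distinguished by a Source property reading "ADFS Server" for the on-premises side, and the output property names used in $fields; contoso.com and adfs01.corp.contoso.com are placeholders.

```powershell
# Added example, not part of the deck: detect drift between the federation
# settings held by Office 365 and those published by the AD FS 2.0 server.
# Assumes the MSOnline module; property names on the Get-MsolFederationProperty
# output and the Source value 'ADFS Server' are assumptions to verify.

Import-Module MSOnline
$domain     = 'contoso.com'               # federated domain to check (placeholder)
$adfsServer = 'adfs01.corp.contoso.com'   # AD FS 2.0 server name (placeholder)

Connect-MsolService                        # prompts for an Office 365 admin Online ID
Set-MsolADFSContext -Computer $adfsServer  # server the MSOL cmdlets read AD FS settings from

# Only a Federated domain has a trust to compare; a Managed (Standard) domain
# must be converted first with Convert-MsolDomainToFederated.
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne 'Federated') {
    throw "$domain is a $($d.Authentication) domain, not Federated"
}

# One object is read from AD FS, one from Office 365; Source tells them apart.
$props     = Get-MsolFederationProperty -DomainName $domain
$fromAdfs  = $props | Where-Object { $_.Source -like 'ADFS*' }
$fromCloud = $props | Where-Object { $_.Source -notlike 'ADFS*' }

$stale  = $false
$fields = 'FederationServiceIdentifier', 'PassiveClientSignInUrl',
          'ActiveClientSignInUrl', 'MetadataExchangeUri'
foreach ($f in $fields) {
    if ($fromAdfs.$f -ne $fromCloud.$f) {
        Write-Warning "$f differs: AD FS='$($fromAdfs.$f)' Office 365='$($fromCloud.$f)'"
        $stale = $true
    }
}

# Token-signing certs are certificate objects; compare thumbprints, and check
# the Next certificate too so a pending rollover is caught before it bites.
foreach ($c in 'TokenSigningCertificate', 'NextTokenSigningCertificate') {
    $a = $fromAdfs.$c
    $b = $fromCloud.$c
    $aThumb = if ($a) { $a.Thumbprint } else { $null }
    $bThumb = if ($b) { $b.Thumbprint } else { $null }
    if ($aThumb -ne $bThumb) {
        Write-Warning "$c differs: AD FS='$aThumb' Office 365='$bThumb'"
        $stale = $true
    }
}

if ($stale) {
    # The "Update Properties" operation: copies the AD FS values to Office 365.
    Update-MsolFederatedDomain -DomainName $domain
    "Updated federation settings for $domain"
} else {
    "$domain federation settings are in sync"
}
```

Run it from the machine where the MSOL module is installed, as an account that is a Company Admin in Office 365 and can read the AD FS 2.0 configuration. A mismatch on the token-signing certificate is the one to act on first: once AD FS starts signing with a certificate Office 365 does not know, every federated sign-in fails.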

DEMO: Federation Tool

Identity Federation Authentication flow (Passive/Web profile)

Diagram labels:
- Customer: User, Source ID
- Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123
- Microsoft Online Services: Auth Token: UPN user@contoso.com, Unique ID 254729

Identity Federation Authentication flow (MEX/Rich Client Profile)

Diagram labels:
- Customer: User, Source ID
- Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123
- Microsoft Online Services: Auth Token: UPN user@contoso.com, Unique ID 254729

Identity Federation Active flow (Outlook/ActiveSync)

Diagram labels:
- Customer: User, Source ID
- Basic Auth credentials: username/password
- Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123
- Microsoft Online Services: Auth Token: UPN user@contoso.com, Unique ID 254729

Identity Details
Microsoft Online Services requirements:
- MS Online business scenarios always use WS-*
- WS-Trust provides support for rich client authentication
- Identity federation supported initially only through AD FS 2.0
Protocols supported:
- WS-*, SAML 1.1
- SAML-P coming later
Strong authentication (2FA) solutions:
- Web applications via the AD FS Proxy sign-in page or other proxies (UAG/TMG)
- Rich clients dependent on configuration

AD FS 2.0 deployment options
- Single server configuration
- AD FS 2.0 server farm and load-balancer
- AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, Outlook)

Diagram labels:
- Enterprise: Active Directory, AD FS 2.0 Server (three in the farm), internal user
- DMZ: AD FS 2.0 Server Proxy (two), external user

Preparing for Identity Federation
- High availability design for AD FS 2.0
- Every user must have a UPN
- UPN suffix must match a validated domain in Office 365
- UPN character restrictions: letters, numbers, dot, underscore or dash; no dot before the @ symbol
- Users may need to understand that they must use their UPN to log on to Office 365 apps; this can be hidden from users with smart links from domain machines

Deployment options: Identity federation
- Domain conversion is a big switch
- Staged rollout: start with a federated domain and license users over time
- Piloting federation, suitable for an existing production standard domain (running Directory Sync) containing production licensed users:
  - Must use a different test domain, not a sub-domain of an existing domain
  - Update users' UPN on premise to the new test domain
  - Must revert users back to a managed domain at the end of the pilot

Single Forest AD Structures and Considerations

| | Description | Considerations |
|---|---|---|
| Matching domains | Internal domain and external domain are the same, i.e. contoso.com | No special requirements |
| Sub domain | Internal domain is a sub domain of the external domain, i.e. corp.contoso.com | Requires domains registered in order, primary then sub domains |
| .local domain | Internal domain is not publicly "registered", i.e. contoso.local | Domain ownership can't be proved, must use a different domain. Requires all users to get a new UPN; use the SMTP address if possible |
| Multiple distinct UPN suffixes in single forest | Mix of users having login UPNs under different domains, i.e. contoso.com & fabrikam.com | Currently requires multiple AD FS servers |
| Multi Forest | Multiple AD forests | Not currently supported |
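The UPN rules from "Preparing for Identity Federation" and the .local remediation in the table above are easiest to apply with an audit run before the domain is converted. The script below is an added example, not from the deck: it checks every AD user's UPN against those rules, reports the base64 ImmutableID that Directory Sync derives from objectGUID (the value the "User Source ID = AD ObjectGUID" claim rule must match), and suggests the primary SMTP address as a replacement UPN where the suffix cannot be validated. It assumes the ActiveDirectory PowerShell module on a domain-joined machine; $validatedDomains is a placeholder for the domains already verified in the Office 365 admin portal.

```powershell
# Added example, not part of the deck: UPN readiness audit for Office 365 SSO.
# Assumes the ActiveDirectory module (RSAT); $validatedDomains is a placeholder.

Import-Module ActiveDirectory
$validatedDomains = @('contoso.com', 'fabrikam.com')   # placeholder values

# Prefix may contain letters, numbers, dot, underscore or dash, and must not
# end with a dot (no dot immediately before the @).
$prefixPattern = '^[A-Za-z0-9._-]*[A-Za-z0-9_-]$'

# Returns $null when the UPN is acceptable, otherwise a reason string.
function Test-O365Upn {
    param([string]$Upn)
    if ([string]::IsNullOrEmpty($Upn)) { return 'No UPN set' }
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2) { return 'Malformed UPN' }
    if ($parts[0] -notmatch $prefixPattern) { return 'Invalid character or dot before @ in prefix' }
    if ($validatedDomains -notcontains $parts[1].ToLower()) {
        return "Suffix '$($parts[1])' is not a validated domain"
    }
    return $null
}

# Directory Sync sends the AD objectGUID, base64-encoded, as the user's Source ID;
# the AD FS claim rule must issue the same value, so report it next to the UPN.
function Get-ImmutableId {
    param([guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Candidate replacement UPN: the primary SMTP address, if its domain is validated
# (the ".local" case in the table, where users must receive a new UPN).
function Get-SuggestedUpn {
    param([string]$Mail)
    if ($Mail -and -not (Test-O365Upn $Mail)) { return $Mail.ToLower() }
    return $null
}

$report = Get-ADUser -Filter * -Properties userPrincipalName, objectGUID, mail |
    ForEach-Object {
        $problem   = Test-O365Upn $_.UserPrincipalName
        $suggested = if ($problem) { Get-SuggestedUpn $_.mail } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            UPN            = $_.UserPrincipalName
            ImmutableId    = Get-ImmutableId $_.ObjectGUID
            Problem        = $problem
            SuggestedUpn   = $suggested
        }
    }

$needsChange = @($report | Where-Object { $_.Problem })
$needsChange | Format-Table SamAccountName, UPN, Problem, SuggestedUpn -AutoSize
"$($needsChange.Count) of $($report.Count) users need a UPN change"

# After review, apply the suggestions; drop -WhatIf to make the change.
# $needsChange | Where-Object { $_.SuggestedUpn } |
#     ForEach-Object { Set-ADUser $_.SamAccountName -UserPrincipalName $_.SuggestedUpn -WhatIf }
```

Users flagged with "Suffix ... is not a validated domain" and no SuggestedUpn are the ones that need a decision (a new UPN suffix must be added to the forest first); users with a suggestion can be fixed in bulk, which is the "use SMTP address if possible" guidance from the table. Run the audit again after Directory Sync has completed a cycle, since a UPN change on premise is what Office 365 will see next.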

Strong Authentication
Currently supported scenarios:
- Sign in to desktop machine with smart cards, i.e. logon to the workstation with a smart card; all connections are then based on the existing Kerberos tickets, with no additional prompts for the smart card
- Web applications
Unsupported scenarios:
- Non-domain joined (rich apps)/mobile applications

| Client | Win7/Vista/XP |
|---|---|
| Outlook 2010 | No |
| Outlook 2007 | |
| Lync 2010 | Yes |
| SharePoint Online Web Applications | |
| Mobile | |

Alternative Proxies and Strong Authentication
Number of options depending on needs:
- Rich applications without strong authentication
- Web apps with strong authentication (RSA etc)
- OS/ActiveSync devices without strong authentication
Three options:

| Option | Authentication scheme | Authentication limitations |
|---|---|---|
| AD FS proxy | Requires integration of the strong authentication provider with the AD FS proxy login page. | None |
| Forefront TMG | Publish the AD FS server. Integration with some strong authentication providers is provided out of the box. | Supported but requires each path to be published separately |
| Forefront UAG SP1 | Publish the AD FS server. Integration with a wide range of authentication providers out of the box, very flexible integration options. | |

Enrol in Microsoft Virtual Academy Today
Why enrol, other than it being free? The MVA helps improve your IT skill set and advance your career with a free, easy to access training portal that allows you to learn at your own pace, focusing on Microsoft technologies.
What do I get for enrolment?
- Free training to help you become the Cloud Hero in your organization
- Help mastering your training path and getting the recognition
- Connect with other IT Pros and discuss the Cloud
Where do I enrol? www.microsoftvirtualacademy.com
Then tell us what you think: TellTheDean@microsoft.com

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources
- www.msteched.com/Australia: Sessions On-Demand & Community
- www.microsoft.com/australia/learning: Microsoft Certification & Training Resources
- http://technet.microsoft.com/en-au: Resources for IT Professionals
- http://msdn.microsoft.com/en-au: Resources for Developers