SPC2012 – IT-Pro 7/1/2018 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

Presentation transcript:

SPC2012 – IT-Pro 7/1/2018 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

SPO Sign-in experience
Venky Veeraraghavan, Program Manager
SPC2012 - Developer 7/1/2018

What we are going to cover today
- How does SharePoint Online sign-in work?
- What do I do to ensure a great end-user experience?

How does SharePoint Online sign-in work?

Comparison
On-prem
- Who are you? (aka AuthN): Active Directory; pluggable via SAML-Claims
- What do we know about you? (aka Profile): Pluggable via LDAP
Online
- Who are you? (AuthN): Organizational Account; also, Microsoft Account; also, Corporate AD
- What do we know about you? (Profile): MSOnline; Corporate AD

On-prem
[Diagram: authentication flow and profile flow. Labels: SP Web App, SP Services, SP Profile AD Import, SP, SPODS, AD]

Online (whoa!)
[Diagram: authentication flow and profile flow. Labels: MS Acc, Org Acc, SP Web App, SP Services, SP Profile AD Import, SPO, SPODS, SPO-DS, Sync, trust, LyO, LyDS, OCDS, EXO, EXDS, MSODS, MSO-DS, MSO Portal, ADFS, Dir Sync, AD, Federated Customer, Non-federated Customer]

Let’s break it down

Small Biz
[Diagram: authentication flow and profile flow. Labels: Org Acc, SP Web App, SP Services, SP Profile AD Import, SPO, SPODS, SPO-DS, Sync Daemon, MSODS, MSO-DS, MSO Portal, Non-federated Customer]

Large Enterprise
[Diagram: authentication flow and profile flow. Labels: Org Acc, SP Web App, SP Services, SP Profile AD Import, SPO, SPODS, SPO-DS, Sync Daemon, MSODS, MSO-DS, MSO Portal, ADFS, Dir Sync, AD, Federated Customer]

Back together now

Online
[Diagram: authentication flow and profile flow. Labels: MS Acc, Org Acc, SP Web App, SP Services, SP Profile AD import, SPO, SPODS, SPO-DS, Sync Daemon, trust, LyO, LyDS, OCDS, EXO, EXDS, MSODS, MSO-DS, BOX-P, ADFS, Dir Sync, AD, Federated Customer, Non-federated Customer]

Demo Browser and Office sign-in

Organization Account Microsoft Account

Sign-in paths
Passive (aka Browser and Mobile)
- Uses the Browser to get the user authenticated
- Authentication state is maintained via Cookies
- Persistent Cookies == best experience
- Office 2007 SP2 and Office 2010 also use the same method (often called MS-OFBA)
Active (aka Office 2013)
- Uses a client library to get the user authenticated
- The client library stores the user's credentials and/or negotiates with Windows/ADFS to sign-in
- Authentication state is maintained via Signin Token
- Office 2013 uses this method

What do I do to ensure a great end-user experience?

Three things you need to do
- Educate end-users
- Partner with your IDM IT Pro
- Plan content migration as SP Admins

Educate end-users
Cloud sign-in is different from Windows

End user education
Why do I need to sign-in?
- No Integrated Auth with OrgID, so users have to sign-in
- Possibly confusing to users who were not signing in to SharePoint before
- Recommend that users select “Keep me signed in” on private computers – NOT recommended in kiosk!
What is my username?
- Use a User Principal Name (looks like an email address)
- So – user@domain.com instead of domain\user
How often?
- Users might think they’re seeing the cred prompt more times than expected
- ADFS security policy determines how long cookies are kept around
- Users need to sign-in every time authN cookies have expired – rolling 5 day window
Any Machine settings?
- Chrome users need the Reg-key for Extended protection
- Put all O365/SPO urls in trusted sites list – (tool available from Portal)

Anywhere, anytime access
Users need to sign-in everywhere
- OnPrem access also needs you to sign-in on the OrgID sign-in page with your Organizational Account
- ADFS might still do silent sign-in with Windows integrated Auth (IE only)
Every Browser is different
- Your ADFS policy might have Extended Protection enabled
- Chrome will need special regkey settings to enable this
SSO between rich client and browser
- Works only for clients that use passive sign-in
- Involves the OrgID sign-in page
  - In addition to the ADFS sign-in page users saw outside the corporate network

Partner with your Identity Mgmt IT Pro
The key to a great experience is a great partnership with your IDM peers.

You and the IDM ITPro: Sign-in
Corporate IDM system is critical for the experience
- Issues in IDM system often manifest as SharePoint errors
- Often happens because of suspect data quality (more later)
Shared protection
- Your Corporate ADFS likely also protects other corporate resources
Consistent Experience
- Design the ADFS sign-in page with the OrgID sign-in page in mind
- Minimize the seams in the users’ experience
Balance Experience and Security
- Org security policies and the best user experience are in tension with each other
  1. Session cookies vs. Persistent cookies
  2. Token timeouts

You and the IDM ITPro: Directory
Data Cleanliness
- UPNs are set on all records and the same as what you told your end user – ideally email address
- All Security Groups should have names
- Group Names should not collide when using Multi-forest sync
Data Completeness
- Sync all Users in the organization to the cloud
- Sync all Groups to the cloud
- Exceptions for “large” groups (>15K members currently) – need to split groups
- AD well known groups – e.g. NTAuthority\All Authenticated Users – are not available
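The cleanliness and completeness points on this slide can be checked against a directory export before sync is switched on. The following is an added example, not part of the presentation: the record layout, field names and sample rows are constructed, and comparing group names case-insensitively is an assumption.

```python
from collections import defaultdict

LARGE_GROUP_LIMIT = 15_000  # the slide's ">15K currently" threshold

# Constructed sample export; the field names are assumptions of this example.
USERS = [
    {"sam": "alice", "upn": "alice@contoso.example", "mail": "alice@contoso.example"},
    {"sam": "bob", "upn": "", "mail": "bob@contoso.example"},
    {"sam": "carol", "upn": "carol@corp.local", "mail": "carol@contoso.example"},
]
GROUPS = [
    {"forest": "corp", "name": "Finance", "members": 120},
    {"forest": "emea", "name": "finance", "members": 40},
    {"forest": "corp", "name": "", "members": 7},
    {"forest": "corp", "name": "All Staff", "members": 18250},
]


def check_users(users):
    """Flag records whose UPN is missing or differs from the email address."""
    findings = []
    for u in users:
        upn = (u.get("upn") or "").strip()
        mail = (u.get("mail") or "").strip()
        if not upn:
            findings.append((u["sam"], "UPN not set"))
        elif mail and upn.casefold() != mail.casefold():
            findings.append((u["sam"], "UPN differs from email address"))
    return findings


def check_groups(groups, limit=LARGE_GROUP_LIMIT):
    """Flag unnamed groups, groups over the size limit, and cross-forest name collisions."""
    findings = []
    forests_by_name = defaultdict(set)
    for g in groups:
        name = (g.get("name") or "").strip()
        if not name:
            findings.append((g["forest"], "<unnamed>", "security group has no name"))
            continue
        # Assumption: names are compared case-insensitively across forests.
        forests_by_name[name.casefold()].add(g["forest"])
        if g["members"] > limit:
            findings.append((g["forest"], name, "large group, needs splitting"))
    for name, forests in forests_by_name.items():
        if len(forests) > 1:
            findings.append(("+".join(sorted(forests)), name, "name collides across forests"))
    return findings


if __name__ == "__main__":
    for finding in check_users(USERS) + check_groups(GROUPS):
        print(finding)
```
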

SharePoint Admin: Plan for migration to O365

What a SharePoint Admin should do
Have a plan for groups
- Use “Everyone in <tenantname>” instead of “NT_Authority\All Authenticated Users”
- Migrate ACLs to corresponding Cloud groups – same name as on-prem
- Add all sub-groups to the ACL when split to deal with “large” group issue
Work with IDM IT Pro
- Identify how to support user escalations together
- Monitor email from the DirSync tool about sync issues
- Do you have proper permissions everywhere?
Define experience goals together
- Balance security policy and successful user experience
Do a trial run
- Choose a limited but used set of content to move to the cloud
- Empirically analyze experience issues and fix them
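The group plan on this slide amounts to a rewrite of each on-prem ACL: the well-known group becomes “Everyone in <tenantname>”, other groups map to the same-named cloud group, and a split group is replaced by all of its sub-groups. The following is an added example, not part of the presentation: the tenant name, group names, split map and ACL layout are constructed, and every ACL entry is assumed to be a group.

```python
def normalize(principal):
    """Compare principals ignoring case, spaces and underscores."""
    return principal.replace(" ", "").replace("_", "").casefold()


WELL_KNOWN_ALL_USERS = {
    normalize(r"NT_Authority\All Authenticated Users"),  # spelling used on the slide
    normalize(r"NT AUTHORITY\Authenticated Users"),      # name as Windows displays it
}

# Constructed sample data for this example.
TENANT = "contoso"
ONPREM_ACL = [
    (r"NT_Authority\All Authenticated Users", "Read"),
    (r"CORP\Finance", "Contribute"),
    (r"CORP\All Staff", "Read"),
    (r"CORP\Legacy Admins", "Full Control"),
]
SYNCED_GROUPS = ["Finance", "All Staff 1", "All Staff 2"]
SPLIT_MAP = {"All Staff": ["All Staff 1", "All Staff 2"]}  # "large" group and its parts


def plan_cloud_acl(onprem_acl, tenant, synced_groups, split_map):
    """Return (cloud_acl, unresolved) for a list of (principal, permission) pairs."""
    synced = {g.casefold() for g in synced_groups}
    cloud, unresolved = [], []

    def grant(target, perm):
        if (target, perm) not in cloud:
            cloud.append((target, perm))

    for principal, perm in onprem_acl:
        if normalize(principal) in WELL_KNOWN_ALL_USERS:
            grant(f"Everyone in {tenant}", perm)
            continue
        name = principal.rsplit("\\", 1)[-1]  # drop the DOMAIN\ prefix
        for target in split_map.get(name, [name]):
            if target.casefold() in synced:
                grant(target, perm)
            else:
                # No same-named cloud group: raise with the IDM IT Pro before migrating.
                unresolved.append((principal, target))
    return cloud, unresolved


if __name__ == "__main__":
    acl, missing = plan_cloud_acl(ONPREM_ACL, TENANT, SYNCED_GROUPS, SPLIT_MAP)
    print(acl)
    print(missing)
```

Entries returned in the unresolved list are the ones that would silently lose access after migration, so they are worth resolving before the trial run.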

Summary

Key Takeaways
Design the end-user experience
- For Federated sign-in, you “own” the ADFS sign-in experience
- Plan for kiosk and browser populations
Educate end-users
- The experience is going to change.. Manage it
Work closely with your IDM ITPro
- Data Quality and Completeness
- Security Policies
- Support

Questions!

MySPC Evaluate this session now on MySPC using your laptop or mobile device: http://myspc.sharepointconference.com
