OSP215 Microsoft Office 365: Identity and Access Solutions
Ross Adams, Senior Program Manager, Microsoft

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Session Objectives
- Describe the different identity options
- Explain the identity architecture and features
- Describe how federated authentication works
- Describe the various deployment scenarios
- Questions
Office 365 Identity Features
- Password policy controls for Microsoft Online IDs
- Single sign-on with corporate credentials
- Directory Synchronization updates
- Role-based administration: five administration roles
  - Company Admin
  - Billing Admin
  - User Account Admin
  - HelpDesk Admin
  - Service Support Admin
- “Admin on behalf of” for support partners
Identity Options
1. Microsoft Online IDs
2. Microsoft Online IDs + Microsoft Online Services Directory Synchronization
3. Single Sign On + Directory Synchronization
[Architecture diagram: Contoso customer premises (Active Directory, Active Directory Federation Server 2.0 acting as IdP, MS Online Directory Sync, Office 365 Desktop Setup) connected by a trust to Microsoft Online Services Identity Services (authentication platform with its own IdP, directory store, provisioning platform, Admin Portal/PowerShell), which fronts Exchange Online, SharePoint Online and Lync Online.]
Identity Options Comparison
1. MS Online IDs
   - Appropriate for: smaller orgs without AD on-premise
   - Pros: no servers required on-premise
   - Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; IDs mastered in the cloud
2. MS Online IDs + Dir Sync
   - Appropriate for: medium/large orgs with AD on-premise
   - Pros: users and groups mastered on-premise; enables co-existence scenarios
   - Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; single server deployment
3. Federated IDs + Dir Sync
   - Appropriate for: larger enterprise orgs with AD on-premise
   - Pros: SSO with corporate credentials; IDs mastered on-premise; password policy controlled on-premise; 2FA solutions possible; enables co-existence scenarios
   - Cons: high availability server deployments required
Sign-on Experience
- Office 365 Desktop Setup required for rich clients
  - Installs client and operating system updates to enable the best sign-on experience
  - Not required for web kiosk scenarios (e.g. OWA)
- Password prompts
  - Can be saved for rich applications; can remain “signed in” for web applications
  - Will prompt again when the password changes or expires
- Single sign-on prompts
  - Can bypass prompts by using “Smart Links”; still requires a password on non-domain-joined machines
  - The user name entered at the prompt must be in UPN format for realm discovery
  - Non-domain-joined machines are prompted for both the user name (realm discovery) and the password (Active Directory credentials)
Sign-on Experience: SSO vs. Online IDs Summary
Clients compared: (1) Outlook Web Application; (2) SharePoint Web Application; (3) ActiveSync, POP, IMAP, Entourage; (4) Outlook 2007 or 2010 with Office 2010 or Office 2007 SP2; (5) Lync Online. The slide lists Win7/Vista/XP for the rich Windows clients.
- MS Online IDs: Online ID for every client; prompted each session for (1) to (4), once at setup for (5)
- SSO IDs (domain joined): AD credentials for every client; no prompt for (1) and (3), prompted each session for (2), (4) and (5)
- SSO IDs (non-domain joined): AD credentials for every client; prompted each session for all
Single Sign-on Details
- Setup
- Authentication flows
- Deployment scenarios
- Identity federation rollout
Single Sign-on Setup for New Domains
1. Install the Microsoft Online PowerShell Module for Windows (MSOL PowerShell Module)
2. Connect to AD FS 2.0 and Microsoft Office 365
3. Add Domain (returns details for proof of ownership: the required CNAME record)
4. Verify-Domain
5. Add Trust / Update, which sends the federation settings to Microsoft Online:
   - Claim rules: User Source ID = AD ObjectGUID
   - Active/MEX/Passive endpoints
   - Token certs (current/next)
   - Brand URI etc.
[Diagram: Contoso customer premises (Active Directory Federation Server 2.0, Admin Portal/PowerShell) establishing a trust with Microsoft Online Services Identity Services (authentication platform, directory store, provisioning platform).]
Single Sign-on Operations
- Add a sub-domain for single sign-on
- Convert a domain to single sign-on: used to convert a standard domain to single sign-on
- Convert a domain from single sign-on to standard: should be used with caution; may require users to get a new password
- Get properties of a domain configured for single sign-on: useful for troubleshooting/verification
- Update properties for a single sign-on domain: required when items change, such as token signing certs
DEMO: Federation Tool
Identity Federation: Authentication Flow (Passive/Web Profile)
[Flow diagram, customer side to Microsoft Online Services:]
1. The user logs on at the customer's AD FS 2.0 and receives a SAML 1.1 token carrying UPN: user@contoso.com and Source User ID: ABC123
2. The token is presented to Microsoft Online Services, which maps the Source User ID to the user and issues its own auth token carrying UPN: user@contoso.com and Unique ID: 254729
Identity Federation: Authentication Flow (MEX/Rich Client Profile)
[Flow diagram, customer side to Microsoft Online Services:]
1. The rich client logs the user on at the customer's AD FS 2.0 and receives a SAML 1.1 token carrying UPN: user@contoso.com and Source User ID: ABC123
2. The token is presented to Microsoft Online Services, which maps the Source User ID to the user and issues its own auth token carrying UPN: user@contoso.com and Unique ID: 254729
Identity Federation: Active Flow (Outlook/ActiveSync)
[Flow diagram, customer side to Microsoft Online Services:]
1. The client sends basic auth credentials (username/password) to Microsoft Online Services
2. Microsoft Online Services logs on to the customer's AD FS 2.0 with those credentials on the user's behalf and receives a SAML 1.1 token carrying UPN: user@contoso.com and Source User ID: ABC123
3. Microsoft Online Services maps the Source User ID to the user and issues its own auth token carrying UPN: user@contoso.com and Unique ID: 254729
DEMO: SSO in Action
Identity Details
- Microsoft Online Services requirements
  - MS Online business scenarios always use WS-*
  - WS-Trust provides support for rich client authentication
  - Identity federation supported initially only through AD FS 2.0
- Protocols supported: WS-*, SAML 1.1; SAML-P coming later
- Strong authentication (2FA) solutions
  - Web applications via the AD FS proxy sign-in page or other proxies (UAG/TMG)
  - Rich clients dependent on configuration
AD FS 2.0 Deployment Options
- Single server configuration
- AD FS 2.0 server farm and load balancer
- AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, Outlook)
[Diagram: internal users authenticate directly against the AD FS 2.0 servers in the enterprise network, which are joined to Active Directory; external users reach AD FS 2.0 server proxies in the DMZ, which forward to the internal servers.]
Preparing for Identity Federation
- High availability design for AD FS 2.0
- Every user must have a UPN
  - UPN suffix must match a validated domain in Office 365
  - UPN character restrictions: letters, numbers, dot, underscore or dash; no dot before the @ symbol
- Users may need to understand that they must use their UPN to log on to Office 365 apps
  - Can be hidden from users with smart links from domain machines
Deployment Options: Identity Federation
- Domain conversion is a big switch
- Staged rollout: start with a federated domain and license users over time
- Piloting federation
  - Suitable for an existing production standard domain (running Directory Sync) containing production licensed users
  - Must use a different test domain, not a sub-domain of an existing domain
  - Update users' UPN on-premise to the new test domain
  - Must revert users back to a managed domain at the end of the pilot
Single Forest AD Structures and Considerations
- Matching domains: internal domain and external domain are the same, i.e. contoso.com. Considerations: no special requirements.
- Sub-domain: internal domain is a sub-domain of the external domain, i.e. corp.contoso.com. Considerations: requires domains to be registered in order, primary then sub-domains.
- .local domain: internal domain is not publicly “registered”, i.e. contoso.local. Considerations: domain ownership can’t be proved, so a different domain must be used; requires all users to get a new UPN (use the SMTP address if possible).
- Multiple distinct UPN suffixes in a single forest: mix of users having login UPNs under different domains, i.e. contoso.com & fabrikam.com. Considerations: currently requires multiple AD FS servers.
- Multi-forest (multiple AD forests): not currently supported.
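A pre-flight check over a directory export that applies the UPN rules from "Preparing for Identity Federation" and the domain considerations above; this is an added example, not code from the deck or from Microsoft, and the validated domain list, the sample accounts and the function names are constructed for illustration.

```python
import re

VALIDATED_DOMAINS = {"contoso.com", "corp.contoso.com"}  # assumption: already verified in Office 365
ALLOWED_LOCAL = re.compile(r"^[A-Za-z0-9._-]+$")  # letters, numbers, dot, underscore, dash

def check_upn(upn, validated_domains):
    """Return the reasons this UPN will not federate; an empty list means OK."""
    if not upn:
        return ["no UPN set (every user must have a UPN)"]
    if upn.count("@") != 1:
        return ["UPN must contain exactly one '@'"]
    local, suffix = upn.split("@")
    issues = []
    if not local:
        issues.append("empty user part before '@'")
    else:
        if not ALLOWED_LOCAL.match(local):
            issues.append("characters other than letters, numbers, dot, underscore or dash")
        if local.endswith("."):
            issues.append("dot directly before '@'")
    suffix = suffix.lower()
    if suffix.endswith(".local"):
        issues.append("'.local' suffix: ownership cannot be proved, assign a public suffix (SMTP domain if possible)")
    elif suffix not in validated_domains:
        issues.append(f"suffix '{suffix}' is not a validated Office 365 domain")
    return issues

def audit_users(users, validated_domains):
    """Map sAMAccountName -> issues for each user that would fail federation."""
    report = {}
    for user in users:
        issues = check_upn(user.get("userPrincipalName"), validated_domains)
        if issues:
            report[user["sAMAccountName"]] = issues
    return report

def upn_suffixes(users):
    """Distinct UPN suffixes in use; more than one means more than one AD FS deployment."""
    return {u["userPrincipalName"].rsplit("@", 1)[1].lower()
            for u in users if u.get("userPrincipalName") and "@" in u["userPrincipalName"]}

def registration_order(domains):
    """Order domains so every parent is added before its sub-domains (primary first)."""
    return sorted(domains, key=lambda d: (d.count("."), d))

# Constructed sample directory export (not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com"},
    {"sAMAccountName": "bob", "userPrincipalName": "bob.@contoso.com"},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@contoso.local"},
    {"sAMAccountName": "dave", "userPrincipalName": "dave smith@contoso.com"},
    {"sAMAccountName": "erin", "userPrincipalName": "erin@fabrikam.com"},
    {"sAMAccountName": "frank", "userPrincipalName": None},
]
```

Running audit_users(SAMPLE_USERS, VALIDATED_DOMAINS) flags every account except alice, and upn_suffixes shows the three suffixes that would each need their own AD FS deployment or a UPN change.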
Strong Authentication
- Currently supported scenarios
  - Sign in to the desktop machine with a smart card, i.e. log on to the workstation with a smart card; all connections then use the existing Kerberos tickets, with no additional prompts for the smart card
  - Web applications
- Unsupported scenarios
  - Non-domain-joined (rich apps)/mobile applications
[Client support table, partially recovered: Client (Win7/Vista/XP): Outlook 2010 - No; Outlook 2007; Lync 2010 - Yes; SharePoint Online Web Applications; Mobile]
Alternative Proxies and Strong Authentication
Number of options depending on needs:
- Rich applications without strong authentication
- Web apps with strong authentication (RSA etc.)
- OS/ActiveSync devices without strong authentication
Three options:
- AD FS proxy. Authentication scheme: requires integration of the strong authentication provider with the AD FS proxy login page. Authentication limitations: none.
- Forefront TMG. Authentication scheme: publish the AD FS server; integration with some strong authentication providers is provided out of the box. Authentication limitations: supported but requires each path to be published separately.
- Forefront UAG SP1. Authentication scheme: publish the AD FS server; integration with a wide range of authentication providers out of the box, very flexible integration options.
Office 365 Track Go Do’s
- Get questions answered (and get a beta account): http://www.microsoft.com/en-us/office365/online-software.aspx
- Office 365 Community (incl. blogs): http://community.office365.com/en-us/default.aspx
- Continue the conversation:
  - Office 365 Facebook Site: https://www.facebook.com/office365?v=app_177440328974903
  - Office 365 Twitter Site: http://twitter.com/#!/office365
  - Office 365 LinkedIn Site: http://www.linkedin.com/groups/Microsoft-Office-365-3724282
  - Office 365 YouTube: http://www.youtube.com/microsoftoffice365
- Office 365 Beta Service Descriptions: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6C6ECC6C-64F5-490A-BCA3-8835C9A4A2EA
- Office 365 Developer Training: http://msdn.microsoft.com/en-us/hh181605
- SharePoint Online for Office 365 Developer Guide: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4387e030-73dc-48e7-ac95-abc043b9335a
- Office 365 Marketplace: http://office365.pinpoint.microsoft.com/en-US/default.aspx
Microsoft Office 365 for IT Professionals Jump Start
Microsoft Productivity, Email & Collaboration in the Cloud. Training designed for experienced technologists and IT leaders whose jobs demand they know how to best leverage new, emerging Microsoft technologies.
Three-Day Jump Start Course, May 24-26, 2011 (week after TechEd; tailored for IT Pros; learn from the best)
- May 24: “Office 365 Platform”
- May 25: “Exchange Online”
- May 26: “Lync & SharePoint Online”
REGISTER NOW: http://bit.ly/Office365-JUMP
Office 365 Track Sessions
Monday, May 16
- OSP212: Microsoft Office 365: The Future of Productivity (Room 307 | 1:15 PM)
- OSP216: Microsoft Office 365: Deployment Overview (Room B313 | 3:00 PM)
Tuesday, May 17
- OSP273-INT: Microsoft Office 365 Administration and Automation Using Windows PowerShell (Room B301 | 8:30 AM)
- OSP213: What Do Existing BPOS Customers Need to Do to Prepare for Microsoft Office 365? (Room C201 | 1:30 PM)
- OSP276-INT: Microsoft Office 365 Client Connectivity (Room B304 | 1:30 PM)
- OSP215: Microsoft Office 365: Identity and Access Solutions (Room B314 | 3:15 PM)
- OSP324: The Taming of the Clouds: Integrating SaaS with Your On-Premise Environment (Room C211 | 5:00 PM)
Wednesday, May 18
- OSP272-INT: Licensing Microsoft Online Services (Room B302 | 10:15 AM)
- OSP274-INT: What Do Existing BPOS Customers Need to Do to Prepare for Microsoft Office 365? Q&A Follow Up (Room B304 | 3:15 PM)
- OSP325: Microsoft Office 365: Directory Synchronization (Room B313 | 3:15 PM)
Thursday, May 19
- OSP381-INT: Microsoft Office 365: Identity and Access Solutions - Q&A Follow Up (Room B301 | 10:15 AM)
- OSP219: Deploying Microsoft Office Professional Plus Subscription (Room B314 | 2:45 PM)
- OSP214: Security and Compliance on the Microsoft Business Productivity Online Standard Suite and Microsoft Office 365 Platforms (Room B313 | 4:30 PM)
Related Office 365 Sessions
Monday, May 16
- EXL202: Microsoft Lync 2010: In the Cloud (Room B206 | 3:00 PM)
- OSP210: Microsoft SharePoint Online Overview (Room B402 | 3:00 PM)
Tuesday, May 17
- OSP309: Integrating Microsoft SharePoint 2010 and Microsoft Dynamics CRM Online (Room C302 | 1:30 PM)
- EXL319: Microsoft Lync 2010: Setup, Deployment, Upgrade and Coexistence Scenarios (Room B206 | 3:15 PM)
- OSP301: Integrating Microsoft SharePoint 2010 with Windows Azure (Room C203 | 5:00 PM)
Wednesday, May 18
- EXL302: Archiving and Discovery in Microsoft Exchange 2010 SP1 and Exchange Online (Room B207 | 10:15 AM)
- OSP308: Claims Identity in Microsoft SharePoint 2010 (Room B314 | 10:15 AM)
- OSP372-INT: Building Cloud Apps Using Microsoft Dynamics CRM Online and Windows Azure (Room B303 | 10:15 AM)
- OSP305: Developing Collaboration Solutions in the Cloud with Microsoft SharePoint Online (Room B314 | 1:30 PM)
- EXL311: Microsoft Exchange Server & Microsoft Office 365: How to Set Up a Hybrid Deployment (Room B206 | 3:15 PM)
Thursday, May 19
- EXL375-INT: Understanding Archiving and Compliance in Microsoft Exchange Online (Room B302 | 8:30 AM)
- EXL322: Microsoft Exchange Online: Unified Messaging in Microsoft Office 365 (Room B207 | 1:00 PM)
- EXL309: Microsoft Exchange Online in Microsoft Office 365: Migration Case Study (Room B207 | 2:45 PM)
- OSP306: Developing Powerful Workflows in the Cloud with Microsoft SharePoint Online (Room C208 | 2:45 PM)
Questions?
Resources (Tech Ed North America 2010)
Connect. Share. Discuss. http://northamerica.msteched.com
- Learning: Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!