Office 365 Identity Federation Technology Deep-Dive OSP224 Office 365 Identity Federation Technology Deep-Dive Paul Black and Toby Knight Technical Specialists
Session Objectives And Takeaways Tech Ready 15 4/2/2017 Session Objectives And Takeaways Session Objective(s): Identify the role that Provisioning & Synchronization plays in Directory Integration Discuss available Provisioning & Synchronization Options Understand key directory concepts pertinent to Sync Key Takeaway 1 When to use which Directory Sync option/technology, and what’s supported Key Takeaway 2 Key architecture and design considerations of the end-to-end sync infrastructure © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Advanced Warning: Identity Crisis!! Platform is being re-branded “Windows Azure Active Directory” aka “Windows Azure AD” or just “AAD”
Windows Azure AD vs. Office 365 Go-to-market names for different packages of functionality (CRM Online, InTune as well!) All GTMs share common platform pieces: Directory: “MSO DS” STS: OrgID Platform pieces & tools will be branded Windows Azure AD Powershell Module for Windows Azure Active Directory Windows Azure Active Directory Sync Tool Windows Azure Active Directory Connector for FIM 2010
Windows Azure AD vs. Office 365 Exchange Online SharePoint Lync CRM InTune Cloud app Azure AD Cloud app Cloud app AD
Provisioning vs Synchronization The two are not the same! Synchronization solutions are Provisioning solutions, but not the other way around! Provisioning Creation of objects and/or associated resources in a directory or external system. Synchronization Provisioning + long-term consistency/parity of state between source objects and their representation in the external system.
Directory Integration Options Manual How Create objects in Windows Azure AD via Admin Portal or Bulk Import Why Low volume of objects to create No long term management/consistency required Scriptable How PowerShell cmdlets GRAPH API Why Need automated process, but don’t require access to all attributes in directory OK to not have full consistency between source and cloud Automated How DirSync, FIM + Connector Why Large volume of objects/churn Require access to all attributes in directory Require consistency between on-prem & cloud Want Single Sign-On
Examples of Integration - Manual
Example of Integration - Scriptable Powershell New-MsolUser -UserPrincipalName “jluk@fabrikam.com” GRAPH
Example of Integration - Automated (fill in DirSync picture here)
Directory Integration in the bigger picture Directory Integration is the first half of a larger ecosystem Single Sign-On solutions depend on successful Synchronization of data into the Directory!
Architecture and Integration Options No Integration Directory Data Only Directory and Single sign-on (SSO) Windows Azure Active Directory Exchange Online Identity Services Authentication platform SharePoint Online Trust Contoso customer premises Active Directory Federation Server 2.0 Admin Portal/ PowerShell IdP Lync Online IdP Directory Store AD MS Online Directory Sync Provisioning platform CRM Online InTune Office 365 Desktop Setup
Why Directory and SSO Integration Single place for management User and groups (including securityp-enabled groups) Passwords Password policies Support for Enterprise Single Sign on Support for Hybrid environments for Services such as Exchange Online Options for Strong Authentication (e.g. Smart cards)
Architecture Deep Dive AD FS Microsoft Online ID Customer Network Office 365 Datacenter DirSync Workflow Exchange GRAPH AD MA MetaVerse O365 MA Lync AD O365 Directory AWS FEs SharePoint …
Life as a sync’d object When an object created in the cloud, “owned in the cloud” Changes can be made via Portal, Powershell or in the various cloud services When an object is created by Sync, “owned by sync” Changes can only be made via on-prem directory and then sync to cloud When an object is created in the cloud, but also exists on-prem Sync will try to Soft-Match the object coming via Sync Soft-match uses SMTP addresses to “best guess” If matched, “owned by sync”
Life as a sync’d object Objects “owned by Sync” can be deleted directly in the cloud! Remove-MsolUser/Contact/Group will allow you to delete an object that is owned by Sync If still on-prem, will be recreated on next Sync cycle
Tour as a sync’d object Sync Tool reads data from on-prem directory source Sync Tool pushes data to AWS FEs AWS FE tries to create object in MSODS (if user, OrgID first) Workflow evaluates objects and attributes such as User.ProxyAddresses Data validations performed Services read from MSODS and sync into services Validation required? Done here.
Choose your own Sync Adventure 3 options for Directory Sync Single-forest DirSync appliance Multi-forest DirSync appliance Windows Azure Active Directory Connector for FIM 2010 (aka “Multi-Forest”) You don’t need to use SSO just because you sync but you should Sync in order to use SSO Could use PowerShell, but lots of management overhead & not formally tested scenario Sync solution doesn’t constrain SSO solution You can use any Sync solution with ADFS or non-AD STS (i.e. Shib)
Choose your own Sync Adventure Single Forest DirSync When to use Single AD forest on-prem that contains all data to synchronize to AAD Multi-Forest DirSync When to use More than 1 AD Forest containing the directory data to synchronize to AAD ADs have “non-overlapping data” (no object in one forest is represented in another forest) AAD Connector When to use Multiple AD Forests containing directory data to synchronize to AAD Directory data “overlaps” (an object is represented in more than one forest) Non-AD directory sources*
Choose your own Sync Adventure A notable exception to previous slide: This is a common pattern (prescribed by Exchange Product) Full migration to Exchange Online then collapse Resource Forest Sync’ing the necessary core attributes from Exchange Auth forest can negate the need for multi-forest sync altogether Including SourceAnchor, UserPrincipalName Some things not supported at this time: Multiple Exchange Orgs Pattern Consider… 2 Forests on-prem: 1 Authentication/Logon forest 1 Exchange/”Resource” Forest “Sync” data from Exchange forest Auth Forest Run single-forest DirSync against Auth Forest
Core Directory Sync Concepts Source of Authority Where changes can be made to an object (either “on-prem” or “cloud”) De-/activating DirSync in the Admin portal transfers source of authority SourceAnchor used to uniquely identify objects created in cloud from on-prem directory Critical for Single Sign-On scenario (ADFS will be configured to generate SourceAnchor on AuthN, this needs to match the ImmutableID stored in OrgId during user provisioning time) Can’t change after initial provision of object by Sync will error out
Core Directory Sync Concepts UserPrincipalName The “sign-in name” for a user On-prem UPN needs to match UPN in the cloud for login to succeed Once licensed, user UPN won’t change even if changed on-prem Can override using Set-MsolUserPrincipalName cmdlet Hybrid Service Deployments Some attributes on on-prem objects are updated based on activities in the cloud Only modify objects that were initially sync’d to the cloud from on-prem
Core Directory Sync Concepts We validate (some) data to protect the Core Directory and services: Attribute Validation UserPrincipalName UPNs must use verified domain If not, will autoconstruct UPN value (won’t update local AD): [sAMAccountName] + ‘@’ + [moera.onmicrosoft.com] Must contain only supported characters User.ProxyAddresses Cannot have duplicate proxy addresses Sync Error (on license for EXO) Remove all proxyaddresses that are not using a verified domain Adding verified domain later will “re-hydrate” those PAs removed earlier
Core Directory Sync Concepts Most common sync validation failures: Duplicate proxy addresses Duplicate UPN value Errors reported in Email Run the Deployment Readiness Tool!
Core Directory Sync Concepts Linking/Matching objects during sync First, check to see if object already exists with same SourceAnchor value If object exists, update existing object If no objects hardmatch, try and soft match against existing objects (using SMTP addresses of on-prem object) If candidate match exists, stamp SourceAnchor on the value on object for subsequent sync cycles If no candidate match exists, create new object DirSync Quota Protect the directory for malicious “storage DOS” Default now 50K for tenants provisioned after 5/1
Core Directory Sync Concepts Throttling Sync Throughput “shared” across tenants at AWS layer (throttled per partition) DirSync client automatically handles “Error Code 81” and retries again Throttling leads to variable sync times V1/V2 differences Some differences in what’s sync’d/not sync’d Groups without display names aren’t sync’d in v2! Contact migration team for documentation/list of deltas
Recovering deleted objects via Sync Will be lighting up “soft delete” feature in PROD Scenario: On-prem AD Admin accidentally deletes a user object in AD DirSync “propagates delete” to the cloud User object is deleted in the cloud (mailbox lost) NOW WHAT?
Recovering deleted objects via Sync Manual recovery admin identifies object to be recovered Via DirSync When admin restores the user object in AD (via W2K8R2 Recycle Bin), object is automatically recovered by DirSync – mailbox is recovered, etc. “recovery” is dependent on keeping the same SourceAnchor value! New SourceAnchor value with “same attribute values” will not recover the user object in the cloud!
Filtering Sync 2 kinds of filters customers ask for: Choose which objects get sync’d to the cloud Choose which attributes get sync’d to the cloud We support the former, we don’t support the latter Wiki post and UA documentation posted to walk customers through this customization
In Review: Session Objectives And Takeaways Tech Ready 15 4/2/2017 In Review: Session Objectives And Takeaways Session Objective(s): Identify the role that Provisioning & Synchronization plays in Directory Integration Discuss available Provisioning & Synchronization Options Understand key directory concepts pertinent to Sync Key Takeaway 1 When to use which Directory Sync option/technology, and what’s supported Key Takeaway 2 Key architecture and design considerations of the end-to-end sync infrastructure © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Related Content Today OSE 225, Friday OSE 331, OSE 333, OSE 334 Hands-on Labs (OSPILL101 Designing a SharePoint site) Office 365 @ The Microsoft Showcase Find Me Later At The Microsoft Showcase Friday (9-12am)
4/2/2017 3:16 AM © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.