Office 365 Identity Federation Technology Deep-Dive

Presentation transcript:

OSP224: Office 365 Identity Federation Technology Deep-Dive
Paul Black and Toby Knight, Technical Specialists

Session Objectives And Takeaways (Tech Ready 15, 4/2/2017)

Session Objective(s):
- Identify the role that Provisioning & Synchronization plays in Directory Integration
- Discuss available Provisioning & Synchronization Options
- Understand key directory concepts pertinent to Sync

Key Takeaway 1: When to use which Directory Sync option/technology, and what's supported
Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Advance Warning: Identity Crisis!

The platform is being re-branded "Windows Azure Active Directory", aka "Windows Azure AD" or just "AAD".

Windows Azure AD vs. Office 365

- Go-to-market names for different packages of functionality (CRM Online and InTune as well!)
- All GTMs share common platform pieces:
  - Directory: "MSO DS"
  - STS: OrgID
- Platform pieces & tools will be branded Windows Azure AD:
  - PowerShell Module for Windows Azure Active Directory
  - Windows Azure Active Directory Sync Tool
  - Windows Azure Active Directory Connector for FIM 2010

Windows Azure AD vs. Office 365

[Diagram: Exchange Online, SharePoint, Lync, CRM, InTune and other cloud apps all sit on Azure AD, which is integrated with on-prem AD.]

Provisioning vs Synchronization

The two are not the same! Synchronization solutions are Provisioning solutions, but not the other way around!

- Provisioning: creation of objects and/or associated resources in a directory or external system.
- Synchronization: Provisioning + long-term consistency/parity of state between source objects and their representation in the external system.

Directory Integration Options

Manual
- How: create objects in Windows Azure AD via Admin Portal or Bulk Import
- Why: low volume of objects to create; no long-term management/consistency required

Scriptable
- How: PowerShell cmdlets, GRAPH API
- Why: need an automated process, but don't require access to all attributes in the directory; OK to not have full consistency between source and cloud

Automated
- How: DirSync, FIM + Connector
- Why: large volume of objects/churn; require access to all attributes in the directory; require consistency between on-prem & cloud; want Single Sign-On

Examples of Integration - Manual

Example of Integration - Scriptable

PowerShell: New-MsolUser -UserPrincipalName "jluk@fabrikam.com"
GRAPH API

Example of Integration - Automated (fill in DirSync picture here)

Directory Integration in the bigger picture

Directory Integration is the first half of a larger ecosystem: Single Sign-On solutions depend on successful Synchronization of data into the Directory!

Architecture and Integration Options

Three levels: No Integration; Directory Data Only; Directory and Single sign-on (SSO).

[Diagram: Windows Azure Active Directory (Identity Services: authentication platform, IdP, Directory Store; Provisioning platform) serving Exchange Online, SharePoint Online, Lync Online, CRM Online and InTune, managed via Admin Portal/PowerShell and Office 365 Desktop Setup. Contoso customer premises: AD, Active Directory Federation Server 2.0 (IdP, with a Trust to the cloud) and MS Online Directory Sync.]

Why Directory and SSO Integration

- Single place for management: users and groups (including security-enabled groups), passwords, password policies
- Support for Enterprise Single Sign-On
- Support for Hybrid environments for services such as Exchange Online
- Options for strong authentication (e.g. smart cards)

Architecture Deep Dive

[Diagram: Customer Network with AD, AD FS and DirSync (AD MA, MetaVerse, O365 MA); Office 365 Datacenter with Microsoft Online ID, AWS FEs, O365 Directory, Workflow, GRAPH, Exchange, Lync, SharePoint, …]

Life as a sync'd object

- When an object is created in the cloud, it is "owned in the cloud": changes can be made via Portal, PowerShell or in the various cloud services.
- When an object is created by Sync, it is "owned by sync": changes can only be made in the on-prem directory and then sync to the cloud.
- When an object is created in the cloud but also exists on-prem, Sync will try to Soft-Match the object coming via Sync. Soft-match uses SMTP addresses to "best guess"; if matched, the object becomes "owned by sync".

Life as a sync'd object

- Objects "owned by Sync" can be deleted directly in the cloud! Remove-MsolUser/Contact/Group will allow you to delete an object that is owned by Sync.
- If it still exists on-prem, it will be recreated on the next Sync cycle.

Tour as a sync'd object

1. Sync Tool reads data from the on-prem directory source
2. Sync Tool pushes data to AWS FEs
3. AWS FE tries to create the object in MSODS (if a user, OrgID first)
4. Workflow evaluates objects and attributes such as User.ProxyAddresses; data validations are performed (validation required? done here)
5. Services read from MSODS and sync into the services

Choose your own Sync Adventure

3 options for Directory Sync:
- Single-forest DirSync appliance
- Multi-forest DirSync appliance
- Windows Azure Active Directory Connector for FIM 2010 (aka "Multi-Forest")

You don't need to use SSO just because you sync, but you should Sync in order to use SSO. You could use PowerShell instead, but that means lots of management overhead and is not a formally tested scenario.

The Sync solution doesn't constrain the SSO solution: you can use any Sync solution with ADFS or a non-AD STS (i.e. Shibboleth).

Choose your own Sync Adventure

Single Forest DirSync - when to use:
- Single AD forest on-prem that contains all data to synchronize to AAD

Multi-Forest DirSync - when to use:
- More than 1 AD forest containing the directory data to synchronize to AAD
- ADs have "non-overlapping data" (no object in one forest is represented in another forest)

AAD Connector - when to use:
- Multiple AD forests containing directory data to synchronize to AAD
- Directory data "overlaps" (an object is represented in more than one forest)
- Non-AD directory sources*

Choose your own Sync Adventure

A notable exception to the previous slide. Consider 2 forests on-prem:
- 1 Authentication/Logon forest
- 1 Exchange/"Resource" forest

Pattern:
- "Sync" data from Exchange forest → Auth forest
- Run single-forest DirSync against the Auth forest

This is a common pattern (prescribed by the Exchange product): full migration to Exchange Online, then collapse the Resource forest. Sync'ing the necessary core attributes from Exchange → Auth forest, including SourceAnchor and UserPrincipalName, can negate the need for multi-forest sync altogether.

Some things not supported at this time: multiple Exchange Orgs.

Core Directory Sync Concepts

Source of Authority
- Where changes can be made to an object (either "on-prem" or "cloud")
- De-/activating DirSync in the Admin portal transfers source of authority

SourceAnchor
- Used to uniquely identify objects created in the cloud from the on-prem directory
- Critical for the Single Sign-On scenario (ADFS will be configured to generate the SourceAnchor on AuthN; this needs to match the ImmutableID stored in OrgId at user provisioning time)
- Can't change after initial provisioning of the object by Sync → will error out

Core Directory Sync Concepts

UserPrincipalName
- The "sign-in name" for a user
- On-prem UPN needs to match the UPN in the cloud for login to succeed
- Once licensed, the user's UPN won't change even if changed on-prem; can override using the Set-MsolUserPrincipalName cmdlet

Hybrid Service Deployments
- Some attributes on on-prem objects are updated based on activities in the cloud
- Only modify objects that were initially sync'd to the cloud from on-prem

Core Directory Sync Concepts

We validate (some) data to protect the Core Directory and services. Attribute validation:

UserPrincipalName
- UPNs must use a verified domain; if not, we will autoconstruct the UPN value (won't update local AD): [sAMAccountName] + '@' + [moera.onmicrosoft.com]
- Must contain only supported characters

User.ProxyAddresses
- Cannot have duplicate proxy addresses → Sync Error (on license for EXO)
- Remove all proxy addresses that are not using a verified domain; adding the verified domain later will "re-hydrate" those PAs removed earlier

Core Directory Sync Concepts

Most common sync validation failures:
- Duplicate proxy addresses
- Duplicate UPN value

Errors are reported in email. Run the Deployment Readiness Tool!
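The UPN and ProxyAddresses validation rules and the two most common failures, modelled as a pre-sync readiness check. This is an added example, not Microsoft's DirSync or Deployment Readiness Tool code; the verified domain, the moera name and the three user records are constructed sample input.

```python
import re
from collections import Counter

# Constructed sample input: the tenant's verified domain and initial
# "moera" routing domain (names assumed), plus three on-prem user records.
VERIFIED_DOMAINS = {"fabrikam.com"}
MOERA = "fabrikam.onmicrosoft.com"
USERS = [
    {"sAMAccountName": "jluk", "userPrincipalName": "jluk@fabrikam.com",
     "proxyAddresses": ["SMTP:jluk@fabrikam.com", "smtp:jluk@fabrikam.local"]},
    {"sAMAccountName": "pblack", "userPrincipalName": "pblack@fabrikam.local",
     "proxyAddresses": ["SMTP:pblack@fabrikam.com"]},
    {"sAMAccountName": "tknight", "userPrincipalName": "jluk@fabrikam.com",
     "proxyAddresses": ["SMTP:tknight@fabrikam.com", "smtp:jluk@fabrikam.com"]},
]

# Supported UPN characters (RFC 822 local part, then a DNS-style domain).
UPN_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$")

def effective_upn(user, verified, moera):
    """UPN as the cloud will store it. A UPN on an unverified domain (or with
    unsupported characters) is replaced by sAMAccountName@moera; the on-prem
    AD value is not touched."""
    upn = user["userPrincipalName"]
    suffix = upn.rpartition("@")[2].lower()
    if suffix in verified and UPN_RE.match(upn):
        return upn
    return f"{user['sAMAccountName']}@{moera}"

def filtered_proxy_addresses(user, verified):
    """Keep only proxy addresses on a verified domain. The filter is recomputed
    every cycle, so verifying a domain later brings the dropped ones back."""
    keep = []
    for pa in user["proxyAddresses"]:
        addr = pa.split(":", 1)[-1]            # strip the SMTP:/smtp: prefix
        if addr.rpartition("@")[2].lower() in verified:
            keep.append(pa)
    return keep

def find_duplicates(users, verified, moera):
    """The two most common sync validation failures: duplicate UPNs and
    duplicate proxy addresses (both compared case-insensitively)."""
    upns = Counter(effective_upn(u, verified, moera).lower() for u in users)
    addrs = Counter()
    for u in users:
        for pa in filtered_proxy_addresses(u, verified):
            addrs[pa.split(":", 1)[-1].lower()] += 1
    return {"duplicate_upns": sorted(k for k, n in upns.items() if n > 1),
            "duplicate_proxy_addresses": sorted(k for k, n in addrs.items() if n > 1)}

if __name__ == "__main__":
    for u in USERS:
        print(effective_upn(u, VERIFIED_DOMAINS, MOERA),
              filtered_proxy_addresses(u, VERIFIED_DOMAINS))
    print(find_duplicates(USERS, VERIFIED_DOMAINS, MOERA))
```

Running it flags tknight's UPN as a duplicate of jluk's and jluk@fabrikam.com as a duplicate proxy address, while pblack's unverified UPN is rewritten to the moera domain.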

Core Directory Sync Concepts

Linking/Matching objects during sync:
1. First, check whether an object already exists with the same SourceAnchor value; if it exists, update the existing object.
2. If no object hard-matches, try to soft-match against existing objects (using the SMTP addresses of the on-prem object). If a candidate match exists, stamp the SourceAnchor value on that object for subsequent sync cycles.
3. If no candidate match exists, create a new object.

DirSync Quota
- Protects the directory against a malicious "storage DoS"
- Default is now 50K for tenants provisioned after 5/1

Core Directory Sync Concepts

Throttling
- Sync throughput is "shared" across tenants at the AWS layer (throttled per partition)
- The DirSync client automatically handles "Error Code 81" and retries
- Throttling leads to variable sync times

V1/V2 differences
- Some differences in what's sync'd/not sync'd: groups without display names aren't sync'd in v2!
- Contact the migration team for documentation/list of deltas

Recovering deleted objects via Sync

Will be lighting up the "soft delete" feature in PROD.

Scenario:
1. On-prem AD admin accidentally deletes a user object in AD
2. DirSync "propagates the delete" to the cloud
3. User object is deleted in the cloud (mailbox lost)
4. NOW WHAT?

Recovering deleted objects via Sync

- Manual recovery: the admin identifies the object to be recovered
- Via DirSync: when the admin restores the user object in AD (via the W2K8R2 Recycle Bin), the object is automatically recovered by DirSync; the mailbox is recovered, etc.
- "Recovery" is dependent on keeping the same SourceAnchor value! A new SourceAnchor value with the "same attribute values" will not recover the user object in the cloud!
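The hard-match / soft-match / create order, the SourceAnchor stamping, and why a Recycle Bin restore recovers the cloud object while a re-created AD user does not, as a small simulation. This is an added example, not DirSync code; the cloud store is a plain list, the objectGUID and user values are constructed, and the base64-of-objectGUID SourceAnchor is the ImmutableID form used with AD objects.

```python
import base64
import copy
import uuid

def source_anchor(object_guid):
    """ImmutableID as the cloud stores it: base64 of the AD objectGUID bytes."""
    return base64.b64encode(object_guid.bytes_le).decode("ascii")

def smtp_addresses(proxy_addresses):
    # Case-insensitive set of SMTP addresses, ignoring the SMTP:/smtp: prefix.
    return {pa.split(":", 1)[1].lower() for pa in proxy_addresses
            if pa.lower().startswith("smtp:")}

def link_object(cloud, inbound):
    """Apply the slide's matching order to one inbound on-prem object
    (dict with sourceAnchor, userPrincipalName, proxyAddresses)."""
    # 1. Hard match on SourceAnchor, whether the cloud copy is live or soft-deleted.
    for obj in cloud:
        if obj.get("sourceAnchor") == inbound["sourceAnchor"]:
            action = "recovered" if obj["deleted"] else "updated"
            obj.update(deleted=False, owner="sync",
                       proxyAddresses=list(inbound["proxyAddresses"]))
            return action, obj
    # 2. Soft match: a live, cloud-owned object sharing an SMTP address.
    want = smtp_addresses(inbound["proxyAddresses"])
    for obj in cloud:
        if (not obj["deleted"] and obj.get("sourceAnchor") is None
                and want & smtp_addresses(obj["proxyAddresses"])):
            # Stamp the anchor so later cycles hard-match instead.
            obj.update(sourceAnchor=inbound["sourceAnchor"], owner="sync")
            return "soft-matched", obj
    # 3. No candidate: create a new sync-owned object.
    obj = {"userPrincipalName": inbound["userPrincipalName"],
           "sourceAnchor": inbound["sourceAnchor"], "owner": "sync",
           "proxyAddresses": list(inbound["proxyAddresses"]), "deleted": False}
    cloud.append(obj)
    return "created", obj

def delete_propagated(cloud, anchor):
    # An on-prem delete reaches the cloud: the matching copy is soft-deleted.
    for obj in cloud:
        if obj.get("sourceAnchor") == anchor:
            obj["deleted"] = True

def demo():
    """Constructed walk-through: soft match, propagated delete, then restore vs. re-create."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed objectGUID
    cloud = [{"userPrincipalName": "jluk@fabrikam.com", "sourceAnchor": None, "owner": "cloud",
              "proxyAddresses": ["SMTP:jluk@fabrikam.com"], "deleted": False}]
    onprem = {"userPrincipalName": "jluk@fabrikam.com", "sourceAnchor": source_anchor(guid),
              "proxyAddresses": ["SMTP:jluk@fabrikam.com"]}
    first, _ = link_object(cloud, onprem)              # cloud-created user is soft-matched
    delete_propagated(cloud, onprem["sourceAnchor"])   # AD admin deletes the user
    branch = copy.deepcopy(cloud)                      # alternative: user re-created in AD
    recreated = dict(onprem, sourceAnchor=source_anchor(uuid.uuid4()))
    again, _ = link_object(branch, recreated)          # new anchor: not recovered, new object
    restored, _ = link_object(cloud, onprem)           # Recycle Bin restore keeps objectGUID
    return first, restored, again, len(branch)
```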

Filtering Sync

2 kinds of filters customers ask for:
- Choose which objects get sync'd to the cloud
- Choose which attributes get sync'd to the cloud

We support the former; we don't support the latter. A Wiki post and UA documentation have been posted to walk customers through this customization.

In Review: Session Objectives And Takeaways (Tech Ready 15)

Session Objective(s):
- Identify the role that Provisioning & Synchronization plays in Directory Integration
- Discuss available Provisioning & Synchronization Options
- Understand key directory concepts pertinent to Sync

Key Takeaway 1: When to use which Directory Sync option/technology, and what's supported
Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure

Related Content

- Today: OSE 225
- Friday: OSE 331, OSE 333, OSE 334
- Hands-on Labs: OSPILL101 Designing a SharePoint site
- Office 365 @ The Microsoft Showcase

Find Me Later At The Microsoft Showcase, Friday (9-12am)
