Identity management integration options for Office 365

Presentation transcript:

Identity management integration options for Office 365
Luca Bandinelli, Senior Program Manager, Microsoft
4/16/2017
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Talk Abstract
User management and identity integration is easy in Office 365. In this talk we will explain identity management concepts and describe the three identity models that you can use. We will talk about the cloud identity model, the synchronized identity model, and the federated identity model. For cloud and synchronized identity we will tell you all you need to set these up and demo how to configure them. For federated identity we will show you some of the tooling and give you guidance on how to scope the integration project. We will describe how you can switch between identity models and also give clear guidance about how to choose the right identity model for a given scenario or customer.

Office 365 Identity Models
- Cloud identity: zero on-premises servers.
- Synchronized identity: on-premises directory and on-premises identity; directory sync with password sync. Between zero and three additional on-premises servers depending on the number of users.
- Federated identity: on-premises directory and on-premises identity; directory sync plus federation. Between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements.

Identity Synchronization and Federation
[Diagram: the on-premises directory and identity provider synchronize accounts to Windows Azure Active Directory and provide federated sign-in over WS-Federation, WS-Trust, SAML 2.0, Shibboleth, metadata and the Graph API; passive authentication serves SharePoint Online and Exchange web access, active authentication serves Exchange mailbox access from Outlook, Lync, Word, etc.]
Active federation authenticates the user using the WS-Trust protocols: the relying party owns the login window and asks the STS for a security token.
Passive federation is when the relying party has no login logic and redirects the user to the login page hosted on the STS.

Cloud identity model
[Diagram: the user signs in to http://portal.office.com with a cloud identity; user accounts live in the cloud, separate from the on-premises directory]

Synchronized Identity Model
[Diagram: AAD Sync copies user accounts and password hashes from the on-premises directory to the synchronized identity; the user signs on to the cloud]

Before installing AAD Sync (http://aka.ms/aadsync)
- Active Directory remediation: run IdFix
- Verify DNS domains with Office 365: add these prior to syncing to preserve the UPN
- Directories other than Active Directory: works with the Office 365 Identity program; will be added soon to AAD Sync
- One server is most common: a domain controller is OK; a separate SQL Server is OK; up to 100,000 directory objects; you can install to Azure IaaS
- Migrating from DirSync or FIM 2010: uninstall/reinstall, or side-by-side install with object review
- Forest functional level: Windows Server 2003

IdFix – DirSync AD Remediation
- Identifies and remediates AD object issues that will fail Office 365 DirSync
- Queries all domains in the authenticated forest via LDAP
- Provides a list and can export/import values (CSV)
- Confirmation of each edit with undo/rollback functionality and logging
- Critical system objects are skipped where editing could cause issues

What errors does IdFix look for?
Errors:
- Duplicate proxyAddresses
- Invalid characters in attributes
- Over-length attributes
- Format errors in attributes
- Use of non-routable domains
- Blank attribute that requires a value
Validated attributes: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
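An added example (not IdFix or any Microsoft code) that runs checks modelled on the six error categories above over a few constructed directory objects; the length limits, character rules, non-routable suffixes and the list of verified domains are assumptions made for the example, not IdFix's rule table.

```python
import re
from collections import defaultdict

# Illustrative thresholds and syntax rules, constructed for this example and
# modelled on the error categories IdFix reports; not IdFix's actual rule table.
MAX_LEN = {"userPrincipalName": 113, "mailNickName": 64, "sAMAccountName": 20,
           "proxyAddresses": 256, "targetAddress": 256}
REQUIRED = ("userPrincipalName", "sAMAccountName", "mailNickName")
NON_ROUTABLE = (".local", ".lan", ".internal")   # suffixes that can never be verified
UPN_OK = re.compile(r"^[A-Za-z0-9._\-!#^~']+@[A-Za-z0-9.\-]+$")
NICK_OK = re.compile(r"^[A-Za-z0-9._\-!#^~]+$")  # no whitespace, no '@'
ADDR_OK = re.compile(r"^(smtp|sip|x500):\S+$", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Domain part of a UPN or smtp:user@domain value, lower-cased."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_directory(users, verified_domains):
    """Return (dn, attribute, error) findings for a list of directory objects.

    Each object is a dict with 'dn' and the validated attributes; values are
    strings, except proxyAddresses, which is a list of strings."""
    verified = {d.lower() for d in verified_domains}
    findings = []
    proxy_owners = defaultdict(list)            # address -> [dn, ...] for duplicates

    for obj in users:
        dn = obj["dn"]
        # Blank attribute that requires a value
        for attr in REQUIRED:
            if not obj.get(attr):
                findings.append((dn, attr, "blank attribute that requires a value"))
        # Over-length attributes
        for attr, limit in MAX_LEN.items():
            values = obj.get(attr) or []
            for value in ([values] if isinstance(values, str) else values):
                if len(value) > limit:
                    findings.append((dn, attr, f"over length (>{limit})"))
        # userPrincipalName: characters first, then a routable, verified suffix
        upn = obj.get("userPrincipalName") or ""
        if upn and not UPN_OK.match(upn):
            findings.append((dn, "userPrincipalName", "invalid characters"))
        elif upn and _domain(upn).endswith(NON_ROUTABLE):
            findings.append((dn, "userPrincipalName", "non-routable domain"))
        elif upn and _domain(upn) not in verified:
            findings.append((dn, "userPrincipalName", "domain not verified in Office 365"))
        nick = obj.get("mailNickName") or ""
        if nick and not NICK_OK.match(nick):
            findings.append((dn, "mailNickName", "invalid characters"))
        # proxyAddresses / targetAddress: prefix format, routable domain, duplicates
        for addr in obj.get("proxyAddresses") or []:
            if not ADDR_OK.match(addr):
                findings.append((dn, "proxyAddresses", f"format error: {addr}"))
                continue
            if _domain(addr).endswith(NON_ROUTABLE):
                findings.append((dn, "proxyAddresses", f"non-routable domain: {addr}"))
            proxy_owners[addr.lower()].append(dn)
        target = obj.get("targetAddress") or ""
        if target and not ADDR_OK.match(target):
            findings.append((dn, "targetAddress", f"format error: {target}"))

    for addr, owners in proxy_owners.items():
        if len(owners) > 1:                      # same address on more than one object
            for dn in owners:
                findings.append((dn, "proxyAddresses", f"duplicate value {addr}"))
    return findings


VERIFIED_DOMAINS = ["contoso.com"]               # constructed: verified in the tenant
SAMPLE_USERS = [                                 # constructed sample objects
    {"dn": "CN=Alice,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "alice@contoso.com", "sAMAccountName": "alice",
     "mailNickName": "alice", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"dn": "CN=Bob,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "bob@contoso.local",   # UPN suffix is not routable
     "sAMAccountName": "bob", "mailNickName": "bob smith",   # space not allowed
     "proxyAddresses": ["SMTP:bob@contoso.com",
                        "smtp:alice@contoso.com"]},  # also assigned to Alice
    {"dn": "CN=Carol,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "",                    # required value missing
     "sAMAccountName": "carol_with_a_very_long_name",   # over 20 characters
     "mailNickName": "carol",
     "proxyAddresses": ["carol@contoso.com"]},   # missing the smtp: prefix
]

if __name__ == "__main__":
    for dn, attr, error in check_directory(SAMPLE_USERS, VERIFIED_DOMAINS):
        print(f"{dn:45} {attr:18} {error}")
```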

Demo: Configuring Azure AD Sync
Demo setup:
- Start on a VM with AD DS and Exchange Server installed. Update Internet Explorer, as IE8 does not show the Admin Portal menu options.
- Download IdFix. Run the Set-IdFixErrors.ps1 script to add users to the domain. To reset this script you can delete the IdFix OU in Active Directory Users and Computers.
- Run the Azure AD Sync installer. Accept the EULA and let it install SQL and the service. Progress to where the tenant sign-in page shows up. To reset Azure AD Sync, uninstall “Microsoft Azure AD Connection Tool”.
- Create an Office 365 trial tenant: http://office.microsoft.com/en-us/business/redir/XT103040305.aspx
Demo steps:
- Configure the Office 365 trial tenant for directory synchronization
- Run IdFix and fix on-premises directory problems
- Restore Azure AD Connect Services and click Next to connect to the tenant
- Enter AD forest and administrator credentials and click Next
- Speak to matching users between forests
- Set up attribute filtering to restrict to Office 365 ProPlus attributes only
- Click Configure and talk about setting the user location in PowerShell while waiting; also talk about older DirSync
- Start the Synchronization Services log viewer and watch it for the synchronization log events
- Talk about staging happening before production changes, and about the encrypted SQL database where changes are found
- When the final fifth step is in progress, switch over to the Office 365 tenant and show the users synced there

Install the product
- Install all dependencies. With default settings: SQL Express LocalDB, Sync, Sign-in assistant, AAD Connector; local service account with a random password.
- If you need advanced configuration, cancel the wizard and start with parameters: service account in the domain; SQL on-box or off-box; ability to save the encryption keys.
- A domain controller collocated install isn’t recommended, but it is supported and you can install DirSync on the DC.
- One server is most common: DirSync installs SQL Express for replication data. You can install with a dedicated SQL Server and can use HA for SQL Server.
- Consider using Azure: to avoid any on-premises servers you can deploy to Azure IaaS.

Connect to AAD
- Do not enable MFA on the account
- Do not try to change to a different tenant on a second run of the wizard

Connect to on-premises AD DS
- Any user account will work (directory replication permissions are not required)
- For some features you will need additional permissions in AD: hybrid Exchange, password (hash) synchronization, password write-back
- For each forest you have configured in Azure AD Sync, the account you have specified for that forest in the wizard must be given the “Reset-Password” and “Change Password” extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects.

User (and contact) matching
- Match with AAD on sourceAnchor (ImmutableID): it will not change during the lifetime of the object and should not have different values in different forests
- userPrincipalName: alternate attribute for user login, e.g. mail

Optional features
- Exchange hybrid will write back attributes to the forest where the user’s mailbox is located
- Password write-back is an AAD Premium feature
- Allows you to limit which attributes are flowing to AAD

Azure AD apps and services
- If you start to limit, you have to come back to the wizard when new services are added

Azure AD attributes
- List of the attributes from the services selected on the previous page
- Only remove attributes you know will not impact the services
- An exported attribute will remain in AAD if unselected later

Configure AADSync
- Will configure AADSync using PowerShell

Done!
- If you select to synchronize now, it will also create an active scheduled task
- If you unselect, the scheduled task is created but will remain disabled

User (and contact) matching
[Diagram: objects 1 and 2 from each connector space joined to a single object in the metaverse]

Out of box configuration
- Single forest: same as DirSync
- Multi-forest configurations: full mesh, account-resource forest; one or multiple Exchange organizations with hybrid Exchange; group membership for security groups with ForeignSecurityPrincipals (FSPs)
- Assumptions: a user will have only one enabled user account; a user will have only one mailbox; the best data quality for a user is where Exchange is located
- Passwords: password (hash) sync and password write-back. For each forest you have configured in Azure AD Sync, the account you have specified for that forest in the wizard must be given the “Reset-Password” and “Change Password” extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects.

Review the configuration
- Installation logs: %windir%\temp\aadsync
- Synchronization rules: depending on whether Exchange and Lync are present in AD, different rules will be generated; depending on the Exchange version, attributes will be removed as needed; only selected services will have outbound rules to AAD; attributes you selected not to include are removed from the outbound rules to AAD
- Introducing the Sync Rule Editor: a “Resource Kit Tool” to view, change and add sync rules

AAD Sync installation review
- Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects
- Sync now: expect about 1 hour per 5,000 objects
- Password expiry for the sync account
- Assign Office 365 licenses
- High availability: can back up and reinstall
- Filtering AAD Sync: by domain and OUs; by attributes
Password policy considerations
There are two types of password policy that are affected by enabling password sync: the password complexity policy and the password expiration policy.
When you enable password sync, the password complexity policies configured in the on-premises Active Directory override any complexity policies that may be defined in the cloud for synchronized users. This means any password that is valid in the customer's on-premises Active Directory environment can be used for accessing Azure AD services. Note: passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.
If a user is in the scope of the password sync feature, the cloud account password is set to "Never Expire". This means that it is possible for a user's password to expire in the on-premises environment, but they can continue to log in to cloud services using this expired password. The cloud password will be updated the next time the user changes the password in the on-premises environment.

Password hash sync security
[Diagram: user password → password hash in AD DS → extra processing → hash stored in Azure AD]
- It is not reversible, so the user’s password cannot be recovered from it. Hashes are mathematical functions that are nearly impossible to reverse; the result of the hash algorithm is called a digest.
- Additional processing: we further process it with a one-way hash, the SHA256 algorithm.
- Connections are only to the Azure AD service, and connections are SSL encrypted.
- Enables Azure AD to validate the user’s password when they log in.
From http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx#Are_my_user_passwords_safe_How_secure_is_this_new_Password_Sync:
Are my user passwords safe? How secure is this new Password Sync? Yes. The information we retrieve from Active Directory isn’t your users’ actual plaintext passwords; it’s hashes of those passwords. Hashes are mathematical functions that are nearly impossible to crack. The hashes that we retrieve from AD cannot be used to gain access to any of your on-premises resources (Active Directory won’t accept the password hash as a means to log a user in). Here are some additional details to help you feel comfortable with the security of Password Sync:
- We never see your plaintext password during the sync process. Ever. We only retrieve the hash of the user password from Active Directory.
- We re-hash the hash of the user password using a SHA256 algorithm before transport to the Azure Active Directory Authentication Service.
- Transport of the digest (re-hash of the AD password hash) is done over an encrypted SSL session.
- We store the digest in our system.

Choosing between DirSync and AAD Sync
Azure AD Sync Services:
- Also has password hash sync
- Includes sync from multiple forests, including merging duplicate users in these forests
- In addition to AD, can sync from LDAP v3; SQL Server coming soon
- Enables selective OU sync using the UX in the setup, compared to DirSync, which requires PowerShell configuration
- Enables transforming of attributes using the UX in the setup
- Planned to replace DirSync in the future
- Preview cannot be upgraded to a later release
DirSync:
- Includes password hash sync
- Linked from the Office 365 Admin Portal

Federated identity model
[Diagram: AAD Sync copies user accounts and password hashes from the on-premises directory; AD FS authenticates the user at sign-on]

Password Sync Backup for Federated Sign-In
[Diagram: federated identity through AD FS, with password hash sync through AAD Sync from the on-premises directory as the backup]
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
The Convert-MsolDomainToStandard cmdlet converts the specified domain from single sign-on (also known as identity federation) to standard authentication. This process also removes the relying party trust settings in the AD FS server and online service. After the conversion, this cmdlet will convert all existing users from single sign-on to standard authentication. Any existing user who was configured for single sign-on will be given a new temporary password as part of the conversion process. Each converted user name and new temporary password will be recorded in a file for reference by the administrator. The administrator can then distribute the new temporary password to each converted user to enable the user to sign in to the online service. If you are temporarily switching to use synchronized passwords while you are repairing your SSO infrastructure, set -SkipUserConversion to $true.

ADFS is Also Easy
- Use trained and experienced deployment staff
- Use the Azure AD Connect Tool
- Read all the TechNet deployment guidance: http://technet.microsoft.com/en-us/library/jj205462.aspx
- Only implement the Office 365 requirements
- The only certificate required is the SSL certificate
- Prepare with firewall update permissions
https://microsoft.sharepoint.com/teams/OfficeOnRamp/wiki/Pages/Azure-Active-Directory-Connect-Tool.aspx

Change between models as needs change
- Cloud identity to synchronized identity: deploy DirSync; hard match or soft match of users
- Synchronized identity to federated identity: deploy AD FS; can leave password sync enabled as backup
- Federated identity to synchronized identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users
- Synchronized identity to cloud identity: PowerShell Set-MsolDirSyncEnabled; takes 72 hours and you can monitor with Get-MsolCompanyInformation
http://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx

Choose the simplest model for your needs
This is our recommendation. Cloud identity is the simplest model. Choose cloud identity when:
- You have no on-premises directory
- There is on-premises directory restructuring
- You are in pilot with Office 365

Choose synchronized identity if you have an on-premises directory
- Password hash sync means federation is not required just to have the same password in the cloud
- Same sign-on: the username and password are the same in the cloud as on-premises
- Single sign-on: you log on to the PC and no password is required for cloud services
- Save credentials for later use with Windows Credential Manager; Outlook does not support single sign-on
- Choose password hash sync unless you have one of the scenarios that requires federation

Scenarios for choosing federation: existing infrastructure
- You already have an AD FS deployment
- You already use a third-party federated identity provider
- You use Forefront Identity Manager 2010

Scenarios for choosing federation: technical requirements
- You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
- Custom hybrid applications or hybrid search is required
- Web-accessible forgotten password reset

Scenarios for choosing federation: policy requirements
- You require sign-in audit and/or immediate disable
- Single sign-on minimizing prompts is required
- Require client sign-in restrictions by network location or work hours
- Policy preventing synchronizing password hashes to Azure AD

Office 365 federation options
ADFS:
- Suitable for medium and large enterprises, including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on; support for web and rich clients
- Microsoft supported; works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
Third party WS-*:
- Suitable for medium and large enterprises, including educational organizations
- Recommended where customers may use existing non-ADFS identity systems, with AD or non-AD
- Third-party supported; verified through the ‘Works with Office 365’ program
Shibboleth (SAML 1.1):
- Suitable for educational organizations
- Recommended where customers may use existing non-ADFS identity systems
- Support for web clients and Outlook (ECP) only
- Microsoft supported for integration only, no Shibboleth deployment support
- Requires on-premises servers and support; works with AD and other directories on-premises
SAML 2.0:
- For organizations that need to use SAML 2.0
- Recommended where customers may use existing non-ADFS identity systems
- Microsoft supported for integration only, no identity provider deployment support
http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/
http://blogs.office.com/2014/01/30/the-works-with-office-365-identity-program-now-streamlined/

Works with Office 365 – Identity program
What is it? Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.
Program requirements:
- Published qualification requirements
- Published technical integration docs
- Automated testing tool
- Self-testing work by partner
- Predictable and shorter qualification
http://aka.ms/ssoproviders
Customer benefits:
- Flexibility to reuse existing identity provider investments
- Confidence that the solution is qualified by Microsoft
- Coordinated support between the partner and Microsoft
WS-Trust & WS-Federation: Active Directory with ADFS, RadiantOne. SAML (passive auth): Shibboleth.
Public description: http://blogs.office.com/b/microsoft_office_365_blog/archive/2013/09/03/works-with-office-365-identity-program.aspx and http://technet.microsoft.com/en-us/library/jj679342.aspx
Public onboarding technical assistance: http://go.microsoft.com/?linkid=9841880
MS Confidential qualification status: http://infopedia/docstore/Pages/KCDoc.aspx?k=KC02-23-19714

Summary
- Choose the simplest model for your needs
- Change between models as needs change
- Cloud identity model when there is no on-premises directory
- Synchronized identity model for most organizations
- Federated identity model for one of the scenarios
