Active Directory Integration with Microsoft Office 365 4/19/2017 4:19 AM OSP321 Active Directory Integration with Microsoft Office 365 Ross Adams Senior Program Manager Microsoft Corporation © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session Objectives Architecture for Office 365 and other services Integration Options Planning for Directory Integration Single Sign on Experience How Single sign on works Options for strong authentication

Windows Azure Active Directory Password policy controls for Cloud Accounts Password never expire Password complexity can be turned off Custom password policies for expiry/notification Single sign On with corporate credentials Role-based administration: Five administration roles Company Admin Billing Admin User Account Admin Help Desk Admin Service Support Admin

Windows Azure Active Directory Provisioning Manual Simple Web based user interface Bulk import of user Best for small customers Scriptable PowerShell module for windows Programmable New REST based API Limited attribute set/object types Automated Directory Synchronization with delta Full fidelity of attributes and object types Optimized for large object sets

Architecture and Integration Options No Integration Directory Data Only Directory and Single sign-on (SSO) Exchange Online Windows Azure Active Directory Authentication platform SharePoint Online Contoso customer premises Trust Active Directory Federation Server 2.0 Admin Portal/ PowerShell IdP Lync Online IdP Directory Store AD MS Online Directory Sync Provisioning platform Office Subscription Services Office 365 Desktop Setup

Why Directory and SSO Integration Single place for management User and groups including security groups Passwords Password policies Support for Enterprise Single Sign on Support for Hybrid environments for services such as Exchange Online Options for Strong Authentication (e.g. Smart cards)

Integration Comparison 1. No Integration 2. Directory Only 3. Directory and SSO Appropriate for Smaller orgs without AD on-premises Pros No servers required on-premises Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies IDs mastered in the cloud Appropriate for Medium/Large orgs with AD on-premises Pros Users and groups mastered on-premises Enables co-existence scenarios Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies Single server deployment Appropriate for Larger enterprise orgs with AD on-premises Pros SSO with corporate cred IDs mastered on-premises Password policy controlled on-premises 2FA solutions possible Enables hybrid scenarios Location isolation Cons High availability server deployments required

General Integration Requirements Active Directory Forest Functionality level 2003 Windows 2008 for AD FS 2.0 and SSO Windows 2003 or above for Directory Synchronization Depreciated 32 Bit (Windows 2003) Recommended 64 Bit (Windows 2008 and above) Support Virtualization Single Forest Multiple domains in a single the forest Multi forest support through premier engagement

Preparing for Directory integration and SSO Design for a high availability of AD FS 2.0 services Every User must have a UPN UPN suffix must match a validated domain in Office 365 UPN Character restrictions Only certain characters allows: Letters, numbers and .-_!#^~ No dot before @ symbol (for example ross.adams@contoso.com is allowed but ross.adams.jr.@contoso.com isn’t) Users need use UPN to logon to Office 365 Apps Office 365 Deployment Readiness Tool checks all of these and more

Directory Integration Validations Licensed Users All Proxy Address (SMTP/SIP) must be against a verified domain Addresses dropped during licensing UPN not updated automatically for Cloud ID based Users Must be updated manually Will update automatically when domain is converted to Single Sign on Unlicensed Users SMTP Proxy Address can be against non-verified domains SIP Address must match a verified domain Drop if not valid Verifying after Sync will add the removed proxy address back Background process

Directory Sync Setup Options 1 Way Sync from AD to Cloud Provisions users, DLs, Security Groups and contacts Can move to 2 Way Sync later on-premises master for all objects and properties 2 Way Sync from AD to Cloud and Cloud to AD Required for Hybrid Deployments e.g. co-existence with Exchange online and Exchange on-premises Cannot move back to 1 way sync Cloud becomes master for certain properties (safe senders, mail co-existence, UM)

Directory Sync configuration options Sync’s all objects with some exceptions Does not Default accounts (Administrator etc) Does not sync System Objects Directory Sync can be turned off but takes time Options that can’t be changed Scoping the attribute set Sync timeframe is every 3 hours

Sign in Experience for Single Sign On Rich/Web clients Rich clients applications with Microsoft Online Sign In Assistant. Lync Online, Office Subscriptions, CRM Online Integrated experience on a domain joined PC on the corporate network Client connects directly to AD FS 2.0 server or proxy Web based applications SharePoint Online, OWA, Office Rich Applications (Word, PowerPoint etc) Prompts for username for realm discovery Can be bypassed “Keep me signed in”, still required to authenticate to AD FS. Integrated auth to AD FS on domain joined PC on the corporate network Smart links can help with username prompt for example http://www.outlook.com/contoso.com

Sign in Experience for Single Sign On Exchange Online Outlook/IMAP/Active Sync/Entourage Often refereed to Exchange Proxy authentication Basic credentials relayed through Exchange to AD FS proxy active end point Prompts for both username and password but can be saved Support for rules to control access based on Client IP/Device type/Exchange Endpoint filtering

Sign On Experience with SSO Rich Applications (SIA) Lync Online Office Subscriptions CRM Rich Client Can save credentials Web Clients Office 2010, Office 2007 SP2 with SharePoint Online Outlook Web Application Remember last user Exchange Clients Office 2010, Office 2007 SP2 Active Sync/POP/IMAP Entourage Can save credentials Username and Password MS Online IDs Username and Password Username and Password Online ID Online ID Online ID SSO IDs (non-domain joined) Username and Password Username and Password Username and Password AD credentials AD credentials AD credentials SSO IDs (domain joined) No Prompt Username Username and Password AD credentials AD credentials AD credentials

Identity Integration/SSO Details MS Online business scenarios always use WS-* WS-Federation for passive clients WS-Trust provides support for rich client authentication Identity federation supported through AD FS 2.0 SAML 1.1 Token Issuer URI : Used to locate the domain for certificate verifcation User Source Address : Unique, never changing identifier of the user UserPrincipalName (UPN) : Name the user uses to logon

Client to End Points usage

Client Access Filtering Enabled through client issuance rules in AD FS 2.0 Targeted at blocking external access scenarios for Outlook Block all external access Allow external access for specific mail clients (Active Sync, POP/IMAP) Allow external access to web applications (OWA, SharePoint) Requires ADFS Proxy Allow external access for specific groups of users No granularity on limiting Lync Online/Office Subscription services externally i.e. any rule above blocks access 3rd Party Proxies are required additional work see http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx

Identity Federation Authentication flow (Passive/Web profile) Customer Microsoft Online Services User Source ID Logon (SAML 1.1) Token UPN:user@contoso.com Source User ID: ABC123 Auth Token UPN:user@contoso.com Unique ID: 254729

Identity Federation Authentication flow (MEX/Rich Client Profile) Customer Microsoft Online Services User Source ID Logon (SAML 1.1) Token UPN:user@contoso.com Source User ID: ABC123 Auth Token UPN:user@contoso.com Unique ID: 254729

Identity Federation Active flow (Outlook/Active Sync) Always external Customer Microsoft Online Services User Source ID Logon (SAML 1.1) Token UPN:user@contoso.com Source User ID: ABC123 Auth Token UPN:user@contoso.com Unique ID: 254729 Basic Auth Credentilas Username/Password

Single Forest AD Structures and Considerations Description Considerations Matching domains Internal Domain and External domain are the same i.e. contoso.com No special requirements Sub domain Internal domains is a sub domain of the external domain i.e. corp.contoso.com Requires Domains registered in order, primary then sub domains .local domain Internal domain is not publicly “registered” i.e. contoso.local Domain ownership can’t be proved, must use a different domain Requires all users to get new UPN Use SMTP address if possible Smart Card issues Multiple distinct UPN suffixes in single forest Mix of users having login UPNs under different domains i.e. contoso.com & fabrikam.com Must use SupportMultipleDomain switch in PowerShell Sub domains require additional work Multi Forest Multiple AD Forest Premier engagement

Strong authentication approaches Focuses on Strong authentication (e.g. Smart cards) for extranet access Two approaches possible Only provide strong auth for web applications (e.g. OWA, SPO) by configuring/customizing AD FS 2.0 proxy Rich clients cannot be supported Use VPN to internal network as the gate to require 2FA access when connecting from outside the internal network Will work for rich clients as well

Web applications only Configure AD FS 2.0 proxy for smartcard access using in-box support Customize AD FS 2.0 proxy with 3rd party 2FA solutions Use IIS HTTP module from 2FA provider to intercept & authenticate 2FA prior to providing AD username/pwd at forms login page in AD FS 2.0 proxy (RSA Example here) Customize AD FS 2.0 forms login page to add 2FA credential collection and authenticate to 2FA service via code behind No support for Rich clients

Authentication platform Web Applications only INTRANET DMZ Other 2FA Access Smartcard Access AD DS Windows Azure Active Directory Authentication platform Redirect to Authentication platform Redirect to IdP AD FS AD FS Proxy Provide AD/Smartcard credentials Types User Name 2FA module Redirect Back Generate SAML token for authentication platform Authenticate 2FA response Redirect to Proxy Access Application 2FA Service Redirect to Strong auth provider Present ticket to Application Authenticate 2FA Present strong credentials Install 3rd party auth provider ADFS proxy No support for rich client apps

Strong Auth VPN to internal network Configure extranet access to always require VPN access Integrate 2FA with VPN provider Allow Internal Outlook traffic to authenticate with Client Access Policies and AD FS 2.0 Optionally allow EAS traffic to authenticate via AD FS 2.0 proxy & Client Access Policy Support for Rich Clients

2FA – Web Applications only Allow internal Outlook via ADFS proxy INTRANET DMZ Strong Auth VPN to internal network AD DS Windows Azure Active Directory Authentication platform AD FS AD FS Proxy Send Creds to Exchange Proxy Auth Disable passive pages on proxy Evaluate Client Access Rules, issue SAML Token Send AuthN request to ADFS 2FA Service Authenticate 2FA VPN Send Creds to Exchange Proxy Auth Connect to internal network Connect to VPN Provide 2FA creds

Questions

OSP Related Content Code Title Schedule OSP221 Microsoft Office 365 for Enterprises 6/26/2012 16:30 OSP222 Empowering Small Businesses: Microsoft Office 365 P-Suite 6/27/2012 10:15 OSP305 The Modern Compatibility Process to Accelerate Microsoft Office Deployment 6/27/2012 12:00 OSP224 Microsoft Office 365 Management and Deployment 6/27/2012 17:00 OSP321 Active Directory Integration with Microsoft Office 365 6/28/2012 8:30 OSP303 Supporting Microsoft Office in an Enterprise Environment 6/28/2012 12:00 OSP302 Building Integrated Microsoft Office 365, SharePoint Online, and Office Solutions Using BCS and LOB Data 6/28/2012 14:45 OSP340 Office Deployment – Notes from the Field 6/28/2012 16:30 OSP323 Microsoft Office 365 Security, Privacy, and Trust 6/29/2012 8:30 OSP324 Microsoft Office 365 Service Reliability and Disaster Recovery 6/29/2012 10:15 OSP350 Office 365 – evaluating, Deploying & Migrating – Notes from the field 6/29/2012 13:00 OSP223 Microsoft Office 365 for Education 6/29/2012 14:45

Related Resources Office 365 TechCenter: technet.microsoft.com/Office365 Office Client TechCenter: technet.microsoft.com/office Office, Office 365 and SharePoint Demo Area Includes: Office 365 IT Pro Command Center Office 365 Data Center Exhibit

Resources Learning TechNet http://europe.msteched.com Connect. Share. Discuss. http://europe.msteched.com Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn

Submit your evals online 4/19/2017 4:19 AM Evaluations Submit your evals online http://europe.msteched.com/sessions © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4/19/2017 4:19 AM © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4/19/2017 4:19 AM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.