Introduction
Please answer the survey questions posted at the end of this meeting. Let us know what sessions you want! Josh Topal at Feel free to give feedback too.
- Module 1: Understanding Identities
- Module 2: Environment Preparation for Single Sign-On & Directory Synchronization (DirSync)
- Module 3: Deploying SSO and ADFS 2.0
- Module 4: Deploying Directory Synchronization (DirSync)
Server Technologies
- Active Directory
- Active Directory Federation Services (AD FS)
- Windows PowerShell 2.0
Network Technologies
- AD sites, trusts, and topology
- DNS and related technologies
- Wide area connectivity: networks, equipment, bandwidth, and latency
- Firewall technologies
- SSL certificates
Module 1 Understanding Identities
- Understanding Identities
- Understanding Single Sign-On
- Understanding DirSync
Cloud Identity
- Separate credential from the corporate credential
- Authentication occurs via the cloud directory service
- Password policy is stored in Office 365
Federated Identity
- Same credential as the corporate credential
- Authentication occurs via the on-premises Active Directory service
- Password policy is stored on-premises
- Requires Directory Synchronization
Cloud Identity
- Scenario: Smaller organizations without on-premises Active Directory
- Pros: Does not require on-premises server deployment
- Cons: No Single Sign-On; no 2-Factor Authentication options; 2 sets of credentials to manage with, potentially, different password policies

Cloud Identity + DirSync
- Scenario: Medium to large organizations with Active Directory on-premises
- Pros: "Source of Authority" is on-premises; enables coexistence; Password Synchronization (optional)
- Cons: No Single Sign-On; no 2-Factor Authentication options; 2 sets of credentials to manage with, potentially, different password policies; requires on-premises server deployment

Federated Identity (requires DirSync)
- Scenario: Large enterprise organizations with Active Directory on-premises
- Pros: Single Sign-On experience; "Source of Authority" is on-premises; 2-Factor Authentication options; enables coexistence
- Cons: Requires on-premises server deployment in a high-availability scenario
Understanding Single Sign-On (Federated Identity)
- Policy Control
- Access Control
- Reduced Support Calls
- Security
Understanding DirSync
Feature (DirSync + Password Sync / SSO with AD FS)
- Use same username + password
- Control password policy on-premises
- No password re-entry if on-premises
- Client access filtering
- Authentication occurs on-premises (no credentials in the cloud)
- Support for multi-forest configurations (FIM)
Module 2: Environment Preparation
- DNS Preparation
- Active Directory Preparation
- Office 365 OnRamp
DNS Preparation
Active Directory (AD) Preparation
Office 365 OnRamp
OnRamp for Office 365 is an automated assistance tool that gathers configuration requirements and performs deployment readiness checks against your on-premises environment. OnRamp can shorten the deployment timeline, especially for organizations with requirements such as identity federation or hybrid deployment. Tool is available at:
Module 3: Deploying SSO & ADFS 2.0
- Deploying Active Directory Federation Server
- Deploying Active Directory Federation Server Proxy
AD FS 2.x Server
- The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization's Federation Service
- Recommended: at least two federation servers in a load-balanced configuration
AD FS 2.x Proxy Server
- Federation server proxies redirect client authentication requests coming from outside your corporate network to the federation server farm
- Federation server proxies should be deployed in the DMZ
- Windows Server 2008/2008 R2 or Windows Server 2012
- PowerShell
- Web Server (IIS)
- .NET 3.5 SP1
- Windows Identity Foundation
- Publicly registered domain name
- SSL certificates from a trusted public CA
- Windows Azure Active Directory Module for Windows PowerShell
- Microsoft Online Sign In Assistant
- High availability design
- Internet Explorer 8.0 or later
- Firefox 10.0
- Chrome 17.0 or later
- Safari 5.0 or later
- Microsoft Office 2010/2007 (latest Service Pack)
- Microsoft Office for Mac 2011 (latest Service Pack)
- Microsoft Office 2008 for Mac version
- Office 365 Desktop Setup (suggested)
- Microsoft Online Sign In Assistant
1) Single server configuration
2) AD FS 2.x Server Farm and load-balancer
3) AD FS 2.x Proxy Server or UAG/TMG (external users, ActiveSync, down-level clients with Outlook)
[Diagram: Enterprise network with Active Directory and the AD FS 2.x Server serving the internal user; Perimeter network with the AD FS 2.x Server Proxy serving the external user]
- Active Directory running on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 with a functional level of mixed or native mode
- AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012
- AD FS 2.x Proxy deployed, if some users connect from outside the company's network
- Windows Azure Active Directory Module for Windows PowerShell to establish a trust with Office 365
- Required updates installed for Office 365
- A unique third-party certificate when installing and configuring federation servers and federation server proxies
Deploying Active Directory Federation Server
AD FS 2.x Server
- The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization's Federation Service
- We recommend the use of at least two federation servers in a load-balanced configuration
Buy and request a certificate from a Third-Party SSL Certificate Provider
Select the newly imported and generated certificate
Command                                              Description
$cred = Get-Credential                               Prompt for Office 365 credentials and store them in a variable
Connect-MsolService -Credential $cred                Connect to Office 365 using the stored credentials
Set-MsolADFSContext -Computer <AD FS server>         Specify the local AD FS 2.x server
Convert-MsolDomainToFederated -DomainName <domain>   Convert the standard local domain to an identity-federated domain
Get-MsolFederationProperty                           Show identity federation properties
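As an added check that is not part of the deck: once the domain is federated, confirm that Office 365 holds the same federation settings as the AD FS farm, because a mismatch (typically after the token-signing certificate rolls over) is the usual cause of a sudden SSO outage and is corrected with Update-MsolFederatedDomain. The domain and server names are placeholders, and the property names used are the ones Get-MsolFederationProperty returns to my knowledge; the script only reads settings and does not change anything.

```powershell
# Added example: compare the federation settings AD FS reports with the
# settings Office 365 has stored for the domain. Read-only.
Import-Module MSOnline

$domain     = "contoso.com"        # placeholder: your federated domain
$adfsServer = "adfs01.corp.local"  # placeholder: primary AD FS 2.x server

# Use an Office 365 administrator that is NOT in the federated domain,
# otherwise a broken trust also locks you out of the fix.
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $adfsServer

# Returns two objects: Source "ADFS Server" and Source "Microsoft Office 365".
$props = Get-MsolFederationProperty -DomainName $domain
$adfs  = $props | Where-Object { $_.Source -eq "ADFS Server" }
$cloud = $props | Where-Object { $_.Source -eq "Microsoft Office 365" }

$checks = @(
    @{ Name = "FederationServiceIdentifier"; A = $adfs.FederationServiceIdentifier; B = $cloud.FederationServiceIdentifier },
    @{ Name = "PassiveClientSignInUrl";      A = $adfs.PassiveClientSignInUrl;      B = $cloud.PassiveClientSignInUrl },
    @{ Name = "ActiveClientSignInUrl";       A = $adfs.ActiveClientSignInUrl;       B = $cloud.ActiveClientSignInUrl },
    @{ Name = "TokenSigningCertificate";     A = $adfs.TokenSigningCertificate.Thumbprint; B = $cloud.TokenSigningCertificate.Thumbprint }
)

$drift = $false
foreach ($c in $checks) {
    if ($c.A -ne $c.B) {
        $drift = $true
        Write-Warning ("{0} differs: AD FS='{1}'  Office 365='{2}'" -f $c.Name, $c.A, $c.B)
    } else {
        Write-Host ("{0} matches" -f $c.Name)
    }
}

if ($drift) {
    Write-Host "Settings drifted. Run: Update-MsolFederatedDomain -DomainName $domain"
} else {
    Write-Host "Office 365 and AD FS agree on the federation settings for $domain"
}
```

Scheduling this check (for example after each AD FS certificate rollover window) gives early warning before users notice failed sign-ins.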
Deploying Active Directory Federation Server Proxy
AD FS 2.x Proxy Server
- Federation server proxies redirect client authentication requests coming from outside your corporate network to the federation server farm
- Federation server proxies should be deployed in the DMZ
External-facing federation server proxies are required if:
- The organization will use Outlook clients
- Users will access Office 365 for enterprise from home or public locations
- Users will access Office 365 for enterprise via mobile devices
Prerequisites to deploy federation server proxies:
- Federation server proxies deployed in the edge/DMZ network
- Federation servers and federation server proxies able to communicate over TCP 443
- AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012
- Internet Information Services (IIS) 7 or 7.5 installed, with the SSL certificate imported
- .NET Framework 3.5 SP1 installed
AD FS 2.x and SSO are now in place, but there are no users inside the Office 365 subscription. We will need to replicate our users from the local AD to Office 365, and we will deploy and use DirSync for that purpose (see Module 4).
Deployment Considerations
Number of users      Minimum number of servers
Fewer than 1,000     0 dedicated federation servers; 0 dedicated federation server proxies; 1 dedicated NLB server
1,000 to 15,000      2 dedicated federation servers; 2 dedicated federation server proxies
15,000 to 60,000     Between 3 and 5 dedicated federation servers; at least 2 dedicated federation server proxies
Use the following method only if this condition is true: the problem is caused by an on-premises service outage that requires immediately restoring user access, or the Active Directory Federation Services (AD FS) 2.0 server is available.
$cred = Get-Credential
    When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <AD FS server>
    Note: in this command, the placeholder represents the name of the primary AD FS 2.x server
Convert-MsolDomainToStandard -DomainName <domain> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
    The userpasswords.txt file will contain the Cloud Identity passwords for all users.
The AD FS 2.x federation service can support access policies that allow or deny access based on the combination of the user requesting access and the IP address of their device.

Scenario: Block all external access to Office 365
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that use Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.
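The second scenario above (block external access except Exchange ActiveSync) expressed as AD FS 2.0 issuance authorization rules and applied with PowerShell; this is an added example, not code from the deck or from Microsoft. It assumes AD FS 2.0 with Update Rollup 2, which adds the x-ms-proxy, x-ms-forwarded-client-ip and x-ms-client-application request-context claims, the relying party name Office 365 creates by default, and a constructed placeholder public IP range that you must replace with your organization's real egress addresses.

```powershell
# Added example: client access policy for "block all external access to
# Office 365, except Exchange ActiveSync" on AD FS 2.0 (Update Rollup 2).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Microsoft Office 365 Identity Platform"   # default relying party name

# Regex for the organization's public egress addresses. Placeholder range
# 203.0.113.0/24 (documentation range) - replace with your own.
# \b...\b rather than ^...$ because the claim may carry a comma-separated list.
$corpPublicIpRegex = '\b203\.0\.113\.\d{1,3}\b'

# Rule 1: deny a request that (a) arrived through a federation server proxy,
# (b) did not come from a known corporate public IP and (c) is not an
# Exchange ActiveSync request. Rule 2: permit everything else.
# In AD FS a deny claim always wins, whatever the rule order.
$rules = @"
@RuleName = "Deny external clients except Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpPublicIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Keep the current rules so the change can be rolled back quickly.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
$backup = "C:\adfs-o365-authz-rules-$(Get-Date -Format yyyyMMddHHmmss).txt"
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backup
Write-Host "Previous issuance authorization rules saved to $backup"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read back what AD FS will now enforce.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test from an internal client, an external browser and an ActiveSync device before rolling out, and restore the saved rules with the same Set-AdfsRelyingPartyTrust call if a legitimate path is blocked.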
Module 4: Deploying Directory Synchronization (DirSync)
DirSync Requirements Overview
- Windows Installer 4.5 or later
- Windows PowerShell version 2.0
- Microsoft .NET Framework version 3.5 or later
- Windows Server 2008 R2 x64 with the latest service pack installed
Number of objects in Active Directory   CPU     Memory   Hard disk size
Fewer than 10,000                       GHz     4 GB     70 GB
10,000–50,000                           GHz     4 GB     70 GB
50,000–100,000                          GHz     16 GB    100 GB
100,000–300,000                         GHz     32 GB    300 GB
300,000–600,000                         GHz     32 GB    450 GB
More than 600,000                       GHz     32 GB    500 GB
DirSync Synchronization
DirSync activation can take up to 48 hours; plan this activity in advance!
Troubleshooting
The reference number will always be different.
Q&A and Feedback