Single Sign-On with Microsoft Azure

Presentation transcript:

Single Sign-On with Microsoft Azure (4/22/2017). Julian Soh, Mark Ghazai. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Active Directory: Your Directory in the Cloud. Cloud authentication. A comprehensive identity and access management cloud solution: it combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager.

Difference between Directory Sync and AD FS. Directory Synchronization is an identity propagation workload and does not require AD FS. AD FS is responsible for authentication, acting as the claims middleman; it generally requires some kind of directory synchronization first. AD FS works with AD domain controllers to facilitate authentication.

1a – Simple Configuration: Password Sync. Diagram components: Central AD; Forefront Identity Manager (DirSync) provisioning platform with Password Sync; Azure Active Directory (IdP, authentication platform); Office 365 Portal/PowerShell; Exchange, SharePoint, Lync Online; Exchange Hybrid Portal. Support implications: Standard deployment model that is supported by Office 365 support. The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor. Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.

1b – Simple Configuration: Federated Authentication. Diagram components: Central AD; AD Federation Services (IdP) with an ADFS federation trust to Azure Active Directory (IdP, authentication platform); Forefront Identity Manager (DirSync) provisioning platform; Office 365 Portal/PowerShell; Exchange Online, SharePoint Online, Lync Online; Exchange Hybrid Portal. Support implications: Standard deployment model that is supported by Office 365 support. Adds ADFS for federated authentication. The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor.

2 – Password Sync for Same-Sign-On. Diagram components: Agency AD (IdP); Central AD (IdP), with FIM w/ Password Sync replicating from Agency to Central; Forefront Identity Manager provisioning platform with Password Sync to Azure Active Directory (IdP, authentication platform); Office 365 Portal/PowerShell; Exchange Online, SharePoint Online, Lync Online; Exchange Hybrid Portal. Support implications: The ‘Central’ environment is configured as a standard deployment model that is supported by Office 365 support. The complexity is abstracted from the O365 portion through a FIM sync that also replicates passwords from the ‘Agency’ AD. That FIM implementation or other solution would be supported by paid Microsoft support or the product vendor. The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor. Notes: This model could also use ADFS out of Central. If ADFS is used, single sign-on would only be available for users whose desktops exist in the ‘Central’ AD. This solution is useful where a customer: is planning to do an AD consolidation bringing ‘Agency’ into ‘Central’; wants to use a single namespace for authentication. This solution can keep the management of the ‘Central’ environment as a standard deployment.

3 – Agency Single Sign-On w/ Central ADFS. Diagram components: Agency AD (IdP) with a two-way trust to Central AD (IdP); Central AD Federation Services with an ADFS federation trust to Azure Active Directory (IdP, authentication platform); FIM Server, Forefront Identity Manager provisioning platform; Office 365 Portal/PowerShell; Exchange Online, SharePoint Online, Lync Online; Exchange Hybrid Portal. Support implications: The ‘Central’ environment is configured as a standard deployment model w/ FIM+Connector. The main components are supported by Office 365 support. For FIM+Connector, the connector is provided by Microsoft and supported by Office 365 support. The rest of the FIM implementation would need to be maintained by the customer and supported by paid Microsoft support. The complexity is abstracted from the O365 portion through a FIM sync that stamps a custom immutable identifier on users in both forests; that identifier is used for ADFS authentication. That FIM implementation or other solution would be supported by paid Microsoft support or the product vendor. The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor. Notes: My understanding is that you can now customize DirSync to pull the immutable ID from a custom attribute. If that is the case, DirSync could be used instead of FIM+Connector. This solution is useful where a customer: already has a FIM sync in place; has a central authority to run the Office 365 solution, but the ‘Agency’ organization wants to remain as autonomous as possible; does not want to use a single namespace for authentication; ‘Agency’ desires single sign-on; there is a potential for a forest consolidation in the future.

4 – Agency Single Sign-On w/ Agency-Provided ADFS. Diagram components: Agency AD (IdP) with its own AD Federation Services; Central AD (IdP) with AD Federation Services; ADFS federation trusts from both farms to Azure Active Directory (IdP, authentication platform); FIM Server, Forefront Identity Manager provisioning platform; Office 365 Portal/PowerShell; Exchange Online, SharePoint Online, Lync Online; Exchange Hybrid Portal. Support implications: The ‘Central’ environment is configured as a standard deployment model w/ FIM+Connector. The main components are supported by Office 365 support. For FIM+Connector, the connector is provided by Microsoft and supported by Office 365 support. The rest of the FIM implementation would need to be maintained by the customer and supported by paid Microsoft support. The complexity is abstracted from the O365 portion through a FIM sync that stamps a custom immutable identifier on users in both forests; that identifier is used for ADFS authentication. That FIM implementation or other solution would be supported by paid Microsoft support or the product vendor. The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor. Notes: This is very similar to the previous example, but is useful where a two-way forest trust is not possible. Requires multiple ADFS farms. My understanding is that you can now customize DirSync to pull the immutable ID from a custom attribute. If that is the case, DirSync could be used instead of FIM+Connector. This solution is useful where a customer: already has a FIM sync in place; has a central authority to run the Office 365 solution, but the ‘Agency’ organization wants to remain as autonomous as possible; does not want to use a single namespace for authentication; ‘Agency’ desires single sign-on; ‘Agency’ or ‘Central’ are opposed to a trust; there is a potential for a forest consolidation in the future.
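Scenarios 3 and 4 both hinge on the immutable identifier agreeing between the on-premises forests and Azure AD. The following PowerShell, added here as an example and not part of the deck, checks one user's anchor against the ImmutableId Azure AD holds and prints the AD FS issuance rule that reads the same attribute. The attribute name mS-DS-ConsistencyGuid and the function names are assumptions for this example; the claim type URIs are the standard Office 365 ones.

```powershell
<#
Added example, not from the original deck. Checks that the custom immutable
identifier stamped on an on-premises user (by FIM or a customised DirSync)
is what Azure AD holds as ImmutableId for the synced account, and prints the
AD FS issuance rule that reads the same attribute. Assumptions: the anchor
attribute name below is a hypothetical choice; the ActiveDirectory and
MSOnline modules are installed and Connect-MsolService has already run.
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $AnchorAttribute = 'mS-DS-ConsistencyGuid'   # assumed anchor attribute
)
Import-Module ActiveDirectory
Import-Module MSOnline

# Azure AD stores the source anchor as the base64 encoding of the attribute's raw bytes.
function Get-ExpectedImmutableId {
    param([string] $Upn, [string] $Attribute)
    $user = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties $Attribute
    if (-not $user) { throw "No on-premises account with UPN $Upn" }
    $raw = $user.$Attribute
    if (-not $raw) { throw "$Attribute is empty on $Upn; the sync has not stamped an anchor yet" }
    # objectGUID comes back as [guid]; octet-string attributes come back as byte[].
    $bytes = if ($raw -is [guid]) { $raw.ToByteArray() } else { [byte[]] $raw }
    return [Convert]::ToBase64String($bytes)
}

# Issuance transform rule for the Office 365 relying party that issues UPN and
# ImmutableID from the chosen attribute instead of objectGUID. Apply it with
# Set-AdfsRelyingPartyTrust -TargetName <RP name> -IssuanceTransformRules <rule>.
function Get-ImmutableIdClaimRule {
    param([string] $Attribute)
    return @"
@RuleName = "Issue UPN and ImmutableID from $Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};userPrincipalName,$Attribute;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "`${user}"),
          param = c.Value);
"@
}

$expected = Get-ExpectedImmutableId -Upn $UserPrincipalName -Attribute $AnchorAttribute
$cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($cloud.ImmutableId -eq $expected) {
    "OK: $UserPrincipalName has matching anchor $expected"
} else {
    "MISMATCH for ${UserPrincipalName}: on-premises $expected, Azure AD $($cloud.ImmutableId)." +
    " Federated sign-in fails until both sides agree on the anchor."
}
"`nAD FS rule reading ${AnchorAttribute}:"
Get-ImmutableIdClaimRule -Attribute $AnchorAttribute
```

Run it against a handful of users from each forest after the first FIM or DirSync pass; a mismatch on any of them is the usual cause of a federated sign-in that authenticates at AD FS but is rejected by Azure AD.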

Run these in Azure? Why? How would these look when running in Azure? Connectivity (site-to-site VPN or ExpressRoute). Why? Uptime, SLA, redundancy.

[Diagrams: domain controller and web server/application hosted in Azure, with connections over port 443; the second diagram adds a further 443 connection.]

MIM enables consistent IAM policies (4/22/2017). Diagram components: On-premises and private cloud; Azure Active Directory; Azure AD App Proxy; Microsoft Identity Manager vNext; Your apps.

Identity Manager Capabilities (4/22/2017). Diagram labels: Clients; Identity Manager Platform; Scenarios; Portal; Outlook; Windows; Custom; Role Management; Certificate Management; Policies and Workflow; Request; Permission; AuthN; AuthZ; Service; DB; Action; Group Management; Password Reset; Identity Stores; Cloud Services; Identity Synchronization; Databases; Directories; Applications.

Azure AD Connect Demo

Azure Calculator Demo (http://azure.microsoft.com/en-us/pricing/calculator/). Typical VM sizes: 1x AAD Sync Server with internal database (1 x A2 Basic VM); 1x R/W Domain Controller (1 x A2 Basic VM); 2x AD FS Proxy Servers, optional (2 x A2 Standard VM); 2x AD FS Servers (2 x A2 Standard VM).

Azure AD as an IDaaS demo…

Resources: Azure Active Directory Connect, https://msdn.microsoft.com/en-us/library/azure/dn832695.aspx; Office 365 and ADFS – Active Directory Federation Service Installation, http://social.technet.microsoft.com/wiki/contents/articles/9082.office-365-and-adfs-active-directory-federation-service-installation.aspx