Office 365: Identity and Access Solutions Suresh Menon Technology Specialist – Office 365 Microsoft Corporation India

Session Objectives Describe the different Identity Features Explain the Identity Architecture and Features Describe how federated authentication works Describe the various deployment scenarios Questions

Office 365 Identity features Microsoft Online IDs Microsoft Online ID + Active Directory Sync Federated ID -Single sign-on with corporate credentials Role-based administration: Five administration roles Company Admin Billing Admin User Account Admin HelpDesk Admin Service Support Admin

Contoso customer premises Identity architecture: Identity options 1. Microsoft Online IDs AD MS Online Directory Sync Provisioning platform Provisioning platform Lync Online Lync Online SharePoint Online SharePoint Online Exchange Online Exchange Online Active Directory Federation Server 2.0 Trust IdP Directory Store Admin Portal Authentication platform Office 365 Desktop Setup Microsoft Online Services IdP

Identity options comparison 1. MS Online IDs Appropriate for Smaller orgs without AD on-premise Pros No servers required on- premise Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies IDs mastered in the cloud 2. MS Online IDs + Dir Sync Appropriate for Medium/Large orgs with AD on-premise Pros Users and groups mastered on-premise Enables co-existence scenarios Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies Single server deployment 3. Federated IDs + Dir Sync Appropriate for Larger enterprise orgs with AD on-premise Pros SSO with corporate cred IDs mastered on- premise Password policy controlled on-premise 2FA solutions possible Enables co-existence scenarios Cons High availability server deployments required

Single Sign on setup

Identity Federation Authentication flow (Passive/Web profile) Customer Microsoft Online Services User Source ID NET ID

Identity Federation Authentication flow (Rich Client profile) Customer Microsoft Online Services User Source ID NET ID

Identity Federation Authentication flow (EAS Basic Auth/Active profile) Customer Microsoft Online Services Basic Creden tial User Source ID NET ID

AD FS 2.0 deployment options 1.Single server configuration 2.AD FS 2.0 server farm and load-balancer 3.AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook) Enterprise DMZ AD FS 2.0 Server Proxy Proxy Externaluser Internaluser ActiveDirectoryActiveDirectory Proxy Proxy

Customer AD Structures Matching domains –Internal Domain and External domain are the same Eg. contoso.com Sub Domain –Internal domains is a sub domain of the external domain Eg. Corp.contoso.com Local Domain –Internal domain is not publicly “registered” Eg. Contoso.local Multi Forest –Not Currently supported

General Rules Every User must have a UPN UPNs must match a validated domain in MSOL. Users need to understand that they must use UPN to logon to Microsoft Online Services

Active Directory Considerations Matching domain –No special requirements Sub Domain –Requires that Domains be registered in order, primary then sub domain Local Domain –Domain can not be registered thus cannot be used for federation Requires all users to get new UPN

Additional resources link Office 365 Beta service Descriptions Setting up a Federation Service

Resources Software Application Developers Infrastructure Professionals

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.