
SPC2012 – IT-Pro 7/1/2018 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.


1 SPC2012 – IT-Pro 7/1/2018 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 SPO Sign-in experience
SPC Developer, 7/1/2018. Venky Veeraraghavan, Program Manager.

3 What we are going to cover today
How does SharePoint Online sign-in work?
What do I do to ensure a great end-user experience?

4 How does SharePoint Online sign-in work?

5 Comparison
On-prem
  Who are you? (aka AuthN): Active Directory; pluggable via SAML claims
  What do we know about you? (aka Profile): pluggable via LDAP
Online
  Who are you? (AuthN): Organizational Account; also Microsoft Account; also corporate AD
  What do we know about you? (Profile): MSOnline; corporate AD

6 On-prem (diagram; slide template header: Microsoft SharePoint Conference 2009, 7/1/2018)
Flows shown: Authentication flow, Profile flow. Components: SP Web App, SP Services, SP Profile, AD Import, SPODS, AD.

7 Online (whoa!) (diagram)
Flows shown: Authentication flow, Profile flow. Components: SP Web App, SP Services, SP Profile, AD Import, SPO, SPODS, SPO-DS, Org Acc, MS Acc, MSODS, MSO-DS, MSO Portal, LyO, LyDS, EXO, EXDS, OCDS, AD. Edge labels: trust, Sync. Customer side: Federated Customer (ADFS, Dir Sync, AD); Non-federated Customer (AD).

8 Let’s break it down

9 Small Biz (diagram)
Flows shown: Authentication flow, Profile flow. Components: SP Web App, SP Services, SP Profile, AD Import, SPO, SPODS, SPO-DS, Sync Daemon, Org Acc, MSODS, MSO-DS, MSO Portal. Customer side: Non-federated Customer.

10 Large Enterprise (diagram)
Flows shown: Authentication flow, Profile flow. Components: SP Web App, SP Services, SP Profile, AD Import, SPO, SPODS, SPO-DS, Sync Daemon, Org Acc, MSODS, MSO-DS, MSO Portal. Customer side: Federated Customer (ADFS, Dir Sync, AD).

11 Back together now

12 Online (diagram, full picture)
Flows shown: Authentication flow, Profile flow. Components: SP Web App, SP Services, SP Profile, AD Import, SPO, SPODS, SPO-DS, Sync Daemon, Org Acc, MS Acc, MSODS, MSO-DS, BOX-P, LyO, LyDS, EXO, EXDS, OCDS, AD. Edge label: trust. Customer side: Federated Customer (ADFS, Dir Sync, AD); Non-federated Customer (AD).

13 Demo: Browser and Office sign-in

14

15 Organization Account / Microsoft Account

16

17

18 Sign-in paths
Passive (aka Browser and Mobile)
  Uses the browser to get the user authenticated
  Authentication state is maintained via cookies
  Persistent cookies == best experience
  Office 2007 SP2 and Office 2010 also use the same method (often called MS-OFBA)
Active (aka Office 2013)
  Uses a client library to get the user authenticated
  The client library stores the user's credentials and/or negotiates with Windows/ADFS to sign in
  Authentication state is maintained via a sign-in token
  Office 2013 uses this method

19 What do I do to ensure a great end-user experience?

20 Three things you need to do
  Educate end-users
  Partner with your IDM IT Pro
  Plan content migration as SP Admins

21 Educate end-users
Cloud sign-in is different from Windows

22 End user education
Why do I need to sign in?
  No integrated auth with OrgID, so users have to sign in
  Possibly confusing to users who were not signing in to SharePoint before
  Recommend that users select "Keep me signed in" on private computers; NOT recommended in a kiosk!
What is my username?
  Use a User Principal Name (looks like an e-mail address) instead of domain\user
How often?
  Users might think they're seeing the credential prompt more times than expected
  ADFS security policy determines how long cookies are kept around
  Users need to sign in every time the authN cookies have expired (rolling 5-day window)
Any machine settings?
  Chrome users need the registry key for Extended Protection
  Put all O365/SPO URLs in the trusted sites list (tool available from the Portal)

23 Anywhere, anytime access
Users need to sign in everywhere
  On-prem access also needs you to sign in on the OrgID sign-in page with your Organizational Account
  ADFS might still do silent sign-in with Windows Integrated Auth (IE only)
Every browser is different
  Your ADFS policy might have Extended Protection enabled
  Chrome will need special registry key settings to enable this
SSO between rich client and browser
  Works only for clients that use passive sign-in
  Involves the OrgID sign-in page, in addition to the ADFS sign-in page users saw outside the corporate network

24 Partner with your Identity Mgmt IT Pro
The key to a great experience is a great partnership with your IDM peers.

25 You and the IDM ITPro: Sign-in
Corporate IDM system is critical for the experience
  Issues in the IDM system often manifest as SharePoint errors
  Often happens because of suspect data quality (more later)
Shared protection
  Your corporate ADFS likely also protects other corporate resources
Consistent experience
  Design the ADFS sign-in page with the OrgID sign-in page in mind
  Minimize the seams in the users' experience
Balance experience and security
  Org security policies and the best user experience are in tension with each other
  1. Session cookies vs. persistent cookies
  2. Token timeouts

26 You and the IDM ITPro: Directory
Data cleanliness
  UPNs are set on all records and are the same as what you told your end user (ideally the e-mail address)
  All security groups should have names
  Group names should not collide when using multi-forest sync
Data completeness
  Sync all users in the organization to the cloud
  Sync all groups to the cloud
  Exceptions for "large" groups (>15K members currently): these groups need to be split
  AD well-known groups (e.g. NTAuthority\All Authenticated Users) are not available

27 SharePoint Admin: Plan for migration to O365

28 What a SharePoint Admin should do
Have a plan for groups
  Instead of "NT_Authority\All Authenticated Users", use "Everyone in <tenantname>"
  Migrate ACLs to the corresponding cloud groups (same name as on-prem)
  Add all sub-groups to the ACL when a group is split to deal with the "large" group issue
Work with the IDM IT Pro
  Identify how to support user escalations together
  Monitor the DirSync tool for sync issues
  Do you have proper permissions everywhere?
  Define experience goals together
  Balance security policy and successful user experience
Do a trial run
  Choose limited but used content to move to the cloud
  Empirically analyze experience issues and fix them
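The directory checks on slide 26 (UPN set and matching the address users were told, named groups, no name collisions across forests, groups over the 15K limit split) and the group plan on slide 28 (well-known AD groups replaced by "Everyone in <tenantname>", ACLs mapped to same-named cloud groups, all sub-groups of a split group added to the ACL) can be turned into a pre-flight script run against a directory export before DirSync and migration. The following is an added example, not code from the presentation or from Microsoft; it runs over a constructed in-memory export, and the record fields, function names, tenant name "contoso" and the "<name>-<n>" sub-group naming scheme are assumptions. The 15K member figure is the one the slide gives as current.

```python
"""Directory readiness and ACL migration pre-flight checks.

Added example for slides 26 and 28 of the SPO sign-in deck; not code from the
presentation. Runs over a constructed in-memory export (in practice, a CSV
exported from AD). Field names, function names, the tenant name "contoso" and
the sub-group naming scheme are assumptions.
"""

LARGE_GROUP_LIMIT = 15_000  # slide 26: groups above this must be split before sync

# AD well-known groups are not available in the cloud (slide 26); slide 28 maps
# them to "Everyone in <tenantname>". Both spellings used on the slides.
WELL_KNOWN_GROUPS = {
    "NT AUTHORITY\\Authenticated Users",
    "NT_Authority\\All Authenticated Users",
}

# Constructed sample export (not real directory data).
USERS = [
    {"sam": "alice", "upn": "alice@contoso.com", "mail": "alice@contoso.com", "forest": "corp"},
    {"sam": "bob",   "upn": "",                  "mail": "bob@contoso.com",   "forest": "corp"},
    {"sam": "carol", "upn": "carol@corp.local",  "mail": "carol@contoso.com", "forest": "corp"},
]
GROUPS = [
    {"id": "g1", "name": "Finance",  "forest": "corp", "member_count": 120},
    {"id": "g2", "name": "AllStaff", "forest": "corp", "member_count": 32_000},
    {"id": "g3", "name": "Finance",  "forest": "emea", "member_count": 40},
    {"id": "g4", "name": "",         "forest": "emea", "member_count": 5},
]
SITE_ACL = ["NT AUTHORITY\\Authenticated Users", "AllStaff", "Finance", "LegacyGroup"]


def check_users(users):
    """Data cleanliness: every record has a UPN, and it matches the address
    the user was told to sign in with (the mail attribute here)."""
    findings = []
    for u in users:
        if not u["upn"]:
            findings.append((u["sam"], "missing UPN"))
        elif u["upn"].lower() != u["mail"].lower():
            findings.append((u["sam"], "UPN differs from mail address"))
    return findings


def check_groups(groups):
    """Group cleanliness/completeness: names present, no name collision
    across forests (multi-forest sync), no group over the split threshold."""
    findings = []
    forests_per_name = {}
    for g in groups:
        if g["name"]:
            forests_per_name.setdefault(g["name"], set()).add(g["forest"])
    for g in groups:
        if not g["name"]:
            findings.append((g["id"], "unnamed group"))
            continue
        if len(forests_per_name[g["name"]]) > 1:
            findings.append((g["name"], "name collides across forests"))
        if g["member_count"] > LARGE_GROUP_LIMIT:
            findings.append((g["name"], f"too large ({g['member_count']} > {LARGE_GROUP_LIMIT}), split"))
    return findings


def split_plan(group):
    """Slide 28: a large group is split into sub-groups and every sub-group
    goes on the ACL. The <name>-<n> naming scheme is an assumption."""
    parts = -(-group["member_count"] // LARGE_GROUP_LIMIT)  # ceiling division
    if parts <= 1:
        return [group["name"]]
    return [f"{group['name']}-{i}" for i in range(1, parts + 1)]


def migrate_acl(acl, groups, tenant):
    """Slide 28: map on-prem principals to cloud groups of the same name,
    replace well-known AD groups with 'Everyone in <tenant>', and expand split
    groups. Returns (cloud_acl, unresolved) so nothing is dropped silently."""
    by_name = {g["name"]: g for g in groups if g["name"]}
    cloud_acl, unresolved = [], []
    for principal in acl:
        if principal in WELL_KNOWN_GROUPS:
            cloud_acl.append(f"Everyone in {tenant}")
        elif principal in by_name:
            cloud_acl.extend(split_plan(by_name[principal]))
        else:
            unresolved.append(principal)
    return cloud_acl, unresolved


if __name__ == "__main__":
    for finding in check_users(USERS) + check_groups(GROUPS):
        print("FINDING:", *finding)
    cloud, missing = migrate_acl(SITE_ACL, GROUPS, "contoso")
    print("cloud ACL:", cloud)
    print("unresolved principals:", missing)
```

Unresolved principals are returned rather than silently dropped so that the trial run on slide 28 surfaces every ACL entry that has no cloud group yet; the collision check reports both colliding groups, because after a multi-forest sync it is not obvious which one a cloud ACL entry named "Finance" would resolve to.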

29 Summary

30 Key Takeaways
Design the end-user experience
  For federated sign-in, you "own" the ADFS sign-in experience
  Plan for kiosk and browser populations
Educate end-users
  The experience is going to change; manage it
Work closely with your IDM ITPro
  Data quality and completeness
  Security policies
  Support

31 Questions!

32 MySPC Evaluate this session now on MySPC using your laptop or mobile device:


