1
M6: Advanced Identity Management topics for Office 365
2
Meet Paul Andrew | @pndrw
Office 365 Technical Product Manager: Office 365 datacenter, networking, identity management
Passion for informing and inspiring IT Professionals to create simpler solutions to complex problems

Meet Sam Devasahayam
Azure Principal Program Manager Lead
3
DirSync / ADFS on a domain controller or in Azure
- You can use DirSync with no additional on-premises servers
- DirSync on a DC: includes SQL Server Express; SQL Server and the DC contend for resources; suitable for small deployments of not more than 10,000 users
- DirSync on Azure (see the DirSync on Azure paper): avoids on-premises servers
4
DirSync high availability
- DirSync runs on one server
- Back up SQL Server
- Back up the encryption keys
- Keep a cold standby DirSync server
- To recover: restore SQL and the encryption keys
- Instructions: us/download/details.aspx?id=42524
5
Password hash Sync Security
- We typically get questions about the security of synchronizing passwords from banking and finance customers
- The password hash that we get from AD cannot be reversed to recover the user's password
- We further process it with a one-way SHA256 hash
- We connect over SSL to the Azure AD service and send the resulting hash of the hash
- This enables Azure AD to validate the user's password when they log in
- More details at azure-ad-password-sync-frequently-asked-questions.aspx
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
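The scheme the slide describes, as an added example that is not code from the deck or from Microsoft: a PowerShell model of the hash-of-the-hash flow, with the on-premises derivation and the cloud-side check side by side. The per-user salt, its 16-byte length, the salt-then-hash input order and the constant-time compare are this example's assumptions; the slide says only that the AD hash is hashed again with SHA256 and uploaded over SSL. The sample AD hash is the public NT hash of the empty password, used here as constructed input.

```powershell
# Added example, not code from the deck or from Microsoft: a model of the "hash of
# the hash" scheme, to show what leaves the on-premises network and what the cloud
# side can and cannot do with it.
# Assumptions made here (the slide does not state them): a random 16-byte per-user
# salt, the salt||hash input order, and the constant-time compare.

function ConvertFrom-Hex {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        $bytes[[int]($i / 2)] = [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# On-premises (DirSync) side: derive the value that is uploaded from the hash read
# out of AD. The clear-text password is never available here.
function Get-SyncedPasswordHash {
    param(
        [Parameter(Mandatory)][string]$AdHashHex,
        [Parameter(Mandatory)][byte[]]$Salt
    )
    $adHash = ConvertFrom-Hex $AdHashHex
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = $sha.ComputeHash([byte[]]($Salt + $adHash)) }
    finally { $sha.Dispose() }
    return (ConvertTo-Hex $digest)
}

function New-CloudPasswordRecord {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$AdHashHex
    )
    $salt = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($salt)
    # This object is everything the cloud receives: UPN, salt and the derived hash.
    return [pscustomobject]@{
        Upn  = $Upn
        Salt = ConvertTo-Hex $salt
        Hash = Get-SyncedPasswordHash -AdHashHex $AdHashHex -Salt $salt
    }
}

# Compare two hex strings without stopping at the first mismatching character.
function Test-ConstantTimeEqual {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) {
        $diff = $diff -bor ([int]$A[$i] -bxor [int]$B[$i])
    }
    return ($diff -eq 0)
}

# Cloud (Azure AD) side: validate a sign-in by recomputing the derived hash with the
# stored salt. The real service would first turn the typed password into the AD-style
# hash; this model starts from that hash because it carries no MD4 implementation.
function Test-CloudPassword {
    param(
        [Parameter(Mandatory)]$Record,
        [Parameter(Mandatory)][string]$CandidateAdHashHex
    )
    $salt = ConvertFrom-Hex $Record.Salt
    $candidate = Get-SyncedPasswordHash -AdHashHex $CandidateAdHashHex -Salt $salt
    return (Test-ConstantTimeEqual -A $candidate -B $Record.Hash)
}

# Constructed input: the well-known NT hash of the empty password stands in for the
# hash DirSync reads from AD.
$adHash = '31d6cfe0d16ae931b73c59d7e0c089c0'
$record = New-CloudPasswordRecord -Upn 'alice@contoso.com' -AdHashHex $adHash
$record | Format-List

Test-CloudPassword -Record $record -CandidateAdHashHex $adHash
Test-CloudPassword -Record $record -CandidateAdHashHex ('0' * 32)

# Two users with the same password get different cloud records because of the salt,
# and neither record equals the AD hash, so a copy of the cloud store cannot be
# replayed as a pass-the-hash credential against on-premises AD.
(New-CloudPasswordRecord -Upn 'bob@contoso.com' -AdHashHex $adHash).Hash -ne $record.Hash
```

It needs nothing beyond .NET. The point to take from the last lines is that the stored cloud value is neither the password nor the AD hash: a copy of the synced store cannot be played back against on-premises AD, and two users with the same password sync to different values. The SSL transport the slide mentions is outside this model.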
6
Password Write-back
What is it
- Part of Azure AD Premium
- Only via self-service password reset
How do I enable it
- The admin turns on the feature with the DirSync PowerShell cmdlet: Enable-OnlinePasswordWriteBack
When does it write back
- For a cloud-authenticated (managed) user, when password sync is enabled
- For an on-premises SSO-authenticated (federated) user
Security
- All communication takes place over SSL
- Public/private key pairs are registered for transport and encryption; you keep the private keys
7
Azure AD Sync
What's included
- Possible to reduce the set of attributes sync'd based on the services used
- Support for a number of multi-forest scenarios
- Easier management of object filtering via a simple UX
- Support for attribute mapping rules via a simple UX
What's missing
- Password sync
- Password write-back
- Hybrid configuration, i.e. no write-back today
What's coming
- Production support, i.e. not for production today
- Support for other directories, such as LDAP, SQL or CSV
8
Sync multiple AD forests
Options:
- Forefront Identity Manager 2010: supports multiple forests with additional work
- Azure AD Sync Services: supports multiple forests, in preview now
Scenarios:
- Disparate forests: full mesh, i.e. GAL Sync
- Account and resource forest
- Consolidate forests into one
9
Office 365 Connector for Forefront Identity Manager 2010 R2
TechEd 2013
- Suitable for large organizations with certain AD and non-AD scenarios: complex multi-forest AD scenarios, non-AD synchronization
- Requires Forefront Identity Manager and additional software licenses
Requirements
- Forefront Identity Manager 2010 R2
- Windows Azure Active Directory Connector for FIM 2010 R2
© 2013 Microsoft Corporation. All rights reserved.
10
DirSync one directory to multiple tenants
- You can install DirSync more than once in the same forest, but on different machines
- You need to handle conflicts
- A domain can only be verified in one tenant, i.e. for use as an email address and UPN suffix
- Subdomains can be used in different tenants
- You should look at how you filter your user sets: by OU, domain or attribute
11
Cross tenant collaboration
- We don't recommend multiple tenants for the same organization
- There will not be a consolidated Global Address List
- You could create users from one tenant as contacts in the other
- SharePoint access across tenants must use External Sharing
- Free/busy federation between tenants is possible
- Lync presence and calling between tenants is possible
- There are third-party (not Microsoft) tools that can merge tenants
12
Federate multiple domains in a tenant
- A User Principal Name (UPN) is the sign-in ID that users type
- Each DNS domain you use in a UPN can be federated to an identity provider
- Synchronized (non-federated) accounts can also be used
- Azure AD uses the UPN's DNS domain to do home realm discovery to the federated identity provider
- Home realm discovery can be shortcut with a sign-in URL that carries the domain up front
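Home realm discovery by UPN suffix, as an added example that is not code from the deck: Azure AD answers realm lookups at login.microsoftonline.com/getuserrealm.srf, and the function below routes a sign-in to the federated STS or to Azure AD itself based on that answer. The two XML responses are constructed samples in the shape of the real response so that the code runs offline; contoso.com, fabrikam.com and sts.contoso.com are placeholders.

```powershell
# Added example, not code from the deck: home realm discovery driven by the UPN
# suffix. The XML samples below are constructed in the shape of the
# getuserrealm.srf response so the code runs offline; domain names are placeholders.

function Get-UpnDomain {
    param([Parameter(Mandatory)][string]$Upn)
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2 -or -not $parts[1]) { throw "Not a valid UPN: $Upn" }
    return $parts[1].ToLowerInvariant()
}

# The unauthenticated lookup Azure AD exposes to find the identity provider for a domain.
function Get-RealmLookupUri {
    param([Parameter(Mandatory)][string]$Upn)
    $login = [uri]::EscapeDataString($Upn)
    return "https://login.microsoftonline.com/getuserrealm.srf?login=$login&xml=1"
}

function ConvertFrom-RealmInfo {
    param([Parameter(Mandatory)][xml]$Xml)
    $r = $Xml.RealmInfo
    return [pscustomobject]@{
        Domain        = $r.DomainName
        NameSpaceType = $r.NameSpaceType   # 'Federated', 'Managed' or 'Unknown'
        AuthUrl       = $r.AuthURL         # present only for federated domains
    }
}

# Decide where a sign-in for $Upn must go. $RealmXml is injected so the function can
# be exercised with constructed responses; live use would fetch Get-RealmLookupUri.
function Resolve-HomeRealm {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][xml]$RealmXml
    )
    $domain = Get-UpnDomain $Upn
    $realm  = ConvertFrom-RealmInfo $RealmXml
    if ($realm.Domain -and $realm.Domain.ToLowerInvariant() -ne $domain) {
        throw "Realm response is for $($realm.Domain), not $domain"
    }
    switch ($realm.NameSpaceType) {
        'Federated' {
            # A federated domain must hand the user to an HTTPS STS; anything else is a misconfiguration.
            if ($realm.AuthUrl -notmatch '^https://') { throw "Federated realm $domain has no HTTPS AuthURL" }
            return [pscustomobject]@{ Upn = $Upn; Domain = $domain; Route = 'Federated'; RedirectTo = $realm.AuthUrl }
        }
        'Managed' {
            return [pscustomobject]@{ Upn = $Upn; Domain = $domain; Route = 'Managed'; RedirectTo = 'https://login.microsoftonline.com/' }
        }
        default {
            return [pscustomobject]@{ Upn = $Upn; Domain = $domain; Route = 'Unknown'; RedirectTo = $null }
        }
    }
}

# Constructed sample responses (same element names as the live endpoint, fewer of them).
$federatedSample = [xml]@"
<RealmInfo Success="true">
  <Login>alice@contoso.com</Login>
  <NameSpaceType>Federated</NameSpaceType>
  <DomainName>contoso.com</DomainName>
  <AuthURL>https://sts.contoso.com/adfs/ls/?wa=wsignin1.0&amp;wtrealm=urn:federation:MicrosoftOnline</AuthURL>
</RealmInfo>
"@
$managedSample = [xml]@"
<RealmInfo Success="true">
  <Login>bob@fabrikam.com</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>fabrikam.com</DomainName>
</RealmInfo>
"@

Get-RealmLookupUri 'alice@contoso.com'
Resolve-HomeRealm -Upn 'alice@contoso.com' -RealmXml $federatedSample
Resolve-HomeRealm -Upn 'bob@fabrikam.com'   -RealmXml $managedSample
```

Against a live tenant, `Invoke-RestMethod (Get-RealmLookupUri $upn)` returns the parsed XML that `Resolve-HomeRealm` expects, and `Get-MsolDomain` from the MSOnline module shows the same Managed/Federated state for your own domains. The lookup needs no credentials, so anyone can learn whether a domain is federated and where its STS lives; the AD FS endpoint you publish through the Web Application Proxy is therefore discoverable from the UPN suffix alone.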
13
Troubleshooting Identity Management
DirSync troubleshooting
- Use IdFix to correct directory errors prior to syncing
- Clean up duplicate SMTP/proxy addresses
- Clean up duplicate UPNs and non-routable UPNs
- Check Windows Event Viewer on the DirSync server for errors
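The checks on this slide, together with the one-directory-to-multiple-tenants rule from the earlier slide, as an added example that is neither IdFix nor code from the deck: a pre-sync check over a constructed set of user objects that reports duplicate UPNs, duplicate proxy addresses, UPN suffixes that are not verified anywhere, and users whose UPN suffix and SMTP domains would land in different tenants. The tenant-to-domain table, the OU names and the sample users are made up for the example.

```powershell
# Added example, not IdFix and not code from the deck: an offline pre-sync check over
# constructed AD user objects. Covers the DirSync cleanups from the slide (duplicate
# SMTP/proxy addresses, duplicate UPNs, non-routable UPN suffixes) and the multi-tenant
# rule that a domain is verified in one tenant only, so a user's UPN suffix and SMTP
# domains must all map to the same tenant. Tenant table, OUs and users are assumptions.

$TenantDomains = @{
    contoso  = @('contoso.com', 'mail.contoso.com')
    fabrikam = @('fabrikam.com')
}

# Shaped like Get-ADUser output with -Properties userPrincipalName, proxyAddresses.
$Users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.com'
                       DistinguishedName = 'CN=alice,OU=Contoso,DC=corp,DC=local'
                       ProxyAddresses = @('SMTP:alice@contoso.com', 'smtp:alice@mail.contoso.com') }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@corp.local'
                       DistinguishedName = 'CN=bob,OU=Contoso,DC=corp,DC=local'
                       ProxyAddresses = @('SMTP:bob@contoso.com') }
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = 'carol@fabrikam.com'
                       DistinguishedName = 'CN=carol,OU=Fabrikam,DC=corp,DC=local'
                       ProxyAddresses = @('SMTP:carol@fabrikam.com', 'smtp:alice@contoso.com') }
    [pscustomobject]@{ SamAccountName = 'dave';  UserPrincipalName = 'dave@contoso.com'
                       DistinguishedName = 'CN=dave,OU=Fabrikam,DC=corp,DC=local'
                       ProxyAddresses = @('SMTP:dave@fabrikam.com') }
    [pscustomobject]@{ SamAccountName = 'dave2'; UserPrincipalName = 'dave@contoso.com'
                       DistinguishedName = 'CN=dave2,OU=Contoso,DC=corp,DC=local'
                       ProxyAddresses = @('SMTP:dave2@contoso.com') }
)

function Get-TenantForDomain {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][hashtable]$TenantDomains)
    foreach ($tenant in $TenantDomains.Keys) {
        if ($TenantDomains[$tenant] -contains $Domain) { return $tenant }
    }
    return $null
}

function Test-DirSyncReadiness {
    param([Parameter(Mandatory)][object[]]$Users, [Parameter(Mandatory)][hashtable]$TenantDomains)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$User, [string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ User = $User; Check = $Check; Detail = $Detail })
    }

    # 1. Duplicate UPNs: the UPN must be unique across the whole tenant.
    $Users | Group-Object UserPrincipalName | Where-Object Count -gt 1 | ForEach-Object {
        foreach ($u in $_.Group) { Add-Finding $u.SamAccountName 'DuplicateUpn' $_.Name }
    }

    # 2. Duplicate proxy addresses, compared case-insensitively and without the SMTP:/smtp: prefix.
    $addresses = foreach ($u in $Users) {
        foreach ($p in $u.ProxyAddresses) {
            [pscustomobject]@{ User = $u.SamAccountName; Address = $p.Split(':')[-1].ToLowerInvariant() }
        }
    }
    $addresses | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
        foreach ($a in $_.Group) { Add-Finding $a.User 'DuplicateProxyAddress' $_.Name }
    }

    # 3. Routing per user: the UPN suffix must be a verified domain, and every SMTP
    #    domain must belong to the same tenant as the UPN suffix.
    foreach ($u in $Users) {
        $upnDomain = $u.UserPrincipalName.Split('@')[-1].ToLowerInvariant()
        $upnTenant = Get-TenantForDomain $upnDomain $TenantDomains
        if (-not $upnTenant) {
            Add-Finding $u.SamAccountName 'NonRoutableUpn' "$upnDomain is not verified in any tenant"
            continue
        }
        foreach ($p in $u.ProxyAddresses) {
            $smtpDomain = $p.Split(':')[-1].Split('@')[-1].ToLowerInvariant()
            $smtpTenant = Get-TenantForDomain $smtpDomain $TenantDomains
            if ($smtpTenant -ne $upnTenant) {
                $target = if ($smtpTenant) { $smtpTenant } else { 'none' }
                Add-Finding $u.SamAccountName 'TenantMismatch' "UPN -> $upnTenant but $smtpDomain -> $target"
            }
        }
    }
    return $findings
}

Test-DirSyncReadiness -Users $Users -TenantDomains $TenantDomains |
    Sort-Object Check, User | Format-Table -AutoSize
```

Against a real forest, replace the sample with `Get-ADUser -Filter * -SearchBase 'OU=Contoso,DC=corp,DC=local' -Properties userPrincipalName, proxyAddresses`, one SearchBase per DirSync instance, so the report doubles as a check that the OU filter you chose actually partitions users by tenant. Every finding is something that either blocks the export (duplicates) or silently puts a user in the wrong place (non-routable suffix, split domains), which is why the slide puts the cleanup before the first sync.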
14
Troubleshooting Identity Management
AD FS infrastructure
- Use the Connectivity tool to verify your setup
- Multiple servers (or VMs) are required
- AD FS is a very broad and capable technology; you don't need to implement every part of it for a small Office 365 tenant
- For a small tenant you only need the SSL certificate; AD FS generates its own self-signed token-signing and token-decrypting certificates
- The SSL certificate is required on the Web Application Proxy server
- Port 443 must be open to the Web Application Proxy server
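The three external requirements on this slide (port 443 open to the proxy, a valid SSL certificate on it, and a working federation service behind it), as an added example that is not the Connectivity tool and not code from the deck: a PowerShell check to run from outside the corporate network against the published federation service name. The name sts.contoso.com is a placeholder; the metadata path is the AD FS default. Unlike the other examples on this page, it needs network access to the proxy.

```powershell
# Added example, not code from the deck: checks the internet-facing AD FS endpoint
# published through the Web Application Proxy. 'sts.contoso.com' is a placeholder;
# the metadata path is the AD FS default. Needs network access to the proxy.

function Test-FederationEndpoint {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [int]$Port = 443,
        [int]$WarnDaysBeforeExpiry = 30
    )
    $result = [ordered]@{
        Host = $FederationServiceName; TcpOpen = $false; TlsOk = $false
        CertSubject = $null; CertNotAfter = $null; EntityId = $null; Issues = @()
    }

    # 1. Port 443 must be reachable on the proxy from the outside.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($FederationServiceName, $Port)
        $result.TcpOpen = $true
    } catch {
        $result.Issues += "TCP $Port closed or filtered: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Complete a TLS handshake and inspect the SSL certificate the proxy presents.
    #    The callback accepts any certificate only so that it can be reported; the
    #    explicit chain, name and expiry checks below do the validation.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($FederationServiceName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk = $true
        $result.CertSubject = $cert.Subject
        $result.CertNotAfter = $cert.NotAfter

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $result.Issues += 'SSL certificate does not chain to a trusted root (clients and Azure AD will reject it)'
        }
        # Primary DNS name plus the Subject Alternative Name extension (OID 2.5.29.17) text.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        if ($dnsName -ne $FederationServiceName -and $sanText -notmatch [regex]::Escape($FederationServiceName)) {
            $result.Issues += "SSL certificate is for '$dnsName', not '$FederationServiceName'"
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDaysBeforeExpiry)) {
            $result.Issues += "SSL certificate expires $($cert.NotAfter.ToString('u'))"
        }
    } catch {
        $result.Issues += "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Close(); $tcp.Close()
    }

    # 3. The federation metadata must be served under the same name; Azure AD and clients
    #    read the token-signing certificate from it. Invoke-WebRequest performs full
    #    certificate validation, so a broken chain fails this step as well.
    $metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        [xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
        $result.EntityId = $metadata.EntityDescriptor.entityID
    } catch {
        $result.Issues += "Federation metadata not retrievable from $metadataUrl : $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

Test-FederationEndpoint -FederationServiceName 'sts.contoso.com' | Format-List
```

Run it from a machine that resolves the public DNS record; inside the network, split-brain DNS usually points the same name at the internal AD FS farm, and you would be testing the wrong hop. An empty `Issues` list with an `EntityId` in the output means the proxy is reachable, presents a trusted certificate for the right name, and is relaying to a federation service that answers.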
15
M6 Summary: Advanced Identity Management topics for Office 365
- DirSync on a Domain Controller or in Azure
- DirSync HA
- Password sync security and write-back
- AAD Sync, sync of multiple forests, and Forefront Identity Manager
- Multiple tenants
- Multiple DNS domains
- Troubleshooting