
Office 365 Identity Federation Technology Deep-Dive


1 Office 365 Identity Federation Technology Deep-Dive
OSP224 Office 365 Identity Federation Technology Deep-Dive
Paul Black and Toby Knight, Technical Specialists

2 Session Objectives And Takeaways
Tech Ready 15 4/2/2017
Session Objective(s):
- Identify the role that Provisioning & Synchronization plays in Directory Integration
- Discuss available Provisioning & Synchronization options
- Understand key directory concepts pertinent to Sync
Key Takeaway 1: When to use which Directory Sync option/technology, and what’s supported
Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Advanced Warning: Identity Crisis!!
Platform is being re-branded “Windows Azure Active Directory” aka “Windows Azure AD” or just “AAD”

4 Windows Azure AD vs. Office 365
- Go-to-market names for different packages of functionality (CRM Online and InTune as well!)
- All GTMs share common platform pieces:
  - Directory: “MSO DS”
  - STS: OrgID
- Platform pieces & tools will be branded Windows Azure AD:
  - PowerShell Module for Windows Azure Active Directory
  - Windows Azure Active Directory Sync Tool
  - Windows Azure Active Directory Connector for FIM 2010

5 Windows Azure AD vs. Office 365
(Diagram labels: Exchange Online, SharePoint, Lync, CRM, InTune, Cloud app (x3), Azure AD, AD)

6 Provisioning vs Synchronization
The two are not the same! Synchronization solutions are Provisioning solutions, but not the other way around!
- Provisioning: creation of objects and/or associated resources in a directory or external system.
- Synchronization: Provisioning + long-term consistency/parity of state between source objects and their representation in the external system.

7 Directory Integration Options
Manual
- How: create objects in Windows Azure AD via Admin Portal or Bulk Import
- Why: low volume of objects to create; no long-term management/consistency required
Scriptable
- How: PowerShell cmdlets, GRAPH API
- Why: need an automated process, but don’t require access to all attributes in the directory; OK to not have full consistency between source and cloud
Automated
- How: DirSync, FIM + Connector
- Why: large volume of objects/churn; require access to all attributes in the directory; require consistency between on-prem & cloud; want Single Sign-On

8 Examples of Integration - Manual

9 Example of Integration - Scriptable
PowerShell: New-MsolUser -UserPrincipalName
GRAPH

10 Example of Integration - Automated
(fill in DirSync picture here)

11 Directory Integration in the bigger picture
- Directory Integration is the first half of a larger ecosystem
- Single Sign-On solutions depend on successful Synchronization of data into the Directory!

12 Architecture and Integration Options
(Architecture diagram with three integration levels: No Integration; Directory Data Only; Directory and Single sign-on (SSO). Components shown: Windows Azure Active Directory with Identity Services (authentication platform), MS Online Directory Sync (provisioning platform) and Directory Store; Exchange Online, SharePoint Online, Lync Online, CRM Online, InTune; Admin Portal/PowerShell; Office 365 Desktop Setup; Contoso customer premises with Active Directory Federation Server 2.0 (IdP) and AD, linked to the cloud IdP by a Trust.)

13 Why Directory and SSO Integration
- Single place for management:
  - Users and groups (including security-enabled groups)
  - Passwords
  - Password policies
- Support for Enterprise Single Sign-On
- Support for Hybrid environments for services such as Exchange Online
- Options for Strong Authentication (e.g. smart cards)

14 Architecture Deep Dive
(Architecture diagram. Customer Network: AD, AD FS, DirSync (AD MA, MetaVerse, O365 MA). Office 365 Datacenter: AWS FEs, O365 Directory, Microsoft Online ID, Workflow, GRAPH, Exchange, Lync, SharePoint.)

15 Life as a sync’d object
- When an object is created in the cloud, it is “owned in the cloud”
  - Changes can be made via Portal, PowerShell or in the various cloud services
- When an object is created by Sync, it is “owned by sync”
  - Changes can only be made in the on-prem directory and then sync to the cloud
- When an object is created in the cloud, but also exists on-prem:
  - Sync will try to Soft-Match the object coming via Sync
  - Soft-match uses SMTP addresses to “best guess”
  - If matched, “owned by sync”

16 Life as a sync’d object
- Objects “owned by Sync” can be deleted directly in the cloud!
- Remove-MsolUser/Contact/Group will allow you to delete an object that is owned by Sync
- If still on-prem, it will be recreated on the next Sync cycle

17 Tour as a sync’d object
1. Sync Tool reads data from the on-prem directory source
2. Sync Tool pushes data to AWS FEs
3. AWS FE tries to create the object in MSODS (if user, OrgID first)
4. Workflow evaluates objects and attributes such as User.ProxyAddresses
5. Data validations performed (validation required? done here)
6. Services read from MSODS and sync into services

18 Choose your own Sync Adventure
3 options for Directory Sync:
- Single-forest DirSync appliance
- Multi-forest DirSync appliance
- Windows Azure Active Directory Connector for FIM 2010 (aka “Multi-Forest”)
You don’t need to use SSO just because you sync, but you should Sync in order to use SSO
- Could use PowerShell, but lots of management overhead & not a formally tested scenario
Sync solution doesn’t constrain SSO solution
- You can use any Sync solution with ADFS or a non-AD STS (i.e. Shib)

19 Choose your own Sync Adventure
Single Forest DirSync - when to use:
- Single AD forest on-prem that contains all data to synchronize to AAD
Multi-Forest DirSync - when to use:
- More than 1 AD Forest containing the directory data to synchronize to AAD
- ADs have “non-overlapping data” (no object in one forest is represented in another forest)
AAD Connector - when to use:
- Multiple AD Forests containing directory data to synchronize to AAD
- Directory data “overlaps” (an object is represented in more than one forest)
- Non-AD directory sources*

20 Choose your own Sync Adventure
A notable exception to the previous slide: this is a common pattern (prescribed by the Exchange product)
Pattern: consider 2 forests on-prem:
- 1 Authentication/Logon forest
- 1 Exchange/“Resource” forest
- “Sync” data from Exchange forest -> Auth forest
- Run single-forest DirSync against the Auth forest
- Full migration to Exchange Online, then collapse the Resource forest
Sync’ing the necessary core attributes from Exchange -> Auth forest can negate the need for multi-forest sync altogether
- Including SourceAnchor, UserPrincipalName
Some things not supported at this time: Multiple Exchange Orgs

21 Core Directory Sync Concepts
Source of Authority
- Where changes can be made to an object (either “on-prem” or “cloud”)
- De-/activating DirSync in the Admin portal transfers source of authority
SourceAnchor
- Used to uniquely identify objects created in the cloud from the on-prem directory
- Critical for the Single Sign-On scenario (ADFS will be configured to generate SourceAnchor on AuthN; this needs to match the ImmutableID stored in OrgId during user provisioning time)
- Can’t change after initial provision of the object by Sync -> will error out

22 Core Directory Sync Concepts
UserPrincipalName
- The “sign-in name” for a user
- On-prem UPN needs to match the UPN in the cloud for login to succeed
- Once licensed, the user UPN won’t change even if changed on-prem
  - Can override using the Set-MsolUserPrincipalName cmdlet
Hybrid Service Deployments
- Some attributes on on-prem objects are updated based on activities in the cloud
- Only modify objects that were initially sync’d to the cloud from on-prem

23 Core Directory Sync Concepts
We validate (some) data to protect the Core Directory and services:
Attribute Validation
- UserPrincipalName
  - UPNs must use a verified domain
  - If not, will autoconstruct the UPN value (won’t update local AD): [sAMAccountName] + “@” + [moera.onmicrosoft.com]
  - Must contain only supported characters
- User.ProxyAddresses
  - Cannot have duplicate proxy addresses -> Sync Error (on license for EXO)
  - Remove all proxyAddresses that are not using a verified domain
  - Adding the verified domain later will “re-hydrate” those PAs removed earlier

24 Core Directory Sync Concepts
Most common sync validation failures:
- Duplicate proxy addresses
- Duplicate UPN value
Errors reported in
Run the Deployment Readiness Tool!
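Added example (not from the deck): a small Python model of the validations described on slides 23 and 24. The tenant default domain, the verified-domain list, the character rule for the UPN prefix and the sample users are all constructed assumptions.

```python
# Added illustration of the DirSync-side validations on slides 23-24.
# Tenant domain, verified domains, character rule and sample data are assumptions.
import re
from collections import Counter

MOERA_DOMAIN = "contoso.onmicrosoft.com"          # assumed tenant default domain
VERIFIED_DOMAINS = {"contoso.com", MOERA_DOMAIN}  # assumed verified domains
UPN_PREFIX_OK = re.compile(r"^[A-Za-z0-9._'-]+$")  # stand-in for "supported characters"

def validate_upn(sam, upn, verified=VERIFIED_DOMAINS, moera=MOERA_DOMAIN):
    """Return the UPN the cloud directory would store.
    Unverified domain (or unsupported prefix) -> autoconstruct
    sAMAccountName@<moera domain>; the on-prem value is left untouched."""
    prefix, _, domain = upn.partition("@")
    if domain.lower() not in verified or not UPN_PREFIX_OK.match(prefix):
        return f"{sam}@{moera}"
    return upn

def filter_proxy_addresses(proxies, verified=VERIFIED_DOMAINS):
    """Keep only proxyAddresses ('SMTP:a@b' / 'smtp:a@b') on a verified domain."""
    kept = []
    for pa in proxies:
        addr = pa.split(":", 1)[1] if ":" in pa else pa
        if addr.rpartition("@")[2].lower() in verified:
            kept.append(pa)
    return kept

def find_duplicates(users):
    """UPNs and proxy addresses shared by more than one user after validation:
    the two most common sync validation failures named on slide 24."""
    upns = Counter(validate_upn(u["sam"], u["upn"]) for u in users)
    pas = Counter(pa.split(":", 1)[-1].lower()
                  for u in users for pa in filter_proxy_addresses(u["proxyAddresses"]))
    return ({v for v, n in upns.items() if n > 1},
            {v for v, n in pas.items() if n > 1})

# Constructed sample objects: the second user has an unverified UPN domain and
# re-uses the first user's primary SMTP address as a secondary alias.
SAMPLE_USERS = [
    {"sam": "jdoe", "upn": "jdoe@contoso.com",
     "proxyAddresses": ["SMTP:jdoe@contoso.com", "smtp:john@contoso.local"]},
    {"sam": "asmith", "upn": "asmith@contoso.local",
     "proxyAddresses": ["SMTP:asmith@contoso.com", "smtp:jdoe@contoso.com"]},
]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE_USERS))
```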

25 Core Directory Sync Concepts
Linking/Matching objects during sync
1. First, check to see if an object already exists with the same SourceAnchor value
2. If the object exists, update the existing object
3. If no objects hard-match, try and soft-match against existing objects (using SMTP addresses of the on-prem object)
4. If a candidate match exists, stamp the SourceAnchor value on the object for subsequent sync cycles
5. If no candidate match exists, create a new object
DirSync Quota
- Protects the directory from a malicious “storage DOS”
- Default now 50K for tenants provisioned after 5/1
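Added example (not from the deck): the hard-match, soft-match, create order from this slide modelled in Python over an in-memory cloud directory. It also shows the point slide 28 makes, that a new SourceAnchor with the same attribute values does not re-link an existing object. Object shapes and sample values are constructed assumptions.

```python
# Added illustration of the slide-25 matching order; object shapes and
# sample values are assumptions, not the service's real data model.
def smtp_addresses(obj):
    """Lower-cased SMTP addresses from a proxyAddresses list ('SMTP:'/'smtp:')."""
    return {pa.split(":", 1)[1].lower()
            for pa in obj.get("proxyAddresses", []) if pa.lower().startswith("smtp:")}

def link_or_create(cloud, onprem):
    """Apply one sync'd on-prem object to the cloud list; return (action, object).
    1. hard match: a cloud object already carries this SourceAnchor -> update it
    2. soft match: a cloud object with no SourceAnchor shares an SMTP address
       -> stamp the anchor so later cycles hard-match, object becomes sync-owned
    3. otherwise create a new cloud object owned by sync"""
    anchor = onprem["sourceAnchor"]
    for obj in cloud:
        if obj.get("sourceAnchor") == anchor:
            obj.update(upn=onprem["upn"], proxyAddresses=list(onprem["proxyAddresses"]))
            return "hard-match-update", obj
    wanted = smtp_addresses(onprem)
    for obj in cloud:
        if obj.get("sourceAnchor") is None and smtp_addresses(obj) & wanted:
            obj["sourceAnchor"] = anchor   # stamped for subsequent sync cycles
            obj["upn"] = onprem["upn"]
            obj["owner"] = "sync"          # now "owned by sync"
            return "soft-match-link", obj
    new = {"sourceAnchor": anchor, "upn": onprem["upn"],
           "proxyAddresses": list(onprem["proxyAddresses"]), "owner": "sync"}
    cloud.append(new)
    return "create", new

def run_cycle(cloud, onprem_objects):
    """Sync one batch and return the actions taken, in order."""
    return [link_or_create(cloud, o)[0] for o in onprem_objects]

# Constructed cloud directory: one object created in the portal (no anchor yet).
CLOUD = [{"upn": "jdoe@contoso.com", "proxyAddresses": ["SMTP:jdoe@contoso.com"],
          "owner": "cloud"}]
ONPREM = [
    {"sourceAnchor": "guid-1", "upn": "jdoe@contoso.com",
     "proxyAddresses": ["SMTP:jdoe@contoso.com"]},
    {"sourceAnchor": "guid-2", "upn": "asmith@contoso.com",
     "proxyAddresses": ["SMTP:asmith@contoso.com"]},
]

if __name__ == "__main__":
    print(run_cycle(CLOUD, ONPREM))   # first cycle: soft-match jdoe, create asmith
    print(run_cycle(CLOUD, ONPREM))   # second cycle: both hard-match
```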

26 Core Directory Sync Concepts
Throttling
- Sync throughput is “shared” across tenants at the AWS layer (throttled per partition)
- DirSync client automatically handles “Error Code 81” and retries again
- Throttling leads to variable sync times
V1/V2 differences
- Some differences in what’s sync’d/not sync’d
- Groups without display names aren’t sync’d in v2!
- Contact the migration team for documentation/list of deltas

27 Recovering deleted objects via Sync
Will be lighting up the “soft delete” feature in PROD
Scenario:
- On-prem AD Admin accidentally deletes a user object in AD
- DirSync “propagates delete” to the cloud
- User object is deleted in the cloud (mailbox lost)
NOW WHAT?

28 Recovering deleted objects via Sync
Manual recovery
- Admin identifies the object to be recovered
Via DirSync
- When the admin restores the user object in AD (via W2K8R2 Recycle Bin), the object is automatically recovered by DirSync: mailbox is recovered, etc.
- “Recovery” is dependent on keeping the same SourceAnchor value!
- A new SourceAnchor value with the “same attribute values” will not recover the user object in the cloud!

29 Filtering Sync
2 kinds of filters customers ask for:
- Choose which objects get sync’d to the cloud
- Choose which attributes get sync’d to the cloud
We support the former, we don’t support the latter
Wiki post and UA documentation posted to walk customers through this customization

30 In Review: Session Objectives And Takeaways
Session Objective(s):
- Identify the role that Provisioning & Synchronization plays in Directory Integration
- Discuss available Provisioning & Synchronization options
- Understand key directory concepts pertinent to Sync
Key Takeaway 1: When to use which Directory Sync option/technology, and what’s supported
Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure

31 Related Content
- Today: OSE 225
- Friday: OSE 331, OSE 333, OSE 334
- Hands-on Labs (OSPILL101 Designing a SharePoint site)
- Office at The Microsoft Showcase
Find Me Later At The Microsoft Showcase, Friday (9-12am)


