Published by Peyton Nunn. Modified over 10 years ago.
Slide 2: Identity management integration options for Office 365
Slide 3: Talk Abstract

User management and identity integration is easy in Office 365. In this talk we explain identity management concepts and describe the three identity models you can use: the cloud identity model, the synchronized identity model, and the federated identity model. For cloud and synchronized identity we tell you everything you need to set them up and demo how to configure them. For federated identity we show some of the tooling and give guidance on how to scope the integration project. We describe how to switch between identity models and give clear guidance on choosing the right identity model for a given scenario or customer.
Slide 4: Identity for Microsoft cloud services
- Microsoft Account (user), e.g. alice@outlook.com; identity store: Microsoft Account
- Organizational Account (user), e.g. alice@contoso.com; identity store: Microsoft Azure Active Directory
Slide 5: Office 365 Identity Models
Slide 6: Identity Synchronization and Federation
- Federated sign-in protocols: WS-Federation, WS-Trust, SAML 2.0, Metadata, Shibboleth
- Synchronize accounts: Graph API
- Authentication
Slide 7: Cloud identity model
Slide 10: Synchronized identity model
Slide 11: Before installing DirSync
- Active Directory remediation: IdFix
- Forest functional level: Windows Server 2003
- Multiple forests: not DirSync; use Azure AD Sync or Forefront Identity Manager 2010
- Directories other than Active Directory: not DirSync; see the Works with Office 365 – Identity program
Slide 12: IdFix – DirSync AD Remediation
Slide 13: What errors does IdFix look for?
- Duplicate proxyAddresses
- Invalid characters in attributes
- Over-length attributes
- Format errors in attributes
- Use of non-routable domains
- Blank attribute that requires a value
Attributes checked: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
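An added example, not part of the deck and not Microsoft's IdFix tool: a Python pre-sync check that flags the six error classes the slide lists over constructed sample directory objects. The length limits, character sets and non-routable suffixes are simplified assumptions; IdFix applies the full Azure AD rules.

```python
import re
from collections import defaultdict
# Maximum attribute lengths (assumption: Azure AD limits as documented for DirSync).
MAX_LEN = {"mailNickName": 64, "sAMAccountName": 20, "targetAddress": 256,
           "userPrincipalName": 113, "proxyAddresses": 256}
REQUIRED = ("mailNickName", "sAMAccountName", "userPrincipalName")
ALIAS_RE = re.compile(r"^[A-Za-z0-9._-]+$")                      # simplified alias character set
UPN_RE = re.compile(r"^[A-Za-z0-9._!#^~-]+@[A-Za-z0-9.-]+$")     # simplified UPN shape
PROXY_RE = re.compile(r"^(smtp|SMTP|sip|SIP|x500|X500):.+$")      # address needs a type prefix
NON_ROUTABLE = (".local", ".internal", ".lan")                    # assumption: on-prem suffixes

def check_objects(objects):
    """Return (sAMAccountName, attribute, problem) tuples for each IdFix-style error found."""
    findings, seen = [], defaultdict(list)   # seen: lower-cased address -> accounts carrying it
    for obj in objects:
        who = obj.get("sAMAccountName") or "<no sAMAccountName>"
        findings += [(who, a, "blank attribute that requires a value")
                     for a in REQUIRED if not obj.get(a)]
        findings += [(who, a, "invalid characters") for a in ("mailNickName", "sAMAccountName")
                     if obj.get(a) and not ALIAS_RE.match(obj[a])]
        upn = obj.get("userPrincipalName", "")
        if upn and not UPN_RE.match(upn):
            findings.append((who, "userPrincipalName", "format error"))
        for attr, limit in MAX_LEN.items():   # over-length values, single- or multi-valued
            vals = obj.get(attr) or []
            for v in (vals if isinstance(vals, list) else [vals]):
                if len(v) > limit:
                    findings.append((who, attr, f"over length ({len(v)} > {limit})"))
        addrs = obj.get("proxyAddresses", [])
        for addr in addrs:                    # prefix check, then collect for the duplicate pass
            if not PROXY_RE.match(addr):
                findings.append((who, "proxyAddresses", f"format error: {addr}"))
            else:
                seen[addr.split(":", 1)[1].lower()].append(who)
        for v in [upn] + [a.split(":", 1)[1] for a in addrs if ":" in a]:
            if v.lower().endswith(NON_ROUTABLE):
                findings.append((who, "domain", f"non-routable domain in {v}"))
    for addr, owners in seen.items():         # duplicate proxyAddresses across objects
        if len(owners) > 1:
            findings.extend((who, "proxyAddresses", f"duplicate {addr}") for who in owners)
    return findings
SAMPLE = [  # constructed sample directory objects, not real accounts
    {"sAMAccountName": "alice", "mailNickName": "alice",
     "userPrincipalName": "alice@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"sAMAccountName": "bob", "mailNickName": "bob smith",            # space: invalid character
     "userPrincipalName": "bob@contoso.local",                        # non-routable suffix
     "proxyAddresses": ["SMTP:Alice@contoso.com", "bob@contoso.com"]},  # duplicate; no prefix
    {"sAMAccountName": "c" * 21, "mailNickName": "",                  # over length; blank required
     "userPrincipalName": "carol@contoso.com", "proxyAddresses": []},
]
```

Run `check_objects(SAMPLE)` to get the seven findings for the sample; a clean set of objects returns an empty list.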
Slide 14: DirSync topology and number of servers
- A domain controller co-located install isn't recommended, but it is supported and you can install DirSync on the DC
- One server is most common; DirSync installs SQL Express for replication data
- You can install with a dedicated SQL Server and can use HA for SQL Server
- Consider using Azure: to avoid any on-premises servers you can deploy to Azure IaaS
- Use the DirSync road map: read the docs, but skip the Microsoft Deployment Readiness Toolkit
Slide 15: DirSync installation and review
- Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects
- Add DNS domains to Office 365 prior to syncing to preserve UPNs
- Sync now: expect about 1 hour per 5,000 objects
- Check event logs (EventVwr)
- Password expiry for the sync account
- Assign Office 365 licenses
Slide 16: Other DirSync considerations
- High availability: can back up and reinstall
- Filtering DirSync by OU
- Security of hashes: one-way hashes (of hash), not reversible, sent to Azure AD over SSL
Slide 17: Password hash sync security
- We typically get questions about the security of synchronizing passwords from banking and finance customers
- The password hash that we get from AD is not reversible to obtain the user's password: hashes are mathematical functions that are nearly impossible to reverse, and the result of the hash algorithm is called a digest
- We further process it with a one-way hash (SHA256 algorithm)
- We connect over SSL to the Azure AD service and send the resulting hash of the hash
- This enables Azure AD to validate the user's password when they log in
- More details at http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwindows-azure-ad-password-sync-frequently-asked-questions.aspx
Slide 18: Choosing between DirSync and AAD Sync
DirSync: released and supported in production. Azure AD Sync: beta available.
Capabilities listed:
- Includes password hash sync
- Includes password write-back with Azure AD Premium license
- Can filter objects by OU
- Supports use of a dedicated SQL Server install or SQL Express
- The setup wizard can be run multiple times for configuration changes
Azure AD Sync:
- Includes sync from multiple forests, including merging duplicate users in these forests **
- In addition to AD, can sync from LDAP v3, SQL Server and CSV data **
- Enables selective OU sync using the UX in the setup, compared to DirSync which requires PowerShell configuration **
- Enables transforming of attributes using the UX in the setup
- Planned to replace DirSync in the future
- Preview cannot be upgraded to a later release
** Not in beta
Slide 19: Demo – Configuring Azure AD Sync
Slide 20: Federated identity model
Slide 21: Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
Slide 22: ADFS is Also Easy
- Use trained and experienced deployment staff
- Use the Azure AD Connect Tool: https://microsoft.sharepoint.com/teams/OfficeOnRamp/wiki/Pages/Azure-Active-Directory-Connect-Tool.aspx
- Read all the TechNet deployment guidance: http://technet.microsoft.com/en-us/library/jj205462.aspx
- Only implement the Office 365 requirements: the only certificate required is the SSL certificate
- Prepare with firewall update permissions
Slide 23: Demo – Azure AD Connect for AD FS
Slide 24: How to choose an identity model?
Slide 25: Change between models as needs change
- Cloud Identity to Synchronized Identity: deploy DirSync; hard match or soft match of users
- Synchronized Identity to Federated Identity: deploy AD FS; can leave password sync enabled as backup
- Federated Identity to Synchronized Identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users
- Synchronized Identity to Cloud Identity: PowerShell Set-MsolDirSyncEnabled; takes 72 hours and you can monitor with Get-MsolCompanyInformation
Slide 26: Choose the simplest model for your needs
This is our recommendation. Cloud Identity is the simplest model. Choose cloud when:
- You have no on-premises directory
- There is on-premises directory restructuring
- You are in pilot with Office 365
Slide 27: Choose synchronized identity if you have an on-premises directory
- Password hash sync means federation is not required just to have the same password in the cloud
- Same sign-on: the username and password are the same in the cloud as on-premises
- Single sign-on: you log on to the PC and no password is required for cloud services
- Save credentials for later use: Windows Credential Manager
- Outlook does not support single sign-on
- Choose password hash sync unless you have one of the scenarios that requires federation
Slide 28: Scenarios for choosing federation – Existing infrastructure
1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010
Slide 29: Scenarios for choosing federation – Technical requirements
4. You have multiple forests in your on-premises AD
5. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
6. Custom hybrid applications or hybrid search is required
7. Web-accessible forgotten password reset
Slide 30: Scenarios for choosing federation – Policy requirements
8. You require sign-in audit and/or immediate disable
9. Single sign-on minimizing prompts is required
10. You require client sign-in restrictions by network location or work hours
11. Policy preventing synchronizing password hashes to Azure AD
Slide 31: Office 365 federation options
AD FS
- Suitable for medium and large enterprises, including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on; support for web and rich clients
- Microsoft supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
Third-party federated identity provider
- Suitable for medium and large enterprises, including educational organizations
- Recommended where customers may use existing non-ADFS identity systems, with AD or non-AD
- Single sign-on; support for web and rich clients
- Third-party supported; verified through the 'Works with Office 365' program
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
Shibboleth
- Suitable for educational organizations
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on; support for web clients and Outlook (ECP) only
- Microsoft supported for integration only, no Shibboleth deployment support
- Requires on-premises servers and support
- Works with AD and other directories on-premises
SAML 2.0 identity providers
- For organizations that need to use SAML 2.0
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on; support for web clients and Outlook (ECP) only
- Microsoft supported for integration only, no identity provider deployment support
- Requires on-premises servers and support
- Works with AD and other directories on-premises
Slide 32: Works with Office 365 – Identity program
Slide 33: Recent features change the landscape
- Jun 2013: Password hash sync added to DirSync
- Nov 2013: DirSync tool can run on domain controllers
- Feb 2014: Multi-Factor Authentication for Office 365
- Apr 2014: Azure Active Directory Sync Services
- Apr 2014: Azure AD Premium password reset
- May 2014: Alternate sign-in ID to UPN
- May 2014: DirSync backup for federated sign-in
- Dec 2014: Office client passive authentication
Slide 34: Summary
- Choose the simplest model for your needs
- Change between models as needs change
- Cloud identity model when there is no on-premises directory
- Synchronized identity model for most organizations
- Federated identity model for one of the 11 scenarios