Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
Transcript

  • 1. Understanding Office 365’s Identity Solutions: Deep Dive
  • 2. Office 365 (and Azure) Identity Solutions
    • No Integration (Individual / Small Business)
      • No integration required
      • No Single Sign On
      • User logon via portal
      • No servers on premise
    • Dirsync (Provision Only) (Medium Sized Business)
      • Dirsync tool – perfect for provisioning large groups of users
      • No Single Sign On
      • User login via portal
      • No servers on premise
    • Hybrid: ADFS & Dirsync (Large Business)
      • Deploy Dirsync
      • Implement ADFS
      • Users login with WAD credentials
      • Complex server infrastructure on prem
      • Deployed as part of a hybrid solution
      • Full Single Sign On (SSO)
  • 3. Access Control Challenges
    • Secure access for a wide array of devices
    • High availability
    • Role based access control
    • Customer and partner access to data
  • 4. Support: Organizational Size Matters
    • The one man band
    • Small business
    • Medium size business
    • Enterprise
  • 5. The Four Pillars of Identity
  • 6. Planning a Move to the Cloud? Influencing factors:
    • Service trials
    • Size of organization
    • Time constraints
    • Complexity of the customer's current environment
    • Physical locations
    • Current identity infrastructure
    • Current IT infrastructure: internal / outsourced / hosted
  • 7. Planning a Move to the Cloud? Influencing factors (continued):
    • Software / hardware issues
    • Network bandwidth issues
    • Security issues
    • Legal & compliance issues
    • Vendor Service Level Agreement (SLA)
    • High availability / backup issues
    • Resource issues: staff, budget, etc!
    • Risk analysis of moving into the cloud!
  • 8. Current Identity Solution
    • No centralized identity solution
      • Typical of a one man company
      • No servers on premises
      • Uses POP email, web browser or mobile device
    • The small business
      • Typically 5 to 25 employees
      • Perhaps uses a Small Business Server on premises
      • Users are already Active Directory users
      • Probably use Exchange email
      • Adopt small scale SharePoint usage
      • Probably outsource IT support to an external consultant
  • 9. Current Identity Solution
    • Medium to enterprise level organization
      • 100s or 1000s of users
      • More complex Active Directory infrastructure
      • More complex infrastructure, trust relationships etc.
      • Probably use Exchange email, Lotus Notes or another on-site email solution
      • Probably uses multi factor authentication
      • In house IT support
  • 10. Identity Solutions for Office 365
    • Cloud identity
      • Separate credential from on-premises credential
      • Authentication occurs via cloud directory service
      • Password policy is stored in Office 365
      • Does not require on-premises server deployment
    • Federated identity
      • Same credential as on-premises credential
      • Authentication occurs via on-premises directory service
      • Password policy is stored on-premises
      • Requires on-premises DirSync server
      • Requires on-premises ADFS server
  • 11. Identity Architecture and Integration Options
    1. No integration
    2. Directory data only
    3. Directory and single sign-on (SSO)
    [Diagram: customer premises (Active Directory, Active Directory Federation Server 2.0 as IdP, MS Online Directory Sync, Admin Portal / PowerShell) connected to Windows Azure Active Directory (provisioning platform, authentication platform, directory store, trust to the IdP) and to the Office 365 services (Desktop Setup, SharePoint Online, Exchange Online, Lync Online, Office Subscription Services)]
  • 12. Understanding Identities
    • Cloud Identity
      • Scenario: smaller organizations with or without Active Directory on-premises
      • Benefits: does not require on-premises server
      • Limitations: no Single Sign-On; no 2 Factor Authentication options; two sets of credentials to manage; different password policies
    • Cloud Identity + DirSync
      • Scenario: medium to large organizations with Active Directory on-premises
      • Benefits: “Source of Authority” is the on-premises deployment; enables coexistence
      • Limitations: no Single Sign-On; no 2 Factor Authentication options; two sets of credentials to manage; different password policies; requires on-premises DirSync server deployment
    • Federated Identity
      • Scenario: large enterprise organizations with Active Directory on-premises
      • Benefits: “Source of Authority” is on-premises; Single Sign-On experience; 2 Factor Authentication options; enables coexistence
      • Limitations: requires on-premises ADFS server deployment in a high availability scenario; requires on-premises DirSync server deployment
  • 13. Understanding Identities: sign-in experience per client (Cloud Identity / Federated Identity on a domain joined computer / Federated Identity on a non-domain joined computer)
    • Microsoft Outlook® 2010 on Windows® 7: sign in each session / sign in each session / sign in each session
    • Outlook 2007 on Windows 7: sign in each session / sign in each session / sign in each session
    • Outlook 2010 or Outlook 2007 on Windows Vista® or Windows XP: sign in each session / sign in each session / sign in each session
    • Exchange ActiveSync®: sign in each session / sign in each session / sign in each session
    • POP, IMAP, Microsoft Outlook for Mac 2011: sign in each session / sign in each session / sign in each session
    • Web experiences (Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps): sign in each browser session / no prompt / sign in each browser session
    • Office 2010 or Office 2007 using SharePoint Online: sign in each SharePoint Online session / sign in each SharePoint Online session / sign in each SharePoint Online session
    • Lync Online: sign in each session / no prompt / sign in each session
    • Outlook for Mac 2011: sign in each session / sign in each session / sign in each session
  • 14. Make the Solutions Workable
    • Must be tailored to customer requirements
    • Cost effective
    • Avoid ego driven design bloat!
    • Take into account future growth
    • Current / future migration plans
    • Local / national legal / compliance issues
    • Cross platform integration
  • 15. Understanding Identities
    • Two types of domains
      • Managed domain
      • Federated domain
    • Domain ownership must be verified
    • Must use a publicly registered namespace (i.e. cannot use *.local, etc.)
    • Options for adding new domains:
      • Microsoft Online Portal
      • Microsoft Online Services Module for Windows PowerShell
  • 16. Understanding Identities • Microsoft Online Portal • Active Directory tools • Exchange Management Tools • Identity management solutions • Microsoft Online Services Module for Windows PowerShell • Remote PowerShell
  • 17. Windows Active Directory
  • 18. Windows Active Directory
    • Directory service implemented on MS domain networks
    • Introduced in Windows 2000
    • DCs authenticate and authorise users and computers in a domain
    • Assigns and enforces security policies
    • Deployed in a single domain or as part of a larger forest
    • Can be expanded through trust relationships
    • Has both physical & logical attributes
    • Only one instance per domain
    • Active Directory uses LDAP, Kerberos, and DNS
  • 19. WAD: Potential Issues
    • Has a number of trust limitations in respect of size & complexity
    • Designed primarily to manage in-house networks
    • Protocol limitations, i.e. LDAP
    • Customer security concerns about WAD data in the cloud (closed attributes)
    • Does not natively support new cloud based protocols
    • Solution: extend AD attributes into the cloud…
  • 20. Windows Azure Active Directory
  • 21. Windows Azure Active Directory
  • 22. What is Windows Azure Active Directory?
    • Customized version of ADLDS / ADAM
    • Every Office 365 customer is an Azure AD tenant
    • Designed primarily to meet the needs of cloud applications
    • Extends the customer's Active Directory into the cloud
    • Think of it as a fish on a hook!
    • Identity as a service: an essential part of Platform as a Service
  • 23. Relationship to Windows Server AD • On-premises and cloud Active Directory managed as one • Directory information synchronized to cloud, made available to cloud apps via roles-based access control • Federated authentication enables single sign on to cloud applications
  • 24. WAAD Vs WAD! • While enterprises work to consolidate identity system on- premises, cloud apps are fragmenting identity… again
  • 25. Azure Active Directory Design Principles The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory • Maximize device & platform reach • http/web/REST based protocols • Multi-tenancy • Customer owns directory, not Microsoft • Optimize for availability, consistent performance, scale • Keep it simple
  • 26. To Federate or Not To Federate?
  • 27. Protocols to Connect to Windows Azure AD (protocol: purpose; details)
    • REST/HTTP directory access: create, read, update, delete directory objects and relationships; compatible with OData V3, authenticate with OAuth 2.0
    • OAuth 2.0: service to service authentication, delegated access; JWT token format
    • OpenID Connect: web application authentication, rich client authentication; under investigation, JWT token format
    • SAML 2.0: web application authentication; SAML 2.0 token format
    • WS-Federation 1.3: web application authentication; SAML 1.1, SAML 2.0 and JWT token formats
  • 28. Deploying ADFS
  • 29. ADFS 2.0 & SSO Requirements
    • Windows Server 2008 or Windows Server 2008 R2
    • Windows Server 2012 (ADFS 2.1)
    • PowerShell V3
    • Web Server (IIS)
    • .Net 3.5 SP1
    • Windows Identity Foundation
    • Publicly registered domain name
    • SSL certificate for hybrid deployment
  • 30. Understanding SAML Authentication Into the Cloud
    [Diagram: on the customer side, a client joined to CorpNet logs on against Active Directory and AD FS 2.0, which issues a logon token (SAML 1.1) carrying UPN: user@contoso.com and user ID: ABC123; the Microsoft Online Services authentication platform exchanges it for an auth token carrying UPN: user@contoso.com and Unique ID: 254729, which the client presents to Exchange Online or SharePoint Online]
  • 31. Walkthrough Access Control Using ADFS Client Endpoints
  • 32. ADFS Claim Types
    • Launch the ADFS 2.0 Management Console, browse to Claims Provider Trusts, and Edit Claim Rules…
    • Add new rule
    • Select the “Pass through or filter an incoming claim” template
    • Provide rule name and type
    • Repeat for all 5 claim types
  • 33. Issuance Authorization Rule
    • Launch the ADFS 2.0 Management Console, browse to Relying Party Trusts, and Edit Claim Rules…
    • Add new Issuance Authorization Rule
    • Select the “Send claims using a custom rule” template
    • Add rule name and custom rule syntax
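The custom rule syntax that step 4 asks for, as an added example (not from the deck or EPC Group): an ADFS 2.0 issuance authorization rule that permits Office 365 sign-in only to members of one AD group, applied with the ADFS PowerShell snap-in instead of the console. It assumes the relying party trust is named "Microsoft Office 365 Identity Platform" and uses a placeholder group SID.

```powershell
# Added example: restrict the Office 365 relying party to one AD group.
# Assumptions: the trust name below and a placeholder SID you must replace.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = "Microsoft Office 365 Identity Platform"   # assumed trust name
$groupSid = "S-1-5-21-PLACEHOLDER-1234"                # replace with your group's SID

# ADFS claim rule language: if the incoming groupsid claim matches our group,
# issue the "permit" authorization claim. Any request that matches no
# issuance authorization rule is denied by ADFS.
$rule = @"
@RuleName = "Permit Office 365 users group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
          Value = "true");
"@

# Back up the rule set currently on the trust before replacing it.
$trust = Get-ADFSRelyingPartyTrust -Name $rpName
$trust.IssuanceAuthorizationRules | Out-File ".\rp-issuance-auth-rules.bak.txt"

# Apply the new rule set and show what is now in place.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rule
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test with a member and a non-member account after applying it, since replacing the rule set drops any previous "permit all users" rule on the trust.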
  • 34. Cloud Provisioning
  • 35. WAAD Provisioning
    • Manual
      • Simple web based user interface
      • Bulk import of users
      • Best for small customers
    • Scriptable
      • PowerShell module for Windows
      • Programmable: new REST based API
      • Limited attribute set/object types
    • Automated
      • Directory Synchronization with delta
      • Full fidelity of attributes and object types
      • Optimized for large object sets
  • 36. What is Dirsync? (Azure Active Directory Sync Tool ) • Enables Simple & Rich Coexistence • Provisions objects in Office 365 with same email addresses as the objects in the on-premises environment • Provides a unified Global Address List experience between on-premises and Office 365 • Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365 • Enables coexistence for Exchange • Works in both simple and hybrid deployment scenarios • Enabler for mail routing between on-premises and Office 365 with a shared domain namespace • Enables coexistence for Microsoft Lync
  • 37. Dirsync Implementation Options
    • 1 way sync from AD to cloud
      • Provisions users, DLs, security groups and contacts
      • Can move to 2 way sync later
      • On-premises is master for all objects and properties
    • 2 way sync from AD to cloud and cloud to AD
      • Required for hybrid deployments, e.g. co-existence with Exchange Online and Exchange on-premises
      • Cannot move back to 1 way sync
      • Cloud becomes master for certain properties (safe senders, mail co-existence, UM)
    • Password sync option
      • Password syncing is 1 way. Users that have password sync enabled are required to change their passwords on premises on an AD connected machine.
  • 38. Dirsync Password Synchronization • No longer requires ADFS to provide SSO • Does not sync plaintext passwords • Dirsync syncs hashes of hashes of your user's passwords greatly reducing the risk of a password leaking • You don't need to install any new software on your DCs or reboot DCs • Users don't need to change passwords • Password Syncing is 1 way. Users that have Password Sync enabled are required to change their passwords on premises in an AD connected machine. • “In my opinion not as secure as ADFS”
  • 39. Dirsync: Synchronization Schedule
    • Default is every 3 hours
    • The “Start-OnlineCoexistenceSync” cmdlet can force a manual sync
    • Synchronization can be re-scheduled as follows:
      1. First navigate to the following directory on your DirSync server: C:\Program Files\Microsoft Online Directory Sync
      2. Locate the service executable that is used to run the DirSync schedule.
      3. Locate the following line within the Microsoft.Online.DirSync.Scheduler.exe.config file: <add key="SyncTimeInterval" value="3:00:0" />
      4. Edit the time within this file to reduce the sync schedule; for example, to reduce the time to every 30 minutes use the following value: <add key="SyncTimeInterval" value="0:30:0" />
      5. Finally open the Services console (Start > Run > Services.msc) and restart the Microsoft Online Services Directory Synchronization Service.
  • 40. Best Bets and Next Steps
    • Choose the correct 365 solution
    • Product vs. service
    • Clean house
    • SSO or not to SSO?
    • Read the planning guides
    • Region vs. compliance!
    • Get your DNS correct
    • Watch out for expiring SSL certs
    • Beware the deleted domain issue
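Steps 1 to 5 of the slide 39 re-scheduling procedure done in PowerShell, as an added example that is not part of the deck: it backs up the scheduler config, rewrites the SyncTimeInterval value and restarts the service. It assumes the default install path and service display name shown on the slide, and that the setting lives under configuration/appSettings in the .exe.config.

```powershell
# Added example: change the DirSync SyncTimeInterval and restart the scheduler.
# Assumptions: default install path and service display name from the slide;
# the <add key="SyncTimeInterval" .../> element sits under appSettings.
$configPath  = 'C:\Program Files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config'
$newInterval = '0:30:0'   # same h:mm:s form the slide uses; 30 minutes

if (-not (Test-Path $configPath)) { throw "Config not found: $configPath" }

# Keep a copy so the change can be reverted.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

# Load the config as XML and locate the SyncTimeInterval appSetting.
[xml]$cfg = Get-Content -Path $configPath
$setting = $cfg.configuration.appSettings.add |
    Where-Object { $_.key -eq 'SyncTimeInterval' }
if (-not $setting) { throw "SyncTimeInterval setting not found in $configPath" }

Write-Host "Current SyncTimeInterval: $($setting.value)"
$setting.value = $newInterval
$cfg.Save($configPath)

# The scheduler reads its config at start-up, so restart it (step 5).
Restart-Service -DisplayName 'Microsoft Online Services Directory Synchronization Service'
Write-Host "SyncTimeInterval set to $newInterval and service restarted."
```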