Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
Published in: Technology
Transcript of "Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group"

1. Understanding Office 365’s Identity Solutions: Deep Dive

2. Office 365 (and Azure) Identity Solutions
   Individual / Small Business (No Integration)
   • No Integration Required
   • No Single Sign On
   • User logon via Portal
   • No Servers on Premise
   Medium Sized Business (Dirsync, Provision Only)
   • Dirsync Tool – perfect for provisioning large groups of users
   • No Single Sign On
   • User login via Portal
   • No Servers on Premise
   Large Business (ADFS & Dirsync, Hybrid, Full Single Sign On (SSO))
   • Deploy Dirsync
   • Implement ADFS
   • Users login with WAD credentials
   • Complex server infrastructure on premises
   • Deployed as part of a Hybrid solution

3. Access Control Challenges
   • Secure Access for a Wide Array of Devices
   • High Availability
   • Role Based Access Control
   • Customer and Partner Access to Data

4. Support: Organizational Size Matters
   • The One Man Band
   • Small Business
   • Medium Size Business
   • Enterprise

5. The Four Pillars of Identity

6. Planning a Move to the Cloud? Influencing Factors:
   • Service Trials
   • Size of Organization
   • Time Constraints
   • Complexity of the Customer's Current Environment
   • Physical Locations
   • Current Identity Infrastructure
   • Current IT Infrastructure: Internal / Outsourced / Hosted

7. Planning a Move to the Cloud? Influencing Factors:
   • Software / Hardware Issues
   • Network Bandwidth Issues
   • Security Issues
   • Legal & Compliance Issues
   • Vendor Service Level Agreement (SLA)
   • High Availability / Backup Issues
   • Resource Issues: Staff, Budget, etc.
   • Risk Analysis of Moving into the Cloud

8. Current Identity Solution
   No Centralized Identity Solution
   • Typical of a One Man Company
   • No Servers on Premises
   • Uses POP Email, Web Browser or Mobile Device
   The Small Business
   • Typically 5 to 25 Employees
   • Perhaps uses a Small Business Server on Premises
   • Are already Active Directory Users
   • Probably use Exchange Email
   • Adopt Small Scale SharePoint Usage
   • Probably outsource IT Support to an External Consultant

9. Current Identity Solution
   Medium to Enterprise level Organization
   • 100s or 1000s of Users
   • More Complex Active Directory Infrastructure
   • More Complex Infrastructure, Trust Relationships etc.
   • Probably use Exchange Email, Lotus Notes or Other On-Site Email Solution
   • Probably uses Multi Factor Authentication
   • In house IT Support

10. Identity Solutions for Office 365
   Cloud Identity
   • Separate credential from on-premises credential
   • Authentication occurs via cloud directory service
   • Password policy is stored in Office 365
   • Does not require on-premises server deployment
   Federated Identity
   • Same credential as on-premises credential
   • Authentication occurs via on-premises directory service
   • Password policy is stored on-premises
   • Requires on-premises DirSync server
   • Requires on-premises ADFS server

11. Identity Architecture and Integration Options
   1. No Integration
   2. Directory Data Only
   3. Directory and Single sign-on (SSO)
   [Diagram labels: Windows Azure Active Directory; EPC Group customer premises; Active Directory; Active Directory Federation Server 2.0 IdP; AD Admin Portal / PowerShell; MS Online Directory Sync; Provisioning platform; Office 365 Desktop Setup; SharePoint Online; Authentication platform; Trust IdP; Directory Store; Exchange Online; Lync Online; Office Subscription Services]

12. Understanding Identities
   Cloud Identity
   • Scenario: Smaller organizations with or without Active Directory on-premises
   • Benefits: Does not require on-premises server
   • Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies
   Cloud Identity + DirSync
   • Scenario: Medium to Large organizations with Active Directory on-premises
   • Benefits: “Source of Authority” is on-premises; Enables coexistence
   • Limitations: No Single Sign-On; No 2 Factor Authentication options; Two sets of credentials to manage; Different password policies; Requires on-premises DirSync server deployment
   Federated Identity
   • Scenario: Large enterprise organizations with Active Directory on-premises
   • Benefits: “Source of Authority” is on-premises deployment; Enables coexistence; Single Sign-On experience; 2 Factor Authentication options
   • Limitations: Requires on-premises ADFS server deployment in high availability scenario; Requires on-premises DirSync server deployment

13. Understanding Identities: sign-in experience by client
   Client                                                      | Cloud Identity                         | Federated Identity (domain joined computer) | Federated Identity (non-domain joined computer)
   Microsoft Outlook 2010 on Windows 7                         | Sign in each session                   | Sign in each session                        | Sign in each session
   Outlook 2007 on Windows 7                                   | Sign in each session                   | Sign in each session                        | Sign in each session
   Outlook 2010 or Outlook 2007 on Windows Vista or Windows XP | Sign in each session                   | Sign in each session                        | Sign in each session
   Exchange ActiveSync                                         | Sign in each session                   | Sign in each session                        | Sign in each session
   POP, IMAP, Microsoft Outlook for Mac 2011                   | Sign in each session                   | Sign in each session                        | Sign in each session
   Web Experiences: Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps | Sign in each browser session | No prompt | Sign in each browser session
   Office 2010 or Office 2007 using SharePoint Online          | Sign in each SharePoint Online session | Sign in each SharePoint Online session      | Sign in each SharePoint Online session
   Lync Online                                                 | Sign in each session                   | No prompt                                   | Sign in each session
   Outlook for Mac 2011                                        | Sign in each session                   | Sign in each session                        | Sign in each session

14. Make the Solutions Workable
   • Must be Tailored to Customer Requirements
   • Cost Effective
   • Avoid Ego Driven Design Bloat!
   • Take into Account Future Growth
   • Current / Future Migration Plans
   • Local / National Legal / Compliance Issues
   • Cross Platform Integration

15. Understanding Identities
   • Two types of Domains
     • Managed Domain
     • Federated Domain
   • Domain ownership must be verified
   • Must use a publicly registered namespace (i.e. cannot use *.local, etc.)
   • Options for adding new domains:
     • Microsoft Online Portal
     • Microsoft Online Services Module for Windows PowerShell

16. Understanding Identities: management tools
   • Microsoft Online Portal
   • Active Directory tools
   • Exchange Management Tools
   • Identity management solutions
   • Microsoft Online Services Module for Windows PowerShell
   • Remote PowerShell

17. Windows Active Directory

18. Windows Active Directory
   • Directory service implemented on MS domain networks
   • Introduced in Windows 2000
   • DCs authenticate and authorise users and computers in a domain
   • Assigns and enforces security policies
   • Deployed in a single domain or as part of a larger forest
   • Can be expanded through Trust Relationships
   • Has both physical & logical attributes
   • Only one instance per domain
   • Active Directory uses LDAP, Kerberos, and DNS

19. WAD: Potential Issues
   • Has a number of trust limitations in respect to size & complexity
   • Designed primarily to manage in-house networks
   • Protocol limitations, i.e. LDAP
   • Customer security concerns about WAD data in the cloud (closed attributes)
   • Does not natively support new cloud based protocols
   • Solution: Extend AD attributes into the cloud…

20. Windows Azure Active Directory

21. Windows Azure Active Directory

22. What is Windows Azure Active Directory?
   • Customized Version of ADLDS / ADAM
   • Every Office 365 Customer is an Azure AD Tenant
   • Designed primarily to meet the needs of cloud applications
   • Extends the Customer's Active Directory into the cloud
   • Think of it as a Fish on a Hook!
   • Identity as a service: essential part of Platform as a Service

23. Relationship to Windows Server AD
   • On-premises and cloud Active Directory managed as one
   • Directory information synchronized to the cloud, made available to cloud apps via role-based access control
   • Federated authentication enables single sign on to cloud applications

24. WAAD vs WAD!
   • While enterprises work to consolidate identity systems on-premises, cloud apps are fragmenting identity… again

25. Azure Active Directory Design Principles
   The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory:
   • Maximize device & platform reach
   • HTTP/web/REST based protocols
   • Multi-tenancy
   • Customer owns the directory, not Microsoft
   • Optimize for availability, consistent performance, scale
   • Keep it simple

26. To Federate or Not To Federate?

27. Protocols to Connect to Windows Azure AD
   Protocol          | Purpose                                                    | Details
   REST/HTTP         | Directory access                                           | Create, Read, Update, Delete directory objects and relationships; compatible with OData V3; authenticate with OAuth 2.0
   OAuth 2.0         | Service to service authentication; delegated access        | JWT token format
   OpenID Connect    | Web application authentication; rich client authentication | Under investigation; JWT token format
   SAML 2.0          | Web application authentication                             | SAML 2.0 token format
   WS-Federation 1.3 | Web application authentication                             | SAML 1.1 token format; SAML 2.0 token format; JWT token format

28. Deploying ADFS

29. ADFS 2.0 & SSO Requirements
   • Windows Server 2008 or Windows Server 2008 R2
   • Windows Server 2012 (ADFS 2.1)
   • PowerShell V3
   • Web Server (IIS)
   • .NET 3.5 SP1
   • Windows Identity Foundation
   • Publicly registered domain name
   • SSL Certificate for Hybrid Deployment

30. Understanding SAML Authentication Into the Cloud
   [Diagram labels: Customer side: Active Directory, AD FS 2.0, Client (joined to CorpNet), Logon, SAML 1.1 Token (UPN: user@contoso.com, Source User ID: ABC123); Microsoft Online Services side: Authentication platform, Auth Token (UPN: user@contoso.com, Unique ID: 254729), Exchange Online or SharePoint Online]

31. Walkthrough: Access Control Using ADFS Client Endpoints

32. ADFS Claim Types
   • Launch the ADFS 2.0 Management Console, browse to Claims Provider Trusts, and Edit Claim Rules…
   • Add new rule
   • Select the “Pass through or filter an incoming claim” template
   • Provide rule name and type
   • Repeat for all 5 claim types

33. Issuance Authorization Rule
   • Launch the ADFS 2.0 Management Console, browse to Relying Party Trusts, and Edit Claim Rules…
   • Add new Issuance Authorization Rule
   • Select the “Send claims using a custom rule” template
   • Add rule name and custom rule syntax
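The walkthrough on slides 32 and 33, scripted end to end with the ADFS 2.0 PowerShell snap-in, as an added example that is not from the EPC Group deck. It assumes the claims provider trust is named "Active Directory", the relying party trust is the default "Microsoft Office 365 Identity Platform", ADFS 2.0 Update Rollup 2 or later (the release that adds the x-ms-* request-context claims), and the corporate egress IP regex is a placeholder you replace with your own addresses.

```powershell
# Added example, not from the deck. Assumes ADFS 2.0 UR2+ so the x-ms-* claims exist.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The five request-context claim types the walkthrough passes through (slide 32).
$claimTypes = @(
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
)

# Step 1: append one "pass through" rule per claim type to the Active Directory
# claims provider trust. Existing rules are kept, because -AcceptanceTransformRules
# replaces the whole rule set rather than adding to it.
$cpt   = Get-AdfsClaimsProviderTrust -Name 'Active Directory'   # assumed trust name
$rules = $cpt.AcceptanceTransformRules
foreach ($t in $claimTypes) {
    $name = ($t -split '/')[-1]
    $rules += @"

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $name"
c:[Type == "$t"] => issue(claim = c);
"@
}
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $rules

# Step 2 (slide 33): add a custom issuance authorization rule to the Office 365
# relying party trust. It denies requests that arrived through the ADFS proxy
# (i.e. from outside the corporate network) unless the forwarded client IP
# matches the organization's own egress addresses.
$corpEgress = '^203\.0\.113\.\d+$'   # PLACEHOLDER (TEST-NET range): replace with your public IPs
$denyRule = @"

@RuleName = "Deny external access not from corporate egress"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpEgress"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'   # default RP name
Set-AdfsRelyingPartyTrust -TargetName $rp.Name -IssuanceAuthorizationRules ($rp.IssuanceAuthorizationRules + "`n" + $denyRule)

# Verify: the deny rule now sits alongside the default "Permit Access to All Users" rule.
# ADFS treats an issued deny claim as overriding permit, so the permit rule can stay.
(Get-AdfsRelyingPartyTrust -Name $rp.Name).IssuanceAuthorizationRules
```

Test the result from an internal and an external client before relying on it: a mistaken egress regex locks every off-network user out of Exchange Online and SharePoint Online at the same time.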
34. Cloud Provisioning

35. WAAD Provisioning
   Manual
   • Simple Web based user interface
   • Bulk import of users
   • Best for small customers
   Scriptable
   • PowerShell module for Windows
   • Programmable: new REST based API
   • Limited attribute set/object types
   Automated
   • Directory Synchronization with delta
   • Full fidelity of attributes and object types
   • Optimized for large object sets

36. What is Dirsync? (Azure Active Directory Sync Tool)
   • Enables Simple & Rich Coexistence
   • Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
   • Provides a unified Global Address List experience between on-premises and Office 365
   • Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
   • Enables coexistence for Exchange
   • Works in both simple and hybrid deployment scenarios
   • Enabler for mail routing between on-premises and Office 365 with a shared domain namespace
   • Enables coexistence for Microsoft Lync

37. Dirsync Implementation Options
   1 Way Sync from AD to Cloud
   • Provisions users, DLs, Security Groups and contacts
   • Can move to 2 Way Sync later
   • On-premises is master for all objects and properties
   2 Way Sync from AD to Cloud and Cloud to AD
   • Required for Hybrid Deployments, e.g. co-existence with Exchange Online and Exchange on-premises
   • Cannot move back to 1 way sync
   • Cloud becomes master for certain properties (safe senders, mail co-existence, UM)
   Password Sync Option
   • Password Syncing is 1 way. Users that have Password Sync enabled are required to change their passwords on premises on an AD connected machine.

38. Dirsync Password Synchronization
   • No longer requires ADFS to provide SSO
   • Does not sync plaintext passwords
   • Dirsync syncs hashes of hashes of your users' passwords, greatly reducing the risk of a password leaking
   • You don't need to install any new software on your DCs or reboot DCs
   • Users don't need to change passwords
   • Password Syncing is 1 way. Users that have Password Sync enabled are required to change their passwords on premises on an AD connected machine.
   • “In my opinion not as secure as ADFS”

39. Dirsync: Synchronization Schedule
   • Default is Every 3 Hours
   • The “Start-OnlineCoexistenceSync” cmdlet can force a manual sync
   • Synchronization can be re-scheduled here:
     1. First navigate to the following directory on your DirSync Server: C:\Program Files\Microsoft Online Directory Sync
     2. Locate the service executable that is used to run the DirSync schedule.
     3. Locate the following line within the Microsoft.Online.DirSync.Scheduler.exe.config file:
        <add key="SyncTimeInterval" value="3:00:0" />
     4. Edit the time within this file to reduce the sync schedule; for example, to reduce the time to every 30 minutes use the following value:
        <add key="SyncTimeInterval" value="0:30:0" />
     5. Finally open the Services console (Start > Run > Services.msc) and restart the Microsoft Online Services Directory Synchronization Service.
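The five manual steps above as one script, an added example that is not from the deck. It assumes the install path and config file named on the slide, that SyncTimeInterval is an <add> element under <appSettings> in that file, and that the script runs elevated on the DirSync server.

```powershell
# Added example, not from the deck: re-schedule DirSync from a script instead of
# hand-editing the config. Run elevated on the DirSync server.
param([string]$Interval = '0:30:0')   # h:mm:s, the same format the config file uses

# Step 1/2: the scheduler config named on the slide (assumed default install path).
$cfgPath = 'C:\Program Files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config'

# Refuse a value the scheduler could not parse before touching the file.
$ts = [TimeSpan]::Parse($Interval)
if ($ts.TotalMinutes -lt 1) { throw "Interval '$Interval' is shorter than one minute" }

# Keep a copy so the change can be reverted.
Copy-Item -Path $cfgPath -Destination "$cfgPath.bak" -Force

# Step 3/4: edit the SyncTimeInterval appSetting in place (assumes <appSettings> layout).
[xml]$cfg = Get-Content -Path $cfgPath
$setting = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
if (-not $setting) { throw "SyncTimeInterval not found in $cfgPath" }
Write-Host "SyncTimeInterval: $($setting.value) -> $Interval"
$setting.value = $Interval
$cfg.Save($cfgPath)

# Step 5: restart the scheduler service so it picks up the new interval.
Restart-Service -DisplayName 'Microsoft Online Services Directory Synchronization Service'
```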
40. Best Bets and Next Steps
   • Choose Correct 365 Solution
   • Product vs. Service
   • Clean House
   • SSO or not to SSO?
   • Read the Planning Guides
   • Region vs. Compliance!
   • Get your DNS Correct
   • Watch out for Expiring SSL Certs
   • Beware the Deleted Domain Issue