Introduction to identity options1. MS Online IDsAppropriate for• Smaller organizations withoutAD on-premisePros• No servers required on-premiseCons• No SSO• No 2FA (strong authentication)• 2 sets of credentials tomanage with differingpassword policies• Users and groups mastered inthe cloud2. MS Online IDs + Dir SyncAppropriate for• Orgs with AD on-premisePros• Users and groups mastered on-premise• Enables co-existence scenariosCons• No SSO – BUT PASSWORDSYNC• No 2FA• 2 sets of credentials to managewith differing password policies• Single server deployment3. Federated IDs + Dir SyncAppropriate for• Larger enterprise organizationswith AD on-premisePros• SSO with corporate cred• Users and groups mastered on-premise• Password policy controlled on-premise• 2FA solutions possible• Enables co-existence scenariosCons• High availability serverdeployments required
What is DirSync?•“…is a Directory Synchronization enginebased on Forefront Identity Manager (FIM)that will synchronize a subset of your on-premise Active Directory with Windows AzureActive Directory (Office 365).”
Why use DirSync?Long term coexistence between Active Directory On Premise andWindows Azure Active Directory.(Easy/quick provisioning*)Single place for managing identities including:• Users• Groups• Memberships• …Enabler for Hybrid Deployments (required)• Two-way Directory Synchronization
Deployment ConsiderationsActive Directory Assessment• Prerequisites check (Readiness Tool)Topology• Single Forest?• Multiple Domains?Security• Firewalls, Permissions64-bit only!De/Activation time; can take some time to completeObject filtering required?SQL Version - Windows 2012 Server Supported
DirSyncHow does DirSync work?Active DirectoryMETAVERSE
What objects are synced?From AD to Office 365: http://support.microsoft.com/kb/2256198From Office 365 to AD (aka write-back):Write-Back attribute Exchange "full fidelity" featureSafeSendersHashBlockedSendersHashSafeRecipientHashFiltering: Writes back on-premises filtering and onlinesafe and blocked sender data from clients.msExchArchiveStatus Online Archive: Enables customers to archive mail.ProxyAddresses(LegacyExchangeDN <online LegacyDn> as X500)Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.msExchUCVoiceMailSettingsEnable Unified Messaging (UM) - Online voice mail: Thisnew attribute is used only for UM-Microsoft Lync Server2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.
Windows Azure & ADFS• Virtual Network Support – Site to Site VPN• Computing: 99,95% SLA Uptime for High Available System– 99,9% SLA Uptime for Single System• Storage: 99,9%• Full Control over your Virtual Machines• Pay as you Go, OPEX vs CAPEX• PowerShell Support
Windows Azure: TerminologyCloud Service: Role which several VM’s take upon themselves toexecute. E.G. ADFS. Cloud services need to have two instances or moreto quality for the SLA of 99,95%. 1 External Virtual IP Address per CloudServiceAvailability Set
Windows Azure: TerminologyEndPoints: You need to add an endpoint to a machine for other resourceson the Internet or other virtual networks to communicate with it. You canassociate specific ports and a protocol to endpoints. Resources canconnect to an endpoint by using a protocol of TCP or UDP. The TCPprotocol includes HTTP and HTTPS communication.Virtual Network enables you to create secure site-to-site connectivity, aswell as protected private virtual networks in the cloud.
MigrationDirSync:1. Shutdown DirSync on Premise2. Install DirSync on Azure3. Configure DirSync on Azure4. Uninstall DirSync on AzureADFS:1. Convert all ADFS Domains to Standard Domains2. Logon to primary ADFS on Azure3. Convert all Standard Domains back to Federated Domains