CoLabora - Identity in a World of Cloud - June 2015
Published at: CoLabora UC User Group Meeting, June 2015
Topic: Identity in a World of Cloud
Speaker: Jakob Østergaard Nielsen (www.mistercloudtech.com)
Published in: Technology

Slide 1: Identity in a World of Cloud
Identity management with Azure Active Directory and Office 365
Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S
Slide 2: About me
Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S
Expertise: Office 365, Microsoft Azure, Certificate Services/PKI, Federation Services, Exchange, Active Directory.
Certifications: MCSE: Communication | MCSA: Office 365 | MCTS: Exchange | MCSA: Windows Server 2012 R2
Contact: e-mail jakos@eg.dk | blog mistercloudtech.com | Twitter twitter.com/JakobONielsen | phone +45 7260 2378 / +45 2085 9156
© EG A/S
Slide 3: Agenda
• Identity models
• How to choose an identity model
• Identity synchronization tools
• Azure AD Connect
• Password sync and federated identity
• Azure Active Directory applications
• SourceAnchor and account matching
• AD Sync recommendations
Slide 4: The current reality…
Slide 5: Identity as the foundation (diagram)
Microsoft Azure Active Directory is shown as the identity foundation between the on-premises side (Windows Server Active Directory, other directories) and the cloud side (SaaS, Azure, Office 365, public cloud).
Slide 6: Office 365 Identity Models
Slide 7: Identity Synchronization and Federation (diagram)
Diagram labels: WS-Federation, WS-Trust, SAML 2.0, Metadata, Shibboleth, Graph API; Synchronize accounts; Authentication; Federated sign-in.
Slide 8: Cloud Identity Model
Slide 9: Cloud identity model (diagram). Identities exist only "in cloud", in Azure AD; users sign in at http://portal.office.com.
Slide 11: Synchronized Identity Model
Slide 12: Synchronized identity model (diagram). Azure AD Sync copies user accounts and password hashes from the on-premises directory to Azure AD; the user signs on and is authenticated by Azure AD with the same password as on-premises ("Same Sign-On").
Slide 13: Password hash sync security
• The AD account password is hashed twice: the hash already stored in AD is passed through a one-way hash algorithm a second time before anything leaves the on-premises directory
• Not reversible: the user's password cannot be recovered from the synced value
• Only the result of the second hash is synced
• Additional security: connections are SSL encrypted and are made only to Azure AD
• Enables validation: Azure AD can validate the user's password when they log in
Diagram labels: Azure AD, account password, on-premises directory, Azure AD Sync.
Note on the sync server itself: to read password hashes, the synchronization service account needs the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions on the domain, so the server running Azure AD Sync / Azure AD Connect holds domain-controller-level access and must be hardened and monitored accordingly.
Slide 14: Choosing between sync tools
Azure AD Sync:
• All the features from DirSync
• Supports sync from multiple AD forests, including merging duplicate accounts into one Office 365 tenant
• Supports sync from LDAP v3 and SQL identity stores (pending)
• Installs prerequisite software components during installation
• Upgrade from DirSync by uninstall/install
Azure AD Connect:
• Will include all features from DirSync and Azure AD Sync (announced)
• Installer options to deploy Azure AD Sync with password sync and optionally AD FS
• Will support Azure AD Premium features (password, device and group writeback, ...)
• Released to GA on June 24, 2015
DirSync:
• Still the default sync tool linked from the Office 365 Admin Portal
• Supports sync from a single AD forest only
• Supports object filtering (domain, OU, attribute)
• Remains supported under the Microsoft Online Services Support Lifecycle Policy (12 months), probably counted from Azure AD Connect GA*
Slide 15: Azure AD Connect, the identity bridge (diagram). Azure AD Connect (sync + sign-on) sits between Active Directory / LDAP directories and Azure AD.
Slide 16: Azure AD Connect with Express Settings
• Use one tool instead of many
• Get up and running quickly (5 clicks)
• Start here, then scale up or add options
• Custom options to address more complex scenarios
Slide 17: Demo: Azure AD Connect
Slide 18: Azure AD Connect with Express Settings
Get up and running with the most common, simple options:
• Single AD forest
• Synchronization of all on-premises objects
• Password synchronization of all users
• Creates a default on-premises service account
• Creates a default cloud service account with a tailored role
• Requires Enterprise Admin in the on-premises AD and Global Admin in the cloud during setup
• Sets up sync with an AD connector for the on-premises AD and an Azure connector for Azure AD
Slide 19: Azure AD Connect with customized settings
Customized settings allow more advanced options:
• Multi-forest synchronization
• Hybrid scenarios and/or single sign-on using AD FS
• Pilot users by filtering on domain, OU or attribute
• Assign a custom, lower-privileged service account
• Sync selected users using filtering (OU, domain, group, attribute)
• Postpone the initial full sync ("staging mode")
• Azure AD Premium features: writeback of passwords, users, groups and devices from the cloud
• Windows 10 computer sync to Azure AD
• Sync of custom and directory extension attributes
Slide 20: Making hybrid identity simple
Azure Active Directory Connect: deployment assistant for the identity bridge components; simplified deployment of federation components; Health: operations and monitoring of all Azure AD Connect components.
Slide 21: Federated Identity Model
Slide 22: Federated identity model (diagram)
Diagram labels: AD FS, user, security token, authentication, sign-on, federated identity, on-premises directory, Azure AD Sync, password hashes, user accounts, redirection.
Notes: as alternatives to on-premises AD FS, both AD FS and WAP can be hosted in Azure or by a hosting partner. For single sign-on to web apps, Azure AD Access Control Service (ACS) can also be used as the Security Token Service (STS).
Slide 23: Password Sync Backup for Federated Sign-In
Password sync backup for Office 365 federated sign-in provides the option to switch a federated domain to a synchronized domain in the event of an on-premises outage or Internet access disruption.
Diagram labels: federated identity, backup password hash sync, user accounts, AD FS, Azure AD Sync, on-premises directory.
Slide 24: How to choose an identity model
Slide 25: Choosing Password Sync or AD FS for Sign-On
• Choose the simplest model that fits the business requirements
• Cloud identity when no on-premises AD exists
• Password sync for standard on-premises AD integrations
• Federated identity for the following scenarios:
  - The organization already has AD FS or another federation service
  - Hybrid integration with cloud services (Exchange/SharePoint/Skype for Business/...)
  - Password prompts from domain-joined computers must be minimized (SSO)
  - Security policy requires sign-in auditing and/or immediate disabling of accounts
  - Security policy prohibits syncing password hashes to Azure AD
  - Client sign-in restrictions by network location or work hours
  - Conditional access for both on-premises and cloud resources
  - FIM/MIM is used for on-premises identity management
  - On-premises multi-factor authentication or smart card sign-in
Slide 26: Change between models as needs change
Cloud identity to synchronized identity:
• Deploy DirSync / Azure AD Sync / Azure AD Connect
• Hard match or soft match of users
Synchronized identity to federated identity:
• Deploy AD FS and configure a trust between AD FS and Azure AD
• PowerShell: Convert-MsolDomainToFederated
• Leave password sync enabled as backup
Federated identity to synchronized identity:
• PowerShell: Convert-MsolDomainToStandard
• Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized identity to cloud identity:
• PowerShell: Set-MsolDirSyncEnabled
• Takes up to 72 hours; monitor with PowerShell: Get-MsolCompanyInformation
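The federated-to-synchronized switch that slide 23 presents as a backup and slide 26 lists as a transition, written out as an added PowerShell example (not part of the deck). The check it adds is the one that makes the backup real: Convert-MsolDomainToStandard only helps if password hash sync has already delivered hashes to Azure AD, so the script reads the tenant's sync state first and refuses to convert otherwise. It assumes the MSOnline module, that it runs on the primary AD FS server as a Global Administrator (the cmdlet needs the AD FS context), and uses contoso.com and the Assert-PasswordSyncReady function name as placeholders.

```powershell
# Added example (not from the deck): fail a federated domain over to password
# hash sync, refusing to do so unless the backup hashes are actually in place.
# Assumptions: MSOnline module installed; run on the primary AD FS server as a
# Global Administrator; "contoso.com" is a placeholder domain name.
param(
    [string] $DomainName   = 'contoso.com',
    [string] $PasswordFile = "$env:TEMP\${DomainName}-converted-users.csv"
)

Import-Module MSOnline
Connect-MsolService          # prompts for the Global Administrator credential

function Assert-PasswordSyncReady {
    # The "password sync backup" is only a backup if hashes have been delivered
    # at least once; Get-MsolCompanyInformation exposes that state for the tenant.
    $c = Get-MsolCompanyInformation
    if (-not $c.DirectorySynchronizationEnabled) {
        throw 'Directory synchronization is not enabled for this tenant.'
    }
    if (-not $c.PasswordSynchronizationEnabled) {
        throw 'Password hash sync is disabled; enable it in the sync tool and run a full sync first.'
    }
    if (-not $c.LastPasswordSyncTime) {
        throw 'Password hash sync has never completed; wait for LastPasswordSyncTime before converting.'
    }
    $age = (Get-Date).ToUniversalTime() - $c.LastPasswordSyncTime
    if ($age.TotalHours -gt 3) {
        # Hashes are normally pushed every few minutes. A stale timestamp usually
        # means the sync server is down too, and the switch would strand users on
        # whatever password was last synced.
        Write-Warning "Last password sync was $([int]$age.TotalHours) h ago; check the sync server before continuing."
    }
    return $c.LastPasswordSyncTime
}

$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is already '$($domain.Authentication)'; nothing to convert."
}

$lastSync = Assert-PasswordSyncReady
Write-Host "Password hashes last synced $lastSync (UTC); converting $DomainName to standard authentication."

# Removes the Office 365 relying party trust from AD FS and flips the domain to
# managed (password) authentication. Users in the domain are converted as well;
# temporary passwords for users Azure AD had to reset are written to -PasswordFile.
# The slide's timing (2 hours plus 1 hour per 2,000 users) applies to this step.
Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile

Get-MsolDomain -DomainName $DomainName | Select-Object Name, Authentication, Status
# If synced users appear in the file, trigger a full password hash sync from the
# sync server so the on-premises hashes overwrite those temporary passwords.
Write-Host "Temporary passwords (if any) written to $PasswordFile; protect and then delete this file."
```

Run it only from the AD FS server (or after Set-MsolADFSContext), because the conversion also rewrites the AD FS trust; the same pre-check belongs in any runbook that relies on password sync as the federation fallback.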
Slide 27: Azure AD Connect: federated sign-on (diagram). Diagram labels: Active Directory, Azure AD, Firewall, Firewall.
Slide 28: Making AD FS easier
• Get familiar with the TechNet deployment guidance
• Implement the AD FS and Office 365 requirements
• A public SSL certificate is required for AD FS/WAP
• Use Azure AD Connect for easier deployment
• Add support for multiple domains during cloud federation
• Change the token-signing and token-decrypting certificate expiration
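The last two items above (multiple-domain support and changing the token certificate lifetime) as an added PowerShell example that is not from the deck. The step practitioners miss is the final one: Azure AD validates tokens against the signing certificate it has on file for the domain, so rolling the AD FS token-signing certificate without refreshing the trust breaks Office 365 sign-in for that domain. The script assumes the ADFS and MSOnline modules on the primary AD FS server, a Global Administrator session, and uses contoso.com and the parameter names as placeholders.

```powershell
# Added example (not from the deck): lengthen the AD FS certificate lifetime,
# roll the token certificates, and refresh the federation trust in Azure AD.
# Assumptions: run on the primary AD FS server with the ADFS and MSOnline
# modules as a Global Administrator; "contoso.com" is a placeholder.
param(
    [string] $DomainName   = 'contoso.com',
    [int]    $DurationDays = 1095,          # 3 years instead of the default 365
    [switch] $SupportMultipleDomain         # only if the trust was created with multiple-domain support
)

Import-Module ADFS
Import-Module MSOnline
Connect-MsolService

if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is off; Update-AdfsCertificate only manages self-signed AD FS certificates.'
}

# The new duration applies to certificates generated from now on, not to the
# pair already in use, so generate a new pair. -Urgent promotes the new
# certificate to primary immediately instead of after the usual promotion period.
Set-AdfsProperties -CertificateDuration $DurationDays
Update-AdfsCertificate -CertificateType Token-Signing    -Urgent
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent

$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
Write-Host "AD FS now signs with $($signing.Thumbprint), valid until $($signing.Certificate.NotAfter)"

# Until Azure AD knows the new certificate, tokens signed with it are rejected
# and every Office 365 sign-in for the domain fails, so this step is not optional.
$update = @{ DomainName = $DomainName }
if ($SupportMultipleDomain) { $update.SupportMultipleDomain = $true }
Update-MsolFederatedDomain @update

# Check both sides agree before calling it done: Get-MsolFederationProperty returns
# one row read from AD FS and one row holding what Azure AD currently trusts.
$fed    = Get-MsolFederationProperty -DomainName $DomainName
$onPrem = ($fed | Where-Object Source -eq 'ADFS Server').TokenSigningCertificate.Thumbprint
$cloud  = ($fed | Where-Object Source -eq 'Microsoft Office 365').TokenSigningCertificate.Thumbprint
if ($onPrem -ne $cloud) {
    throw "Token-signing mismatch: AD FS=$onPrem, Azure AD=$cloud. Re-run Update-MsolFederatedDomain."
}
Write-Host "Azure AD trusts the current AD FS token-signing certificate ($cloud)."
```

The same thumbprint comparison is worth scheduling as a monitoring check on its own, since automatic rollover will eventually replace the certificate again without anyone touching the server.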
Slide 29: Azure Active Directory applications
• Currently ~2500 SaaS cloud apps integrate with Azure AD
• Single sign-on support
• Central provisioning in Azure
• User provisioning with local AD groups using Azure AD Premium
• Full SaaS cloud app list: Azure Active Directory Marketplace
Slide 30: SourceAnchor and UserPrincipalName
SourceAnchor (ImmutableID):
• Base64 encoding of the on-premises account's objectGUID
• Static ("immutable") during the entire lifetime of an object
• The SourceAnchor value cannot (easily!) be changed after the object is created in Azure AD
• When the immutable attribute is first selected, it CANNOT be changed!
• Recommended: objectGUID, employeeID. Avoid: mail, userPrincipalName
UserPrincipalName:
• The default logon attribute for users logging in to cloud services
• Keep the default! Don't change it if at all possible
• Changing to another logon attribute is not supported with hybrid Office 365 enabled
Slide 31: Account matching
• Hard match: first attempt, based on objectGUID (ImmutableID)
• Soft match: if unsuccessful, attempt a soft match based on the primary SMTP address
• IMPORTANT: be sure all SMTP domains are verified in the tenant before activating directory synchronization
• If neither an objectGUID nor an SMTP match can be made, a new object is created in Azure AD
• Reactivation of AD Sync overwrites all changes made in Azure AD since the last sync, so back up cloud user data before reactivation!
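The matching order from slides 30 and 31 (hard match on ImmutableID, then soft match on primary SMTP, else a new object), as an added PowerShell example that is not from the deck. It shows how ImmutableID is derived from objectGUID and back, and it covers the case the slides warn about but do not spell out: a soft match only joins a cloud-only object, so an SMTP address that already belongs to a user anchored to a different objectGUID (an AD account that was deleted and recreated, for instance) produces a conflict rather than a join. The user lists are constructed sample data with placeholder GUIDs and contoso.com addresses; in a tenant they would come from Get-ADUser and Get-MsolUser, and the function names are this example's own.

```powershell
# Added example (not from the deck): predict how directory sync will match each
# on-premises user against existing Azure AD users, in the slide's order:
# hard match on ImmutableID (Base64 objectGUID), soft match on primary SMTP,
# otherwise a new object. The two lists at the bottom are constructed sample
# data; in a real tenant build them from
#   Get-ADUser -Filter * -Properties mail,proxyAddresses
#   Get-MsolUser -All
# and pass them to Test-AzureAdMatch.

function ConvertTo-ImmutableId ([guid] $ObjectGuid) {
    # ImmutableID is the Base64 of the GUID's 16 raw bytes in the order
    # Guid.ToByteArray() returns them, not Base64 of the GUID's string form.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId ([string] $ImmutableId) {
    $bytes = [Convert]::FromBase64String($ImmutableId)
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Get-PrimarySmtp ($ProxyAddresses) {
    # The primary address carries an upper-case "SMTP:" prefix; secondaries use "smtp:".
    foreach ($a in @($ProxyAddresses)) {
        if ($a -clike 'SMTP:*') { return $a.Substring(5).ToLowerInvariant() }
    }
}

function Test-AzureAdMatch {
    param($OnPremUsers, $CloudUsers)
    $byAnchor = @{}
    $bySmtp   = @{}
    foreach ($c in $CloudUsers) {
        if ($c.ImmutableId) { $byAnchor[$c.ImmutableId] = $c }
        $smtp = Get-PrimarySmtp $c.ProxyAddresses
        if ($smtp) { $bySmtp[$smtp] = $c }
    }
    foreach ($u in $OnPremUsers) {
        $anchor = ConvertTo-ImmutableId $u.ObjectGUID
        $smtp   = Get-PrimarySmtp $u.proxyAddresses
        $match  = $null
        if ($byAnchor.ContainsKey($anchor)) {
            $match   = $byAnchor[$anchor]
            $outcome = 'HardMatch'
        } elseif ($smtp -and $bySmtp.ContainsKey($smtp)) {
            $match = $bySmtp[$smtp]
            # Soft match only joins cloud-only objects. If the SMTP address belongs
            # to a user already anchored to a different objectGUID, sync reports a
            # conflict (duplicate proxyAddress) instead of joining the two.
            $outcome = if ($match.ImmutableId) { 'Conflict: SMTP owned by another anchor' } else { 'SoftMatch' }
        } else {
            $outcome = 'NewObject'
        }
        $cloudUpn = if ($match) { $match.UserPrincipalName } else { $null }
        [pscustomobject]@{
            OnPremUpn   = $u.UserPrincipalName
            ImmutableId = $anchor
            PrimarySmtp = $smtp
            Outcome     = $outcome
            CloudUpn    = $cloudUpn
        }
    }
}

# ---- constructed sample data (placeholder GUIDs and contoso.com addresses) ----
$aliceGuid = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$carolOld  = [guid]'8c9a0e74-2b1f-4c6d-9e8a-1f2b3c4d5e6f'   # GUID of Carol's deleted AD account
$onPrem = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; ObjectGUID=$aliceGuid;        proxyAddresses=@('SMTP:alice@contoso.com','smtp:a.smith@contoso.com') }
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com';   ObjectGUID=[guid]::NewGuid(); proxyAddresses=@('SMTP:bob@contoso.com') }
    [pscustomobject]@{ UserPrincipalName='carol@contoso.com'; ObjectGUID=[guid]::NewGuid(); proxyAddresses=@('SMTP:carol@contoso.com') }
    [pscustomobject]@{ UserPrincipalName='dave@contoso.com';  ObjectGUID=[guid]::NewGuid(); proxyAddresses=@('SMTP:dave@contoso.com') }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; ImmutableId=(ConvertTo-ImmutableId $aliceGuid); ProxyAddresses=@('SMTP:alice@contoso.com') }  # synced earlier
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com';   ImmutableId=$null;                              ProxyAddresses=@('SMTP:bob@contoso.com') }    # cloud-only
    [pscustomobject]@{ UserPrincipalName='carol@contoso.com'; ImmutableId=(ConvertTo-ImmutableId $carolOld);  ProxyAddresses=@('SMTP:carol@contoso.com') }  # anchored to the old account
)

Test-AzureAdMatch -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
ConvertFrom-ImmutableId (ConvertTo-ImmutableId $aliceGuid)   # round-trips back to the objectGUID
```

In the sample, Alice models a user that was synced before, Bob a cloud-only account that soft-matches, Carol the recreated-account conflict, and Dave a user with no counterpart. Running the report before enabling sync is the cheap way to find the Carol cases, which otherwise surface only as export errors or as duplicate cloud objects.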
Slide 32: Directory Synchronization
IMPORTANT: before activating AD Sync, be sure directory cleanup is completed!
• The primary SMTP address must be unique in the entire enterprise
• No duplicate proxyAddresses may exist
• All UPNs and SMTP addresses must be correctly formatted
• The only supported management tool is the on-premises Exchange Admin Center/Shell
• When the immutable attribute is first selected, it CANNOT be changed!
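The cleanup rules above as a runnable check, added here as an example that is not from the deck. It reports duplicate SMTP addresses across objects, more than one primary address on an object, malformed UPNs and SMTP addresses, and UPN suffixes that are not verified in the tenant (the condition slide 31 flags; an unverified suffix is replaced by the tenant's onmicrosoft.com domain at sync time). The object list is constructed sample data in the shape Get-ADObject returns; the verified-domain list, the address pattern and the function name are this example's own assumptions.

```powershell
# Added example (not from the deck): pre-sync cleanup checks for the rules on
# the slide, run over a directory export. The object list at the bottom is
# constructed sample data; for a real forest replace it with
#   Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' `
#                -Properties userPrincipalName,proxyAddresses
# $VerifiedDomains is a placeholder for the domains verified in the tenant.

$VerifiedDomains = @('contoso.com')
# Conservative address syntax: local part, one "@", dotted domain, no spaces.
$AddressPattern  = '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'

function Find-DirSyncIssue {
    param([Parameter(Mandatory)] $Objects)
    $seen  = @{}   # lower-cased smtp address -> DN of the first object carrying it
    $issue = { param($dn, $attr, $value, $text)
        [pscustomobject]@{ Object = $dn; Attribute = $attr; Value = $value; Issue = $text } }

    foreach ($o in $Objects) {
        $dn = $o.DistinguishedName

        # UPN: must parse as an address, and its suffix must be verified in the
        # tenant, otherwise the cloud sign-in name silently becomes <user>@<tenant>.onmicrosoft.com.
        $upn = $o.userPrincipalName
        if ($upn) {
            if ($upn -notmatch $AddressPattern) {
                & $issue $dn 'userPrincipalName' $upn 'Malformed UPN'
            } elseif ($VerifiedDomains -notcontains $upn.Split('@')[1].ToLowerInvariant()) {
                & $issue $dn 'userPrincipalName' $upn 'UPN suffix is not a verified tenant domain'
            }
        }

        $addresses = @($o.proxyAddresses)
        # Exactly one primary ("SMTP:", upper-case) per mail-enabled object
        $primaries = @($addresses | Where-Object { $_ -clike 'SMTP:*' })
        if ($primaries.Count -gt 1) {
            & $issue $dn 'proxyAddresses' ($primaries -join ';') 'More than one primary SMTP address'
        }
        foreach ($addr in $addresses) {
            if ($addr -notlike 'smtp:*') { continue }     # X500:, SIP: etc. are not checked here
            $value = $addr.Substring(5)
            if ($value -notmatch $AddressPattern) {
                & $issue $dn 'proxyAddresses' $addr 'Malformed SMTP address'
                continue
            }
            $key = $value.ToLowerInvariant()
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $dn) {
                # Reported on the later object, pointing at the first one seen
                & $issue $dn 'proxyAddresses' $addr "Duplicate of address on $($seen[$key])"
            } else {
                $seen[$key] = $dn
            }
        }
    }
}

# ---- constructed sample directory (contoso.com / contoso.local are placeholders) ----
$sample = @(
    [pscustomobject]@{ DistinguishedName='CN=Alice,OU=Users,DC=contoso,DC=local';  userPrincipalName='alice@contoso.com';       proxyAddresses=@('SMTP:alice@contoso.com','smtp:a.smith@contoso.com') }
    [pscustomobject]@{ DistinguishedName='CN=Bob,OU=Users,DC=contoso,DC=local';    userPrincipalName='bob@contoso.local';       proxyAddresses=@('SMTP:bob@contoso.com') }
    [pscustomobject]@{ DistinguishedName='CN=Sales,OU=Groups,DC=contoso,DC=local'; userPrincipalName=$null;                     proxyAddresses=@('SMTP:sales@contoso.com','smtp:a.smith@contoso.com') }
    [pscustomobject]@{ DistinguishedName='CN=Carol,OU=Users,DC=contoso,DC=local';  userPrincipalName='carol smith@contoso.com'; proxyAddresses=@('SMTP:carol@contoso.com','SMTP:csmith@contoso.com','smtp:bad address@contoso.com') }
)
Find-DirSyncIssue -Objects $sample | Format-Table -AutoSize
```

Each sample object is constructed to trip one rule: Bob's UPN suffix is the non-routable contoso.local, the Sales group reuses Alice's secondary address, and Carol has a space in her UPN, two primary SMTP entries and a malformed secondary. Fix everything the report lists with the on-premises Exchange tools before the first sync, because once an object exists in Azure AD its anchor is fixed and duplicates are far harder to undo.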
Slide 33: Common multi-forest topologies
• Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
• Account-resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts, joined on objectSID and msExchMasterAccountSID.
• Separate forests: each object in every forest is represented in Azure AD.
Slide 34: Summary
• Choose the simplest identity model for your requirements
• Cloud identity when there is no on-premises AD
• Synchronized identity for a basic setup; add more later
• Federated identity for additional requirements
• Identity models can be changed as requirements change
• Azure AD Connect will be the new primary sync tool
• Easier AD FS deployment still needs preparation
• Azure AD application integration and single sign-on
• Plan ImmutableID and matching attributes ahead
• Directory synchronization requires proper AD cleanup
Slide 35: Questions!
Slide 36: © 2014 EG A/S. All rights reserved. The content of this material, including the text, images and other graphics and their arrangement, are copyrighted by EG A/S or its affiliated, associated or related companies. EG A/S makes no warranties, express, implied or statutory, as to the information in this presentation.
