
Making sense of Microsoft Identities in a Hybrid world


Are you struggling to make heads or tails of the identity options for Office 365, Azure and on-prem installations? Does the seemingly ever-changing landscape give you hives just thinking about the security implications? What are the recommended topologies, and how in the world would you get started? If you have asked yourself any of these questions, you are not alone!

In this session we will walk through the concepts behind the new world of Identity Management, teach you about Azure Active Directory Connect, and explain some of the troubleshooting that you will likely need to do along the way. At the end of this session you will understand how to get your on-prem identities synced to Azure and be on your way to enjoying all of the benefits of the Microsoft Cloud.


  1. Making Sense of Microsoft Identities in a Hybrid World. Jason Himmelstein, SharePoint MVP, Office 365 Advisory Services Manager. @sharepointlhorn, http://www.sharepointlonghorn.com
  2. Jason Himmelstein
     • SharePoint Server MVP
     • Office 365 Advisory Services Manager, Rackspace
     • ITPro enthusiast, Business Intelligence geek, & general technology fan boy
     • Re-installed Texan, die-hard Spurs, Longhorns, & Jaguars fan
     • Geek Blog: www.sharepointlonghorn.com
     • On the Twitters: @sharepointlhorn
     • GitHub: www.github.com/jasonhimmelstein
  3. Agenda
     • Identity stuff
     • History lesson
     • Defining Terminology
     • Active Directory Core Concepts & Concerns
     • Topology & Security
     • Use Cases
  4. Were you hoping for a dev focused talk?
     • Bad news… we are ITPros! NO DEV TALK HERE
     • Good news… The Microsoft Cloud Show covered the Azure AD dev topics recently! http://www.microsoftcloudshow.com/podcast/Episodes/087-catching-up-with-paul-schaeflein-on-azure-ad-improvements
  5. History lesson
  6. The dark days – SharePoint 2003 & 2007/BPOS
  7. What we were expecting…
  8. What we got…
  9. Age of enlightenment – SharePoint 2010/Office 365 wave 14
  10. What we were expecting…
  11. What we got…
  12. Age of the Internet – SharePoint 2013/Office 365 wave 15
  13. What we were expecting…
  14. What we got…
  15. The future is here… kinda – SharePoint 2016/Office 365
  16. What we are expecting…
  17. What are we going to get?
  18. Defining Terminology
  19. Defining Terminology
     • Active Directory
     • User Principal Name
     • Azure Active Directory
     • Identity as a Service
     • DirSync
     • ADFS
     • Azure AD Connect
  20. Azure AD Connect: Your Identity Bridge (diagram: Azure AD Connect (sync + sign on) between Active Directory / LDAP and Azure AD)
  21. Hybrid Identity management – Azure Active Directory Connect
     • Consolidated deployment assistant for your identity bridge components
     • Common monitoring for your identity bridge components
  22. Active Directory Core Concepts & Concerns
     • FSMO roles, AD DNS, WINS, NETBIOS, etc.
     • Dirty, dirty directories
     • 2003 (Everyone group) --> 2008 (Authenticated Users group)
     • IsCriticalSystemObject objects not synced (like Domain Users)
     • UPN issues around migration
     • Schema extensions
  23. Topology & Security
     • ADFS vs DirSync
     • Multifactor Auth
  24. Same Sign On scenario
  25. Single Sign On scenario
  26. Highly Available Auth scenario
  27. Use Cases
     • Old environment moving to a new Hybrid Estate
     • New Farm Identities
     • Extranet situations
  28. Pre-requisites for Installing Azure AD Connect
     • Office 365 tenant
     • 1 registered domain URL
     • 2 machines:
       – 1 AD Domain Controller (ADDC): Windows 2003 or later
       – 1 domain member server: Windows 2008 or greater (but really, Windows 2012 R2)
  29. Downloads (package downloads on member server)
     • Azure AD Connect – http://go.microsoft.com/fwlink/?linkid=615771&clcid=0x409
     • PowerShell bits
       – Windows PowerShell cmdlets for Office 365 management and deployment: https://www.microsoft.com/en-us/download/details.aspx?id=35588
       – Microsoft Online Services Sign-In Assistant for IT Professionals RTW: http://www.microsoft.com/en-us/download/details.aspx?id=41950
       – Azure AD Module for Windows PowerShell: http://go.microsoft.com/fwlink/p/?linkid=236297
  30. CSSA (The Cloud Search Service Application)
     • Introduced in the August 2015 CU for SharePoint 2013
     • Combines on-prem Search index and SharePoint Online Search
     • Not Federation
       – Search results are not separated
       – Does not require a Search index on-prem
     • Allows cloud services to include onPrem content
     • Todd Klindt’s blog post: Getting Comfortable with the new hybrid Cloud Search Service in SharePoint 2013
  31.–36. Real world example (the script spread across slides 31 to 36, reassembled; the backslashes in the sync client path were lost in extraction and are restored here):

```powershell
Param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $User
)

# Add the Active Directory bits and not complain if they're already there
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Add the Azure Active Directory module
Import-Module MSOnline

# Define AD group that is synced to AAD and is used for ODFB audience
$syncgroupname = "CloudSync"
$syncgroup = Get-ADGroup $syncgroupname

# Location to AAD Connect manual sync EXE
$syncclient = "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"

# Name of the Azure License to apply
$license = "reseller-account:ENTERPRISEPACK"

# Azure AD domain suffix
$aadsuffix = "rackhybrid4.com"

# First, add the user to the group
Add-ADGroupMember -Identity $syncgroupname -Members $User

# Remind them to recompile their SharePoint audience
Write-Host "You'll need to recompile your SharePoint audience to reflect the group change"

# Sync up to Azure AD
& $syncclient

# Now tweak the user in Azure AD
# First connect
Connect-MsolService

# Get the user
$aaduser = "$User@$aadsuffix"

# Set the user's location. Without that the license will fail
Set-MsolUser -UserPrincipalName $aaduser -UsageLocation "US"

# Set the user's license
Set-MsolUserLicense -UserPrincipalName $aaduser -AddLicenses $license
```
  37. MIM (Microsoft Identity Management)
     • The next version of FIM – ILM – MIIS
     • Better cloud and Windows 10 & 2016 support
     • Don’t upgrade SharePoint FIM
     • AD Team Blog Post
  38. The Hybrid Picker
     • Helps you configure your hybrid options
     • Requires August 2015 CU
     • Shows up in Admin Tenant Console
     • Plan for the SharePoint Hybrid Picker
  39. Q & A
  40. me
     • Blog: www.sharepointlonghorn.com
     • Twitter: @sharepointlhorn
     • LinkedIn: www.linkedin.com/in/jasonhimmelstein
     • SlideShare: http://www.slideshare.net/jasonhimmelstein
     • Email: jase@sharepointlonghorn.com
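As an added example (not from the deck), a pre-sync hygiene check in PowerShell for two of the "dirty directory" concerns on slide 22: objects flagged IsCriticalSystemObject, which Azure AD Connect will not sync, and users whose UPN suffix is not a domain verified in the tenant (the cause of most UPN trouble around migration). The $verifiedDomains list is an assumed placeholder, and the mail-vs-UPN check is a common extra that is not on the slide.

```powershell
# Added example, not part of the slide deck. Run on a domain member server with RSAT installed.
Import-Module ActiveDirectory -ErrorAction Stop

# Assumption/placeholder: replace with the UPN suffixes verified in your Office 365 tenant.
$verifiedDomains = @('rackhybrid4.com')

function Get-UpnSuffix {
    param([string] $Upn)
    if ([string]::IsNullOrEmpty($Upn) -or $Upn.IndexOf('@') -lt 0) { return $null }
    return $Upn.Substring($Upn.LastIndexOf('@') + 1).ToLowerInvariant()
}

# Users and groups; "Domain Users" on the slide is a group, so groups are included for the critical-object check.
$objects = Get-ADObject -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' `
                        -Properties sAMAccountName, objectClass, userPrincipalName, mail, isCriticalSystemObject

$report = foreach ($o in $objects) {
    $problems = @()
    if ($o.isCriticalSystemObject) { $problems += 'IsCriticalSystemObject (skipped by Azure AD Connect)' }

    if ($o.objectClass -eq 'user') {
        $suffix = Get-UpnSuffix $o.userPrincipalName
        if (-not $suffix) {
            $problems += 'No UPN set'
        } elseif ($verifiedDomains -notcontains $suffix) {
            # Such users land in the cloud under the *.onmicrosoft.com suffix, breaking same/single sign-on.
            $problems += "UPN suffix '$suffix' not verified in tenant"
        }
        if ($o.mail -and $o.userPrincipalName -and ($o.mail -ne $o.userPrincipalName)) {
            $problems += 'mail differs from UPN (review before migration)'
        }
    }

    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            Name     = $o.sAMAccountName
            Class    = $o.objectClass
            UPN      = $o.userPrincipalName
            Problems = ($problems -join '; ')
        }
    }
}

$report | Sort-Object Class, Name | Format-Table -AutoSize
```

Run it before the first sync and again after any UPN clean-up; an empty table means none of the checked conditions remain.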
