Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to the Cloud. With Azure Active Directory (AAD) driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore Cloud Identity, Identity Federation, Directory Synchronization and most importantly Azure and its impacts on user experience and access of Office 365. Throughout this session, we'll answer the questions that impact you and how your decisions around identity shape your Office 365 experiences.
6. Terminology
What is Identity Management?
“Identity management (IdM) describes the
management of individual principals, their
authentication, authorisation, and privileges within
or across system and enterprise boundaries with
the goal of increasing security and productivity
while decreasing cost, downtime and repetitive
tasks.”
https://en.wikipedia.org/wiki/Identity_management
7. Determining which actions an
authenticated entity is authorized
to perform on the network
Terminology
Verifying that a user, device, or
service such as an application
provided on a network server is
the entity that it claims to be.
Authentication Authorization
8. Terminology
Single Sign On (SSO) is the ability for two disjoint Identity Providers
(IDP) to trust each other such that a user logged in to one does not
need to log in again for the second
Relying Party (RP) is the system that relies on the IDP to
authenticate a user
Security Assertion Markup
Language (SAML)
SAML is a public standard managed by OASIS.
SAML is the identity token and also the
protocol.
WSFED is used for web browser-based
authentication with an IDP. WS-Trust is used by
Office client apps to authenticate.*
WS-Federation (WSFED) / WS-Trust
11. Azure Active Directory
What is AAD?
“Azure Active Directory is a comprehensive identity
and access management cloud solution that
provides a robust set of capabilities to manage
users and groups and help secure access to
applications including Microsoft online services like
Office 365 and a world of non-Microsoft SaaS
applications.”
16. Choosing a Model
Federated Identity
Already have ADFS or a
3rd party IDP
Require immediate
disable or Sign-in Audit
SSO is required
Multiple Forests
CAC or on-premises
MFA
Business requires it
19. The Setup
What are we going to do?
• Office 365 E3 Tenant
• Configure DirSync
‐ Users in targeted OU
‐ One way password sync
‐ Alternate Login ID
20. Prepare and Download DirSync
• Logon to the Portal
• Select Users and groups and then
activate DirSync
‐ Select Users and Groups and
click Set up Active Directory
synchronization
‐ Activate Directory
Synchronization
• Wait for DirSync to enable
• Review all documentation, follow the
implementation steps, and download
DirSync
21. Install DirSync
• Logon to DirSync server and
run setup
• Follow setup wizard
• When finished, option to start
the configuration wizard
22. Configure DirSync
• Run configuration wizard
• Provide O365admin creds
• Provide AD admin creds
• If Exchange hybrid,
configure “write-back”
• Password sync option
• Create configuration
• When finished, option to
run synchronization
24. Alternate Login ID
When your on-premises UPN is non-routable on the public internet and you
can’t easily update UPN suffixes
Requires Windows Server 2012 R2 for AD FS*
Requires comfort with FIM and editing Management Agents
25. Azure AD Sync Services
• DirSync for LDAPv3
‐ Supports multiple forests
‐ Doesn’t include password hash sync
‐ Includes write back capability with Azure AD Premium subscription
• Availability
‐ Relase now available at: http://www.microsoft.com/en-us/download/details.aspx?id=44225
‐ Available today
• Target Identity Providers
‐ Same as FIM 2010 R2 connector
‐ FIM connector details at http://go.microsoft.com/fwlink/?LinkID=270179
26. Office Client Passive Authentication
• SSO with passive authentication
‐ Works with WSFED and SAML 2.0
• Planned for later in 2014
• Will require Office Client updates
‐ Move to Active Directory
Authentication Library (ADAL)
‐ OAUTH for passive authentication
‐ Support for MFA with AAD
‐ CAC/PIV support
SAML 2.0
27. Works with Office 365 – Identity program
• What is it?
‐ Qualification of third party identity
providers for federation with Office 365.
Microsoft supports Office 365 only
when qualified third party identity
providers are used.
• Program Requirements
‐ Published Qualification Requirements
‐ Published Technical Integration Docs
‐ Automated Testing Tool
‐ Self Testing work by Partner
‐ Predictable and Shorter Qualification
‐ http://aka.ms/ssoproviders
*For representative purposes
only.
WS-Trust & WS-
Federation
SAML (passive
auth)
• Flexibility to reuse
existing identity
provider investments
• Confidence that the
solution is qualified by
Microsoft
• Coordinated support
between the partner
and Microsoft
Customer
Benefits
28. Office 365 Federation Options
Suitable for medium, large
enterprises including
educational organizations
Suitable for medium, large
enterprises including
educational organizations
Suitable for educational
organizations
For organizations that
need to use SAML 2.0
30. The end to end Microsoft Stack
WS-Federation
WS-Trust
31. Agenda
Identity Management in Office 365
Identity Scenarios
Synchronisation Demo
Add-ons and More to Think About
32.
33. Resources
• Use third-party identity providers to
implement single sign-on
• Deployment scenarios for Office 365
with single sign-on and Azure
• Choosing a sign-in model for Office
365
• Password hash sync simplifies user
management for Office 365
• Using Alternate Login IDs with
Azure Active Directory
• Office 365 SAML 2.0 Federation
Implementer’s Guide
• Simplified login to Yammer from
Office 365
• Multi-Factor Authentication for
Office 365
• Office 365 User Account
Management