Spunite exploring identity management options in office 365
•Download as PPTX, PDF•
0 likes•1,606 views
These are the slides from my Exploring Officer 365 Identity Management session at SPUnite 2017. A most excellent event that I heartily recommend people attend when it returns!
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Spunite exploring identity management options in office 365
Similar to Spunite exploring identity management options in office 365 (20)
More from Paul Hunt
More from Paul Hunt (15)
Recently uploaded
Recently uploaded (20)
Spunite exploring identity management options in office 365
- 2. Exploring Identity Management options in Office 365 Paul Hunt - MVP
- 3. Who am I?
- 4. Who am I?
- 5. What is this session about?
- 10. In the Office 365 Scenario Trusted Identity Accounts are stored in Azure Active Directory and authenticated by Microsoft. Federated Identity Microsoft detects a federated domain and redirects the user with a claim that needs to be authenticated.
- 26. Common issues
- 27. Outbound Account Sync to Office 365 AAD Connect (Sync Service) Inbound Password & Attribute Sync to Active Directory (Optional) http://bit.ly/installaadc
- 38. • Skype for Business client applications are not supported (inc 2016) • Be aware of the Smart Lockout feature and ensure your AD lockout settings are greater than Azure AD.
- 39. Demo – IdFix, AAD Connect & Pass Through Auth
- 43. How does federation work?
- 52. Demo – ADFS and WAP
- 56. Self Service Password Reset
- 57. Demo – Password Write-Back
- 61. Creating a License template for groups
- 62. Creating a License template for groups
- 64. Migrating from Direct to Inherited
- 65. Pay attention to Assignment Paths!
- 66. Demo – Group Licensing
- 67. Currently expected to be available to E3 and above at General Availability*. *Subject to confirmation
- 73. What is needed?
- 75. Already logged in? Log out and choose forget… Or clear your cookies…
- 76. Limitations
- 83. Demo – Sign-in Branding
- 85. Many options - For Example http://bit.ly/fedthirdparties
- 86. PFE – AD FS Deep Dive (Planning) AD FS Topology Design Guide Customizing the AD FS sign-in pages Customising the Office 365 sign-in pages Running the Office 365 IdFix tool Microsoft Group Licensing Docs Useful Links
Editor's Notes
- I also do woodturning, It’s cheaper than therapy!! SharePoint can be a lot like woodturning.. If you don’t pay attention to what you’re doing, it’s easy to make a mistake and go through the bottom of the bowl!
- In the enterprise, the authentication is generally handled by Active Directory. The user logs on with a username and password, and AD authenticates them. At this stage, we’re not interested in what they’re allowed to do.. Just that they are who they say they are.
- When someone knocks at your door, you generally take a peek through the spy hole to see who it is.
- This is our friend Jane, popping round to study for the Office 365 MCSE! We know Jane and she’s someone we trust, so we open the door and let her in.
- When the gas man turns up to fix a problem, we don’t know him. We recognise the uniform and the ID though, and we TRUST the gas company to verify that person. If we choose to, we can validate his claim to be who he says by calling his company.
- We’ll cover each of these scenarios in depth.
- Adding wharf-consulting.co.uk
- Note the fact that it picks up your registrar if it can! This provides step-by-step instructions for that specific provider! Once you add the new MS value, you will need to wait for DNS to propagate. This can take some time (up to 12-24 hours, though I’ve never seen it take that long!), so be patient.
- Once validated, you can configure DNS..
- If you skip the verification, the domain will show set-up errors (but this can be ignored in a later step)
- This will be shown unless all of the DNS entries are corrected for Office 365 However if you’re not using O365 for Skype or E-mail, you may want to ignore this.
- So by re-running the check DNS wizard, we can then ignore failures. This sets the domain to set-up complete.
- Creating a user with the new UPN is simple.
- And on the same screen, you can apply roles and licenses. (Manual licensing!.. We’ll talk more about licensing after the next 2 methods!)
- And now users can sign in with their domain name.. At this point, we recommend you ensure that their UPN matches their E-mail
- At this point, we recommend you ensure that their UPN matches their E-mail, this makes it much easier for users to remember.
- *Required for federation (the next scenario)
- Download here:- https://www.microsoft.com/en-us/download/details.aspx?id=36832
- *Assuming UPN is correct and Password Sync is in use. Requires Domain to be added as per previous configuration Note: Inbound comms travels back down the outbound established connection.. No external publishing!
- I’m paraphrasing the important ones.. But check http://bit.ly/aadctopologies You can sync to multiple AAD, but you must ensure objects are only synchronised to one! Not recommended
- In this instance, the organisation may have two domains that are distinct from each other. Users exist only in one domain, this is the example we’re looking at today. More advanced scenarios do exist. I recommend reading the supported topologies document. Especially for Hybrid Exchange/Skype and in Resource domain situations
- Some key takeaways: Only a single AAD Connect server allowed per Azure AD (Except for staging) An Active Directory Object can only be synced to ONE Azure AD (Multiple AD sync to separate Azure AD is permitted, but must be syncing separate portions of Active Directory) Again, check your scenario against the whole Azure document. http://bit.ly/aadctopologies
- A staging server is fully installed as a separate AAD Connect server in the environment. This is activated manually using the wizard and you MUST shutdown or change the other server to staging mode A robust build process and a fresh VM is probably better!
- Connector is registered via outbound HTTPS request. Auth requests travel back down this reply route.
- You can run addition connectors on additional servers (Only one per server) Registered through PowerShell.
- The workarounds for the above is to ensure that you synchronised password hashes to Azure AD.
- Demoing the Wizard, and the MIIS client, Portal sync status Install Video and demo for Pass through PowerShell and the Sync commands
- Adding this slide in because EVERYONE needs these commands at some point! Get-ADSyncScheduler Start-ADSyncSyncCycle -PolicyType Delta or Initial MIIS Client
- Note: This requires Synchronised Identity to be configured FIRST!
- Company.com can be our on-premises environment, Azure or a third party federation service
- The basic requirements are: ADFS Server / WAP Proxy Split DNS – Internal/External resolution should be different Published endpoint and matching SSL cert (wildcards are ok!) All communications are over HTTPS/443 (If planning on using Workplace Join, then additional SAN entries are required on the certs) See https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx for more info.
- For resilience, we can load balance the ADFS and WAP servers And I would hope you have more than one DC!! Using Windows internal database you’re limited to 30! Adfs servers Clustering is supported, but I prefer HW Load Balancers as they can use health rules to monitor status
- *not required for ADFS scenarios https://technet.microsoft.com/en-us/library/ee913581(v=ws.11).aspx WID Limits you to 30 ADFS servers and limits some ADFS functions. https://technet.microsoft.com/en-us/library/gg982489(v=ws.11).aspx ADFS 4.0 on Server 2016 – Sizing spreadsheet - http://adfsdocs.blob.core.windows.net/adfs/ADFSCapacity2016.xlsx
- The primary server can be changed using PowerShell. Get-ADFSSyncProperties (Will show Primary computer, or sync details) Set-ADFSSyncProperties –Role PrimaryComputer (Will make the current server the primary.) Then run Set-ADFSSyncProperties –Role SecondaryComputer –PrimaryComputerName <FQDN of Primary>
- Note: This can take up to 1 hour!
- This will remove all entities from ADFS relating to that domain. As previous, this can take up to an hour to take effect!
- This will leave all of the ADFS configuration in place. Which isn’t a problem if your ADFS is in flames..
- Demoing federated domains, ADFS/WAP configuration.
- Protected accounts - https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
- Demoing Peter Falk resetting his password, Eventvwr events etc
- This has been a long time coming and was one of the primary reasons people went to Okta and similar. Should be available to E3 and above at GA.
- You can do it with cloud identities, but it’s lots of portal switching and not worth it.
- What’s the difference? Why both?
- Demoing Group based licensing. http://www.myfatblog.co.uk/index.php/2017/03/azure-ad-group-based-licensing-in-office-365/ http://www.myfatblog.co.uk/index.php/2017/03/azure-ad-group-based-licensing-remediation-of-errors/ Video linked in these.
- This was posted in the Technical Communities Forum.
- We define single sign-on as “The user signs into the device once and is automatically authenticated into everything else from that point on.”
- We define single sign-on as “The user signs into the device once and is automatically authenticated into everything else from that point on.”
- When you log into portals like Portal.office.com, or Powerbi.Microsoft.com, Office 365 doesn’t know who you are or what tenant you’re connecting to. So you must choose an identity.
- Comments on the launch blog state that MS are working on this. (Which hopefully has happened by the time this session runs!) https://blogs.technet.microsoft.com/enterprisemobility/2017/08/02/the-new-azure-ad-signin-experience-is-now-in-public-preview/
- Covering the Home realm discovery, direct links and ADFS https://technet.microsoft.com/en-us/library/dn280950(v=ws.11).aspx https://azure.microsoft.com/en-gb/documentation/articles/active-directory-add-company-branding/
- This is due to the nature of how your users may connect. Generic Portal URLs are unable to ascertain your domain until a username is added.
- 1 – The large image can be changed.. Note: It compresses and enlarges from the top left! 2 – Company logo can be applied 3 – Sign-on instructions can be amended (Note: This is visible to the public, so don’t put anything sensitive here!) 4 – Keep me signed in can be turned off (BUT this can adversely affect some apps!) This logon will be automatically shown when going to service specific URLs, such as www.outlook.com/?realm=wharfconsulting.co.uk but strangely NOT Wharfconsulting.sharepoint.com
- 1 - Company logo 2 - Sign-in image 3 – Page description 4 – Home and privacy links
- Covering Office365/Azure service and ADFS if time!
- http://bit.ly/fedthirdparties Some may require AAD Connect for the write-back elements.
- 2 that I’ve worked with. All publish good guides to working with Office 365 But don’t cover all scenarios, e.g. write back for Exchange, so you may still need AAD Connect. They do add some value, such as license management by AD group.
- Deep Dive Planning - https://blogs.technet.microsoft.com/askpfeplat/2014/11/23/adfs-deep-dive-planning-and-design-considerations/ Design Guide - https://technet.microsoft.com/en-us/library/dn554245(v=ws.11).aspx ADFS Sign-in pages - https://technet.microsoft.com/en-us/library/dn280950(v=ws.11).aspx Office 365 Signin pages - https://azure.microsoft.com/en-gb/documentation/articles/active-directory-add-company-branding/ Running the ID Fix tool - https://support.office.com/en-gb/article/Install-and-run-the-Office-365-IdFix-tool-f4bd2439-3e41-4169-99f6-3fabdfa326ac