Introduction Please answer the survey questions posted at the end of this meeting. Let us know what...

Identities in Microsoft Office 365

Fulvio SalanitroPartner Services Account Manager - Microsoft corporationSupport Webcast Series

Management SurfacesIntroduction

3

• We are recording today’s session, and will have the slide show presentation and the video recording on the original blog post and the Office 365 Community. You can find the video recording on our Video Channel - http://www.youtube.com/microsoftoffice365

• Questions can be asked at the end of the presentation through the Lync Meeting Console.

• We are recording today’s session, please understand that you may be captured in the recording. If you do not wish to be recorded, please do not type in the Lync IM Window or please leave the meeting.

Welcome to the webcast

http://www.youtube.com/microsoftoffice365

4

• Please answer the survey questions posted at the end of this meeting.

• Let us know what sessions you want! Email Josh Topal at [email protected].

• Feel free to give feedback too.

Feedback

mailto:[email protected]

Identities in Microsoft Office 365

Fulvio SalanitroPartner Services Account Manager - Microsoft corporationSupport Webcast Series

Session Agenda

Module 1: Understanding Identities

Module 2: Environment Preparation for Single Sign-On & Directory Synchronization (DirSync)

Module 3: Deploying SSO and ADFS 2.0

Module 4: Deploying Directory Synchronization (DirSync)

Assumed Knowledge

Server Technologies

• Active Directory• Active Directory

Federation Services (AD FS)

• Windows PowerShell™ 2.0

Network Technologies

• AD sites, trusts, & topology

• DNS & related technologies

• Wide area connectivity: networks, equipment, bandwidth, & latency

• Firewall technologies • SSL certificates

Module 1Understanding Identities

Module 1: Understanding Identities

Understanding Identities

Understanding Single Sign-On

Understanding DirSync

Understanding Identity Types

Cloud Identity

• Separate credential from corporate credential

• Authentication occurs via cloud directory service

• Password policy stored in Office 365

Federated Identity

• Same credential as corporate credential

• Authentication occurs via on-premises Active Directory service

• Password policy is stored on-premises

• Requires Directory Synchronization

Identity Usage Scenarios

Cloud Identity Cloud Identity + DirSync Federated Identity*

Scenario Smaller organizations

without on-premises Active Directory

Medium to Large organizations with Active Directory on-premises

Large enterprise organizations with Active Directory on-premises

Pros

Does not require on-premises server deployment

“Source of Authority” is on-premises

Enables coexistence

Password Synchronization (Optional)

Single Sign-On experience

“Source of Authority” is on-premises

2-Factor Authentication options

Enables coexistence

Cons

No Single Sign-On

No 2-Factor Authentication options

2 sets of credentials to manage with, potentially, different password policies

No Single Sign-On

No 2-Factor Authentication options

2 sets of credentials to manage with, potentially, different password policies

Requires on-premises server deployment

Requires on-premises server deployment in high availability scenario

* Requires DirSync

Understanding Single Sign-On(Federated Identity)


Cloud IdentityCloud Identity +

DirSyncFederated Identity*

Scenario• Smaller organizations


• Medium to Large organizations with on-premises Active Directory

• Large enterprise organizations with on-premises Active Directory

Pros

• Does not require on-premises server deployment

• “Source of Authority” is on-premises

• Enables coexistence

• Password Synchronization (Optional)

• Single Sign-On experience


• 2-Factor Authentication options


Cons

• No Single Sign-On

• No 2-Factor Authentication options

• 2 sets of credentials to manage with, potentially, different password policies




• Requires on-premises server deployment

• Requires on-premises server deployment in high-availability scenario

* Requires DirSync

Enables users to access both the on-premises and cloud-based organizations with a single user name and password

Provides users with a familiar sign-on experience

Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools

Single Sign-On | Purpose

Single Sign-On | Benefits

Policy Control

Access Control

Reduced Support

Calls

Security

ADFS 2.x and SSO in Action

Understanding DirSync


Cloud IdentityCloud Identity +

DirSyncFederated Identity*

Scenario• Smaller organizations


• Medium to Large organizations with Active Directory on-premises

• Large enterprise organizations with Active Directory on-premises

Pros

• Does not require on-premises server deployment



• Password Synchronization (Optional)

• Single Sign-On experience


• 2-Factor Authentication options


Cons







• Requires on-premises server deployment

• Requires on-premises server deployment in high-availability scenario

* Requires DirSync

Application that synchronizes on-premises Active Directory with Office 365

x64 application based on FIM

Bundled with SQL Express 2012 SP1

Designed as an appliance: “Set it and forget it”

What is DirSync?

Entire Active Directory forest is scoped for synchronization

What is synchronized? All user objects All group objects Mail-enabled contact objects Passwords are not synchronized (by default, but now possible) Synchronization is from on-premises to Office 365 only Synchronization occurs every 3 hours

DirSync Synchronization

Prepare: Decide on Identity ScenarioFeature Dirsync +Password

SyncSSO with AD FS

Use same username + password Control password policy on-premises No password re-entry if on-premises Client access filtering Authentication occurs on-premises (no credentials on cloud) Support for multi-forest configurations (FIM)

Module 1Environment Preparation

Module 2: Environment Preparation

DNS Preparation

Active Directory Preparation

Office 365 OnRamp

DNS Preparation

Process Start wizard from admin portal Specify domain name Change DNS settings at registrar Verify domain Specify services Change DNS settings at registrar

TipsDNS record verification—be patient (can take up to 72 hours)

Adding a Domain

Add and Modify DNS Records

Verify Domain Ownership

Register Company’s TXT or MX Record

Active Directory(AD) Preparation

Minimum: User Name, First Name, Last Name, Display Name

Populate non-required attributes for GAL/SharePoint Online (Title, address, city, state, and zip)

Unsupported characters: Microsoft Online Deployment Guide lists all (e.g., Space ( ) @ ‘ | = ? /)

Preparing Active Directory Attribute Cleanup

Only routable domains can be used with ADFS deployment

Non-routable domains include .local OR .loc OR .internal

If organization has AD with only internal namespace, it must: Add a routable UPN suffix in Active Directory Forests and Trusts. Configure each user with that routable UserPrincipalName suffix

Preparing to Deploy Federation Server Farm

[email protected] [email protected]

Preparing to Deploy Federation Server Farm

DEMO:Setting Up UPN Suffix

Office 365 OnRamp

OnRamp for Office 365 is an automated assistance tool that helps you gather configuration requirements and perform deployment readiness checks against your on-premises environment.

OnRamp can accelerate the deployment timeline, especially for organizations with requirements such as identity federation or hybrid deployment.

Tool is available at: https://onramp.office365.com/onramp

Overview

https://onramp.office365.com/onramp

Why SSL certificates? SSO experience; ActiveSync Secure communications Auto-discover the Exchange Server

Certificates required for these Office 365 components: Exchange on-premises Single sign-on (for both the ADFS federation servers and ADFS

federation server proxies) Auto-discover, Outlook Anywhere, Exchange ActiveSync, and

Exchange Web Service (EWS) Exchange hybrid server

Planning for SSL Certificates

Module 3: Deploying SSO & ADFS 2.0

Module 3: Deploying SSO & ADFS 2.0 Deploying Active Directory Federation Server

Deploying Active Directory Federation Server Proxy

AD FS 2.x ComponentsAD FS 2.x Server

• Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service

• Recommend using at least two federation servers in a load-balanced configuration

AD FS 2.x Proxy Server

• Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm

• Federation server proxies should be deployed in the DMZ

Windows Server 2008/2008R2 or Windows Server 2012

PowerShell

Web Server (IIS)

.NET 3.5 SP1

Windows Identity Foundation

Publicly registered domain name

SSL Trusted Public Certificates

Windows Azure Active Directory Module for Windows PowerShell

Microsoft Online Sign In Assistant

High availability design

Single Sign-On | Server Requirements

Internet Explorer 8.0 or later

Firefox 10.0

Chrome 17.0 or later

Safari 5.0 or later

Microsoft Office 2010/2007 (Latest Service Pack)

Microsoft Office for Mac 2011 (Latest Service Pack)

Microsoft Office 2008 for Mac version 12.2.9

Office 365 Desktop Setup (Suggested)

Microsoft Online Sign In Assistant

Single Sign-On | Client Requirements

1) Single server configuration

2) AD FS 2.x Server Farm and load-balancer

3) AD FS 2.x Proxy Server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook)

AD FS 2.x Deployment Options

EnterprisePerimeter

AD FS 2.x ServerProxy

External UserInternal

user

ActiveDirectory

AD FS 2.x Server

AD FS 2.x Server

AD FS 2.x ServerProxy

Understanding client authentication path

Lync 2010/Office Subscription

Active Sync

Corporate Boundary

Exchange Online

AD FS 2.0Server

MEX

Web

Active

AD FS 2.0 Proxy

MEX

Web

Active

Outlook 2010/2007IMAP/POP

UsernamePassword

UsernamePassword

OWAInternal

Lync 2010/Office Subscription

Outlook 2010/2007IMAP/POP

OWAExternal

UsernamePassword

Active Sync

UsernamePassword

Basic auth proposal: Pass

client IP, protocol, device name

Preparing to Deploy Fed. Server FarmActive Directory running in Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 with a functional level of mixed or native mode

AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012

AD FS 2.x Proxy deployed, if some users are connecting from outside the company’s network

Windows Azure Active Directory Module for Windows PowerShell to establish a trust with Office 365

Required updates installed for Office 365

A unique third-party certificate when installing and configuring federation servers and federation server proxies

Only routable domains can be used with ADFS deployment

Non-routable domains include .local OR .loc OR .internal

If organization has AD with only internal namespace, it must: Add a routable UPN suffix in Active Directory Forests and Trusts. Configure each user with that routable UserPrincipalName suffix

See Module 2 for full procedure

Preparing to Deploy Fed. Server Farm

[email protected] [email protected]

Deploying Active Directory Federation Server

AD FS 2.xAD FS 2.x Server

• The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service

• We recommend the use of at least two federation servers in a load-balanced configuration

DEMO:Creating a Certificate Request with Third-Party SSL Certificate Provider

Windows Server 2012

Buy and request a certificate from a Third-Party SSL Certificate Provider

DEMO:1. Download Windows

Azure Active Directory Module for Windows PowerShell

2. Create AD FS Service Account

Deploying a Federation Server Farm

Windows Server 2008















Windows Server 2012






















You must install AD FS 2.0 hotfixes after installing AD FS 2.0

As previously mentioned, an Update Rollup 2 for AD FS 2.0 is available

Only applicable with Windows 2008/2008R2

Important! Update Federation Server Farm

Complete Federation via PowerShell

Command Description

$cred=Get-Credential Prompt for Office 365 credentials and store them in a variable

Connect-MsolService –Credential $cred

Connect to Office 365 using stored credentials

Set-MSOLAdfscontext -Computer <AD FS 2.x primary server>

Specify the local AD FS 2.x Server

Convert-MSOLDomainToFederated –Domainname <domain.com>

Convert the standard local domain to an Identity Federated Domain

Get-MSOLFederationProperty Show Identity Federation Proprieties



Test Federation via PowerShell

DEMO:Create a New Host (A or AAAA)

Deploying Active Directory Federation Server Proxy

AD FS 2.x

AD FS 2.x Proxy Server

• Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm

• Federation server proxies should be deployed in the DMZ

External-facing federation server proxies are required if:

An organization will use Outlook clientsUsers will access Office 365 for enterprise from home or public locationsUsers will access Office 365 for enterprise via mobile devices

Prerequisites to deploy federation server proxies are:

Federation Server Proxy | Prerequisites

Federation server proxies deployed in the edge/DMZ networkFederation servers & federation server proxies able to communicate over TCP 443AD FS 2.x deployed on a Windows Server 2008/R2 or Windows Server 2012Internet Information Services (IIS) 7 or 7.5 installed + Imported Certificate.NET Framework 3.5 SP1 installed

DEMO:Deploying a Federation Proxy

Windows Server 2012

Deploying a Federation Proxy














DEMO:Deploying a Federation Proxy

Windows Server 2008







DEMO:Configure Host FileConfigure AD FS Proxy

Next Step: Synchronize with AD

AD FS 2.x and SSO are now in place, but there are no users inside the Office 365 subscriptionWe will need to replicate our users from the local AD to Office 365

We will deploy and use DirSync for that purpose (see Module 4)

Deployment Considerations

Deployment Architecture

Number of users Minimum number of servers

Fewer than 1,000 users0 dedicated federation servers0 dedicated federation server proxies 1 dedicated NLB server

1,000 to 15,000 users2 dedicated federation servers2 dedicated federation server proxies

15,000 to 60,000 usersBetween 3 and 5 dedicated federation serversAt least 2 dedicated federation server proxies

Revert from Federated to Cloud Identity

Use the following method only if this condition is true:The problem is caused by an on premise service outage that requires immediately restoring user access or the Active Directory Federation Services (AD FS) 2.0 server is available.

Additional Info:http://support.microsoft.com/kb/2662960/en-us

http://support.microsoft.com/kb/2662960/en-us

http://support.microsoft.com/kb/2662960/en-us

Revert from Federated to Cloud Identity

$cred = Get-CredentialWhen you are prompted, enter Office 365 administrator credentials that are not SSO-enabledConnect-MsolService –credential $credSet-MsolADFSContext –Computer <AD FS 2.x server name>Note In this command, the placeholder <AD FS 2.x server name> represents the name of the primary AD FS 2.x serverConvert-MSOLDomainToStandard –DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt

The userpasswords.txt file will contain the Cloud Identity passwords for all users.

The AD FS 2.x federation service can support access policies for allowing or denying access based upon the combination of the user requesting access and the IP address of his devices.

Client Access Policy

Scenario Description

Block all external access to Office 365

Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Block all external access to Office 365, except Exchange ActiveSync

Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Block all external access to Office 365, except for browser-based applications

Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Block all external access to Office 365 for members of designated Active Directory groups

This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory group. It can also be used to provide external access only to members of a group.

Module 4: Deploying Directory Synchronization (DirSync)

Enables “run state” administration and management of users, groups, and contactsSynchronizes adds/deletes/modifications of users, groups, and contacts from on-premise to Office 365

Not intended as a single use bulk upload tool

DirSync | Enables Single Sign-On

Do not install the Directory Synchronization tool on the same computer that has Active Directory Federation Services (AD FS) 2.0 installed on it

Install and Upgrade the Microsoft Online Services Directory Synchronization toolhttp://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652545.aspx

Deploy and Configure AD FS 2.x and then DirSync

Important Deployment Notes

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652545.aspx

DirSync Requirements Overview

Computer must be joined to an Active Directory domain within the same forest that will be synchronized with Office 365Does not have to be joined to the root domain

Computer must be able to communicate with any/all domain controllers forest wide

Computer should be located in an access controlled environmentShould be limited to those with access to domain controllers and other security sensitive systems

DirSync | Server Requirements

DirSync | Software Requirements

Windows Installer 4.5 or

later

Windows PowerShell version 2.0

Microsoft .NET Framework

version 3.5 or later

Windows Server 2008 R2 x64

with the latest service pack

installed

Minimum of 1GB hard drive space600 MB for a complete installation of all Directory Synchronization Tool components400 MB required to create the initial database file

Additional hard drive space most likely required for mid-size or larger companies

Server hardware should meet the minimum requirements for SQL Server 2012 Express Edition and FIM (x64)

DirSync | Hardware Requirements

Recommend a system that exceeds the minimum requirements:

DirSync | Hardware Recommendations

Number of objects in Active Directory CPU Memory Hard disk size

Fewer than 10,000 1.6 GHz 4 GB 70 GB

10,000–50,000 1.6 GHz 4 GB 70 GB

50,000–100,000 1.6 GHz 16 GB 100 GB

100,000–300,000 1.6 GHz 32 GB 300 GB

300,000–600,000 1.6 GHz 32 GB 450 GB

More than 600,000 1.6 GHz 32 GB 500 GB

Account used to install DirSync must have:Local machine administrator permissionsIf using full SQL, rights within SQL to create the DirSync database, and to setup the SQL service account with the role of db_owner

Account used to configure DirSync must reside in the local machine MIISAdmins groupAccount used to install DirSync is automatically added

Administrator permission in the Office 365 tenant

DirSync uses an administrator account in the tenant to provision and update/modify objects

DirSync | Permission Requirements

Enterprise Administrator permission in the on-premise Active DirectoryCredential is not stored/saved by the configuration wizardUsed to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest

Used to delegate the following permissions on each domain partition in the forest:

Replicating Directory Changes Replicating Directory Changes allReplication Synchronization

DirSync | Permission Requirements


Entire Active Directory forest is scoped for synchronization

What is synchronized? All user objects All group objects Mail-enabled contact objects Passwords are not synchronized (by default, but now

possible) Synchronization is from on-premises to Office 365 only

(unless “write-back” is enabled)

Synchronization occurs every 3 hours

Use “Start-OnlineCoexistenceSync” cmdlet to force a sync


First synchronization cycle after installation is a full synchronizationTime-consuming process relative to number of objects synchronized~5000 objects per hour

Subsequent synchronization cycles are deltas only Much faster

Not all on-premises attributes synchronized for each object type, but 100+ attributes are synchronized


Once implemented, on-premises AD becomes the “source of authority” for synchronized objects

Modifications to synchronized objects must occur in the on-premises ADSynchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant

Scoping/FilteringCustom scoping or filtering is officially supported (guidance available here: http://technet.microsoft.com/en-us/library/jj710171.aspx )


http://technet.microsoft.com/en-us/library/jj710171.aspx

Activate DirSync

DirSync activation could require up to 48 hours, plan this activity in advance!

Download DirSync

Installation

Installation

Configuration

Configuration

The configuration Wizard will enable this specific option ONLY if the forest schema has been already extended for Exchange 2010/2013

This is a requirement for an Hybrid Environment

Configuration

Configuration

Configuration

Configuration

Users Sync Results on Office 365 Portal

DEMO

Troubleshooting

In a SSO Enviroment, when I try to login to Office 365 I get (everytime) a popup window asking for my credentials.

Issue 1

In a SSO Enviroment, when I try to login to Office 365 from outside my organization(ADFS Proxy), I receive an error message.

Issue 2

Reference Number will be always different

Q&A and Feedback

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Date post:	24-Dec-2015
Category:	Documents
Upload:	theodore-matthews
View:	214 times
Download:	0 times

Introduction Please answer the survey questions posted at the end of this meeting. Let us know what...

Documents