Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory
DMI309
Jono Luk and David Brandt, Program Managers, Microsoft
Agenda
• Office 365 Identity Management
• What's new
• What is Directory Integration?
• What are my options?
• Common Scenarios
• How Sync Works
• How Single Sign-On Works
• How Multi-factor Authentication Works
Microsoft Cloud Services
• A user with a Microsoft Account (ex: [email protected]) signs in through Microsoft Account
• A user with an Organizational Account (ex: [email protected]) signs in through Windows Azure Active Directory
Common Identity Platform for Organizational Accounts
Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts. It can extend your existing on-prem Active Directory into the cloud.
(diagram: Windows Azure Active Directory provides the directory store and the authentication platform that your app builds on)
Office 365 Identity Management
• Cloud Identities: a single identity in the cloud, suitable for small organizations with no integration to on-premises directories
• Synchronized Passwords: a single identity, suitable for medium and large organizations without federation
• Federated Identities: a single federated identity and credentials, suitable for medium and large organizations
How to Choose Your Identity Solution
Comparison of Cloud IDs, Password Sync and Federated IDs; the slide marks which of the three provides each capability:
• Same password to access resources on-premises and in the cloud
• Can control password policies on-premises
• Single Sign-on for no password re-entry if on-premises
• Client access filtering by IP, client type, or by time schedule
• Authentication occurs and is audited on-premises
• Can immediately block disabled accounts on-premises
• Change password available from the web
• Works with Forefront Identity Manager 2010 R2
• Can customize the User Sign-in Page
• Use with cloud based Multi-Factor Authentication
• Use with on-premises based Multi-Factor Authentication
Source: http://technet.microsoft.com/en-us/library/jj573649.aspx
Did You Know…?
• We have added support for non-ADFS STSs
• Supported providers currently include: Shibboleth, Ping Federate, OptimalIDM
• Some feature gaps: Shibboleth doesn't support the Lync 2010 client; Ping Federate doesn't support Windows Integrated Auth
• Azure Active Authentication Service: support for cloud based Multi-factor Authentication, now included with Office 365
• Azure Active Directory Graph API: REST API for programmatic access to data in Azure AD; can build multi-tenant applications or custom LOB apps
Did You Know…?
• SAML-P 2.0 Federation with Office 365: SAML 2.0 SP-Lite Profile for federated sign-on with Office 365 services; sign into Office 365 Outlook Web Access and SharePoint using on-premises creds
• Support for Multiple Active Directory Forests: Azure Active Directory Connector for FIM 2010 R2
• Support for non-AD Directories: LDAP DirSync; Azure Active Directory Connector for FIM 2010 R2
• Multi-Factor Authentication for Office 365
• S/MIME Encryption now supported
Works with Office 365 – Identity Program
What is it? Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
(diagram, for representative purposes only: providers such as Active Directory with ADFS and Shibboleth, federating over WS-Trust & WS-Federation, WS-Federation (passive auth) and SAML (passive auth))
Customer Benefits
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft
Best Practices for Exchange
• Pick the solution that's right for you! Different customers have different scenarios requiring different solutions
• Minimize your on-premises infrastructure requirements: Cloud IDs and Managed IDs with Password Sync (i.e. same sign-on) minimize your on-premises infrastructure and availability requirements vs. Federated IDs
• You don't need to use SSO just because you Sync, but you should Sync in order to use SSO
• Could use PowerShell to create your directory data, but you incur management overhead and it is not a formally documented or supported scenario
Best Practices for Exchange – Cont'd
• Use SSO only if you need to
• SSO solution doesn't constrain Sync solution: you can use any Sync solution with ADFS or a non-AD STS
• You can control what objects sync into Azure AD
• You can't control which parts of objects sync (coming soon!)
Identity Related Things To Consider…
• One or multiple tenants? Example: do 3 on-prem Exchange orgs mean 3 tenants?
• Non-AD sources: DirSync for LDAPv3, similar to the existing FIM 2010 R2 connector, except single directory only. Availability: preview in Summer 2014, release later in 2014
• What provisioning tools do I use? Graph / DirSync / etc.
Common Topologies
• If configuring SSO for n Azure AD tenant scenarios, every namespace (UPN domain suffix) must be associated with at most one tenant in Azure AD
• Multiple Exchange forest support coming soon

Account Directory | Exchange Orgs | Azure AD | Supported? | Sync Solution
1 AD Forest | 1, in AD forest | 1 Tenant | Yes | DirSync
1 AD Forest | n resource forest(s), will retire all Exchange Forests | 1 Tenant | Yes | DirSync
n AD Forests | n in resource forest(s), will not retire | 1 Tenant | Yes | FIM + AAD Connector
1 LDAP Directory | N/A | 1 Tenant | Yes | LDAP DirSync
1 AD Forest | | n Tenants | Yes | FIM + AAD Connector OR n DirSyncs
Non-AD directory | N/A | n Tenants | Yes | FIM + AAD Connector
n AD Forests + m non-AD | N/A | n Tenants | Yes | FIM + AAD Connector
Common Scenarios
• 1 Account forest with 1 Resource Forest may LOOK like Multiple AD Forests, but not really
• Can solve with the DirSync tool
(diagram: a Login Forest with AD FS and a Resource Forest (migrate data) feed one DirSync into an Azure AD Tenant; labelled "sync, UPN, ImmutableID")
Common Scenarios
• Single Forest, Multiple Tenants
• Is supported with the DirSync Appliance
• Is supported with the new Azure AD Connector
• Is supported with a single AD FS farm or multiple farms
• Caveat: every object in the source AD must appear in only ONE tenant in the cloud
(diagram: one AD Forest with AD FS, with a separate DirSync for each Azure AD Tenant)
Multi-forest Decision Flowchart
(flowchart; nodes: Start; Number of Active Directory forests (Single (1) / Multiple (>1)); Want to consolidate to a single forest? (Yes / No); See consolidation whitepaper, after consolidation; Number of Exchange Orgs (None (0) / Single (1)); Use Single Forest DirSync; Use FIM 2010 R2 Connectors)
Consolidation whitepaper: http://technet.microsoft.com/library/cc974332.aspx
Windows Azure AD Connector for FIM 2010 R2
For organizations with complex AD and non-AD scenarios:
• Multi-forest AD scenarios
• Non-AD on-prem directories, through Microsoft premier deployment support
Requirements: FIM 2010 R2 Sync Engine; Windows Azure Active Directory Connector for FIM 2010 R2 (http://technet.microsoft.com/library/dn511001.aspx)
How Sync Works
Key pieces of sync to note:
• SourceAnchor: the link between the on-prem object and the cloud object; stamped when the object is created in the cloud; must be immutable for the lifetime of the object
• Soft-match: our "fuzzy match"; if no SourceAnchor match is available, fall back to soft-match to best-guess which object in the cloud corresponds to the on-prem object; match is based on Primary SMTP
Example: User Provisioning
(diagram: Active Directory feeds the DirSync Front-Ends, which together with the Graph/PS Front-Ends and Admin portals drive the provisioning workflows for Exchange Online, OneDrive and Windows Intune)
How Sync Works
• Syncs all objects, with some exceptions: does not sync default accounts (Administrator etc); does not sync system objects
• Directory Sync can be turned off, but it takes time
• Options that can't be changed: scoping the attributes that sync; the sync timeframe is every 3 hours
How Sync Works
• Soft Delete/Recycle Bin: objects that have been "deleted" are kept in the Recycle Bin and automatically purged after 30 days
• If deleted on-prem (and therefore in Azure AD), recovering the object in on-prem AD will recover it in the cloud!
• If deleted in AD: recover the object (keeping the SourceAnchor consistent)
• If "dropped out of scope": recovery is just bringing the object back into scope
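An added example (not from the deck) that models the matching rules above: SourceAnchor first, soft-match on Primary SMTP as the fallback, and recovery of a soft-deleted cloud object when the same anchor reappears. It assumes the SourceAnchor is the base64 form of the on-prem objectGUID and that the sample directory data is constructed here.

```python
import base64
import uuid


def source_anchor(object_guid: uuid.UUID) -> str:
    """SourceAnchor as assumed in this example: base64 of the 16 GUID bytes."""
    return base64.b64encode(object_guid.bytes_le).decode("ascii")


def match_cloud_object(onprem: dict, cloud: list) -> tuple:
    """Return (cloud_object, how) for one on-prem object.

    1. A SourceAnchor match always wins; if that cloud object is soft-deleted
       it is restored rather than recreated, so the anchor stays consistent.
    2. Otherwise soft-match on Primary SMTP, but only against live cloud
       objects that carry no anchor yet (cloud-born objects taken over by sync).
    3. No match, or more than one candidate: provision a new object.
    """
    anchor = onprem["source_anchor"]
    for obj in cloud:
        if obj.get("source_anchor") == anchor:
            if obj.get("deleted"):
                obj["deleted"] = False
                return obj, "restore"
            return obj, "anchor"
    smtp = onprem["primary_smtp"].lower()
    candidates = [o for o in cloud
                  if not o.get("source_anchor") and not o.get("deleted")
                  and o["primary_smtp"].lower() == smtp]
    if len(candidates) == 1:
        candidates[0]["source_anchor"] = anchor  # stamped once, then immutable
        return candidates[0], "soft"
    return None, "create"


def demo_sync() -> dict:
    """Constructed sample: four on-prem users against a small cloud tenant."""
    names = ["alice", "bob", "carol", "dave"]
    g = {n: source_anchor(uuid.UUID(int=i)) for i, n in enumerate(names, 1)}
    cloud = [
        {"primary_smtp": "alice@contoso.example", "source_anchor": g["alice"]},
        {"primary_smtp": "Bob@contoso.example"},  # cloud-born, no anchor yet
        {"primary_smtp": "carol@contoso.example", "source_anchor": g["carol"],
         "deleted": True},  # sitting in the recycle bin
    ]
    onprem = [{"primary_smtp": f"{n}@contoso.example", "source_anchor": g[n]}
              for n in names]
    return {u["primary_smtp"]: match_cloud_object(u, cloud)[1] for u in onprem}
```

Running demo_sync() shows alice matched by anchor, bob taken over by soft-match, carol restored from the recycle bin and dave provisioned as new.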
Password Sync
• A feature in DirSync: no additional software, no additional reboots!
• Synchronizes password hashes from on-prem AD to Azure Active Directory
• Checks for password updates every 2 minutes; regular DirSync still runs every 3 hours
Password Sync
• On-premises password policies apply
• Passwords of password-sync'ing users "never expire" in the cloud
• Change password links are hidden for password-sync'ing users
• Syncs passwords for all managed users (Federated and Non-Federated)
Integration Requirements
• AD FS 2.0 and SSO: Windows 2008+
• Directory Sync host OS: Windows Server 2008 R2+ (includes Server 2012 R2); can be installed on a Domain Controller
• SQL: SQL Server 2008 R2+ (the default DirSync install uses SQL 2012 SP1 Express)
• Source AD: Windows Server 2003+
• Supports virtualization
Using Azure IaaS VMs
• Can deploy DirSync and ADFS in Azure; whitepaper available: http://www.microsoft.com/downloads/details.aspx?FamilyID=72c15d25-6515-4763-9b76-054362b58398
• Removes on-premises hardware requirements
• Must have line of sight (VPN) to on-premises
• Still requires an AD FS proxy
• Requires an AD DC in the Azure cloud for SSO
• Does not remove management or HA requirements
SSO and Office 365
• Why it's good for Admins: a single credential to manage; credentials stored on-premises; a single place to manage policies (on-premises workstation restrictions etc); the IDP is your AD
• Why it's great for Users: I have a single credential; in most cases I don't need to enter my credentials more than once (even if I am, it is always the same credential)
Sign On Experiences for O365
(table; for each client type and identity type the slide shows whether the user is prompted (No Prompt, Username, or Username and Password) and which credential is used (AD credentials or Online ID))
Client types:
• Web Clients: Office 2010, Office 2007 SP2 with SharePoint Online; Outlook Web Application (remembers last user)
• Mail Clients: Office 2010, Office 2007 SP2; Active Sync/POP/IMAP; Entourage (can save credentials)
• Rich Applications (SIA): Lync Online; Office Subscriptions; CRM Rich Client; Office 2013 (can save credentials)
Identity types:
• SSO IDs (from domain joined machines)
• Cloud IDs
• Password Sync (SSO from non-domain joined machines)
Client to End Points Usage
(diagram: inside the corporate boundary, Lync 2010/Office Subscription, Active Sync, Outlook 2010/2007 IMAP/POP and OWA (internal) present username/password to the AD FS 2.0 Server through its MEX, Web and Active endpoints; outside the boundary the same clients plus OWA (external) reach the AD FS 2.0 Proxy, which exposes the same MEX, Web and Active endpoints, on the way to Exchange Online)
Basic auth proposal: pass client IP, protocol, device name
Identity Federation: Authentication flow (Passive/Web profile)
(diagram: a client joined to CorpNet authenticates to the customer's AD FS 2.0 Server, which validates against Active Directory and issues a Logon (SAML 1.1) Token carrying UPN [email protected] and User Source ID ABC123; the Microsoft Online Services authentication platform exchanges it for an Auth Token carrying UPN [email protected] and ID 254729, which is presented to Exchange Online or SharePoint Online)
Identity Federation: Authentication flow (MEX/Rich Client Profile)
(diagram: the same token exchange as the passive flow, with the client talking to the AD FS 2.0 Server's MEX endpoint and the resulting Auth Token presented to Lync Online; the Microsoft side is the customer's Windows Azure Active Directory)
Exchange – Proxy Auth
(diagram: the client sends Basic Auth credentials (username/password) to Exchange Online; the authentication platform presents them to the customer's AD FS 2.0 Proxy, which forwards to the AD FS 2.0 Server; the server validates against Active Directory and issues the Logon (SAML 1.1) Token with UPN [email protected] and User Source ID ABC123, exchanged for the Auth Token with UPN [email protected] and ID 254729)
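An added example (not from the deck) that models the second half of the flows above: the authentication platform takes the AD FS logon token, checks that the UPN suffix is federated with exactly one tenant (the namespace rule from the Common Topologies slide), binds the token to the cloud object through its immutable ID, and issues its own token. The token is represented as a dict and the tenant registry is constructed here; ABC123 and 254729 are the IDs shown on the slide.

```python
def resolve_federated_logon(logon_token: dict, tenants: dict) -> dict:
    """Exchange an AD FS logon token {upn, immutable_id} for a cloud auth token.

    Returns {upn, cloud_id, tenant} on success or {error: ...} otherwise.
    """
    upn = logon_token["upn"]
    suffix = upn.rsplit("@", 1)[-1].lower()
    owners = [name for name, t in tenants.items()
              if suffix in t["federated_domains"]]
    if len(owners) != 1:
        # A UPN suffix must belong to at most one tenant; no owner means the
        # domain is not federated, so an AD FS token is not accepted for it.
        return {"error": "unknown-or-ambiguous-domain", "suffix": suffix}
    tenant = tenants[owners[0]]
    user = tenant["users_by_anchor"].get(logon_token["immutable_id"])
    if user is None:
        return {"error": "no-user-for-immutable-id"}
    if user["upn"].lower() != upn.lower():
        # The immutable ID is the binding; a UPN mismatch usually means stale sync.
        return {"error": "upn-mismatch", "cloud_upn": user["upn"]}
    return {"upn": user["upn"], "cloud_id": user["cloud_id"], "tenant": owners[0]}


def demo_logon() -> list:
    """Constructed sample directory with two federated tenants."""
    tenants = {
        "contoso": {"federated_domains": {"contoso.example"},
                    "users_by_anchor": {"ABC123": {"upn": "user@contoso.example",
                                                   "cloud_id": "254729"}}},
        "fabrikam": {"federated_domains": {"fabrikam.example"},
                     "users_by_anchor": {}},
    }
    tokens = [
        {"upn": "user@contoso.example", "immutable_id": "ABC123"},   # valid
        {"upn": "user@contoso.example", "immutable_id": "ZZZ999"},   # never synced
        {"upn": "user@tailspin.example", "immutable_id": "ABC123"},  # not federated
    ]
    return [resolve_federated_logon(t, tenants) for t in tokens]
```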
Client Access Filtering
• For blocking external access for Outlook
• Scenarios: block all external access; allow external access for specific mail clients (Active Sync, POP/IMAP); allow external access to web applications (OWA, SharePoint); requires ADFS Proxy
• Can combine the above with group limitations
• No granularity on limiting Lync Online/Office Subscription services externally, i.e. any rule above blocks access
• Enabled through client issuance rules in AD FS 2.0
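An added example (not from the deck) that models the decision the AD FS 2.0 client issuance rules express for the scenarios above, including the group exception and the Lync/Office Subscription caveat. The claim type URIs are the AD FS request-context and group SID claim types; the client application names, the proxy name and the group SID are constructed assumptions for this example.

```python
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"

# Mail clients allowed from outside (assumed application names in this example).
EXTERNAL_MAIL_APPS = {"Microsoft.Exchange.ActiveSync", "Microsoft.Exchange.Pop",
                      "Microsoft.Exchange.Imap"}


def external_access_allowed(claims: dict, exempt_group_sid: str = "") -> bool:
    """One request's claims (claim type -> value); True means issue the token.

    The x-ms-proxy claim is only present when an AD FS proxy relayed the
    request, which is why the filtering scenarios require an ADFS Proxy.
    """
    if PROXY not in claims:
        return True   # reached AD FS directly: internal, never filtered
    if exempt_group_sid and claims.get(GROUP_SID) == exempt_group_sid:
        return True   # group limitation combined with the rules below
    if claims.get(ENDPOINT, "").startswith("/adfs/ls/"):
        return True   # passive endpoint: OWA and SharePoint Online
    if claims.get(CLIENT_APP) in EXTERNAL_MAIL_APPS:
        return True   # ActiveSync / POP / IMAP relayed by Exchange Online
    return False      # everything else through the proxy: Outlook, Lync, Office Subscription


def demo_filtering() -> list:
    """Constructed requests; one entry per scenario on the slide."""
    sid = "S-1-5-21-1-2-3-1001"
    requests = [
        {ENDPOINT: "/adfs/ls/"},                                              # internal OWA
        {PROXY: "adfsproxy01", ENDPOINT: "/adfs/ls/"},                        # external OWA
        {PROXY: "adfsproxy01", CLIENT_APP: "Microsoft.Exchange.ActiveSync"},  # external ActiveSync
        {PROXY: "adfsproxy01", CLIENT_APP: "Microsoft.Exchange.RPC"},         # external Outlook
        {PROXY: "adfsproxy01",
         ENDPOINT: "/adfs/services/trust/2005/usernamemixed"},                # Lync: no granularity, blocked
        {PROXY: "adfsproxy01", CLIENT_APP: "Microsoft.Exchange.RPC",
         GROUP_SID: sid},                                                     # exempt group
    ]
    return [external_access_allowed(r, exempt_group_sid=sid) for r in requests]
```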
Multi-Factor Authentication Scenarios
• Federated Users: Office 365 resources just need Multi-Factor Authentication for Office 365; use Azure Multi-Factor Authentication Server for other ADFS connected applications
• Hybrid: on-premises server applications require Azure Multi-Factor Authentication Server. Example: MSIT Lync on-premises and Exchange Online
• App Password for Administrator: Office 365 administrative accounts have had MFA, but no App Password
• PowerShell: create a service account which is an administrator and control access
Enterprise authentication using any phone
Mobile Apps | Text Messages | Phone Calls
Out-of-Band Push; One-Time-Passcode (OTP) Token | Out-of-Band Text; One-Time Passcode (OTP) by text | Out-of-Band* Call
*Out of band refers to being able to use a second factor with no modification to the existing app UX.
Excludes Office 365 dedicated SKU and SMB SKUs.
Upgradeable to Azure Multi-Factor Authentication
Multi-Factor Authentication options
Feature | Multi-Factor Authentication for Office 365 | Windows Azure Multi-Factor Authentication
Administrators can Enable/Enforce MFA to end-users | Yes | Yes
Use Mobile app (online and OTP) as second authentication factor | Yes | Yes
Use Phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
App passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Custom greetings during authentication phone calls | | Yes
Fraud alert | | Yes
Event Confirmation | | Yes
Security Reports | | Yes
Block/Unblock Users | | Yes
One-Time Bypass | | Yes
Customizable caller ID for authentication phone calls | | Yes
MFA Server – MFA for on-premises applications | | Yes
MFA SDK – MFA for custom apps | | Yes
Multi-factor Authentication for Office 365 added in Feb 2014 at no cost to Office 365 users
Summary
1. Overview: Identity Management in Office 365
2. What's New: be up to date on abilities
3. Works with Office 365: Identity program
4. Exchange Best Practices: keep it simple
5. Multi-Factor Authentication
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.