Page 1: User Microsoft Account Ex: alice@outlook.com User Organizational Account Ex: alice@contoso.com Microsoft Account Windows Azure Active Directory.
Page 2:

Jono Luk and David Brandt, Program Managers, Microsoft

Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory

DMI309

Page 3:

Agenda
• Office 365 Identity Management
• What’s new
• What is Directory Integration?
• What are my options?
• Common Scenarios
• How Sync Works
• How Single Sign-On Works
• How Multi-factor Authentication Works

Page 4:

Microsoft Cloud Services

[Diagram: two kinds of user account, each backed by its own identity system.]
• User with a Microsoft Account (Ex: alice@outlook.com), backed by the Microsoft Account service
• User with an Organizational Account (Ex: alice@contoso.com), backed by Windows Azure Active Directory

Page 5:

Common Identity Platform for Organizational Accounts
Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts.

Can extend your existing on-prem Active Directory into the cloud.

[Diagram: Windows Azure Active Directory acting as both directory store and authentication platform, consumed by the Microsoft cloud services and by "Your App".]

Page 6:

Office 365 Identity Management
• Cloud Identities: a single identity in the cloud; suitable for small organizations with no integration to on-premises directories
• Synchronized Passwords: a single identity; suitable for medium and large organizations without federation
• Federated Identities: a single federated identity and credentials; suitable for medium and large organizations

Page 7:

How to Choose Your Identity Solution

Criteria compared across the three options (Cloud IDs, Password Sync, Federated IDs):
• Same password to access resources on-premises and in the cloud
• Can control password policies on-premises
• Single Sign-on, with no password re-entry when on premises
• Client access filtering by IP, client type, or by time schedule
• Authentication occurs and is audited on-premises
• Can immediately block disabled accounts on-premises
• Change password available from the web
• Works with Forefront Identity Manager 2010 R2
• Can customize the user sign-in page
• Use with cloud based Multi-Factor Authentication
• Use with on-premises based Multi-Factor Authentication

Source: http://technet.microsoft.com/en-us/library/jj573649.aspx

Page 8:

Did You Know…?
• We have added support for non-ADFS STSs
  • Supported providers currently include: Shibboleth, Ping Federate, OptimalIDM
  • Some feature gaps:
    • Shibboleth: doesn’t support the Lync 2010 client
    • Ping Federate: doesn’t support Windows Integrated Auth

• Azure Active Authentication Service
  • Support for cloud based Multi-factor Authentication
  • Now included with Office 365

• Azure Active Directory Graph API
  • REST API for programmatic access to data in Azure AD
  • Can build multi-tenant applications, or custom LOB apps

Page 9:

Did You Know…?
• SAML-P 2.0 Federation with Office 365
  • SAML 2.0 SP-Lite Profile for federated sign-on with Office 365 services
  • Sign into Office 365 Outlook Web Access and SharePoint using on-premises creds

• Support for Multiple Active Directory Forests
  • Azure Active Directory Connector for FIM 2010 R2

• Support for non-AD Directories
  • LDAP DirSync
  • Azure Active Directory Connector for FIM 2010 R2

• Multi-Factor Authentication for Office 365
• S/MIME encryption now supported

Page 10:

Works with Office 365 – Identity Program
What is it? Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.

[Qualification matrix by protocol profile; for representative purposes only.]
• WS-Trust & WS-Federation: Active Directory with ADFS
• WS-Federation (passive auth)
• SAML (passive auth): Shibboleth

Customer Benefits
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft

Page 11:

Best Practices for Exchange
• Pick the solution that’s right for you!
  • Different customers have different scenarios requiring different solutions
• Minimize your on-premises infrastructure requirements
  • Cloud IDs and Managed IDs with Password Sync (i.e. same sign-on) minimize your on-premises infrastructure and availability requirements vs. Federated IDs
• You don’t need to use SSO just because you Sync, but you should Sync in order to use SSO
  • Could use PowerShell to create your directory data, but this incurs management overhead and is not a formally documented or supported scenario

Page 12:

Best Practices for Exchange – Cont’d
• Use SSO only if you need to
  • The SSO solution doesn’t constrain the Sync solution
  • You can use any Sync solution with ADFS or a non-AD STS
• You can control which objects sync into Azure AD
• You can’t yet control which parts (attributes) of those objects sync: coming soon!

Page 13:

Identity Related Things To Consider…
• One or multiple tenants?
  • Example: Do 3 on-prem Exchange orgs mean 3 tenants?
• Non-AD sources
  • DirSync for LDAPv3
  • Similar to the existing FIM 2010 R2 connector, except single directory only
  • Availability: preview in Summer 2014, release later in 2014
• What provisioning tools do I use?
  • Graph / DirSync / etc.

Page 14:

Common Topologies

• If configuring SSO for n Azure AD tenant scenarios, every namespace (UPN domain suffix) must be associated with at most one tenant in Azure AD
• Multiple Exchange forest support coming soon

Account Directory        | Exchange Orgs                                          | Azure AD  | Supported? | Sync Solution
1 AD Forest              | 1, in the AD forest                                    | 1 Tenant  | Yes        | DirSync
1 AD Forest              | n resource forest(s), will retire all Exchange forests | 1 Tenant  | Yes        | DirSync
n AD Forests             | n in resource forest(s), will not retire               | 1 Tenant  | Yes        | FIM + AAD Connector
1 LDAP Directory         | N/A                                                    | 1 Tenant  | Yes        | LDAP DirSync
1 AD Forest              | -                                                      | n Tenants | Yes        | FIM + AAD Connector OR n DirSyncs
Non-AD directory         | N/A                                                    | n Tenants | Yes        | FIM + AAD Connector
n AD Forests + m non-AD  | N/A                                                    | n Tenants | Yes        | FIM + AAD Connector

Page 15:

Common Scenarios
• 1 Account forest with 1 Resource Forest may LOOK like multiple AD forests, but isn’t really
• Can solve with the DirSync tool

[Diagram: a Login Forest and a Resource Forest (data migrated between them) feeding a single DirSync into one Azure AD Tenant, with AD FS providing sign-on; annotated “sync, UPN, ImmutableID”.]

Page 16:

Common Scenarios
• Single Forest, Multiple Tenants
  • Is supported with the DirSync appliance
  • Is supported with the new Azure AD Connector
  • Is supported with a single AD FS farm or multiple farms
• Caveat: every object in the source AD must appear in only ONE tenant in the cloud

[Diagram: one AD Forest with one AD FS farm, and two DirSync instances each feeding a separate Azure AD Tenant.]

Page 17:

Multi-forest Decision Flowchart

[Flowchart, reconstructed as a decision list:]
• Start: number of Active Directory forests?
  • Single (1): use single-forest DirSync
  • Multiple (>1): want to consolidate to a single forest?
    • Yes: see the consolidation whitepaper (http://technet.microsoft.com/library/cc974332.aspx); after consolidation, use single-forest DirSync
    • No: use FIM 2010 R2 connectors (the chart also branches on the number of Exchange orgs: none (0), single (1), or multiple (>1))

Page 18:

Windows Azure AD Connector for FIM 2010 R2
For organizations with complex AD and non-AD scenarios:
• Multi-forest AD scenarios
• Non-AD on-prem directories, through Microsoft Premier deployment support

Requirements
• FIM 2010 R2 Sync Engine
• Windows Azure Active Directory Connector for FIM 2010 R2: http://technet.microsoft.com/library/dn511001.aspx

Page 19:

How Sync Works
Key pieces of sync to note:
• SourceAnchor
  • The link between the on-prem object and the cloud object
  • Stamped when the object is created in the cloud
  • Must be immutable for the lifetime of the object
• Soft-match
  • Our “fuzzy match”
  • If no SourceAnchor match is available, fall back to soft-match to best-guess which object in the cloud corresponds to the on-prem object
  • Match based on the primary SMTP address

Page 20:

Example: User Provisioning

[Diagram: Active Directory feeds the DirSync front-ends, and the Graph/PowerShell front-ends feed the same provisioning workflows; from there users are provisioned into Exchange Online, OneDrive, Windows Intune and the admin portals.]

Page 21:

How Sync Works
• Syncs all objects, with some exceptions
  • Does not sync default accounts (Administrator etc.)
  • Does not sync system objects
• Directory Sync can be turned off, but it takes time
• Options that can’t be changed
  • Scoping the attributes that sync
  • Sync timeframe is every 3 hours

Page 22:

How Sync Works
• Soft Delete / Recycle Bin
  • Objects that have been “deleted” are kept in the Recycle Bin
  • Automatically purged after 30 days
  • A deletion on-prem propagates to Azure AD; recovering the object in on-prem AD will recover it in the cloud!
  • If deleted in AD: recover the object (keeping the SourceAnchor consistent)
  • If “dropped out of scope”: recovery is just bringing the object back into scope
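The SourceAnchor and soft-match rules from page 19 and the recovery cases on this slide, as an added PowerShell example (not code from the deck, from DirSync or from Microsoft). It assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run; the user name alice and the UPN alice@contoso.com are placeholders. Get-SourceAnchor reproduces the DirSync derivation of SourceAnchor as the Base64 form of the on-premises objectGUID, which Azure AD stores as ImmutableId.

```powershell
# Added example, not from the deck. Assumes ActiveDirectory + MSOnline modules and an
# existing Connect-MsolService session. Names used in the usage lines are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-SourceAnchor {
    # DirSync derives SourceAnchor from the on-prem objectGUID (Base64 of the 16 GUID
    # bytes); Azure AD stores it as ImmutableId. It must never change for the object.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    [System.Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
}

function Test-SyncIdentityLink {
    # Reports how sync would pair this on-prem user with a cloud object:
    #   Hard - a cloud user already carries this SourceAnchor as ImmutableId
    #   Soft - no anchor match, but a cloud user has the same primary SMTP address
    #   None - neither; the next sync cycle would create a new cloud object
    # 'Soft' on a user that was synced before means its anchor changed (object deleted
    # and re-created on-prem), which is exactly the case soft-match exists for.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][object[]]$CloudUsers   # output of Get-MsolUser -All, cached by the caller
    )
    $ad      = Get-ADUser -Identity $SamAccountName -Properties objectGUID, mail, proxyAddresses
    $anchor  = [System.Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())
    # primary SMTP is the proxyAddress with the upper-case "SMTP:" prefix; fall back to mail
    $primary = ($ad.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $ad.mail }

    $hard = $CloudUsers | Where-Object { $_.ImmutableId -eq $anchor } | Select-Object -First 1
    $soft = $null
    if (-not $hard -and $primary) {
        $soft = $CloudUsers | Where-Object { $_.ProxyAddresses -ccontains "SMTP:$primary" } | Select-Object -First 1
    }
    $match    = if ($hard) { 'Hard' } elseif ($soft) { 'Soft' } else { 'None' }
    $cloudUpn = if ($hard) { $hard.UserPrincipalName } elseif ($soft) { $soft.UserPrincipalName } else { $null }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        SourceAnchor   = $anchor
        PrimarySmtp    = $primary
        Match          = $match
        CloudUpn       = $cloudUpn
    }
}

function Repair-SourceAnchor {
    # Re-stamps the cloud object's ImmutableId so the next sync cycle hard-matches instead
    # of soft-matching (or creating a duplicate). Check Test-SyncIdentityLink first so you
    # do not steal an anchor that another on-prem object legitimately owns.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUpn
    )
    $anchor = Get-SourceAnchor -SamAccountName $SamAccountName
    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $anchor
    $anchor
}

function Restore-SoftDeletedCloudUser {
    # Cloud objects deleted within the last 30 days sit in the recycle bin. Restoring keeps
    # the ImmutableId, so the on-prem object re-links on the next sync. Returns $true if a
    # soft-deleted object was found and restored.
    param([Parameter(Mandatory)][string]$CloudUpn)
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $CloudUpn -ErrorAction SilentlyContinue
    if ($deleted) { Restore-MsolUser -UserPrincipalName $CloudUpn }
    [bool]$deleted
}

# Usage (placeholder names):
# $cloud = Get-MsolUser -All
# Test-SyncIdentityLink -SamAccountName alice -CloudUsers $cloud
# Repair-SourceAnchor -SamAccountName alice -CloudUpn alice@contoso.com
# Restore-SoftDeletedCloudUser -CloudUpn alice@contoso.com
```

Run Test-SyncIdentityLink before any repair: a result of Soft on a user that has synced before is the signature of a re-created on-prem object, and the fix is either Repair-SourceAnchor (re-point the cloud object at the new GUID) or restoring the original on-prem object from the AD recycle bin, never both.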

Page 23:

Password Sync
• A feature in DirSync
• No additional software, no additional reboots!
• Synchronizes password hashes from on-prem AD to Windows Azure Active Directory
• Checks for password updates every 2 minutes
• Regular DirSync still runs every 3 hours

Page 24:

Password Sync
• On-premises password policies apply
• Password-synced users “never expire” in the cloud
• Change password links are hidden for password-synced users
• Syncs passwords for all managed users (federated and non-federated)
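The two sync cadences on these slides (a full DirSync every 3 hours, a password-hash check every 2 minutes) only protect you if they are actually running. The following is an added PowerShell health check, not code from the deck or from DirSync; it assumes the MSOnline and ActiveDirectory modules and an existing Connect-MsolService session, and the 30-minute tolerance is an assumed operational choice.

```powershell
# Added example, not from the deck. Assumes MSOnline (Connect-MsolService already run)
# and the ActiveDirectory module; the tolerance values are assumptions.
Import-Module MSOnline
Import-Module ActiveDirectory

function Test-SyncStale {
    # A sync is "stale" when it is enabled but its last run is older than its interval
    # plus a tolerance (so a cycle that is merely in progress is not flagged).
    param([bool]$Enabled, [nullable[datetime]]$LastRun, [timespan]$MaxAge)
    if (-not $Enabled) { return $false }
    if (-not $LastRun) { return $true }      # enabled but never completed a cycle
    $last = [datetime]::SpecifyKind($LastRun.Value, 'Utc')
    ((Get-Date).ToUniversalTime() - $last) -gt $MaxAge
}

function Get-DirSyncHealth {
    # Compares the tenant's last-sync timestamps with the intervals stated on the slides.
    param(
        [timespan]$DirSyncInterval  = [timespan]::FromHours(3),
        [timespan]$PasswordInterval = [timespan]::FromMinutes(2),
        [timespan]$Tolerance        = [timespan]::FromMinutes(30)
    )
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        DirSyncEnabled      = $info.DirectorySynchronizationEnabled
        LastDirSyncUtc      = $info.LastDirSyncTime
        DirSyncStale        = Test-SyncStale $info.DirectorySynchronizationEnabled $info.LastDirSyncTime ($DirSyncInterval + $Tolerance)
        PasswordSyncEnabled = $info.PasswordSynchronizationEnabled
        LastPasswordSyncUtc = $info.LastPasswordSyncTime
        PasswordSyncStale   = Test-SyncStale $info.PasswordSynchronizationEnabled $info.LastPasswordSyncTime ($PasswordInterval + $Tolerance)
    }
}

function Get-PasswordSyncLaggards {
    # On-prem users whose password changed after the tenant's last password sync: until the
    # next cycle runs they still authenticate to Office 365 with the OLD password (and a user
    # disabled on-prem keeps working in the cloud until the next full sync, unlike federation).
    param([Parameter(Mandatory)][datetime]$LastPasswordSyncUtc)
    $since = [datetime]::SpecifyKind($LastPasswordSyncUtc, 'Utc').ToFileTimeUtc()
    # userAccountControl bit 2 = ACCOUNTDISABLE; the 1.2.840.113556.1.4.803 rule is LDAP's bitwise AND
    Get-ADUser -LDAPFilter "(&(pwdLastSet>=$since)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Properties pwdLastSet, mail |
        Select-Object SamAccountName, mail, @{ n = 'PwdLastSetUtc'; e = { [datetime]::FromFileTimeUtc($_.pwdLastSet) } }
}

# Usage:
# $h = Get-DirSyncHealth
# if ($h.PasswordSyncStale -and $h.LastPasswordSyncUtc) { Get-PasswordSyncLaggards -LastPasswordSyncUtc $h.LastPasswordSyncUtc }
```

Scheduling Get-DirSyncHealth and alerting on either Stale flag is the cheap way to notice that the DirSync host has stopped, which in a password-sync deployment means cloud access is silently drifting away from on-premises state.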

Page 25:

Integration Requirements
• AD FS 2.0 and SSO
  • Windows Server 2008+
• Directory Sync
  • Host OS: Windows Server 2008 R2+ (includes Server 2012 R2); can be installed on a Domain Controller
  • SQL: SQL Server 2008 R2+ (the default DirSync install uses SQL Server 2012 SP1 Express)
  • Source AD: Windows Server 2003+
  • Supports virtualization

Page 26:

Using Azure IaaS VMs
• Can deploy DirSync and AD FS in Azure
• Whitepaper available: http://www.microsoft.com/downloads/details.aspx?FamilyID=72c15d25-6515-4763-9b76-054362b58398
• Removes on-premises hardware requirements
• Must have line of sight (VPN) to on-premises
• Still requires an AD FS proxy
• Requires an AD DC in the Azure cloud for SSO
• Does not remove management or HA requirements

Page 27:

SSO and Office 365
• Why it’s good for Admins
  • A single credential to manage
  • Credentials stored on-premises
  • A single place to manage policies: on-premises workstation restrictions etc.
  • The IdP is your AD
• Why it’s great for Users
  • I have a single credential
  • In most cases I don’t need to enter my credentials more than once
  • (even if I am, it’s always the same credential)

Page 28:

Sign On Experiences for O365

[Matrix of client type against identity type. Columns: SSO IDs (from domain-joined machines) / Cloud IDs / Password Sync (SSO from non-domain-joined machines).]

• Web Clients (Office 2010 and Office 2007 SP2 with SharePoint Online; Outlook Web Application; remembers last user)
  SSO IDs: no prompt (AD credentials) / Cloud IDs: username and password (Online ID) / Password Sync: username and password (AD credentials)
• Mail Clients (Office 2010, Office 2007 SP2; ActiveSync/POP/IMAP; Entourage; can save credentials)
  SSO IDs: username and password (AD credentials) / Cloud IDs: username and password (Online ID) / Password Sync: username and password (AD credentials)
• Rich Applications (SIA) (Lync Online, Office Subscriptions, CRM Rich Client, Office 2013; can save credentials)
  SSO IDs: username only (AD credentials) / Cloud IDs: username and password (Online ID) / Password Sync: username and password (AD credentials)

Page 29:

Client to End Points Usage

[Diagram: inside the corporate boundary the AD FS 2.0 Server exposes MEX, Web (passive) and Active endpoints and serves Lync 2010/Office Subscription, ActiveSync, Outlook 2010/2007 IMAP/POP and internal OWA clients; outside it, the AD FS 2.0 Proxy exposes the same MEX, Web and Active endpoints for the external instances of those clients and for external OWA. The ActiveSync and Outlook/IMAP/POP paths carry a username/password, proxied through Exchange Online. Basic auth proposal: pass client IP, protocol and device name.]

Page 30:

Identity Federation: Authentication flow (Passive/Web profile)

[Diagram, as a sequence. Customer side: client, AD FS 2.0 Server, Active Directory. Microsoft Online Services side: authentication platform, Exchange Online or SharePoint Online.]
1. The client (joined to CorpNet) authenticates to the customer’s AD FS 2.0 Server, which validates the user against Active Directory (user Source ID: ABC123).
2. AD FS issues a logon (SAML 1.1) token carrying the UPN (alice@contoso.com in the deck’s running example) and User ID ABC123.
3. The Microsoft Online Services authentication platform validates that token and issues its own auth token with the UPN and the cloud object ID 254729.
4. The client presents the auth token to Exchange Online or SharePoint Online.

Page 31:

Identity Federation: Authentication flow (MEX/Rich Client Profile)

[Diagram, as a sequence. Same parties as the passive flow, with Lync Online as the service.]
1. The rich client (joined to CorpNet) discovers the AD FS 2.0 Server’s endpoints via MEX and authenticates to it; AD FS validates the user against Active Directory (user Source ID: ABC123).
2. AD FS issues a logon (SAML 1.1) token carrying the UPN (alice@contoso.com in the deck’s running example) and User ID ABC123.
3. The Microsoft Online Services authentication platform exchanges it for an auth token with the UPN and the cloud object ID 254729.
4. The client presents the auth token to Lync Online.

Page 32:

Exchange – Proxy Auth (Customer / Windows Azure Active Directory)

[Diagram, as a sequence. Customer side: client, AD FS 2.0 Proxy, AD FS 2.0 Server, Active Directory. Microsoft side: authentication platform, Exchange Online.]
1. The client (joined to CorpNet) sends Basic Auth credentials (username/password) to Exchange Online.
2. Exchange Online, acting for the user, presents those credentials to the customer’s AD FS 2.0 Proxy, which forwards the request to the AD FS 2.0 Server; the server validates the user against Active Directory (user Source ID: ABC123).
3. AD FS issues a logon (SAML 1.1) token with the UPN (alice@contoso.com in the deck’s running example) and User ID ABC123.
4. The authentication platform exchanges it for an auth token with the UPN and ID 254729, which Exchange Online uses to serve the mailbox.

Page 33:

Client Access Filtering
• For blocking external access for Outlook
• Scenarios
  • Block all external access
  • Allow external access for specific mail clients (ActiveSync, POP/IMAP)
  • Allow external access to web applications (OWA, SharePoint)
  • Requires an AD FS Proxy
• Can combine the above with group limitations
• No granularity on limiting Lync Online/Office Subscription services externally: i.e. any rule above blocks their access too
• Enabled through client issuance rules in AD FS 2.0
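The three scenarios above expressed as issuance authorization rules on the Office 365 relying party trust, as an added PowerShell example (not from the deck, and not Microsoft’s published rule text). It assumes an AD FS 2.0 farm patched to the update rollup that introduced the request-context claim types (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path), an AD FS proxy in front of the farm so that external requests carry x-ms-proxy, the default trust name “Microsoft Office 365 Identity Platform”, and a placeholder corporate egress regex supplied by the caller.

```powershell
# Added example, not from the deck. Assumes AD FS 2.0 with the request-context claims
# available, an AD FS proxy, and a caller-supplied egress regex (placeholder in usage).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$Ctx      = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$GroupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$Deny     = 'http://schemas.microsoft.com/authorization/claims/deny'
$Permit   = 'http://schemas.microsoft.com/authorization/claims/permit'
$RpName   = 'Microsoft Office 365 Identity Platform'

function New-ClientAccessFilterRules {
    # Builds the rule-set text. A request is "external" when it arrived through the proxy
    # (x-ms-proxy present) and its forwarded client IP is not a corporate egress address.
    # The carve-out per scenario re-allows the named client types or the browser endpoint.
    param(
        [Parameter(Mandatory)][ValidateSet('BlockAllExternal', 'AllowExternalActiveSyncPopImap', 'AllowExternalWebOnly')]
        [string]$Scenario,
        [Parameter(Mandatory)][string]$CorpEgressRegex,   # e.g. '^203\.0\.113\.\d{1,3}$' (placeholder)
        [string]$ExemptGroupSid                            # optional: members may connect from anywhere
    )
    $external = "exists([Type == `"$Ctx/x-ms-proxy`"])" +
                " && NOT exists([Type == `"$Ctx/x-ms-forwarded-client-ip`", Value =~ `"$CorpEgressRegex`"])"
    if ($ExemptGroupSid) {
        $external += " && NOT exists([Type == `"$GroupSid`", Value == `"$ExemptGroupSid`"])"
    }
    $carveOut = switch ($Scenario) {
        'BlockAllExternal'               { '' }
        'AllowExternalActiveSyncPopImap' { " && NOT exists([Type == `"$Ctx/x-ms-client-application`", Value =~ `"^Microsoft\.Exchange\.(ActiveSync|Pop|Imap)$`"])" }
        'AllowExternalWebOnly'           { " && NOT exists([Type == `"$Ctx/x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])" }
    }
    @"
@RuleName = "Deny external access ($Scenario)"
$external$carveOut
 => issue(Type = "$Deny", Value = "true");

@RuleName = "Permit all users"
 => issue(Type = "$Permit", Value = "true");
"@
}

function Set-O365ClientAccessFilter {
    # Backs up the current rule set to a file, then applies the new one. Returns the backup
    # path. AD FS evaluates deny claims ahead of permit claims, so rule order is irrelevant.
    param(
        [Parameter(Mandatory)][string]$Rules,
        [string]$BackupPath = "$env:TEMP\o365-authz-rules.$(Get-Date -Format yyyyMMddHHmmss).txt"
    )
    $rp = Get-ADFSRelyingPartyTrust -Name $RpName
    if (-not $rp) { throw "Relying party trust '$RpName' not found" }
    Set-Content -Path $BackupPath -Value $rp.IssuanceAuthorizationRules
    Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $Rules
    $BackupPath
}

# Usage (placeholder egress range):
# $rules = New-ClientAccessFilterRules -Scenario AllowExternalActiveSyncPopImap -CorpEgressRegex '^203\.0\.113\.\d{1,3}$'
# Set-O365ClientAccessFilter -Rules $rules
```

Two caveats follow directly from the slide: the rules live on the single Office 365 trust, so any deny also hits Lync Online and Office subscription activation from outside; and x-ms-forwarded-client-ip is only as trustworthy as the proxy that sets it, so the egress regex must match your real NAT addresses, not anything a client can supply.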

Page 34:

Multi-Factor Authentication Scenarios
• Federated Users
  • Office 365 resources just need Multi-Factor Authentication for Office 365
  • Use Azure Multi-Factor Authentication Server for other AD FS-connected applications
• Hybrid
  • On-premises server applications require Azure Multi-Factor Authentication Server
  • Example: MSIT Lync on-premises and Exchange Online
• App Password for Administrators
  • Office 365 administrative accounts have had MFA, but no App Password
• PowerShell
  • Create a service account which is an administrator and control access to it
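The last two points together, as an added PowerShell example (not from the deck): turn MFA on for every holder of an admin role, and carve out one dedicated, minimally privileged service account for scripted administration, since an MFA-enabled admin without an app password cannot be used by non-interactive PowerShell. It assumes the MSOnline module, an existing Connect-MsolService session, and placeholder names and role; the password is passed in by the caller rather than generated here.

```powershell
# Added example, not from the deck. Assumes MSOnline with Connect-MsolService already run;
# UPNs, role name and password in the usage lines are placeholders.
Import-Module MSOnline

function Get-O365AdminUsers {
    # Every user holding any admin role in the tenant (role membership, not licences).
    Get-MsolRole | ForEach-Object {
        $role = $_
        Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'User' } |
            ForEach-Object { [pscustomobject]@{ Role = $role.Name; UserPrincipalName = $_.EmailAddress } }
    }
}

function Set-AdminMfaRequirement {
    # Enables MFA (state 'Enabled': the user is walked through registration at next
    # sign-in) on admin users that do not already have a requirement and are not in the
    # exemption list. Returns the UPNs that were changed.
    param([string[]]$ExemptUpns = @())
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    $changed = @()
    Get-O365AdminUsers | Select-Object -ExpandProperty UserPrincipalName -Unique | ForEach-Object {
        if ($ExemptUpns -contains $_) { return }          # skip this iteration
        $u = Get-MsolUser -UserPrincipalName $_
        if (-not $u.StrongAuthenticationRequirements) {
            Set-MsolUser -UserPrincipalName $_ -StrongAuthenticationRequirements @($req)
            $changed += $_
        }
    }
    $changed
}

function New-ScriptingServiceAccount {
    # Cloud-only account holding just the one role the job needs, with a long caller-supplied
    # password that does not expire (so the job does not silently break) and no MFA requirement.
    # "Control access" from the slide then means: keep it out of Global Admin, rotate the
    # password on a schedule, and only run the scripts from a host you control.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleName,    # e.g. 'User Account Administrator'
        [Parameter(Mandatory)][string]$Password
    )
    $u = New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName 'Scripting service account' `
                      -Password $Password -ForceChangePassword $false -PasswordNeverExpires $true
    Add-MsolRoleMember -RoleName $RoleName -RoleMemberEmailAddress $UserPrincipalName
    $u
}

# Usage (placeholders):
# New-ScriptingServiceAccount -UserPrincipalName svc-o365@contoso.com -RoleName 'User Account Administrator' -Password $p
# Set-AdminMfaRequirement -ExemptUpns @('svc-o365@contoso.com')
```

Run Set-AdminMfaRequirement on a schedule, not once: role membership changes, and the exemption list is the complete inventory of admin-capable accounts that sign in with a password alone.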

Page 35:

Enterprise authentication using any phone

Second-factor methods by channel:
• Mobile Apps: out-of-band push; one-time passcode (OTP) token
• Text Messages: out-of-band* text; one-time passcode (OTP) by text
• Phone Calls: out-of-band* call

*Out of band refers to being able to use a second factor with no modification to the existing app UX.

Excludes Office 365 dedicated SKU and SMB SKUs.

Upgradeable to Azure Multi-Factor Authentication

Page 36:

Multi-Factor Authentication options

Feature                                                          | MFA for Office 365 | Windows Azure MFA
Administrators can Enable/Enforce MFA to end-users               | Yes                | Yes
Use Mobile app (online and OTP) as second authentication factor  | Yes                | Yes
Use Phone call as second authentication factor                   | Yes                | Yes
Use SMS as second authentication factor                          | Yes                | Yes
App passwords for non-browser clients (e.g. Outlook, Lync)       | Yes                | Yes
Default Microsoft greetings during authentication phone calls    | Yes                | Yes
Custom greetings during authentication phone calls               |                    | Yes
Fraud alert                                                      |                    | Yes
Event Confirmation                                               |                    | Yes
Security Reports                                                 |                    | Yes
Block/Unblock Users                                              |                    | Yes
One-Time Bypass                                                  |                    | Yes
Customizable caller ID for authentication phone calls            |                    | Yes
MFA Server: MFA for on-premises applications                     |                    | Yes
MFA SDK: MFA for custom apps                                     |                    | Yes

Multi-factor Authentication for Office 365 was added in Feb 2014 at no cost to Office 365 users.

Page 37:

Summary
1. Overview: Identity Management in Office 365
2. What’s New: be up to date on abilities
3. Works with Office 365 – Identity program
4. Exchange Best Practices: keep it simple
5. Multi-Factor Authentication

Page 38:

Page 39:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

