Advance Warning: Identity Crisis!!
- The platform is being re-branded "Windows Azure Active Directory", aka "Windows Azure AD" or just "AAD"
Windows Azure AD vs. Office 365
- Go-to-market names for different packages of functionality (CRM Online and InTune as well!)
- All GTMs share common platform pieces:
  - Directory: "MSO DS"
  - STS: OrgID
- Platform pieces & tools will be branded Windows Azure AD:
  - PowerShell Module for Windows Azure Active Directory
  - Windows Azure Active Directory Sync Tool
  - Windows Azure Active Directory Connector for FIM 2010
Windows Azure AD vs. Office 365
- (Diagram: Exchange Online, SharePoint, Lync, CRM, InTune and other cloud apps sitting on Azure AD, alongside on-prem AD)
Provisioning vs. Synchronization
- The two are not the same! Synchronization solutions are Provisioning solutions, but not the other way around!
- Provisioning: creation of objects and/or associated resources in a directory or external system.
- Synchronization: Provisioning + long-term consistency/parity of state between source objects and their representation in the external system.
Directory Integration Options
- Manual
  - How: create objects in Windows Azure AD via Admin Portal or Bulk Import
  - Why: low volume of objects to create; no long-term management/consistency required
- Scriptable
  - How: PowerShell cmdlets, GRAPH API
  - Why: need an automated process, but don't require access to all attributes in the directory; OK to not have full consistency between source and cloud
- Automated
  - How: DirSync, FIM + Connector
  - Why: large volume of objects/churn; require access to all attributes in the directory; require consistency between on-prem & cloud; want Single Sign-On
Example of Integration - Scriptable
- PowerShell: New-MsolUser -UserPrincipalName <upn-on-a-verified-domain> -DisplayName <display name>
  (the deck shows only the cmdlet and its -UserPrincipalName parameter; -DisplayName is the cmdlet's other required parameter, and both values are placeholders)
- GRAPH API
Example of Integration - Automated
- (DirSync picture placeholder in the deck: "fill in DirSync picture here")
Directory Integration in the bigger picture
- Directory Integration is the first half of a larger ecosystem
- Single Sign-On solutions depend on successful Synchronization of data into the Directory!
Architecture and Integration Options
- No Integration
- Directory Data Only
- Directory and Single sign-on (SSO)
- (Diagram: Windows Azure Active Directory with Identity Services (authentication platform), Directory Store and Provisioning platform; services Exchange Online, SharePoint Online, Lync Online, CRM Online, InTune; Admin Portal/PowerShell; Contoso customer premises with Active Directory Federation Server 2.0 as IdP, AD, MS Online Directory Sync and Office 365 Desktop Setup; a Trust between the customer IdP and the cloud)
Why Directory and SSO Integration
- Single place for management: users and groups (including security-enabled groups), passwords, password policies
- Support for Enterprise Single Sign-On
- Support for hybrid environments for services such as Exchange Online
- Options for strong authentication (e.g. smart cards)
Architecture Deep Dive
- (Diagram: Customer Network with AD and AD FS; Office 365 Datacenter with Microsoft Online ID, AWS FEs, O365 Directory, Workflow, GRAPH, Exchange, Lync, SharePoint ...; DirSync with AD MA, MetaVerse and O365 MA in between)
Life as a sync'd object
- When an object is created in the cloud, it is "owned in the cloud": changes can be made via the Portal, PowerShell or in the various cloud services
- When an object is created by Sync, it is "owned by sync": changes can only be made via the on-prem directory and then sync to the cloud
- When an object is created in the cloud but also exists on-prem, Sync will try to Soft-Match the object coming via Sync
  - Soft-match uses SMTP addresses to "best guess"
  - If matched, "owned by sync"
Life as a sync'd object
- Objects "owned by Sync" can be deleted directly in the cloud!
- Remove-MsolUser / Remove-MsolContact / Remove-MsolGroup will allow you to delete an object that is owned by Sync
- If the object still exists on-prem, it will be recreated on the next Sync cycle
Tour as a sync'd object
- Sync Tool reads data from the on-prem directory source
- Sync Tool pushes data to the AWS FEs
- AWS FE tries to create the object in MSODS (if it is a user, in OrgID first)
- Workflow evaluates objects and attributes such as User.ProxyAddresses; data validations are performed here
- Services read from MSODS and sync into the services; validation required by a service? Done here.
Choose your own Sync Adventure
- 3 options for Directory Sync:
  - Single-forest DirSync appliance
  - Multi-forest DirSync appliance
  - Windows Azure Active Directory Connector for FIM 2010 (aka "Multi-Forest")
- You don't need to use SSO just because you sync, but you should Sync in order to use SSO
  - Could use PowerShell instead, but lots of management overhead & not a formally tested scenario
- The Sync solution doesn't constrain the SSO solution: you can use any Sync solution with ADFS or a non-AD STS (e.g. Shibboleth)
Choose your own Sync Adventure
- Single Forest DirSync. When to use: a single AD forest on-prem that contains all data to synchronize to AAD
- Multi-Forest DirSync. When to use: more than 1 AD forest containing the directory data to synchronize to AAD, and the ADs have "non-overlapping data" (no object in one forest is represented in another forest)
- AAD Connector. When to use: multiple AD forests containing directory data to synchronize to AAD where the directory data "overlaps" (an object is represented in more than one forest); non-AD directory sources*
Choose your own Sync Adventure
- A notable exception to the previous slide. Pattern: consider 2 forests on-prem, 1 Authentication/Logon forest and 1 Exchange/"Resource" forest. "Sync" data from the Exchange forest to the Auth forest, then run single-forest DirSync against the Auth forest.
- This is a common pattern (prescribed by the Exchange product): full migration to Exchange Online, then collapse the Resource forest
- Sync'ing the necessary core attributes from the Exchange forest to the Auth forest, including SourceAnchor and UserPrincipalName, can negate the need for multi-forest sync altogether
- Some things are not supported at this time: multiple Exchange Orgs
Core Directory Sync Concepts
- Source of Authority: where changes can be made to an object (either "on-prem" or "cloud"). De-/activating DirSync in the Admin portal transfers the source of authority.
- SourceAnchor: used to uniquely identify objects created in the cloud from the on-prem directory
  - Critical for the Single Sign-On scenario (ADFS will be configured to generate the SourceAnchor on AuthN; this needs to match the ImmutableID stored in OrgId at user provisioning time)
  - Can't be changed after the initial provisioning of the object by Sync; a changed value will error out
Core Directory Sync Concepts
- UserPrincipalName: the "sign-in name" for a user
  - The on-prem UPN needs to match the UPN in the cloud for login to succeed
  - Once licensed, the user's UPN won't change even if it is changed on-prem; can override using the Set-MsolUserPrincipalName cmdlet
- Hybrid Service Deployments: some attributes on on-prem objects are updated based on activities in the cloud; only modify objects that were initially sync'd to the cloud from on-prem
Core Directory Sync Concepts
- We validate (some) data to protect the Core Directory and services:
  - UserPrincipalName: UPNs must use a verified domain. If not, we will autoconstruct the UPN value (local AD is not updated): [sAMAccountName] + "@" + [moera.onmicrosoft.com]. The UPN must contain only supported characters.
  - User.ProxyAddresses: cannot have duplicate proxy addresses (Sync Error on license for EXO). All proxy addresses that are not using a verified domain are removed; adding the verified domain later will "re-hydrate" those proxy addresses removed earlier.
Core Directory Sync Concepts
- Most common sync validation failures: duplicate proxy addresses; duplicate UPN value
- Errors reported in
- Run the Deployment Readiness Tool!
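A toy model of the UPN and proxy-address validations described on the two slides above, added here as an example that is not from the deck: the verified-domain set, the sAMAccountName value, the "supported characters" pattern and the user record shape are assumptions, not Microsoft's actual rules.

```python
# Added example (not from the deck): a toy model of the UPN / proxyAddresses
# checks. VERIFIED domains, sAMAccountName, the character pattern and the user
# record shape are assumptions for illustration.
import re
from collections import defaultdict

# Assumed conservative pattern for the local part of a UPN
UPN_LOCAL_PATTERN = re.compile(r"^[A-Za-z0-9'._-]+$")


def cloud_upn(on_prem_upn, sam_account_name, verified_domains, moera):
    """Return (upn_used_in_cloud, reason). A UPN whose suffix is not a verified
    domain is autoconstructed as sAMAccountName@<moera>; local AD is untouched."""
    local, _, domain = on_prem_upn.rpartition("@")
    if domain.lower() not in verified_domains:
        return f"{sam_account_name}@{moera}", "autoconstructed: unverified domain"
    if not UPN_LOCAL_PATTERN.match(local):
        raise ValueError(f"UPN {on_prem_upn!r} contains unsupported characters")
    return on_prem_upn, "verified"


def split_proxy_addresses(proxy_addresses, verified_domains):
    """Keep addresses on verified domains; return the withheld ones separately
    so they can be re-hydrated by calling this again once the domain is verified."""
    kept, withheld = [], []
    for addr in proxy_addresses:                 # e.g. "SMTP:alice@contoso.com"
        domain = addr.rpartition("@")[2].lower()
        (kept if domain in verified_domains else withheld).append(addr)
    return kept, withheld


def find_duplicates(users):
    """Report the two most common validation failures across a batch of users:
    duplicate proxy addresses and duplicate UPNs (case-insensitive).
    users: {name: {"upn": str, "proxyAddresses": [str, ...]}}"""
    owners = defaultdict(set)
    for name, record in users.items():
        owners[("upn", record["upn"].lower())].add(name)
        for addr in record["proxyAddresses"]:
            owners[("proxy", addr.lower())].add(name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}
```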
Core Directory Sync Concepts
- Linking/Matching objects during sync:
  - First, check whether an object already exists with the same SourceAnchor value; if so, update the existing object
  - If no object hard-matches, try to soft-match against existing objects (using the SMTP addresses of the on-prem object)
  - If a candidate match exists, stamp the SourceAnchor value on that object for subsequent sync cycles
  - If no candidate match exists, create a new object
- DirSync Quota: protects the directory against a malicious "storage DoS"; the default is now 50K for tenants provisioned after 5/1
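A toy model of the hard-match / soft-match / create order above, added as an example that is not the sync tool's code; it also reproduces the recovery caveat from the "Recovering deleted objects" slides, where a restored object with a new SourceAnchor but the same attributes is not relinked. The object shapes, field names and the rule that only cloud-owned objects (no SourceAnchor yet) are soft-match candidates are assumptions.

```python
# Added example (not the sync tool's code): hard match on SourceAnchor, then
# soft match on SMTP proxy addresses, else create. Shapes and the "only
# cloud-owned objects are soft-match candidates" rule are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class CloudObject:
    object_id: str
    upn: str
    proxy_addresses: Set[str]
    source_anchor: Optional[str] = None   # ImmutableID; None means "owned in the cloud"


@dataclass
class OnPremObject:
    source_anchor: str                    # e.g. base64 objectGUID from AD
    upn: str
    proxy_addresses: Set[str]


def smtp_addresses(addresses: Set[str]) -> Set[str]:
    """Lower-cased SMTP entries of a proxyAddresses set (X500 etc. are ignored)."""
    return {a.lower() for a in addresses if a.lower().startswith("smtp:")}


def link_or_create(cloud: List[CloudObject], incoming: OnPremObject) -> Tuple[str, CloudObject]:
    """Return ("hard" | "soft" | "new", cloud object) following the slide's order."""
    # 1. Hard match: same SourceAnchor -> update the existing object in place
    for obj in cloud:
        if obj.source_anchor == incoming.source_anchor:
            obj.upn = incoming.upn
            obj.proxy_addresses = set(incoming.proxy_addresses)
            return "hard", obj
    # 2. Soft match: a cloud-owned object sharing an SMTP address gets the anchor stamped
    wanted = smtp_addresses(incoming.proxy_addresses)
    for obj in cloud:
        if obj.source_anchor is None and wanted & smtp_addresses(obj.proxy_addresses):
            obj.source_anchor = incoming.source_anchor   # now "owned by sync"
            return "soft", obj
    # 3. No candidate: create a new object (it would still have to pass the
    #    validations on the earlier slides, e.g. no duplicate proxy addresses)
    created = CloudObject(f"cloud-{len(cloud) + 1}", incoming.upn,
                          set(incoming.proxy_addresses), incoming.source_anchor)
    cloud.append(created)
    return "new", created
```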
Core Directory Sync Concepts
- Throttling Sync: throughput is "shared" across tenants at the AWS layer (throttled per partition); the DirSync client automatically handles "Error Code 81" and retries; throttling leads to variable sync times
- V1/V2 differences: some differences in what is sync'd/not sync'd; groups without display names aren't sync'd in v2! Contact the migration team for documentation/list of deltas
Recovering deleted objects via Sync
- Will be lighting up the "soft delete" feature in PROD
- Scenario: an on-prem AD admin accidentally deletes a user object in AD; DirSync "propagates the delete" to the cloud; the user object is deleted in the cloud (mailbox lost). NOW WHAT?
Recovering deleted objects via Sync
- Manual recovery: the admin identifies the object to be recovered
- Via DirSync: when the admin restores the user object in AD (via the W2K8R2 Recycle Bin), the object is automatically recovered by DirSync; the mailbox is recovered, etc.
- "Recovery" is dependent on keeping the same SourceAnchor value! A new SourceAnchor value with the "same attribute values" will not recover the user object in the cloud!
Filtering Sync
- 2 kinds of filters customers ask for: choose which objects get sync'd to the cloud; choose which attributes get sync'd to the cloud
- We support the former; we don't support the latter
- A Wiki post and UA documentation have been posted to walk customers through this customization
Related Content
- Today: OSE 225; Friday: OSE 331, OSE 333, OSE 334
- Hands-on Labs (OSPILL101 Designing a SharePoint site)
- The Microsoft Showcase
- Find me later at The Microsoft Showcase, Friday (9-12am)