[Speaker] [Title] [Company] Identity management integration options for Office 365.


2 [Speaker] [Title] [Company] Identity management integration options for Office 365

3 Talk Abstract
User management and identity integration are easy in Office 365. In this talk we explain identity management concepts and describe the three identity models you can use: the cloud identity model, the synchronized identity model, and the federated identity model. For cloud and synchronized identity we cover everything needed to set them up and demo how to configure them. For federated identity we show some of the tooling and give guidance on how to scope the integration project. We describe how to switch between identity models and give clear guidance on choosing the right identity model for a given scenario or customer.

4 Identity for Microsoft cloud services (diagram: a user with a Microsoft Account versus a user with an Organizational Account; organizational accounts are backed by Microsoft Azure Active Directory)

5 Office 365 Identity Models

6 Identity Synchronization and Federation (diagram; labels: Federated sign-in (WS-Federation, WS-Trust, SAML 2.0, Metadata, Shibboleth), Graph API, Synchronize accounts, Authentication)

7 Cloud identity model


10 Synchronized identity model

11 Before installing DirSync
- Active Directory remediation: IdFix
- Forest functional level: Windows Server 2003
- Multiple forests: not DirSync; use Azure AD Sync or Forefront Identity Manager 2010
- Directories other than Active Directory: not DirSync; see the Works with Office 365 – Identity program

12 IdFix – DirSync AD Remediation

13 What errors does IdFix look for?
- Duplicate proxyAddresses
- Invalid characters in attributes
- Over-length attributes
- Format errors in attributes
- Use of non-routable domains
- Blank attribute that requires a value
Attributes inspected: mailNickName, proxyAddresses, sAMAccountName, targetAddress, userPrincipalName
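The error classes on this slide are easy to reproduce against a directory export, which is useful for a pre-sync review or for a detection rule that flags bad objects before DirSync refuses them. The following is an added example written for this transcript, not IdFix's own code or rules: the length limits, the invalid-character sets, the list of non-routable suffixes and the choice of required attributes are this example's assumptions (chosen to resemble what IdFix reports), and the user records are constructed sample data. Check the assumed limits against the IdFix release you actually run.

```python
import re
from collections import defaultdict

# Constructed sample export (not real data); each record carries the attributes
# the slide names as the ones IdFix inspects.
SAMPLE_USERS = [
    {"dn": "CN=alice,OU=Users,DC=contoso,DC=com", "userPrincipalName": "alice@contoso.com",
     "sAMAccountName": "alice", "mailNickName": "alice",
     "proxyAddresses": ["SMTP:alice@contoso.com"], "targetAddress": ""},
    {"dn": "CN=bob,OU=Users,DC=contoso,DC=com", "userPrincipalName": "bob@contoso.com",
     "sAMAccountName": "bob", "mailNickName": "bob",
     # second address collides with Alice's primary (case differs, still a duplicate)
     "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:Alice@contoso.com"], "targetAddress": ""},
    {"dn": "CN=carol,OU=Users,DC=contoso,DC=com", "userPrincipalName": "carol@contoso.local",
     "sAMAccountName": "carol", "mailNickName": "carol smith",
     "proxyAddresses": ["SMTP:carol@contoso.com"], "targetAddress": ""},
    {"dn": "CN=dave,OU=Users,DC=contoso,DC=com", "userPrincipalName": "",
     "sAMAccountName": "dave-with-a-very-long-name", "mailNickName": "dave",
     "proxyAddresses": ["SMTP:dave"], "targetAddress": "SMTP:dave@contoso.mail.onmicrosoft.com"},
]

# Assumed limits and character rules approximating IdFix's checks (not authoritative).
MAX_LEN = {"sAMAccountName": 20, "mailNickName": 64, "userPrincipalName": 113,
           "proxyAddresses": 256, "targetAddress": 256}
INVALID = {
    "sAMAccountName": re.compile(r'["/\\\[\]:;|=,+*?<>]'),
    "mailNickName": re.compile(r'[\s"/\\\[\]:;|=,+*?<>@()]'),
    "userPrincipalName": re.compile(r"[^A-Za-z0-9.'_!#^~@-]"),
}
ADDRESS_RE = re.compile(r"^[A-Za-z0-9]+:[^@\s]+@[^@\s]+\.[^@\s]+$")  # type:local@domain.tld
NON_ROUTABLE = {"local", "lan", "internal", "localdomain"}           # assumed suffix list
REQUIRED = ("userPrincipalName", "sAMAccountName", "mailNickName")   # assumed required set


def _as_list(value):
    return value if isinstance(value, list) else ([value] if value else [])


def _tld_non_routable(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain.rsplit(".", 1)[-1] in NON_ROUTABLE


def check_users(users):
    """Return (dn, attribute, error, value) findings, one per problem found."""
    findings = []
    owners = defaultdict(list)  # normalised proxy address -> DNs carrying it
    for u in users:
        dn = u["dn"]
        for attr in REQUIRED:                       # blank attribute that needs a value
            if not (u.get(attr) or "").strip():
                findings.append((dn, attr, "blank", ""))
        for attr, limit in MAX_LEN.items():         # over-length attributes
            for v in _as_list(u.get(attr)):
                if len(v) > limit:
                    findings.append((dn, attr, "length", v))
        for attr, pattern in INVALID.items():       # invalid characters
            v = u.get(attr) or ""
            if v and pattern.search(v):
                findings.append((dn, attr, "character", v))
        upn = u.get("userPrincipalName") or ""
        if upn:                                     # UPN format and routability
            if upn.count("@") != 1:
                findings.append((dn, "userPrincipalName", "format", upn))
            elif _tld_non_routable(upn):
                findings.append((dn, "userPrincipalName", "domain", upn))
        for attr in ("proxyAddresses", "targetAddress"):
            for v in _as_list(u.get(attr)):         # address format and routability
                if not ADDRESS_RE.match(v):
                    findings.append((dn, attr, "format", v))
                    continue
                if _tld_non_routable(v):
                    findings.append((dn, attr, "domain", v))
                if attr == "proxyAddresses":
                    owners[v.split(":", 1)[1].lower()].append(dn)
    for addr, dns in owners.items():                # duplicate proxyAddresses across objects
        if len(dns) > 1:
            findings.extend((dn, "proxyAddresses", "duplicate", addr) for dn in dns)
    return findings


if __name__ == "__main__":
    for dn, attr, err, val in check_users(SAMPLE_USERS):
        print(f"{err:10} {attr:18} {dn:40} {val}")
```

The duplicate check is deliberately done after all objects are read, because a duplicate is a property of the whole directory rather than of one object; the per-object checks run in a single pass. Running the block on the sample data reports seven findings: Carol's non-routable UPN suffix and the space in her mailNickName, Dave's blank UPN, over-long sAMAccountName and malformed proxy address, and one duplicate finding each for Alice and Bob.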

14 DirSync topology and number of servers
- A domain-controller-collocated install isn't recommended, but it is supported and you can install DirSync on the DC
- One server is most common
- DirSync installs SQL Express for replication data; you can install with a dedicated SQL Server and can use HA for SQL Server
- Consider using Azure: to avoid any on-premises servers you can deploy to Azure IaaS
- Use the DirSync road map: read the docs, but skip the Microsoft Deployment Readiness Toolkit

15 DirSync installation and review
- Be aware of directory object limits: a new tenant can sync up to 50,000 directory objects; register a vanity domain and it is increased to 300,000 objects
- Add DNS domains to Office 365 prior to syncing to preserve UPNs
- Sync now; expect about 1 hour per 5,000 objects
- Check event logs (Event Viewer, eventvwr)
- Watch password expiry for the sync account
- Assign Office 365 licenses

16 Other DirSync considerations
- High availability: you can back up and reinstall
- Filtering DirSync: by OU
- Security of hashes: one-way hashes (a hash of the hash), not reversible, sent to Azure AD over SSL

17 Password hash sync security
- We typically get questions about the security of synchronizing passwords from banking and finance customers
- The password hash that we get from AD cannot be reversed to recover the user's password
- Hashes are mathematical functions that are nearly impossible to reverse; the result of the hash algorithm is called a digest
- We further process it with a one-way SHA-256 hash
- We connect over SSL to the Azure AD service and send the resulting hash of the hash
- This enables Azure AD to validate the user's password when they log in
- More details at: sync-frequently-asked-questions.aspx
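The "hash of the hash" argument on this slide is clearer when the two stages are written out. Below is an added example, not code from the presentation or from the sync tool: it computes the hash AD itself stores (MD4 over the UTF-16LE password, implemented in pure Python because hashlib's MD4 is frequently disabled), derives the value that would be sent to the cloud, and shows the cloud-side verification that makes sign-in possible without the password or the AD hash ever leaving the premises. The slide only says "one-way SHA-256"; the per-user salt and the PBKDF2 iteration count used here are this example's assumptions about a sound construction, not a description of the service's exact scheme.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the digest AD uses for the NT hash."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # 0,4,8,12,1,5,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Stage 1, what AD stores: MD4 over the UTF-16LE password, unsalted."""
    return _md4(password.encode("utf-16-le"))


def protect_for_sync(nt: bytes, salt: bytes, rounds: int = 1000) -> bytes:
    """Stage 2, what leaves the premises: a one-way SHA-256-based hash of the AD hash.
    Salt and iteration count are this example's assumptions, not the service's spec."""
    return hashlib.pbkdf2_hmac("sha256", nt, salt, rounds)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Cloud-side sign-in check: recompute both stages from the typed password and compare."""
    return hmac.compare_digest(protect_for_sync(nt_hash(password), salt), stored)


if __name__ == "__main__":
    salt = os.urandom(16)                       # would be generated once per user
    stored = protect_for_sync(nt_hash("password"), salt)
    print("AD hash     :", nt_hash("password").hex())
    print("synced value:", stored.hex())
    print("sign-in ok  :", verify("password", salt, stored))
```

Two properties worth checking when reasoning about the risk: the synced value differs from the AD hash (so a copy of it is not the credential the on-premises domain accepts), and changing the salt changes the synced value, which is why a per-user salt matters for a store of many users.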

18 Choosing between DirSync and AAD Sync
- Beta available
- Includes password hash sync
- Includes password write-back with an Azure AD Premium license
- Can filter objects by OU
- Supports a dedicated SQL Server install or SQL Express
- The setup wizard can be run multiple times for configuration changes
- Released and supported in production
- Includes sync from multiple forests, including merging duplicate users across those forests
- ** In addition to AD, can sync from LDAP v3, SQL Server and CSV data
- ** Enables selective OU sync using the setup UX, compared to DirSync which requires PowerShell configuration
- ** Enables transforming of attributes using the setup UX
- Planned to replace DirSync in the future
- Preview cannot be upgraded to a later release
(** = not in beta)

19 Demo Configuring Azure AD Sync

20 Federated identity model

21 Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.

22 ADFS is Also Easy
- Use trained and experienced deployment staff
- Use the Azure AD Connect tool: https://microsoft.sharepoint.com/teams/OfficeOnRamp/wiki/Pages/Azure-Active-Directory-Connect-Tool.aspx
- Read all the TechNet deployment guidance
- Only implement the Office 365 requirements
- The only certificate required is the SSL certificate
- Prepare with firewall update permissions

23 Demo Azure AD Connect for AD FS

24 How to choose an identity model?

25 Change between models as needs change
- Cloud identity to synchronized identity: deploy DirSync; hard match or soft match of users
- Synchronized identity to federated identity: deploy AD FS; can leave password sync enabled as backup
- Federated identity to synchronized identity: PowerShell Convert-MsolDomainToStandard; takes 2 hours plus 1 additional hour per 2,000 users
- Synchronized identity to cloud identity: PowerShell Set-MsolDirSyncEnabled; takes 72 hours and you can monitor with Get-MsolCompanyInformation

26 Choose the simplest model for your needs
- This is our recommendation
- Cloud identity is the simplest model
- Choose cloud when: you have no on-premises directory; there is on-premises directory restructuring; you are in pilot with Office 365

27 Choose synchronized identity if you have an on-premises directory
- Password hash sync means federation is not required just to have the same password in the cloud
- Same sign-on: the username and password are the same in the cloud as on-premises
- Single sign-on: you log on to the PC and no password is required for cloud services
- Saving credentials for later use relies on Windows Credential Manager
- Outlook does not support single sign-on
- Choose password hash sync unless you have one of the scenarios that requires federation

28 Scenarios for choosing federation: existing infrastructure
1. You already have an AD FS deployment
2. You already use a third-party federated identity provider
3. You use Forefront Identity Manager 2010

29 Scenarios for choosing federation: technical requirements
4. You have multiple forests in your on-premises AD
5. You have an on-premises integrated smart card or multi-factor authentication (MFA) solution
6. Custom hybrid applications or hybrid search is required
7. Web-accessible forgotten password reset

30 Scenarios for choosing federation: policy requirements
8. You require sign-in audit and/or immediate disable
9. Single sign-on minimizing prompts is required
10. You require client sign-in restrictions by network location or work hours
11. Policy preventing synchronizing password hashes to Azure AD

31 Office 365 federation options
AD FS:
- Suitable for medium and large enterprises including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on support for web and rich clients
- Microsoft supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
Third-party federation providers:
- Suitable for medium and large enterprises including educational organizations
- Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
- Single sign-on support for web and rich clients
- Third-party supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
- Verified through the 'Works with Office 365' program
Shibboleth:
- Suitable for educational organizations
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on support for web clients and Outlook (ECP) only
- Microsoft supported for integration only; no Shibboleth deployment support
- Requires on-premises servers and support
- Works with AD and other directories on-premises
SAML 2.0 identity providers:
- For organizations that need to use SAML 2.0
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on support for web clients and Outlook (ECP) only
- Microsoft supported for integration only; no identity provider deployment support
- Requires on-premises servers and support
- Works with AD and other directories on-premises

32 Works with Office 365 – Identity program

33 Recent features change the landscape
- Jun 2013: Password hash sync added to DirSync
- Nov 2013: DirSync tool can run on domain controllers
- Feb 2014: Multi-factor authentication for Office 365
- Apr 2014: Azure Active Directory Sync Services
- Apr 2014: Azure AD Premium password reset
- May 2014: Alternate sign-in ID to UPN
- May 2014: DirSync backup for federated sign-in
- Dec 2014: Office client passive authentication

34 Summary
- Choose the simplest model for your needs
- Change between models as needs change
- Cloud identity model when there is no on-premises directory
- Synchronized identity model for most organizations
- Federated identity model for one of the 11 scenarios

