
Office 365 deployment choices Cutover, Staged, Hybrid What is AD FS (Active Directory Federation Services) Attribute Stores, ADFS Configuration Database.


3 Agenda
- Office 365 deployment choices: Cutover, Staged, Hybrid
- What is AD FS (Active Directory Federation Services): Attribute Stores, ADFS Configuration Database etc.
- Certificates, what to choose: Public, Internal, Wildcard, SAN
- SPN records: what type of SPN is needed for the ADFS service account
- DNS: where to point the records
- WAAD (Windows Azure Active Directory Sync Tool)
- Demo

4 Office 365 deployment choices
- Cutover: for fast cutover migrations; no Exchange upgrades required on-premises.
- Staged: no Exchange upgrades required on-premises; uses DirSync.
- Hybrid deployment: manage users on-premises and online; uses DirSync; enables cross-premises calendaring; true move mailbox using MRS (Mailbox Replication Service).

5 AD FS Key Concepts
ADFS is designed to provide SSO (Single Sign-On) with other security providers (Office 365, Windows Azure and many others, as long as they support the same federation protocol; the slide refers to OIO SAML). ADFS provides clients, internal or external to your network, with seamless SSO access to services, even when the user accounts and applications are located in completely different networks or organizations.
- Federation Service: functions as a security token service (STS) and routes authentication requests from external user accounts in partner organizations and from clients on the Internet.
- Federation Service Proxy: functions as a proxy for the Federation Service in a perimeter network. This component is optional in an ADFS deployment, but without it (or another published path) the Federation Service itself has to be exposed to the Internet, since external users and Exchange Online must be able to reach the sign-in endpoints.

6 AD FS Key Concepts
- Attribute Stores: directories or databases that store user accounts and their associated attribute values.
- ADFS Configuration Database: the database that defines the set of parameters a Federation Service requires to identify partners.
- Claims: enable organizations to securely project digital identity and entitlement rights.
- Claims Engine: the claims engine in ADFS is a rule-based engine dedicated to serving and processing claim requests.
- Claims Pipeline: the claims pipeline in ADFS represents the path that claims must follow through the Federation Service before they can be issued.
- Claim Rule Language: the ADFS claim rule language acts as the administrative building block for the behavior of incoming and outgoing claims.

7 ADFS 2.0, 2.1 and 2.2
- ADFS 2.0: has to be downloaded separately (Windows Server 2008/2008 R2); Update Rollup 3 (RU 3) needs to be installed.
- ADFS 2.1: is now a role in Windows Server 2012. New PowerShell cmdlets allow a PowerShell-based deployment of your federated identity installation.
- ADFS 2.2 (AD FS in Windows Server 2012 R2): same as 2.1, plus easy MFA (Multi-Factor Authentication); 3rd-party MFA providers are also possible, e.g. SafeNet. There is no dedicated ADFS Proxy role anymore; the Web Application Proxy takes over that job.

8 Identity types
- Cloud identity: separate credential from the corporate credential; authentication occurs via the cloud directory service; the password is stored in Office 365.
- Federated identity: same credential as the corporate credential; authentication occurs via on-premises AD (through ADFS); the password is stored on-premises only. Requires DirSync (WAAD Sync Tool) to provision the users.

9 [Diagram: enterprise network with Active Directory and the ADFS server(s); perimeter network with the ADFS Proxy. Internal users connect to the ADFS server, external users connect to the proxy. Topologies shown: single server configuration; ADFS server farm behind a load-balancer; ADFS proxy server.]

10 [Diagram: federation trust examples. A. Datum account forest trusting Trey Research resource forest; Contoso (users) to Microsoft E-Company Store (resource); Contoso (users) to Office 365 (resource).]

11 Outlook sign-in with a federated identity
1. The user logs in and the Sign-In Assistant kicks in as described on the previous slide, doing the round trip to get the auth token.
2. The user starts Outlook. Outlook connects to Exchange Online, which requests Basic authentication.
3. The user gets a prompt and must type the username as a UPN, e.g. adam@domain.dk. The credentials can be saved, but the prompt appears the first time. They are sent to Exchange Online.
4. Exchange Online now does a trick called "Proxy Auth": it creates a shadow representation of the user, takes the domain/UPN from the Basic credentials and sends it to the Authentication Platform.
5. The Authentication Platform returns the URL of the ADFS server for that domain.
6. Exchange Online takes the Basic credentials and sends them to the ADFS server.
7. The ADFS server authenticates with the Basic credentials and converts them into a SAML token containing the claims UPN and Source User ID (ImmutableID). The token comes back to Exchange Online.
8. Exchange Online sends the SAML token to the Authentication Platform.
9. The Authentication Platform verifies the token and converts it into an auth token containing the UPN and the Unique ID assigned by the Authentication Platform. This auth token can now be used for login.
10. Exchange Online authenticates the user with it and deletes the shadow representation of the user.
Note what this flow implies: the user's password leaves the client in Basic authentication (over TLS) and is replayed by Exchange Online to the ADFS username/password endpoint, so that endpoint must be reachable from Microsoft's network, which also makes it reachable for password guessing from the Internet.
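The flow above only works if the WS-Trust username/password ("usernamemixed") endpoint is enabled on ADFS and published through the proxy, because that is where Exchange Online replays the Basic credentials. The following PowerShell is an added example, not code from the deck; it assumes the AD FS cmdlets are loaded on a federation server (Add-PSSnapin Microsoft.Adfs.PowerShell on 2.0, the Adfs module on Server 2012), PowerShell 3.0 or later for Invoke-WebRequest, and a placeholder federation service name sts.contoso.com.

```powershell
# Added example (not from the slides): verify the AD FS endpoints the
# Exchange Online "proxy auth" flow depends on. Assumes the AD FS cmdlets
# are loaded on a federation server; the hostname is a placeholder.
$fsName = 'sts.contoso.com'   # assumed federation service name

# Exchange Online authenticates on the user's behalf through the WS-Trust
# 2005 username/password (active) endpoint. It has to be enabled and
# published through the proxy. The passive endpoint is what browsers use
# and is listed for comparison.
$required = @(
    '/adfs/services/trust/2005/usernamemixed',   # active clients (Outlook, Lync, PowerShell)
    '/adfs/ls/'                                  # passive (browser) WS-Federation sign-in
)

$endpoints = Get-AdfsEndpoint
foreach ($path in $required) {
    $ep = $endpoints | Where-Object { $_.AddressPath -eq $path }
    if (-not $ep) { Write-Warning "$path not found"; continue }
    $status = if ($ep.Enabled -and $ep.Proxy) { 'OK' } else { 'PROBLEM' }
    '{0,-8} {1,-45} Enabled={2} Proxy={3}' -f $status, $path, $ep.Enabled, $ep.Proxy
}

# Enable the active endpoint and publish it on the proxy if it is off.
$active = $endpoints | Where-Object { $_.AddressPath -eq $required[0] }
if ($active -and -not ($active.Enabled -and $active.Proxy)) {
    Set-AdfsEndpoint -TargetAddressPath $active.AddressPath -Enabled $true -Proxy $true
}

# Reachability check as Exchange Online would see it: the MEX document of
# the trust service must be served through the proxy on the public name.
try {
    $mex = Invoke-WebRequest -Uri "https://$fsName/adfs/services/trust/mex" -UseBasicParsing
    "MEX reachable: HTTP $($mex.StatusCode), $($mex.Content.Length) bytes"
} catch {
    Write-Warning "MEX not reachable from here: $($_.Exception.Message)"
}
```

Run the last check from outside the corporate network, otherwise it only proves the internal path. Because the active endpoint accepts passwords from the Internet it is the part of ADFS most exposed to password guessing; on ADFS 2.x the only controls are the AD account lockout policy and not publishing the endpoint on the proxy when no Office 365 rich clients need it, while later updates to AD FS in Windows Server 2012 R2 add an extranet lockout (Set-AdfsProperties -EnableExtranetLockout) that stops guessing at the proxy before the AD account locks.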

12 Prerequisites
- A 64-bit computer (Windows 7, Windows 8, Server 2012) with WAAD PowerShell and the MOSSIA assistant.
- Microsoft Online Services Sign-In Assistant (MOSSIA) 7.2 Beta, 64-bit, can be downloaded directly from Microsoft. The Beta version is the one currently shipping with the Office 365 DirSync Tool (end of June 2013) and it is safe to use.
- Windows Azure Active Directory PowerShell Module (WAAD), 64-bit, can be downloaded directly from Microsoft. WAAD requires MOSSIA.
- The latest versions of both components can also be obtained from the Office 365 Portal, but only after the domain is added via the portal UI.
- Global Administrator credentials to an Office 365 account.

13 Certificates, what to choose: Public, Internal, Wildcard, SAN
- Service Communication certificate: use a public certificate, since external clients and Office 365 must trust it. It can be a single-name certificate, a SAN certificate or a wildcard certificate; in every case it must cover the federation service name.
- Token Signing certificate: AD FS 2.x by default creates a self-signed certificate for signing tokens.
- Token Decrypting certificate: AD FS 2.x by default uses another self-signed certificate for token decrypting/encrypting.
- Extend the lifetime of the self-signed certificates to 3 years:
    Set-AdfsProperties -CertificateDuration 1095
- Office 365 does not process automatic federation metadata updates, so after a token-signing certificate rollover the new certificate has to be sent to Office 365 explicitly or federated sign-in fails. See also: http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc
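The certificate housekeeping the slide describes, as an added PowerShell example (not from the deck): list the ADFS certificates with their remaining lifetime, extend the self-signed duration, and re-publish the signing certificate to Office 365 because the cloud side keeps its own copy. It assumes the AD FS cmdlets and the MSOnline module on a federation server and a placeholder federated domain contoso.com.

```powershell
# Added example (not from the slides): inspect the AD FS token-signing and
# token-decrypting certificates, lengthen the self-signed lifetime, and
# re-publish the signing certificate to Office 365, which does not pull
# federation metadata automatically. Assumes the AD FS cmdlets and the
# MSOnline module; the domain name is a placeholder.
$domain = 'contoso.com'    # assumed federated domain

# Certificate inventory with days left
$now = Get-Date
Get-AdfsCertificate | ForEach-Object {
    $c = $_.Certificate
    [pscustomobject]@{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - $now).TotalDays
    }
} | Sort-Object Type, Primary -Descending | Format-Table -AutoSize

# Auto-rollover mints a new self-signed pair before expiry; the default
# lifetime is one year. 1095 days is the three years from the slide.
$props = Get-AdfsProperties
'AutoCertificateRollover={0}  CertificateDuration={1} days  PromotionThreshold={2} days' -f `
    $props.AutoCertificateRollover, $props.CertificateDuration, $props.CertificatePromotionThreshold
Set-AdfsProperties -CertificateDuration 1095

# Office 365 stores its own copy of the signing certificate. After any
# rollover (scheduled, or forced with the commented line) the federation
# settings must be re-sent, otherwise tokens signed with the new key are
# rejected and every federated user is locked out of the cloud side.
# Update-AdfsCertificate -CertificateType Token-Signing -Urgent   # immediate rollover; breaks sign-in until the update below runs
Connect-MsolService                                               # Global Administrator credentials
Update-MsolFederatedDomain -DomainName $domain

# Both sides should now report the same signing certificate
Get-MsolFederationProperty -DomainName $domain |
    Format-List Source, TokenSigningCertificate, NextTokenSigningCertificate
```

Get-MsolFederationProperty returns one entry from the ADFS server and one from Office 365; if the thumbprints differ, sign-in for that domain is already broken or about to break at the promotion date, and Update-MsolFederatedDomain is the fix.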

14 SPN records, what type of SPN is needed?
- To run the ADFS service a domain account is needed and nothing more.
- ADFS only requires a HOST SPN for the ADFS service account, registered for the federation service name. This is the same whether WID or SQL is used for the configuration database.
- How to create the SPN:
    setspn -s host/{your_Federation_Service_name} {domain_name}\{service_account}
- How to check the SPN:
    setspn -l {service_account}
- Will be shown in the demo.
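The two setspn commands from the slide wrapped into a check, as an added example (not from the deck): register the HOST SPN, confirm it sits on the service account, and scan the forest for duplicates, since a second copy of the same SPN on another principal is the usual cause of Kerberos failures against the federation service. Names, domain and account are placeholders.

```powershell
# Added example (not from the slides): register the HOST SPN for the AD FS
# service account and verify it is present exactly once in the forest.
# Placeholders: federation service name, NetBIOS domain and account.
$fsName  = 'sts.contoso.com'
$domain  = 'CONTOSO'
$account = 'svc_adfs'
$spn     = "host/$fsName"

# Query first: an existing copy of this SPN on another principal (typically
# a server's computer account) makes Kerberos authentication to the
# federation service fail with KRB_AP_ERR_MODIFIED and clients silently
# fall back to NTLM or prompt, so never just add on top of it.
$query = setspn -q $spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Warning "$spn is already registered:`n$($query -join "`n")"
} else {
    setspn -s $spn "$domain\$account"     # -s refuses to create a duplicate
}

# Confirm the account now carries the SPN (-l lists what is registered)
$registered = setspn -l "$domain\$account"
if ($registered -match [regex]::Escape($spn)) {
    "$spn is registered on $domain\$account"
} else {
    Write-Warning "$spn is missing from $domain\$account"
}

# Forest-wide duplicate scan; the last line of the output reports the count
$scan = setspn -x -f 2>&1
if ($scan -match 'found 0 group') { 'no duplicate SPNs in the forest' } else { $scan }
```

On AD FS in Windows Server 2012 R2 with a group Managed Service Account the configuration wizard registers the SPN itself; the check above still applies, because an SPN left behind on an old account or on a decommissioned proxy produces the same duplicate.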

15 DNS, where to point the records
- Users should always contact their "local" ADFS instance.
- Internet users must resolve the federation service name to the ADFS-P (proxy) servers.
- The ADFS-P servers must resolve the federation service name to the FS (federation) servers, not to themselves.
- Internal users must resolve the federation service name to the ADFS servers (the farm or its load-balancer).
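The split-DNS rule on the slide is easy to get wrong on the proxy, which sits in the perimeter network and usually only sees public DNS. The following PowerShell is an added example (not from the deck) that resolves the federation service name against an internal and an external resolver and checks the proxy's hosts file. It needs Resolve-DnsName (Windows 8 / Server 2012 or later); names, addresses and resolvers are placeholders.

```powershell
# Added example (not from the slides): check that the federation service
# name resolves to the right tier from each vantage point. Internal DNS
# should hand out the AD FS farm/load-balancer address, external DNS the
# proxy address, and the proxy itself must reach the internal farm, which
# in a perimeter network usually means a hosts-file entry on the proxy.
# Placeholders: names, addresses and DNS servers.
$fsName      = 'sts.contoso.com'
$internalDns = '10.0.0.10'        # assumed internal DNS server
$externalDns = '8.8.8.8'          # any external resolver
$farmVip     = '10.0.1.50'        # assumed AD FS farm / load-balancer address
$proxyPublic = '203.0.113.10'     # assumed public address of the ADFS proxies

function Test-FsResolution {
    param([string]$Server, [string]$Expected, [string]$Label)
    # CNAME chains are followed; keep only the final A records
    $addresses = Resolve-DnsName -Name $fsName -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
    $verdict = if ($addresses -contains $Expected) { 'OK' } else { "expected $Expected" }
    '{0,-9} via {1,-15} -> {2,-20} {3}' -f $Label, $Server, ($addresses -join ','), $verdict
}

Test-FsResolution -Server $internalDns -Expected $farmVip     -Label 'internal'
Test-FsResolution -Server $externalDns -Expected $proxyPublic -Label 'external'

# On the proxy: a hosts entry pins the FS name to the internal farm so the
# proxy does not loop back to its own public address via external DNS.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern = '^\s*\S+\s+' + [regex]::Escape($fsName) + '\b'
if (Select-String -Path $hosts -Pattern $pattern -Quiet) {
    "hosts entry for $fsName present"
} else {
    "proxy hosts file has no entry for $fsName; add:  $farmVip  $fsName"
}
```

Run the internal check on a domain member and the hosts-file check on the proxy itself; a proxy that resolves the federation service name to its own public address passes every DNS test and still fails with a loop.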

16 What does DirSync bring to the table?
- An application that synchronizes on-premises Active Directory objects with Office 365.
- Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment.
- Provides a unified Global Address List experience between on-premises and Office 365.
- Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365.
- Enables coexistence for Exchange.
- Works in both simple and hybrid deployment scenarios.
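DirSync ties each cloud object to its on-premises source by the ImmutableID, the base64 form of the AD objectGUID, which is also the Source User ID claim ADFS issues in the Outlook flow on slide 11; a mismatch between the two is the classic reason a synced, federated user cannot sign in. The following PowerShell is an added example (not from the deck) that compares the two values for one user. It assumes the ActiveDirectory and MSOnline modules and a placeholder UPN.

```powershell
# Added example (not from the slides): compute the ImmutableID DirSync
# derives from the on-premises objectGUID and compare it with what Office
# 365 holds for the same user, plus the GAL-hidden flag the slide mentions.
# Assumes the ActiveDirectory and MSOnline modules; the UPN is a placeholder.
$upn = 'adam@contoso.com'

$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" `
    -Properties objectGUID, mail, msExchHideFromAddressLists
if (-not $adUser) { throw "no on-premises user with UPN $upn" }

# ImmutableID = base64(objectGUID bytes); this is the anchor DirSync writes
# and the value the AD FS claim rule emits as Source User ID.
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

Connect-MsolService                                  # Global Administrator credentials
$cloudUser = Get-MsolUser -UserPrincipalName $upn

[pscustomobject]@{
    UPN               = $upn
    OnPremGuid        = $adUser.ObjectGUID
    OnPremImmutableId = $immutableId
    CloudImmutableId  = $cloudUser.ImmutableId
    Match             = ($immutableId -eq $cloudUser.ImmutableId)
    Mail              = $adUser.mail
    HiddenFromGAL     = [bool]$adUser.msExchHideFromAddressLists
} | Format-List

# Decode the cloud value back to a GUID when troubleshooting a mismatch,
# so it can be searched for with Get-ADObject -Identity
if ($cloudUser.ImmutableId) {
    $bytes = [Convert]::FromBase64String($cloudUser.ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}
```

When Match is false the cloud object was created from a different source (a cloud-only account, or a user re-created on-premises), and ADFS tokens for the user will be refused by the Authentication Platform until the ImmutableID on one side is corrected.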

17 Demo: let's have a look.

18 Evaluation: send a text message to 1919 with the session code UC302 followed by three scores from 1 to 5 (speaker performance, match of technical level with the published level, relevance to your work) and an optional comment, e.g. "UC302 5 5 5 I liked it a lot". Scale: 1 = Very bad, 2 = Bad, 3 = Relevant, 4 = Good, 5 = Very Good.

19 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

