M7: New Features for Office 365 Identity Management

Presentation transcript:

M7: New Features for Office 365 Identity Management

Meet Paul Andrew | @pndrw
Office 365 Technical Product Manager
Office 365 datacenter, networking, identity management
Passion for informing and inspiring IT Professionals to create simpler solutions to complex problems

Meet Jono Luk
Office Senior PM Manager
Office Client & Cloud Identity infrastructure
Long time Identity Management SME
Passion for ensuring top-quality customer story and solutions

Recent features change the landscape
May 2013: Office 365 SSO with SAML 2.0 Identity Providers
May 2013: Office 365 Adapter
Jun 2013: Password hash sync added to DirSync
Nov 2013: DirSync tool run on Domain Controllers
Feb 2014: Multi Factor Authentication for Office 365
Feb 2014: Multi-Forest AD
Feb 2014: Non-AD Synchronization
Apr 2014: Alternate Sign-In ID to UPN
May 2014: Password Sync Backup for Federated Sign-In
May 2014: Azure Active Directory Sync Services
Dec 2014: Office client passive authentication

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Office 365 SSO with SAML 2.0 Identity Providers
Shipped May 2013* (* for early adopters)
Office 365 already supports:
- Microsoft Active Directory
- WS-Federation (qualified)
- Shibboleth Identity Providers
Customers who need SSO with a SAML 2.0 identity provider can sign up for the early adopter program: https://spsites.microsoft.com/sites/bosm/boswiki/Pages/SAML-P-Early-Adopter.aspx
Diagram: Windows Azure Active Directory, SAML-P Authentication, SAML2 Identity Provider, User

Office 365 Adapter
Customer On-Premises Deployment
Shipped May 2013
Federation & DirSync Deployment:
- Prescriptive guidance for Partners or MCS to deploy the On-Premises components required in Azure
- Bundle these components with Services and/or support to appear as an ‘adapter’
What remains on-premises:
- Existing AD infrastructure (required for other IT needs)
- VPN router
- Exchange coexistence servers, if required
Where to find more information:
- Microsoft Download Center’s Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure
Diagram: Azure (ADFS, AD, DirSync), VPN Tunnel, AD Replication, VPN Router, AD, Customer On-Premises

Windows Azure Active Directory Sync Tool
Shipped June 2013
More details on TechNet: http://aka.ms/sync
- Synchronizes user password hashes from on-prem AD to Azure AD (Office 365)
- Respects on-premises password policies.
- Can’t sync passwords for Federated Users, but can co-exist.

DirSync runs on a Domain Controller
Shipped Nov 2013
Only for up to 10,000 user objects.
Diagram: Windows Azure Active Directory, DirSync and AD Domain Controller

Multi-Factor Authentication for Office 365
Shipped Feb 2014 (UPDATED)
Multi-Factor Authentication:
- Phone call
- SMS message
- Mobile app
Licensing:
- Included in all Office 365 SKUs
- Prior to Jan 2014 this was available for Admin accounts only.
Futures:
- Seamless multi-factor authentication is planned in the next 12 months for Office client applications
*For representative purposes only.

Multi-forest AD
Shipped Feb 2014
- Multi-forest AD support is available using Forefront Identity Manager 2010 R2.
- You also need the Windows Azure Active Directory Connector for FIM 2010 R2.
- Guidance is also available for merging AD Forests on TechNet.
Diagram: Windows Azure Active Directory, Federation using ADFS, Forefront Identity Manager, On-premises identity (AD, AD, AD), User

Non-AD Synchronization
Shipped Feb 2014
Preferred option for Directory Synchronization with Non-AD Sources:
- Non-AD support with Forefront Identity Manager 2010 R2 is available now
- FIM 2010 R2 Office 365 connector supports complex multi-forest topologies
Diagram: Windows Azure Active Directory, Federation using non-ADFS STS, Office 365 Connector on FIM, On-premises identity, Non-AD (LDAP), User

Alternate Login ID removing dependency on User Principal Name (UPN)
Shipped April 2014
- The reliance on UPN has been removed and you can now select an alternate login ID for use with Office 365 and Azure AD in general.
- Use of UPN will still be the default.
- Through configuration you can select the Mail attribute or any other attribute in your on-premises Active Directory.
- This works with either synchronized identity or federated identity.
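
One way to apply this setting on the federated (AD FS) side, as an added example that is not from the presentation. It assumes an AD FS server with alternate login ID support plus the ActiveDirectory and ADFS PowerShell modules; `contoso.com` and the `mail` attribute are placeholder choices, and the pre-check reflects the AD FS requirement that the chosen value identify exactly one user across the lookup forests.

```powershell
# Added example, not from the presentation. Placeholder values: contoso.com, mail.
Import-Module ActiveDirectory
Import-Module ADFS

$attribute = 'mail'            # attribute users will sign in with
$forests   = @('contoso.com')  # placeholder: forests AD FS searches for that value

# Collect enabled accounts from every lookup forest before changing anything.
# Note: -Server with a domain name queries that domain only; add one entry per domain.
$users = foreach ($forest in $forests) {
    Get-ADUser -Server $forest -Filter 'Enabled -eq $true' -Properties $attribute
}

# Accounts without a value cannot use the alternate login ID.
$missing = @($users | Where-Object { -not $_.$attribute })

# A value shared by two accounts is ambiguous, so sign-in with it cannot resolve to one user.
$duplicates = @($users | Where-Object { $_.$attribute } |
    Group-Object -Property $attribute | Where-Object { $_.Count -gt 1 })

if ($duplicates.Count -gt 0) {
    $duplicates | ForEach-Object {
        Write-Warning "Duplicate ${attribute}: $($_.Name) ($($_.Count) accounts)"
    }
    throw "Resolve duplicate $attribute values before enabling the alternate login ID."
}
Write-Host "$($missing.Count) enabled accounts have no $attribute value."

# Enable the alternate login ID on the built-in Active Directory claims provider trust.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID $attribute -LookupForests $forests

# Confirm what AD FS now uses for lookups.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests
```

This covers the federated identity case only; for synchronized identity the equivalent choice is made in the directory sync tool's configuration.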

Password Sync Backup for Federated Sign-In
Shipped May 2014
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on-premises power loss, internet connection interruption and any other on-premises outage.
Diagram: Backup Password Hash Sync, Federated identity, User accounts, DirSync Tool, AD FS, On-premises directory
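
The manual switch described above could look like this, as an added example that is not from the presentation. It assumes the MSOnline PowerShell module of that period, password hash sync already enabled in DirSync before the outage, and `contoso.com` and the export path as placeholders.

```powershell
# Added example, not from the presentation. Placeholder values: contoso.com, C:\Temp path.
Import-Module MSOnline
Connect-MsolService   # prompts for a cloud-only global administrator

$domainName = 'contoso.com'                                  # placeholder federated domain
$backupPath = 'C:\Temp\contoso-federation-settings.xml'      # placeholder export location

# Only act on a domain that is currently federated.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Authentication -ne 'Federated') {
    Write-Warning "$domainName is already '$($domain.Authentication)'; nothing to switch."
    return
}

# Keep a record of the current federation settings (issuer, endpoints, signing
# certificate) so the fail-back can be compared against the pre-outage state.
Get-MsolDomainFederationSettings -DomainName $domainName |
    Export-Clixml -Path $backupPath

# Switch sign-in to the cloud, where the synchronized password hashes are used.
# This does not contact AD FS, so it works while on-premises is unreachable.
Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed

# Verify the change took effect.
$after = (Get-MsolDomain -DomainName $domainName).Authentication
Write-Host "$domainName authentication is now: $after"

# Fail-back once AD FS is reachable again (run from the AD FS environment):
#   Convert-MsolDomainToFederated -DomainName $domainName
```

Use a cloud-only administrator account for the switch, since an administrator in the federated domain cannot sign in while AD FS is down.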

Azure Active Directory Sync Services
Targeted Q3 CY 2014
A new identity sync tool that provides customers with the ability to sync identity information from complex AD environments (i.e. multi-forest) and other identity directories such as:
- Generic LDAP v3 (PowerShell, CSV etc.)
- Generic SQL through ODBC driver (MySQL, IBM, Oracle)
- Generic Web Service (SOAP, JAVA, REST/JSON/XML)
In beta as of June 2014

Office Client OAUTH Support
Targeted End of 2014
This feature enables Office rich client applications to work with third party Identity Providers and to work with the Windows Azure Multi-factor Authentication implementation.

M7 Summary: New Features for Office 365 Identity Management
Great new features
May 2013: Office 365 SSO with SAML 2.0 Identity Providers
May 2013: Office 365 Adapter
Jun 2013: Password hash sync added to DirSync
Nov 2013: DirSync tool run on Domain Controllers
Feb 2014: Multi Factor Authentication for Office 365
Feb 2014: Multi-Forest AD
Feb 2014: Non-AD Synchronization
Apr 2014: Alternate Sign-In ID to UPN
May 2014: Password Sync Backup for Federated Sign-In
May 2014: Azure Active Directory Sync Services
Dec 2014: Office client passive authentication