Office 365 Identity Management

Meet Paul Andrew | @pndrw Office 365 Technical Product Manager Office 365 datacenter, networking, identity management Passion for informing and inspiring IT Professionals to create simpler solutions to complex problems Meet Nasos Kladakis | @AKladakis Azure Senior Product Marketing Manager Azure Active Directory Azure Multi-Factor Authentication

Office 365 Identity Management Agenda Module 1: Introduction to Identity Management concepts and integration options Module 2: Directory Synchronization is Easy with Office 365 Module 3: Guidance for choosing the right integration option Module 4: Third party identity providers with Office 365 Module 5: Multi-Factor Authentication use with Office 365 Module 6: Advanced Identity Management topics for Office 365 Module 7: New Features for Office 365 Identity Management

M1: Introduction to Identity Management concepts and integration options

Identity management Access Authentication Authorization Identity management deals with identifying individuals in a system and controlling access to the resources in that system Integral components of identity and access management Access Authentication Authorization Getting access is the first step. What device is being used and what network is being connected from. Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be. Determining which actions an authenticated entity is authorized to perform on the network

Identity terms WS-Federation / WS-Trust Single Sign On (SSO) is the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged into one does not need to log in again for the second. YAUP is the opposite to SSO. The Relying Party (RP) is the system that relies on the Identity Provider to authenticate a user. Security Assertion Markup Language WS-Federation / WS-Trust SAML is a public standard managed by OASIS. SAML is the identity token and also the protocol. SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth. WS-Federation is used for web browser based authentication with an IDP. WS- Trust is used by Office rich client apps to authenticate.

Microsoft cloud services Microsoft Account Microsoft Azure Active Directory Microsoft Account Ex: alice@outlook.com Organizational Account Ex: alice@contoso.com User User

Common identity platform for organizational accounts Azure Active Directory is the underlying identity platform for various cloud services that use Organizational Accounts Azure Active Directory Authentication platform Directory store Your App

Office 365 identity models Cloud identity Synchronized identity Federated identity On-premises directory On-premises directory Zero on-premises servers Directory sync with password sync Federation Directory sync On-premises identity On-premises identity Between zero and three additional servers Between two and eight on-premises servers

Identity synchronization and federation Passive Auth Azure Active Directory WS-Fed WS-Trust SAML 2.0 Metadata Shibboleth Graph API Microsoft Authentication SharePoint Online Exchange Web Access Authorization Active Auth Exchange Mailbox Access Outlook, Lync, Word, etc Directory Synchronize accounts Identity Provider Federated sign-in On-Premises

Cloud identity model User Cloud identity User accounts

Synchronized identity model Password hashes User accounts Synchronized identity DirSync / AAD Sync Sign-on User On-premises directory

Federated identity model Password hashes User accounts Federated identity DirSync / AAD Sync AD FS Sign-on Authentication User On-premises directory Authentication

Password sync backup for federated sign-in On-premises directory DirSync / AAD Sync Federated identity Backup Password Hash Sync User accounts AD FS This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on- premises power loss, internet connection interruption and any other on-premises outage.

ADFS can also be easy Use trained and experienced deployment staff 12/24/2018 ADFS can also be easy Use trained and experienced deployment staff Use Azure AD Connect Tool Read all the TechNet Deployment Guidance http://technet.microsoft.com/en-us/library/jj205462.aspx Only implement the Office 365 requirements The only certificate required is the SSL certificate Prepare with firewall update permissions © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Active Directory Connect Tool 12/24/2018 Azure Active Directory Connect Tool © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Active Directory Premium Added value for Office 365 customers Security Reporting/Alerting Self-Service Password Management Self-Service Group Management Single Sign-on/MFA for Other Cloud Applications Logon screen /Access Panel customization Enterprise Mobility Suite is the best way to get Azure AD Premium

user experience for Azure AD Premium demo user experience for Azure AD Premium

M1 Summary: Introduction to Identity Management concepts and integration options Key concepts in identity management Microsoft Account and Organizational Account Cloud Identity Synchronized Identity Federated Identity Azure AD Premium