Agenda
1. Identity management overview
2. Core identity scenarios
3. Federation and synchronization
4. Additional features

Office 365 Identity, June 2013, Microsoft Office 365 (4/2/2017)
Presentation transcript:


Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity it claims to be.
Authorization: determining which actions an authenticated entity is allowed to perform on the network.

Cloud Identity: a single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
Directory & Password Synchronization*: a single identity, suitable for medium and large organizations without federation.
Federated Identity: a single federated identity and credentials, suitable for medium and large organizations.

(* see the note on password synchronization availability below)

Core identity scenarios

Cloud Identity

The user's identity lives only in Windows Azure Active Directory; nothing is deployed on-premises.
- Rich experience with Office apps
- Ease of deployment, management and support
- Lower cost, as no additional servers are required
- High availability and reliability, as all identities and services are managed in the cloud

Directory & Password Synchronization

Identities are created and managed on-premises (AD, or non-AD LDAP) and synchronized to Windows Azure Active Directory. Ex: on-premises identity Domain\Alice becomes a matching cloud identity.
- Rich experience with Office apps
- Directory synchronization between on-premises and online
- Single identity and credentials, but no single sign-on between on-premises and Office 365 services: the user types the same password, but it is verified by the cloud directory rather than by the on-premises domain
- Password synchronization gives users the same credentials everywhere at a lower cost than federation
- Reuses the existing on-premises directory implementation

* Password synchronization may not be available at GA; the target is to update the service in 1H CY2013.

Federated Identity

Identities are mastered on-premises (AD, or non-AD LDAP) with a single point of management. Ex: Domain\Alice.
- Single identity and single sign-on for on-premises and Office 365 services
- Directory synchronization copies directory objects into Office 365; federation handles authentication
- Secure token-based authentication: Office 365 trusts a signed token issued by the on-premises security token service
- Client access control based on IP address with ADFS
- Strong (multi-)factor authentication options for additional security with ADFS

Federation and Synchronization options

Federation options

Shibboleth (SAML*), works with AD and non-AD directories
- Suitable for educational organizations
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on
- Secure token-based authentication
- Support for web clients and Outlook only
- Microsoft supported for integration only; no Shibboleth deployment support
- Requires on-premises servers and support
- Works with AD and other directories on-premises

Active Directory Federation Services (ADFS)
- Suitable for medium and large enterprises, including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on
- Secure token-based authentication
- Support for web and rich clients
- Microsoft supported
- PhoneFactor can be used for two-factor authentication
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support

Third-party identity providers ("Works with Office 365")
- Suitable for medium and large enterprises, including educational organizations
- Recommended where customers may use existing non-ADFS identity systems, with AD or non-AD
- Single sign-on
- Secure token-based authentication
- Support for web and rich clients
- Third-party supported
- PhoneFactor can be used for two-factor authentication
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
- Verified through the "Works with Office 365" program

"Works with Office 365" is a program for third-party identity providers to interoperate with Office 365. Its objective is to help customers that currently use non-Microsoft identity solutions adopt Office 365.

Federation with Identity Partners: verified by Microsoft, reuse existing investments.

Directory Synchronization Options

PowerShell & Graph API
- Suitable for small and medium-size organizations with AD or non-AD
- Performance limitations apply to PowerShell and Graph API provisioning
- PowerShell requires scripting experience
- The PowerShell option can be used where the customer or partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

Directory Synchronization tool (DirSync)
- Suitable for organizations using Active Directory (AD)
- Provides the best experience for most customers using AD
- Supports Exchange coexistence scenarios
- Coupled with ADFS, provides the best option for federation and synchronization
- Supports password synchronization at no additional cost
- Does not require any additional software licenses

Forefront Identity Manager (FIM) with the Office 365 connector
- Suitable for large organizations with certain AD and non-AD scenarios
- Complex multi-forest AD scenarios
- Non-AD synchronization through Microsoft Premier deployment support
- Requires Forefront Identity Manager and additional software licenses
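The "PowerShell & Graph API" option is usually wrapped in a provisioning script. The following is an added example, not code from the deck: a self-service provisioning wrapper around the MSOnline cmdlets that refuses to create a user whose UPN suffix is not a verified domain (the mistake that most often breaks federation later) and is safe to re-run. The tenant domain, licence SKU and the new-hire record are constructed sample values; the function name New-O365User is this example's own.

```powershell
# Added example, not from the original deck. Assumes the MSOnline module is installed and
# Connect-MsolService runs under an account with the User Administrator role.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

function New-O365User {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $FirstName,
        [string] $LastName,
        [string] $UsageLocation = 'US',
        [string] $LicenseSku                # e.g. 'contoso:ENTERPRISEPACK' (sample value)
    )

    # 1. The UPN suffix must be a domain the tenant has verified; otherwise the user
    #    cannot be created under that name and a federated domain will not match.
    $suffix   = $UserPrincipalName.Split('@')[-1]
    $verified = Get-MsolDomain -Status Verified | Select-Object -ExpandProperty Name
    if ($verified -notcontains $suffix) {
        throw "UPN suffix '$suffix' is not a verified domain in this tenant."
    }

    # 2. Idempotency: a re-run (or a retry after tenant throttling, which the deck
    #    warns about as "performance limitations") must not fail on an existing user.
    $existing = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # 3. Create the user. Without -Password, Azure AD generates a temporary password,
    #    returns it in the output object, and forces a change at first sign-in.
    $params = @{
        UserPrincipalName = $UserPrincipalName
        DisplayName       = $DisplayName
        UsageLocation     = $UsageLocation   # required before a licence can be assigned
    }
    if ($FirstName)  { $params.FirstName         = $FirstName }
    if ($LastName)   { $params.LastName          = $LastName }
    if ($LicenseSku) { $params.LicenseAssignment = $LicenseSku }
    New-MsolUser @params
}

# Constructed sample input, as an HR export would supply it.
$newHires = @(
    [pscustomobject]@{ Upn = 'alice@contoso.com'; Name = 'Alice Example'; First = 'Alice'; Last = 'Example' }
)
foreach ($h in $newHires) {
    New-O365User -UserPrincipalName $h.Upn -DisplayName $h.Name `
                 -FirstName $h.First -LastName $h.Last -LicenseSku 'contoso:ENTERPRISEPACK'
}
```

The returned object carries the generated temporary password; a real wrapper should hand it to the user out of band and never log it.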

Identity Roadmap

- Shibboleth (SAML) support: available now
- New "Works with Office 365" partners: Ping, Optimal IDM, Okta and IBM available now; Novell, CA and Oracle in 1H CY2013
- DirSync for multi-forest AD: available now through MCS and partners
- Sync solution for non-AD using FIM: available now through MCS and partners
- Password synchronization for AD: 1H CY2013
- Broader SAML support: 1H CY2013

From the Field: Wildcard SSL certificates are supported with ADFS. However, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com subject of the wildcard certificate. When adding further ADFS servers to such a farm, use FSConfig.exe from the command line instead.
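What the command-line join looks like, as an added example that is not from the deck. Server names, the service account and the domain are constructed; the FSConfig.exe verbs and switches are those of AD FS 2.0 as I recall them (CreateFarm / JoinFarm with /PrimaryComputerName, /ServiceAccount, /ServiceAccountPassword, /CertThumbprint), so confirm them with "FSConfig.exe /?" on the box before running.

```powershell
# Added example, not from the original deck. Joins this server to an existing AD FS 2.0
# farm whose primary is adfs01.corp.contoso.com (sample name), selecting the wildcard
# certificate by thumbprint because the wizard refuses when the farm name != *.contoso.com.

# Pick the (longest-lived) wildcard certificate from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.contoso.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No wildcard certificate for *.contoso.com with a private key in LocalMachine\My' }

# Read the service account password without echoing it; FSConfig needs it in clear text.
$secure = Read-Host -Prompt 'AD FS service account password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Install path of AD FS 2.0 (assumed default).
$fsconfig = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0\FSConfig.exe'

& $fsconfig JoinFarm `
    /PrimaryComputerName adfs01.corp.contoso.com `
    /ServiceAccount 'CONTOSO\svc_adfs' `
    /ServiceAccountPassword $plain `
    /CertThumbprint $cert.Thumbprint

Remove-Variable plain   # do not leave the password in the session
```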

From the Field: When working through the firewall considerations, ensure that the Microsoft Online (MSO) datacenter IP ranges have been granted access to TCP port 443 on the ADFS proxy server located in the DMZ. This is required because rich clients such as Outlook do not talk to ADFS themselves: Exchange Online takes the user's credentials and contacts the ADFS proxy on the user's behalf (the active profile), so that traffic originates from the datacenter ranges, not from the client.

Understanding client authentication path

From the Field: Client access policy scenarios
- Block all external access to Office 365 based on the IP address of the external client.
- Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked.
- Block all external access to Office 365 except passive browser-based applications such as Outlook Web Access or SharePoint Online.
Use the Client Access Policy Builder! Test ADFS client access rules extensively; by default ADFS logs every denied authorization together with the values on which the denial was based.
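The three scenarios are issuance authorization rules on the Office 365 relying party. The following is an added example rather than the deck's Client Access Policy Builder: it builds the rule set for a chosen scenario from the request-context claims that AD FS 2.0 Update Rollup 2 introduced (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path) and applies it with Set-ADFSRelyingPartyTrust. The corporate IP regex is a constructed sample; "Microsoft Office 365 Identity Platform" is the relying party name created by Convert-MsolDomainToFederated.

```powershell
# Added example, not from the original deck. Requires AD FS 2.0 with Update Rollup 2 or later
# and an AD FS proxy in front of the farm (x-ms-proxy is only present for proxied requests).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0; on 2012 use Import-Module ADFS

$ctx = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'

# Sample corporate egress range. Anchor the regex: unanchored, "131\.107\.1\.1" would also
# match 131.107.1.10 and 131.107.1.100, silently widening the allow list.
$corpIpRegex = '^131\.107\.(\d{1,3})\.(\d{1,3})$'

# Condition fragments in the AD FS claim rule language.
$external   = "exists([Type == `"${ctx}x-ms-proxy`"])"
$notCorpIp  = "NOT exists([Type == `"${ctx}x-ms-forwarded-client-ip`", Value =~ `"$corpIpRegex`"])"
$notEas     = "NOT exists([Type == `"${ctx}x-ms-client-application`", Value == `"Microsoft.Exchange.ActiveSync`"])"
$notPassive = "NOT exists([Type == `"${ctx}x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])"
$deny       = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");'
$permitAll  = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function New-ClientAccessRules {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('BlockExternal', 'AllowEasOnly', 'AllowPassiveOnly')]
        [string] $Scenario
    )
    # Every scenario denies requests that came through the proxy from a non-corporate IP;
    # the two "except" scenarios carve out one client type from that denial.
    $conds = @($external, $notCorpIp)
    switch ($Scenario) {
        'AllowEasOnly'     { $conds += $notEas }
        'AllowPassiveOnly' { $conds += $notPassive }
    }
    # The deny rule must come first; the unconditional permit keeps everyone else working.
@"
@RuleName = "Client access policy: $Scenario"
$($conds -join " &&`n") $deny

@RuleName = "Permit Access to All Users"
$permitAll
"@
}

$rules = New-ClientAccessRules -Scenario AllowEasOnly
$rules   # review the generated rule text before applying it

Set-ADFSRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' `
                          -IssuanceAuthorizationRules $rules
```

Internal requests never carry x-ms-proxy, so they are unaffected; conversely, if the proxy is bypassed (for example by publishing the farm directly), the whole policy is bypassed with it. Each denial shows up in the AD FS Admin log with the claim values that matched, which is what the "test extensively" advice above relies on.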

From the Field: If the customer does not have a valid, routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties, and add the UPN suffix. Every user to be synchronized must then carry a UPN whose suffix is a domain verified in Office 365.
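The same change, plus the check that usually has to follow it, as an added example (not from the deck) using the ActiveDirectory module instead of the Domains and Trusts GUI: add the routable suffix to the forest, list enabled users whose UPN suffix is not a verified domain, and rewrite those UPNs keeping the existing prefix. The domain names are constructed samples, and Get-UserWithBadUpn is this example's own helper.

```powershell
# Added example, not from the original deck. Run with Enterprise Admin rights for the
# forest change; Set-ADUser needs only write access to the affected user objects.
Import-Module ActiveDirectory

$routableSuffix = 'contoso.com'   # sample; must be a domain verified in Office 365

# Equivalent of Domains and Trusts > Properties > UPN Suffixes > Add.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $routableSuffix }
}

# Users whose suffix is the forest DNS name (e.g. corp.contoso.local) would be created in
# the tenant as user@tenant.onmicrosoft.com and would not match the federated domain.
function Get-UserWithBadUpn {
    param([Parameter(Mandatory)] [string[]] $VerifiedSuffixes)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
        Where-Object {
            -not $_.UserPrincipalName -or
            ($VerifiedSuffixes -notcontains $_.UserPrincipalName.Split('@')[-1])
        }
}

$bad = Get-UserWithBadUpn -VerifiedSuffixes @($routableSuffix)
$bad | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

# Rewrite the suffix, keeping the prefix (or the sAMAccountName when no UPN is set).
# -WhatIf makes this a dry run; remove it after reviewing the list above.
foreach ($u in $bad) {
    $prefix = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[0] } else { $u.SamAccountName }
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$routableSuffix" -WhatIf
}
```

Do this before the first synchronization where possible: changing a UPN after the object is in the tenant also changes the cloud sign-in name, and users with cached credentials in Outlook will be prompted again.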

From the Field: DirSync server requirements
- The DirSync server must be joined to a domain within the forest that will be synchronized.
- Never install DirSync on a domain controller.
- The DirSync server should run Windows Server 2008 (x64); the x86 (32-bit) DirSync is no longer supported.
- By default SQL Server 2008 R2 Express is installed, with a 10 GB database limit (approximately 50,000 objects). A full SQL Server option is available.
- When using the full SQL option, ensure that the Enterprise Admin account has "sysadmin" rights on the SQL instance and that the DirSync service account has "public" permissions on the DirSync database.
- Enterprise Administrator credentials are used to install DirSync; they are required only during setup.
- A single/multi-forest appliance (x64) is available, and the Office 365 connector for FIM is available for complex scenarios.

Multi-forest Active Directory

- Multi-forest AD support is available through Microsoft-led deployments.
- The multi-forest DirSync appliance supports multiple disjoint account forests.
- The FIM 2010 Office 365 connector supports complex multi-forest topologies.
- Topology: on-premises identities (ex: Domain\Alice) in several AD forests, synchronized by DirSync on FIM into Windows Azure Active Directory, with federation using ADFS.

Non-AD directories

- Preferred option for directory synchronization with non-AD sources.
- Non-AD support with FIM is available through Microsoft-led deployments.
- The FIM 2010 Office 365 connector supports complex multi-forest topologies.
- Topology: on-premises identities (ex: Domain\Alice) in non-AD (LDAP) directories, synchronized by the Office 365 connector on FIM into Windows Azure Active Directory, with federation using a non-ADFS STS.