Office 365 Identity aka Azure Active Directory

Presentation transcript:

Office 365 Identity aka Azure Active Directory
Brian Arkills: Software Engineer, UW Windows Infrastructure Service Manager, and Associate Troublemaking Officer, UW-IT Identity and Access Management; Microsoft Directory Services MVP 2012-2014
©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

Goals
- Azure Active Directory architecture
- Authentication options
- Provisioning options
- Examine a complex implementation
- Review pitfalls

Azure Active Directory
- AD revised into an Internet-scale, multi-tenant identity service
- Extends AD into the cloud; cloud-based identity
- Connect from any platform and any device
- Connect hundreds of SaaS apps, or your own on-premises apps
[Diagram: Azure AD in the middle, surrounded by SharePoint Online, Exchange Online and Lync Online (each a cloud app with its own service directory), "Your Custom IT App", and on-premises AD. Speaker note: general diagram showing the relationships between AAD and the SO, EO and LO directories, including the public interfaces to each.]

AAD Architecture

Protocols to Connect with AAD

| Protocol | Purpose | Details |
|---|---|---|
| REST/HTTP directory access | Create, read, update and delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0 |
| OAuth 2.0 | Service-to-service authentication; delegated access | JWT token format |
| OpenID Connect | Web application authentication; rich client authentication | JWT token format |
| SAML 2.0 | Federated sign-in | SAML 2.0 token format |
| WS-Federation 1.3 | Federated sign-in | SAML 1.1 token format |
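The rows above say which token format each protocol carries but not what a relying party has to check before it trusts one. The following is an added example, not code from the slides or from Microsoft, showing the minimum checks on a JWT-format bearer token of the kind AAD issues over OAuth 2.0 and OpenID Connect. So that it runs offline, the token is signed with HMAC-SHA256 and a shared secret; a real AAD token is RSA-signed and the verification keys come from the tenant's federation metadata. The tenant id, audience URL and secret are made up; the claim names are standard JWT/AAD names.

```python
"""Added example: the checks a relying party makes before trusting a JWT.
Constructed for offline use: HMAC-SHA256 stands in for AAD's RSA signature,
and the tenant id, audience and secret below are hypothetical."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"                     # stand-in for the issuer's signing key
TENANT = "72f988bf-0000-0000-0000-000000000000"         # hypothetical tenant id
ISSUER = f"https://sts.windows.net/{TENANT}/"           # v1-endpoint issuer form
AUDIENCE = "https://graph.windows.net"                  # the resource this token is for


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Build header.payload.signature the way any JWT issuer does."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, now=None, key: bytes = SECRET) -> dict:
    """Return the claims if every check passes; raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed: expected three dot-separated segments")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Never let the token pick its own algorithm; pin the one we accept.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer (token from another tenant or STS)")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience (token meant for a different resource)")
    if claims.get("tid") != TENANT:
        raise ValueError("tid does not match our tenant")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("not yet valid")
    return claims


def demo() -> dict:
    """Run a good token and three bad ones through the validator."""
    now = 1_700_000_000
    base = {"iss": ISSUER, "aud": AUDIENCE, "tid": TENANT, "nbf": now - 60, "exp": now + 3600}
    good = mint_token({**base, "upn": "user@contoso.com"})
    # Signed with a key we do not trust, e.g. another tenant's STS, but otherwise well-formed.
    forged = mint_token({**base, "upn": "admin@contoso.com"}, key=b"attacker-key")
    # Valid signature, but issued for a different resource.
    other_aud = mint_token({**base, "aud": "https://outlook.office365.com"})
    results = {"good": validate_token(good, now)["upn"]}
    for name, tok, at in [("forged", forged, now), ("expired", good, now + 7200),
                          ("other-audience", other_aud, now)]:
        try:
            validate_token(tok, at)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order matters: signature first, so that no claim is read from an unverified payload, then issuer and tenant, then audience, then the time window. The audience check is the one most often skipped, and skipping it lets a token minted for one service be replayed against another.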

AAD Provisioning Options
- AAD Graph API (RESTful web service)
- Remote PowerShell
- Multiple directory synchronization variants:
  - DirSync: the original appliance
  - FIM Sync: MS provides the FIM connector, you provide the business logic/code
  - AAD Connect: the appliance re-engineered to encompass the scenarios FIM Sync covered
NOTE: the UPN and the object identifier are both important. The UPN is a key parameter; the object ID survives renames and is what federated authentication keys on.
http://technet.microsoft.com/en-us/library/jj573653.aspx has an excellent set of information focused on sync scenarios.
http://technet.microsoft.com/en-us/library/jj151815.aspx is a good starter for PowerShell with AAD.
http://blogs.msdn.com/b/aadgraphteam/ and http://msdn.microsoft.com/library/azure/hh974476.aspx are good starting points for AAD Graph.
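The note above is the crux of every later slide's "Source User ID": the synced cloud user carries an immutable anchor derived from the on-premises object, and federated sign-in matches on that anchor, not on the UPN. The following is an added example, not from the slides or from any Microsoft tool, showing how that anchor is formed and why a rename is harmless to it. It assumes the default DirSync/AAD Connect behaviour of setting the cloud ImmutableId to the base64 encoding of the on-premises objectGUID's 16 bytes; the directory rows and GUID values are constructed.

```python
"""Added example: the ImmutableId (source anchor) survives a UPN rename.
Assumes the default sync rule: ImmutableId = base64(objectGUID bytes).
The export rows and GUIDs below are constructed."""
import base64
import uuid


def immutable_id(object_guid: str) -> str:
    """Base64 of the GUID's raw bytes in the byte order AD stores them (bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode()


def object_guid_from_immutable_id(value: str) -> str:
    """Inverse: recover the on-premises objectGUID from a cloud ImmutableId."""
    return str(uuid.UUID(bytes_le=base64.b64decode(value)))


# Constructed on-premises export of the same user before and after a rename.
BEFORE = [
    {"objectGUID": "f3c0a0f0-1b2c-4d3e-8f90-0123456789ab",
     "userPrincipalName": "jsmith@contoso.com", "mail": "jsmith@contoso.com"},
    {"objectGUID": "0a1b2c3d-4e5f-4a6b-9c8d-fedcba987654",
     "userPrincipalName": "adoe@contoso.com", "mail": "adoe@contoso.com"},
]
AFTER = [
    {"objectGUID": "f3c0a0f0-1b2c-4d3e-8f90-0123456789ab",
     "userPrincipalName": "jane.smith@contoso.com", "mail": "jane.smith@contoso.com"},
    {"objectGUID": "0a1b2c3d-4e5f-4a6b-9c8d-fedcba987654",
     "userPrincipalName": "adoe@contoso.com", "mail": "adoe@contoso.com"},
]


def cloud_view(export):
    """Simulate the synced tenant: objects keyed by ImmutableId, carrying the current UPN."""
    return {immutable_id(u["objectGUID"]): u["userPrincipalName"] for u in export}


def match_after_rename(before, after) -> dict:
    """How many users still match by anchor versus by UPN after the rename."""
    anchors = set(cloud_view(before)) & set(cloud_view(after))
    upns = {u["userPrincipalName"] for u in before} & {u["userPrincipalName"] for u in after}
    return {"matched_by_anchor": len(anchors), "matched_by_upn": len(upns)}


if __name__ == "__main__":
    for u in BEFORE:
        print(u["userPrincipalName"], "->", immutable_id(u["objectGUID"]))
    print(match_after_rename(BEFORE, AFTER))
```

The practical consequence: a rename or domain move changes what the user types at sign-in (the UPN), and if the federation server's claims still emit the old UPN, sign-in breaks even though the anchor still matches. Keep the UPN consistent on both sides and never hand-edit the anchor.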

AAD Authentication Options
- Provision the password in AAD
- Federated authentication
- More complex variations or mixes (e.g. UW)
- Also, there is MFA for Office 365 (powered by Azure MFA), at no cost above existing O365 licenses
NOTE: MOSSIA (the Microsoft Online Services Sign-In Assistant) is needed on older Windows OSes when using a native Office client (thick client).
See http://msdn.microsoft.com/en-us/library/azure/dn383636.aspx and http://blogs.technet.com/b/ad/archive/2014/02/11/mfa-for-office-365-and-mfa-for-azure.aspx for more details and a comparison of MFA for O365 vs. Azure MFA.
See http://www.microsoft.com/en-us/download/details.aspx?id=28971 for more on MOSSIA.

AuthN flow (Passive/Web profile)
[Diagram: User -> customer's identity source (Source ID) -> Azure Active Directory -> Microsoft Online Services. The customer's federation server issues a logon token (SAML 1.1) carrying UPN: user@contoso.com and Source User ID: ABC123; Azure AD exchanges it for an auth token carrying UPN: user@contoso.com and Unique ID: 254729.]

AuthN flow (MEX/Rich Client profile)
[Diagram: same actors and tokens as the passive flow (logon token (SAML 1.1) with UPN: user@contoso.com, Source User ID: ABC123; auth token with UPN: user@contoso.com, Unique ID: 254729), but the rich client discovers the federation endpoint via MEX and drives the WS-Trust exchange itself instead of a browser redirect.]

AuthN Active flow (Outlook/ActiveSync)
[Diagram: the client sends Basic Auth credentials (username/password) to the Microsoft Online service; the service then performs the federated logon on the client's behalf, obtaining the logon token (SAML 1.1) with UPN: user@contoso.com, Source User ID: ABC123 from the customer's identity source and the auth token with UPN: user@contoso.com, Unique ID: 254729 from Azure Active Directory.]

AuthN Regroup/Review
- EO/SO/LO only trust logon tokens issued by AAD
- In the "bouncy slides", the token is issued because AAD trusts ADFS: AAD knew user@upn.com meant your ADFS server
- Some clients/protocols can't do federated authN, so the service does it on behalf of the client. Note: the password is sent over the wire to the service
- You could just as easily not federate, with the password in AAD (the password would always go over the wire then)
- Multiple places to layer additional authN interactions (e.g. MFA or consent). Also multiple places to troubleshoot if things go wrong

UW AuthN: ADFS + Shibboleth
Dueling goals:
- the trusted, well-known web-based login experience of Shibboleth
- a single sign-on experience for Windows domain-joined clients via ADFS
So we did both! AAD trusts ADFS, ADFS trusts Shibboleth.
- If the client arrives at ADFS and has a Windows token: done
- If the client doesn't have a Windows token -> Shibboleth

UW: Example AuthN flow
[Diagram: User -> UW identity source -> Azure Active Directory -> Microsoft Online Services, with two logon tokens (SAML 1.1) in sequence (per the previous slide, Shibboleth to ADFS, then ADFS to AAD): the first carries UPN: user@uw.edu, Source User ID: XYZ987; the second UPN: user@uw.edu, Source User ID: ABC123. The auth token box reuses the earlier slides' example values, UPN: user@contoso.com, Unique ID: 254729.]

UVM AuthN Flow Diagram
[Diagram, with thanks to Greg McKinnon at the University of Vermont. Speaker note: this slide illustrates some of the greater detail behind even the detail shown in the previous slide.]


UW Provisioning: DirSync
- FERPA prevents us from exposing directory data. AAD has no read controls today. We need to filter the directory data that goes to AAD until AAD has more capabilities.
- Considered FIM Sync, but it was overkill.
- Considered the Graph API, but it can't provision the objectID.
- Considered PowerShell, but we know from Live@EDU that it doesn't scale well.
- Used DirSync to filter out groups with sensitive memberships. This means we have ~60k groups not provisioned in AAD.
- Lately, I've been rethinking whether sending the password to AAD is such a bad thing...

Common Pitfalls
- Accepted domains: DirSync drops any UPN, mail or proxyAddresses value that isn't in an accepted domain -> AD cleanup mini-project
- Notification emails go only to the initial global admin
- Number-of-objects sync limit
- SQL vs. WID for ADFS
- Full SQL vs. SQL Express for DirSync
- Tenant user size limit for SharePoint Online
- User retraining: enter the UPN as the username
- ADFS certificate expiration
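The accepted-domains pitfall is cheap to find before the first sync and expensive to discover afterwards, one dropped alias at a time. The following is an added example, not from the slides or from Microsoft's tooling, that audits an export of AD users for UPN, mail and SMTP proxyAddresses values whose suffix is not a verified tenant domain. The user records and the accepted-domain list are constructed; against a real forest you would feed it the output of Get-ADUser -Properties userPrincipalName,mail,proxyAddresses. Non-SMTP proxyAddresses entries (X500:, SIP:) are skipped because the pitfall concerns mail routing values.

```python
"""Added example: pre-sync audit for values DirSync would drop.
The ACCEPTED set and USERS rows are constructed for illustration."""

# Hypothetical verified domains in the tenant (the .onmicrosoft.com one always exists).
ACCEPTED = {"contoso.com", "contoso.onmicrosoft.com"}

# Constructed AD export. contoso.local is the classic non-routable UPN suffix;
# oldbrand.net is a domain never verified in the tenant.
USERS = [
    {"sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@contoso.local",
     "mail": "jsmith@contoso.com",
     "proxyAddresses": ["SMTP:jsmith@contoso.com", "smtp:jsmith@contoso.local",
                        "X500:/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=jsmith"]},
    {"sAMAccountName": "adoe",
     "userPrincipalName": "adoe@contoso.com",
     "mail": "adoe@contoso.com",
     "proxyAddresses": ["SMTP:adoe@contoso.com", "smtp:adoe@contoso.onmicrosoft.com",
                        "SIP:adoe@contoso.com"]},
    {"sAMAccountName": "bwu",
     "userPrincipalName": "bwu@contoso.com",
     "mail": "bwu@oldbrand.net",
     "proxyAddresses": ["SMTP:bwu@contoso.com", "smtp:bwu@oldbrand.net"]},
]


def domain_of(address: str):
    """Lower-cased suffix after the last '@', or None if there is no '@'."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def audit_user(user: dict, accepted=ACCEPTED):
    """Return (attribute, value) pairs that a sync to this tenant would drop."""
    findings = []
    upn = user.get("userPrincipalName")
    if upn and domain_of(upn) not in accepted:
        findings.append(("userPrincipalName", upn))
    mail = user.get("mail")
    if mail and domain_of(mail) not in accepted:
        findings.append(("mail", mail))
    for entry in user.get("proxyAddresses", []):
        prefix, _, addr = entry.partition(":")
        if prefix.upper() != "SMTP":
            continue  # X500:, SIP: and similar are not mail-routing values
        if domain_of(addr) not in accepted:  # also catches malformed entries without '@'
            findings.append(("proxyAddresses", entry))
    return findings


def audit(users, accepted=ACCEPTED) -> dict:
    """Map sAMAccountName -> findings, for users that have any."""
    report = {}
    for u in users:
        findings = audit_user(u, accepted)
        if findings:
            report[u["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        for attr, value in findings:
            print(f"{name}: {attr} = {value}")
```

A UPN finding is the one that needs a decision, not just a fix: the user will sign in with whatever UPN ends up in the tenant, so changing it on-premises is also the "user retraining: enter the UPN as the username" pitfall from the same slide.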

Advanced Pitfalls
- Licensing (slightly outside O365 identity, but you do need to assign users O365 licenses)
- Azure MFA for O365: who? And when?
- HA for ADFS (load balancer)
- ADFS claims transformation language
- DirSync error troubleshooting and navigating Azure AD support
- AAD Premium and the Enterprise Mobility Suite
- Myapps.Microsoft.com, SaaS password vaulting, legal implications ...

The End
Brian Arkills
barkills@uw.edu
@barkills
http://blogs.uw.edu/barkills
http://www.netid.washington.edu
Author of LDAP Directories Explained