3 Advanced Warning: Identity Crisis!!
- The platform is being re-branded “Windows Azure Active Directory”, aka “Windows Azure AD” or just “AAD”.
4 Windows Azure AD vs. Office 365
- Go-to-market names for different packages of functionality (CRM Online and InTune as well!)
- All GTMs share common platform pieces:
  - Directory: “MSO DS”
  - STS: OrgID
- Platform pieces & tools will be branded Windows Azure AD:
  - PowerShell Module for Windows Azure Active Directory
  - Windows Azure Active Directory Sync Tool
  - Windows Azure Active Directory Connector for FIM 2010
5 Windows Azure AD vs. Office 365
(diagram: Exchange Online, SharePoint, Lync, CRM, InTune and cloud apps sitting on Azure AD, with on-prem AD alongside)
6 Provisioning vs Synchronization
- The two are not the same! Synchronization solutions are Provisioning solutions, but not the other way around!
- Provisioning: creation of objects and/or associated resources in a directory or external system.
- Synchronization: Provisioning + long-term consistency/parity of state between source objects and their representation in the external system.
7 Directory Integration Options
- Manual
  - How: create objects in Windows Azure AD via the Admin Portal or Bulk Import
  - Why: low volume of objects to create; no long-term management/consistency required
- Scriptable
  - How: PowerShell cmdlets, GRAPH API
  - Why: need an automated process, but don’t require access to all attributes in the directory; OK to not have full consistency between source and cloud
- Automated
  - How: DirSync, FIM + Connector
  - Why: large volume of objects/churn; require access to all attributes in the directory; require consistency between on-prem & cloud; want Single Sign-On
9 Example of Integration - Scriptable
- PowerShell: New-MsolUser -UserPrincipalName
- GRAPH
10 Example of Integration - Automated (fill in DirSync picture here)
11 Directory Integration in the bigger picture
- Directory Integration is the first half of a larger ecosystem.
- Single Sign-On solutions depend on successful Synchronization of data into the Directory!
12 Architecture and Integration Options
- No Integration
- Directory Data Only
- Directory and Single sign-on (SSO)
(diagram: Contoso customer premises with Active Directory and Active Directory Federation Server 2.0 as IdP; MS Online Directory Sync feeding the Windows Azure Active Directory directory store and provisioning platform; a trust to the Identity Services authentication platform; Admin Portal/PowerShell; and the services Exchange Online, SharePoint Online, Lync Online, CRM Online, InTune and Office 365 Desktop Setup)
13 Why Directory and SSO Integration
- Single place for management: users and groups (including security-enabled groups), passwords, password policies
- Support for Enterprise Single Sign-on
- Support for Hybrid environments for services such as Exchange Online
- Options for Strong Authentication (e.g. smart cards)
14 Architecture Deep Dive
(diagram: Customer Network with AD, AD FS and DirSync (AD MA, MetaVerse, O365 MA); Office 365 Datacenter with AWS FEs, O365 Directory, Microsoft Online ID, Workflow, GRAPH and the services Exchange, Lync, SharePoint, …)
15 Life as a sync’d object
- When an object is created in the cloud, it is “owned in the cloud”: changes can be made via the Portal, PowerShell or in the various cloud services.
- When an object is created by Sync, it is “owned by sync”: changes can only be made in the on-prem directory and then sync to the cloud.
- When an object is created in the cloud but also exists on-prem, Sync will try to Soft-Match the object coming via Sync. Soft-match uses SMTP addresses to “best guess”; if matched, the object becomes “owned by sync”.
16 Life as a sync’d object
- Objects “owned by Sync” can be deleted directly in the cloud! Remove-MsolUser/Contact/Group will allow you to delete an object that is owned by Sync.
- If it still exists on-prem, it will be recreated on the next Sync cycle.
17 Tour as a sync’d object
- The Sync Tool reads data from the on-prem directory source
- The Sync Tool pushes data to the AWS FEs
- An AWS FE tries to create the object in MSODS (if it is a user, OrgID first)
- Workflow evaluates objects and attributes such as User.ProxyAddresses; data validations are performed
- Services read from MSODS and sync into the services; validation required? Done here.
18 Choose your own Sync Adventure
- 3 options for Directory Sync:
  - Single-forest DirSync appliance
  - Multi-forest DirSync appliance
  - Windows Azure Active Directory Connector for FIM 2010 (aka “Multi-Forest”)
- You don’t need to use SSO just because you sync, but you should Sync in order to use SSO
  - Could use PowerShell, but lots of management overhead & not a formally tested scenario
- The Sync solution doesn’t constrain the SSO solution: you can use any Sync solution with ADFS or a non-AD STS (i.e. Shib)
19 Choose your own Sync Adventure
- Single Forest DirSync. When to use: a single AD forest on-prem that contains all data to synchronize to AAD.
- Multi-Forest DirSync. When to use: more than 1 AD forest containing the directory data to synchronize to AAD, and the ADs have “non-overlapping data” (no object in one forest is represented in another forest).
- AAD Connector. When to use: multiple AD forests containing directory data to synchronize to AAD where the directory data “overlaps” (an object is represented in more than one forest); non-AD directory sources*.
20 Choose your own Sync Adventure
- A notable exception to the previous slide. Pattern: consider 2 forests on-prem, 1 Authentication/Logon forest and 1 Exchange/“Resource” forest.
  - “Sync” data from the Exchange forest to the Auth forest, then run single-forest DirSync against the Auth forest.
- This is a common pattern (prescribed by the Exchange product): full migration to Exchange Online, then collapse the Resource forest.
- Sync’ing the necessary core attributes from the Exchange forest to the Auth forest, including SourceAnchor and UserPrincipalName, can negate the need for multi-forest sync altogether.
- Some things are not supported at this time: multiple Exchange Orgs.
21 Core Directory Sync Concepts
- Source of Authority: where changes can be made to an object (either “on-prem” or “cloud”). De-/activating DirSync in the Admin portal transfers the source of authority.
- SourceAnchor: used to uniquely identify objects created in the cloud from the on-prem directory.
  - Critical for the Single Sign-On scenario (ADFS will be configured to generate the SourceAnchor on AuthN; this needs to match the ImmutableID stored in OrgId at user provisioning time).
  - Can’t change after the initial provisioning of the object by Sync; the sync will error out.
22 Core Directory Sync Concepts
- UserPrincipalName: the “sign-in name” for a user.
  - The on-prem UPN needs to match the UPN in the cloud for login to succeed.
  - Once licensed, the user’s UPN won’t change even if it is changed on-prem. Can override using the Set-MsolUserPrincipalName cmdlet.
- Hybrid Service Deployments: some attributes on on-prem objects are updated based on activities in the cloud. Only modify objects that were initially sync’d to the cloud from on-prem.
23 Core Directory Sync Concepts
- We validate (some) data to protect the Core Directory and services:
- UserPrincipalName
  - UPNs must use a verified domain. If not, the UPN value will be auto-constructed (this won’t update local AD): [sAMAccountName]@[moera.onmicrosoft.com]
  - Must contain only supported characters
- User.ProxyAddresses
  - Cannot have duplicate proxy addresses: Sync Error (on license for EXO)
  - All proxy addresses that are not using a verified domain are removed; adding the verified domain later will “re-hydrate” those PAs removed earlier
24 Core Directory Sync Concepts
- Most common sync validation failures:
  - Duplicate proxy addresses
  - Duplicate UPN value
- Errors reported in
- Run the Deployment Readiness Tool!
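The UPN and proxy-address validation on slide 23 and the two most common failures on slide 24, modelled as an added Python example (this is not DirSync’s or the deck’s own code); the verified domains, the tenant MOERA domain and the sample on-prem objects are constructed assumptions:

```python
def validate_user(user, verified_domains, moera_domain):
    """Apply the deck's UPN and proxyAddresses rules to one on-prem object; returns
    (cleaned_copy, warnings) and leaves the on-prem dict itself untouched."""
    warnings, out = [], dict(user)
    domain = user["userPrincipalName"].rpartition("@")[2].lower()
    # UPN must use a verified domain; otherwise the cloud value is auto-constructed
    # as sAMAccountName@<tenant>.onmicrosoft.com (local AD is not updated).
    if domain not in verified_domains:
        out["userPrincipalName"] = f"{user['sAMAccountName']}@{moera_domain}"
        warnings.append(f"UPN {user['userPrincipalName']!r} replaced with {out['userPrincipalName']!r}")
    # Proxy addresses on unverified domains are dropped (they are re-hydrated once
    # the domain is verified and the object syncs again).
    out["proxyAddresses"] = []
    for pa in user.get("proxyAddresses", []):  # entries look like "SMTP:x@y" / "smtp:x@y"
        if pa.split(":", 1)[-1].rpartition("@")[2].lower() in verified_domains:
            out["proxyAddresses"].append(pa)
        else:
            warnings.append(f"proxy address {pa!r} dropped: domain not verified")
    return out, warnings

def find_duplicates(users):
    """Report the two most common sync failures across a batch of cleaned objects:
    duplicate UPN values and duplicate proxy addresses (compared case-insensitively)."""
    seen_upn, seen_pa, errors = {}, {}, []
    for u in users:
        upn = u["userPrincipalName"].lower()
        if upn in seen_upn:
            errors.append(f"duplicate UPN {upn}: {seen_upn[upn]} and {u['sAMAccountName']}")
        seen_upn.setdefault(upn, u["sAMAccountName"])
        for pa in u["proxyAddresses"]:
            key = pa.split(":", 1)[-1].lower()
            if key in seen_pa:
                errors.append(f"duplicate proxy address {key}: {seen_pa[key]} and {u['sAMAccountName']}")
            seen_pa.setdefault(key, u["sAMAccountName"])
    return errors

VERIFIED, MOERA = {"contoso.com"}, "contoso.onmicrosoft.com"  # constructed tenant values
SAMPLE = [  # constructed on-prem objects
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice@contoso.local"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@contoso.local",
     "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:alice@contoso.com"]},
]

def run_sample():
    cleaned = [validate_user(u, VERIFIED, MOERA)[0] for u in SAMPLE]
    return cleaned, find_duplicates(cleaned)
```

Running `run_sample()` rewrites bob’s UPN to the MOERA domain, drops alice’s `contoso.local` alias, and flags the shared `alice@contoso.com` proxy address as the one sync error.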
25 Core Directory Sync Concepts
- Linking/Matching objects during sync:
  - First, check whether an object already exists with the same SourceAnchor value. If it exists, update the existing object.
  - If no object hard-matches, try to soft-match against existing objects (using the SMTP addresses of the on-prem object). If a candidate match exists, stamp the SourceAnchor value on that object for subsequent sync cycles.
  - If no candidate match exists, create a new object.
- DirSync Quota: protects the directory against a malicious “storage DoS”. Default is now 50K for tenants provisioned after 5/1.
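The hard-match, soft-match and create path above (the soft-match behaviour was first introduced on slide 15), together with the quota check, as an added Python example that is not DirSync’s or the deck’s own code; the in-memory cloud directory, the user records and the attribute subset that gets overwritten are constructed assumptions:

```python
DEFAULT_QUOTA = 50_000  # deck: default DirSync quota for tenants provisioned after 5/1

def _smtp(pa):
    # proxyAddresses look like "SMTP:primary@x" / "smtp:alias@x"; compare the address only, case-insensitively
    return pa.split(":", 1)[-1].lower()

def _sync_attrs(o):
    # attributes the on-prem side overwrites on every cycle (illustrative subset, assumed)
    return {k: o[k] for k in ("userPrincipalName", "displayName", "proxyAddresses")}

def match_or_create(cloud, onprem, quota=DEFAULT_QUOTA):
    """Link one on-prem object into `cloud` (a list of dicts) and return (action, cloud_object).
    1. Hard match: a cloud object already carries this SourceAnchor -> update it in place.
    2. Soft match: no anchor hit, but a cloud-owned object (no SourceAnchor yet) shares an
       SMTP address -> stamp the SourceAnchor so the next cycle hard-matches.
    3. Otherwise create a new object, unless that would exceed the DirSync quota."""
    anchor = onprem["sourceAnchor"]
    for obj in cloud:
        if obj.get("sourceAnchor") == anchor:
            obj.update(_sync_attrs(onprem))
            return "hard-match", obj
    onprem_smtp = {_smtp(pa) for pa in onprem["proxyAddresses"]}
    for obj in cloud:
        if obj.get("sourceAnchor"):
            continue  # already owned by sync under another anchor; anchors never change
        if onprem_smtp & {_smtp(pa) for pa in obj["proxyAddresses"]}:
            obj["sourceAnchor"] = anchor  # stamp it for subsequent sync cycles
            obj.update(_sync_attrs(onprem))
            return "soft-match", obj
    if len(cloud) >= quota:
        return "quota-exceeded", None  # protects the directory against a "storage DoS"
    new = {"sourceAnchor": anchor, **_sync_attrs(onprem)}
    cloud.append(new)
    return "create", new

def run_sample():
    # constructed data: one user created in the cloud first, then two on-prem users synced twice
    cloud = [{"userPrincipalName": "alice@contoso.com", "displayName": "Alice",
              "proxyAddresses": ["SMTP:alice@contoso.com"]}]
    alice = {"sourceAnchor": "anchor-alice", "userPrincipalName": "alice@contoso.com",
             "displayName": "Alice A.", "proxyAddresses": ["SMTP:Alice@contoso.com"]}
    bob = {"sourceAnchor": "anchor-bob", "userPrincipalName": "bob@contoso.com",
           "displayName": "Bob", "proxyAddresses": ["SMTP:bob@contoso.com"]}
    first = [match_or_create(cloud, o)[0] for o in (alice, bob)]   # ['soft-match', 'create']
    second = [match_or_create(cloud, o)[0] for o in (alice, bob)]  # ['hard-match', 'hard-match']
    return first, second, cloud

if __name__ == "__main__":
    print(run_sample())
```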
26 Core Directory Sync Concepts
- Throttling Sync:
  - Throughput is “shared” across tenants at the AWS layer (throttled per partition)
  - The DirSync client automatically handles “Error Code 81” and retries
  - Throttling leads to variable sync times
- V1/V2 differences:
  - Some differences in what’s sync’d/not sync’d. Groups without display names aren’t sync’d in v2!
  - Contact the migration team for documentation/list of deltas
27 Recovering deleted objects via Sync
- Will be lighting up the “soft delete” feature in PROD
- Scenario:
  - An on-prem AD Admin accidentally deletes a user object in AD
  - DirSync “propagates the delete” to the cloud
  - The user object is deleted in the cloud (mailbox lost)
  - NOW WHAT?
28 Recovering deleted objects via Sync
- Manual recovery: the admin identifies the object to be recovered
- Via DirSync: when the admin restores the user object in AD (via the W2K8R2 Recycle Bin), the object is automatically recovered by DirSync; the mailbox is recovered, etc.
- “Recovery” is dependent on keeping the same SourceAnchor value! A new SourceAnchor value with the “same attribute values” will not recover the user object in the cloud!
29 Filtering Sync
- 2 kinds of filters customers ask for:
  - Choose which objects get sync’d to the cloud
  - Choose which attributes get sync’d to the cloud
- We support the former; we don’t support the latter
- A Wiki post and UA documentation have been posted to walk customers through this customization
31 Related Content
- Today: OSE 225
- Friday: OSE 331, OSE 333, OSE 334
- Hands-on Labs: OSPILL101 Designing a SharePoint site
- Office at The Microsoft Showcase
- Find Me Later At The Microsoft Showcase, Friday (9-12am)