Presentation is loading. Please wait.

Presentation is loading. Please wait.

Office 365 Identity aka Azure Active Directory

Published byJayson Pritchett Modified over 9 years ago

Similar presentations

Presentation on theme: "Office 365 Identity aka Azure Active Directory"— Presentation transcript:

1 Office 365 Identity aka Azure Active Directory
Brian Arkills Software Engineer, UW Windows Infrastructure Svc Mgr, and Associate Troublemaking Officer  UW-IT, Identity and Access Management Microsoft Directory Services MVP ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

2 Goals Azure Active Directory Architecture Authentication Options
Provisioning Options Examine Complex Implementation Review Pitfalls ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

3 Azure Active Directory
AD revised to Internet-scale multi-tenant identity service Extends AD into cloud; cloud –based identity Connect from any platform, and device Connect hundreds of SaaS apps or your on-premise apps SharePoint Online Cloud App Exchange Online Cloud App Lync Online Azure AD Your Custom IT App General diagram. Shows relationships between AAD, SO AD, EO AD, LO AD. Includes public interfaces to each. AD ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

4 AAD Architecture

5 Protocols to Connect with AAD
Purpose Details REST/HTTP directory access Create, Read, Update, Delete directory objects and relationships Compatible with OData V3 Authenticate with OAuth 2.0 OAuth 2.0 Service to service authentication Delegated access JWT token format Open ID Connect Web application authentication Rich client authentication SAML 2.0 SAML 2.0 token format WS-Federation 1.3 SAML 1.1 token format

6 AAD Provisioning Options
AAD Graph API (RESTful web service) Remote PowerShell Multiple Directory Synchronization variants DirSync: original appliance FIM Sync: MS provides FIM connector, you provide business logic/code AAD Connect: appliance re-engineered to encompass scenarios FIM Sync covered NOTE: the UPN and the object identifier are important. The UPN is a key parameter, the objID survives renames and is what federated authN keys on has an excellent set of info focused around sync scenarios. is a good starter for PowerShell with AAD. & are good starter locations for AAD Graph. ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

7 AAD Authentication Options
Provision password in AAD Federated authentication More complex variations or mixes (e.g. UW) Also there is MFA for Office 365 (powered by Azure MFA), no cost above existing O365 licenses NOTE: MOSSIA is needed for older Windows OSes when using a native Office client (fat client) See & for more details and a comparison of MFA for O365 vs. Azure MFA See for more on MOSSIA ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

8 AuthN flow (Passive/Web profile)
Customer Microsoft Online Services User Source ID Azure Active Directory Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID:

9 AuthN flow (MEX/Rich Client Profile)
Customer Microsoft Online Services User Source ID Azure Active Directory Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID:

10 AuthN Active flow(Outlook/Active Sync)
Customer Microsoft Online Services User Source ID Azure Active Directory Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID: Basic Auth Credentilas Username/Password

11 AuthN Regroup/Review EO/SO/LO only trust logon tokens issued by AAD
In “bouncy slides” token issued b/c AAD trusts ADFS AAD knew meant your ADFS server Some clients/protocols can’t do federated authN, so service does them on behalf of client. Note: pwd sent over wire to service Just as easily could not federate, with pwd in AAD (pwd would always go over wire then) Multiple places to layer additional authN interactions (e.g. MFA or consent). Also multiple places to troubleshoot, if things go wrong

12 UW AuthN: ADFS + Shibboleth
Dueling Goals: trusted, well-known web-based login experience of Shibboleth Single sign-on experience for Windows domain joined clients via ADFS So we did both! AAD trusts ADFS, ADFS trusts Shibboleth. If client arrives at ADFS & has Windows token: done If client doesn’t have Windows token -> Shibboleth

13 Microsoft Online Services
UW: Example AuthN flow UW Microsoft Online Services User Source ID Logon (SAML 1.1) Token Source User ID: XYZ987 Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID:

14 UVM AuthN Flow Diagram With thanks to Greg McKinnon at University of Vermont. This slide illustrates some of the greater detail behind even the detail I’ve shown in the previous slide. ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

15 Duplicate slide: AAD Provisioning Options
AAD Graph API (RESTful web service) Remote PowerShell Multiple Directory Synchronization variants DirSync: original appliance FIM Sync: MS provides FIM connector, you provide business logic/code AAD Sync: appliance re-engineered to encompass scenarios FIM Sync covered NOTE: the UPN and the object identifier are important. The UPN is a key parameter, the objID survives renames and is what federated authN keys on has an excellent set of info focused around sync scenarios. is a good starter for PowerShell with AAD. & are good starter locations for AAD Graph. ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

16 UW Provisioning: DirSync
FERPA prevents us from exposing directory data. AAD has no read controls today. Need to filter out directory data that goes to AAD, until AAD has more capabilities Considered FIM Sync, but overkill. Considered Graph API, but can’t provision objectID. Considered PS, but know from that doesn’t scale well Used DirSync to filter out groups with sensitive memberships. This means we have ~60k groups not provisioned in AAD.  Lately, I’ve been rethinking whether sending pwd to AAD is such a bad thing …

17 Common Pitfalls Accepted domains--DirSync drops any UPN, mail or proxyAddresses value that isn't an accepted domain -> AD cleanup mini-project Notification s only to initial global admin Number of object sync limit SQL vs. WID for ADFS Full SQL vs. SQL Express for DirSync Tenant user size limit for SO User retraining: enter the UPN in username ADFS certificate expiration

18 Advanced Pitfalls Licensing (slightly outside O365 Identity, but you do need to assign users O365 licenses) Azure MFA for O365—who? And when? HA for ADFS (load balancer) ADFS Claims Transformation Language DirSync error troubleshooting & navigating Azure AD support AAD Premium & Enterprise Mobility Suite Myapps.Microsoft.com, SaaS password vaulting, legal implications …

19 The End Brian Arkills barkills@uw.edu @barkills
Author of LDAP Directories Explained ©2006 University of Washington. All rights reserved. This presentation is for informational purposes only. The University of Washington makes no warranties, express or implied, in this summary.

Download ppt "Office 365 Identity aka Azure Active Directory"

Similar presentations

Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Office 365 Identity Federation Technology Deep-Dive

Office 365 Identity Federation Technology Deep-Dive
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Azure AD & Office 365 1. Logon with Username / Password 2. MFA challenge 3. Reply to MFA challenge -1-way or 2-way SMS -Phone call -Mobile Application.

Azure AD & Office Logon with Username / Password 2. MFA challenge 3. Reply to MFA challenge -1-way or 2-way SMS -Phone call -Mobile Application.
Integration: Office 365 Brian Arkills Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer Identity and Access Management, UW-IT.

Integration: Office 365 Brian Arkills Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer Identity and Access Management, UW-IT.
RequirementsDeployment Options 2 3 Dirsync Overview 1 Understanding Synchronization 4.

RequirementsDeployment Options 2 3 Dirsync Overview 1 Understanding Synchronization 4.
Identity management integration options for Office 365

Identity management integration options for Office 365
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
Microsoft Ignite /16/2017 4:55 PM

Microsoft Ignite /16/2017 4:55 PM
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Active Directory Integration with Microsoft Office 365

Active Directory Integration with Microsoft Office 365
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Active Directory Integration with Microsoft Office 365 Ross Adams & Jono Luk Program Managers Microsoft Corporation OSP321.

Active Directory Integration with Microsoft Office 365 Ross Adams & Jono Luk Program Managers Microsoft Corporation OSP321.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
User Microsoft Account Ex: User Organizational Account Ex: Microsoft Account Windows Azure Active Directory.

User Microsoft Account Ex: User Organizational Account Ex: Microsoft Account Windows Azure Active Directory.
Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.

Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.
ARC312. Security Policy Governance Audit Reporting Analysis Data Quality Directory Logon Mobility Provisioning Development Access Control Authentication.

ARC312. Security Policy Governance Audit Reporting Analysis Data Quality Directory Logon Mobility Provisioning Development Access Control Authentication.
OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Similar presentations

Ads by Google