Download presentation
Published byJewel Rodgers Modified over 9 years ago
1
Active Directory Integration with Microsoft Office 365
4/19/2017 4:19 AM OSP321 Active Directory Integration with Microsoft Office 365 Ross Adams Senior Program Manager Microsoft Corporation © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Session Objectives Architecture for Office 365 and other services
Integration Options Planning for Directory Integration Single Sign on Experience How Single sign on works Options for strong authentication
3
Windows Azure Active Directory
Password policy controls for Cloud Accounts Password never expire Password complexity can be turned off Custom password policies for expiry/notification Single sign On with corporate credentials Role-based administration: Five administration roles Company Admin Billing Admin User Account Admin Help Desk Admin Service Support Admin
4
Windows Azure Active Directory Provisioning
Manual Simple Web based user interface Bulk import of user Best for small customers Scriptable PowerShell module for windows Programmable New REST based API Limited attribute set/object types Automated Directory Synchronization with delta Full fidelity of attributes and object types Optimized for large object sets
5
Architecture and Integration Options
No Integration Directory Data Only Directory and Single sign-on (SSO) Exchange Online Windows Azure Active Directory Authentication platform SharePoint Online Contoso customer premises Trust Active Directory Federation Server 2.0 Admin Portal/ PowerShell IdP Lync Online IdP Directory Store AD MS Online Directory Sync Provisioning platform Office Subscription Services Office 365 Desktop Setup
6
Why Directory and SSO Integration
Single place for management User and groups including security groups Passwords Password policies Support for Enterprise Single Sign on Support for Hybrid environments for services such as Exchange Online Options for Strong Authentication (e.g. Smart cards)
7
Integration Comparison
1. No Integration 2. Directory Only 3. Directory and SSO Appropriate for Smaller orgs without AD on-premises Pros No servers required on-premises Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies IDs mastered in the cloud Appropriate for Medium/Large orgs with AD on-premises Pros Users and groups mastered on-premises Enables co-existence scenarios Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies Single server deployment Appropriate for Larger enterprise orgs with AD on-premises Pros SSO with corporate cred IDs mastered on-premises Password policy controlled on-premises 2FA solutions possible Enables hybrid scenarios Location isolation Cons High availability server deployments required
8
General Integration Requirements
Active Directory Forest Functionality level 2003 Windows 2008 for AD FS 2.0 and SSO Windows 2003 or above for Directory Synchronization Depreciated 32 Bit (Windows 2003) Recommended 64 Bit (Windows 2008 and above) Support Virtualization Single Forest Multiple domains in a single the forest Multi forest support through premier engagement
9
Preparing for Directory integration and SSO
Design for a high availability of AD FS 2.0 services Every User must have a UPN UPN suffix must match a validated domain in Office 365 UPN Character restrictions Only certain characters allows: Letters, numbers and .-_!#^~ No dot symbol (for example is allowed but isn’t) Users need use UPN to logon to Office 365 Apps Office 365 Deployment Readiness Tool checks all of these and more
10
Directory Integration Validations
Licensed Users All Proxy Address (SMTP/SIP) must be against a verified domain Addresses dropped during licensing UPN not updated automatically for Cloud ID based Users Must be updated manually Will update automatically when domain is converted to Single Sign on Unlicensed Users SMTP Proxy Address can be against non-verified domains SIP Address must match a verified domain Drop if not valid Verifying after Sync will add the removed proxy address back Background process
11
Directory Sync Setup Options
1 Way Sync from AD to Cloud Provisions users, DLs, Security Groups and contacts Can move to 2 Way Sync later on-premises master for all objects and properties 2 Way Sync from AD to Cloud and Cloud to AD Required for Hybrid Deployments e.g. co-existence with Exchange online and Exchange on-premises Cannot move back to 1 way sync Cloud becomes master for certain properties (safe senders, mail co-existence, UM)
12
Directory Sync configuration options
Sync’s all objects with some exceptions Does not Default accounts (Administrator etc) Does not sync System Objects Directory Sync can be turned off but takes time Options that can’t be changed Scoping the attribute set Sync timeframe is every 3 hours
13
Sign in Experience for Single Sign On Rich/Web clients
Rich clients applications with Microsoft Online Sign In Assistant. Lync Online, Office Subscriptions, CRM Online Integrated experience on a domain joined PC on the corporate network Client connects directly to AD FS 2.0 server or proxy Web based applications SharePoint Online, OWA, Office Rich Applications (Word, PowerPoint etc) Prompts for username for realm discovery Can be bypassed “Keep me signed in”, still required to authenticate to AD FS. Integrated auth to AD FS on domain joined PC on the corporate network Smart links can help with username prompt for example
14
Sign in Experience for Single Sign On Exchange Online
Outlook/IMAP/Active Sync/Entourage Often refereed to Exchange Proxy authentication Basic credentials relayed through Exchange to AD FS proxy active end point Prompts for both username and password but can be saved Support for rules to control access based on Client IP/Device type/Exchange Endpoint filtering
15
Sign On Experience with SSO
Rich Applications (SIA) Lync Online Office Subscriptions CRM Rich Client Can save credentials Web Clients Office 2010, Office 2007 SP2 with SharePoint Online Outlook Web Application Remember last user Exchange Clients Office 2010, Office 2007 SP2 Active Sync/POP/IMAP Entourage Can save credentials Username and Password MS Online IDs Username and Password Username and Password Online ID Online ID Online ID SSO IDs (non-domain joined) Username and Password Username and Password Username and Password AD credentials AD credentials AD credentials SSO IDs (domain joined) No Prompt Username Username and Password AD credentials AD credentials AD credentials
16
Identity Integration/SSO Details
MS Online business scenarios always use WS-* WS-Federation for passive clients WS-Trust provides support for rich client authentication Identity federation supported through AD FS 2.0 SAML 1.1 Token Issuer URI : Used to locate the domain for certificate verifcation User Source Address : Unique, never changing identifier of the user UserPrincipalName (UPN) : Name the user uses to logon
17
Client to End Points usage
18
Client Access Filtering
Enabled through client issuance rules in AD FS 2.0 Targeted at blocking external access scenarios for Outlook Block all external access Allow external access for specific mail clients (Active Sync, POP/IMAP) Allow external access to web applications (OWA, SharePoint) Requires ADFS Proxy Allow external access for specific groups of users No granularity on limiting Lync Online/Office Subscription services externally i.e. any rule above blocks access 3rd Party Proxies are required additional work see
19
Identity Federation Authentication flow (Passive/Web profile)
Customer Microsoft Online Services User Source ID Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID:
20
Identity Federation Authentication flow (MEX/Rich Client Profile)
Customer Microsoft Online Services User Source ID Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID:
21
Identity Federation Active flow (Outlook/Active Sync) Always external
Customer Microsoft Online Services User Source ID Logon (SAML 1.1) Token Source User ID: ABC123 Auth Token Unique ID: Basic Auth Credentilas Username/Password
22
Single Forest AD Structures and Considerations
Description Considerations Matching domains Internal Domain and External domain are the same i.e. contoso.com No special requirements Sub domain Internal domains is a sub domain of the external domain i.e. corp.contoso.com Requires Domains registered in order, primary then sub domains .local domain Internal domain is not publicly “registered” i.e. contoso.local Domain ownership can’t be proved, must use a different domain Requires all users to get new UPN Use SMTP address if possible Smart Card issues Multiple distinct UPN suffixes in single forest Mix of users having login UPNs under different domains i.e. contoso.com & fabrikam.com Must use SupportMultipleDomain switch in PowerShell Sub domains require additional work Multi Forest Multiple AD Forest Premier engagement
23
Strong authentication approaches
Focuses on Strong authentication (e.g. Smart cards) for extranet access Two approaches possible Only provide strong auth for web applications (e.g. OWA, SPO) by configuring/customizing AD FS 2.0 proxy Rich clients cannot be supported Use VPN to internal network as the gate to require 2FA access when connecting from outside the internal network Will work for rich clients as well
24
Web applications only Configure AD FS 2.0 proxy for smartcard access using in-box support Customize AD FS 2.0 proxy with 3rd party 2FA solutions Use IIS HTTP module from 2FA provider to intercept & authenticate 2FA prior to providing AD username/pwd at forms login page in AD FS 2.0 proxy (RSA Example here) Customize AD FS 2.0 forms login page to add 2FA credential collection and authenticate to 2FA service via code behind No support for Rich clients
25
Authentication platform
Web Applications only INTRANET DMZ Other 2FA Access Smartcard Access AD DS Windows Azure Active Directory Authentication platform Redirect to Authentication platform Redirect to IdP AD FS AD FS Proxy Provide AD/Smartcard credentials Types User Name 2FA module Redirect Back Generate SAML token for authentication platform Authenticate 2FA response Redirect to Proxy Access Application 2FA Service Redirect to Strong auth provider Present ticket to Application Authenticate 2FA Present strong credentials Install 3rd party auth provider ADFS proxy No support for rich client apps
26
Strong Auth VPN to internal network
Configure extranet access to always require VPN access Integrate 2FA with VPN provider Allow Internal Outlook traffic to authenticate with Client Access Policies and AD FS 2.0 Optionally allow EAS traffic to authenticate via AD FS 2.0 proxy & Client Access Policy Support for Rich Clients
27
2FA – Web Applications only
Allow internal Outlook via ADFS proxy INTRANET DMZ Strong Auth VPN to internal network AD DS Windows Azure Active Directory Authentication platform AD FS AD FS Proxy Send Creds to Exchange Proxy Auth Disable passive pages on proxy Evaluate Client Access Rules, issue SAML Token Send AuthN request to ADFS 2FA Service Authenticate 2FA VPN Send Creds to Exchange Proxy Auth Connect to internal network Connect to VPN Provide 2FA creds
28
Questions
29
OSP Related Content Code Title Schedule OSP221
Microsoft Office 365 for Enterprises 6/26/ :30 OSP222 Empowering Small Businesses: Microsoft Office 365 P-Suite 6/27/ :15 OSP305 The Modern Compatibility Process to Accelerate Microsoft Office Deployment 6/27/ :00 OSP224 Microsoft Office 365 Management and Deployment 6/27/ :00 OSP321 Active Directory Integration with Microsoft Office 365 6/28/ :30 OSP303 Supporting Microsoft Office in an Enterprise Environment 6/28/ :00 OSP302 Building Integrated Microsoft Office 365, SharePoint Online, and Office Solutions Using BCS and LOB Data 6/28/ :45 OSP340 Office Deployment – Notes from the Field 6/28/ :30 OSP323 Microsoft Office 365 Security, Privacy, and Trust 6/29/ :30 OSP324 Microsoft Office 365 Service Reliability and Disaster Recovery 6/29/ :15 OSP350 Office 365 – evaluating, Deploying & Migrating – Notes from the field 6/29/ :00 OSP223 Microsoft Office 365 for Education 6/29/ :45
30
Related Resources Office 365 TechCenter: technet.microsoft.com/Office365 Office Client TechCenter: technet.microsoft.com/office Office, Office 365 and SharePoint Demo Area Includes: Office 365 IT Pro Command Center Office 365 Data Center Exhibit
31
Resources Learning TechNet http://europe.msteched.com
Connect. Share. Discuss. Microsoft Certification & Training Resources TechNet Resources for IT Professionals Resources for Developers
32
Submit your evals online
4/19/2017 4:19 AM Evaluations Submit your evals online © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
33
4/19/2017 4:19 AM © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
34
4/19/2017 4:19 AM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.