Brian Desmond - Identity and directory synchronization with office 365 and windows azure active...

Post on 11-Nov-2014

Identity and Directory Synchronization in Office 365 and Azure AD

Brian Desmond

Intro
• Chicago based
• Active Directory & Identity consultant
  – Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O’Reilly
  – You should own a copy!

e-mail: brian.desmond@edgile.com
e-mail: brian@briandesmond.com
website & blog: www.briandesmond.com
@brdesmond

Agenda
• Identity Management in the Cloud
• Directory Synchronization with DirSync
• Federated Identity with Active Directory Federation Services

IDENTITY IN OFFICE 365

Identity Options
• Identities can be mastered in
  – Office 365
  – Active Directory
• Single Sign On (SSO) is optional
  – Keeps passwords out of Office 365
  – Greatly improves the end user experience
• DirSync and ADFS may be required to meet your goals

Mastering Identities in Office 365
• Separate Microsoft Online ID for each user
• Separate passwords stored in the cloud
• Very easy to deploy
• Support costs may be higher with differing passwords and password policies
• Manage your users with PowerShell or the Online Services administration center

Mastering Identities in Active Directory
• Two options
  – Separate Microsoft Online ID for each user
  – Federated identities
• Requires Windows Azure Active Directory Directory Synchronization (DirSync) for either option
  – Sync Active Directory data to the cloud
  – Passwords can be synchronized
• Without federation or password sync, users still maintain a separate password in the cloud
• Enables rich coexistence scenarios

Federated Identity
• Users are authenticated via the on-premises ADFS environment
• DirSync sends objects and key attributes to the cloud
• Password is always maintained (and only exists) on-premises
• Requires additional infrastructure for ADFS
  – Access to any Office 365 service requires ADFS to be available!

Identity Architecture Comparison

Microsoft Online IDs
• Pros
  – No servers required
  – Simple setup
• Cons
  – Separate user accounts and password policies
  – Potentially higher support costs

Microsoft Online IDs with DirSync
• Pros
  – Coexistence possible
  – Provisioning / deprovisioning performed on-premises
• Cons
  – Requires additional servers
  – Separate user accounts and password policies
  – Potentially higher support costs

Federated IDs with DirSync
• Pros
  – Coexistence possible
  – Provisioning / deprovisioning performed on-premises
  – Passwords managed on-premises
  – Two-factor authentication possible
• Cons
  – Requires additional servers
  – Complex to implement and manage

DIRSYNC – WINDOWS AZURE ACTIVE DIRECTORY DIRECTORY SYNCHRONIZATION

What Does DirSync Enable?
• Enables identity and application coexistence
  – Identities are managed on-premises
  – Copies users, groups, and contacts into Office 365
  – Enables easy identity federation
  – Enables application coexistence
    • On-premises Microsoft Exchange and Microsoft Lync services work with their corresponding cloud services
    • Lync IM and presence works between on-premises and cloud users; on-premises mail routes to the cloud (and the cloud routes back to on-premises)
  – Enables rich coexistence features in Exchange, including write-back to the on-premises directory
• Populates the Windows Azure Active Directory service
  – Can be used with other Microsoft cloud services, and for federation with third party cloud services and applications

What’s Under the Hood?
• Shrink-wrapped appliance version of Forefront Identity Manager (FIM)
  – Frequent updates
  – http://social.technet.microsoft.com/wiki/contents/articles/18429.windows-azure-active-directory-sync-tool-version-release-history.aspx
• Appliance is preconfigured to synchronize everything in your AD with Office 365
  – Passwords are not synchronized to Azure AD by default
• There are very few settings which can be configured in DirSync (in a supported manner)

DirSync Challenges
• The native DirSync appliance does not support a number of potential customer scenarios
  – Multi-forest Active Directory topologies
  – Authoritative data sources other than Active Directory
• A custom FIM deployment with the Azure AD connector can be built to address these scenarios
  – Requires deep subject matter expertise in FIM
  – FIM deployment now has a dependency on changes and upgrade requirements for Azure
• Many common Active Directory data errors will cause directory synchronization errors
  – Use the IdFix toolset to identify and correct data: http://www.microsoft.com/en-us/download/details.aspx?id=36832
• Tenants that require more than 100,000 synchronized objects must contact Microsoft support to have their tenant limit raised
  – This can take some time – plan in advance

User Principal Names
• Users will log in to Office 365 with their UPN
  – Ideally this matches the user’s primary email address
• The UPN suffix must be a routable domain that you can prove ownership of
  – No .local domains
  – No domains that you don’t own
• Multiple UPN suffixes are acceptable
• You may need to re-assign or scrub UPNs in your forest
  – Communicate the UPN to your users if it doesn’t match their email address
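The UPN and data-cleanup points above (and the IdFix advice in the previous slide), as an added example that is not part of the presentation: a readiness pass over the attributes Office 365 is strictest about, written against the RSAT ActiveDirectory module. The search base, the target suffix and the non-routable suffix pattern are assumptions; replace them with your own. IdFix remains the supported tool; this only shows what the checks consist of and how to re-assign UPNs safely.

```powershell
# Added example (not part of the presentation): pre-DirSync hygiene pass over
# UPN suffix, mail and proxyAddresses. Needs the ActiveDirectory module and
# PowerShell 3.0+. $SearchBase, $TargetSuffix and the .local/.internal/.lan
# pattern are assumptions.
Import-Module ActiveDirectory

function New-Finding ([string]$User, [string]$Issue, [string]$Value) {
    [pscustomobject]@{ User = $User; Issue = $Issue; Value = $Value }
}

function Test-DirSyncReadiness {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase   = 'OU=Users,DC=corp,DC=contoso,DC=local',  # assumed OU
        [string]$TargetSuffix = 'contoso.com',                           # assumed verified Office 365 domain
        [switch]$FixUpn                                                  # rewrite UPN to the mail address where safe
    )

    $forest = Get-ADForest
    # A UPN may only carry a domain DNS name of the forest or an explicitly registered suffix.
    # Register one with: Set-ADForest -Identity $forest -UPNSuffixes @{Add = $TargetSuffix}
    $allowed = @($forest.Domains) + @($forest.UPNSuffixes)
    if ($allowed -notcontains $TargetSuffix) {
        throw "$TargetSuffix is not a registered UPN suffix in forest $($forest.Name)"
    }

    # Enabled users only (userAccountControl bit 2 = ACCOUNTDISABLE)
    $users = Get-ADUser -SearchBase $SearchBase `
                        -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' `
                        -Properties mail, proxyAddresses, userPrincipalName

    $findings = @(foreach ($u in $users) {
        $upn    = $u.UserPrincipalName
        $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[-1] } else { $null }

        if (-not $suffix) {
            New-Finding $u.SamAccountName 'UPN missing or has no suffix' $upn
        } elseif ($suffix -match '\.(local|internal|lan)$') {
            New-Finding $u.SamAccountName 'Non-routable UPN suffix' $upn
        } elseif ($allowed -notcontains $suffix) {
            New-Finding $u.SamAccountName 'UPN suffix not registered in forest' $upn
        }
        # Conservative character set; anything outside it is rejected at sync time
        if ($upn -and $upn -match '[^A-Za-z0-9.@_\-]') {
            New-Finding $u.SamAccountName 'Invalid character in UPN' $upn
        }
        if ($u.mail -and $upn -and ($u.mail -ne $upn)) {
            New-Finding $u.SamAccountName 'mail differs from UPN (users sign in with the UPN)' $u.mail
        }
    })

    # proxyAddresses must be unique across the tenant; a clash blocks both objects
    $dupes = $users | ForEach-Object { $_.proxyAddresses } |
             Group-Object -Property { $_.ToLower() } | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) {
        $owners = ($users | Where-Object { $_.proxyAddresses -contains $d.Group[0] } |
                   Select-Object -ExpandProperty SamAccountName) -join ', '
        $findings += New-Finding $owners 'Duplicate proxyAddress' $d.Name
    }

    if ($FixUpn) {
        foreach ($u in $users) {
            $mail = $u.mail
            # Only move a UPN onto the verified suffix, and only to a value that will pass the checks above
            if ($mail -and $mail.EndsWith("@$TargetSuffix", 'OrdinalIgnoreCase') -and
                $mail -notmatch '[^A-Za-z0-9.@_\-]' -and $u.UserPrincipalName -ne $mail) {
                if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $mail")) {
                    Set-ADUser -Identity $u -UserPrincipalName $mail
                }
            }
        }
    }
    return $findings
}

# Usage:
#   Test-DirSyncReadiness | Sort-Object Issue | Format-Table -AutoSize   # report only
#   Test-DirSyncReadiness -FixUpn -WhatIf                                 # dry run of the UPN rewrite
#   Test-DirSyncReadiness -FixUpn                                         # apply it
```

Run the report first and communicate the new UPNs to affected users before running the rewrite: after `-FixUpn` they sign in to Office 365 (and to anything else that uses the UPN) with the new value.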

IdFix Toolset

Server Requirements
• Windows Server 2008 R2 or Windows Server 2012
• Domain joined
  – Cannot be a domain controller
• SQL Server Express Edition
  – 50,000 or more objects requires a full SQL Server installation
  – SQL Server 2008 R2 or better is supported
• Virtually no advantage to increasing CPU count
  – The FIM Synchronization Service is a single-threaded application
  – Memory and disk I/O will improve sync performance if you have a large environment
• DirSync appliance could be installed on an Azure virtual machine
  – Configure a point-to-site virtual network VPN in Windows Azure

DirSync Installation Prerequisites
• Enterprise Administrator level Active Directory permissions are needed to run setup
• Setup will perform a number of tasks
  – Create a service account for DirSync in the forest root domain
  – Delegate the service account permission to use the DirSync LDAP control in Active Directory (the Replicating Directory Changes right)
  – Optionally delegate the service account access to write-back attributes
• Once setup is complete, elevated privileges are no longer necessary

DirSync On-Premises Active Directory Changes (Exchange full fidelity feature → attribute written back on-premises)
• Filtering coexistence: provides on-premises filtering with cloud-sourced safe/blocked sender data → SafeSendersHash, BlockedSendersHash, SafeRecipientHash
• Online Archive mailbox in the cloud → msExchArchiveStatus
• Move mailboxes back and forth between cloud and on-premises; Outlook auto-complete and calendaring fidelity → proxyAddresses (adds the cloud LegacyExchangeDN value)
• Enable cloud-based Unified Messaging (voicemail) with an on-premises Lync deployment → msExchUCVoiceMailSettings
• Cross-premises mailbox delegation → publicDelegates
• Cross-premises litigation hold management → msExchUserHoldPolicies

DirSync Installation

Password Synchronization
• DirSync was updated in June 2013 to support synchronization of password hashes to the cloud
  – Synchronizes passwords for all users in scope of DirSync
  – A hash of the on-premises Active Directory password hash is sent to the cloud; neither the clear-text password nor the raw AD hash leaves the forest
• Password changes are synchronized to the cloud every two minutes
• The Office 365 Change Password button is hidden for users that have a synchronized password
  – The user is also configured such that their cloud password never expires

Common DirSync Tweaks
• Run DirSync manually
  – %ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  – Start-OnlineCoexistenceSync
• Filter objects in specific organizational units or domains
  – Modify container selection in the “Active Directory Connector” management agent
• Filter objects based on an attribute in AD
  – Create a connector filter in the “Active Directory Connector” management agent
• If you make an error and erroneously filter objects, they will be deleted from Office 365
  – Deletes are “soft” and objects can be recovered for thirty days
• The management agents are edited in the Synchronization Service Manager (miisclient.exe):
  C:\Program Files\Windows Azure Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
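The filter-mistake scenario on this slide, as an added example that is not part of the presentation: a guard rail to wrap around a container or connector filter change. It snapshots the set of directory-synced users, runs a full sync with the DirSync cmdlet, and afterwards lists the users the new scope soft-deleted, optionally restoring them from the recycle bin. It assumes the MSOnline module and the DirSync snap-in (Coexistence-Configuration) on the same machine; the snapshot path is an assumption.

```powershell
# Added example (not part of the presentation): guard rail around a DirSync filter change.
# Assumes the MSOnline module and the DirSync snap-in are installed locally;
# $SnapshotPath is an assumption.
Import-Module MSOnline
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop   # provides Start-OnlineCoexistenceSync

$SnapshotPath = Join-Path $env:TEMP 'synced-users-before-filter-change.txt'   # assumed location

function Get-SyncedUserUpn {
    # Only directory-synced accounts are at risk: DirSync never deletes cloud-only accounts
    Get-MsolUser -All | Where-Object { $_.LastDirSyncTime } |
        Select-Object -ExpandProperty UserPrincipalName
}

function Save-SyncedUserSnapshot {
    Connect-MsolService                         # prompts for tenant admin credentials
    Get-SyncedUserUpn | Set-Content -Path $SnapshotPath
    "Saved $(@(Get-Content -Path $SnapshotPath).Count) synced UPNs to $SnapshotPath"
}

function Start-FullSync {
    # Run after editing the management agent in miisclient.exe. A full sync re-evaluates the
    # new scope for every object, not only for objects that changed in AD since the last run.
    # The call returns immediately: watch the run finish in Synchronization Service Manager
    # before calling Find-UnintendedDelete.
    Start-OnlineCoexistenceSync -FullSync
}

function Find-UnintendedDelete {
    param([switch]$Restore)
    $before  = @(Get-Content -Path $SnapshotPath)
    $after   = @(Get-SyncedUserUpn)
    $missing = $before | Where-Object { $after -notcontains $_ }

    # Deletes are soft: the object sits in the recycle bin for 30 days and can be restored
    $recycleBin = Get-MsolUser -ReturnDeletedUsers -All
    foreach ($upn in $missing) {
        $gone = $recycleBin | Where-Object { $_.UserPrincipalName -eq $upn }
        if ($gone) {
            if ($Restore) {
                # Restoring in the cloud only helps once the on-premises filter is corrected;
                # otherwise the next sync deletes the object again. Fix the filter first.
                Restore-MsolUser -UserPrincipalName $upn -AutoReconcileProxyConflicts
            }
            [pscustomobject]@{ UserPrincipalName = $upn; State = 'SoftDeleted'; Restored = [bool]$Restore }
        } else {
            [pscustomobject]@{ UserPrincipalName = $upn; State = 'NotInRecycleBin (older than 30 days)'; Restored = $false }
        }
    }
}

# Usage, in order:
#   Save-SyncedUserSnapshot          # before touching the management agent
#   Start-FullSync                   # after the filter change; wait for the run to finish
#   Find-UnintendedDelete            # report only
#   Find-UnintendedDelete -Restore   # after correcting the filter on-premises
```

`-AutoReconcileProxyConflicts` matters when a replacement account has meanwhile taken one of the deleted user's addresses; without it the restore fails on the conflict rather than renaming the address.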

Container Selection in DirSync

Configuring a Connector Filter

Troubleshooting Bad Data

FEDERATED AUTHENTICATION

Application Authentication Before Federation
• Standalone credential stores
• Integrated with Active Directory via LDAP
  – Forms based pages
  – Custom code
• Windows Integrated Authentication
  – NTLM
  – Kerberos
• How do we extend these options into the cloud?

What is Federation?
• Standardized (sort of) mechanism to assert identity across boundaries
• Works great with web applications – all HTTP(S)
• No Active Directory trusts required
• No Kerberos or NTLM involved between parties
• You take a federation token to the relying party and present it to access the application

Federation Buzzwords: Tokens and Claims
• How do I use/make/get tokens?
  – An STS: security token service
    • Transforms one set of claims to another, issues tokens with claims
    • aka Identity Provider (IdP) / Claims Provider / Claims Transformer / Federation Provider (FP)
• What is a token?
  – Proof of identity for a given user
  – Contains a set of claims about the user
• What is a claim?
  – An assertion made by the STS about its users
  – Used to make authorization & personalization decisions
• Who & what supports them?
  – A “claims-aware application”

What’s a Claim?
• Attribute value pairs
  – Role : “Marketing” – “I am a member of the Marketing group”
  – Email : “brian@briandesmond.com” – “My email address is …”
  – HomeTown : “Chicago” – “I am from Chicago.”
• Populated using information from
  – Active Directory
  – AD Lightweight Directory Service (AD LDS)
  – SQL database
  – Custom source
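The three claims above, produced from Active Directory the way the two previous slides describe (the STS transforms what it knows about the user into claims for a relying party), as an added example that is not part of the presentation. It uses the ADFS 2.x PowerShell snap-in and the claim rule language ADFS uses internally. The relying party name, identifier and endpoint, the "Marketing" group, and the custom hometown claim type are assumptions; the email, role, account-name and group-SID claim type URIs are the standard ones.

```powershell
# Added example (not part of the presentation): ADFS 2.x claim rules that issue
# Email, HomeTown and Role claims from Active Directory for a relying party.
# Run on an ADFS 2.x server with RSAT. $RpName, $RpIdentifier, $RpEndpoint,
# the 'Marketing' group and $hometownType are assumptions.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
Import-Module ActiveDirectory

$RpName       = 'Contoso Intranet Portal'        # assumed relying party
$RpIdentifier = 'urn:contoso:intranet'           # assumed
$RpEndpoint   = 'https://intranet.contoso.com/'  # assumed WS-Federation endpoint
$marketingSid = (Get-ADGroup -Identity 'Marketing').SID.Value   # resolve it; never hard-code a SID

$emailType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$roleType     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$hometownType = 'http://schemas.contoso.com/claims/hometown'    # assumed custom claim type
$accountType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

# Claim rule language: "c:[...]" matches an incoming claim, "=> issue(...)" emits outgoing ones.
# The first two rules query the Active Directory attribute store for the authenticated user
# (mail and the city attribute "l"); the third maps a group SID the user already carries
# after Windows authentication to a Role claim.
$transformRules = @"
@RuleName = "Email from AD mail attribute"
c:[Type == "$accountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType"), query = ";mail;{0}", param = c.Value);

@RuleName = "HomeTown from AD city (l) attribute"
c:[Type == "$accountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$hometownType"), query = ";l;{0}", param = c.Value);

@RuleName = "Role: Marketing from group membership"
c:[Type == "$groupSidType", Value == "$marketingSid"]
 => issue(Type = "$roleType", Value = "Marketing");
"@

# Without an issuance authorization rule ADFS issues no token at all
$authorizationRules = @"
@RuleName = "Permit all authenticated users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

if (Get-ADFSRelyingPartyTrust -Name $RpName) {
    Set-ADFSRelyingPartyTrust -TargetName $RpName `
                              -IssuanceTransformRules $transformRules `
                              -IssuanceAuthorizationRules $authorizationRules
} else {
    Add-ADFSRelyingPartyTrust -Name $RpName -Identifier $RpIdentifier -WSFedEndpoint $RpEndpoint `
                              -IssuanceTransformRules $transformRules `
                              -IssuanceAuthorizationRules $authorizationRules
}

# Show what ADFS stored for the trust
(Get-ADFSRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Matching on the group SID rather than the group name is deliberate: the SID is stable across renames and cannot be spoofed by creating a same-named group elsewhere. The Office 365 relying party trust gets its own rules from the federation setup cmdlets; do not hand-edit those.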

The Cast (diagram): A. Datum account forest with Fabrikam (users) and Contoso (resource); an AD FS server on each side joined by a federation trust; Active Directory, the user, and the resource.

The Federation Trust
• The ADFS servers need to exchange information securely
  – Send the public key for the token-signing certificate
  – Tokens are verified by the relying party using this key, so the private key must stay on the ADFS servers and the public key must be obtained over a channel you can verify (e.g. federation metadata over HTTPS)
• During the setup process you’ll agree on the signing keys, claims formats, etc.
• Each application will trust a single ADFS server (or server farm)
  – The ADFS server can have many applications that trust it
  – The ADFS server can trust one or more ADFS/federation servers

The ADFS Passive Logon Process (diagram): A. Datum account forest (Fabrikam users, Active Directory, AD FS) and Trey Research resource forest (Office 365 / SharePoint, AD FS) joined by a federation trust; the user’s browser is redirected from the resource to the account-side AD FS and returns with a token.

ADFS with Outlook and ActiveSync (diagram): the same two forests and federation trust, with Exchange in Office 365 as the resource; Outlook and ActiveSync clients authenticate through the Office 365 side, which obtains the token from the account-side AD FS on their behalf.

ADFS Server Topology Options
• Single internal federation server and a single federation server proxy
• Load balanced servers and proxies
  – You can use an alternative reverse proxy if you have a need or existing infrastructure
• Geographically redundant ADFS servers

Two important points
1. Treat your ADFS servers with the same level of security as AD domain controllers: whoever controls the token-signing key or the ADFS configuration can issue a valid token for any user
2. Keep in mind that Office 365 availability depends on your ADFS service!

ADFS and SQL Server
• ADFS requires SQL Server to store configuration information
  – SQL Express (the Windows Internal Database)
  – Full SQL Server installation
• ADFS will replicate data between servers itself if using SQL Express
  – SQL Express does not offer token replay detection or SAML artifact resolution
• If using a full SQL installation, don’t forget to account for SQL high availability
  – SQL Server clustering within a given site
  – SQL Server mirroring between sites

Highly Available Single Site ADFS Deployment (diagram): two AD FS 2.x servers behind NLB on the enterprise network next to Active Directory; two AD FS 2.x server proxies behind NLB in the DMZ.

Highly Available Multi Site ADFS Deployment (diagram): Site A and Site B each have Active Directory, two AD FS 2.x servers behind NLB on the enterprise network, two AD FS 2.x server proxies behind NLB in the DMZ, and a SQL Server cluster; a global load balancer (GLB) fronts both sites and SQL mirroring links the two clusters.

Office 365 ADFS Configuration
• Install ADFS servers and ADFS proxies
• Run configuration scripts to configure ADFS for Office 365 integration
• Set up federated domains in the Office 365 tenant
  – Use the *-MsolFederated* PowerShell cmdlets
• Testing
  – www.testexchangeconnectivity.com
  – MOSDAL tool - http://support.microsoft.com/kb/960625
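The federated-domain setup with the *-MsolFederated* cmdlets, as an added example that is not part of the presentation, together with the two checks worth scripting around it: that the ADFS farm is reachable and agrees with the tenant, and that the token-signing certificate the tenant trusts is the one ADFS is actually signing with (the “Federation Trust” slide’s point, and the usual cause of a sudden Office 365 sign-in outage after a certificate rollover). The domain name and ADFS host name are assumptions.

```powershell
# Added example (not part of the presentation): federate a verified domain and check
# the trust. $DomainName and $AdfsServer are assumptions. Run on an ADFS 2.x server.
Import-Module MSOnline
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$DomainName = 'contoso.com'                # assumed: must already be Verified in the tenant
$AdfsServer = 'adfs01.corp.contoso.local'  # assumed: primary internal federation server

Connect-MsolService                        # tenant admin credentials
Set-MsolADFSContext -Computer $AdfsServer  # which ADFS farm the Msol*Federated* cmdlets read and write

function Test-FederationPrereq {
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified in the tenant" }
    if ($domain.Authentication -eq 'Federated') { Write-Warning "$DomainName is already federated" }

    # Every Office 365 logon for this domain will depend on this endpoint: confirm it answers
    # over HTTPS before moving the domain, and keep monitoring it afterwards.
    $fs  = (Get-ADFSProperties).HostName
    $url = "https://$fs/FederationMetadata/2007-06/FederationMetadata.xml"
    $null = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    "Federation service $fs is reachable; $DomainName is currently $($domain.Authentication)"
}

function Convert-DomainToFederated {
    # Add -SupportMultipleDomain when federating a second UPN suffix with the same farm
    Convert-MsolDomainToFederated -DomainName $DomainName
    # Compares what ADFS has with what the tenant has; the two must match
    Get-MsolFederationProperty -DomainName $DomainName
}

function Test-TokenSigningCertificate {
    # The tenant stores the public key ADFS signs tokens with. After a token-signing
    # certificate rollover on the farm, the tenant still trusts the old key and every
    # federated logon fails until Update-MsolFederatedDomain pushes the new one.
    $tenant     = Get-MsolDomainFederationSettings -DomainName $DomainName
    $tenantCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  -ArgumentList (,[Convert]::FromBase64String($tenant.SigningCertificate))
    $farmCert   = (Get-ADFSCertificate -CertificateType Token-Signing |
                   Where-Object { $_.IsPrimary }).Certificate

    if ($tenantCert.Thumbprint -ne $farmCert.Thumbprint) {
        Write-Warning "Tenant trusts $($tenantCert.Thumbprint) but ADFS signs with $($farmCert.Thumbprint); updating"
        Update-MsolFederatedDomain -DomainName $DomainName
    }
    [pscustomobject]@{
        Domain           = $DomainName
        TenantThumbprint = $tenantCert.Thumbprint
        FarmThumbprint   = $farmCert.Thumbprint
        FarmCertExpires  = $farmCert.NotAfter
    }
}

# Usage, in order:
#   Test-FederationPrereq
#   Convert-DomainToFederated
#   Test-TokenSigningCertificate   # again after any token-signing certificate rollover
```

Schedule the last function (or the equivalent check) ahead of the certificate’s expiry date: with automatic certificate rollover enabled, ADFS switches to the new key on its own, and the tenant only learns about it when someone runs `Update-MsolFederatedDomain`.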

Third Party On-Premises STSs
• Office 365 supports a number of third party federation services (STS – security token service)
• The list continues to evolve; however, these third party options are currently supported
  – OptimalIDM
  – Ping Federate
  – Shibboleth (common in Higher Education)
• Limitations may apply to third party solutions – be sure to do your research

Summary
• AAD DirSync will connect your AD to Office 365
• Plan to spend time cleaning your AD data first
• Federation is critical as applications move to the cloud

Questions?

Please evaluate the session before you leave