Brian Desmond - Identity and directory synchronization with office 365 and windows azure active directory

Transcript of Brian Desmond - Identity and directory synchronization with office 365 and windows azure active directory (42 slides)

Page 1:

Identity and Directory Synchronization in Office365 and Azure AD

Brian Desmond
Page 2:

Intro
• Chicago based
• Active Directory & Identity consultant
  – Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O’Reilly
  – You should own a copy!

e-mail: [email protected]

website & blog: www.briandesmond.com

@brdesmond

Page 3:

Agenda
• Identity Management in the Cloud
• Directory Synchronization with DirSync
• Federated Identity with Active Directory Federation Services

Page 4:

IDENTITY IN OFFICE 365

Page 5:

Identity Options
• Identities can be mastered in
  – Office365
  – Active Directory
• Single Sign On (SSO) is optional
  – Keeps passwords out of O365
  – Greatly improves the end user experience
• DirSync and ADFS may be required to meet your goals

Page 6:

Mastering Identities in Office365
• Separate Microsoft Online ID for each user
• Separate passwords stored in the cloud
• Very easy to deploy
• Support costs may be higher with differing passwords and password policies
• Manage your users with PowerShell or the Online Services administration center

Page 7:

Mastering Identities in Active Directory
• Two options
  – Separate Microsoft Online ID for each user
  – Federated identities
• Requires Windows Azure Active Directory Directory Synchronization (DirSync) for either option
  – Syncs Active Directory data to the cloud
  – Passwords can be synchronized
• Without federation or password sync, users still maintain a separate password in the cloud
• Enables rich coexistence scenarios

Page 8:

Federated Identity
• Users are authenticated via the on-premises ADFS environment
• DirSync sends objects and key attributes to the cloud
• The password is always maintained (and only exists) on-premises
• Requires additional infrastructure for ADFS
  – Access to any Office 365 service requires ADFS to be available!

Page 9:

Identity Architecture Comparison

Microsoft Online IDs
• Pros
  – No servers required
  – Simple setup
• Cons
  – Separate user accounts and password policies
  – Potentially higher support costs

Microsoft Online IDs with DirSync
• Pros
  – Coexistence possible
  – Provisioning / deprovisioning performed on-premises
• Cons
  – Requires additional servers
  – Separate user accounts and password policies
  – Potentially higher support costs

Federated IDs with DirSync
• Pros
  – Coexistence possible
  – Provisioning / deprovisioning performed on-premises
  – Passwords managed on-premises
  – Two-factor authentication possible
• Cons
  – Requires additional servers
  – Complex to implement and manage

Page 10:

DIRSYNC – WINDOWS AZURE ACTIVE DIRECTORY DIRECTORY SYNCHRONIZATION

Page 11:

What Does DirSync Enable?
• Enables identity and application coexistence
  – Identities are managed on premises
• Copies users, groups, and contacts into Office 365
• Enables easy identity federation
• Enables application coexistence
  – On-premises Microsoft Exchange and Microsoft Lync services work with their corresponding cloud services
  – On-premises Lync users can IM cloud users, and on-premises mail routes to the cloud (and the cloud routes back to on-premises)
  – Enables rich coexistence features in Exchange, including write-back to the on-premises directory
• Populates the Windows Azure Active Directory service
  – Can be used with other Microsoft cloud services, and for federation with third party cloud services and applications

Page 12:

What’s Under the Hood?
• Shrink-wrapped appliance version of Forefront Identity Manager (FIM)
  – Frequent updates
  – http://social.technet.microsoft.com/wiki/contents/articles/18429.windows-azure-active-directory-sync-tool-version-release-history.aspx
• The appliance is preconfigured to synchronize everything in your AD with Office 365
  – Passwords are not synchronized to Azure AD by default
• There are very few settings which can be configured in DirSync (in a supported manner)

Page 13:

DirSync Challenges
• The native DirSync appliance does not support a number of potential customer scenarios
  – Multi-forest Active Directory topologies
  – Authoritative data sources other than Active Directory
• A custom FIM deployment with the Azure AD connector can be built to address these scenarios
  – Requires deep subject matter expertise in FIM
  – The FIM deployment then has a dependency on changes and upgrade requirements for Azure
• Many common Active Directory data errors will cause directory synchronization errors
  – Use the IdFix toolset to identify and correct data: http://www.microsoft.com/en-us/download/details.aspx?id=36832
• Tenants that require more than 100,000 synchronized objects must contact Microsoft support to have their tenant limit raised
  – This can take some time; plan in advance

Page 14:

User Principal Names
• Users will log in to Office365 with their UPN
  – Ideally this matches the user’s primary email address
• The UPN suffix must be a routable domain that you can prove ownership of
  – No .local domains
  – No domains that you don’t own
• Multiple UPN suffixes are acceptable
• You may need to re-assign or scrub UPNs in your forest
  – Communicate the UPN to your users if it doesn’t match their email address
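The UPN and data-cleanup points from the two slides above, as an added example that is not part of the original deck: an IdFix-style pre-flight check that flags non-routable or malformed UPNs, characters Office 365 rejects, and duplicate proxy addresses, and proposes the primary SMTP address as the new UPN. It runs offline against the constructed sample objects at the bottom; the verified-domain list, the contoso.com names and the sample users are assumptions, and the invalid-character list is only a subset of what IdFix checks.

```powershell
# Added example, not from the original deck. Requires PowerShell 2.0 or later;
# the live-AD lines at the end need the ActiveDirectory (RSAT) module.

# Domains the tenant has verified (assumption; in practice: Get-MsolDomain -Status Verified)
$VerifiedDomains = @('contoso.com', 'contoso.co.uk')

function Test-DirSyncReadiness {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Users,
        [Parameter(Mandatory = $true)] [string[]] $VerifiedDomains
    )
    # Whitespace and punctuation Office 365 rejects in a UPN (subset of IdFix's list)
    $badChars = '[\s\\%&*+/=?{}|<>()\[\];:,"]'
    $seen = @{}   # smtp address (lower case) -> first account that used it

    foreach ($u in $Users) {
        $findings = @()
        $upn = [string]$u.UserPrincipalName

        if (-not $upn) {
            $findings += 'UPN is empty'
        } elseif ($upn -notmatch '^[^@]+@[^@]+$') {
            $findings += "UPN '$upn' is malformed"
        } else {
            $suffix = ($upn -split '@')[1]
            if ($VerifiedDomains -notcontains $suffix) { $findings += "UPN suffix '$suffix' is not a verified domain" }
            if ($upn -match $badChars)                 { $findings += "UPN '$upn' contains characters Office 365 rejects" }
        }

        foreach ($addr in @($u.proxyAddresses)) {
            if ($addr -notmatch '^smtp:[^@\s]+@[^@\s]+$') {   # -match is case-insensitive
                $findings += "proxyAddress '$addr' is malformed"
                continue
            }
            $key = ($addr -split ':', 2)[1].ToLowerInvariant()
            if ($seen.ContainsKey($key)) { $findings += "proxyAddress '$key' duplicates $($seen[$key])" }
            else                         { $seen[$key] = $u.SamAccountName }
        }

        # Candidate UPN: the primary (upper-case SMTP:) address, if its domain is verified
        $primary  = @($u.proxyAddresses) | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
        $proposed = $null
        if ($primary) {
            $candidate = ($primary -split ':', 2)[1]
            if ($VerifiedDomains -contains ($candidate -split '@')[1]) { $proposed = $candidate }
        }

        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $upn
            ProposedUpn       = $proposed
            Findings          = ($findings -join '; ')
        }
    }
}

# Constructed sample data standing in for Get-ADUser output
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'jdoe';    UserPrincipalName = 'jdoe@corp.local';      proxyAddresses = @('SMTP:jane.doe@contoso.com', 'smtp:jdoe@contoso.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'bsmith';  UserPrincipalName = 'b smith@contoso.com';  proxyAddresses = @('SMTP:bob.smith@contoso.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'bsmith2'; UserPrincipalName = 'bsmith2@contoso.com';  proxyAddresses = @('SMTP:bob.smith@contoso.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'okuser';  UserPrincipalName = 'ok.user@contoso.com';  proxyAddresses = @('SMTP:ok.user@contoso.com') })
)

Test-DirSyncReadiness -Users $sample -VerifiedDomains $VerifiedDomains |
    Format-Table SamAccountName, UserPrincipalName, ProposedUpn, Findings -AutoSize

# Against live AD, preview the UPN rewrites with -WhatIf before committing them.
# The new suffix must be registered in the forest first:
#   Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{Add = 'contoso.com'}
# Test-DirSyncReadiness -Users (Get-ADUser -Filter * -Properties proxyAddresses) -VerifiedDomains $VerifiedDomains |
#     Where-Object { $_.Findings -and $_.ProposedUpn } |
#     ForEach-Object { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.ProposedUpn -WhatIf }
```

On the sample, jdoe is flagged for the .local suffix and gets jane.doe@contoso.com proposed, bsmith for the space in the UPN, and bsmith2 for reusing bob.smith@contoso.com; okuser comes back clean. The duplicate check is deliberately case-insensitive because Office 365 treats SMTP addresses that way.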

Page 15:

IdFix Toolset

Page 16:

Server Requirements
• Windows Server 2008 R2 or Windows Server 2012
• Domain joined
  – Cannot be a domain controller
• SQL Server Express Edition
  – 50,000 or more objects requires a full SQL Server installation
  – SQL Server 2008 R2 or better is supported
• Virtually no advantage to increasing the CPU count
  – The FIM Synchronization Service is a single-threaded application
  – Memory and disk I/O will improve sync performance if you have a large environment
• The DirSync appliance could be installed on an Azure virtual machine
  – Configure a point-to-site virtual network VPN in Windows Azure

Page 17:

DirSync Installation Prerequisites
• Enterprise Administrator level Active Directory permissions
• Setup will perform a number of tasks
  – Create a service account for DirSync in the forest root domain
  – Delegate the service account permissions to use the DirSync LDAP control in Active Directory
  – Optionally delegate the service account access to write-back attributes
• Once setup is complete, elevated privileges are no longer necessary for the account that ran the installer
  – The service account keeps its delegated rights permanently: the DirSync control needs the right to replicate directory changes, and password synchronization additionally needs the right to replicate secrets, which is the ability to read every password hash in the domain. Protect the DirSync server and the service account credentials as you would a domain controller.
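As an added check that is not part of the original deck: after installation, list exactly what the DirSync service account was delegated at the domain root, so you can confirm it holds the replication rights it needs and the write-back attributes you expected, and nothing else. Requires the ActiveDirectory (RSAT) module on a domain-joined machine; the account name pattern MSOL_* is an assumption, so adjust it to the account setup created in your forest root domain.

```powershell
# Added example, not from the original deck.
Import-Module ActiveDirectory

function Get-DirSyncAccountRights {
    param([string] $AccountPattern = 'MSOL_*')   # assumption: name of the DirSync service account

    $rootDse  = Get-ADRootDSE
    $domainDn = (Get-ADDomain).DistinguishedName

    # Resolve ACE ObjectType GUIDs to names: schema attributes/classes and extended rights
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    $acl = Get-Acl -Path "AD:\$domainDn"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$AccountPattern" } |
        ForEach-Object {
            $target = if ($_.ObjectType -eq [guid]::Empty)        { '(all properties / rights)' }
                      elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                      else                                         { $_.ObjectType.ToString() }
            New-Object PSObject -Property @{
                Identity    = $_.IdentityReference.Value
                AccessType  = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = $target
                Inheritance = $_.InheritanceType
            }
        }
}

Get-DirSyncAccountRights |
    Sort-Object AppliesTo |
    Format-Table Identity, AccessType, Rights, AppliesTo, Inheritance -AutoSize
```

In the output, an ExtendedRight entry whose AppliesTo reads "Replicating Directory Changes" is what the DirSync control requires; "Replicating Directory Changes All" should only be present if you enabled password synchronization, since it allows the holder to read every account's password hash. WriteProperty entries should be limited to the write-back attributes listed on the next slide.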

Page 18:

DirSync On-Premises Active Directory Changes

Exchange full-fidelity feature | Attribute written back to on-premises AD
Filtering coexistence: on-premises filtering with cloud-sourced safe/blocked sender data | SafeSendersHash, BlockedSendersHash, SafeRecipientHash
Online Archive mailbox in the cloud | msExchArchiveStatus
Move mailboxes back and forth between cloud and on-premises; Outlook auto-complete and calendaring fidelity | proxyAddresses (adds the cloud LegacyExchangeDN value)
Enable cloud-based Unified Messaging (voicemail) with an on-premises Lync deployment | msExchUCVoiceMailSettings
Cross-premises mailbox delegation | publicDelegates
Cross-premises litigation hold management | msExchUserHoldPolicies

Page 19:

DirSync Installation

Page 20:

Password Synchronization
• DirSync was updated in June 2013 to support synchronization of password hashes to the cloud
  – Synchronizes passwords for all users in scope of DirSync
  – A hash of the on-premises Active Directory password hash is sent to the cloud; neither the cleartext password nor the AD hash itself leaves the premises
  – Password changes are synchronized to the cloud every two minutes
• The Office365 Change password button is hidden for users that have a synchronized password
  – The user is also configured such that their cloud password never expires; the on-premises Active Directory policy remains the only place expiry is enforced

Page 21:

Common DirSync Tweaks
• Run DirSync manually
  – %ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  – Start-OnlineCoexistenceSync
• Filter objects in specific organizational units or domains
  – Modify the container selection in the “Active Directory Connector” Management Agent
• Filter objects based on an attribute in AD
  – Create a connector filter in the “Active Directory Connector” Management Agent
• If you make an error and erroneously filter objects, they will be deleted from Office 365
  – Deletes are “soft” and objects can be recovered for thirty days
• The Management Agent is edited in the Synchronization Service Manager:
  C:\Program Files\Windows Azure Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
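A scope check to run after changing the container selection and before a manual sync, as an added example that is not part of the original deck: because everything that falls out of scope is soft-deleted in Office 365, compare the number of users under the selected OUs with the number currently synchronized in the tenant and refuse to sync if the drop is suspicious. Compare-DirSyncScope is plain arithmetic and runs offline; the driver needs the ActiveDirectory and MSOnline modules and a prior Connect-MsolService. The OU names, the 10% threshold and the contoso.com address are assumptions, and the AD count is deliberately rough (it includes disabled accounts, which DirSync also syncs by default).

```powershell
# Added example, not from the original deck.

function Compare-DirSyncScope {
    param(
        [int] $InScopeCount,            # users under the OUs selected in the AD connector
        [int] $CloudSyncedCount,        # users currently synchronized in the tenant
        [double] $MaxDropRatio = 0.10   # assumption: refuse if more than 10% would disappear
    )
    $drop  = $CloudSyncedCount - $InScopeCount
    $ratio = if ($CloudSyncedCount -gt 0) { $drop / $CloudSyncedCount } else { 0 }
    New-Object PSObject -Property @{
        InScope     = $InScopeCount
        CloudSynced = $CloudSyncedCount
        WouldDelete = [Math]::Max($drop, 0)
        SafeToSync  = ($ratio -le $MaxDropRatio)
    }
}

# --- driver against the live environment (assumed OU names) ---
$includedOUs = 'OU=Staff,DC=contoso,DC=com', 'OU=Contractors,DC=contoso,DC=com'

$inScope = 0
foreach ($ou in $includedOUs) {
    $inScope += @(Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree).Count
}
$cloud = @(Get-MsolUser -Synchronized -All).Count

$check = Compare-DirSyncScope -InScopeCount $inScope -CloudSyncedCount $cloud
$check | Format-List InScope, CloudSynced, WouldDelete, SafeToSync

if ($check.SafeToSync) {
    # Run the sync inside the DirSync console file rather than a plain PowerShell host
    $shell = "$env:ProgramFiles\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1"
    powershell.exe -PSConsoleFile $shell -Command 'Start-OnlineCoexistenceSync'
} else {
    Write-Warning "Sync would soft-delete about $($check.WouldDelete) users; fix the container selection first."
}

# Recovering a user that a bad filter soft-deleted (within the thirty-day window):
# Get-MsolUser -ReturnDeletedUsers -All | Select-Object UserPrincipalName, SoftDeletionTimestamp
# Restore-MsolUser -UserPrincipalName someone@contoso.com
```

Bring the object back into scope on-premises as well before restoring it in the cloud, otherwise the next sync will delete it again.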

Page 22:

Container Selection in DirSync

Page 23:

Configuring a Connector Filter

Page 24:

Troubleshooting Bad Data

Page 25:

FEDERATED AUTHENTICATION

Page 26:

Application Authentication Before Federation
• Standalone credential stores
• Integrated with Active Directory via LDAP
  – Forms based pages
  – Custom code
• Windows Integrated Authentication
  – NTLM
  – Kerberos
• How do we extend these options into the cloud?

Page 27:

What is Federation?
• Standardized (sort of) mechanism to assert identity across boundaries
• Works great with web applications – all HTTP(S)
• No Active Directory trusts required
• No Kerberos or NTLM involved between parties
• You take a federation token to the relying party and present it to access the application

Page 28:

Federation Buzzwords: Tokens and Claims
• How do I use/make/get tokens?
  – From an STS: security token service
    • Transforms one set of claims to another, and issues tokens with claims
    • aka Identity Provider (IdP) / Claims Provider / Claims Transformer / Federation Provider (FP)
• What is a token?
  – Proof of identity for a given user
  – Contains a set of claims about the user
• What is a claim?
  – An assertion made by the STS about its users
  – Used to make authorization & personalization decisions
• Who & what supports them?
  – A “claims-aware application”

Page 29:

What’s a Claim?
• Attribute value pairs
  – Role : “Marketing”
    • “I am a member of the Marketing group”
  – Email : “[email protected]”
    • “My email address is …”
  – HomeTown : “Chicago”
    • “I am from Chicago.”
• Populated using information from
  – Active Directory
  – AD Lightweight Directory Service (AD LDS)
  – SQL database
  – Custom source
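The claims described above, expressed as AD FS claim rules and applied to a relying party trust, as an added example that is not part of the original deck. The first rule queries the Active Directory attribute store for the user's mail attribute and issues it as an email claim; the second turns membership of one group (matched by SID) into the Role: Marketing claim; the authorization rule is needed because a relying party with no issuance authorization rule issues no token at all. Uses the ADFS module shipped with Windows Server 2012 (on 2008 R2 load the Microsoft.Adfs.PowerShell snap-in instead). The relying party name and the group SID are assumptions.

```powershell
# Added example, not from the original deck. Run on an AD FS server as an AD FS admin.
Import-Module ADFS

# Claim rule language; whitespace is not significant. The SID is a placeholder for
# the Marketing group: (Get-ADGroup Marketing).SID.Value
$issuanceRules = @'
@RuleName = "Email from the AD mail attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleName = "Role Marketing from group membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Marketing");
'@

# Without an authorization rule the STS refuses to issue a token for this relying party
$authorizationRules = @'
@RuleName = "Permit all authenticated users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$rpName = 'Claims demo app'   # assumption: an existing relying party trust
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back what the relying party will receive
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Matching the group by SID rather than by display name keeps the rule stable if the group is renamed, and it is the SID that AD FS actually receives in the incoming groupsid claims. Keep the issuance rules as narrow as the application needs; every claim issued is data the relying party gets to see.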

Page 30:

The Cast (diagram)
• A. Datum account forest: Fabrikam (Users), Active Directory, User, AD FS
• Contoso (Resource): AD FS, Resource
• A federation trust links the two AD FS servers

Page 31:

The Federation Trust
• The ADFS servers need to exchange information securely
  – Send the public key for the token-signing certificate
  – Tokens are verified by the relying party using this key
• During the setup process you’ll agree on the signing keys, claims formats, etc.
• Each application will trust a single ADFS server (or server farm)
  – The ADFS server can have many applications that trust it
  – The ADFS server can trust one or more ADFS/federation servers

Page 32:

The ADFS Passive Logon Process (diagram)
• A. Datum account forest: Fabrikam (Users), Active Directory, User, AD FS
• Trey Research resource forest: Office365 (Resource), AD FS, SharePoint
• A federation trust links the two AD FS servers

Page 33:

ADFS with Outlook and ActiveSync (diagram)
• A. Datum account forest: Fabrikam (Users), Active Directory, User, AD FS
• Trey Research resource forest: Office365 (Resource), AD FS, Exchange
• A federation trust links the two AD FS servers

Page 34:

ADFS Server Topology Options
• Single internal federation server and a single federation server proxy
• Load-balanced federation servers and proxies
  – You can use an alternative reverse proxy if you have a need or existing infrastructure
• Geographically redundant ADFS servers

Two important points
1. Treat your ADFS servers with the same level of security as AD Domain Controllers
2. Keep in mind that Office 365 availability depends on your ADFS service!

Page 35:

ADFS and SQL Server
• ADFS requires SQL Server to store configuration information
  – SQL Express
  – Full SQL Server installation
• ADFS will replicate data between servers itself if using SQL Express
  – SQL Express does not offer token replay detection or SAML artifact resolution
• If using a full SQL install, don’t forget to account for SQL high availability
  – SQL Server clustering within a given site
  – SQL Server mirroring between sites

Page 36:

Highly Available Single Site ADFS Deployment (diagram)
• Enterprise network: Active Directory, two AD FS 2.x servers
• DMZ: two AD FS 2.x server proxies
• NLB in front of the servers

Page 37:

Highly Available Multi Site ADFS Deployment (diagram)
• Site A enterprise network: Active Directory, two AD FS 2.x servers, SQL Server cluster
• Site A DMZ: two AD FS 2.x server proxies behind GLB and NLB
• Site B enterprise network: Active Directory, two AD FS 2.x servers, SQL Server cluster
• Site B DMZ: two AD FS 2.x server proxies behind GLB and NLB
• SQL mirroring between the two sites’ SQL Server clusters

Page 38:

Office 365 ADFS Configuration
• Install ADFS servers and ADFS proxies
• Run configuration scripts to configure ADFS for Office365 integration
• Set up federated domains in the Office 365 tenant
  – Use the *-MsolFederated* PowerShell cmdlets
• Testing
  – www.testexchangeconnectivity.com
  – MOSDAL tool: http://support.microsoft.com/kb/960625
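The federation setup above carried through with the MSOnline cmdlets, as an added example that is not part of the original deck: it converts a verified domain to federated against an AD FS farm and then checks that the tenant and the farm agree on the issuer identifier and the token-signing certificate, which is the public key the federation trust on slide 31 depends on. Requires the MSOnline module, a tenant global administrator for Connect-MsolService, and administrative rights on the AD FS server. The domain and server names are assumptions.

```powershell
# Added example, not from the original deck.
Import-Module MSOnline
Connect-MsolService                                   # prompts for a tenant global admin

$domain = 'contoso.com'                               # assumption: already verified in the tenant
Set-MsolADFSContext -Computer adfs01.contoso.com      # assumption: primary AD FS server
Convert-MsolDomainToFederated -DomainName $domain

# Both sides must report the same issuer and signing certificate
(Get-MsolDomain -DomainName $domain).Authentication   # expected: Federated
$fed = Get-MsolFederationProperty -DomainName $domain
foreach ($p in $fed) {
    $cert = $p.TokenSigningCertificate
    '{0,-22} issuer={1} thumbprint={2} expires={3:d}' -f $p.Source, $p.FederationServiceIdentifier, $cert.Thumbprint, $cert.NotAfter
}

$thumbprints = $fed | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Select-Object -Unique
if (@($thumbprints).Count -ne 1) {
    # Typical after AD FS auto-rolls its token-signing certificate: tokens signed with the
    # new key will be rejected by Office 365 until the tenant is told about it.
    Write-Warning 'Token-signing certificate differs between AD FS and the tenant; updating.'
    Update-MsolFederatedDomain -DomainName $domain
}
```

Schedule the thumbprint comparison to run ahead of every certificate rollover; when the two sources disagree, every Office 365 logon for the domain fails even though AD FS itself is healthy, which is exactly the availability dependency the topology slide warns about.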

Page 39:

Third Party On-Premises STSs
• Office365 supports a number of third party federation services (STS – security token service)
• The list continues to evolve; these third party options are currently supported
  – OptimalIDM
  – Ping Federate
  – Shibboleth (common in Higher Education)
• Limitations may apply to third party solutions – be sure to do your research

Page 40:

Summary
• AAD DirSync will connect your AD to Office365
• Plan to spend time cleaning your AD data first
• Federation is critical as applications move to the cloud

Page 41:

Questions?

Page 42:

Please evaluate the session before you leave