Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Transcript of Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio

Page 1: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio

Antonio Maio
Protiviti - Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP

Hybrid Identity Management with SharePoint and Office 365

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Page 2: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio

© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed to another third party.

About Protiviti


Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

• 2,500+ professionals

• 1,000+ clients

• 70+ offices

• Over 20 countries in the Americas, Europe and Asia-Pacific

Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.

Page 3: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Securing Identities and the Hybrid Cloud

Page 4: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Why Hybrid?

Page 5: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Identity Models for Office 365

Cloud Identity

Synchronized Identity

Federated Identity

Page 6: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Cloud Identity Model

• No on-premises directory
• Very small number of users
• On-premises directory is undergoing significant restructuring
• Trialing Office 365

Page 7: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Synchronized Identity Model

Page 8: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Federated Identity Model

Page 9: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Selecting an Identity Model

Columns compared: "I need to…" | Synchronized Identity | Federated Identity (Directory Sync with Single Sign-On)

• Sync new user, contact, groups created in on-premises AD to cloud automatically
• Sync incremental updates to existing accounts in on-premises AD to cloud automatically
• Set up my tenant for Office 365 hybrid scenarios – Limited Support
• Enable users to sign in to cloud services using on-premises password
• Control password policies from on-premises Active Directory
• Enable cloud-based multi-factor authentication solutions
• Enable on-premises multi-factor authentication solutions
• Ensure user authentications occur in on-premises Active Directory
• Implement single sign-on using corporate credentials
• Customize the user Sign-In page *
• Limit access to cloud services based on the location, client type or Exchange endpoint of the client – ?

* Available in Basic or Premium Edition of Azure Active Directory. See Chris Goosen's post for details on how to brand your Office 365 sign-in page: http://blog.enowsoftware.com/solutions-engine/bid/187358/Add-Custom-Branding-to-Your-Office-365-Sign-in-Page

Page 10: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


History Lesson
• DirSync
• Azure Active Directory Sync (AAD Sync) – introduced multi-forest support
• Azure AD Connect (GA June 24, 2015) – replaces both DirSync and AAD Sync

Page 11: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Azure AD Connect
• New deployment & configuration tool for quickly connecting on-premises identities to the cloud
• Express Settings: easily connect a single AD forest (in minutes)
• More options: specify a group or OU to sync only specific identities
• Built-in upgrade: easily upgrade existing DirSync or AAD Sync

Available now: http://go.microsoft.com/fwlink/?LinkId=615771

• Includes Azure AD Connect Health
• Monitors ADFS servers (health, performance, login activity)
• Only available for Azure AD Premium Edition

Page 12: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Azure AD Connect – Configuration Options
• Synchronize multiple AD forests
• User self-service password reset in the cloud with write-back to on-premises AD
• Provisioning from the cloud with user write-back to on-premises AD
• Write-back of "Groups in Office 365" to on-premises distribution groups in a forest with Exchange
• Device write-back so on-premises access control policies in ADFS can recognize devices registered with Azure AD (includes support for Azure AD Join in Windows 10)
• Sync custom AD attributes to your Azure AD tenant, for consumption by your cloud apps
• Configure password sync or federation – selecting federation provides a simplified ADFS deployment
• Other options…

Page 13: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Azure AD Connect Health
• Email notifications for critical alerts
  – Events, configuration information, transactions, performance data
• Graphs – usage insights
  – Ex. login activity (number of successful logins, failed logins, trends)
  – Available when auditing is enabled on your ADFS servers
  – Based on audits generated when users log in and tokens are generated for applications
• Performance monitoring across multiple servers
  – Token request counters, processor, memory, latency

Page 14: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Topology – Directory Synchronization

Diagram components: AD DC, Azure AD Connect, DMZ Firewall, Internet Firewall

Page 15: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Topology – Federated Identity

Diagram components: AD DC, Azure AD Connect, ADFS, ADFS Proxy, DMZ Firewall, Internet Firewall

Page 16: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Topology – Federated Identity (High Availability)

Diagram components: AD DC 1, AD DC 2, Azure AD Connect, Azure AD Connect (Staging Mode), ADFS 1, ADFS 2, ADFS Proxy 1, ADFS Proxy 2, Load Balancer, DMZ Firewall, Internet Firewall

Page 17: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect
1. Prepare for Directory Synchronization
   • Prerequisites, Permissions, Understand Limits
   • Alternate UPN Suffix for .local Domain
   • Clean Up UPNs & ProxyAddresses in AD (use Microsoft Office 365 IdFix)
2. Activate Directory Synchronization
   • Register your Domain with Office 365 & Validate Ownership
   • Activate Directory Sync in Office 365 > Admin > Users
3. Set up AD Connect on your Directory Synchronization Server
   • Provide Office 365 Service Admin Credentials
   • Provide on-premises AD Enterprise Domain Admin Credentials
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization
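The following PowerShell is an added example, not part of the deck or of IdFix: it audits the two step-1 clean-up items (a non-routable .local UPN suffix and missing or duplicate proxyAddresses) across enabled users before the first sync, and can optionally rewrite the UPN suffix. It assumes the RSAT ActiveDirectory module, a single verified domain, and uses contoso.com as a placeholder for that domain.

```powershell
# Added example (not from the deck): pre-sync hygiene audit for on-premises AD.
# Assumes the ActiveDirectory module and ONE verified, routable domain.
Import-Module ActiveDirectory

$RoutableSuffix = 'contoso.com'   # placeholder: the domain you verified in Office 365
$Fix            = $false          # report only; set to $true to rewrite UPN suffixes

# 1. The routable domain must exist as an alternate UPN suffix on the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Write-Warning "UPN suffix '$RoutableSuffix' is not registered on forest $($forest.Name)"
    if ($Fix) { Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $RoutableSuffix} }
}

# 2. Walk every enabled user and collect findings as objects (easy to export later).
$users    = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, proxyAddresses
$seen     = @{}   # lower-cased proxyAddress -> first sAMAccountName that carried it
$findings = foreach ($u in $users) {
    $upn    = $u.UserPrincipalName
    $suffix = if ($upn) { $upn.Split('@')[-1] } else { '' }

    # A .local or empty suffix cannot be used to sign in to Office 365.
    if ($suffix -ne $RoutableSuffix) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'UPN suffix'; Value = $upn }
        if ($Fix -and $upn) {
            $newUpn = '{0}@{1}' -f $upn.Split('@')[0], $RoutableSuffix
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }

    # Exactly one primary (upper-case SMTP:) address is expected per user.
    $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'primary SMTP count'; Value = $primary.Count }
    }

    # Any proxyAddress that also appears on another object blocks the sync for both.
    foreach ($addr in @($u.proxyAddresses)) {
        $key = $addr.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'duplicate proxyAddress'
                               Value = "$addr (also on $($seen[$key]))" }
        } else {
            $seen[$key] = $u.SamAccountName
        }
    }
}

$findings | Sort-Object Issue, User | Format-Table -AutoSize
'{0} users checked, {1} findings' -f $users.Count, @($findings).Count
```

Run it with $Fix left at $false first and review the findings; the duplicate check covers users only, so contacts and groups still need IdFix.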

Page 18: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


DEMONSTRATION
INSTALLING & CONFIGURING AZURE AD CONNECT

Page 19: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Assign Licenses/Location via PowerShell
• Office 365 Admin GUI allows for bulk assignment (limit 25 users at a time)
• Useful PowerShell commands for bulk license assignment

Connect-MsolService
    Connect to your Office 365 service.

Get-Command -Module MSOnline
    Display available PowerShell commands.

Get-MsolUser
    Display the list of users currently within your Office 365 tenant.

Get-MsolUser -UnlicensedUsersOnly
    Display only the users in your Office 365 tenant which do not have a license.

Get-MsolAccountSku
    Display your Office 365 tenant license SKU. Use this when assigning a license.

Set-MsolUser -UserPrincipalName "<user's upn>" -UsageLocation "US"
    Set the location for a specific user by specifying the user principal name.

Set-MsolUserLicense -UserPrincipalName "<user's upn>" -AddLicenses "<your license SKU>"
    Set a license for the specified user. Use the SKU displayed by the command above.

• Combine PowerShell commands to assign licenses to all unlicensed users:
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation "US"
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "<your license SKU>"
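An added example, not from the deck, that turns the two one-liners above into a checked bulk run: it verifies the SKU still has free units, sets UsageLocation only where it is missing (Set-MsolUserLicense fails without one), and records the outcome per user. It assumes the MSOnline module, an existing Connect-MsolService session, and placeholder values for the SKU id and location.

```powershell
# Added example (not from the deck): guarded bulk license assignment with MSOnline.
# Assumes Connect-MsolService has already been run in this session.
$SkuId    = 'tenant:ENTERPRISEPACK'   # placeholder: copy the AccountSkuId from Get-MsolAccountSku
$Location = 'US'                      # placeholder: the usage location your users need

$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
if (-not $sku) { throw "SKU '$SkuId' not found in this tenant" }
$free = $sku.ActiveUnits - $sku.ConsumedUnits

# -All avoids the default page size of Get-MsolUser on large tenants.
$unlicensed = @(Get-MsolUser -All -UnlicensedUsersOnly)
'{0} unlicensed users, {1} free units on {2}' -f $unlicensed.Count, $free, $SkuId

$log = foreach ($user in $unlicensed) {
    $upn = $user.UserPrincipalName
    if ($free -le 0) {
        # Stop assigning rather than let the SKU go into a warning/over-consumed state.
        [pscustomobject]@{ User = $upn; Result = 'skipped: no free units' }
        continue
    }
    try {
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $Location -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $SkuId -ErrorAction Stop
        $free--
        [pscustomobject]@{ User = $upn; Result = 'licensed' }
    } catch {
        # Keep going for the rest of the batch but capture why this user failed.
        [pscustomobject]@{ User = $upn; Result = "failed: $($_.Exception.Message)" }
    }
}

$log | Format-Table -AutoSize
$log | Export-Csv -Path ".\license-assignment-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```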

Page 20: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


DEMONSTRATION
ACTIVATING USERS IN OFFICE 365 WITH POWERSHELL

Page 21: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Configuring Identity Federation
1. Prepare for Single Sign-On
   • Prerequisites, Prepare Active Directory
   • Prepare Network infrastructure for Federation servers
2. Set up the On-Premises Active Directory Federation Services (AD FS)
   • Set up Windows PowerShell for SSO with AD FS
   • Set up trust between AD FS and Azure AD
3. Set up Directory Synchronization with Azure AD Connect
4. Verify & Manage Single Sign-On
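For step 4, the following added PowerShell (not from the deck) verifies that the trust set up in step 2 is what the tenant actually holds: it confirms the domain is federated and that the signing certificate and sign-in endpoint Azure AD stores for it match the token-signing certificate and host name of the local AD FS farm. It assumes the MSOnline and ADFS modules, an existing Connect-MsolService session, that it runs on a federation server, and uses contoso.com as a placeholder domain.

```powershell
# Added example (not from the deck): compare the tenant's federation settings with
# the local AD FS farm. Assumes Connect-MsolService was run and this runs on AD FS.
$Domain = 'contoso.com'   # placeholder: your federated domain

$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Authentication -ne 'Federated') {
    throw "$Domain is '$($dom.Authentication)', not Federated; Convert-MsolDomainToFederated has not been applied"
}

# What Azure AD believes about the trust (SigningCertificate is base64 DER).
$fed       = Get-MsolDomainFederationSettings -DomainName $Domain
$cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 [Convert]::FromBase64String($fed.SigningCertificate))

# What this farm actually signs tokens with right now.
$localCert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$farm      = Get-AdfsProperties

$report = [pscustomobject]@{
    Domain          = $Domain
    IssuerUri       = $fed.IssuerUri
    PassiveLogOnUri = $fed.PassiveLogOnUri
    CloudThumbprint = $cloudCert.Thumbprint
    LocalThumbprint = $localCert.Thumbprint
    CertMatch       = ($cloudCert.Thumbprint -eq $localCert.Thumbprint)
    CertExpires     = $localCert.NotAfter
    HostMatch       = ($fed.PassiveLogOnUri -like "https://$($farm.HostName)/*")
}
$report | Format-List

# A mismatch means Azure AD trusts a certificate or endpoint that is not this farm:
# after a planned certificate rollover, rerun Update-MsolFederatedDomain; otherwise
# treat it as a configuration drift to investigate before cutting users over.
if (-not ($report.CertMatch -and $report.HostMatch)) {
    Write-Warning "Federation settings for $Domain do not match the local AD FS farm"
}
```

During an AD FS certificate rollover also compare $fed.NextSigningCertificate, which Azure AD accepts alongside the current one.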

Page 22: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Overall Benefits

• Reduced administration costs: leverage your already existing on-premises user and group accounts
• Improved productivity: significantly reduce the amount of time it takes to make cloud-based services accessible
• Increased security: ensures that only appropriate users have access to your corporate assets. Retain strict control over user identities and related policies through on-premises AD.
• Enable hybrid scenarios: enjoy the benefits of the cloud combined with your existing infrastructure through robust hybrid configuration scenarios

Page 23: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Step by Step Procedures

Please see 2 blog posts:
• Part 1: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=142
• Part 2: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=165

This deck will be posted to my blog: www.trustsharepoint.com

*Note: these posts refer to DirSync in several cases, but the activities for cleaning up AD and preparing for Identity Synchronization or Identity Federation are still applicable with Azure AD Connect.

Page 24: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio

Antonio Maio
Protiviti - Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP

Thank You – Questions & Answers

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Page 25: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Appendix

Page 26: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect
1. Prepare for Directory Synchronization
   • Prerequisites, Permissions, Understand Limits
   • Alternate UPN Suffix for .local Domain
   • Clean Up UPNs & ProxyAddresses in AD (use Microsoft Office 365 IdFix)
2. Activate Directory Synchronization
   • Register your Domain with Office 365 & Validate Ownership
   • Activate Directory Sync in Office 365 > Admin > Users
3. Set up AD Connect on your Directory Synchronization Server
   • Provide Office 365 Service Admin Credentials
   • Provide on-premises AD Enterprise Domain Admin Credentials
4. Synchronize Directories
5. Activate Users & Assign Office 365 Licenses
6. Manage Directory Synchronization

Page 27: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Alternate UPN Suffix for .local Domain

Page 28: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Alternate UPN Suffix for .local Domain

Page 29: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Clean up Active Directory: set UPN for each user identity

Page 30: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Clean up Active Directory: set proxyAddresses for each user identity

Page 31: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Clean up Active Directory: set proxyAddresses for each user identity

Page 32: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio



Page 33: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Register Domain with Office 365 & Validate Ownership

Page 34: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Register Domain with Office 365 & Validate Ownership

Page 35: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Register Domain with Office 365 & Validate Ownership

Page 36: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Register Domain with Office 365 & Validate Ownership

Page 37: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Register Domain with Office 365 & Validate Ownership

Page 38: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Activate Directory Synchronization

Page 39: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Activate Directory Synchronization

Page 40: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio



Page 41: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – Deploying and Configuring Azure AD Connect (Express Settings)

Page 42: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio



Page 43: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio


Steps - Configuring Azure AD Connect – After users & groups are synchronized

Page 44: Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio

