Identity in Office 365

Blog: http://www.MyCentralAdmin.com Twitter: @ferringer

http://www.mycentraladmin.com/

3 | SharePoint Saturday Redmond 2012

Outline

Office 365 Overview

Changing the Identity Perspective

Authentication vs. Authorization

Who Are You?

What Do You Do Here?

Who’s in Charge Here?


Email and Calendaring

Websites and Collaboration

IM and Online Meetings

Office Client and Web Apps

Hosted by Microsoft – in the cloud!


Office 365 Overview



Who Are You?




Did Someone say Cloud?


What’s Your Perspective?


Identity’s impact on Office 365

End User Experience

Complexity

Scale

Manageability

Investment


Office 365 Overview



Who Are You?





Who gets in?

What can they do?


Who gets in?

Where do your Office 365 user accounts live?

What is needed to use them?

What can they do?

What are the limitations of the approach?


Office 365 Overview



Who Are You?




Identity Options 1. Microsoft Online (MSO) IDs

2. MSO IDs + Directory Synchronization

3. Single Sign On + Directory Synchronization

Your Environment

AD

MS Online Directory Sync

Identity Services

Provisioning platform

Lync Online

SharePoint Online

Exchange Online

Active Directory Federation Services 2.0

Trust

IdP Directory

Store

Admin Portal/ PowerShell

Authentication platform

Office 365 Desktop Setup

Microsoft Online Services

IdP


What can they do?

Appropriate for • Smaller orgs without

AD on-premise

Pros • No servers required on-

premise

Cons • No SSO • No 2FA • 2 sets of credentials to

manage with differing password policies

• IDs mastered in the cloud

Appropriate for • Medium/Large orgs with

AD on-premise

Pros • Users and groups

mastered on-premise • Enables co-existence

scenarios Cons • No SSO • No 2FA • 2 sets of credentials to

manage with differing password policies

• Single server deployment

Appropriate for • Larger enterprise orgs

with AD on-premise Pros • SSO with corporate cred • IDs mastered on-premise • Password policy

controlled on-premise • 2FA solutions possible • Enables co-existence

scenarios Cons • High availability server

deployments required


Sign On Experience *SSO vs. Online IDs Summary

Win7/Vista/XP

SSO IDs (domain joined)

MS Online IDs

Outlook Web Application

SharePoint Web Application

ActiveSync, POP, IMAP, Entourage

Outlook 2007 or 2010

Online ID Online ID Online ID

Win 7/Vista/XP

Office 2010, or Office 2007 SP2

Online ID

Win7/Vista/XP

Lync Online

Online ID

AD credentials AD credentials AD credentials AD credentials AD credentials

SSO IDs (non-domain joined) AD credentials AD credentials AD credentials AD credentials AD credentials

*Requires ADFS 2.0


Your Environment

AD


Identity Services

Lync Online

SharePoint Online

Exchange Online


Trust

IdP Directory

Store




IdP

Active Directory Federation Services (AD FS)


How does AD FS work?

Claims authentication

Think of it like a passport

Passport Application

Visa Application

Submit for authorization

Allowed access


AD FS’s Authentication flow

`

Client

(joined to CorpNet)

Authentication platformAD FS 2.0 Server

Exchange Online or

SharePoint Online

Active Directory

Your Environment Microsoft Online Services

Logon (SAML 1.1) Token UPN:[email protected] Source User ID: ABC123

Auth Token UPN:[email protected] Unique ID: 254729


AD FS 2.0 deployment options 1. Single server configuration

2. AD FS 2.0 server farm and load-balancer

3. AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Outlook)

Enterprise

DMZ

AD FS 2.0 Server Proxy

External user Internal

user

Active Directory

AD FS 2.0 Server

AD FS 2.0 Server

AD FS 2.0 Server Proxy


ADFS Considerations

Can you afford an outage?

How do you secure it?

It’s complex

Requires specific AD config

UPN formatting

Requires DirSync

Other options available

Shibboleth (added August 2012)

Hat tip: @usher


Directory Synchronization

One-way copy of accounts to Office 365

Required for SSO/AD FS

But can be used without AD FS

Required for Hybrid scenarios

Think of it as an appliance, always running


Your Environment

AD


Identity Services

Lync Online

SharePoint Online

Exchange Online


Trust

IdP Directory

Store




IdP

How DirSync Fits in


Getting to know DirSync

It’s actually Forefront Identity Manager

Copies AD accounts into Office 365

But not back down

Doesn’t sync passwords

Filtering now available

Can have sizing issues

Upload sizing

Database sizing

FIM: no touchy! (maybe)


Office 365 Overview



Who Are You?




Who does what around here?

Role-based Administration (RBAC)

External access


Office 365 user roles

End Users

Service administrators

Exchange Online

SharePoint Online

Lync Online

Office 365 administrators

External users


Office 365 admin roles

Global administrator

Billing administrator

Password administrator

Services administrator

User management administrator

Delegated administrator

See the Office 365 Support Services Description document for more info:

http://tinyurl.com/o365SvcDescrs




External access

Allows external users access to SharePoint Online

No USLs required

Not full Extranet

Users can have:

MSO ID

Live ID

EASI ID

It’s a Feature Preview…


Office 365 Overview



Who Are You?




Managing Identity in Office 365

Admin activities do not go away

AD FS is complex

And important!

PowerShell is your friend

How’s your internet connection?

Office 365 is constantly changing


Troubleshooting Identity

Microsoft Online Diagnostics and Logging tool (MOSDAL)

Microsoft Remote Connectivity Analyzer: HTTP://testexchangeconnectivity.com

Fiddler

WireShark/Netmon

Office 365 Expert Discussion Series: http://tinyurl.com/o365ExptDisc

http://testexchangeconnectivity.com/

http://testexchangeconnectivity.com/

http://tinyurl.com/o365ExptDisc

http://tinyurl.com/o365ExptDisc


Tie IT All Together

Blog: http://www.MyCentralAdmin.com Twitter: @ferringer

http://www.mycentraladmin.com/

Identity in Office 365 - SPS Redmond 2012

Technology

Transcript of Identity in Office 365 - SPS Redmond 2012