Identity Management for Office 365 and Microsoft Azure


Transcript of Identity Management for Office 365 and Microsoft Azure

Page 1: Identity Management for Office 365 and Microsoft Azure

Identity Management for Office 365/Microsoft Azure

PRESENTED BY: David Pechon, Jr., VCP5-DCV, MCSA

Page 2: Identity Management for Office 365 and Microsoft Azure

About David

• Started in IT in 1997 as an Information Systems Operator/Analyst in the US Army.

• Spent most of IT career in the financial services sector working for three banks and a loan servicing company.

• Prior consulting work with managed service providers and value added resellers.

• Certifications include Microsoft Certified Solutions Associate: Office 365, VMware Certified Professional 5 – Datacenter Virtualization.

• Married with two children, lives in Ponchatoula, die-hard Cubs fan, and likes to grill meat.

• Fun Fact: I’m an amateur calligrapher and have been since I was 11.

[email protected]

@davidpechon

http://linkedin.com/in/davidpechonjr


Page 4: Identity Management for Office 365 and Microsoft Azure

What’s covered in this presentation?


• What is Azure Active Directory (AAD)

• Sync your on-prem AD with Azure Active Directory

• Active Directory Federation Services

• Azure Access Control Services

• Branding

Page 5: Identity Management for Office 365 and Microsoft Azure

What is Azure Active Directory?

Page 6: Identity Management for Office 365 and Microsoft Azure

What is Azure Active Directory?

• Active Directory services hosted in Azure to allow for identity management of Microsoft Cloud applications like Exchange Online, SharePoint Online, Dynamics, Windows Intune, and apps hosted in Azure.

• Third party cloud apps like SalesForce and Box can use Azure AD.

• Integrates with on-premises Active Directory infrastructure using the directory sync tool, allowing for password and attribute synchronization.

• Accounts can be manipulated with PowerShell using the Azure PowerShell Module and the Microsoft Online Sign-on Assistant.

• With Active Directory Federation Services, you can provide single sign-on services.

• Multi-factor authentication is available.

Page 7: Identity Management for Office 365 and Microsoft Azure

Common Features of Azure AD

• Directory as a service [1]

• User and group management using UI or PowerShell

• Access Panel portal for SSO-based user access to SaaS and custom apps [2]

• User based application access management and provisioning

• Self-service password change for cloud users

• Directory Sync tool

• Standard security reports

[1] Up to 500k objects for Free, unlimited for Basic and Premium. Does not apply to Office 365 and Windows Intune or any other Microsoft online service.

[2] Up to 10 apps visible in the access panel for Free and Basic. No app limit in Premium.

Page 8: Identity Management for Office 365 and Microsoft Azure

Basic and Premium Features

Feature                                                       BASIC   PREMIUM
99.9% SLA uptime                                                √        √
Group based application access management and provisioning     √        √
Custom branding of sign-on page and access                     √        √
Self service password reset                                     √        √
App Proxy: Secure remote access and SSO to on-prem web.         √        √
Self service group management for cloud users                            √
Microsoft Identity Manager Server licenses for syncing                   √
Advanced anomaly security reports                                        √
Advanced application usage reporting                                     √
Multifactor authentication service for cloud users                       √
Multifactor authentication server for on-prem users                      √

Page 9: Identity Management for Office 365 and Microsoft Azure

Preparing the On-Premises AD

• Active Directory attributes must be cleaned up before synchronization.

• Cannot synchronize users whose user principal names use a non-valid top level domain (e.g. domain.local).

• Remove duplicate UPNs and proxyAddress attributes.

• Remove invalid characters in the givenName, sn (surname), sAMAccountName, displayName, mail, proxyAddress, mailNickname, and userPrincipalName attributes.

Page 10: Identity Management for Office 365 and Microsoft Azure

Identifying Problems

Office 365 OnRamp identifies issues but does not correct them.

IdFix can be used to identify errors and allows for remediating some of them.

Page 11: Identity Management for Office 365 and Microsoft Azure

Fixing Errors: Use what your momma Microsoft gave you:

Microsoft gives you ADUC, ADSI Edit, PowerShell, and other consoles and tools to correct attribute errors. For example, rewriting a non-routable UPN suffix for every user in an OU:

# Replace the non-routable UPN suffix with the domain verified in Office 365
$oldSuffix = 'domain.local'
$newSuffix = 'example.com'
Get-ADUser -SearchBase "ou=text,dc=domain,dc=local" -SearchScope OneLevel -Filter * | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    # Target one DC so the change is not split across replication partners
    $_ | Set-ADUser -Server yourDomainController -UserPrincipalName $newUpn
}
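The slides list the attribute problems to find (non-routable UPN suffixes, duplicate UPN/proxyAddress values, invalid characters) and then fix. The following read-only audit, an added example that is not from the presentation, reports all three classes across an OU before any synchronization is attempted; the OU, the verified suffix list and the invalid-character set are assumptions.

```powershell
# Added example (not from the slides): read-only pre-sync audit of the attributes
# named on the "Preparing the On-Premises AD" slide. Assumes the ActiveDirectory
# module; the OU, the verified suffix and the rejected-character set are placeholders.
Import-Module ActiveDirectory

$searchBase    = 'ou=Users,dc=domain,dc=local'     # placeholder OU to audit
$validSuffixes = @('example.com')                   # suffixes verified in the tenant (placeholder)
$badChars      = '[\s\\"|,/:<>+=;?*\[\]]'           # illustrative set the sync tool rejects
$props = 'givenName','sn','displayName','mail','proxyAddresses','mailNickname','userPrincipalName'
$users = Get-ADUser -SearchBase $searchBase -Filter * -Properties $props

$findings = New-Object System.Collections.ArrayList

foreach ($u in $users) {
    # 1. UPN suffix must be a routable domain verified in Office 365, never domain.local
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    if ($validSuffixes -notcontains $suffix) {
        [void]$findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Issue = "non-routable suffix '$suffix'" })
    }
    # 2. Characters the sync tool rejects in naming and mail attributes
    foreach ($a in 'sAMAccountName','mailNickname','mail') {
        if ($u.$a -and $u.$a -match $badChars) {
            [void]$findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = $a; Issue = "invalid character in '$($u.$a)'" })
        }
    }
}

# 3. UPN, mail and every proxyAddresses entry must be unique across the directory
$addresses = foreach ($u in $users) {
    foreach ($v in @($u.UserPrincipalName, $u.mail) + @($u.proxyAddresses)) {
        if ($v) { [pscustomobject]@{ User = $u.SamAccountName; Value = ($v -replace '^(smtp|sip|x500):', '').ToLower() } }
    }
}
foreach ($d in ($addresses | Group-Object Value | Where-Object { $_.Count -gt 1 })) {
    [void]$findings.Add([pscustomobject]@{ User = ($d.Group.User -join ', '); Attribute = 'UPN/mail/proxyAddresses'; Issue = "duplicate '$($d.Name)'" })
}

# Report only; nothing is changed. Remediate with ADUC, ADSI Edit, Set-ADUser or IdFix.
$findings | Sort-Object User, Attribute | Format-Table -AutoSize
$findings | Export-Csv -Path .\dirsync-precheck.csv -NoTypeInformation
```

Run it again after remediation; an empty report for all three checks is the state DirSync expects.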

Page 12: Identity Management for Office 365 and Microsoft Azure

Synchronizing your on-premises Active Directory with Azure Active Directory

Page 13: Identity Management for Office 365 and Microsoft Azure

Benefits of synchronizing Azure AD with on-premises AD

• DirSync to synchronize objects to Azure AD, or back to on-prem.

• Users only see one account to access on-site applications and cloud applications.

• Allows users to use existing AD account for third party cloud apps.

• Can be customized to sync a subset of AD objects.

• Manage users from on-premises AD environment.

Page 14: Identity Management for Office 365 and Microsoft Azure

Azure Active Directory Sync (DirSync)

• Wizard only sets up initial synchronization.

• Supports a single forest.

• Only writes back attributes for hybrid Exchange 2010/2013 environment.

• Must refer to another tool to set up filtering (included in installation): Forefront Identity Manager or FIM.

• Download from Office 365 dashboard when setting up AD Sync.

Page 15: Identity Management for Office 365 and Microsoft Azure

Azure Active Directory Sync

• Released in October 2014, originally used to sync with just Azure AD but now can be used to sync for Office 365.

• Allows for multiple forest synchronization.

• More attribute sync options by selecting a minimal set and customizing flows.

• Supports password writeback.

• Forefront Identity Manager completely replaced, but Synchronization Service Manager (miisclient.exe) still exists with some changes.

• Also will soon be replaced by…

More info: https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

Page 16: Identity Management for Office 365 and Microsoft Azure

Azure AD Connect

• Currently in public preview, will replace Azure Active Directory Sync Tool (DirSync) and Azure Active Directory Sync.

• Goes further than DirSync and AADS in setting up Active Directory Federation Services (ADFS) and assisting with domain name federation.

• Writeback – AD objects can be synced back to on-prem AD in the form of users, groups, and devices.

• Domain-joined Windows 10 devices can be synced directly from Azure AD.

• Sync filtering based on AD groups allows for a “Pilot Mode”.

• Prevent accidental deletions by setting a threshold via PowerShell.

• Will be the single choice for Azure and Office 365 deployments.

Page 17: Identity Management for Office 365 and Microsoft Azure

Azure AD Connect tools

Wizard – Unlike the DirSync wizard, you are given more options to set up synchronization.

Like AADS, FIM is replaced by Synchronization Service Manager.

Page 18: Identity Management for Office 365 and Microsoft Azure

Filtering on DirSync

Using the miisclient.exe tool, you can set up filtering via attribute…

…or by organizational unit. Stamping every user in an OU with a marker attribute that the filter then selects on:

# Tag all users under the OU so an attribute filter can select them for sync
$ou = "<organizational unit>"
Get-ADUser -Filter 'surname -like "*"' -SearchBase $ou | Set-ADUser -Add @{extensionAttribute10='synctocloud'}

Page 19: Identity Management for Office 365 and Microsoft Azure

Filtering via Azure AD Sync/Connect

Filter by attribute by using the Synchronization Rules Editor.

Filter by domain or OU by using the Synchronization Service Manager UI.

Page 20: Identity Management for Office 365 and Microsoft Azure

Filtering via Azure AD Connect

Azure AD Connect now allows you to filter by group during setup.

Page 21: Identity Management for Office 365 and Microsoft Azure

Active Directory Federation Services

Page 22: Identity Management for Office 365 and Microsoft Azure

What is ADFS?

Active Directory Federation Services or ADFS is a server role that allows for single sign-on for internal and external access to various web applications.

For Office 365, ADFS 2.0 is the minimum requirement and is a separate installable for Windows Server 2008. On 2008 R2, 2012, and 2012 R2, ADFS is a role that can be installed.

Page 23: Identity Management for Office 365 and Microsoft Azure

How SSO with ADFS works:

1. User logs onto Office 365 using a federated login.

2. Azure AD detects the domain is federated with an ADFS farm.

3. For internal users, NTLM credentials can be passed to the ADFS server to verify login (set up in a GPO). External users on a web proxy (and non-IE users) are given a login screen to enter a password.

4. When user credentials are verified as correct, a token is passed back to Office 365/Azure AD verifying the user identity.

Page 24: Identity Management for Office 365 and Microsoft Azure

Claims rules with ADFS

Allows administrators to permit or deny the access of federated logins based on IP address, group membership, geolocation, etc.

Uses Claim Rule Language, but basic rules can be set up using a wizard.
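As an added example that is not from the presentation, here is the group-membership case written in Claim Rule Language and applied to the Office 365 relying party trust: users whose request arrived through the ADFS proxy (the x-ms-proxy claim is present) are denied unless they belong to one AD group, while internal users keep the default permit. The group name is an assumption; the relying party name is the one Convert-MsolDomainToFederated creates.

```powershell
# Added example (not from the slides): restrict external federated sign-ins to one group
# with an issuance authorization rule. Assumes the ADFS (2012 R2) and ActiveDirectory
# modules on the ADFS server; the group name is a placeholder.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName    = 'Microsoft Office 365 Identity Platform'   # trust created by Convert-MsolDomainToFederated
$groupName = 'O365-RemoteAccess'                         # placeholder AD group allowed to sign in externally
$groupSid  = (Get-ADGroup -Identity $groupName).SID.Value

# Rule 1 keeps the default "permit everyone". Rule 2 issues a deny for any request that
# carries the x-ms-proxy claim (it came through the ADFS Proxy / Web Application Proxy)
# unless the user also carries the group's SID. A deny claim overrides any permit.
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external access unless member of $groupName"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep the current rule set so the change can be rolled back
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$before | Out-File -FilePath .\o365-authz-rules.bak

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what ADFS now holds for the trust
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test with one account inside the group and one outside it from behind the proxy before rolling out; the saved rule set restores the previous behaviour with the same Set-AdfsRelyingPartyTrust call.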

Page 25: Identity Management for Office 365 and Microsoft Azure

ADFS Setup Tips

Never name the federation service or farm ADFS, or the name of an existing object. This will cause a conflict of the service principal name attribute: the service account must have the ADFS service name as its SPN.

Never expose your ADFS server to the world; that’s what the ADFS Proxy (ADFS 2.x) or Web Application Proxy (ADFS 3.0) is for.

For larger deployments, use a load balancer between proxies and internal ADFS servers.

Enable the relying party trust via PowerShell, don’t manually create it:

# Sign in to Azure AD, point the cmdlets at the ADFS server, then federate the domain
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <FQDN of ADFS Server>
Convert-MsolDomainToFederated -DomainName <Federated domain>

Page 26: Identity Management for Office 365 and Microsoft Azure

Azure Access Control Services

Page 27: Identity Management for Office 365 and Microsoft Azure

What is Azure ACS?

A claims based authentication mechanism that allows application developers to use public authentication providers (e.g. Facebook, Google, Windows Live ID) and organization ADFS for authentication.

Integrates with Windows Identity Foundation, supports OAuth 2.0, and can be used for .NET Framework, PHP, Python, Java and Ruby.

This is primarily used for publicly available web apps and SharePoint sites where you don’t want to manage user accounts but still have people authenticate to use your app.

Setting up ACS for SharePoint 2013: https://technet.microsoft.com/en-us/library/dn635311.aspx

Page 28: Identity Management for Office 365 and Microsoft Azure

Branding

Page 29: Identity Management for Office 365 and Microsoft Azure

Branding the Office 365 Landing Page

In the Azure dashboard -> Active Directory -> Configure, you have the option to customize branding.

You can set up a default branding page, by language, and then add your images, sign-in text, and background colors.

Page 30: Identity Management for Office 365 and Microsoft Azure

Branding the Office 365 Landing Page

Page 31: Identity Management for Office 365 and Microsoft Azure

Branding the ADFS Login Page

The ADFS login page can be branded using two PowerShell commands:

For the logo banner on the right side (240x35px @ 96 dpi):

Set-AdfsWebTheme -TargetName default -Logo @{path='c:\images\logo.png'}

For the image on the left:

Set-AdfsWebTheme -TargetName default -Illustration @{path='c:\images\image.jpg'}

Source: https://technet.microsoft.com/en-us/library/dn280950.aspx

Page 32: Identity Management for Office 365 and Microsoft Azure

Branding the ADFS Login Page

Page 33: Identity Management for Office 365 and Microsoft Azure

BONUS: In the cloud or on prem?

Page 34: Identity Management for Office 365 and Microsoft Azure

Can I set up my directory synchronization and ADFS in the cloud too?

All services can be installed in Azure, so long as you have a VPN to your on-premises environment.

Page 35: Identity Management for Office 365 and Microsoft Azure

Questions?
