Office 365 Identity Management

Robert Crane

http://about.me/ciaops

Agenda

• Identity option comparisons

• Online identity

• Synchronised identity

• Federated identity

• Federated Identity set up demo

• Conclusions

1. MS Online IDs

Appropriate for• Smaller orgs without AD on

-premise

Pros• No servers required on-pre

mise

Cons• No SSO

• No 2FA

• 2 sets of credentials to manage with differing password policies

• IDs mastered in the cloud

2. MS Online IDs + DirSync

Appropriate for• Medium/Large orgs with A

D on-premise

Pros• Users and groups mastered

on-premise

• Enables co-existence scenarios

Cons• No SSO

• No 2FA

• 2 sets of credentials to manage with differing password policies

• Server deployment required

3. Federated IDs + DirSync

Appropriate for• Larger enterprise orgs with

AD on-premise

Pros• SSO with corporate cred

• IDs mastered on-premise

• Password policy controlled on-premise

• 2FA solutions possible

• Enables co-existence scenarios

Cons• High availability server depl

oyments required

Active DirectoryActive Directory

Online Identity

Cloud identity modelhttp://portal.office.com

Synchronised Identity

Office 365 Identity Models

Directory Sync

• Synchronizes users, groups, and contacts to Windows

Azure AD.

• Users will have a different password in Windows

Azure AD than they have for the on-premises AD.

DEPRECATED

Azure AD Sync tool

• Formerly known as Dirsync, this tool has been

updated to allow for the synchronization of local

Active Directory passwords to Azure Active Directory.

• Also synchronizes users, groups and contacts.

• This new feature will allow for same user sign in with

Microsoft cloud services such as Office 365 powered

by Azure Active Directory since the username and the

password from local AD will be synced up to Azure

AD.

DEPRECATED

Azure AD Connect

Active Directory

Synchronized Identity Model

Password hashes

User accounts

User

Sig

n-o

n

AAD Sync or Connect

On-premises

directory

Before installing Azure AD Connecthttps://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/

Active Directory remediation Run IdFix

Verify DNS domains with Office 365 Add these prior to syncing to preserve UPN

Directories other than Active Directory Works with Office 365 – Identity program

One server is most common Domain controller is supported Separate SQL Server is okay up to around 100,000 directory objects You can install to Azure IaaS

Migrating from DirSync or FIM 2010 Upgrade

Forest functional level Windows Server 2003

IdFix – DirSync AD Remediation

What errors does IdFix look for?

Duplicate proxyAddresses

Invalid characters in attributes

Over length attributes

Format errors in attributes

Use of non-routable domains

Blank attribute that requires a value

mailNickName

proxyAddresses

sAMAccountName

targetAddress

userPrincipalName

Install Azure AD Connect

Install the Azure AD Connect

Install the Azure AD Connect

Connect to Azure AD

Connect to on-premises Directories

User (and contact) matching

Filter users and devices

Optional features

Azure AD apps

Azure AD attributes

Configure AAD Connect

Done!

Review the configuration

Installation logs %windir%\temp\aadsync

Synchronization Rules Depending on if Exchange and Skype for Business is present in AD, different rules

will be generated

Depending on Exchange version attributes will be removed as needed

Only selected services will have outbound rules to AAD

Attributes you selected to not be included are removed from the outbound rules to AAD

Introducing the Sync Rule Editor A “Resource Kit Tool” to view, change and add Sync Rules

View the synchronisation

- Passwords synced every 2 minutes

- User attributes synced every 3 hours

- Manual sync via \program

files\microsoft azure ad

sync\bin\directorysyncclientcmd.exe

AAD Connect installation review

Be aware of directory object limits A new tenant can sync up to 50,000 directory objects

Register a vanity domain and it is increased to 300,000 objects

Sync now Expect about 1 hour per 5,000 objects

Password expiry for the sync account

Assign Office 365 licenses

High availability Can Backup and reinstall

Filtering AAD Connect By Domain and OUs

By attributes

Password hash sync security

Password hash AD DS It is not reversible to

get the users password

A Hash Hashes are mathematical

functions that are nearly impossibleto reverse

The result of the hash algorithm iscalled a digest

Additional Processing We further process it with a one way hash SHA256 algorithm Connections are only to the Azure AD service Connections are SSL encrypted

Enables Azure AD to validate the users password when they log in

User

Password On-premises

directory

Federated Identity

Federated identity model

On-premises

directory

AAD Sync

or Connect

Password Sync Backup for Federated Sign-In

This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on- premises power loss, internet connection interruption and any other on-premises outage.

Backup Password Hash Sync

User accounts

AAD Sync

On-premises

directory

Topology

Topology

10.0.0.4

10.0.0.5

DC Azure AD Connect

Sync

ADFS

Certificate

Web Server

PowerShell

1. 2.

10.0.0.4

10.0.0.5 10.32.0.4

DC Azure AD Connect

Sync

ADFS ProxyADFS

10.0.0.X

3.

DEMO

ADFS and SSO

Read all the TechNet Deployment Guidance http://technet.microsoft.com/en-us/library/jj205462.aspx

Only implement the Office 365 requirements The only certificate required is the SSL certificate

Prepare with firewall update permissions

Change between models as needs change

Cloud Identity to Synchronized Identity Deploy Azure AD Connect

Hard match or soft match of users

Synchronized Identity to Federated Identity Deploy AD FS

Can leave password sync enabled as backup

Federated identity to Synchronized Identity PowerShell Convert-MsolDomainToStandard

Takes 2 hours plus 1 additional hour per 2,000 users

Synchronized Identity to Cloud Identity PowerShell Set-MsolDirSyncEnabled

Takes 72 hours and you can monitor with Get-MsolCompanyInformation

Choose the simplest model for your needs

This is Microsoft’s recommendation

Cloud Identity is the simplest model

Choose cloud when You have no on-premises directory

There is on-premises directory restructuring

You are in pilot with Office 365

Choose synchronized identity if you have an on-premises directory

Password hash sync means federation is not required just to have the same password on the cloud

Same sign-on – the username and password is the same in the cloud as on-premises

Single sign-on – you log on to the PC and no password is required for cloud services

Save credentials for later uses Windows Credential Manager

Outlook does not support Single sign-on

Choose password hash sync unless you have one of the scenarios that requires federation

Scenarios for choosing federationExisting infrastructure

1. You already have an AD FS Deployment.

2. You already use a Third Party Federated Identity Provider.

3. You use Forefront Identity Manager.

4. You have an On-Premises Integrated Smart Card or Multi-Factor Authentication (MFA) Solution.

5. Custom Hybrid Applications or Hybrid Search is Required.

6. Web Accessible Forgotten Password Reset.

Scenarios for choosing federationPolicy requirements

7. You Require Sign-In Audit and/or Immediate Disable.

8. Single Sign-On minimizing prompts is Required.

9. Require Client Sign-In Restrictions by Network Location or Work Hours.

10. Policy preventing Synchronizing Password Hashes to Azure AD.

Office 365 federation options

Suitable for medium, large enterprises including educational organizations

Recommended option for Active Directory (AD) based customers

Single sign-on

Support for web and rich clients

Microsoft supported

Works for Office 365 Hybrid Scenarios

Requires on-premises servers, licenses & support

Suitable for medium, large enterprises including educational organizations

Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD

Single sign-on

Support for web and rich clients

Third-party supported

Works for Office 365 Hybrid Scenarios

Requires on-premises servers, licenses & support

Verified through ‘works with Office 365’ program

Suitable for educational organizations

Recommended where customers may use existing non-ADFS Identity systems

Single sign-on

Support for web clients and outlook (ECP) only

Microsoft supported for integration only, no shibboleth deployment support

Requires on-premises servers & support

Works with AD and other directories on-premises

For organizations that need to use SAML 2.0

Recommended where customers may use existing non-ADFS Identity systems

Single sign-on

Support for web clients and outlook (ECP) only

Microsoft supported for integration only, no identity provider deployment support

Requires on-premises servers & support

Works with AD and other directories on-premises

What is it?

Program Requirements

http://aka.ms/ssoproviders

Works with Office 365 – Identity program

Yammer DIRSYNC

Will eventually be replaced with Azure AD Connect

After you set up this integration product, users will be able to be automatically: removed from your Yammer network when you disable them in AD

invited to your Yammer network when you add them to AD

updated with new profile information when you update their attributes in AD

Install a separate syncing program locally and configure http://blog.ciaops.com/2015/06/configuring-yammer-dirsync.html

Not recommended unless you have a specific need

Resources

Summary

Choose the simplest model for your needs

Change between models as needed.

Cloud identity model when there is no on-premises directory.

Synchronized identity model for most organizations.

Federated identity model for specific scenarios.

Federated and synchronised identities require on premise equipment.

QUESTIONS / FEEDBACK?

director@ciaops.com

@directorcia