Office 365 Identity Management - SMBNation 2015
-
Upload
robert-crane -
Category
Internet
-
view
36 -
download
0
Transcript of Office 365 Identity Management - SMBNation 2015
Office 365 Identity Management
Robert Crane
http://about.me/ciaops
Agenda
• Identity option comparisons
• Online identity
• Synchronised identity
• Federated identity
• Federated Identity set up demo
• Conclusions
1. MS Online IDs
Appropriate for• Smaller orgs without AD on
-premise
Pros• No servers required on-pre
mise
Cons• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud
2. MS Online IDs + DirSync
Appropriate for• Medium/Large orgs with A
D on-premise
Pros• Users and groups mastered
on-premise
• Enables co-existence scenarios
Cons• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Server deployment required
3. Federated IDs + DirSync
Appropriate for• Larger enterprise orgs with
AD on-premise
Pros• SSO with corporate cred
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons• High availability server depl
oyments required
Active DirectoryActive Directory
Online Identity
Cloud identity modelhttp://portal.office.com
Synchronised Identity
Office 365 Identity Models
Directory Sync
• Synchronizes users, groups, and contacts to Windows
Azure AD.
• Users will have a different password in Windows
Azure AD than they have for the on-premises AD.
DEPRECATED
Azure AD Sync tool
• Formerly known as Dirsync, this tool has been
updated to allow for the synchronization of local
Active Directory passwords to Azure Active Directory.
• Also synchronizes users, groups and contacts.
• This new feature will allow for same user sign in with
Microsoft cloud services such as Office 365 powered
by Azure Active Directory since the username and the
password from local AD will be synced up to Azure
AD.
DEPRECATED
Azure AD Connect
Active Directory
Synchronized Identity Model
Password hashes
User accounts
User
Sig
n-o
n
AAD Sync or Connect
On-premises
directory
Before installing Azure AD Connecthttps://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
Active Directory remediation Run IdFix
Verify DNS domains with Office 365 Add these prior to syncing to preserve UPN
Directories other than Active Directory Works with Office 365 – Identity program
One server is most common Domain controller is supported Separate SQL Server is okay up to around 100,000 directory objects You can install to Azure IaaS
Migrating from DirSync or FIM 2010 Upgrade
Forest functional level Windows Server 2003
IdFix – DirSync AD Remediation
What errors does IdFix look for?
Duplicate proxyAddresses
Invalid characters in attributes
Over length attributes
Format errors in attributes
Use of non-routable domains
Blank attribute that requires a value
mailNickName
proxyAddresses
sAMAccountName
targetAddress
userPrincipalName
Install Azure AD Connect
Install the Azure AD Connect
Install the Azure AD Connect
Connect to Azure AD
Connect to on-premises Directories
User (and contact) matching
Filter users and devices
Optional features
Azure AD apps
Azure AD attributes
Configure AAD Connect
Done!
Review the configuration
Installation logs %windir%\temp\aadsync
Synchronization Rules Depending on if Exchange and Skype for Business is present in AD, different rules
will be generated
Depending on Exchange version attributes will be removed as needed
Only selected services will have outbound rules to AAD
Attributes you selected to not be included are removed from the outbound rules to AAD
Introducing the Sync Rule Editor A “Resource Kit Tool” to view, change and add Sync Rules
View the synchronisation
- Passwords synced every 2 minutes
- User attributes synced every 3 hours
- Manual sync via \program
files\microsoft azure ad
sync\bin\directorysyncclientcmd.exe
AAD Connect installation review
Be aware of directory object limits A new tenant can sync up to 50,000 directory objects
Register a vanity domain and it is increased to 300,000 objects
Sync now Expect about 1 hour per 5,000 objects
Password expiry for the sync account
Assign Office 365 licenses
High availability Can Backup and reinstall
Filtering AAD Connect By Domain and OUs
By attributes
Password hash sync security
Password hash AD DS It is not reversible to
get the users password
A Hash Hashes are mathematical
functions that are nearly impossibleto reverse
The result of the hash algorithm iscalled a digest
Additional Processing We further process it with a one way hash SHA256 algorithm Connections are only to the Azure AD service Connections are SSL encrypted
Enables Azure AD to validate the users password when they log in
User
Password On-premises
directory
Federated Identity
Federated identity model
On-premises
directory
AAD Sync
or Connect
Password Sync Backup for Federated Sign-In
This new backup option for Office 365 customers using federated sign-in provides the option to manually switch your domain in a short amount of time during outages such as on- premises power loss, internet connection interruption and any other on-premises outage.
Backup Password Hash Sync
User accounts
AAD Sync
On-premises
directory
Topology
Topology
10.0.0.4
10.0.0.5
DC Azure AD Connect
Sync
ADFS
Certificate
Web Server
PowerShell
1. 2.
10.0.0.4
10.0.0.5 10.32.0.4
DC Azure AD Connect
Sync
ADFS ProxyADFS
10.0.0.X
3.
DEMO
ADFS and SSO
Read all the TechNet Deployment Guidance http://technet.microsoft.com/en-us/library/jj205462.aspx
Only implement the Office 365 requirements The only certificate required is the SSL certificate
Prepare with firewall update permissions
Change between models as needs change
Cloud Identity to Synchronized Identity Deploy Azure AD Connect
Hard match or soft match of users
Synchronized Identity to Federated Identity Deploy AD FS
Can leave password sync enabled as backup
Federated identity to Synchronized Identity PowerShell Convert-MsolDomainToStandard
Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized Identity to Cloud Identity PowerShell Set-MsolDirSyncEnabled
Takes 72 hours and you can monitor with Get-MsolCompanyInformation
Choose the simplest model for your needs
This is Microsoft’s recommendation
Cloud Identity is the simplest model
Choose cloud when You have no on-premises directory
There is on-premises directory restructuring
You are in pilot with Office 365
Choose synchronized identity if you have an on-premises directory
Password hash sync means federation is not required just to have the same password on the cloud
Same sign-on – the username and password is the same in the cloud as on-premises
Single sign-on – you log on to the PC and no password is required for cloud services
Save credentials for later uses Windows Credential Manager
Outlook does not support Single sign-on
Choose password hash sync unless you have one of the scenarios that requires federation
Scenarios for choosing federationExisting infrastructure
1. You already have an AD FS Deployment.
2. You already use a Third Party Federated Identity Provider.
3. You use Forefront Identity Manager.
4. You have an On-Premises Integrated Smart Card or Multi-Factor Authentication (MFA) Solution.
5. Custom Hybrid Applications or Hybrid Search is Required.
6. Web Accessible Forgotten Password Reset.
Scenarios for choosing federationPolicy requirements
7. You Require Sign-In Audit and/or Immediate Disable.
8. Single Sign-On minimizing prompts is Required.
9. Require Client Sign-In Restrictions by Network Location or Work Hours.
10. Policy preventing Synchronizing Password Hashes to Azure AD.
Office 365 federation options
Suitable for medium, large enterprises including educational organizations
Recommended option for Active Directory (AD) based customers
Single sign-on
Support for web and rich clients
Microsoft supported
Works for Office 365 Hybrid Scenarios
Requires on-premises servers, licenses & support
Suitable for medium, large enterprises including educational organizations
Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD
Single sign-on
Support for web and rich clients
Third-party supported
Works for Office 365 Hybrid Scenarios
Requires on-premises servers, licenses & support
Verified through ‘works with Office 365’ program
Suitable for educational organizations
Recommended where customers may use existing non-ADFS Identity systems
Single sign-on
Support for web clients and outlook (ECP) only
Microsoft supported for integration only, no shibboleth deployment support
Requires on-premises servers & support
Works with AD and other directories on-premises
For organizations that need to use SAML 2.0
Recommended where customers may use existing non-ADFS Identity systems
Single sign-on
Support for web clients and outlook (ECP) only
Microsoft supported for integration only, no identity provider deployment support
Requires on-premises servers & support
Works with AD and other directories on-premises
What is it?
Program Requirements
http://aka.ms/ssoproviders
Works with Office 365 – Identity program
Yammer DIRSYNC
Will eventually be replaced with Azure AD Connect
After you set up this integration product, users will be able to be automatically: removed from your Yammer network when you disable them in AD
invited to your Yammer network when you add them to AD
updated with new profile information when you update their attributes in AD
Install a separate syncing program locally and configure http://blog.ciaops.com/2015/06/configuring-yammer-dirsync.html
Not recommended unless you have a specific need
Resources
Summary
Choose the simplest model for your needs
Change between models as needed.
Cloud identity model when there is no on-premises directory.
Synchronized identity model for most organizations.
Federated identity model for specific scenarios.
Federated and synchronised identities require on premise equipment.