Post on 17-Jan-2016
Office 365: Identity and access solutions
• Identity changes for the next major service update
• Microsoft Online cloud IDs
• Federated IDs
• How federated authentication works
• Deployment scenarios

Office 365 Identity features
• Password policy controls for Microsoft Online IDs
• Single sign-on with corporate credentials
• Directory Synchronization updates
• Role-based administration with five administration roles: Company Admin, Billing Admin, User Account Admin, HelpDesk Admin, Service Support Admin
• "Admin on behalf of" for support partners
Identity architecture: Identity options
1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync
3. Federated IDs + DirSync
[Diagram: the customer premises (sample customer "Bronze Sky") hold Active Directory, Directory Sync and an Active Directory Federation Server 2.0 with its IdP directory store. The Microsoft Office 365 Services side holds the identity platform, provisioning platform, authentication platform (IdP), Federation Gateway, Admin Portal and service connector in front of Exchange Online, SharePoint Online and Lync Online. A trust links the customer's AD FS 2.0 server to the Federation Gateway.]
Identity options comparison

1. MS Online IDs
Appropriate for: smaller organizations without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA
• Two sets of credentials to manage, with differing password policies
• Users and groups mastered in the cloud

2. MS Online IDs + Dir Sync
Appropriate for: organizations with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• Two sets of credentials to manage, with differing password policies
• Requires a single server deployment on-premise (for Directory Sync)

3. Federated IDs + Dir Sync
Appropriate for: larger enterprise organizations with AD on-premise
Pros
• SSO with corporate credentials
• Users and groups mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High-availability server deployments required on-premise
Sign On Experience across apps and OSs: Federated vs. Non-Federated Summary
A new "service connector" is needed, primarily for rich clients:
• Installs client and operating system updates to enable the best sign-on experience
• Enables authentication support for rich clients
• Ensures clients have all needed configuration data to enable service usage
Web kiosk scenarios (e.g. OWA) are supported without the service connector.
[Table: credential-prompt behaviour per client (Outlook 2010 on Win 7 and on Vista/XP; Outlook 2007; Outlook Web Application; ActiveSync, POP, IMAP, Entourage; SharePoint Online with Office 2010 or Office 2007 SP2) for Federated IDs on a domain-joined client versus MS Online IDs. Federated, domain-joined clients sign in with AD credentials; MS Online ID clients sign in with the Online ID. Cell values are "No prompt", "Once at setup" or "Each session"; the recoverable cells show no prompt for federated domain-joined Outlook 2010 and OWA, and a prompt each session for OWA with an MS Online ID. The remaining per-cell values were lost in extraction.]
Identity federation details
• Authentication flows
• Deployment scenarios
• Identity federation rollout

Identity Federation: Authentication flow (passive profile)
[Diagram: a client joined to CorpNet, the customer's Active Directory and AD FS 2.0 server, and on the Microsoft Office 365 side the Federation Gateway and Exchange Online. In the passive profile the browser is redirected from the service to the Federation Gateway and on to the customer's AD FS 2.0 server, which authenticates the user against Active Directory and returns a signed token that the browser posts back to the gateway.]

Identity Federation: Authentication flow (active profile)
[Diagram: the same parties. In the active profile a rich client requests the token from the customer's AD FS 2.0 server directly over WS-Trust and then presents it to the Federation Gateway to obtain a service token for Exchange Online.]
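The two flows in the diagrams above, simulated end to end, as an added example that is not code from this deck or from Microsoft. The parties (client, AD FS 2.0 server, Active Directory, Federation Gateway, Exchange Online) follow the diagrams; the dict token layout, the HMAC that stands in for the X.509 XML signature on a real SAML 1.1 token, the issuer and realm strings, and the sample users and passwords are all assumptions made so the example runs offline. The security-relevant check it exercises is that the gateway accepts a partner token only from the AD FS registered for the UPN's own domain, so one customer's AD FS cannot mint tokens for another customer's users.

```python
"""Simulated Office 365 federated sign-in, passive and active profile.
Added example, not from the deck or Microsoft; token format, HMAC "signature",
realm/issuer strings and users are assumptions (see lead-in)."""
import hashlib
import hmac
import json
import time

GATEWAY_REALM = "urn:federation:MicrosoftOnline"  # assumed wtrealm / AppliesTo value
EXCHANGE = "exchange.online"                       # assumed service identifier

def sign(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {**payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key: bytes, token: dict) -> bool:
    unsigned = {k: v for k, v in token.items() if k != "sig"}
    return hmac.compare_digest(sign(key, unsigned)["sig"], token["sig"])

class ADFS:
    """Customer AD FS 2.0: checks credentials against AD (a dict of constructed users)."""
    def __init__(self, issuer: str, ad_users: dict, key: bytes):
        self.issuer, self.ad, self.key = issuer, ad_users, key

    def issue(self, upn: str, audience: str) -> dict:
        return sign(self.key, {"iss": self.issuer, "aud": audience,
                               "upn": upn, "exp": int(time.time()) + 3600})

    def passive_signin(self, wtrealm: str, upn: str, password: str):
        """WS-Federation passive endpoint: the browser arrives here by redirect."""
        return self.issue(upn, wtrealm) if self.ad.get(upn) == password else None

    def wstrust(self, rst: dict) -> dict:
        """WS-Trust active endpoint: a rich client posts an RST carrying credentials."""
        if self.ad.get(rst["username"]) != rst["password"]:
            return {"fault": "FailedAuthentication"}
        return {"RequestedSecurityToken": self.issue(rst["username"], rst["applies_to"])}

class FederationGateway:
    """One trust per federated domain: (AD FS issuer, its verification key)."""
    def __init__(self, key: bytes):
        self.key, self.trusts = key, {}

    def add_trust(self, domain: str, issuer: str, key: bytes) -> None:
        self.trusts[domain.lower()] = (issuer, key)

    def home_realm(self, upn: str):
        """Home realm discovery: the UPN suffix selects the customer's AD FS."""
        return self.trusts.get(upn.rsplit("@", 1)[1].lower(), (None, None))[0]

    def exchange(self, token: dict, service: str) -> dict:
        """Accept a partner token only from the AD FS trusted for the UPN's domain."""
        issuer, key = self.trusts.get(token["upn"].rsplit("@", 1)[1].lower(), (None, None))
        if issuer is None or token["iss"] != issuer or not verify(key, token):
            raise PermissionError("token not from the issuer trusted for this UPN domain")
        if token["aud"] != GATEWAY_REALM or token["exp"] < time.time():
            raise PermissionError("wrong audience or expired token")
        return sign(self.key, {"iss": "gateway", "aud": service,
                               "upn": token["upn"], "exp": token["exp"]})

def open_mailbox(gateway_key: bytes, svc_token: dict) -> str:
    # Exchange Online relying party: trusts only gateway-signed tokens addressed to it.
    if svc_token["aud"] != EXCHANGE or not verify(gateway_key, svc_token):
        raise PermissionError("service token rejected")
    return "mailbox:" + svc_token["upn"]

def passive_profile(gw, adfs_by_issuer, upn, password):
    """Browser: service -> 302 gateway -> HRD -> 302 AD FS -> token POSTed back."""
    issuer = gw.home_realm(upn)
    if issuer is None:
        return "non-federated domain: Online ID password form"
    token = adfs_by_issuer[issuer].passive_signin(GATEWAY_REALM, upn, password)
    if token is None:
        return "AD FS authentication failed"
    return open_mailbox(gw.key, gw.exchange(token, EXCHANGE))

def active_profile(gw, adfs, upn, password):
    """Rich client: RST straight to AD FS; the RSTR token is exchanged at the gateway."""
    rstr = adfs.wstrust({"username": upn, "password": password, "applies_to": GATEWAY_REALM})
    if "fault" in rstr:
        return rstr["fault"]
    return open_mailbox(gw.key, gw.exchange(rstr["RequestedSecurityToken"], EXCHANGE))

def run_demo() -> dict:
    gw = FederationGateway(b"gateway-key")
    contoso = ADFS("http://sts.contoso.com/adfs/services/trust", {"alice@contoso.com": "Pa55w0rd!"}, b"contoso-key")
    fabrikam = ADFS("http://sts.fabrikam.com/adfs/services/trust", {"bob@fabrikam.com": "S3cret!"}, b"fabrikam-key")
    gw.add_trust("contoso.com", contoso.issuer, b"contoso-key")
    gw.add_trust("fabrikam.com", fabrikam.issuer, b"fabrikam-key")
    by_issuer = {contoso.issuer: contoso, fabrikam.issuer: fabrikam}
    results = {
        "passive": passive_profile(gw, by_issuer, "alice@contoso.com", "Pa55w0rd!"),
        "active": active_profile(gw, contoso, "alice@contoso.com", "Pa55w0rd!"),
        "bad_password": active_profile(gw, contoso, "alice@contoso.com", "wrong"),
        "online_id": passive_profile(gw, by_issuer, "carol@tailspin.com", "x"),
    }
    try:  # Fabrikam's AD FS minting a token for a contoso.com UPN must be refused.
        gw.exchange(fabrikam.issue("alice@contoso.com", GATEWAY_REALM), EXCHANGE)
        results["cross_domain"] = "accepted"
    except PermissionError:
        results["cross_domain"] = "rejected"
    return results
```

Call `run_demo()` to see all five outcomes; `passive` and `active` both end in the same mailbox because the gateway, not the customer's AD FS, is the only issuer Exchange Online trusts, and `cross_domain` is rejected because the trust lookup is keyed on the UPN suffix rather than on whatever issuer the token claims.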
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)
[Diagram: internal users authenticate to the AD FS 2.0 servers on the internal network, backed by Active Directory; AD FS 2.0 proxy servers in the enterprise DMZ front the farm for offsite users.]
Piloting and rolling out identity federation
Starting out with a production federated domain: rollout of identity federation to the organization can be staged.
Starting out with a production standard domain (running Directory Sync) containing production licensed users:
• Domain conversion (to federated) is a big switch. Piloting or rolling out identity federation in a staged fashion to an existing production standard domain is not possible.
• However, piloting with production users is possible. It requires a federated test domain and changing the pilot users' UPNs to that domain.
Identity Details
Microsoft Office 365 Services requirements
• Identity federation supported initially only through AD FS 2.0
• MS Online business scenarios always use WS-*; WS-Trust provides support for rich client authentication
• Protocols supported: WS-*, SAML 1.1; SAML 2.0 coming later (with Shibboleth support)
• Strong authentication solutions for web applications: via the AD FS proxy sign-in page or UAG SP1
Customer AD Structures
• Matching domains: internal domain and external domain are the same (e.g. contoso.com)
• Sub domain: internal domain is a sub domain of the external domain (e.g. corp.contoso.com)
• Local domain: internal domain is not publicly "registered" (e.g. contoso.local)
• Multiple distinct login domains: e.g. a mix of users having login UPNs under contoso.com and fabrikam.com
• Multi forest: not currently supported

Active Directory Considerations
• Matching domain: no special requirements
• Sub domain: requires that domains be registered in order, primary then sub domains
• Local domain: the domain cannot be registered and thus cannot be used for federation; requires all users to get a new UPN
• Multiple distinct domains: requires deployment of separate AD FS 2.0 servers per distinct domain

General Rules
• Every user must have a UPN
• UPNs must match a validated domain in Office 365
• Users may need to understand that they must use their UPN to log on to Office 365
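A pre-flight check that applies the AD structure rules and the general rules above to a user export before Directory Sync or domain conversion, as an added example that is not Microsoft tooling or code from this deck. The sample users and domains are constructed; the list of non-registrable suffixes (only .local, the deck's own example) and the rule that a sub domain of a validated parent rides on the parent's AD FS trust rather than needing its own server are assumptions. The same suffix rewrite is what the piloting slide requires when pilot users are moved to a federated test domain, so a helper for that is included.

```python
"""Federation readiness checks for AD users. Added example (not Microsoft tooling);
sample data, the NON_REGISTRABLE list and the parent-domain rule are assumptions."""
from typing import Optional

NON_REGISTRABLE = (".local",)  # assumption: extend with other internal-only suffixes

def classify(internal: str, external: str) -> str:
    """Which of the deck's four AD structures does an internal/external pair fall into?"""
    internal, external = internal.lower(), external.lower()
    if internal == external:
        return "matching"
    if internal.endswith("." + external):
        return "subdomain"
    if internal.endswith(NON_REGISTRABLE):
        return "local"
    return "distinct"

def registration_order(domains) -> list:
    """Validate parents before their sub domains: fewer labels come first."""
    return sorted({d.lower() for d in domains}, key=lambda d: (d.count("."), d))

def federation_root(suffix: str, validated: set) -> Optional[str]:
    """The topmost validated domain a UPN suffix sits under (assumption: a sub domain
    uses its validated parent's AD FS trust). None if nothing validated matches."""
    labels = suffix.lower().split(".")
    for i in range(len(labels) - 2, -1, -1):   # shortest candidate first
        candidate = ".".join(labels[i:])
        if candidate in validated:
            return candidate
    return None

def check_users(users, validated, external):
    """users: (sAMAccountName, UPN or None) pairs. Returns (findings, AD FS roots).
    One AD FS 2.0 deployment is needed per distinct root in the returned set."""
    validated = {d.lower() for d in validated}
    findings, roots = [], set()
    for sam, upn in users:
        if not upn or "@" not in upn:
            findings.append((sam, f"no usable UPN; assign {sam}@{external}"))
            continue
        local, suffix = upn.rsplit("@", 1)
        suffix = suffix.lower()
        if suffix.endswith(NON_REGISTRABLE):
            findings.append((sam, f"{suffix} cannot be validated; new UPN {local}@{external}"))
            continue
        root = federation_root(suffix, validated)
        if root is None:
            findings.append((sam, f"{suffix} is not a validated Office 365 domain"))
            continue
        roots.add(root)
    return findings, roots

def pilot_upns(users, test_domain: str) -> list:
    """Pilot users move to the federated test domain by changing their UPN suffix."""
    return [(sam, f"{upn.split('@')[0]}@{test_domain}") for sam, upn in users if upn]

SAMPLE_USERS = [  # constructed test data
    ("alice", "alice@contoso.com"),
    ("bob", "bob@corp.contoso.com"),
    ("carol", "carol@fabrikam.com"),
    ("dave", "dave@contoso.local"),
    ("erin", None),
    ("frank", "frank@tailspin.com"),
]
VALIDATED = {"contoso.com", "corp.contoso.com", "fabrikam.com"}  # validated in Office 365

if __name__ == "__main__":
    print("register in this order:", registration_order(VALIDATED))
    findings, roots = check_users(SAMPLE_USERS, VALIDATED, "contoso.com")
    for sam, problem in findings:
        print(f"{sam}: {problem}")
    print(len(roots), "AD FS 2.0 deployment(s) needed:", sorted(roots))
    print("pilot UPNs:", pilot_upns(SAMPLE_USERS[:1], "pilot.contoso.com"))
```

Run it against a CSV export of sAMAccountName and userPrincipalName and fix every finding before enabling Directory Sync; the root count tells you how many separate AD FS 2.0 deployments the "multiple distinct domains" rule will cost you.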
Resources
Read more about Microsoft Online Services – www.microsoft.com/online
Learn about the next release of BPOS, the Microsoft Office 365 Suite – http://office365.microsoft.com

Continue the conversation
Microsoft Online Services Team Blog – http://blogs.technet.com/msonline
Facebook Fan Page – http://www.facebook.com/MicrosoftOnlineServices
YouTube Channel – http://www.youtube.com/user/msonlineservices
Twitter – http://twitter.com/msonline
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.