Microsoft O365 identity and authentication

Post on 12-Feb-2016




Peter Ginnegar
Technical Solution Professional
Microsoft Corporation

Peter.Ginnegar@Microsoft.com

Topics
- Office 365 identity models
- Identity overview
- IdFix Tool (demo)
- O365 Directory Synchronization (demo)
- Active Directory Federation Services
- O365 Multifactor Authentication (demo)

O365 Active Directory
• What is O365 Active Directory?
- O365 uses Windows Azure Active Directory

• What services are provided by Windows Azure Active Directory?
- Provides authentication, synchronization and federation services.
- An identity management system spanning cloud and on-premises.

• What systems make up a typical O365 Active Directory?
- On-premises Active Directory servers and Windows Azure Active Directory.

Identity management

What is identity management?
“Identity management deals with identifying individuals in a system and controlling access to the resources in that system.”

What are the major components of identity management?
Authentication – Verifying that a user, device, or application is the entity that it claims to be.
Authorization – Determining which actions an authenticated entity is authorized to perform on the network.

Office 365 identity models

Office 365 identity Models

Cloud identity model

Synchronized accounts identity model

Federated identity model

Federated identity model - multiple forests

Third party federated model

Federation Terms - SSO
What is SSO?

Single Sign-On (SSO) is the ability for two disjoint providers to trust each other such that a user logged on to one does not need to log in again to the second.

Authentication types
Passive authentication – Web based
- SharePoint Online, Outlook Web Access

Active authentication – Office 365 client services that use the Sign-In Assistant, including Lync, Office 365 ProPlus, Word, Excel, Visio, PowerPoint, and PowerShell access to O365.

Proxy authentication – Required for Outlook and ActiveSync clients.
- Username and password are proxied through Exchange Online, which uses WS-Trust or SAML ECP to authenticate.

Federation protocols
WS-* – Supported by AD FS and works with Office 365
- Passive authentication – WS-Federation
- Active authentication – WS-Trust
- Exchange Online uses WS-Trust

Shibboleth – An open source federated provider based on SAML
- Passive authentication only (web forms)
- Exchange Online supports SAML 2.0 and ECP.

Federation Terms - WS-*
What is WS-Federation? WS-Federation is a protocol used for web browser based authentication.

What is WS-Trust? WS-Trust is a protocol used by Office rich client applications to authenticate (Sign-In Assistant).

Federation Terms - SAML
What is SAML? (Security Assertion Markup Language)

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information

Developed by the Security Services Technical Committee of OASIS
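The checks a relying party has to run on a SAML assertion before trusting the claims in it, as an added example that is not from the presentation and not Microsoft's or OASIS's code. The assertion is constructed for this example; the issuer URL, user names and ImmutableID value are placeholders, and the audience and claim URIs are the ones an Office 365 federation trust uses, assumed here. The example covers issuer, validity window and audience restriction plus claim extraction; XML signature verification is out of scope for the snippet and is mandatory in any real relying party.

```python
"""Validate a SAML 2.0 assertion the way a relying party must before trusting it."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Expected trust parameters (assumed values for this example).
EXPECTED_ISSUER = "http://adfs.contoso.example/adfs/services/trust"
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"

# Constructed sample assertion; names, times and the ImmutableID are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example1" Version="2.0"
    IssueInstant="2016-02-12T10:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-02-12T10:00:00Z" NotOnOrAfter="2016-02-12T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2016-02-12T09:59:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{UPN_CLAIM}"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{IMMUTABLE_ID_CLAIM}"><saml:AttributeValue>AAAAAAAAAAAAAAAAAAAAAA==</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """SAML timestamps are UTC, e.g. 2016-02-12T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_utc, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return (ok, problems, claims) for an assertion evaluated at time now_utc.

    Checks issuer, validity window and audience restriction, then extracts the
    NameID and attribute claims. Signature verification is deliberately not done
    here; a real relying party rejects any unsigned or badly signed assertion.
    """
    root = ET.fromstring(xml_text)
    now = _parse_time(now_utc)
    problems = []

    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("issuer mismatch")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after is None or now >= _parse_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("audience mismatch")

    claims = {"NameID": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return (not problems, problems, claims)


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "2016-02-12T10:02:00Z"))
```

The five-minute window in the constructed assertion is why clock skew between AD FS and the cloud service breaks sign-in: an assertion evaluated one second before NotBefore or at NotOnOrAfter is rejected outright.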

Directory Sync Tool or Active Directory Federation Services

Password Sync vs. SSO with AD FS - comparison points
- Same password to access resources
- Can control password policies on-premises
- Support for two-factor authentication
- No password re-entry if on premises
- Client access filtering by IP or by time schedule
- Authentication occurs on-premises; can immediately block disabled accounts
- Change password available from web
- Works with Forefront Identity Manager

Identity Overview

Identities in Active Directory

IdFix Tool – Directory Remediation

Office 365 IdFix Tool Provides the ability to identify and remediate object synchronization issues in preparation for O365

Users Groups Contacts

Office 365 IdFix Tool
Important attributes that are updated by the IdFix Tool for O365 identity synchronization:
- displayName
- givenName
- mail
- mailNickname
- proxyAddresses
- targetAddress
- sn
- sAMAccountName
- userPrincipalName

Office 365 IdFix Tool

• Query user identities
• Identify attribute and issue
• Take action to correct
• Apply changes
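The query-identify-correct workflow above, as an added example that is not the IdFix tool and not code from the presentation: constructed user records are checked for the kinds of findings the tool reports (blank, character, duplicate, format, length, top-level domain) against the attributes listed on the previous slide. The length limits, the invalid-character set and the list of non-routable top-level domains are assumptions for illustration; the tool's own rule set is authoritative.

```python
"""IdFix-style checks on directory objects before synchronization to O365."""
import re

# Assumed per-attribute length limits (illustrative; the tool's rules are authoritative).
MAX_LENGTH = {"displayName": 256, "givenName": 64, "sn": 64, "mail": 256,
              "mailNickname": 64, "sAMAccountName": 20, "userPrincipalName": 113}
REQUIRED = ("displayName", "sAMAccountName", "userPrincipalName")
UNIQUE = ("mail", "userPrincipalName", "sAMAccountName")
# Characters that are not valid in a mail nickname (assumed set).
BAD_NICKNAME_CHARS = re.compile(r'[\s@()\[\]\\;:",<>]')
# user@domain.tld with a sane domain part.
UPN_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
NON_ROUTABLE_TLDS = {"local", "internal", "lan"}  # assumed; not routable from the cloud

# Constructed records, not real accounts.
SAMPLE_OBJECTS = [
    {"dn": "CN=Alice,OU=Users,DC=contoso,DC=local", "displayName": "Alice Adams",
     "givenName": "Alice", "sn": "Adams", "mail": "alice@contoso.example",
     "mailNickname": "alice", "sAMAccountName": "alice",
     "userPrincipalName": "alice@contoso.example",
     "proxyAddresses": ["SMTP:alice@contoso.example"]},
    {"dn": "CN=Bob,OU=Users,DC=contoso,DC=local", "displayName": "Bob Brown ",
     "givenName": "Bob", "sn": "Brown", "mail": "bob@contoso.example",
     "mailNickname": "bob brown", "sAMAccountName": "bob",
     "userPrincipalName": "bob@contoso.local",
     "proxyAddresses": ["SMTP:bob@contoso.example", "smtp:alice@contoso.example"]},
    {"dn": "CN=Carol,OU=Users,DC=contoso,DC=local", "displayName": "",
     "sAMAccountName": "carol", "userPrincipalName": "carol.contoso.example"},
]


def _unique_keys(obj):
    """(label, normalized value) pairs that must not repeat across the directory."""
    for attr in UNIQUE:
        if obj.get(attr):
            yield attr, obj[attr].lower()
    for addr in obj.get("proxyAddresses", []):
        # "SMTP:" (primary) and "smtp:" (alias) prefixes share one address namespace.
        yield "proxyAddresses", addr.split(":", 1)[-1].lower()


def check_objects(objects):
    """Return a list of (dn, attribute, error_type) findings, IdFix-style."""
    errors = []
    owner = {}  # (label, value) -> dn of the first object seen with that value
    for obj in objects:
        dn = obj["dn"]
        for attr, limit in MAX_LENGTH.items():
            val = obj.get(attr)
            if not val:
                if attr in REQUIRED:
                    errors.append((dn, attr, "blank"))
                continue
            if val != val.strip():
                errors.append((dn, attr, "character"))  # leading/trailing whitespace
            if len(val) > limit:
                errors.append((dn, attr, "length"))
        nick = obj.get("mailNickname")
        if nick and BAD_NICKNAME_CHARS.search(nick):
            errors.append((dn, "mailNickname", "character"))
        upn = obj.get("userPrincipalName")
        if upn:
            if not UPN_RE.match(upn):
                errors.append((dn, "userPrincipalName", "format"))
            elif upn.rsplit(".", 1)[1].lower() in NON_ROUTABLE_TLDS:
                errors.append((dn, "userPrincipalName", "topleveldomain"))
        for label, value in _unique_keys(obj):
            first = owner.setdefault((label, value), dn)
            if first != dn:
                errors.append((dn, label, "duplicate"))
    return errors


if __name__ == "__main__":
    for finding in check_objects(SAMPLE_OBJECTS):
        print(finding)
```

The duplicate check is the one that needs the whole directory in view: Bob's alias address collides with Alice's primary address even though each object looks fine on its own, which is why remediation has to be run over the full set of objects in scope for synchronization rather than object by object.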

Office 365 Directory Synchronization

Office 365 Directory Synchronization components
- Windows Azure AD (O365 identities)
- On-premises Active Directory (local identities)
- Directory Synchronization Tool
- User account attributes
- User and group synchronization
- SourceAnchor, msDS-CloudAnchor (Windows 2012 R2)

Office 365 DirSync workflow
Authentication

O365 Synchronization results
- Accounts are still separate
- O365 services are accessed using cloud identity
- Password sync is enabled
- Password stored in double hashed format
- Not a true Single Sign-On solution
- Can be used as a backup to a federated service solution

Windows Azure Active Directory Sync Tool
- Synchronizes on-premises Active Directory accounts to Windows Azure Active Directory.
- Synchronizes passwords (double hashed)
- Synchronization of accounts occurs every 3 hours
- Can force synchronization using a PowerShell command
- SQL Express database (10 GB)
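What "double hashed" password synchronization means in practice, as an added example that is not Microsoft's implementation and not code from the presentation: the on-premises directory stores a one-way hash of the password (stage 1), the sync agent ships a salted, iterated hash of that hash (stage 2) rather than the stage-1 value, and the cloud side verifies a clear-text sign-in by recomputing both stages. SHA-256 stands in for the on-premises hash algorithm and the iteration count is an assumption; only the layering is the point.

```python
"""Two-stage ("double hashed") password synchronization model, illustrative only."""
import hashlib
import hmac
import os

STAGE2_ITERATIONS = 1000  # assumed value for illustration


def on_prem_hash(password):
    """Stage 1: what the on-premises directory stores (SHA-256 is a stand-in here)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_record(stage1, salt=b""):
    """Stage 2: what the sync agent sends to the cloud directory.

    The stage-1 hash is the *input* to a salted PBKDF2, so the synced value
    cannot be replayed as the on-premises hash and cannot be reversed to it.
    """
    salt = salt or os.urandom(16)
    stage2 = hashlib.pbkdf2_hmac("sha256", stage1, salt, STAGE2_ITERATIONS)
    return {"salt": salt, "iterations": STAGE2_ITERATIONS, "hash": stage2}


def cloud_verify(record, password):
    """Cloud sign-in: the user types the clear-text password, the service recomputes both stages."""
    candidate = hashlib.pbkdf2_hmac("sha256", on_prem_hash(password),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    record = sync_record(on_prem_hash("Example-Passw0rd"))  # constructed password
    print("correct password accepted:", cloud_verify(record, "Example-Passw0rd"))
    print("wrong password accepted:  ", cloud_verify(record, "wrong"))
```

Because verification in the cloud needs the clear-text password at sign-in time, this is authentication by the cloud service against a synced credential, not single sign-on: the on-premises directory is not consulted, which is also why a disabled on-premises account stays usable until the next synchronization cycle propagates the change.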

Azure AD Sync Services (Preview) Azure AD Sync Services is a new identity sync tool that provides customers with the ability to sync identity information from complex AD environments (i.e. multi-forest) and other identity directories

http://go.microsoft.com/?linkid=9845645

Demo
- IdFix tool
- Office 365 DirSync Tool

Active Directory Federation

Active Directory Federation Services Active Directory Federation Services (AD FS) 2.x provides access to applications and other systems with an open and interoperable claims-based model

The AD FS 2.x platform provides Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

Web Application Proxy can use AD FS for pre-authentication.

Unauthenticated client requests are redirected to the AD FS server for authentication and authorization before forwarding the request to the published web application.

O365 Active Directory Federated Service

ADFS and SSO with Online Services

Federated Trust

O365 Multifactor authentication

What is Multifactor Authentication?
An approach to authentication which requires the presentation of two or more authentication factors.

Two-factor authentication seeks to decrease the probability that the requester is presenting false evidence of its identity.

What components make up multifactor authentication?
Two-factor authentication requires the use of two of the three authentication factors.
- Phone call
- SMS text message (one-time passcode)
- Software token
- Hardware token

Multi-factor authentication using any Phone

O365 Multi-factor authentication administration

Office 365 User Setup for MFA

O365 App Password
- Mobile apps
- End user self service
- Each user can have up to 40 app passwords

O365 App Passwords for Rich Client Applications

• End user self service
• Each user can have up to 40 app passwords
• 16 characters, randomly generated once

Multifactor Authentication for Office 365
Multifactor Authentication Features

Administrators can Enable and Enforce Multifactor authentication for O365 users

Use mobile app (online and OTP) as a second authentication factor

Use phone call as a second authentication factor

Use SMS as a second authentication factor

App password for non-browser clients (e.g. Outlook and Lync)

Default Microsoft greeting during authentication phone calls.

O365 user setup

MFA Demo

Topics Office 365 identity models Identity overview IdFix Tool (demo) O365 Directory Synchronization (demo) Active Directory Federation Services O365 Multifactor Authentication (demo)

Thank You