Active Directory Integration with Microsoft Office 365
Ross Adams, Senior Program Manager, Microsoft Corporation
Session OSP321 (transcript of the slide deck)
Session Objectives
• Architecture for Office 365 and other services
• Integration options
• Planning for directory integration
• Single sign-on experience
• How single sign-on works
• Options for strong authentication
Windows Azure Active Directory
Password policy controls for cloud accounts:
• Passwords can be set to never expire
• Password complexity can be turned off
• Custom password policies for expiry and notification
Single sign-on with corporate credentials
Role-based administration, five administration roles:
• Company Admin
• Billing Admin
• User Account Admin
• Help Desk Admin
• Service Support Admin
Windows Azure Active Directory Provisioning
Manual
• Simple web-based user interface
• Bulk import of users
• Best for small customers
Scriptable
• PowerShell module for Windows
• Programmable: new REST-based API
• Limited attribute set / object types
Automated
• Directory Synchronization with delta sync
• Full fidelity of attributes and object types
• Optimized for large object sets
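The scriptable provisioning path and the password-policy controls above, as an added example written for this transcript (not code from the deck). It uses the MSOnline PowerShell module that the deck refers to, assumes Connect-MsolService has already been run by an administrator, and makes up the user list, the domain name and the license SKU identifier (check yours with Get-MsolAccountSku). Besides creating the accounts, it reports any cloud account where the two password controls the deck mentions (never expire, complexity off) have been relaxed, and who holds each administration role.

```powershell
# Added example, not part of the original deck. Assumes: MSOnline module installed,
# Connect-MsolService already run, domain contoso.com verified, SKU name as shown.
Import-Module MSOnline

# Constructed sample input; in practice this would be Import-Csv .\new-users.csv
$newUsers = @(
    [pscustomobject]@{ Upn = 'alice@contoso.com'; First = 'Alice'; Last = 'Adams'; Country = 'GB' },
    [pscustomobject]@{ Upn = 'bob@contoso.com';   First = 'Bob';   Last = 'Brown'; Country = 'GB' }
)
$sku = 'contoso:ENTERPRISEPACK'   # assumption; list real values with Get-MsolAccountSku

foreach ($u in $newUsers) {
    # Keep complexity enforced and force a change at first sign-in. -PasswordNeverExpires is
    # deliberately not set, so the tenant expiry policy below applies to the account.
    $created = New-MsolUser -UserPrincipalName $u.Upn `
        -DisplayName "$($u.First) $($u.Last)" -FirstName $u.First -LastName $u.Last `
        -UsageLocation $u.Country -LicenseAssignment $sku `
        -StrongPasswordRequired $true -ForceChangePassword $true
    # The generated temporary password is returned once; hand it over out of band.
    $created | Select-Object UserPrincipalName, Password
}

# Custom expiry/notification policy for the verified domain (values in days)
Set-MsolPasswordPolicy -DomainName 'contoso.com' -ValidityPeriod 90 -NotificationDays 14

# Audit: cloud accounts where either password control has been relaxed
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -or -not $_.StrongPasswordRequired } |
    Select-Object UserPrincipalName, PasswordNeverExpires, StrongPasswordRequired

# Audit: membership of every administration role
foreach ($role in Get-MsolRole) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object @{ n = 'Role'; e = { $role.Name } }, EmailAddress, RoleMemberType
}
```

Because cloud-mastered accounts (option 1 in the comparison later in the deck) live only under these controls, the two audits are the practical check that no account has silently opted out of the tenant password policy and that the Company Admin role has not accumulated members.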
Architecture and Integration Options
1. No integration
2. Directory data only
3. Directory and single sign-on (SSO)
(Architecture diagram) Contoso customer premises: Active Directory (AD DS), Directory Sync, and an Active Directory Federation Server 2.0 acting as the identity provider (IdP) over its directory store, with a trust to Office 365. Microsoft Online Services: Windows Azure Active Directory with its provisioning platform and authentication platform, the Admin Portal / PowerShell, and the Office subscription services Exchange Online, SharePoint Online and Lync Online; Office 365 Desktop Setup runs on the client.
Why Directory and SSO Integration
• Single place for management: users and groups (including security groups), passwords, password policies
• Support for enterprise single sign-on
• Support for hybrid environments for services such as Exchange Online
• Options for strong authentication (e.g. smart cards)
Integration Comparison
1. No Integration
Appropriate for: smaller organizations without AD on-premises
Pros: no servers required on-premises
Cons: no SSO; no 2FA; two sets of credentials to manage, with differing password policies; IDs mastered in the cloud

2. Directory Only
Appropriate for: medium/large organizations with AD on-premises
Pros: users and groups mastered on-premises; enables co-existence scenarios
Cons: no SSO; no 2FA; two sets of credentials to manage, with differing password policies; a single-server deployment is required

3. Directory and SSO
Appropriate for: larger enterprise organizations with AD on-premises
Pros: SSO with corporate credentials; IDs mastered on-premises; password policy controlled on-premises; 2FA solutions possible; enables hybrid scenarios; location isolation
Cons: high-availability server deployments required
General Integration Requirements
• Active Directory forest functional level: Windows Server 2003 or above
• Windows Server 2008 for AD FS 2.0 and SSO
• Windows Server 2003 or above for Directory Synchronization
• 32-bit (Windows Server 2003) is deprecated; 64-bit (Windows Server 2008 and above) is recommended
• Virtualization is supported
• Single forest; multiple domains in a single forest are supported
• Multi-forest support through a Premier engagement
Preparing for Directory Integration and SSO
• Design for high availability of the AD FS 2.0 service
• Every user must have a UPN
• The UPN suffix must match a validated domain in Office 365
• UPN character restrictions: only letters, numbers and . - _ ! # ^ ~ are allowed, and there must be no dot immediately before the @ symbol
• Users must use their UPN to log on to Office 365 applications
• The Office 365 Deployment Readiness Tool checks all of these and more
Directory Integration Validations
Licensed users
• All proxy addresses (SMTP/SIP) must be against a verified domain; addresses on unverified domains are dropped during licensing
• The UPN is not updated automatically for cloud-ID-based users: it must be updated manually, but it updates automatically when the domain is converted to single sign-on
Unlicensed users
• SMTP proxy addresses can be against non-verified domains
• SIP addresses must match a verified domain and are dropped if not valid
• Verifying the domain after sync adds the removed proxy addresses back (background process)
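A pre-sync readiness check for the UPN rules (previous slide) and the proxy-address rules (this slide), as an added example written for this transcript; it is not the Deployment Readiness Tool and not code from the deck. The rules implemented are exactly the ones stated above. The verified-domain list, user names and addresses are constructed so the script runs offline; against a real forest the sample would be replaced by Get-ADUser output and the domain list by (Get-MsolDomain -Status Verified).Name.

```powershell
# Added example, not part of the original deck. All names and domains are made up.
$verifiedDomains = @('contoso.com', 'fabrikam.com')   # constructed; real: (Get-MsolDomain -Status Verified).Name

function Test-O365Upn {
    param([string]$Upn, [string[]]$VerifiedDomains)
    if ([string]::IsNullOrEmpty($Upn)) { return @('UPN is empty (every user must have one)') }
    $parts = $Upn -split '@'
    if ($parts.Count -ne 2) { return @("UPN '$Upn' must contain exactly one @") }
    $local, $suffix = $parts
    $problems = @()
    # Local part: only letters, digits and . - _ ! # ^ ~
    if ($local -notmatch '^[A-Za-z0-9._!#^~-]+$') { $problems += "UPN '$Upn': local part contains disallowed characters" }
    if ($local.EndsWith('.'))                      { $problems += "UPN '$Upn': dot immediately before @" }
    if ($VerifiedDomains -notcontains $suffix.ToLower()) { $problems += "UPN '$Upn': suffix is not a verified Office 365 domain" }
    return $problems
}

function Test-O365ProxyAddresses {
    param([string[]]$ProxyAddresses, [string[]]$VerifiedDomains, [bool]$Licensed)
    $problems = @()
    foreach ($addr in $ProxyAddresses) {
        $type, $value = $addr -split ':', 2              # "SMTP:user@domain" / "sip:user@domain"
        $domain = ($value -split '@')[-1].ToLower()
        if ($VerifiedDomains -contains $domain) { continue }
        switch ($type.ToUpper()) {
            # SMTP on an unverified domain is only a problem (dropped) once the user is licensed
            'SMTP' { if ($Licensed) { $problems += "$addr will be dropped at licensing (unverified domain)" } }
            # SIP must be on a verified domain for licensed and unlicensed users alike
            'SIP'  { $problems += "$addr will be dropped (SIP address on unverified domain)" }
        }
    }
    return $problems
}

# Constructed sample; real data: Get-ADUser -Filter * -Properties userPrincipalName, proxyAddresses
$sampleUsers = @(
    @{ Name = 'alice'; Upn = 'alice@contoso.com'; Licensed = $true;  Proxy = @('SMTP:alice@contoso.com', 'sip:alice@contoso.com') },
    @{ Name = 'bob';   Upn = 'bob.@contoso.com';  Licensed = $true;  Proxy = @('SMTP:bob@contoso.com') },
    @{ Name = 'carol'; Upn = 'carol@corp.local';  Licensed = $true;  Proxy = @('SMTP:carol@contoso.com', 'smtp:carol@corp.local') },
    @{ Name = 'dave';  Upn = 'dave@fabrikam.com'; Licensed = $false; Proxy = @('SMTP:dave@fabrikam.com', 'smtp:dave@corp.local', 'sip:dave@corp.local') }
)

foreach ($u in $sampleUsers) {
    $issues  = @(Test-O365Upn -Upn $u.Upn -VerifiedDomains $verifiedDomains)
    $issues += @(Test-O365ProxyAddresses -ProxyAddresses $u.Proxy -VerifiedDomains $verifiedDomains -Licensed $u.Licensed)
    if ($issues.Count -eq 0) { "$($u.Name): OK" } else { "$($u.Name):"; $issues | ForEach-Object { "  $_" } }
}
```

With the sample data, alice passes; bob fails on the trailing dot; carol fails on the .local suffix and loses her secondary SMTP address at licensing; dave keeps his unverified SMTP address because he is unlicensed but still loses the SIP address. Running this before the first sync is cheaper than discovering the dropped addresses afterwards.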
Directory Sync Setup Options
1-way sync from AD to the cloud
• Provisions users, distribution lists, security groups and contacts
• On-premises is the master for all objects and properties
• Can move to 2-way sync later
2-way sync, AD to cloud and cloud to AD
• Required for hybrid deployments, e.g. co-existence of Exchange Online with Exchange on-premises
• Cannot move back to 1-way sync
• The cloud becomes master for certain properties (safe senders, mail co-existence, UM)
Directory Sync configuration options
• Syncs all objects with some exceptions: default accounts (Administrator etc.) and system objects are not synced
• Directory Sync can be turned off, but this takes time
• Options that cannot be changed: scoping of the attribute set; the sync interval (every 3 hours)
Sign-in Experience for Single Sign-On: Rich/Web Clients
Rich client applications with the Microsoft Online Services Sign-In Assistant (Lync Online, Office subscriptions, CRM Online)
• Integrated experience on a domain-joined PC on the corporate network
• Client connects directly to the AD FS 2.0 server or proxy
Web-based applications (SharePoint Online, OWA, Office rich applications such as Word and PowerPoint)
• Prompts for the username for realm discovery; "Keep me signed in" can bypass the prompt, but authentication to AD FS is still required
• Client connects directly to the AD FS 2.0 server or proxy
• Integrated authentication to AD FS on a domain-joined PC on the corporate network
• Smart links can avoid the username prompt, for example http://www.outlook.com/contoso.com
Sign-in Experience for Single Sign-On: Exchange Online
Outlook / IMAP / ActiveSync / Entourage
• Often referred to as Exchange proxy authentication
• Basic credentials are relayed through Exchange Online to the active endpoint of the AD FS proxy
• Prompts for both username and password, which can be saved
• Supports rules to control access based on client IP, device type and Exchange endpoint (filtering)
Sign-On Experience with SSO
Web clients (Office 2010, Office 2007 SP2 with SharePoint Online; Outlook Web App; remembers the last user)
• SSO ID, domain joined: username prompt only (realm discovery), AD credentials via integrated authentication
• SSO ID, non-domain joined: username and password, AD credentials
• MS Online ID: username and password, Online ID
Exchange clients (Office 2010, Office 2007 SP2; ActiveSync/POP/IMAP; Entourage; credentials can be saved)
• SSO ID, domain joined: username and password, AD credentials
• SSO ID, non-domain joined: username and password, AD credentials
• MS Online ID: username and password, Online ID
Rich applications via the Sign-In Assistant (Lync Online; Office subscriptions; CRM rich client; credentials can be saved)
• SSO ID, domain joined: no prompt, AD credentials
• SSO ID, non-domain joined: username and password, AD credentials
• MS Online ID: username and password, Online ID
Identity Integration/SSO Details
• Microsoft Online business scenarios always use WS-*: WS-Federation for passive (browser) clients, WS-Trust for rich client authentication
• Identity federation is supported through AD FS 2.0
• SAML 1.1 token contents:
  Issuer URI: used to locate the domain for certificate verification
  User Source Address: unique, never-changing identifier of the user
  UserPrincipalName (UPN): the name the user logs on with
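Since the authentication platform uses the issuer URI to find the federated domain and then verifies the SAML 1.1 token's signature against the certificate registered for that domain, federation breaks silently when the AD FS side drifts from what Office 365 holds, most often after a token-signing certificate rollover. The following check is an added example written for this transcript, not code from the deck: it reads the federation settings Office 365 stores for a domain and compares them with the live AD FS 2.0 configuration. It assumes it runs on an AD FS 2.0 server with the MSOnline module installed and Connect-MsolService already run; the domain name is made up.

```powershell
# Added example, not part of the original deck. Run on an AD FS 2.0 server after Connect-MsolService.
Import-Module MSOnline
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-O365FederationTrust {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    $cloud = Get-MsolDomainFederationSettings -DomainName $DomainName   # what Office 365 believes
    $adfs  = Get-ADFSProperties                                           # what the farm actually is
    $primarySigning = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

    # Office 365 holds the signing certificate as base64 DER; rebuild it to compare thumbprints
    $cloudCertBytes = [Convert]::FromBase64String($cloud.SigningCertificate)
    $cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cloudCertBytes)

    $expectedPassive = "https://$($adfs.HostName)/adfs/ls/"

    [pscustomobject]@{
        Domain              = $DomainName
        IssuerUriMatches    = ($cloud.IssuerUri -eq [string]$adfs.Identifier)
        PassiveUriMatches   = ($cloud.PassiveLogOnUri -eq $expectedPassive)
        SigningCertMatches  = ($cloudCert.Thumbprint -eq $primarySigning.Thumbprint)
        CloudSigningExpires = $cloudCert.NotAfter
        CloudIssuerUri      = $cloud.IssuerUri
        AdfsIdentifier      = [string]$adfs.Identifier
    }
}

$result = Test-O365FederationTrust -DomainName 'contoso.com'   # domain is an assumption
$result | Format-List

# On drift, push the farm's current issuer, endpoints and signing certificate to Office 365.
# Add -SupportMultipleDomain if the farm federates more than one UPN suffix.
if (-not ($result.IssuerUriMatches -and $result.PassiveUriMatches -and $result.SigningCertMatches)) {
    Update-MsolFederatedDomain -DomainName 'contoso.com'
}
```

The three booleans map to the three things the token relies on: the issuer URI that selects the domain, the passive endpoint users are redirected to, and the certificate the signature is verified against. A stale certificate in the cloud is worth treating as a finding in its own right, not just an outage: tokens signed with a key AD FS no longer uses would still validate until Update-MsolFederatedDomain replaces it.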
Client-to-Endpoint Usage
(Diagram) The AD FS 2.0 server inside the corporate boundary and the AD FS 2.0 proxy outside it each expose MEX, web (passive) and active endpoints. Lync 2010 / Office subscription clients use MEX and the active endpoint with username and password, internally against the server and externally against the proxy. OWA uses the web endpoint, internally on the server and externally on the proxy. Outlook 2010/2007, IMAP/POP and ActiveSync send username and password to Exchange Online, which relays them to the proxy's active endpoint. Basic-auth proposal: Exchange Online passes the client IP, protocol and device name to AD FS.
Client Access Filtering
• Enabled through client issuance rules in AD FS 2.0; targeted at blocking external access scenarios for Outlook
• Options: block all external access; allow external access for specific mail clients (ActiveSync, POP/IMAP); allow external access to web applications (OWA, SharePoint); allow external access for specific groups of users
• Requires the AD FS proxy
• No granularity for limiting Lync Online / Office subscription services externally: any of the rules above blocks their external access too
• Third-party proxies require additional work; see http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx
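What the filtering options above look like as issuance authorization rules on the Office 365 relying party trust, as an added example written for this transcript (not code from the deck or from the TechNet article it links). It uses the request-context claim types AD FS 2.0 issues for requests arriving through the proxy; the corporate egress IP range and the group SID are assumptions.

```powershell
# Added example, not part of the original deck. Assumes AD FS 2.0 with the request-context
# claims (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$corpIp = '^131\.107\.1\.(\d{1,3})$'      # assumption: Contoso's public egress range
$vpnSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # assumption: "Remote Outlook allowed" group

# Rule 1 keeps the default permit; rule 2 denies specific external cases on top of it.
# The deny only fires when x-ms-proxy is present, i.e. the request came through the AD FS proxy,
# which is why filtering requires the proxy. Nothing distinguishes a Lync / Office subscription
# rich client's external active request from Outlook's, so they are blocked by the same rule.
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Block external access except ActiveSync, browser clients, corporate IPs and the exception group"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpIp"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$vpnSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -IssuanceAuthorizationRules $rules

# Confirm what is now in force on the trust
(Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform').IssuanceAuthorizationRules
```

Each NOT clause is one of the slide's allow options: drop the ActiveSync clause to block all external mail clients, drop the /adfs/ls/ clause to block external browser access as well, and drop the groupsid clause if no user population needs an exception. Because the x-ms-forwarded-client-ip value is supplied by Exchange Online on the client's behalf, the regex must stay anchored and must only match addresses you actually control; an unanchored pattern is the classic way this rule becomes a bypass.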
Identity Federation: authentication flow, passive/web profile
(Diagram) 1. The client (joined to CorpNet) accesses Exchange Online or SharePoint Online and is redirected to the Microsoft Online authentication platform, then to the customer's AD FS 2.0 server. 2. AD FS 2.0 authenticates the user against Active Directory and issues a logon (SAML 1.1) token carrying the UPN and the User Source ID (e.g. ABC123). 3. The authentication platform validates it and issues its own auth token carrying the UPN and the Microsoft Online ID (e.g. 254729), which the client presents to the service.

Identity Federation: authentication flow, MEX/rich client profile
(Diagram) Same exchange for a rich client such as Lync Online, except that the client discovers the AD FS 2.0 endpoint through MEX and obtains the SAML 1.1 logon token (UPN, User Source ID) directly over WS-Trust, then exchanges it at the authentication platform for the auth token (UPN, ID).

Identity Federation: active flow (Outlook/ActiveSync), always external
(Diagram) 1. The client sends basic-auth credentials (username/password) to Exchange Online. 2. Exchange Online relays them to the AD FS 2.0 active endpoint, through the proxy even when the client is on CorpNet; AD FS authenticates against Active Directory and returns the SAML 1.1 logon token (UPN, User Source ID). 3. Exchange Online exchanges it at the authentication platform for the auth token (UPN, ID) on the client's behalf.
Single Forest AD Structures and Considerations
Matching domains: the internal and external domain are the same, e.g. contoso.com
• No special requirements
Sub-domain: the internal domain is a sub-domain of the external domain, e.g. corp.contoso.com
• Domains must be registered in order: the primary domain first, then the sub-domains
.local domain: the internal domain is not publicly registered, e.g. contoso.local
• Domain ownership cannot be proved, so a different domain must be used
• Requires all users to get a new UPN; use the SMTP address if possible
• Smart card issues, since smart card logon is tied to the UPN
Multiple distinct UPN suffixes in a single forest: users have logon UPNs under different domains, e.g. contoso.com and fabrikam.com
• Must use the SupportMultipleDomain switch in PowerShell (-SupportMultipleDomain on New-MsolFederatedDomain / Convert-MsolDomainToFederated)
• Sub-domains require additional work
Multi-forest: multiple AD forests
• Premier engagement
Strong Authentication Approaches
Focus: strong authentication (e.g. smart cards) for extranet access. Two approaches are possible:
1. Provide strong authentication only for web applications (e.g. OWA, SharePoint Online) by configuring or customizing the AD FS 2.0 proxy. Rich clients cannot be supported.
2. Use a VPN into the internal network as the gate that requires 2FA when connecting from outside the internal network. This works for rich clients as well.

Web applications only
• Configure the AD FS 2.0 proxy for smart card access using the in-box support
• Customize the AD FS 2.0 proxy with a third-party 2FA solution, either by using an IIS HTTP module from the 2FA provider to intercept and authenticate the second factor before the AD username/password is entered at the forms login page on the proxy (RSA example referenced in the deck), or by customizing the AD FS 2.0 forms login page to collect the 2FA credential and authenticate it against the 2FA service from code-behind
• No support for rich clients
(Diagram: web applications only, AD FS and AD DS on the intranet, AD FS proxy in the DMZ)
Smart card access: the client accesses the application, is redirected to the authentication platform (Windows Azure Active Directory) and on to the IdP, types the username and presents AD/smart card credentials to the AD FS proxy, which generates the SAML token for the authentication platform; the client is redirected back and presents the ticket to the application.
Other 2FA access: a third-party authentication provider (2FA module) is installed on the AD FS proxy. The client is redirected to the strong-auth provider, presents strong credentials, the 2FA service authenticates them and redirects back to the proxy, which validates the 2FA response before completing AD authentication as above. No support for rich client applications.
Strong Authentication: VPN to the Internal Network
• Configure extranet access to always require VPN access
• Integrate 2FA with the VPN provider
• Allow internal Outlook traffic to authenticate with client access policies and AD FS 2.0
• Optionally allow Exchange ActiveSync traffic to authenticate via the AD FS 2.0 proxy and a client access policy
• Supports rich clients
(Diagram: VPN to the internal network, AD FS and AD DS on the intranet, AD FS proxy and VPN in the DMZ)
• The remote user connects to the VPN, provides 2FA credentials, which the 2FA service authenticates, and is connected to the internal network.
• Internal Outlook sends credentials to Exchange proxy authentication; Exchange Online sends the AuthN request to AD FS through the AD FS proxy, which evaluates the client access rules and issues the SAML token to the authentication platform (Windows Azure Active Directory).
• Passive pages are disabled on the proxy, so browser sign-in from outside is only possible over the VPN.
Questions
OSP Related Content (code, title, schedule)
OSP221 Microsoft Office 365 for Enterprises (6/26/2012, 16:30)
OSP222 Empowering Small Businesses: Microsoft Office 365 P-Suite (6/27/2012, 10:15)
OSP305 The Modern Compatibility Process to Accelerate Microsoft Office Deployment (6/27/2012, 12:00)
OSP224 Microsoft Office 365 Management and Deployment (6/27/2012, 17:00)
OSP321 Active Directory Integration with Microsoft Office 365 (6/28/2012, 8:30)
OSP303 Supporting Microsoft Office in an Enterprise Environment (6/28/2012, 12:00)
OSP302 Building Integrated Microsoft Office 365, SharePoint Online, and Office Solutions Using BCS and LOB Data (6/28/2012, 14:45)
OSP340 Office Deployment: Notes from the Field (6/28/2012, 16:30)
OSP323 Microsoft Office 365 Security, Privacy, and Trust (6/29/2012, 8:30)
OSP324 Microsoft Office 365 Service Reliability and Disaster Recovery (6/29/2012, 10:15)
OSP350 Office 365: Evaluating, Deploying and Migrating, Notes from the Field (6/29/2012, 13:00)
OSP223 Microsoft Office 365 for Education (6/29/2012, 14:45)
Related Resources
Office 365 TechCenter: technet.microsoft.com/Office365
Office Client TechCenter: technet.microsoft.com/office
Office, Office 365 and SharePoint Demo Area includes: Office 365 IT Pro Command Center; Office 365 Data Center Exhibit
Resources
Connect. Share. Discuss.: http://europe.msteched.com
Learning, Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet, resources for IT professionals: http://microsoft.com/technet
MSDN, resources for developers: http://microsoft.com/msdn
Evaluations: submit your evals online at http://europe.msteched.com/sessions
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.