Agenda

Transcript of a PowerPoint presentation (21 slides): Microsoft Directory Synchronization Tool, Active Directory Federation Server, ADFS Proxy, Hybrid Features – LAB.

Page 1: Agenda

Agenda

Microsoft Directory Synchronization Tool

Active Directory Federation Server

ADFS Proxy

Hybrid Features – LAB

Page 2: Agenda

Microsoft Directory Synchronization

Page 3: Agenda

Directory Synchronization – Why to use

Easy to onboard a large number of users – small to medium size companies

Identities to be mastered/managed on premises

Free/busy coexistence

Support for identity federation

Synchronization of photos, thumbnails, conference rooms, and security groups

Filtering coexistence

Page 4: Agenda

Directory Synchronization – How it works

Page 5: Agenda

Deploying steps for Directory Synchronization tool

Step 1 –> System requirements / permissions / performance considerations

Step 2 –> Activate directory synchronization via the MS Online portal

Step 3 –> Install and configure the DS tool – configuration wizard

Step 4 –> Synchronize your directory – write objects to Azure AD from on-premises AD

Step 5 –> Activate synced users – individually / in bulk

Step 6 –> Verify / Upgrade / Reinstall

Page 6: Agenda

What it will synchronize & what it will not

Will: All users, mail-enabled contacts, mail-enabled groups (only some attributes)

Will not: Built-in administrative user accounts, passwords, built-in administrative groups, default Exchange administrative groups, Exchange system mailbox accounts

Page 7: Agenda

Windows Azure Active Directory Sync Tool – Update

The tool is downloaded from the Office 365 admin portal.

Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it.

Synchronizes user passwords from on-premises AD to Azure AD (Office 365).

Respects on-premises password policies.

Can’t sync passwords for federated users, but password sync and federation can co-exist.

SAML 2 Identity Provider

Page 8: Agenda

Directory Sync Tool or Active Directory Federation Services

Password Sync vs. SSO with AD FS – features compared:

Same password to access resources

Can control password policies on-premises

Support for two factor authentication *

No password re-entry if on premises

Client access filtering

Authentication occurs in on premises directory

Page 9: Agenda

Active Authentication: Why Multi-Factor

Your data and applications are under attack

Passwords are easily compromised

Consumerization of IT has only increased the scope of vulnerability

Strengthening regulatory requirements call for strongly authenticating access

Page 10: Agenda

Active Directory Federation Services

Page 11: Agenda

Active Directory Federation Services

Identity federation is an extremely important feature for many customers

AD FS 2.0 provides users with a single sign-on experience

Users use their corporate credentials to access their Office 365 services

Page 12: Agenda

Non-federated users – Mailbox User Experience:

◦ Logs in with cloud identity
◦ User authentication takes place on cloud AD
◦ Users have two IDs – one to access on-premises services & one for Online services
◦ Users prompted for credentials even when logged into the domain when accessing Online services

Administrator Experience:

◦ Manages password policy in cloud & on premises
◦ Password reset for on-premises & MS Online IDs
◦ No 2-factor authentication integration

Page 13: Agenda

Federated users – Mailbox User Experience:

◦ Users sign in with corporate ID
◦ Authentication happens on premises
◦ Users have a single credential providing SSO to on-premises and Online services
◦ Users get a true SSO experience
◦ 2-factor authentication can be utilized if it is deployed on premises

Administrator Experience:

◦ Manages password policy on premises only
◦ Password reset for on-premises IDs only
◦ 2-factor authentication integration options
◦ Requires additional servers to enable identity federation, so there will be an additional up-front cost

Page 14: Agenda

ADFS Authentication Flow

Authentication for passive / web profile

Authentication for rich client profile

Authentication Exchange Active Sync / MS Outlook

Page 15: Agenda

ADFS 2.0 – Deployment Options

Single server configuration

AD FS 2.0 server farm and load-balancer

AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook)

Page 16: Agenda

ADFS Certificates / Policy Store

Certificates:

Token signing

Token decryption

Secure communication certificate

Policy Store: In AD FS 2.0 the policy is stored in a database that uses either Windows Internal Database or Microsoft SQL Server as the dedicated store

AD FS 2.0 makes policy decisions based on identity information that is provided to it in the form of claims and other contextual information

Page 17: Agenda

What is an ADFS proxy?

A service that brokers a connection between external users and your internal AD FS 2.0 server

Three primary functions

◦ Assertion provider: The proxy accepts token requests from users and passes the information over SSL (default port 443) to the internal AD FS server. It receives the token from the internal AD FS server and passes it back to the user.

◦ Assertion consumer: The proxy accepts tokens from users and passes them over SSL (default port 443) to the internal AD FS server for processing.

◦ Metadata provider: The proxy will also respond to requests for Federation Metadata.

Page 18: Agenda

How does the AD FS 2.0 Proxy work?

Page 19: Agenda

Troubleshooting O365 Issues

Certificates – on all ADFS servers / client browsers (default trusted certs.)

ISA/TMG O365 rules – domains

Network firewall – IP white lists

Internet – backup

ADFS / Proxy server event viewer – correlation ID

DirSync server event viewer

https://www.testexchangeconnectivity.com/
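Pulling the AD FS admin-log events that share one correlation ID, so the timeline on the AD FS server and on the proxy can be compared, as an added PowerShell example that is not from the original deck. It assumes the AD FS 2.0 log name 'AD FS 2.0/Admin' (newer versions name it 'AD FS/Admin') and that the ID is carried in the record's ActivityId or quoted in the message text.

```powershell
# Added example: collect AD FS admin-log events that belong to one correlation ID.
# Assumption: AD FS 2.0 writes to the 'AD FS 2.0/Admin' log; on Windows Server
# 2012 R2 and later the log is named 'AD FS/Admin' instead.
function Get-AdfsEventsByCorrelationId {
    param(
        [Parameter(Mandatory)][string]$CorrelationId,   # GUID shown on the AD FS error page
        [string]$LogName = 'AD FS 2.0/Admin',
        [int]$MaxEvents = 500
    )
    $id = [guid]$CorrelationId   # normalises case and braces, throws on malformed input
    Get-WinEvent -FilterHashtable @{ LogName = $LogName } -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object {
            # Assumption: the ID is in the record's ActivityId or spelled out in the message.
            ($_.ActivityId -eq $id) -or ($_.Message -match [regex]::Escape($id.ToString()))
        } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, MachineName, Message
}

# Run on the internal AD FS server and again on the AD FS proxy, then compare the
# two result sets to see which hop produced the first error for that request.
# Get-AdfsEventsByCorrelationId -CorrelationId '00000000-0000-0000-0000-000000000000' | Format-List
```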

Page 20: Agenda

Additional reading…

Select an Office 365 plan for business (Trial) – http://office.microsoft.com/en-in/business/compare-office-365-for-business-plans-FX102918419.aspx

Explore the Community & Blogs – http://community.office365.com/en-us/default.aspx

Office 365 for IT pros – Learn / Training / Try / Deploy – http://technet.microsoft.com/en-us/office365/hh528489.aspx

Page 21: Agenda

Questions?