AZR320: Integration with Windows Azure...


Page 1: AZR320: Integration with Windows Azure …download.microsoft.com/documents/hk/technet/techdays2013...•AZR320: Integration with Windows Azure AD and Office 365 –Identity and Access

AZR320: Integration with Windows Azure AD and Office 365 – Identity and Access Management


• OSP126: An Introduction to Windows Azure Active Directory and Office 365

• AZR314: Integration with Windows Azure AD and Office 365 – Provisioning and Synchronization

• AZR320: Integration with Windows Azure AD and Office 365 – Identity and Access Management

• OSP269: A tour through integration scenarios with Windows Azure AD and Office 365


Directory Management: managing directory data (on-prem and cloud).

Access Management: controlling the AuthN/Z of users and other identities. We're spending time here.


Identities mastered in the cloud

Appropriate for
• Smaller to medium/large orgs

Pros
• No additional hardware requirements

Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud

Identities mastered on-premises (federated SSO)

Appropriate for
• Larger enterprise orgs with AD on-premises

Pros
• SSO with corporate credentials
• IDs mastered on-premises
• Password policy controlled on-premises
• 2FA solutions possible
• Client Access Filtering

Cons
• High availability server deployments required


[Architecture diagram: Contoso customer premises (AD, Active Directory Federation Server 2.0, Azure Active Directory Sync, Office 365 Desktop Setup, Office 365 ProPlus) with a Trust to Windows Azure Active Directory (Identity Services: IdP, Directory Store, Provisioning platform, Authentication platform, Admin Portal/PowerShell), which fronts Exchange Online, SharePoint Online and Lync Online.]


Use third-party identity providers to implement single sign-on


[Diagram: forest/AD FS arrangements for single sign-on: AD with ADFS; AD with ADFS 1; AD with ADFS 2; and a fourth case marked "???".]


OnRamp for Office 365


• UPN constraints:
• cannot have a dot '.' immediately preceding '@': [email protected] is valid, [email protected] is invalid
• cannot exceed 113 chars (64 for username, 48 for domain)
• cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
• cannot have duplicate UPNs

• Connectivity Analyzer: test your setup at https://testconnectivity.microsoft.com/?tabid=client


http://www.outlook.com/contoso.com


Client sign-in experience by identity type:

| Client | SSO IDs (on corp network) | Cloud IDs | SSO IDs (not on corp network) |
| Web Clients: Office 2010 / Office 2007 SP2 with SharePoint Online; Outlook Web Application (remembers last user) | No prompt (AD credentials) | Username and password (Cloud ID) | Username and password (AD credentials) |
| Exchange Clients: Office 2010 / Office 2007 SP2; ActiveSync/POP/IMAP; Entourage (can save credentials) | Username (AD credentials) | Username and password (Cloud ID) | Username and password (AD credentials) |
| Rich Applications (SIA): Lync Online; Office Subscriptions; CRM Rich Client (can save credentials) | Username and password (AD credentials) | Username and password (Cloud ID) | Username and password (AD credentials) |


http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx


[Flow diagram: a client joined to CorpNet authenticates to Active Directory and obtains a Logon (SAML 1.1) Token from the AD FS 2.0 server (UPN: [email protected]; Source User ID: ABC123). It presents that token to the Authentication platform of the customer's Windows Azure Active Directory, which returns an Auth Token (UPN: [email protected]; Unique ID: 254729) for Exchange Online or SharePoint Online.]


[Flow diagram: a client joined to CorpNet authenticates to Active Directory and obtains a Logon (SAML 1.1) Token from the AD FS 2.0 server (UPN: [email protected]; Source User ID: ABC123). It presents that token to the Authentication platform of the customer's Windows Azure Active Directory, which returns an Auth Token (UPN: [email protected]; Unique ID: 254729) for Lync Online.]


[Flow diagram: the client (joined to CorpNet) sends Basic Auth credentials (username/password) to Exchange Online. Exchange Online, not the client, then performs the token exchange: the Logon (SAML 1.1) Token from the AD FS 2.0 server backed by Active Directory (UPN: [email protected]; Source User ID: ABC123) and the Auth Token from the Authentication platform of the customer's Windows Azure Active Directory (UPN: [email protected]; Unique ID: 254729).]


| Structure | Description | Considerations |
| Matching domains | Internal domain and external domain are the same, i.e. contoso.com, and publicly routable | No special requirements. Good to go! Register and verify them all. |
| Multiple (sub)domains | Internal domain is a subdomain of the external domain, i.e. corp.contoso.com | Requires domains registered in order, primary then subdomains |
| .local domain | Internal domain is not publicly "registered", i.e. contoso.local | Domain ownership can't be verified, must use a different domain. Requires all users to get a new UPN; use the SMTP address if possible; smart card issues? |
| Multiple distinct UPN suffixes in single forest | Mix of users having login UPNs under different domains, i.e. contoso.com & fabrikam.com | Must use the SupportMultipleDomain switch in PowerShell when configuring federation; subdomains require additional work |
| Multi Forest | Multiple UPN domains | Register all domains. Same consideration as Multiple distinct UPN suffixes |


[Flow diagram: AD FS and AD DS on the intranet; AD FS Proxy with a 2FA module in the DMZ (install the 3rd-party auth provider on the ADFS proxy); an external 2FA Service; the Authentication platform of Windows Azure Active Directory. Steps: Access Application; Redirect to Authentication platform; Types User Name; Authenticate 2FA and Authenticate 2FA response (Smartcard Access or Other 2FA Access); Generate SAML token for authentication platform; Redirect Back; Present ticket to Application.]


[Flow diagram: AD FS and AD DS on the intranet; AD FS Proxy in the DMZ; 2FA Service; Authentication platform of Windows Azure Active Directory. Paths shown: "Allow internal Outlook via ADFS proxy": Send Creds to Exchange Proxy Auth; Evaluate Client Access Rules, issue SAML Token. "Disable passive pages on proxy". "Strong Auth VPN to internal network": VPN; Connect to internal network; Authenticate 2FA.]
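The diagram leaves the client access rules themselves implicit. The evaluator below is an added example written for this page, not code from the deck or from AD FS: it models the decision the proxy path sketches, allowing requests that reach AD FS directly, allowing requests through the AD FS proxy only when the forwarded client IP is corporate egress or the request is Outlook/ActiveSync traffic relayed by Exchange proxy auth, and refusing browser (passive) sign-in through the proxy, which is the "Disable passive pages on proxy" branch; anything else from outside is left to the strong-auth VPN path. The claim type URIs and Exchange application names are the AD FS 2.0 request-context claims described in the TechNet article the deck links to; treat them as an assumption for other AD FS versions. The corporate IP range and the sample requests are constructed.

```python
# Added example (editor's code, not from the TechDays deck): an evaluator for
# the client-access decision the slide sketches ("Evaluate Client Access Rules,
# issue SAML token"). Requests that arrive through the AD FS proxy are denied
# unless they come from the corporate egress range or are Outlook / ActiveSync
# traffic relayed by Exchange proxy auth; browser (passive) sign-in through the
# proxy is refused, matching "Disable passive pages on proxy".
# Claim type URIs and Exchange application names follow the AD FS 2.0 request-
# context claims in the TechNet article the deck links to; treat them as an
# assumption for other AD FS versions. Networks and requests are constructed.
import ipaddress
from dataclasses import dataclass

PREFIX = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
X_MS_PROXY = PREFIX + "x-ms-proxy"
X_MS_FORWARDED_CLIENT_IP = PREFIX + "x-ms-forwarded-client-ip"
X_MS_CLIENT_APPLICATION = PREFIX + "x-ms-client-application"
X_MS_ENDPOINT_PATH = PREFIX + "x-ms-endpoint-absolute-path"

CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate egress range
ALLOWED_EXTERNAL_APPS = {                                 # Outlook / ActiveSync via Exchange proxy auth
    "Microsoft.Exchange.RPC",
    "Microsoft.Exchange.ActiveSync",
    "Microsoft.Exchange.Autodiscover",
}
PASSIVE_ENDPOINT = "/adfs/ls/"                            # browser sign-in pages


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def forwarded_ips(value):
    """Parse the comma-separated forwarded-client-IP claim; unparseable entries are dropped."""
    ips = []
    for part in (value or "").split(","):
        try:
            ips.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue
    return ips


def from_corporate_network(claims):
    """Every forwarded hop must be inside a corporate range; an empty or
    malformed claim is treated as external (fail closed)."""
    ips = forwarded_ips(claims.get(X_MS_FORWARDED_CLIENT_IP))
    return bool(ips) and all(any(ip in net for net in CORP_NETWORKS) for ip in ips)


def evaluate(claims):
    """Return the allow/deny decision for one request's claim set."""
    if X_MS_PROXY not in claims:
        return Decision(True, "request reached AD FS directly, not via proxy")
    if from_corporate_network(claims):
        return Decision(True, "via proxy, but forwarded client IP is corporate egress")
    app = claims.get(X_MS_CLIENT_APPLICATION, "")
    if app in ALLOWED_EXTERNAL_APPS:
        return Decision(True, f"external {app} allowed through proxy (Exchange proxy auth)")
    if claims.get(X_MS_ENDPOINT_PATH, "").startswith(PASSIVE_ENDPOINT):
        return Decision(False, "passive sign-in pages disabled on proxy; use VPN with strong auth")
    return Decision(False, "external request not on the allow list")


# Constructed sample requests (claim -> value); IPs are documentation ranges.
SAMPLE_REQUESTS = {
    "internal_browser": {X_MS_ENDPOINT_PATH: "/adfs/ls/"},
    "external_outlook": {X_MS_PROXY: "adfs-proxy-1",
                         X_MS_FORWARDED_CLIENT_IP: "198.51.100.7",
                         X_MS_CLIENT_APPLICATION: "Microsoft.Exchange.RPC"},
    "external_browser": {X_MS_PROXY: "adfs-proxy-1",
                         X_MS_FORWARDED_CLIENT_IP: "198.51.100.7",
                         X_MS_ENDPOINT_PATH: "/adfs/ls/"},
    "corp_egress_browser": {X_MS_PROXY: "adfs-proxy-1",
                            X_MS_FORWARDED_CLIENT_IP: "203.0.113.20",
                            X_MS_ENDPOINT_PATH: "/adfs/ls/"},
    "external_ews": {X_MS_PROXY: "adfs-proxy-1",
                     X_MS_FORWARDED_CLIENT_IP: "198.51.100.7",
                     X_MS_CLIENT_APPLICATION: "Microsoft.Exchange.WebServices"},
    "malformed_ip": {X_MS_PROXY: "adfs-proxy-1",
                     X_MS_FORWARDED_CLIENT_IP: "not-an-ip",
                     X_MS_ENDPOINT_PATH: "/adfs/ls/"},
}


def run_samples():
    """Decision per sample request: {name: allow?}."""
    return {name: evaluate(claims).allow for name, claims in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, claims in SAMPLE_REQUESTS.items():
        d = evaluate(claims)
        print(f"{name:20s} {'ALLOW' if d.allow else 'DENY ':5s} {d.reason}")
```

Two design choices matter for the defender: the forwarded-IP check fails closed (a missing or malformed claim never counts as corporate), and the allow list for external traffic is by application name, so a browser session through the proxy is denied even when it carries a valid username and password, which is exactly why the deck pairs this with a strong-auth VPN for remote browser access.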
