Identities in Microsoft Office 365
Fulvio SalanitroPartner Services Account Manager - Microsoft corporationSupport Webcast Series
Introduction
Welcome to the webcast
• We are recording today’s session, and will have the slide show presentation and the video recording on the original blog post and the Office 365 Community. You can find the video recording on our Video Channel - http://www.youtube.com/microsoftoffice365
• Questions can be asked at the end of the presentation through the Lync Meeting Console.
• We are recording today’s session, please understand that you may be captured in the recording. If you do not wish to be recorded, please do not type in the Lync IM Window or please leave the meeting.
Feedback
• Please answer the survey questions posted at the end of this meeting.
• Let us know what sessions you want! Email Josh Topal at [email protected].
• Feel free to give feedback too.
Session Agenda
Module 1: Understanding Identities
Module 2: Environment Preparation for Single Sign-On & Directory Synchronization (DirSync)
Module 3: Deploying SSO and ADFS 2.0
Module 4: Deploying Directory Synchronization (DirSync)
Assumed Knowledge
Server Technologies
• Active Directory
• Active Directory Federation Services (AD FS)
• Windows PowerShell™ 2.0
Network Technologies
• AD sites, trusts, & topology
• DNS & related technologies
• Wide area connectivity: networks, equipment, bandwidth, & latency
• Firewall technologies
• SSL certificates
Module 1: Understanding Identities
Understanding Identities
Understanding Single Sign-On
Understanding DirSync
Understanding Identity Types
Cloud Identity
• Separate credential from corporate credential
• Authentication occurs via cloud directory service
• Password policy stored in Office 365
Federated Identity
• Same credential as corporate credential
• Authentication occurs via on-premises Active Directory service
• Password policy is stored on-premises
• Requires Directory Synchronization
Identity Usage Scenarios
Cloud Identity
• Scenario: Smaller organizations without on-premises Active Directory
• Pros: Does not require on-premises server deployment
• Cons: No Single Sign-On; No 2-Factor Authentication options; 2 sets of credentials to manage with, potentially, different password policies
Cloud Identity + DirSync
• Scenario: Medium to Large organizations with Active Directory on-premises
• Pros: “Source of Authority” is on-premises; Enables coexistence; Password Synchronization (Optional)
• Cons: No Single Sign-On; No 2-Factor Authentication options; 2 sets of credentials to manage with, potentially, different password policies; Requires on-premises server deployment
Federated Identity*
• Scenario: Large enterprise organizations with Active Directory on-premises
• Pros: Single Sign-On experience; “Source of Authority” is on-premises; 2-Factor Authentication options; Enables coexistence
• Cons: Requires on-premises server deployment in high availability scenario
* Requires DirSync
Understanding Single Sign-On (Federated Identity)
Single Sign-On | Purpose
• Enables users to access both the on-premises and cloud-based organizations with a single user name and password
• Provides users with a familiar sign-on experience
• Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools
Single Sign-On | Benefits
• Policy Control
• Access Control
• Reduced Support Calls
• Security
ADFS 2.x and SSO in Action
Understanding DirSync
What is DirSync?
• Application that synchronizes on-premises Active Directory with Office 365
• x64 application based on FIM
• Bundled with SQL Express 2012 SP1
• Designed as an appliance: “Set it and forget it”
DirSync Synchronization
• Entire Active Directory forest is scoped for synchronization
• What is synchronized? All user objects, all group objects, mail-enabled contact objects
• Passwords are not synchronized (by default, but now possible)
• Synchronization is from on-premises to Office 365 only
• Synchronization occurs every 3 hours
Prepare: Decide on Identity Scenario
Features to compare between DirSync + Password Sync and SSO with AD FS:
• Use same username + password
• Control password policy on-premises
• No password re-entry if on-premises
• Client access filtering
• Authentication occurs on-premises (no credentials on cloud)
• Support for multi-forest configurations (FIM)
Module 2: Environment Preparation
DNS Preparation
Active Directory Preparation
Office 365 OnRamp
DNS Preparation
Process:
1. Start wizard from admin portal
2. Specify domain name
3. Change DNS settings at registrar
4. Verify domain
5. Specify services
6. Change DNS settings at registrar
Tips: DNS record verification, be patient (can take up to 72 hours)
Adding a Domain
Add and Modify DNS Records
Verify Domain Ownership
Register Company’s TXT or MX Record
Active Directory (AD) Preparation
Preparing Active Directory: Attribute Cleanup
• Minimum: User Name, First Name, Last Name, Display Name
• Populate non-required attributes for GAL/SharePoint Online (Title, address, city, state, and zip)
• Unsupported characters: Microsoft Online Deployment Guide lists all (e.g., Space ( ) @ ‘ | = ? /)
Preparing to Deploy Federation Server Farm
• Only routable domains can be used with ADFS deployment
• Non-routable domains include .local, .loc, or .internal
• If organization has AD with only internal namespace, it must:
  1. Add a routable UPN suffix in Active Directory Forests and Trusts.
  2. Configure each user with that routable UserPrincipalName suffix
DEMO: Setting Up UPN Suffix
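The attribute-cleanup and UPN-suffix checks from the two slides above, as an added PowerShell example that is not part of the webcast or of Microsoft's tooling. It reports users missing the required attributes, users whose account name contains one of the unsupported characters the deck lists, and users whose UPN still carries a non-routable suffix, then adds a routable suffix to the forest and re-suffixes those users the way the demo does. It needs the ActiveDirectory module (RSAT); the function names, the -RoutableSuffix/-UpdateUsers parameters and the sample suffix 'contoso.com' are this example's own assumptions.

```powershell
# Added example (not from the webcast). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-O365UserReadiness {
    param(
        [Parameter(Mandatory)] [string] $RoutableSuffix,          # e.g. 'contoso.com' (placeholder)
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Characters the deck lists as unsupported: space ( ) @ ' | = ? /
    $badChars    = '[ ()@''|=?/]'
    $nonRoutable = '\.(local|loc|internal)$'
    # "Minimum: User Name, First Name, Last Name, Display Name"
    $required    = 'SamAccountName', 'GivenName', 'Surname', 'DisplayName'

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties DisplayName |
        ForEach-Object {
            $u = $_
            $problems = @()
            foreach ($attr in $required) {
                if ([string]::IsNullOrWhiteSpace($u.$attr)) { $problems += "missing $attr" }
            }
            if ($u.SamAccountName -match $badChars) {
                $problems += 'unsupported character in SamAccountName'
            }
            if (-not $u.UserPrincipalName) {
                $problems += 'no UserPrincipalName'
            } elseif ($u.UserPrincipalName -match $nonRoutable) {
                $problems += 'non-routable UPN suffix'
            } elseif ($u.UserPrincipalName -notmatch "@$([regex]::Escape($RoutableSuffix))$") {
                $problems += "UPN suffix is not $RoutableSuffix"
            }
            if ($problems) {
                [pscustomobject]@{ User = $u.SamAccountName; Problems = ($problems -join '; ') }
            }
        }
}

function Add-RoutableUpnSuffix {
    # Same change as the demo: register the suffix on the forest, then re-suffix users.
    param(
        [Parameter(Mandatory)] [string] $RoutableSuffix,
        [switch] $UpdateUsers      # without this switch only the forest suffix is added
    )
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $RoutableSuffix }
    }
    if ($UpdateUsers) {
        Get-ADUser -Filter 'Enabled -eq $true' |
            Where-Object { $_.UserPrincipalName -match '\.(local|loc|internal)$' } |
            ForEach-Object {
                $prefix = $_.UserPrincipalName.Split('@')[0]
                Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$RoutableSuffix"
            }
    }
}

# Usage:
# Test-O365UserReadiness -RoutableSuffix 'contoso.com' | Format-Table -AutoSize
# Add-RoutableUpnSuffix -RoutableSuffix 'contoso.com' -UpdateUsers
```

Run the report first and fix what it lists; only then re-suffix, because DirSync will carry whatever UPN is in place at the first full sync.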
Office 365 OnRamp | Overview
OnRamp for Office 365 is an automated assistance tool that helps you gather configuration requirements and perform deployment readiness checks against your on-premises environment.
OnRamp can accelerate the deployment timeline, especially for organizations with requirements such as identity federation or hybrid deployment.
Tool is available at: https://onramp.office365.com/onramp
Planning for SSL Certificates
Why SSL certificates?
• SSO experience; ActiveSync
• Secure communications
• Auto-discover the Exchange Server
Certificates required for these Office 365 components:
• Exchange on-premises
• Single sign-on (for both the ADFS federation servers and ADFS federation server proxies)
• Auto-discover, Outlook Anywhere, Exchange ActiveSync, and Exchange Web Service (EWS)
• Exchange hybrid server
Module 3: Deploying SSO & ADFS 2.0
Deploying Active Directory Federation Server
Deploying Active Directory Federation Server Proxy
AD FS 2.x Components
AD FS 2.x Server
• Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service
• Recommend using at least two federation servers in a load-balanced configuration
AD FS 2.x Proxy Server
• Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm
• Federation server proxies should be deployed in the DMZ
Single Sign-On | Server Requirements
• Windows Server 2008/2008R2 or Windows Server 2012
• PowerShell
• Web Server (IIS)
• .NET 3.5 SP1
• Windows Identity Foundation
• Publicly registered domain name
• SSL Trusted Public Certificates
• Windows Azure Active Directory Module for Windows PowerShell
• Microsoft Online Sign In Assistant
• High availability design
Single Sign-On | Client Requirements
• Internet Explorer 8.0 or later
• Firefox 10.0
• Chrome 17.0 or later
• Safari 5.0 or later
• Microsoft Office 2010/2007 (Latest Service Pack)
• Microsoft Office for Mac 2011 (Latest Service Pack)
• Microsoft Office 2008 for Mac version 12.2.9
• Office 365 Desktop Setup (Suggested)
• Microsoft Online Sign In Assistant
AD FS 2.x Deployment Options
1) Single server configuration
2) AD FS 2.x Server Farm and load-balancer
3) AD FS 2.x Proxy Server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook)
[Diagram: AD FS 2.x deployment topology. Enterprise zone: Active Directory, AD FS 2.x Servers, internal user. Perimeter zone: AD FS 2.x Server Proxy, external user.]
Understanding client authentication path
[Diagram: clients (Lync 2010/Office Subscription, Outlook 2010/2007 IMAP/POP, OWA internal and external, Active Sync) present username/password; Exchange Online reaches the AD FS 2.0 Server (MEX, Web, Active endpoints) inside the corporate boundary or the AD FS 2.0 Proxy (MEX, Web, Active endpoints) outside it. Basic auth proposal: pass client IP, protocol, device name.]
Preparing to Deploy Fed. Server Farm
• Active Directory running in Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 with a functional level of mixed or native mode
• AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012
• AD FS 2.x Proxy deployed, if some users are connecting from outside the company’s network
• Windows Azure Active Directory Module for Windows PowerShell to establish a trust with Office 365
• Required updates installed for Office 365
• A unique third-party certificate when installing and configuring federation servers and federation server proxies
• Only routable domains can be used with ADFS deployment
• Non-routable domains include .local, .loc, or .internal
• If organization has AD with only internal namespace, it must: add a routable UPN suffix in Active Directory Forests and Trusts, then configure each user with that routable UserPrincipalName suffix
• See Module 2 for full procedure
Deploying Active Directory Federation Server
AD FS 2.x Server
• The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service
• We recommend the use of at least two federation servers in a load-balanced configuration
DEMO: Creating a Certificate Request with a Third-Party SSL Certificate Provider
Windows Server 2012
Buy and request a certificate from a Third-Party SSL Certificate Provider
DEMO:
1. Download Windows Azure Active Directory Module for Windows PowerShell
2. Create AD FS Service Account
Deploying a Federation Server Farm
Windows Server 2008
Windows Server 2012
Important! Update Federation Server Farm
• You must install AD FS 2.0 hotfixes after installing AD FS 2.0
• As previously mentioned, an Update Rollup 2 for AD FS 2.0 is available
• Only applicable with Windows 2008/2008R2
Complete Federation via PowerShell
Command / Description:
$cred = Get-Credential
    Prompt for Office 365 credentials and store them in a variable
Connect-MsolService -Credential $cred
    Connect to Office 365 using stored credentials
Set-MsolADFSContext -Computer <AD FS 2.x primary server>
    Specify the local AD FS 2.x server
Convert-MsolDomainToFederated -DomainName <domain.com>
    Convert the standard local domain to an Identity Federated Domain
Get-MsolFederationProperty -DomainName <domain.com>
    Show Identity Federation properties
Test Federation via PowerShell
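The command table above wrapped into one script with a check before and after the conversion, as an added PowerShell example that is not from the webcast. It uses the Windows Azure Active Directory Module (MSOnline) cmdlets the deck names; the function name, its parameters, and the placeholders 'contoso.com' and 'adfs01.corp.contoso.com' are this example's own assumptions.

```powershell
# Added example (not from the webcast). Requires the MSOnline module.
Import-Module MSOnline

function Complete-O365Federation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # verified domain, e.g. 'contoso.com'
        [Parameter(Mandatory)] [string] $AdfsServer    # primary AD FS 2.x server, e.g. 'adfs01.corp.contoso.com'
    )
    # Sign in with a cloud-identity admin, not a user of the domain being federated:
    # once the domain is federated, an SSO-enabled admin cannot sign in if AD FS is down.
    $cred = Get-Credential
    Connect-MsolService -Credential $cred

    # Pre-check: the domain must be verified in the tenant and not already federated
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') {
        throw "$DomainName is not verified in the tenant; finish DNS verification first"
    }
    if ($domain.Authentication -eq 'Federated') {
        Write-Warning "$DomainName is already federated; nothing to do"
        return
    }

    # Point the module at the primary AD FS 2.x server, then convert the domain
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToFederated -DomainName $DomainName

    # Post-check ("Test Federation via PowerShell"): the tenant should now report
    # Federated, and the federation properties in the tenant and in AD FS should agree
    $after = Get-MsolDomain -DomainName $DomainName
    if ($after.Authentication -ne 'Federated') {
        throw "Conversion did not take: $DomainName still reports $($after.Authentication)"
    }
    Get-MsolFederationProperty -DomainName $DomainName
}

# Usage:
# Complete-O365Federation -DomainName 'contoso.com' -AdfsServer 'adfs01.corp.contoso.com'
```

Compare the two property sets Get-MsolFederationProperty prints (tenant side and AD FS side); a mismatch in the signing certificate or the passive/active endpoint URLs is the usual reason SSO sign-ins fail right after conversion.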
DEMO: Create a New Host (A or AAAA)
Deploying Active Directory Federation Server Proxy
AD FS 2.x
AD FS 2.x Proxy Server
• Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm
• Federation server proxies should be deployed in the DMZ
External-facing federation server proxies are required if:
• An organization will use Outlook clients
• Users will access Office 365 for enterprise from home or public locations
• Users will access Office 365 for enterprise via mobile devices
Federation Server Proxy | Prerequisites
Prerequisites to deploy federation server proxies are:
• Federation server proxies deployed in the edge/DMZ network
• Federation servers & federation server proxies able to communicate over TCP 443
• AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012
• Internet Information Services (IIS) 7 or 7.5 installed + imported certificate
• .NET Framework 3.5 SP1 installed
DEMO: Deploying a Federation Proxy
Windows Server 2012
DEMO: Deploying a Federation Proxy
Windows Server 2008
DEMO: Configure Host File; Configure AD FS Proxy
Next Step: Synchronize with AD
AD FS 2.x and SSO are now in place, but there are no users inside the Office 365 subscription. We will need to replicate our users from the local AD to Office 365.
We will deploy and use DirSync for that purpose (see Module 4)
Deployment Considerations
Deployment Architecture
Number of users / Minimum number of servers:
• Fewer than 1,000 users: 0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
• 1,000 to 15,000 users: 2 dedicated federation servers, 2 dedicated federation server proxies
• 15,000 to 60,000 users: between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies
Revert from Federated to Cloud Identity
Use the following method only if this condition is true: the problem is caused by an on-premises service outage that requires immediately restoring user access, or the Active Directory Federation Services (AD FS) 2.0 server is available.
Additional Info: http://support.microsoft.com/kb/2662960/en-us
Revert from Federated to Cloud Identity
$cred = Get-Credential
    When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <AD FS 2.x server name>
    Note: In this command, the placeholder <AD FS 2.x server name> represents the name of the primary AD FS 2.x server
Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
The userpasswords.txt file will contain the Cloud Identity passwords for all users.
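The revert commands above, followed by a check that the domain is back to Managed and an ACL lock-down of the password file, as an added PowerShell example that is not from the webcast. The slide only notes that the file holds every user's new cloud password; restricting it to the admin running the revert and SYSTEM before the passwords are handed out is this example's addition. The function name, its parameters and the default file path are assumptions of the example.

```powershell
# Added example (not from the webcast). Requires the MSOnline module.
Import-Module MSOnline

function Revert-O365DomainToCloudIdentity {
    param(
        [Parameter(Mandatory)] [string] $DomainName,     # the federated domain
        [Parameter(Mandatory)] [string] $AdfsServer,     # primary AD FS 2.x server name
        [string] $PasswordFile = 'C:\userpasswords.txt'  # where the slide writes the passwords
    )
    # Credentials of an Office 365 admin that is NOT SSO-enabled (the slide's note)
    $cred = Get-Credential
    Connect-MsolService -Credential $cred
    Set-MsolADFSContext -Computer $AdfsServer

    # Convert the domain and its users; each user gets a cloud password written to the file
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile

    # Verify the authentication type flipped before touching anything else
    $auth = (Get-MsolDomain -DomainName $DomainName).Authentication
    if ($auth -ne 'Managed') { throw "$DomainName still reports $auth" }

    # Restrict the password file to the current admin and SYSTEM
    $acl = Get-Acl -Path $PasswordFile
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting folder ACEs
    foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($principal in @($me, 'NT AUTHORITY\SYSTEM')) {
        $ace = New-Object Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $PasswordFile -AclObject $acl
    Write-Output "$DomainName is Managed; $PasswordFile readable only by $($acl.Access.IdentityReference -join ', ')"
}

# Usage:
# Revert-O365DomainToCloudIdentity -DomainName 'contoso.com' -AdfsServer 'adfs01.corp.contoso.com'
```

Delete the file once the temporary passwords have been delivered; users should change them at first sign-in, and the file has no further use after that.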
Client Access Policy
The AD FS 2.x federation service can support access policies for allowing or denying access based upon the combination of the user requesting access and the IP address of their device.
Scenario / Description:
• Block all external access to Office 365: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.
• Block all external access to Office 365, except Exchange ActiveSync: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.
• Block all external access to Office 365, except for browser-based applications: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.
• Block all external access to Office 365 for members of designated Active Directory groups: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.
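The first two scenarios in the table, expressed as issuance authorization rules on the Office 365 relying party trust in AD FS 2.x, as an added PowerShell example that is not from the webcast. The x-ms-* request-context claim types it tests are the ones AD FS 2.0 Update Rollup 2 (mentioned earlier in the deck) makes available, and the relying party name is the one Convert-MsolDomainToFederated creates; the function name, the scenario labels and the $corporateEgressRegex value (RFC 5737 test addresses standing in for the corporate egress IPs) are this example's own assumptions.

```powershell
# Added example (not from the webcast). Run on a federation server with the AD FS 2.0 snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$relyingParty = 'Microsoft Office 365 Identity Platform'
$ctx          = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$permitClaim  = 'http://schemas.microsoft.com/authorization/claims/permit'
$denyClaim    = 'http://schemas.microsoft.com/authorization/claims/deny'
# Placeholder: regex of the public IP addresses the corporate network egresses from
$corporateEgressRegex = '\b203\.0\.113\.5\b|\b203\.0\.113\.6\b'

# A request is "external" when it came through a federation server proxy (x-ms-proxy is
# present) and the client IP the proxy forwarded is not one of the corporate addresses.
$external = @"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corporateEgressRegex"])
"@

$rules = @{
    # Table row 1: deny everything external
    BlockExternal = @"
@RuleName = "Permit all users"
=> issue(Type = "$permitClaim", Value = "true");

@RuleName = "Deny external clients"
$external
 => issue(Type = "$denyClaim", Value = "true");
"@
    # Table row 2: deny everything external unless the client application is Exchange ActiveSync
    BlockExternalExceptActiveSync = @"
@RuleName = "Permit all users"
=> issue(Type = "$permitClaim", Value = "true");

@RuleName = "Deny external clients other than Exchange ActiveSync"
$external
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$denyClaim", Value = "true");
"@
}

function Set-O365ClientAccessPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('BlockExternal', 'BlockExternalExceptActiveSync')]
        [string] $Scenario
    )
    # Replaces the trust's whole authorization rule set, so the permit rule stays in it;
    # a deny claim always overrides a permit claim in AD FS.
    Set-ADFSRelyingPartyTrust -TargetName $relyingParty -IssuanceAuthorizationRules $rules[$Scenario]
    # Read back what is now applied so the change can be reviewed
    (Get-ADFSRelyingPartyTrust -Name $relyingParty).IssuanceAuthorizationRules
}

# Usage:
# Set-O365ClientAccessPolicy -Scenario BlockExternalExceptActiveSync
```

Test from an internal client, from an external browser, and from an ActiveSync device before and after the change: the x-ms-forwarded-client-ip claim only exists on requests that traversed a federation server proxy, so the IP regex must list the addresses the proxy sees, not internal ranges.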
Module 4: Deploying Directory Synchronization (DirSync)
DirSync | Enables Single Sign-On
• Enables “run state” administration and management of users, groups, and contacts
• Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
• Not intended as a single-use bulk upload tool
Important Deployment Notes
• Do not install the Directory Synchronization tool on the same computer that has Active Directory Federation Services (AD FS) 2.0 installed on it
• Install and Upgrade the Microsoft Online Services Directory Synchronization tool: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652545.aspx
• Deploy and Configure AD FS 2.x and then DirSync
DirSync Requirements Overview
DirSync | Server Requirements
• Computer must be joined to an Active Directory domain within the same forest that will be synchronized with Office 365 (does not have to be joined to the root domain)
• Computer must be able to communicate with any/all domain controllers forest wide
• Computer should be located in an access-controlled environment; access should be limited to those with access to domain controllers and other security-sensitive systems
DirSync | Software Requirements
• Windows Installer 4.5 or later
• Windows PowerShell version 2.0
• Microsoft .NET Framework version 3.5 or later
• Windows Server 2008 R2 x64 with the latest service pack installed
DirSync | Hardware Requirements
• Minimum of 1 GB hard drive space: 600 MB for a complete installation of all Directory Synchronization Tool components, 400 MB required to create the initial database file
• Additional hard drive space most likely required for mid-size or larger companies
• Server hardware should meet the minimum requirements for SQL Server 2012 Express Edition and FIM (x64)
DirSync | Hardware Recommendations
Recommend a system that exceeds the minimum requirements:
Number of objects in Active Directory: CPU, Memory, Hard disk size
• Fewer than 10,000: 1.6 GHz, 4 GB, 70 GB
• 10,000–50,000: 1.6 GHz, 4 GB, 70 GB
• 50,000–100,000: 1.6 GHz, 16 GB, 100 GB
• 100,000–300,000: 1.6 GHz, 32 GB, 300 GB
• 300,000–600,000: 1.6 GHz, 32 GB, 450 GB
• More than 600,000: 1.6 GHz, 32 GB, 500 GB
DirSync | Permission Requirements
• Account used to install DirSync must have: local machine administrator permissions; if using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the role of db_owner
• Account used to configure DirSync must reside in the local machine MIISAdmins group (account used to install DirSync is automatically added)
• Administrator permission in the Office 365 tenant: DirSync uses an administrator account in the tenant to provision and update/modify objects
• Enterprise Administrator permission in the on-premises Active Directory: credential is not stored/saved by the configuration wizard; used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest; used to delegate the following permissions on each domain partition in the forest: Replicating Directory Changes, Replicating Directory Changes All, Replication Synchronization
DirSync Synchronization
• Entire Active Directory forest is scoped for synchronization
• What is synchronized? All user objects, all group objects, mail-enabled contact objects
• Passwords are not synchronized (by default, but now possible)
• Synchronization is from on-premises to Office 365 only (unless “write-back” is enabled)
• Synchronization occurs every 3 hours
• Use “Start-OnlineCoexistenceSync” cmdlet to force a sync
DirSync Synchronization
• First synchronization cycle after installation is a full synchronization: time-consuming process relative to number of objects synchronized (~5000 objects per hour)
• Subsequent synchronization cycles are deltas only: much faster
• Not all on-premises attributes synchronized for each object type, but 100+ attributes are synchronized
• Once implemented, on-premises AD becomes the “source of authority” for synchronized objects
• Modifications to synchronized objects must occur in the on-premises AD; synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
• Scoping/Filtering: custom scoping or filtering is officially supported (guidance available here: http://technet.microsoft.com/en-us/library/jj710171.aspx)
Activate DirSync
DirSync activation could require up to 48 hours; plan this activity in advance!
Download DirSync
Installation
Configuration
The configuration wizard will enable this specific option ONLY if the forest schema has already been extended for Exchange 2010/2013
This is a requirement for a Hybrid Environment
Users Sync Results on Office 365 Portal
DEMO
Troubleshooting
Issue 1
In an SSO environment, when I try to log in to Office 365 I get (every time) a popup window asking for my credentials.
Issue 2
In an SSO environment, when I try to log in to Office 365 from outside my organization (ADFS Proxy), I receive an error message.
Reference Number will always be different
Q&A and Feedback
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.