Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S
Identity in a World of Cloud
Identity management with Azure Active Directory and Office 365
© EG A/S
About me
Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S
Expertise: Office 365, Microsoft Azure, Certificate Services/PKI, Federation Services, Exchange, Active Directory.
MCSE: Communication | MCSA: Office 365 | MCTS: Exchange | MCSA: Windows Server 2012 R2
Contact me:
E-mail: [email protected]
mistercloudtech.com
Twitter: twitter.com/JakobONielsen
Phone: +45 7260 2378 / +45 2085 9156
Agenda
Identity models
How to choose an identity model
Identity Synchronization tools
Azure AD Connect
Password sync and Federated identity
Azure Active Directory applications
SourceAnchor and account matching
AD Sync Recommendations
Identity as the foundation
[Diagram: Microsoft Azure Active Directory as the identity foundation, connecting on-premises Windows Server Active Directory and other directories with the public cloud: SaaS, Azure, Office 365.]
Office 365 Identity Models
• Cloud identity: identity "in cloud"; zero on-premises servers.
• Synchronized identity: on-premises identity; directory sync with password sync; between zero and three additional servers on-premises depending on the number of users.
• Federated identity: on-premises identity; directory sync plus federation; between two and eight servers on-premises and networking configuration depending on the sign-in availability requirements.
Identity Synchronization and Federation
[Diagram: on-premises on the left, Azure Active Directory on the right. Directory synchronization copies accounts from the on-premises directory to Azure AD through the Graph API. Federated sign-in goes through the on-premises identity provider using WS-Federation, WS-Trust, SAML 2.0 and Shibboleth, with federation metadata exchanged between the two sides. Passive authentication covers browser clients (Exchange Web Access, SharePoint Online); active authentication covers rich clients (Exchange mailbox access from Outlook, Skype for Business, etc.). Authentication is performed by the identity provider, authorization by Azure Active Directory.]
Cloud identity model
[Diagram: the user's cloud identity exists only "in cloud" in Azure Active Directory. The user signs in at http://portal.office.com and Azure AD performs the authentication.]
Synchronized Identity Model
[Diagram: Azure AD Sync copies user accounts and password hashes from the on-premises directory to Azure Active Directory. The user signs on to Azure AD, which performs the authentication itself against the synchronized identity ("Same Sign-On").]
Password hash sync security
• The AD account password is hashed twice, each time through a one-way hash algorithm
• Not reversible to get the user's password
• The result of the hashes is synced
Additional security:
• Connections are SSL encrypted
• Connections are only to Azure AD
Enables validation:
• Azure AD can validate the user's password when they log in
[Diagram: account password in the on-premises directory -> Azure AD Sync: Hash x 2 -> Encrypt (SHA-256, SSL) -> Azure AD.]
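The flow on the slide (a one-way hash of the on-premises hash is what leaves the premises, and Azure AD validates a sign-in by recomputing it) can be modelled in a few lines. This is an added example, not code from the presentation or from Azure AD Connect: SHA-256 stands in for the on-premises hash and PBKDF2-HMAC-SHA256 with an assumed iteration count and salt length for the second hash, since the slide names the functions only as "hash x 2" and SHA-256.

```python
import hashlib
import hmac
import os

# Added example (not from the presentation): a model of the password hash
# sync flow on the slide. The on-premises password hash is passed through
# a second one-way function before it leaves the premises, and Azure AD
# validates a sign-in by recomputing that second hash. The concrete
# functions are this example's assumptions: SHA-256 stands in for the
# on-premises hash and PBKDF2-HMAC-SHA256 for the second hash.

STAGE2_ITERATIONS = 1000   # assumed iteration count for the second hash
SALT_BYTES = 10            # assumed per-user salt length


def on_prem_hash(password: str) -> bytes:
    """Stage one: the hash stored in the on-premises directory (stand-in)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_hash(stage1: bytes, salt: bytes) -> bytes:
    """Stage two: one-way hash of the on-premises hash. This is what gets synced."""
    return hashlib.pbkdf2_hmac("sha256", stage1, salt, STAGE2_ITERATIONS)


def build_sync_record(upn: str, password: str) -> dict:
    """What the sync engine ships for one user: the second-stage hash plus
    its salt. Neither the cleartext nor the stage-one hash is included."""
    salt = os.urandom(SALT_BYTES)
    return {"upn": upn, "salt": salt, "hash": sync_hash(on_prem_hash(password), salt)}


def cloud_validate(record: dict, attempt: str) -> bool:
    """Azure AD side: recompute both stages from the sign-in attempt and
    compare in constant time. Nothing here can recover the password."""
    candidate = sync_hash(on_prem_hash(attempt), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Constructed sample: one user, a correct and a wrong sign-in attempt,
    and a second record for the same password to show the salt at work."""
    rec = build_sync_record("alice@contoso.example", "CorrectHorse!9")
    rec_again = build_sync_record("alice@contoso.example", "CorrectHorse!9")
    return {
        "correct_password_accepted": cloud_validate(rec, "CorrectHorse!9"),
        "wrong_password_rejected": not cloud_validate(rec, "CorrectHorse!8"),
        "hash_differs_per_salt": rec["hash"] != rec_again["hash"],
        "synced_hash_len": len(rec["hash"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The per-user salt is the part worth noticing: two records for the same password do not share a hash, so the synced values cannot be matched against a precomputed table, and validation still works because the salt travels with the record.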
Choosing between sync tools
DirSync:
• Still the default sync tool linked from the Office 365 Admin Portal
• Only supports sync from a single AD forest
• Supports object filtering (domain, OU, attribute)
• Remains supported following the Microsoft Online Services Support Lifecycle Policy (12 months), probably after AAD Connect GA*
Azure AD Sync:
• All the features from DirSync
• Supports sync from multiple AD forests, incl. merge of duplicate accounts into one Office 365 tenant
• Supports sync from LDAP v3, SQL ID store (pending)
• Installs prerequisite software components during install
• Upgrade from DirSync with uninstall/install
Azure AD Connect:
• Will include all features from DirSync and Azure AD Sync (announced)
• Installer options to deploy Azure AD Sync with password sync and optionally ADFS
• Will support Azure AD Premium features (password, device, group writeback, +…)
• Released in GA on June 24, 2015
Azure AD Connect – Identity Bridge
[Diagram: Azure AD Connect (sync + sign-on) bridges on-premises identity stores (Active Directory, LDAP directories, other identity stores) to Azure AD, which provides common sign-on to SaaS apps such as Box, Citrix, Concur, GoToMeeting, DocuSign, Dropbox, Google Apps, Jive, Salesforce, ServiceNow, Workday, … and your custom apps.]
Azure AD Connect with Express Settings
• Use one tool instead of many
• Get up and running quickly (5 clicks)
• Start here, then scale up or add options
• Custom options to address more complex scenarios
Get up and running with:
• Most common, simple options
• Single AD forest
• Synchronization of all on-premises objects
• Password synchronization of all users
• Creates default on-premises service account
• Creates default cloud service account with tailored role
• Enterprise admin requirement in on-premises AD
• Global admin requirement in the cloud
• Sets up sync with the AD Connector for on-premises AD and the Azure Connector for Azure AD
Azure AD Connect with Express Settings
Customized settings allow more advanced options:
• Supports multi-forest synchronization
• Support for hybrid scenarios and/or Single Sign-On using ADFS
• Deploy pilot users using filtering of domain, OU or attribute
• Assign a custom lower-privilege service account
• Sync selected users using filtering (OU, domain, group, attribute)
• Postpone initial full sync ("staging mode")
• Support for Azure AD Premium features: writeback of passwords, users, groups and devices from the cloud
• Windows 10 computer sync to Azure AD
• Sync of custom and directory extension attributes
Azure AD Connect: Making hybrid identity simple
Azure Active Directory Connect:
• Deployment assistant for identity bridge components
• Simplified deployment of federation components
• Health: operations and monitoring of all Azure AD Connect components
[Diagram: Azure AD Connect covers the sync services (DirSync, Azure AD Sync, FIM + Azure AD Connector), ADFS, and ADFS Health.]
Federated identity model
[Diagram: the on-premises directory holds the user accounts and password hashes; Azure AD Sync synchronizes the user accounts to Azure AD. At sign-on the user is redirected to on-premises AD FS, which authenticates the user and issues a security token that Azure AD accepts (federated identity).]
As alternatives to on-premises AD FS, both AD FS and WAP can be hosted in Azure or with a hosting partner.
Single Sign-On for web apps can also use Azure AD Access Control Service (ACS) as the Secure Token Service (STS).
Password Sync Backup for Federated Sign-In
Password sync backup for Office 365 federated sign-in provides the option to switch a federated domain to a synchronized domain in the event of on-premises outages or Internet access disruption.
[Diagram: federated identity through AD FS, with Azure AD Sync synchronizing user accounts and a backup password hash sync from the on-premises directory to Azure AD.]
How to choose an identity model
• Cloud identity: zero on-premises servers
• Synchronized identity: on-premises identity; directory sync with password sync
• Federated identity: on-premises identity; directory sync plus federation
Choosing Password Sync or ADFS for Sign-On
• Choose the simplest model that will fit business requirements
• Cloud identity when no on-premises AD exists
• Password sync for standard on-premises AD integrations
• Federated identity for the following scenarios:
  - The organization already has ADFS or another federation service
  - Hybrid integration with cloud services (Exchange/SharePoint/Skype4B/..)
  - Password prompts from domain-joined computers must be minimized (SSO)
  - Security policy requires sign-in auditing and/or immediate disabling of accounts
  - Security policy prohibits sync of password hashes to Azure AD
  - Client sign-in restrictions by network location or work hours
  - Conditional Access for both on-premises and cloud resources
  - Use of FIM/MIM for on-premises identity management
  - On-premises Multi-Factor Authentication or smart card support for sign-in
Change between models as needs change
Cloud Identity to Synchronized Identity:
• Deploy DirSync / Azure AD Sync / Azure AD Connect
• Hard match or soft match of users
Synchronized Identity to Federated Identity:
• Deploy AD FS and configure a trust between ADFS and Azure AD
• PowerShell: Convert-MsolDomainToFederated
• Leave password sync enabled as backup
Federated Identity to Synchronized Identity:
• PowerShell: Convert-MsolDomainToStandard
• Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized Identity to Cloud Identity:
• PowerShell: Set-MsolDirSyncEnabled
• Takes 72 hours; monitor with PowerShell: Get-MsolCompanyInformation
Azure AD Connect: Federated Sign on
[Diagram: the user device signs on to Azure AD and SaaS apps; the sign-on is redirected through the Web Application Proxy in the perimeter network (between two firewalls) to AD FS, which authenticates against Active Directory.]
Making ADFS Easier
• Get familiar with the TechNet deployment guidance
• Implement the ADFS and Office 365 requirements
• A public SSL certificate is required for ADFS/WAP
• Use Azure AD Connect for easier deployment
• Add support for multiple domains during cloud federation
• Change the Token-Signing and Token-Decrypting certificate expiration
Azure Active Directory applications
• Currently ~2500 SaaS cloud apps
• Integrate with Azure AD
• Single Sign-On support
• Central provisioning in Azure
• User provisioning with local AD groups using Azure AD Premium
• Full SaaS cloud app list at: Azure Active Directory Marketplace
SourceAnchor and UserPrincipalName
SourceAnchor (ImmutableID):
• Base64 encoding of the on-premises account objectGUID
• Static ("immutable") during the entire lifetime of an object
• The SourceAnchor value cannot (easily!) be changed after the object is created in AAD!
• When the immutable attribute is first selected, it CANNOT be changed!
• Recommended: ObjectGUID, EmployeeID
• Avoid: mail, userPrincipalName
UserPrincipalName:
• The default logon attribute for users' login to cloud services
• Keep the default! Don't change it if at all possible
• Changing to another attribute is not supported with Hybrid Office 365 enabled
Account matching
• Hard match: first attempt; hard match based on ObjectGUID
• Soft match: if unsuccessful, attempt soft match based on the primary SMTP address
IMPORTANT:
• Be sure all SMTP domains are validated in the tenant before activating directory synchronization
• If neither an objectGUID nor an SMTP match can be made, a new object will be created in Azure AD
• Reactivation of AD Sync overwrites all changes in Azure AD since the last sync -> perform a backup of cloud user data before reactivation!
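The two preceding slides (SourceAnchor/ImmutableID and account matching) fit together in one small model: derive the ImmutableID from the objectGUID, then try the hard match first and the soft match on the primary SMTP address second. This is an added example, not code from the presentation or from Azure AD Connect; the GUIDs, tenant users and on-premises users are constructed sample data, and the rule that a soft match only considers cloud objects with no ImmutableID yet is this example's reading of the slide's "if unsuccessful" order.

```python
import base64
import uuid

# Added example (not from the presentation): models the SourceAnchor /
# ImmutableID derivation and the hard-match-then-soft-match order from the
# slides. The GUIDs and user records below are constructed sample data.


def immutable_id_from_guid(object_guid: str) -> str:
    """ImmutableID = Base64 of the objectGUID bytes. The bytes are taken in
    the order .NET's Guid.ToByteArray() produces (first three fields
    little-endian), which uuid.bytes_le reproduces; Base64 of the canonical
    string form would be a different, wrong value."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse: recover the canonical objectGUID string from an ImmutableID."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


def primary_smtp(proxy_addresses: list):
    """The upper-case 'SMTP:' prefix marks the primary address in proxyAddresses."""
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[5:].lower()
    return None


def match_account(on_prem_user: dict, cloud_users: list) -> tuple:
    """Returns (method, cloud_user): 'hard' on ImmutableID, else 'soft' on the
    primary SMTP address against cloud objects not yet anchored, else 'new'."""
    iid = immutable_id_from_guid(on_prem_user["objectGUID"])
    for cu in cloud_users:                       # 1. hard match on ImmutableID
        if cu.get("ImmutableId") == iid:
            return "hard", cu
    smtp = primary_smtp(on_prem_user["proxyAddresses"])
    for cu in cloud_users:                       # 2. soft match on primary SMTP
        if cu.get("ImmutableId") is None and cu.get("primarySmtp") == smtp:
            return "soft", cu
    return "new", None                           # 3. a new Azure AD object is created


# Constructed sample data: one anchored cloud user, one cloud-only user.
ALICE_GUID = "12345678-1234-1234-1234-123456789abc"
CLOUD_USERS = [
    {"upn": "alice@contoso.example", "ImmutableId": immutable_id_from_guid(ALICE_GUID),
     "primarySmtp": "alice@contoso.example"},
    {"upn": "bob@contoso.example", "ImmutableId": None,
     "primarySmtp": "bob@contoso.example"},
]
ON_PREM_USERS = [
    {"sAMAccountName": "alice", "objectGUID": ALICE_GUID,
     "proxyAddresses": ["SMTP:Alice@contoso.example", "smtp:a.smith@contoso.example"]},
    {"sAMAccountName": "bob", "objectGUID": "0f0e0d0c-0b0a-0908-0706-050403020100",
     "proxyAddresses": ["SMTP:Bob@contoso.example"]},
    {"sAMAccountName": "carol", "objectGUID": "11111111-2222-3333-4444-555555555555",
     "proxyAddresses": ["SMTP:carol@contoso.example"]},
]


def match_all() -> dict:
    """Match method per on-premises user against the constructed tenant."""
    return {u["sAMAccountName"]: match_account(u, CLOUD_USERS)[0] for u in ON_PREM_USERS}


if __name__ == "__main__":
    print(immutable_id_from_guid(ALICE_GUID))
    print(match_all())
```

Running it gives alice a hard match, bob a soft match on his primary SMTP address, and carol no match at all, which is the case where a new Azure AD object would be created; the byte-order detail in `immutable_id_from_guid` is why comparing an ImmutableID against a GUID you encoded by hand often fails.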
Directory Synchronization
IMPORTANT: Before activating AD Sync, be sure directory cleanup is completed!
• The primary SMTP address must be unique in the entire enterprise
• No duplicate proxyAddresses must exist
• All UPNs and SMTP addresses must be correctly formatted
• The only supported management tool is the on-prem Exchange Admin Center/Shell
• When the immutable attribute is first selected, it CANNOT be changed!
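The three cleanup rules above can be checked before the first sync with a read-only pass over exported user attributes. This is an added example, not code from the presentation: the records are constructed sample data, and what counts as "correctly formatted" is this example's assumption (local-part@dotted-domain, no spaces). It reports, it does not change anything; the fixes themselves still go through the Exchange Admin Center/Shell as the slide says.

```python
import re
from collections import Counter

# Added example (not from the presentation): read-only pre-sync checks for
# the three cleanup rules on the slide (unique primary SMTP, no duplicate
# proxyAddresses, well-formed UPNs and SMTP addresses). The user records
# are constructed sample data; in a real directory they would be exported
# from AD with the attributes shown.

# Assumed "correctly formatted": local-part@domain with a dotted domain,
# no spaces and no characters outside the usual address set.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def check_directory(users: list) -> list:
    """Returns findings as (account, problem, value); an empty list means clean."""
    findings = []
    primaries, all_smtp = [], []
    for u in users:
        name = u["sAMAccountName"]
        upn = u.get("userPrincipalName", "")
        if not ADDRESS_RE.match(upn):
            findings.append((name, "malformed UPN", upn))
        prim = [a[5:] for a in u["proxyAddresses"] if a.startswith("SMTP:")]
        if len(prim) != 1:                       # exactly one upper-case SMTP: entry
            findings.append((name, "needs exactly one primary SMTP", str(len(prim))))
        for a in u["proxyAddresses"]:
            if not a.lower().startswith("smtp:"):
                continue                         # X500/SIP/X400 entries are not checked here
            value = a[5:]
            if not ADDRESS_RE.match(value):
                findings.append((name, "malformed SMTP address", value))
            all_smtp.append(value.lower())       # addresses compare case-insensitively
        primaries.extend(p.lower() for p in prim)
    for addr, n in Counter(primaries).items():
        if n > 1:
            findings.append(("*", "duplicate primary SMTP", addr))
    for addr, n in Counter(all_smtp).items():
        if n > 1:
            findings.append(("*", "duplicate proxyAddress", addr))
    return findings


def ready_for_sync(users: list) -> bool:
    """True only when no finding remains."""
    return not check_directory(users)


# Constructed sample directory: alice is clean, bob reuses one of alice's
# secondary addresses, carol has a malformed UPN and two primaries, dave has
# no primary and an address containing a space.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.example",
     "proxyAddresses": ["SMTP:alice@contoso.example", "smtp:alice.a@contoso.example",
                        "X500:/o=Contoso/ou=Exchange Administrative Group/cn=Recipients/cn=alice"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@contoso.example",
     "proxyAddresses": ["SMTP:bob@contoso.example", "smtp:alice.a@contoso.example"]},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@contoso",
     "proxyAddresses": ["SMTP:carol@contoso.example", "SMTP:carol@sales.contoso.example"]},
    {"sAMAccountName": "dave", "userPrincipalName": "dave@contoso.example",
     "proxyAddresses": ["smtp:dave@contoso.example", "smtp:d ave@contoso.example"]},
]


if __name__ == "__main__":
    for finding in check_directory(SAMPLE_USERS):
        print(finding)
    print("ready:", ready_for_sync(SAMPLE_USERS))
```

Duplicates are reported under the "*" account because they belong to the directory rather than to one user; the account-level findings point at the object to fix. Run it on the real export, not only on the sample, and keep the findings list until it is empty before the first full sync.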
Common multi-forest topologies
• Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
• Account-Resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts. Joined on objectSID and msExchMasterAccountSID.
• Separate forests: each object in every forest will be represented in Azure AD.
Summary
Choose the simplest identity model for your requirements
Cloud identity for no on-premise AD
Synchronized identity for basic setup – add more later
Federated identity for additional requirements
Identity models can be changed as requirements change
Azure AD Connect will be the new primary sync tool
Easier ADFS deployment still needs preparation
Azure AD applications integration and Single Sign-On
Plan ImmutableID and Matching attributes ahead
Directory Synchronization requires proper AD cleanup
© 2014 EG A/S. All rights reserved.
The content of this material, including the text, images and other graphics and their arrangement, are copyrighted by EG A/S or its affiliated, associated or related companies. EG A/S makes no warranties, express, implied or statutory, as to the information in this presentation.