Identity in Office 365
Blog: http://www.MyCentralAdmin.com Twitter: @ferringer
3 | SharePoint Saturday Redmond 2012
Outline
Office 365 Overview
Changing the Identity Perspective
Authentication vs. Authorization
Who Are You?
What Do You Do Here?
Who’s in Charge Here?
Email and Calendaring
Websites and Collaboration
IM and Online Meetings
Office Client and Web Apps
Hosted by Microsoft – in the cloud!
Did Someone say Cloud?
What’s Your Perspective?
Identity’s impact on Office 365
End User Experience
Complexity
Scale
Manageability
Investment
Authentication vs. Authorization
Who gets in?
What can they do?
Who gets in?
Where do your Office 365 user accounts live?
What is needed to use them?
What can they do?
What are the limitations of the approach?
Identity Options
1. Microsoft Online (MSO) IDs
2. MSO IDs + Directory Synchronization
3. Single Sign On + Directory Synchronization
[Diagram: identity architecture. Your Environment (AD, MS Online Directory Sync, Active Directory Federation Services 2.0 acting as IdP with its directory store) has a trust with Microsoft Online Services (Identity Services: provisioning platform, authentication platform, IdP, Admin Portal/PowerShell, Office 365 Desktop Setup), which front Lync Online, SharePoint Online and Exchange Online.]

What can they do?

1. MSO IDs
   Appropriate for: Smaller orgs without AD on-premise
   Pros: • No servers required on-premise
   Cons: • No SSO • No 2FA • 2 sets of credentials to manage with differing password policies • IDs mastered in the cloud

2. MSO IDs + Directory Synchronization
   Appropriate for: Medium/Large orgs with AD on-premise
   Pros: • Users and groups mastered on-premise • Enables co-existence scenarios
   Cons: • No SSO • No 2FA • 2 sets of credentials to manage with differing password policies • Single server deployment

3. Single Sign On + Directory Synchronization
   Appropriate for: Larger enterprise orgs with AD on-premise
   Pros: • SSO with corporate credentials • IDs mastered on-premise • Password policy controlled on-premise • 2FA solutions possible • Enables co-existence scenarios
   Cons: • High availability server deployments required

Sign On Experience: SSO* vs. Online IDs Summary

| | Outlook Web Application | SharePoint Web Application | ActiveSync, POP, IMAP, Entourage | Outlook 2007 or 2010 (Win7/Vista/XP, Office 2010 or Office 2007 SP2) | Lync Online (Win7/Vista/XP) |
|---|---|---|---|---|---|
| MS Online IDs | Online ID | Online ID | Online ID | Online ID | Online ID |
| SSO IDs (domain joined) | AD credentials | AD credentials | AD credentials | AD credentials | AD credentials |
| SSO IDs (non-domain joined) | AD credentials | AD credentials | AD credentials | AD credentials | AD credentials |

*Requires ADFS 2.0

Active Directory Federation Services (AD FS)
[Diagram: the identity architecture above, shown again to place Active Directory Federation Services 2.0: it sits in your environment next to AD, holds the IdP directory store, and is trusted by the Microsoft Online Services authentication platform that fronts Lync Online, SharePoint Online and Exchange Online.]

How does AD FS work?
Claims authentication
Think of it like a passport
Passport Application
Visa Application
Submit for authorization
Allowed access
AD FS’s Authentication flow
[Diagram: a client joined to CorpNet logs on to the AD FS 2.0 server in your environment, which authenticates it against Active Directory and issues a Logon (SAML 1.1) Token carrying UPN: [email protected] and Source User ID: ABC123. The client presents that token to the Microsoft Online Services authentication platform, which issues an Auth Token carrying UPN: [email protected] and Unique ID: 254729; that token is what Exchange Online or SharePoint Online accepts.]

AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Outlook)
[Diagram: Enterprise network with Active Directory and AD FS 2.0 Servers serving the internal user; DMZ with AD FS 2.0 Server Proxies serving the external user.]

ADFS Considerations
Can you afford an outage?
How do you secure it?
It’s complex
Requires specific AD config
UPN formatting
Requires DirSync
Other options available
Shibboleth (added August 2012)
Hat tip: @usher
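The "requires specific AD config / UPN formatting" point is the one that most often bites during an AD FS rollout: every account DirSync pushes up needs a UPN whose suffix is a domain verified in Office 365, and a non-routable suffix such as .local or an empty UPN means that user cannot sign on through federation. The script below is an added example, not from the deck or from Microsoft; it assumes the ActiveDirectory PowerShell module, a constructed list of verified domains and a placeholder OU, and reports the accounts to fix before the cut-over.

```powershell
# Added example (not from the deck): find AD accounts whose UPN will not work with
# AD FS / Office 365 federation, so they can be corrected before SSO is enabled.
Import-Module ActiveDirectory

# Assumption: the domains you have verified in the Office 365 portal (constructed values).
$verifiedSuffixes = @('contoso.com', 'fabrikam.com')

# Assumption: placeholder OU; narrow it to the accounts DirSync actually exports.
$searchBase = 'OU=O365Users,DC=corp,DC=contoso,DC=local'

$problems = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties UserPrincipalName, mail |
  ForEach-Object {
    $upn = $_.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        # AD does not require a UPN, but federation does.
        [pscustomobject]@{ Sam = $_.SamAccountName; Upn = $upn; Issue = 'No UPN set' }
    } elseif ($verifiedSuffixes -notcontains $upn.Split('@')[-1].ToLower()) {
        # Typical case: a .local forest suffix that Office 365 can never verify.
        [pscustomobject]@{ Sam = $_.SamAccountName; Upn = $upn; Issue = 'UPN suffix not verified in Office 365' }
    } elseif ($_.mail -and $_.mail -ne $upn) {
        # Not fatal, but users will be asked to sign in with a name that differs from their email.
        [pscustomobject]@{ Sam = $_.SamAccountName; Upn = $upn; Issue = 'UPN differs from primary mail address' }
    }
  }

$problems | Sort-Object Issue, Sam | Format-Table -AutoSize
"{0} account(s) need attention before enabling SSO" -f @($problems).Count
```

Run it as an account with read access to the OU; it changes nothing. The fixes themselves (adding the public suffix as an alternative UPN suffix in AD Domains and Trusts, then updating each user's UPN) are deliberate changes that belong in a change window, because DirSync will carry the new UPN up on its next cycle.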
Directory Synchronization
One-way copy of accounts to Office 365
Required for SSO/AD FS
But can be used without AD FS
Required for Hybrid scenarios
Think of it as an appliance, always running
How DirSync Fits in
[Diagram: the same identity architecture, placing MS Online Directory Sync between your AD and the Microsoft Online Services identity services (the directory store behind Lync Online, SharePoint Online and Exchange Online), alongside the AD FS 2.0 trust.]

Getting to know DirSync
It’s actually Forefront Identity Manager
Copies AD accounts into Office 365
But not back down
Doesn’t sync passwords
Filtering now available
Can have sizing issues
Upload sizing
Database sizing
FIM: no touchy! (maybe)
Who does what around here?
Role-based Administration (RBAC)
External access
Office 365 user roles
End Users
Service administrators
Exchange Online
SharePoint Online
Lync Online
Office 365 administrators
External users
Office 365 admin roles
Global administrator
Billing administrator
Password administrator
Services administrator
User management administrator
Delegated administrator
See the Office 365 Support Services Description document for more info:
http://tinyurl.com/o365SvcDescrs
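The point of having Billing, Password, Services and User management administrators is that nobody needs Global administrator for day-to-day work, so the membership of that role should be small and known. The script below is an added example, not from the deck or from Microsoft; it uses the MSOnline module's role cmdlets to report who holds each role, and assumes a constructed policy limit on Global administrators. Note that the module names the roles differently from the portal: Global administrator appears as "Company Administrator".

```powershell
# Added example (not from the deck): audit Office 365 admin role membership.
Import-Module MSOnline
Connect-MsolService   # prompts for an Office 365 admin credential

# One row per (role, member) pair across every directory role in the tenant.
$members = foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $role.Name
            Member      = $m.EmailAddress
            DisplayName = $m.DisplayName
            MemberType  = $m.RoleMemberType
        }
    }
}

$members | Sort-Object Role, Member | Format-Table -AutoSize

# Assumption: constructed policy value; the cap on Global administrators you actually allow.
$maxGlobalAdmins = 3
$globalAdmins = @($members | Where-Object { $_.Role -eq 'Company Administrator' })
if ($globalAdmins.Count -gt $maxGlobalAdmins) {
    Write-Warning ("{0} Global administrators found; policy allows {1}" -f $globalAdmins.Count, $maxGlobalAdmins)
}

# A role held by exactly one account is a continuity risk if that account is lost or locked out.
$members | Group-Object Role | Where-Object { $_.Count -eq 1 } |
    ForEach-Object { Write-Warning ("Role '{0}' has a single member: {1}" -f $_.Name, $_.Group[0].Member) }
```

Schedule it and diff the output against the previous run: a new Global administrator appearing between two runs is exactly the kind of change you want to see without waiting for someone to notice in the portal.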
External access
Allows external users access to SharePoint Online
No USLs required
Not full Extranet
Users can have:
MSO ID
Live ID
EASI ID
It’s a Feature Preview…
Managing Identity in Office 365
Admin activities do not go away
AD FS is complex
And important!
PowerShell is your friend
How’s your internet connection?
Office 365 is constantly changing
Troubleshooting Identity
Microsoft Online Diagnostics and Logging tool (MOSDAL)
Microsoft Remote Connectivity Analyzer: http://testexchangeconnectivity.com
Fiddler
WireShark/Netmon
Office 365 Expert Discussion Series: http://tinyurl.com/o365ExptDisc
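Before reaching for Fiddler or Netmon, it is worth checking the federation settings Office 365 actually holds for the domain, because the "Can you afford an outage?" case on the ADFS Considerations slide usually comes down to a token-signing certificate that expired or was rotated on the AD FS side without Office 365 being updated. The script below is an added example, not from the deck or from Microsoft; it assumes the MSOnline module and uses a placeholder domain name.

```powershell
# Added example (not from the deck): show the federation settings Office 365 holds for
# a domain and warn when the token-signing certificate it trusts is close to expiry.
Import-Module MSOnline
Connect-MsolService

# Assumption: placeholder; replace with your federated domain.
$domain = 'contoso.com'
$settings = Get-MsolDomainFederationSettings -DomainName $domain

# The URIs here must match what the AD FS server publishes, or sign-on fails quietly.
"Issuer URI    : {0}" -f $settings.IssuerUri
"Passive logon : {0}" -f $settings.PassiveLogOnUri
"Active logon  : {0}" -f $settings.ActiveLogOnUri

# Office 365 stores the current and (optionally) next signing certificate as base64 DER.
foreach ($slot in 'SigningCertificate', 'NextSigningCertificate') {
    $b64 = $settings.$slot
    if (-not $b64) { continue }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($b64))
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    "{0}: thumbprint {1}, expires {2:yyyy-MM-dd} ({3} days left)" -f $slot, $cert.Thumbprint, $cert.NotAfter, $daysLeft
    if ($daysLeft -lt 30) {
        Write-Warning "$slot for $domain expires in $daysLeft days; refresh the federation settings before it does"
    }
}
```

Compare the thumbprints with the token-signing certificate shown in the AD FS 2.0 management console; a mismatch, or an expiry date in the past, explains a tenant-wide sign-on failure far faster than a packet capture will.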
Tie IT All Together
Blog: http://www.MyCentralAdmin.com Twitter: @ferringer