Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to The Cloud™. With Azure Active Directory (AAD) driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore Cloud Identity, identity federation, directory synchronisation and, most importantly, Azure and its impact on user experience and access to Office 365. Throughout this session, we'll answer the questions that affect you and show how your decisions around identity shape your Office 365 experience.
5. #auspc #nzspc
#spt1413
What is Identity Management?
“Identity management (IdM) describes the management of individual principals, their authentication, authorisation, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
https://en.wikipedia.org/wiki/Identity_management
Authentication and Authorization
• Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated entity is authorized to perform on the network.
Single Sign On (SSO) is the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged in to one does not need to log in again for the second.
Relying Party (RP) is the system that relies on the IDP to authenticate a user.
Security Assertion Markup Language (SAML)
SAML is a public standard managed by OASIS. SAML is the identity token and also the protocol.
WS-Federation (WSFED) / WS-Trust
WSFED is used for web browser-based authentication with an IDP. WS-Trust is used by Office client apps to authenticate.*
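The passive (browser, WS-Fed/SAML) and active (WS-Trust, Office clients) endpoints described above are both recorded in the tenant's federation settings for a domain. The following is an added example, not code from the original deck, that reads those settings with the MSOnline module and checks how long the IDP's token-signing certificate remains valid, since an expired signing certificate stops every federated sign-in. The domain name "contoso.com" is a placeholder.

```powershell
# Added example (not from the original deck): summarise a federated domain's
# passive and active sign-in endpoints and the IDP token-signing certificate.
# Requires the MSOnline module; "contoso.com" is a placeholder domain name.
Import-Module MSOnline
Connect-MsolService

function Get-FederationSummary {
    param([Parameter(Mandatory)][string]$DomainName)

    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName

    # SigningCertificate is the base64-encoded X.509 certificate the IDP signs
    # tokens with; AAD stops accepting tokens once it expires, so track the date.
    $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)

    [pscustomobject]@{
        Domain             = $DomainName
        IssuerUri          = $fed.IssuerUri
        PassiveLogOnUri    = $fed.PassiveLogOnUri   # browser sign-in (WS-Fed / SAML-P)
        ActiveLogOnUri     = $fed.ActiveLogOnUri    # WS-Trust endpoint used by Office clients
        Protocol           = $fed.PreferredAuthenticationProtocol
        SigningCertThumb   = $cert.Thumbprint
        SigningCertExpires = $cert.NotAfter
        DaysUntilExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

$summary = Get-FederationSummary -DomainName 'contoso.com'
$summary | Format-List

if ($summary.DaysUntilExpiry -lt 30) {
    Write-Warning "Token-signing certificate for $($summary.Domain) expires in $($summary.DaysUntilExpiry) days; plan the rollover and run Update-MsolFederatedDomain from the AD FS server."
}
```

Run it from any workstation with the MSOnline module after an admin sign-in; the warning threshold of 30 days is a choice, not a Microsoft default.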
What is AAD?
“Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.”
Federated Identity
• Already have ADFS or a 3rd party IDP
• Require immediate disable or Sign-in Audit
• SSO is required
• Multiple Forests
• CAC or on-premises MFA
• Business requires it
What are we going to do?
• Office 365 E3 Tenant
• Configure DirSync
• Users in targeted OU
• One way password sync
• Alternate Login ID
Activate Directory Synchronization
• Logon to the Portal
• Select Users and groups and then activate DirSync
• Select Users and Groups and click Set up Active Directory synchronization
• Wait for DirSync to enable
Download DirSync
• Review all documentation, follow the implementation steps, and download DirSync from the DirSync server
• Logon to DirSync server and run setup
• Follow setup wizard
• When finished, option to start the configuration wizard
• Run configuration wizard
• Provide O365 admin creds
• Provide AD admin creds
• If Exchange hybrid, configure “write-back”
• Password sync option
• Create configuration
• When finished, option to run synchronization
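The portal and wizard steps above leave you with DirSync enabled and, optionally, one-way password sync turned on. The following is an added example, not code from the original deck, that performs the "activate DirSync" step from PowerShell and then checks that object sync and password sync are actually completing, which is the check to run once the wizard has finished its first synchronization. It requires the MSOnline module; the staleness thresholds are assumptions explained in the comments.

```powershell
# Added example (not from the original deck): enable directory sync from
# PowerShell and verify that object sync and one-way password sync are running.
# Requires the MSOnline module and an Office 365 admin sign-in.
Import-Module MSOnline
Connect-MsolService

# Equivalent of "Set up Active Directory synchronization" in the portal.
# The setup and configuration wizards still run on the DirSync server.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
}

function Test-DirSyncHealth {
    param(
        # DirSync runs a sync cycle every 3 hours by default; allow one missed cycle (assumed threshold).
        [int]$MaxObjectSyncAgeHours = 6,
        # Password sync runs on change; a day-old timestamp in a busy directory is worth a look (assumed threshold).
        [int]$MaxPasswordSyncAgeHours = 24
    )
    $info = Get-MsolCompanyInformation
    $now  = Get-Date

    $result = [ordered]@{
        DirSyncEnabled       = $info.DirectorySynchronizationEnabled
        LastDirSyncTime      = $info.LastDirSyncTime
        LastPasswordSyncTime = $info.LastPasswordSyncTime
        ObjectSyncStale      = $false
        PasswordSyncStale    = $false
        SyncedUsers          = 0
        CloudOnlyUsers       = 0
    }
    if ($info.LastDirSyncTime -and ($now - $info.LastDirSyncTime).TotalHours -gt $MaxObjectSyncAgeHours) {
        $result.ObjectSyncStale = $true
    }
    if ($info.LastPasswordSyncTime -and ($now - $info.LastPasswordSyncTime).TotalHours -gt $MaxPasswordSyncAgeHours) {
        $result.PasswordSyncStale = $true
    }

    # Users that came from on-premises carry LastDirSyncTime; cloud-only accounts do not.
    # A few cloud-only admins are expected; unexpected cloud-only users deserve review.
    $users = Get-MsolUser -All
    $result.SyncedUsers    = @($users | Where-Object { $_.LastDirSyncTime }).Count
    $result.CloudOnlyUsers = @($users | Where-Object { -not $_.LastDirSyncTime }).Count

    [pscustomobject]$result
}

$health = Test-DirSyncHealth
$health | Format-List
if ($health.ObjectSyncStale)   { Write-Warning 'Directory sync has not completed recently; check the DirSync server and its Application event log.' }
if ($health.PasswordSyncStale) { Write-Warning 'Password sync timestamp is stale; confirm the password sync option is enabled and the sync account still works.' }
```

The cloud-only versus synced split is useful after the first sync for confirming that the users in the targeted OU arrived and that no stray cloud-only accounts were created by hand.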
• When your on-premises UPN is non-routable on the public internet and you can’t easily update UPN suffixes
• Requires Windows Server 2012 R2 for AD FS*
• Requires comfort with FIM and editing Management Agents
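The Alternate Login ID item above applies when on-premises UPN suffixes are not routable on the public internet. The following is an added example, not code from the original deck, that reports which users in the targeted OU have a non-routable UPN and whether the attribute you intend to sign in with (mail here) belongs to a domain the tenant has verified; it also shows the AD FS cmdlet that enables lookup by that attribute. It requires the ActiveDirectory and MSOnline modules; the OU path, forest name and attribute choice are placeholders.

```powershell
# Added example (not from the original deck): Alternate Login ID readiness report.
# Requires the ActiveDirectory and MSOnline modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

function Get-AlternateLoginIdReadiness {
    param(
        [string]$SearchBase = 'OU=Office365,DC=contoso,DC=local',   # the targeted OU (placeholder)
        [string]$AlternateAttribute = 'mail'                        # attribute users will sign in with
    )
    # Domains the tenant has verified; a sign-in name outside this set cannot be used.
    $verified = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
                ForEach-Object { $_.Name.ToLowerInvariant() }

    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties $AlternateAttribute |
        ForEach-Object {
            $upnSuffix = ($_.UserPrincipalName -split '@')[-1].ToLowerInvariant()
            $alt       = $_.$AlternateAttribute
            $altSuffix = if ($alt) { ($alt -split '@')[-1].ToLowerInvariant() } else { $null }
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                UpnRoutable       = $verified -contains $upnSuffix          # e.g. contoso.local is not
                AlternateLoginId  = $alt
                AlternateRoutable = [bool]($altSuffix -and ($verified -contains $altSuffix))
            }
        }
}

$report = Get-AlternateLoginIdReadiness

# Users who need Alternate Login ID but whose chosen attribute is empty or unverified:
# fix these before switching sign-in to the alternate attribute.
$report | Where-Object { -not $_.UpnRoutable -and -not $_.AlternateRoutable } | Format-Table -AutoSize

# AD FS side (Windows Server 2012 R2, as the deck notes): have the Active Directory
# claims provider look users up by mail in the listed forest(s). Forest name is a placeholder.
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests 'contoso.local'
```

The DirSync side, mapping the same attribute into the cloud UPN, is the Management Agent editing the slide refers to and is not shown here.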
DirSync for LDAPv3
• Supports multiple forests
• Doesn’t include password hash sync
• Includes write back capability with Azure AD Premium subscription
Availability
• Preview now available at: http://go.microsoft.com/?linkid=9845645
• Release later in 2014
Target Identity Providers
• Same as FIM 2010 R2 connector
• FIM connector details at http://go.microsoft.com/fwlink/?LinkID=270179
SAML 2.0
• SSO with passive authentication
• Works with WSFED and SAML 2.0
Planned for later in 2014
• Will require Office Client updates
• Move to Active Directory Authentication Library (ADAL)
• OAUTH for passive authentication
• Support for MFA with AAD
• CAC/PIV support
What is it?
Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
Program Requirements
• Published Qualification Requirements
• Published Technical Integration Docs
• Automated Testing Tool
• Self Testing work by Partner
• Predictable and Shorter Qualification
http://aka.ms/ssoproviders
Diagram (for representative purposes only): WS-Trust & WS-Federation; SAML (passive auth); Active Directory with ADFS
Customer Benefits
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft
• Suitable for medium, large enterprises including educational organizations
• Suitable for medium, large enterprises including educational organizations
• Suitable for educational organizations
• For organizations that need to use SAML 2.0
• Use third-party identity providers to implement single sign-on
• Deployment scenarios for Office 365 with single sign-on and Azure
• Choosing a sign-in model for Office 365
• Password hash sync simplifies user management for Office 365
• Using Alternate Login IDs with Azure Active Directory
• Office 365 SAML 2.0 Federation Implementer’s Guide
• Simplified login to Yammer from Office 365
• Multi-Factor Authentication for Office 365
• Office 365 User Account Management