5. Introduction to identity options
1. MS Online IDs
Appropriate for
• Smaller organizations without
AD on-premise
Pros
• No servers required on-
premise
Cons
• No SSO
• No 2FA (strong authentication)
• 2 sets of credentials to
manage with differing
password policies
• Users and groups mastered in
the cloud
2. MS Online IDs + Dir Sync
Appropriate for
• Orgs with AD on-premise
Pros
• Users and groups mastered on-
premise
• Enables co-existence scenarios
Cons
• No SSO – BUT PASSWORD
SYNC
• No 2FA
• 2 sets of credentials to manage
with differing password policies
• Single server deployment
3. Federated IDs + Dir Sync
Appropriate for
• Larger enterprise organizations
with AD on-premise
Pros
• SSO with corporate cred
• Users and groups mastered on-
premise
• Password policy controlled on-
premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server
deployments required
7. What is DirSync?
•
“…is a Directory Synchronization engine
based on Forefront Identity Manager (FIM)
that will synchronize a subset of your on-
premise Active Directory with Windows Azure
Active Directory (Office 365).”
8. Why use DirSync?
Long term coexistence between Active Directory On Premise and
Windows Azure Active Directory.
(Easy/quick provisioning*)
Single place for managing identities including:
• Users
• Groups
• Memberships
• …
Enabler for Hybrid Deployments (required)
• Two-way Directory Synchronization
9. Deployment Considerations
Active Directory Assessment
• Prerequisites check (Readiness Tool)
Topology
• Single Forest?
• Multiple Domains?
Security
• Firewalls, Permissions
64-bit only!
De/Activation time; can take some time to complete
Object filtering required?
SQL Version - Windows 2012 Server Supported
11. What objects are synced?
From AD to Office 365: http://support.microsoft.com/kb/2256198
From Office 365 to AD (aka write-back):
Write-Back attribute Exchange "full fidelity" feature
SafeSendersHash
BlockedSendersHash
SafeRecipientHash
Filtering: Writes back on-premises filtering and online
safe and blocked sender data from clients.
msExchArchiveStatus Online Archive: Enables customers to archive mail.
ProxyAddresses
(LegacyExchangeDN <online LegacyDn> as X500)
Enable Mailbox: Off-boards an online mailbox back to on-
premises Exchange.
msExchUCVoiceMailSettings
Enable Unified Messaging (UM) - Online voice mail: This
new attribute is used only for UM-Microsoft Lync Server
2010 integration to indicate to Lync Server 2010 on-
premises that the user has voice mail in online services.
13. ADFS: On Premise Topology
Enterprise DMZ
AD FS 2.0
Server
Proxy
Internal
user
Active
Directory
AD FS 2.0
Server
AD FS 2.0
Server
AD FS 2.0
Server
Proxy
14. ADFS: On Premise Topology
Enterprise DMZ
AD FS 2.0
Server
Proxy
Internal
user
Active
Directory
AD FS 2.0
Server
AD FS 2.0
Server
AD FS 2.0
Server
Proxy
15. ADFS: Hybrid Topology: IAAS
Enterprise
Internal
user
Active
Directory
AD FS 2.0
Server
AD FS 2.0
Server
IAAS
External
user
Active
Directory
AD FS 2.0
Server
AD FS 2.0
Server
16. ADFS: Hybrid Topology: IAAS
Enterprise
Internal
user
Active
Directory
AD FS 2.0
Server
IAAS
External
user
Active
Directory
AD FS 2.0
Server
17. ADFS: Cloud Topology: IAAS
IAAS
Internal
External
user
Active
Directory
AD FS 2.0
Server
AD FS 2.0
Server
19. Windows Azure & ADFS
• Virtual Network Support – Site to Site VPN
• Computing: 99,95% SLA Uptime for High Available System
– 99,9% SLA Uptime for Single System
• Storage: 99,9%
• Full Control over your Virtual Machines
• Pay as you Go, OPEX vs CAPEX
• PowerShell Support
20. Windows Azure: Terminology
Cloud Service: Role which several VM’s take upon themselves to
execute. E.G. ADFS. Cloud services need to have two instances or more
to quality for the SLA of 99,95%. 1 External Virtual IP Address per Cloud
Service
Availability Set
21. Windows Azure: Terminology
EndPoints: You need to add an endpoint to a machine for other resources
on the Internet or other virtual networks to communicate with it. You can
associate specific ports and a protocol to endpoints. Resources can
connect to an endpoint by using a protocol of TCP or UDP. The TCP
protocol includes HTTP and HTTPS communication.
Virtual Network enables you to create secure site-to-site connectivity, as
well as protected private virtual networks in the cloud.
25. Migration
DirSync:
1. Shutdown DirSync on Premise
2. Install DirSync on Azure
3. Configure DirSync on Azure
4. Uninstall DirSync on Azure
ADFS:
1. Convert all ADFS Domains to Standard Domains
2. Logon to primary ADFS on Azure
3. Convert all Standard Domains back to Federated Domains
* Using DirSync for only provisioning is NOT supported!
Note: Passwords are NOT synced. If you want to use your on-premise passwords in Office 365/Azure, you will have to deploy ADFS.Future release of DirSync might support Password Synchronization** Functionality nor a release date have been confirmed by Microsoft. As far as I understood, this sync will not really sync the password, but it will rather use the password’s hash