Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to The Cloud™. With Microsoft Azure Active Directory driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore Cloud Identity, identity federation, directory synchronisation, and most importantly Azure and its impact on user experience and access to Office 365. Throughout this session, we'll answer the questions that impact you and how your decisions around identity shape your Office 365 experience.
5. Terminology
What is Identity Management?
“Identity management (IdM) describes the management of individual principals, their authentication, authorisation, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
https://en.wikipedia.org/wiki/Identity_management
6. Terminology
Authentication: Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be.
Authorization: Determining which actions an authenticated entity is authorized to perform on the network.
7. Terminology
Single Sign On (SSO) is the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged in to one does not need to log in again for the second.
Relying Party (RP) is the system that relies on the IDP to authenticate a user.
Security Assertion Markup Language (SAML): SAML is a public standard managed by OASIS. SAML is both the identity token format and the protocol.
WS-Federation (WSFED) / WS-Trust: WSFED is used for web browser-based authentication with an IDP. WS-Trust is used by Office client apps to authenticate.*
10. Azure Active Directory
What is AAD?
“Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.”
16. Choosing a Model
Federated Identity: reasons to choose it
• Already have ADFS or a 3rd party IDP
• Require immediate disable or Sign-in Audit
• SSO is required
• Multiple Forests
• CAC or on-premises MFA
• Business requires it
18. Synchronisation Landscape
Tools: DirSync = Azure Active Directory Synchronization Tool; AAD Sync = Azure Active Directory Synchronization Services; AAD Connect = Azure Active Directory Connect; FIM = Forefront Identity Manager 2010 R2.

Feature                                                        | DirSync | AAD Sync | AAD Connect | FIM
---------------------------------------------------------------|---------|----------|-------------|----
Connect to single on-premises AD forest                        | X       | X        | PP          | X
Connect to multiple on-premises AD forests                     |         | X        | PP          | X
Connect to single on-premises LDAP directory                   |         |          | CS          | X
Connect to multiple on-premises LDAP directories               |         |          | CS          | X
Connect to on-premises AD and on-premises LDAP directories     |         |          | CS          | X
Connect to custom systems (i.e. SQL, Oracle, MySQL, etc.)      |         |          |             | X
Synchronize customer defined attributes (directory extensions) |         |          | CS          |
20. The Setup
What are we going to do?
• Office 365 E3 Tenant
• Configure Sync
‐ Users in targeted OU
‐ One way password sync
‐ Alternate Login ID
21. Prepare and Download DirSync
• Logon to the Portal
• Select Users and groups and then activate DirSync
  ‐ Select Users and Groups and click Set up Active Directory synchronization
  ‐ Activate Directory Synchronization
• Wait for Sync to enable
• Review all documentation, follow the implementation steps, and download the Sync appliance
From the DirSync server: Download DirSync
41. Alternate Login ID
When your on-premises UPN is non-routable on the public internet and you can’t easily update UPN suffixes.
Requires Windows Server 2012 R2 for AD FS*
Requires comfort with FIM and editing Management Agents
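As an added example (not from the deck), a pre-sync check in Python: given a constructed export of on-premises users and the set of domains verified in the tenant, it flags users whose UPN suffix is non-routable, shows the initial-domain UPN they would otherwise be provisioned with, and proposes the mail attribute as the Alternate Login ID where its suffix is verified. The verified domains, tenant name and user export are all assumed.

```python
# Added example, not from the deck: a pre-sync check for non-routable UPN suffixes.
# Verified domains, tenant name and the user export below are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

VERIFIED_DOMAINS = {"contoso.com", "fabrikam.com"}  # domains verified in the tenant (assumed)
TENANT_DEFAULT = "contoso.onmicrosoft.com"         # tenant's initial domain (assumed)

# Constructed on-premises export; corp.local is the non-routable UPN suffix.
USERS: List[Dict[str, str]] = [
    {"sam": "alice", "userPrincipalName": "alice@contoso.com", "mail": "alice@contoso.com"},
    {"sam": "bob",   "userPrincipalName": "bob@corp.local",    "mail": "bob@contoso.com"},
    {"sam": "carol", "userPrincipalName": "carol@corp.local",  "mail": "carol@partner.net"},
    {"sam": "dave",  "userPrincipalName": "dave@corp.local",   "mail": ""},
]


@dataclass
class Finding:
    sam: str
    upn: str
    cloud_upn: str               # UPN the tenant would hold if the object is synced as-is
    alt_login_id: Optional[str]  # mail value usable as Alternate Login ID, if its suffix is verified
    needs_upn_change: bool       # neither UPN nor mail suffix is verified: fix on-premises first


def suffix(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_user(user: Dict[str, str], verified=VERIFIED_DOMAINS, default=TENANT_DEFAULT) -> Finding:
    upn = user["userPrincipalName"]
    mail = user.get("mail", "")
    if suffix(upn) in verified:
        return Finding(user["sam"], upn, upn, None, False)  # routable: nothing to do
    # Unverified suffix: the cloud object falls back to the tenant's initial domain
    # (documented DirSync behaviour), so users would have to sign in with a different name.
    cloud_upn = f"{upn.split('@', 1)[0]}@{default}"
    alt = mail if suffix(mail) in verified else None
    return Finding(user["sam"], upn, cloud_upn, alt, alt is None)


def report(users: List[Dict[str, str]]) -> List[Finding]:
    return [check_user(u) for u in users]


if __name__ == "__main__":
    for finding in report(USERS):
        print(finding)
```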
42. Office Client Passive Authentication
• SSO with passive authentication
  ‐ Works with WSFED and SAML 2.0
• Went Tech Preview in Nov 2014
• Requires Office Client updates
  ‐ Move to Active Directory Authentication Library (ADAL)
  ‐ OAUTH for passive authentication
  ‐ Support for MFA with AAD
  ‐ CAC/PIV support
43. Works with Office 365 – Identity program
• What is it?
  ‐ Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
• Program Requirements
  ‐ Published Qualification Requirements
  ‐ Published Technical Integration Docs
  ‐ Automated Testing Tool
  ‐ Self Testing work by Partner
  ‐ Predictable and Shorter Qualification
  ‐ http://aka.ms/ssoproviders
• Customer Benefits
  ‐ Flexibility to reuse existing identity provider investments
  ‐ Confidence that the solution is qualified by Microsoft
  ‐ Coordinated support between the partner and Microsoft
Diagram (for representative purposes only): WS-Trust & WS-Federation; SAML (passive auth)
44. Office 365 Federation Options
Diagram of federation options; the surviving captions:
• Suitable for medium, large enterprises including educational organizations
• Suitable for medium, large enterprises including educational organizations
• Suitable for educational organizations
• For organizations that need to use SAML 2.0
46. The end to end Microsoft Stack
Diagram: WS-Federation, WS-Trust
47. Agenda
Identity Management in Office 365
Identity Scenarios
Synchronisation Demo
Add-ons and More to Think About
48. Resources
• Use third-party identity providers to implement single sign-on
• Deployment scenarios for Office 365 with single sign-on and Azure
• Choosing a sign-in model for Office 365
• Password hash sync simplifies user management for Office 365
• Directory Integration Tools
• Using Alternate Login IDs with Azure Active Directory
• Office 365 SAML 2.0 Federation Implementer’s Guide
• Simplified login to Yammer from Office 365
• Multi-Factor Authentication for Office 365
• Office 365 User Account Management