Office 365 Identity Management Paul Andrew OSP225

Post on 03-Jan-2016

Page 1: Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1

Office 365 Identity Management

Paul Andrew

OSP225

Page 2:

Agenda

1. Identity Management Overview

2. Recently Announced…

3. Identity Integration Options

Page 3:

Identity management overview

Page 4:

Identity management

Identity management deals with identifying individuals in a system and controlling access to the resources in that system.

Integral components of identity and access management:

Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.

Authorization: determining which actions an authenticated entity is authorized to perform on the network.

Page 5:

More identity terms

Single Sign On (SSO) is the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged into one does not need to log in again for the second. YAUP is what you get if you don’t have SSO.

The Relying Party (RP) is the system that relies on the Identity Provider to authenticate a user.

Security Assertion Markup Language: SAML is a public standard managed by OASIS. SAML is the identity token and also the protocol. SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth.

WS-Federation / WS-Trust: WS-Federation is used for web browser based authentication with an IDP. WS-Trust is used by Office rich client apps to authenticate.

Page 6:

Microsoft cloud services

Microsoft Account (user, Ex: [email protected])

Organizational Account (user, Ex: [email protected]), backed by Windows Azure Active Directory

Page 7:

Common identity platform for organizational accounts

Windows Azure Active Directory is the underlying identity platform for various cloud services that use Organizational Accounts.

Diagram: Windows Azure Active Directory (directory store and authentication platform) serving Your App.

Page 8:

Office 365 Identity

Cloud Identity: single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.

Directory Synchronization: single identity. Suitable for medium and large organizations without federation.

Federated Identity: single federated identity and credentials. Suitable for medium and large organizations.

Page 9:

Recent Additions

Page 10:

Windows Azure Active Directory Sync Tool Update

Synchronizes user passwords from on-premises AD to Azure AD (Office 365).

Only a one way hash of the password will be synchronized to WAAD, such that the original password cannot be reconstructed from it.

Respects on-premises password policies.

Can’t sync passwords for Federated Users, but can co-exist.

The tool is downloaded from the Office 365 admin portal.

SAML2 Identity Provider

More Details on TechNet: http://aka.ms/sync

Page 11:

Directory Sync Tool or Active Directory Federation Services

Comparison of Password Sync and SSO with AD FS on the following points:

Same password to access resources

Can control password policies on-premises

Support for two factor authentication *

No password re-entry if on premises

Client access filtering by IP or by time schedule

Authentication occurs on-premises. Can immediately block disabled accounts.

Change password available from web

Works with Forefront Identity Manager

* Azure AD offers some 2FA features that are available with ADFS deployment on-premises.

Page 12:

Active Authentication: Why Multi-Factor

Your data and applications are under attack.

Passwords are easily compromised.

Consumerization of IT has only increased the scope of vulnerability.

Strengthening regulatory requirements call for strongly authenticating access.

Page 13:

Enterprise authentication using any phone

Mobile Apps: Out-of-Band Push, One-Time-Passcode

Phone Calls: Out-of-Band Call

Text Messages: Out-of-Band Text, One-Time Passcode

Page 14:

Architecture

Active Authentication with Windows Azure Active Directory, for ISV/CSV Apps, Microsoft Apps and Custom LOB Apps.

1. Users sign in from any device using their existing username/password. Credentials are checked in Windows Azure AD.

2. Then Active Authentication is triggered for additional verification. Users must also authenticate using their phone or mobile device before access is granted.

Page 15:

App Passwords

• Provides rich client login as alternative to Multi Factor Auth

• Not for administrators

• 16 characters randomly generated

• Currently in preview

Page 16:

Windows Azure Active Directory Provisioning Updates

Azure Active Directory GRAPH API: REST API for programmatic access to data in Azure AD. Can build multi-tenant applications, or custom LOB Apps.

Azure Active Directory Connector for FIM 2010 R2: can be used for multi-forest synchronization and non-AD sources. Public Beta starts on Connect soon.

Page 17:

Identity integration options

Page 18:

Identity integration options

1. Cloud Identity. Org size: Small. Control of attributes in directory: least control. Source of authority: Cloud. Hardware requirements: no on-premises hardware required. Login experience: disjoint username and password for on-premises and cloud; enter credentials twice.

2. Directory Sync. Org size: All. Control of attributes in directory: full control via on-premises directory. Source of authority: On-premises. Hardware requirements: Windows Server OS for DirSync appliance. Login experience: disjoint username and password for on-premises and cloud; enter credentials twice.

3. Password Sync. Org size: All. Control of attributes in directory: full control via on-premises directory. Source of authority: On-premises. Hardware requirements: Windows Server OS for DirSync appliance. Login experience: same username and password for on-premises and cloud; enter credentials twice.

4. Graph API. Org size: Large. Control of attributes in directory: can control core attributes and select optional. Source of authority: Cloud. Hardware requirements: machine to run PowerShell jobs on. Login experience: disjoint username and password for on-premises and cloud; enter credentials twice.

5. FIM. Org size: Large. Control of attributes in directory: can control core attributes and select optional. Source of authority: On-premises. Hardware requirements: Forefront Identity Manager with Office 365 Connector. Login experience: disjoint username and password for on-premises and cloud; enter credentials twice.

6. Single Sign-On. Org size: Large. Control of attributes in directory: full control via on-premises directory. Source of authority: On-premises. Hardware requirements: DirSync appliance and ADFS (or other STS) deployment. Login experience: same username and password for on-premises and cloud; login once if on-premises.

Page 19:

1. Cloud identity

Rich experience with Office Apps.

Ease of deployment, management and support.

Lower cost as no additional servers are required on-premises.

High availability and reliability as all identities and services are managed in the cloud.

Diagram: User with a Cloud Identity (Ex: [email protected]) in Windows Azure Active Directory.

Page 20:

2. Directory Synchronization

Rich experience with Office Apps.

Directory synchronization between on-premises and online.

Identities are created and managed on-premises and synchronized to the cloud.

Single identity and credentials but no single Sign-On for on-premises and Office 365 services.

Reuse existing directory implementation on-premises.

Diagram: On-Premises Identity (Ex: Domain\Alice) in AD, synchronized by Directory Synchronization to a Cloud Identity (Ex: [email protected]) in Windows Azure Active Directory.

Page 21:

3. Password Synchronization

Rich experience with Office Apps.

Directory synchronization between on-premises and online.

Identities are created and managed on-premises and synchronized to the cloud.

Single identity and password credentials but no single Sign-On for on-premises and Office 365 services.

Reuse existing directory implementation on-premises.

Diagram: On-Premises Identity (Ex: Domain\Alice) in AD, synchronized by Directory Synchronization with one way Password Hash to a Cloud Identity (Ex: [email protected]) in Windows Azure Active Directory.
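As an added illustration of the one-way password hash synchronization described on Page 10 and Page 21, the Python below models what the slides claim: a managed user's credential hash is re-hashed with a fresh per-user salt before it leaves the premises, the cloud side can verify a sign-in against that value but cannot recover the password, and federated users are skipped while still co-existing in the same sync. This is example code written for this transcript, not the sync tool's own implementation: PBKDF2-HMAC-SHA256 stands in for whatever one-way function the tool uses, `fake_on_prem_hash` is a stand-in for the directory's own credential hash, and the UPNs, the federated-domain list and the iteration count are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: domains assumed to be federated. Federated users authenticate
# on-premises, so the sync skips their passwords while still syncing the users.
FEDERATED_DOMAINS = {"fed.example.com"}

PBKDF2_ITERATIONS = 100_000  # assumption for this example, not the tool's setting


@dataclass(frozen=True)
class OnPremUser:
    upn: str
    cred_hash: bytes  # the directory's existing credential hash (constructed)


@dataclass(frozen=True)
class CloudPasswordRecord:
    upn: str
    salt: bytes
    iterations: int
    digest: bytes  # PBKDF2-HMAC-SHA256 over cred_hash; cannot be inverted to the password


def fake_on_prem_hash(password: str) -> bytes:
    """Stand-in for the on-premises credential hash (constructed; not AD's own format)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def is_federated(upn: str) -> bool:
    return upn.rsplit("@", 1)[-1].lower() in FEDERATED_DOMAINS


def derive_record(user: OnPremUser, salt: Optional[bytes] = None) -> CloudPasswordRecord:
    """Re-hash the credential hash with a fresh per-user salt before it leaves the premises."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", user.cred_hash, salt, PBKDF2_ITERATIONS)
    return CloudPasswordRecord(user.upn, salt, PBKDF2_ITERATIONS, digest)


def sync_passwords(users: List[OnPremUser]) -> Tuple[List[CloudPasswordRecord], List[str]]:
    """Return (records for managed users, UPNs skipped because they are federated)."""
    synced, skipped = [], []
    for user in users:
        if is_federated(user.upn):
            skipped.append(user.upn)
        else:
            synced.append(derive_record(user))
    return synced, skipped


def cloud_verify(record: CloudPasswordRecord, presented_cred_hash: bytes) -> bool:
    """Cloud-side check at sign-in: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented_cred_hash, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


# Constructed sample directory: one managed user, one federated user.
SAMPLE_USERS = [
    OnPremUser("alice@contoso.example", fake_on_prem_hash("CorrectHorse1!")),
    OnPremUser("bob@fed.example.com", fake_on_prem_hash("Tr0ub4dor&3")),
]

if __name__ == "__main__":
    synced, skipped = sync_passwords(SAMPLE_USERS)
    print("synced:", [r.upn for r in synced], "skipped (federated):", skipped)
    print("alice verifies:", cloud_verify(synced[0], fake_on_prem_hash("CorrectHorse1!")))
```

The salt is generated per record, so two syncs of the same unchanged password produce different stored values; what reaches the cloud is a fixed-length digest that only supports an equality check, which is the property the slide relies on when it says the original password cannot be reconstructed.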

Page 22:

Scoping and Filtering for Synchronization

Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:

AD Domain-based

Organizational Unit-based

User Attribute based

Additional filtering capabilities will become available with the O365 Connector. Preventing the synchronization of specific attributes is not supported.
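To make the three scoping levels concrete, here is an added example (written for this transcript, not the sync tool's own filter implementation) that applies domain-based, OU-based and attribute-based scoping to a small constructed set of directory objects. The DNs, domain names and the `extensionAttribute1` convention used as the attribute rule are constructed for the example; the point it also shows is the slide's caveat that scoping decides whether an object syncs, never which of its attributes are sent.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class DirectoryObject:
    dn: str                  # distinguished name, e.g. "CN=Alice,OU=Sales,DC=corp,DC=contoso,DC=example"
    domain: str              # AD domain the object belongs to
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class SyncScope:
    domains: Set[str] = field(default_factory=set)                      # empty = no domain filter
    ous: Set[str] = field(default_factory=set)                          # OU DNs; empty = no OU filter
    attribute_rule: Optional[Callable[[Dict[str, str]], bool]] = None   # None = no attribute filter


def in_ou(dn: str, ou_dn: str) -> bool:
    """True if dn is directly in, or anywhere below, the OU with distinguished name ou_dn."""
    return dn.lower().endswith("," + ou_dn.lower())


def in_scope(obj: DirectoryObject, scope: SyncScope) -> bool:
    """All configured scoping levels must admit the object (domain, then OU, then attribute)."""
    if scope.domains and obj.domain.lower() not in {d.lower() for d in scope.domains}:
        return False
    if scope.ous and not any(in_ou(obj.dn, ou) for ou in scope.ous):
        return False
    if scope.attribute_rule is not None and not scope.attribute_rule(obj.attributes):
        return False
    return True


def select_for_sync(objects: List[DirectoryObject], scope: SyncScope) -> Tuple[List[str], List[str]]:
    """Split objects into (synced DNs, excluded DNs). An in-scope object is synced with ALL of
    its attributes: scoping decides whether an object syncs, not which attributes are sent."""
    synced, excluded = [], []
    for obj in objects:
        (synced if in_scope(obj, scope) else excluded).append(obj.dn)
    return synced, excluded


# Constructed sample objects across two domains and several OUs.
SAMPLE_OBJECTS = [
    DirectoryObject("CN=Alice,OU=Sales,DC=corp,DC=contoso,DC=example", "corp.contoso.example",
                    {"extensionAttribute1": "O365"}),
    DirectoryObject("CN=Bob,OU=Contractors,OU=Sales,DC=corp,DC=contoso,DC=example", "corp.contoso.example",
                    {"extensionAttribute1": "O365"}),
    DirectoryObject("CN=Carol,OU=Sales,DC=corp,DC=contoso,DC=example", "corp.contoso.example", {}),
    DirectoryObject("CN=svc-backup,OU=ServiceAccounts,DC=corp,DC=contoso,DC=example", "corp.contoso.example",
                    {"extensionAttribute1": "O365"}),
    DirectoryObject("CN=Dave,OU=Sales,DC=lab,DC=contoso,DC=example", "lab.contoso.example",
                    {"extensionAttribute1": "O365"}),
]

# Scope: production domain only, Sales OU subtree only, only objects flagged for Office 365.
SAMPLE_SCOPE = SyncScope(
    domains={"corp.contoso.example"},
    ous={"OU=Sales,DC=corp,DC=contoso,DC=example"},
    attribute_rule=lambda attrs: attrs.get("extensionAttribute1") == "O365",
)

if __name__ == "__main__":
    synced, excluded = select_for_sync(SAMPLE_OBJECTS, SAMPLE_SCOPE)
    print("synced:", synced)
    print("excluded:", excluded)
```

The OU test matches on a DN suffix that includes the leading comma, so a sibling OU such as `OU=SalesOps` is not mistaken for a child of `OU=Sales`, and nested OUs under the scoped one are included.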

Page 23:

Multi-forest AD

Diagram: several AD forests (On-Premises Identity, Ex: Domain\Alice) feeding DirSync on FIM and Federation using ADFS into Windows Azure Active Directory (User).

Page 24:

Multi-forest decision flowchart

Figure (flowchart; only its labels survive): starting from Start, the decisions are the number of Active Directory forests (Single (1) / Multiple (>1)), the number of Exchange orgs (None (0) / Single (1) / Multiple (>1)), whether there are “disjoint” account forests, whether “disjoint” account forests and an Exchange org are accessed by accounts in the same forest, and whether you want to consolidate to a single forest (Yes / No). The outcomes are: use Single Forest DirSync; use Multi Forest DirSync; use Office 365 Connector; or you need on-premises org consolidation (see the consolidation whitepaper) and return to the flowchart after consolidation.

Page 25:

4. Powershell / Graph REST API

Suitable for small/medium size organizations with AD or Non-AD.

Performance limitations apply with PowerShell and Graph API provisioning.

PowerShell requires scripting experience.

PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning).

Page 26:

5. Office 365 Connector for Forefront Identity Manager

Suitable for large organizations with certain AD and Non-AD scenarios.

Complex multi-forest AD scenarios.

Non-AD synchronization through Microsoft premier deployment support.

Requires Forefront Identity Manager and additional software licenses.

Page 27:

6. Federated identity

Single identity and sign-on for on-premises and Office 365 services.

Identities mastered on-premises with single point of management.

Directory synchronization to synchronize directory objects into Office 365.

Secure token based authentication.

Client access control based on IP address with ADFS.

Strong factor authentication options for additional security with ADFS.

Diagram: On-Premises Identity (Ex: Domain\Alice) in AD or Non-AD, with Federation and Directory Synchronization to Windows Azure Active Directory (User).

Page 28:

Federation options

Shibboleth (SAML), works with AD & Non-AD:

Suitable for educational organizations

Recommended where customers may use existing non-ADFS Identity systems

Single sign-on

Secure token based authentication

Support for web clients and outlook (ECP) only

Microsoft supported for integration only, no shibboleth deployment support

Requires on-premises servers & support

Works with AD and other directories on-premises

Active Directory with ADFS, works with AD:

Suitable for medium, large enterprises including educational organizations

Recommended option for Active Directory (AD) based customers

Single sign-on

Secure token based authentication

Support for web and rich clients

Microsoft supported

Works for Office 365 Hybrid Scenarios

Requires on-premises servers, licenses & support

Works with Office 365 - Identity, works for Office 365 Hybrid Scenarios:

Suitable for medium, large enterprises including educational organizations

Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD

Single sign-on

Secure token based authentication

Support for web and rich clients

Third-party supported

Works for Office 365 Hybrid Scenarios

Requires on-premises servers, licenses & support

Verified through ‘works with Office 365’ program

Page 29:

‘Works with Office 365 – Identity’

Program for third party on premises identity providers to interoperate with Office 365.

Objective is to help customers that currently use Non-Microsoft identity solutions to adopt Office 365.

On TechNet: http://aka.ms/SSOProviders

Diagram labels: Flexibility, Confidence, Support; Reuse Investments, Qualified by Microsoft, Partner + Coordinated.

Page 30:

‘Works with Office 365 – Identity’

On Premises Security Token Services: http://bit.ly/17D5Dq0

Protocols: WS-Trust & WS-Federation; WS-Federation; SAML-P

Active Directory with ADFS

Page 31:

Client access control

Part of ADFS. Limit access to Office 365 based on network connectivity (internet versus intranet).

Block all external access to Office 365 based on the IP address of the external client.

Block all external access to Office 365 except Exchange Active Sync; all other clients such as Outlook are blocked.

Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online.
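The three client access control scenarios above come down to a decision over the request context ADFS sees: did the request arrive through the proxy, from which client IP, from which client application, and at which endpoint. The following added example (written for this transcript; it is a Python model of the decision, not ADFS's claim rule engine) evaluates each of the three policies over constructed sample requests. The claim type names are the request-context claims ADFS documents for the Office 365 client access policy scenarios, and `Microsoft.Exchange.ActiveSync` and `/adfs/ls/` are the values those scenarios use for ActiveSync clients and the passive endpoint; confirm both against your ADFS version. The corporate egress range, proxy name and client IPs are constructed.

```python
import ipaddress
from typing import Dict, List

# Request-context claim types ADFS adds to Office 365 authentication requests
# (names as documented for the ADFS client access policy scenarios; assumption
# that they match your ADFS version). Evaluation below is a model, not ADFS.
NS = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
X_MS_PROXY = NS + "x-ms-proxy"
X_MS_FORWARDED_CLIENT_IP = NS + "x-ms-forwarded-client-ip"
X_MS_CLIENT_APPLICATION = NS + "x-ms-client-application"
X_MS_ENDPOINT_ABSOLUTE_PATH = NS + "x-ms-endpoint-absolute-path"

ACTIVESYNC_APP = "Microsoft.Exchange.ActiveSync"  # client application value for Exchange ActiveSync
PASSIVE_ENDPOINT = "/adfs/ls/"                     # passive (browser) federation endpoint

# Constructed: the organisation's public egress addresses. A request that comes
# through the proxy from one of these is still treated as intranet.
CORPORATE_EGRESS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("203.0.113.0/24")]

POLICIES = ("block-all-external", "except-activesync", "except-passive")


def is_external(claims: Dict[str, str]) -> bool:
    """External = came through the proxy (x-ms-proxy present) and the forwarded
    client IP is not a known corporate egress address."""
    if X_MS_PROXY not in claims:
        return False  # reached ADFS directly: intranet
    forwarded = claims.get(X_MS_FORWARDED_CLIENT_IP, "")
    first = forwarded.split(",")[0].strip()  # header may carry a chain; first entry is the client
    try:
        addr = ipaddress.ip_address(first)
    except ValueError:
        return True  # missing or malformed IP: fail closed, treat as external
    return not any(addr in net for net in CORPORATE_EGRESS)


def decide(claims: Dict[str, str], policy: str) -> str:
    """Return "allow" or "deny" for one request under the chosen policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not is_external(claims):
        return "allow"  # intranet traffic is never restricted by these policies
    if policy == "block-all-external":
        return "deny"
    if policy == "except-activesync":
        return "allow" if claims.get(X_MS_CLIENT_APPLICATION) == ACTIVESYNC_APP else "deny"
    # except-passive: only browser-based (passive) sign-ins are allowed from outside
    return "allow" if claims.get(X_MS_ENDPOINT_ABSOLUTE_PATH) == PASSIVE_ENDPOINT else "deny"


# Constructed sample requests (claim dictionaries).
ACTIVE_ENDPOINT = "/adfs/services/trust/2005/usernamemixed"
INTRANET_BROWSER = {X_MS_ENDPOINT_ABSOLUTE_PATH: PASSIVE_ENDPOINT}
EXTERNAL_BROWSER = {X_MS_PROXY: "proxy01", X_MS_FORWARDED_CLIENT_IP: "198.51.100.7",
                    X_MS_ENDPOINT_ABSOLUTE_PATH: PASSIVE_ENDPOINT}
EXTERNAL_ACTIVESYNC = {X_MS_PROXY: "proxy01", X_MS_FORWARDED_CLIENT_IP: "198.51.100.7",
                       X_MS_CLIENT_APPLICATION: ACTIVESYNC_APP,
                       X_MS_ENDPOINT_ABSOLUTE_PATH: ACTIVE_ENDPOINT}
EXTERNAL_OUTLOOK = {X_MS_PROXY: "proxy01", X_MS_FORWARDED_CLIENT_IP: "198.51.100.7",
                    X_MS_CLIENT_APPLICATION: "Microsoft.Exchange.RPC",  # constructed sample value
                    X_MS_ENDPOINT_ABSOLUTE_PATH: ACTIVE_ENDPOINT}
PROXIED_FROM_OFFICE = {X_MS_PROXY: "proxy01", X_MS_FORWARDED_CLIENT_IP: "203.0.113.20",
                       X_MS_ENDPOINT_ABSOLUTE_PATH: PASSIVE_ENDPOINT}

if __name__ == "__main__":
    for name, req in [("intranet browser", INTRANET_BROWSER), ("external browser", EXTERNAL_BROWSER),
                      ("external ActiveSync", EXTERNAL_ACTIVESYNC), ("external Outlook", EXTERNAL_OUTLOOK),
                      ("proxied from office egress", PROXIED_FROM_OFFICE)]:
        print(name, {p: decide(req, p) for p in POLICIES})
```

The model fails closed when the proxy claim is present but the forwarded IP is missing or unparsable, which is the safer default for a control whose purpose is to keep unknown external clients out; when you translate a policy like this into ADFS issuance authorization rules, test each of the sample request shapes above against the real claim pipeline before relying on it.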

Page 32:

WAAD Identity with other cloud services

Identity managed in Windows Azure AD: single sign-on for Office 365 and other cloud services federated with a single cloud identity.

ISV Applications or SAAS providers can integrate using APIs on Windows Azure AD.

Diagram: User with a Cloud Identity (Ex: [email protected]) in Windows Azure Active Directory, used by ISV apps, SAAS providers or Your App.

Page 33:

Summary

1. Cloud Identities – Windows Azure Active Directory

2. Directory Sync from On-Premises

3. Directory Sync from On-Premises (with Password Sync)

4. Graph API and Powershell

5. Forefront Identity Manager

6. Federation (or Single Sign-On)

• ADFS

• WS-Federation and WS-Trust

• Shibboleth SAML-P

Active Authentication for multifactor

Works with Office 365 – Identity

Page 34:

Resources

Developer Network: Resources for Developers, http://msdn.microsoft.com/en-au/

Learning: Virtual Academy, http://www.microsoftvirtualacademy.com/

TechNet: Resources for IT Professionals, http://technet.microsoft.com/en-au/

Sessions on Demand: http://channel9.msdn.com/Events/TechEd/Australia/2013

Page 35:

Keep Learning

1. Keep up to date with all the latest Office 365 information at http://ignite.office.com

2. Get on top of your pilot using the FastTrack deployment process http://fastTrack.office.com

3. Trial Office 365 http://office.microsoft.com

Page 36:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.