PowerPoint presentation: download.microsoft.com/documents/hk/technet/techdays2014/day1...no password...
TRANSCRIPT
http://technet.microsoft.com/en-us/library/dn511002.aspx
http://social.technet.microsoft.com/wiki/contents/articles/17857.how-to-switch-from-single-sign-on-to-password-sync.aspx
Password Sync vs. SSO with AD FS

Password Sync
• Same password to access resources
• Control password policies on-premises
• Support for two factor authentication*

SSO with AD FS
• No password re-entry if on premises
• Client access filtering
• Authentication occurs in on-premises directory (no credentials in the cloud)
Identity options compared (columns: Portal | PowerShell/Directory GRAPH | DirSync w/Cloud identities | DirSync w/Password Sync | DirSync w/SSO)

Target customer segment | Small | Small/Medium | Small/Medium | Small/Medium | Medium/Large
What can I do? | Least | Least | Some limitations | Some limitations | All
Where do I make changes? | Cloud | Cloud | On-premises | On-premises | On-premises
What hardware do I need? | None | None | DirSync appliance | DirSync appliance | DirSync appliance; ADFS/other STS, HA
Where do users sign in? | Cloud | Cloud | Cloud | Cloud | On-premises
User login experience | Disjoint username and password; enter credentials twice | Disjoint username and password; enter credentials twice | Same username, disjoint password; enter credentials twice | Same username and password; enter credentials twice | Same username and password; login once (if on-premises)
Complexity | Low | Medium | Low | Low | High (setup SSO)
Supported directory topologies (columns: On-premises | Azure AD | Supported? | Sync Solution | ADFS/SSO Solution)

1 AD Forest | 1 Tenant | Yes | DirSync Appliance | ADFS or 3rd Party STS
n AD Forests* | 1 Tenant | Yes | FIM + AAD Connector** | ADFS or 3rd Party STS
1 AD Forest | n Tenants | Yes | FIM + AAD Connector OR n DirSync Appliances | ADFS or 3rd Party STS
Non-AD directory | n Tenants | Yes | FIM + AAD Connector | 3rd Party STS
n AD Forests + m non-AD Directories | n Tenants | Yes | FIM + AAD Connector | 3rd Party STS
Diagram: account forest / resource forest topology. Components: Azure AD Tenant; DirSync; Account Forest; Resource Forest (migrate Exchange data); AD FS (sync UPN, ImmutableID, etc.).
http://www.microsoft.com/downloads/details.aspx?FamilyID=72c15d25-6515-4763-9b76-054362b58398
Client sign-in experience by client type and identity type

Web Clients (Office 2010, Office 2007 SP2 with SharePoint Online; Outlook Web Application; remembers last user)
• SSO IDs (domain joined): No Prompt (AD credentials)
• MS Online IDs: Username and Password (Cloud ID)
• SSO IDs (non-domain joined): Username and Password (AD credentials)

Exchange Clients (Office 2010, Office 2007 SP2; Active Sync/POP/IMAP; Entourage; can save credentials)
• SSO IDs (domain joined): Username (AD credentials)
• MS Online IDs: Username and Password (Cloud ID)
• SSO IDs (non-domain joined): Username and Password (AD credentials)

Rich Applications (SIA) (Lync Online; Office Subscriptions; CRM Rich Client; Office 2013; can save credentials)
• SSO IDs (domain joined): Username and Password (AD credentials)
• MS Online IDs: Username and Password (Cloud ID)
• SSO IDs (non-domain joined): Username and Password (AD credentials)
Diagram: AD FS 2.0 authentication flows across the corporate boundary. Components: AD FS 2.0 Server and AD FS 2.0 Proxy (each exposing MEX, Web and Active endpoints); Exchange Online. Clients: Lync 2010/Office Subscription, Active Sync, Outlook 2010/2007 IMAP/POP, OWA Internal and OWA External; username/password flows are shown for Lync 2010/Office Subscription, Outlook 2010/2007 IMAP/POP and Active Sync.
Basic auth proposal: pass client IP, protocol, device name
http://technet.microsoft.com/en-us/library/jj151781.aspx
http://technet.microsoft.com/en-us/library/dn246918.aspx
http://social.technet.microsoft.com/wiki/contents/articles/18096.dirsyncwaad-password-sync-frequently-asked-questions.aspx
http://technet.microsoft.com/en-us/library/hh967628.aspx