TRANSCRIPT
Using Active Directory with Microsoft Office 365
Ross Adams and Jono Luk, Microsoft Online Services, Microsoft
SIM 320
Session Objectives
Provide an Overview of Integration requirements
Provide details of how Directory Synchronization integrates with AD FS and Office 365
Provide details on how AD FS can be integrated into a customer's environment
Components of AD Directory Integration
[Diagram: Contoso customer premises running Microsoft Active Directory, Directory Synchronization and AD FS 2.0; Microsoft Online Services running the MS Online Directory Sync service, Identity Services, the Provisioning platform (Lync Online, SharePoint Online, Exchange Online), the Authentication platform (IdP, Directory Store) and the Admin Portal/PowerShell. A trust links the on-premise Active Directory Federation Server 2.0 to the Microsoft Online Services IdP.]
Why Integrate
Single place for management
  Users and groups including security groups
  Passwords
  Password policies
Support for Enterprise Single Sign on
Support for Hybrid environments for services such as Exchange Online
Support for Strong Authentication (e.g. Smart cards)
General Requirements
Active Directory Forest Functional level 2003
Windows 2008 or above for AD FS 2.0
Windows 2003 or above for Directory Synchronization
  32 Bit only
Support Virtualization
Single Forest
  Multiple domains in a single forest supported
Hybrid Deployments
  Exchange 2010 SP1 CAS and associated Schema
AD Naming vs. UPN Suffix
Number of different structures for Active Directory Naming
  Publicly routable
  Sub domain of a publicly routable domain
  Private Domain (e.g. contoso.local)
  Single level Domain (e.g. contoso)
Must use a publicly routable domain, or a sub domain of a publicly routable domain, for your UPN Suffix
  Required for Realm discovery
  Must be able to prove ownership (via public DNS record)
  It does not need to be the same as your AD Domain Name
Domain name must be shorter than 48 characters
UPN Validations
All users should have a defined UPN
Where not set:
  Enterprise Single Sign on Enabled: SAMAccountName@DomainName
  Cloud Based Identity: MailNickName@[company].onmicrosoft.com
Restrictions on allowed characters in cloud based UPN
  Letters, numbers, dot, underscore or dash
  No dot before @ symbol (e.g. [email protected] is ok, but [email protected] is not)
  Username must not be longer than 64 characters
Non Validated Domain
Customer ready tool to verify data in AD
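The UPN rules above as a runnable check, an added Python example rather than the customer-ready tool the slide refers to. The "publicly routable" test is an offline approximation (label count plus a constructed list of private top-level labels), and the sample user is constructed.

```python
import re

# Rules from the UPN Validations slide. Assumption: "publicly routable" is
# approximated offline as two or more labels with no known private top-level
# label; a real check would also confirm the public DNS record proving ownership.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
PRIVATE_TLDS = {"local", "internal", "lan", "corp"}   # constructed list

def effective_upn(user, mode, ad_domain, tenant):
    # Fallback used when no UPN is set: "sso" -> sAMAccountName@DomainName,
    # "cloud" -> mailNickName@<tenant>.onmicrosoft.com.
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    if mode == "sso":
        return f"{user['sAMAccountName']}@{ad_domain}"
    return f"{user['mailNickName']}@{tenant}.onmicrosoft.com"

def validate_upn(upn):
    # Returns the rule violations; an empty list means the UPN is acceptable.
    if upn.count("@") != 1:
        return ["UPN must contain exactly one @"]
    user, domain = upn.split("@")
    problems = []
    if not USERNAME_RE.match(user):
        problems.append("username may only contain letters, digits, dot, underscore or dash")
    if user.endswith("."):
        problems.append("no dot immediately before @")
    if len(user) > 64:
        problems.append("username longer than 64 characters")
    if len(domain) >= 48:
        problems.append("domain must be shorter than 48 characters")
    labels = domain.lower().split(".")
    if len(labels) < 2:
        problems.append("single-label domain cannot be a UPN suffix")
    elif labels[-1] in PRIVATE_TLDS:
        problems.append("private domain suffix is not publicly routable")
    return problems

def check_user(user, mode, ad_domain, tenant):
    # (effective UPN, problems): users with no UPN are checked on their fallback.
    upn = effective_upn(user, mode, ad_domain, tenant)
    return upn, validate_upn(upn)

# Constructed sample (not from a real directory): no UPN set, AD domain is contoso.local,
# so the SSO fallback fails the routable-suffix rule while the cloud fallback passes.
SAMPLE_USER = {"userPrincipalName": "", "sAMAccountName": "bjones", "mailNickName": "bjones"}
```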
Microsoft Online Directory Synchronization
Synchronization Options
1 Way Sync from AD to Cloud
  Provisions users, DLs, Security Groups and contacts
  Can move to 2 Way Sync later
  On-premise master for all objects and properties
2 Way Sync from AD to Cloud and Cloud to AD
  Required for Hybrid Deployments, e.g. co-existence with Exchange Online and Exchange on-premise
  Can not move back to 1 Way Sync
  Cloud becomes master for certain properties
Syncs all objects with some exceptions
  Does not sync default accounts (Administrator etc.)
  Does not sync System Objects
Can not be turned off
Account Requirements
Must be an Enterprise AD Account to set up Directory Sync
1 Way Sync
  Creates a new account, MSOL_AD_Sync, with Read on all objects
If 2 Way Sync
  Same as 1 Way
  Attribute write level permissions
2 Way Synchronization
Cloud masters these values and will overwrite the on-premise value.
Attribute | Feature | Description
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Safe Sender Filtering | Enables on-premise filtering using cloud safe/blocked sender info
msExchArchiveStatus | Cloud Archive | Allows users to archive mail to the Office 365 service
ProxyAddresses (cloudLegDN) | Mailbox off-boarding | Enables off-boarding of mailboxes back to on-premise
cloudmsExchUCVoiceMailSettings | Voicemail Co-Existence | Enables on-premise mailbox users to have Lync in the cloud
Directory Synchronization Validations
Licensed Users
  All Proxy Addresses (SMTP/SIP) must be against a verified domain
  Addresses dropped during licensing
  UPN not updated automatically for Cloud ID based Users
    Will update automatically when domain is converted to Single Sign on
Unlicensed Users
  SMTP Proxy Address can be against non-verified domains
  SIP Address must match a verified domain
  Dropped if not valid
Verifying after Sync will add the removed proxy address back
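The licensed/unlicensed proxy address rules above, and the effect of verifying a domain after the first sync, as an added Python example (not Directory Sync's own code) over constructed sample addresses:

```python
# Proxy address rules from the Directory Synchronization Validations slide,
# applied to constructed sample data (not from a real tenant).

def address_parts(proxy):
    # "SMTP:user@domain" -> ("smtp", "domain"); the prefix is case-insensitive.
    kind, _, address = proxy.partition(":")
    return kind.lower(), address.rsplit("@", 1)[-1].lower()

def apply_proxy_rules(proxy_addresses, verified_domains, licensed):
    # Returns (kept, dropped). Licensed users keep only addresses on verified
    # domains; unlicensed users may keep SMTP addresses on unverified domains,
    # but SIP addresses must always be on a verified domain.
    verified = {d.lower() for d in verified_domains}
    kept, dropped = [], []
    for proxy in proxy_addresses:
        kind, domain = address_parts(proxy)
        allowed = domain in verified or (kind == "smtp" and not licensed)
        (kept if allowed else dropped).append(proxy)
    return kept, dropped

def resync(proxy_addresses, verified_domains, newly_verified, licensed):
    # Verifying a domain after the first sync brings the dropped addresses back
    # on the next sync, because the rules are re-applied to the full AD value.
    return apply_proxy_rules(proxy_addresses, set(verified_domains) | set(newly_verified), licensed)

# Constructed sample: one on-premise user with SMTP and SIP addresses on two domains,
# of which only contoso.com has been verified in the tenant.
USER_PROXIES = ["SMTP:alice@contoso.com", "smtp:alice@fabrikam.com", "sip:alice@fabrikam.com"]
VERIFIED = {"contoso.com"}

def licensing_outcome():
    # What a licensed and an unlicensed user each keep, and what comes back
    # for the licensed user once fabrikam.com is verified.
    return {
        "licensed": apply_proxy_rules(USER_PROXIES, VERIFIED, licensed=True),
        "unlicensed": apply_proxy_rules(USER_PROXIES, VERIFIED, licensed=False),
        "licensed_after_verify": resync(USER_PROXIES, VERIFIED, {"fabrikam.com"}, licensed=True),
    }
```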
Synchronization Behaviors, Part 1
Cloud objects hard matched through sourceAnchor (Base64 AD ObjectGUID)
  Allows for any property to be updated
  Used by AD FS 2.0 for the same purpose during Sign in
Directory Sync without verifying the domain: objects stamped with trial domain *.onmicrosoft.com
Customer can create objects in Office 365 before and after running Directory Sync
  Additional Cloud based Admins etc.
  Pre-Production/Trial accounts for testing
Synchronization Behaviors, Part 2
Directory Sync will attempt to match users created in the cloud
  Prevents duplicate users
  Checks for SourceAnchor match first; if no match
  Checks for SMTP address match (Soft match)
  Will not match on users created in Exchange Online directly
For Soft matched objects the sourceAnchor value is stamped on the object so that it hard matches in the future.
Enterprise Single Sign On
AD FS Office 365 Integration
All Accounts must be mapped to a Shadow account in the Cloud Identity Service
  Directory Sync is the means of doing this
  Linked via Base64 encoded AD Object GUID
During Logon AD FS looks up data in AD to generate a signed token containing
  UPN, e.g. [email protected]
  Source ID = Base64 AD Object GUID = Directory Sync SourceAnchor
Identity Service validates the token and finds the user based on the User Source ID
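The hard/soft matching described under Synchronization Behaviors and the Source ID lookup described here rest on the same key, so one added Python example (not Directory Sync or AD FS code) covers both: deriving the sourceAnchor from an ObjectGUID and running the match over constructed cloud and AD objects. The createdIn field, the GUIDs and the "already anchored objects are not re-matched" rule are assumptions.

```python
import base64
import uuid
def source_anchor(object_guid):
    # sourceAnchor (= AD FS Source ID) is Base64 of the ObjectGUID's 16 raw bytes in
    # AD's stored order (bytes_le == .NET Guid.ToByteArray()), not of the GUID text.
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def smtp_addresses(proxy_addresses):
    # Case-insensitive SMTP addresses only; SIP/X500 entries are not soft-match keys.
    return {p.split(":", 1)[1].lower() for p in proxy_addresses if p.split(":", 1)[0].lower() == "smtp"}

def find_by_source_id(cloud_users, source_id):
    # The Identity Service's lookup on the Source ID claim; Directory Sync uses the same key.
    return next((u for u in cloud_users if u.get("sourceAnchor") == source_id), None)

def match_cloud_object(ad_user, cloud_users):
    # Hard match on sourceAnchor first; else soft match on an SMTP address and stamp the
    # anchor so the next sync hard matches. Objects created directly in Exchange Online
    # are never soft-matched; an already-anchored object is not re-matched (assumption).
    anchor = source_anchor(ad_user["objectGUID"])
    hit = find_by_source_id(cloud_users, anchor)
    if hit is not None:
        return "hard", hit
    wanted = smtp_addresses(ad_user["proxyAddresses"])
    for cu in cloud_users:
        if cu["createdIn"] == "ExchangeOnline" or cu.get("sourceAnchor") is not None:
            continue
        if wanted & smtp_addresses(cu["proxyAddresses"]):
            cu["sourceAnchor"] = anchor
            return "soft", cu
    return "new", None

# Constructed sample (not a real tenant, GUIDs made up): Alice pre-created in the portal,
# Bob created directly in Exchange Online.
CLOUD_USERS = [
    {"createdIn": "Portal", "sourceAnchor": None, "proxyAddresses": ["SMTP:Alice@contoso.com"]},
    {"createdIn": "ExchangeOnline", "sourceAnchor": None, "proxyAddresses": ["SMTP:bob@contoso.com"]},
]
AD_USERS = [
    {"objectGUID": "01020304-0506-0708-090a-0b0c0d0e0f10",
     "proxyAddresses": ["SMTP:alice@contoso.com", "sip:alice@contoso.com"]},
    {"objectGUID": "11111111-2222-3333-4444-555555555555", "proxyAddresses": ["SMTP:bob@contoso.com"]},
]

def run_two_syncs(ad_users, cloud_users):
    # Match type per AD user on two consecutive syncs over a copy of the cloud directory:
    # Alice soft matches, then hard matches; Bob is never matched.
    cloud = [dict(u) for u in cloud_users]
    return [[match_cloud_object(u, cloud)[0] for u in ad_users] for _ in range(2)]
```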
SSO Steps
Recommended to start with Enterprise SSO if this is what you want ultimately, i.e. add and verify the domain before Directory Sync is run.
Verify AD requirements to ensure accounts are ready
Deploy AD FS with high availability
  If AD FS or AD is not available you can't access cloud services
Run Directory Synchronization
Verify login from internal/external and the devices you use (e.g. phones etc.)
License users for services
Converting a Domain to SSO
A one step operation for this domain and any sub domain
Users must log on via AD FS and are converted at login; the password is lost at this point
Ensure you prepare by
  Ensuring Directory Sync is healthy
  Making sure all users have the right UPN in the cloud; remember a licensed user may not be updated
  Making sure your AD FS server is accessible both internally and externally (required for Outlook connections)
After conversion
  Verify login both internally and externally
  Background operation will run to ensure all users have the right UPN
Converting a Domain back to Cloud IDs
Affects all users in the Domain and Sub Domains
  Should be used with Caution
Users may require a new password when converted back to Cloud based IDs
  Users that did not log in can use their old password
Runs through all AD users to convert them back to cloud based IDs, i.e. can be long running
Share the password with users that were converted from Enterprise SSO to Cloud IDs.
Trialing SSO Options
Staged Rollout
  Start with an Enterprise SSO Domain and license users over time
Piloting in a different domain
  Suitable for an existing production standard domain (running Directory Sync) containing production licensed users
  Steps:
  1. Register a new pilot Domain for Enterprise SSO; cannot be a sub domain of an existing domain
  2. Deploy AD FS with Production like settings to ensure easy transition at the end to production usage
  3. Update Users' UPN on premise to the new pilot domain
  Once completed, the user must be moved back to their original domain before it is converted to Enterprise SSO; this requires that they get a password
Summary
Directory Sync and AD FS provide full integration of AD to Office 365
Enable Hybrid deployments
Allow for Password policies to be managed on premise
Users have a single username and password
Best end user experience
Office 365 Track Go Do’s
Get questions answered (and get a beta account): http://www.microsoft.com/en-us/office365/online-software.aspx
Office 365 Community (incl. blogs): http://community.office365.com/en-us/default.aspx
Continue the conversation:
  Office 365 Facebook Site: https://www.facebook.com/office365?v=app_177440328974903
  Office 365 Twitter Site: http://twitter.com/#!/office365
  Office 365 LinkedIn Site: http://www.linkedin.com/groups/Microsoft-Office-365-3724282
  Office 365 YouTube: http://www.youtube.com/microsoftoffice365
Office 365 Beta Service Descriptions: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6C6ECC6C-64F5-490A-BCA3-8835C9A4A2EA
Office 365 Developer Training: http://msdn.microsoft.com/en-us/hh181605
SharePoint Online for Office 365 Developer Guide: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4387e030-73dc-48e7-ac95-abc043b9335a
Office 365 Marketplace: http://office365.pinpoint.microsoft.com/en-US/default.aspx
Microsoft Office 365 for IT Professionals
May 24-26, 2011, the week after TechEd
Tailored for IT Pros, Learn from the Best
Three-Day Jump Start Course
  May 24: "Office 365 Platform"
  May 25: "Exchange Online"
  May 26: "Lync & SharePoint Online"
Jump Start
Microsoft Productivity, Email & Collaboration in the Cloud. Training designed for experienced technologists and IT leaders whose jobs demand they know how to best leverage new, emerging Microsoft technologies.
REGISTER NOW: http://bit.ly/Office365-JUMP
Office 365 Track Sessions
Monday, May 16
  OSP212: Microsoft Office 365: The Future of Productivity (Room 307 | 1:15 PM)
  OSP216: Microsoft Office 365: Deployment Overview (Room B313 | 3:00 PM)
Tuesday, May 17
  OSP273-INT: Microsoft Office 365 Administration and Automation Using Windows PowerShell (Room B301 | 8:30 AM)
  OSP213: What Do Existing BPOS Customers Need to Do to Prepare for Microsoft Office 365? (Room C201 | 1:30 PM)
  OSP276-INT: Microsoft Office 365 Client Connectivity (Room B304 | 1:30 PM)
  OSP215: Microsoft Office 365: Identity and Access Solutions (Room B314 | 3:15 PM)
  OSP324: The Taming of the Clouds: Integrating SaaS with Your On-Premise Environment (Room C211 | 5:00 PM)
Wednesday, May 18
  OSP272-INT: Licensing Microsoft Online Services (Room B302 | 10:15 AM)
  OSP274-INT: What Do Existing BPOS Customers Need to Do to Prepare for Microsoft Office 365? Q&A Follow Up (Room B304 | 3:15 PM)
  OSP325: Microsoft Office 365: Directory Synchronization (Room B313 | 3:15 PM)
Thursday, May 19
  OSP381-INT: Microsoft Office 365: Identity and Access Solutions - Q&A Follow Up (Room B301 | 10:15 AM)
  OSP219: Deploying Microsoft Office Professional Plus Subscription (Room B314 | 2:45 PM)
  OSP214: Security and Compliance on the Microsoft Business Productivity Online Standard Suite and Microsoft Office 365 Platforms (Room B313 | 4:30 PM)
Related Office 365 Sessions
Monday, May 16
  EXL202: Microsoft Lync 2010: In the Cloud (Room B206 | 3:00 PM)
  OSP210: Microsoft SharePoint Online Overview (Room B402 | 3:00 PM)
Tuesday, May 17
  OSP309: Integrating Microsoft SharePoint 2010 and Microsoft Dynamics CRM Online (Room C302 | 1:30 PM)
  EXL319: Microsoft Lync 2010: Setup, Deployment, Upgrade and Coexistence Scenarios (Room B206 | 3:15 PM)
  OSP301: Integrating Microsoft SharePoint 2010 with Windows Azure (Room C203 | 5:00 PM)
Wednesday, May 18
  EXL302: Archiving and Discovery in Microsoft Exchange 2010 SP1 and Exchange Online (Room B207 | 10:15 AM)
  OSP308: Claims Identity in Microsoft SharePoint 2010 (Room B314 | 10:15 AM)
  OSP372-INT: Building Cloud Apps Using Microsoft Dynamics CRM Online and Windows Azure (Room B303 | 10:15 AM)
  OSP305: Developing Collaboration Solutions in the Cloud with Microsoft SharePoint Online (Room B314 | 1:30 PM)
  EXL311: Microsoft Exchange Server & Microsoft Office 365: How to Set Up a Hybrid Deployment (Room B206 | 3:15 PM)
Thursday, May 19
  EXL375-INT: Understanding Archiving and Compliance in Microsoft Exchange Online (Room B302 | 8:30 AM)
  EXL322: Microsoft Exchange Online: Unified Messaging in Microsoft Office 365 (Room B207 | 1:00 PM)
  EXL309: Microsoft Exchange Online in Microsoft Office 365: Migration Case Study (Room B207 | 2:45 PM)
  OSP306: Developing Powerful Workflows in the Cloud with Microsoft SharePoint Online (Room C208 | 2:45 PM)
Questions?
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
www.microsoft.com/teched
  Sessions On-Demand & Community
www.microsoft.com/learning
  Microsoft Certification & Training Resources
http://microsoft.com/technet
  Resources for IT Professionals
http://microsoft.com/msdn
  Resources for Developers
http://northamerica.msteched.com
Connect. Share. Discuss.