Using Active Directory with Microsoft Office 365

Ross Adams and Jono LukMicrosoft Online ServicesMicrosoft

SIM 320

Session Objectives

Provide an Overview of Integration requirements

Provide details of how Directory Synchronization integrates with AD FS and Office 365

Provide details on how AD FS can be integrated into a customers environment

Components of AD Directory Integration

Microsoft Active DirectoryDirectory SynchronizationAD FS 2.0Contoso customer premises

ADMS Online Directory

Sync

Identity Services

Provisioningplatform Lync

Online

SharePoint Online

Exchange Online

Active Directory Federation Server

2.0

Trust

IdPDirectory

Store

Admin Portal/PowerShell

Authentication platform

Microsoft Online Services

IdP

Why Integrate

Single place for managementUser and groups including security groupsPasswordsPassword policies

Support for Enterprise Single Sign onSupport for Hybrid environments for services such as Exchange OnlineSupport for Strong Authentication (e.g. Smart cards)

General Requirements

Active Directory Forest Functionality level 2003 Windows 2008 for AD FS 2.0 or aboveWindows 2003 or above for Directory Synchronization

32 Bit only

Support VirtualizationSingle Forest

Multiple domains in a single the forest supported

Hybrid DeploymentsExchange 2010 SP1 CAS and associated Schema

AD Naming v’s UPN Suffix

Number of different structures for Active Directory NamingPublicly routableSub domain of a publicly routable domainPrivate Domain (e.g. contoso.local)Single level Domain (e.g. contoso)

Must use a publicly routable or sub domain of a public routable Domain for your UPN Suffix

Required for Realm discoveryMust be able to prove ownership (via public DNS record)It does not need to be the same as your AD Domain Name

Domain name must be shorter than 48 characters

UPN Validations

All users should have a defined UPNWhere not set:

Enterprise Single Sign on Enabled – SAMAccountName@DomainNameCloud Based Identity – MailNickName@[company].onmicrosoft.com

Restrictions on allowed characters in cloud based UPNLetters, numbers, dot, underscore or dashNo dot before @ symbol (e.g. ross.adams@contoso.com is ok, but ross.adams.jr.@contoso.com is not)Username must not be longer than 64 characters

Non Validated DomainCustomer ready tool to verify data in AD

Microsoft Online Directory Synchronization

Synchronization Options

1 Way Sync from AD to CloudProvisions users, DLs, Security Groups and contactsCan move to 2 Way Sync laterOn-premise master for all objects and properties

2 Way Sync from AD to Cloud and Cloud to ADRequired for Hybrid Deployments e.g. co-existence with Exchange online and Exchange on-premiseCan not move back to 1 way syncCloud becomes master for certain properties

Sync’s all objects with some expectionsDoes not Default accounts (Administrator etc)Does not sync System Objects

Can not be turned off

Account Requirements

Must be an Enterprise AD Account to setup Directory Sync1 Way sync

creates a new account MSOL_AD_SyncRead on all objects

If 2 Way SyncSame as 1 WayAttribute write level permissions

2 Way Synchronization

Cloud masters values, will overwrite on-premise value.

Attribute Feature

SafeSendersHashBlockedSendersHashSafeRecipientHash

Safe Sender Filteringenables on-premise filtering using cloud safe/blocked sender info

msExchArchiveStatus Cloud ArchiveAllows users to archive mail to the Office 365 service

ProxyAddresses (cloudLegDN) Mailbox off-boardingEnables off-boarding of mailboxes back to on-premise

cloudmsExchUCVoiceMailSettings Voicemail Co-ExistenceEnables on-premise mailbox users to have Lync in the cloud

Directory Synchronization Validations

Licensed UsersAll Proxy Address (SMTP/SIP) must be against a verified domainAddresses dropped during licensingUPN not updated automatically for Cloud ID based Users

Will update automatically when domain is converted to Single Sign on

Unlicensed UsersSMTP Proxy Address can be against non-verified domainsSIP Address must match a verified domain

Drop if not valid

Verifying after Sync will add the removed proxy address back

Synchronization BehaviorsPart 1

Cloud objects hard matched through sourceAnchor (Base64 AD ObjectGUID)

Allows for any property to be updatedUsed by AD FS 2.0 for same purpose during Sign in

Directory Sync without verifying the domain Objects stamped with trial domain *.onmicrosoft.com

Customer can create objects in Office 365 before and after running Directory Sync

Additional Cloud based Admins etc.Pre-Production/Trial accounts for testing

Synchronization BehaviorsPart 2

Direcotry Sync will attempt to match users created in the cloud

Prevents duplicate usersChecks for SourceAnchor match first; if no matchChecks for SMTP address match Soft match

Will not match on users created in Exchange Online directly

For objects Soft match sourceAnchor value stamped on object so as to hard match in the future.

Enterprise Single Sign On

AD FS Office 365 Integration

All Accounts must be mapped to a Shadow account in the Cloud Identity Service

Directory Sync is the means of doing thisLinked via Base64 encoded AD Object GUID

During Logon AD FS looks up data in AD to generate a signed token containing

UPN, e.g. user@domain.comUser Source ID = Base64 AD Object GUID = Directory Sync SourceAnchor

Identity Service validates the token and finds the user based on the User Source ID

SSO Steps

Recommended to start with Enterprise SSO if this is what you want ultimately, i.e. add and verify the domain before Directory Sync is run.Verify AD requirements to ensure accounts are readyDeploy AD FS with high availability

If AD FS is not available or AD you can’t access cloud services

Run Directory SynchronizationVerify login from internal/external and devices you use (e.g. phones etc) License users for services

Converting a Domain to SSO

A one step operation for this domain and any sub domainUsers must logon via AD FS and are converted at login, password lost at this point

Ensure you prepare byEnsure Directory Sync is healthyMaking sure all users have the right UPN in the cloud, remember a licensed user may not be updatedMake sure your AD FS server is accessible both internally and externally (required for Outlook connections)

After conversion Verify login both internally and externallyBackground operation will run to ensure all users have the right UPN

Converting a Domain back to Cloud IDs

Affects all users in the Domain and Sub DomainsShould be used with Caution

Users may require a new password when converted back to Cloud based IDs

Password of users that did not login can use old password

Runs through all AD users to convert them back to cloud based IDs, i.e. can be long running

Share Password with users that were converted from Enterprise SSO to Cloud IDs.

Trialing SSO Options

Staged RolloutStart with an Enterprise SSO Domain and license users over time

Piloting in a different domainSuitable for Existing production standard domain (running Directory Sync) containing production licensed usersSteps:1. Register a new pilot Domain for Enterprise SSO, cannot be a sub domain of an

existing domain2. Deploy AD FS with Production like settings to ensure easy transition at the end

to production usage3. Update Users UPN on premise to new pilot domain

Once completed the user must be moved back to their original domain before it is converted to Enterprise SSO, requires they get a password

Summary

Directory Sync and AD FS provide full integration of AD to Office 365Enable Hybrid deployments Allow for Password policies to be managed on premise Users have a single username and passwordBest end user experience

Office 365 Track Go Do’s

Get questions answered (and get a beta account): http://www.microsoft.com/en-us/office365/online-software.aspx

Office 365 Community (incl. blogs)http://community.office365.com/en-us/default.aspx

Continue the conversation:Office 365 Facebook Site: https://www.facebook.com/office365?v=app_177440328974903Office 365 Twitter Site: http://twitter.com/#!/office365Office 365 Linked In Site: http://www.linkedin.com/groups/Microsoft-Office-365-3724282Office 365 You Tube: http://www.youtube.com/microsoftoffice365

Office 365 Beta Service Descriptions: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6C6ECC6C-64F5-490A-BCA3-8835C9A4A2EA

Office 365 Developer Training: http://msdn.microsoft.com/en-us/hh181605

SharePoint Online for Office 365 Developer Guide: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4387e030-73dc-48e7-ac95-abc043b9335a

Office 365 Marketplace: http://office365.pinpoint.microsoft.com/en-US/default.aspx

Microsoft Office 365 for IT Professionals

May 24-26, 2011Week after TechEd Tailored for IT ProsLearn from the Best

Three-Day Jump Start CourseMay 24: “Office 365 Platform”May 25: “Exchange Online”May 26: “Lync & SharePoint Online”

Jump Start

Microsoft Productivity, Email & Collaboration in the Cloud. Training designed for experienced technologists and IT leaders whose jobs demand they know how to best leverage

new, emerging Microsoft technologies.

REGISTER NOW: http://bit.ly/Office365-JUMP

Office 365 Track Sessions

Monday, May 16OSP212: Microsoft Office 365: The Future of Productivity (Room 307 | 1:15 PM)OSP216: Microsoft Office 365: Deployment Overview (Room B313 | 3:00 PM)

Tuesday, May 17OSP273-INT: Microsoft Office 365 Administration and Automation Using Windows PowerShell (Room B301 | 8:30 AM)OSP213: What Do Existing BPOS Customers Need to Do to Prepare for Microsoft Office 365? (Room C201 | 1:30 PM)OSP276-INT: Microsoft Office 365 Client Connectivity (Room B304 | 1:30PM)OSP215: Microsoft Office 365: Identity and Access Solutions (Room B314 | 3:15 PM)OSP324: The Taming of the Clouds: Integrating SaaS with Your On-Premise Environment (Room C211 | 5:00 PM)

Wednesday, May 18OSP272-INT: Licensing Microsoft Online Services (Room B302| 10:15 AM)OSP274-INT: What Do Existing BPOS Customers Need to Do to Prepare for Microsoft Office 365? Q&A Follow Up (Room B304 | 3:15 PM)OSP 325: Microsoft Office 365: Directory Synchronization (Room B313 | 3:15 PM)

Thursday, May 19OSP381-INT: Microsoft Office 365: Identity and Access Solutions - Q&A Follow Up (Room B301 | 10:15 AM)OSP219: Deploying Microsoft Office Professional Plus Subscription (Room B314 | 2:45 PM)OSP214: Security and Compliance on the Microsoft Business Productivity Online Standard Suite and Microsoft Office 365 Platforms (Room B313 | 4:30 PM)

Related Office 365 Sessions

Monday, May 16EXL202: Microsoft Lync 2010: In the Cloud (Room B206 | 3:00 PM)OSP210: Microsoft SharePoint Online Overview (Room B402 | 3:00 PM)

Tuesday, May 17OSP309: Integrating Microsoft SharePoint 2010 and Microsoft Dynamics CRM Online (Room C302 | 1:30 PM)EXL319: Microsoft Lync 2010: Setup, Deployment, Upgrade and Coexistence Scenarios (Room B206 | 3:15 PM)OSP301: Integrating Microsoft SharePoint 2010 with Windows Azure (Room C203 | 5:00PM)

Wednesday, May 18EXL302: Archiving and Discovery in Microsoft Exchange 2010 SP1 and Exchange Online (Room B207| 10:15 AM)OSP308: Claims Identity in Microsoft SharePoint 2010 (Room B314 | 10:15 AM)OSP372-INT: Building Cloud Apps Using Microsoft Dynamics CRM Online and Windows Azure (Room B303 | 10:15 AM)OSP305: Developing Collaboration Solutions in the Cloud with Microsoft SharePoint Online (Room B314 | 1:30 PM)EXL311: Microsoft Exchange Server & Microsoft Office 365: How to Set Up a Hybrid Deployment (Room B206 | 3:15 PM)

Thursday, May 19EXL375-INT: Understanding Archiving and Compliance in Microsoft Exchange Online (Room B302 | 8:30 AM)EXL322: Microsoft Exchange Online: Unified Messaging in Microsoft Office 365 (Room B207 | 1:00 PM)EXL309: Microsoft Exchange Online in Microsoft Office 365: Migration Case Study (Room B207 | 2:45 PM)OSP306: Developing Powerful Workflows in the Cloud with Microsoft SharePoint Online (Room C208 | 2:45 PM)

Questions?

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

http://northamerica.msteched.com

Connect. Share. Discuss.

Complete an evaluation on CommNet and enter to win!

Scan the Tag to evaluate this session now on myTech•Ed Mobile

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.