70-346 Managing Office 365 Identities - PowerPoint PPT Presentation


1
Office 365 Identity Management
  • Complete Study Guide

2
Agenda
Recently Announced
Identity Integration Options
Identity Management Overview
3
Identity management overview
4
Identity management
Identity management deals with identifying individuals in a system and
controlling access to the resources in that system.
Integral components of identity and access management:
  • Authentication: verifying that a user, device, or service such as an
    application provided on a network server is the entity that it claims
    to be.
  • Authorization: determining which actions an authenticated entity is
    authorized to perform on the network.
http://www.pass4sureexam.co/70-346.html
5
More identity terms
  • Single Sign On (SSO) is the ability for two disjoint Identity
    Providers (IDP) to trust each other such that a user logged into one
    does not need to log in again for the second. YAUP is what you get if
    you don't have SSO.
  • The Relying Party (RP) is the system that relies on the Identity
    Provider to authenticate a user.
  • Security Assertion Markup Language (SAML) is a public standard managed
    by OASIS. SAML is the identity token and also the protocol. SAML 2.0 is
    built on SAML 1.1, ID-FF and Shibboleth.
  • WS-Federation / WS-Trust: WS-Federation is used for web browser based
    authentication with an IDP. WS-Trust is used by Office rich client apps
    to authenticate.
6
Microsoft cloud services
Two account types:
  • Microsoft Account
  • Organizational Account (Windows Azure Active Directory)
7
Common identity platform for organizational accounts
  • Windows Azure Active Directory is the underlying identity platform for
    various cloud services that use Organizational Accounts

Diagram: Windows Azure Active Directory (authentication platform and
directory store) serving Your App
8
Office 365 Identity
Three identity models, each backed by Windows Azure Active Directory:
  • Cloud Identity: single identity in the cloud. Suitable for small
    organizations with no integration to on-premises directories.
  • Directory Synchronization: on-premises identity synchronized to
    Windows Azure Active Directory with Directory Sync. Single identity;
    suitable for medium and large organizations without federation.
  • Federated Identity: on-premises identity with Directory Sync and
    Federation to Windows Azure Active Directory. Single federated identity
    and credentials; suitable for medium and large organizations.
9
Recent Additions
10
Windows Azure Active Directory Sync Tool Update
  • The tool is downloaded from the Office 365 admin portal.
  • Only a one-way hash of the password will be synchronized to WAAD, such
    that the original password cannot be reconstructed from it.
  • Synchronizes user passwords from on-premises AD to Azure AD
    (Office 365).
  • Respects on-premises password policies.
  • Can't sync passwords for Federated Users, but can co-exist.

Diagram label: SAML2 Identity Provider
More details on TechNet: http://aka.ms/sync
11
Directory Sync Tool or Active Directory Federation Services
Comparison columns: Password Sync | SSO with AD FS
Capabilities compared:
  • Same password to access resources
  • Can control password policies on-premises
  • Support for two factor authentication
  • No password re-entry if on premises
  • Client access filtering by IP or by time schedule
  • Authentication occurs on-premises; can immediately block disabled
    accounts
  • Change password available from web
  • Works with Forefront Identity Manager
  • Azure AD offers some 2FA features that are available with ADFS
    deployment on-premises.

12
Active Authentication: Why Multi-Factor
  • Your data and applications are under attack
  • Passwords are easily compromised
  • Consumerization of IT has only increased the
    scope of vulnerability
  • Strengthening regulatory requirements call for
    strongly authenticating access

13
Enterprise authentication using any phone
  • Out-of-Band Push One-Time Passcode
  • Out-of-Band Text One-Time Passcode
  • Out-of-Band Call
14
Architecture
Apps shown: Custom LOB Apps, Microsoft Apps, ISV/CSV Apps, fronted by
Windows Azure Active Directory and Active Authentication.
  1. Users sign in from any device using their existing username/password.
     Credentials are checked in Windows Azure AD. Then Active
     Authentication is triggered for additional verification.
  2. Users must also authenticate using their phone or mobile device
     before access is granted.
15
App Passwords
  • Provides rich client login as alternative to
    Multi Factor Auth
  • Not for administrators
  • 16 characters randomly generated
  • Currently in preview

16
Windows Azure Active Directory Provisioning Updates
  • Azure Active Directory Graph API
      • REST API for programmatic access to data in Azure AD
      • Can build multi-tenant applications, or custom LOB Apps
  • Azure Active Directory Connector for FIM 2010 R2
      • Can be used for multi-forest synchronization and non-AD sources
      • Public Beta starts on Connect soon

17
Identity integration options
18
Identity integration options
  1. Cloud Identity
     Org size: Small
     Control of attributes in directory: Least control
     Source of authority: Cloud
     Hardware requirements: No on-premises hardware required
     Login experience: Disjoint username/password for on-premises and
     cloud; enter credentials twice
  2. Directory Sync
     Org size: All
     Control of attributes in directory: Full control via on-premises
     directory
     Source of authority: On-premises
     Hardware requirements: Windows Server OS for DirSync appliance
     Login experience: Disjoint username/password for on-premises and
     cloud; enter credentials twice
  3. Password Sync
     Org size: All
     Control of attributes in directory: Full control via on-premises
     directory
     Source of authority: On-premises
     Hardware requirements: Windows Server OS for DirSync appliance
     Login experience: Same username/password for on-premises and cloud;
     enter credentials twice
  4. Graph API
     Org size: Large
     Control of attributes in directory: Can control core attributes and
     select optional
     Source of authority: Cloud
     Hardware requirements: Machine to run PowerShell jobs on
     Login experience: Disjoint username/password for on-premises and
     cloud; enter credentials twice
  5. FIM
     Org size: Large
     Control of attributes in directory: Can control core attributes and
     select optional
     Source of authority: On-premises
     Hardware requirements: Forefront Identity Manager with Office 365
     Connector
     Login experience: Disjoint username/password for on-premises and
     cloud; enter credentials twice
  6. Single Sign-On
     Org size: Large
     Control of attributes in directory: Full control via on-premises
     directory
     Source of authority: On-premises
     Hardware requirements: DirSync appliance; ADFS (or other STS)
     deployment
     Login experience: Same username/password for on-premises and cloud;
     login once if on-premises
19
Cloud identity
1
  • Rich experience with Office Apps
  • Ease of deployment, management and support
  • Lower cost as no additional servers are required on-premises
  • High availability and reliability as all Identities and Services are
    managed in the cloud

Diagram: Cloud Identity, e.g. alice@contoso.com
20
Directory Synchronization
2
  • Rich experience with Office Apps
  • Directory synchronization between on-premises
    and online
  • Identities are created and managed on-premises
    and synchronized to the cloud
  • Single identity and credentials but no single
    Sign-On for on-premises and office 365 services
  • Reuse existing directory implementation
    on-premises

Diagram: AD on-premises identity (e.g. Domain\Alice) synchronized to a
cloud identity (e.g. alice@contoso.com)
21
Password Synchronization
3
Directory Synchronization with one way Password
Hash
  • Rich experience with Office Apps
  • Directory synchronization between on-premises
    and online
  • Identities are created and managed on-premises
    and synchronized to the cloud
  • Single identity and password credentials but no
    single Sign-On for on-premises and office 365
    services
  • Reuse existing directory implementation
    on-premises

Diagram: AD on-premises identity (e.g. Domain\Alice) synchronized to a
cloud identity (e.g. alice@contoso.com)
22
Scoping and Filtering for Synchronization
  • Customers can exclude objects from synchronizing to Office 365.
  • Scoping can be done at the following levels:
      • AD Domain-based
      • Organizational Unit-based
      • User Attribute-based
  • Additional filtering capabilities will become available with the O365
    Connector.
  • Preventing the synchronization of specific attributes is not
    supported.

23
Multi-forest AD
  • DirSync on FIM
  • Federation using ADFS

Diagram: multiple AD forests, on-premises identity e.g. Domain\Alice
24
Multi-forest decision flowchart
Start: number of Active Directory forests?
  • Single (1): use Single Forest DirSync.
  • Multiple (>1): want to consolidate to a single forest?
      • Yes: on-premises org consolidation is needed; see the
        consolidation whitepaper. After consolidation, use Single Forest
        DirSync.
      • No: the remaining decisions depend on whether the account forests
        are disjoint, on the number of Exchange orgs (none, single or
        multiple), and on whether a disjoint account forest and Exchange
        org are accessed by accounts in the same forest. The outcome is
        either Use Multi Forest DirSync or Use Office 365 Connector.
25
Powershell / Graph REST API
4
  • Suitable for small/medium size organizations
    with AD or Non-AD
  • Performance limitations apply with PowerShell and
    Graph API provisioning
  • PowerShell requires scripting experience
  • PowerShell option can be used where the customer/partner may have
    wrappers around PowerShell scripts (e.g. self-service provisioning)

26
Office 365 Connector for Forefront Identity
Manager
5
  • Suitable for large organizations with certain AD
    and Non-AD scenarios
  • Complex multi-forest AD scenarios
  • Non-AD synchronization through Microsoft premier
    deployment support
  • Requires Forefront Identity Manager and
    additional software licenses

27
Federated identity
6
Directory Synchronization + Federation
  • Single identity and sign-on for on-premises and Office 365 services
  • Identities mastered on-premises with single point of management
  • Directory synchronization to synchronize directory objects into
    Office 365
  • Secure token based authentication
  • Client access control based on IP address with ADFS
  • Strong factor authentication options for additional security with
    ADFS

Diagram: on-premises identity (e.g. Domain\Alice) in AD or Non-AD
28
Federation options
  • Shibboleth (SAML). Works with AD and Non-AD.
    Suitable for educational organizations. Recommended where customers
    may use existing non-ADFS identity systems. Single sign-on; secure
    token based authentication. Support for web clients and Outlook (ECP)
    only. Microsoft supported for integration only, no Shibboleth
    deployment support. Requires on-premises servers support. Works with
    AD and other directories on-premises.
  • ADFS. Works with AD.
    Suitable for medium and large enterprises including educational
    organizations. Recommended option for Active Directory (AD) based
    customers. Single sign-on; secure token based authentication. Support
    for web and rich clients. Microsoft supported. Works for Office 365
    Hybrid Scenarios. Requires on-premises servers, licenses support.
  • Third-party STS (Works with Office 365 - Identity).
    Suitable for medium and large enterprises including educational
    organizations. Recommended where customers may use existing non-ADFS
    identity systems with AD or Non-AD. Single sign-on; secure token based
    authentication. Support for web and rich clients. Third-party
    supported. Works for Office 365 Hybrid Scenarios. Requires on-premises
    servers, licenses support. Verified through the Works with Office 365
    program.
29
Works with Office 365 Identity
  • Program for third party on premises identity providers to interoperate
    with Office 365
  • Objective is to help customers that currently use Non-Microsoft
    identity solutions to adopt Office 365
  • On TechNet: http://aka.ms/SSOProviders

Program themes shown on the slide: Flexibility, Confidence, Qualified by
Microsoft, Reuse Investments, Partner
30
Works with Office 365 Identity
  • On Premises Security Token Services
  • Active Directory with ADFS: WS-Trust, WS-Federation
  • Other protocols shown: WS-Federation, SAML-P
  • http://bit.ly/17D5Dq0
31
Client access control
  • Block all external access to Office 365 based on
    the IP address of the external client
  • Block all external access to Office 365 except Exchange ActiveSync;
    all other clients, such as Outlook, are blocked.
  • Block all external access to Office 365 except
    for passive browser based applications such as
    Outlook Web Access or SharePoint Online
  • Part of ADFS
  • Limit access to Office 365 based on network
    connectivity (internet versus intranet)

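The access patterns above are expressed in AD FS as issuance authorization rules on the Office 365 relying party trust. The following is an added example (not part of the original deck) of a rule set that permits everything from inside the corporate network and, for external requests arriving through the AD FS proxy, allows only Exchange ActiveSync and passive browser sign-in, denying every other client. The relying party display name, the claim type URIs (as documented on TechNet for AD FS 2.0 / 2012) and the `192.0.2.*` egress range (RFC 5737 documentation addresses) are assumptions to check against your own farm.

```powershell
# Added example, not from the deck: AD FS issuance authorization rules for the
# Office 365 relying party trust. Run on the primary AD FS server.
Import-Module ADFS   # AD FS 2.0 on 2008 R2: Add-PSSnapin Microsoft.Adfs.PowerShell

# Display name created by Convert-MsolDomainToFederated (assumed; confirm with Get-AdfsRelyingPartyTrust)
$rpName = 'Microsoft Office 365 Identity Platform'

# Request-context claim types added by the AD FS proxy (assumed as documented on TechNet)
$proxy     = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$clientIp  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$clientApp = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'
$endpoint  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$deny      = 'http://schemas.microsoft.com/authorization/claims/deny'
$permit    = 'http://schemas.microsoft.com/authorization/claims/permit'

# Constructed placeholder for the organisation's public egress IPs (RFC 5737 range):
# a proxied request whose forwarded client IP matches is still treated as on-premises.
$corpIpRegex = '^192\.0\.2\.\d{1,3}$'

# Rule 1: deny a request that (a) came through the proxy, i.e. is external,
# (b) is not Exchange ActiveSync, (c) is not the passive browser sign-in endpoint
# and (d) does not originate from a corporate egress address.
$denyRule = @"
@RuleName = "Block external access except ActiveSync and browser"
exists([Type == "$proxy"])
 && NOT exists([Type == "$clientApp", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$endpoint", Value == "/adfs/ls/"])
 && NOT exists([Type == "$clientIp", Value =~ "$corpIpRegex"])
 => issue(Type = "$deny", Value = "true");
"@

# Rule 2: everyone not denied above is permitted (a deny claim always wins over permit).
$permitRule = @"
@RuleName = "Permit all other users"
=> issue(Type = "$permit", Value = "true");
"@

# Keep the current rule set so the change can be rolled back.
$backup = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$backup | Out-File -FilePath .\O365-IssuanceAuthRules.backup.txt

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules ($denyRule + "`n" + $permitRule)

# Display the effective rules for review.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Dropping the `x-ms-client-application` clause gives the browser-only variant from the slide; dropping the `x-ms-endpoint-absolute-path` clause gives the ActiveSync-only variant.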
32
WAAD Identity with other cloud services
  • Identity managed in Windows Azure AD: single sign-on for Office 365 and
    other cloud services federated with a single cloud identity
  • ISV Applications or SAAS providers can integrate using APIs on Windows
    Azure AD

Diagram: cloud identity (e.g. alice@contoso.com) used by Office 365 and by
ISV apps, SAAS providers or Your App
33
Summary
  • Cloud Identities (Windows Azure Active Directory)
  • Directory Sync from On-Premises
  • Directory Sync from On-Premises (with Password
    Sync)
  • Graph API and Powershell
  • Forefront Identity Manager
  • Federation (or Single Sign-On)
  • ADFS
  • WS-Federation and WS-Trust
  • Shibboleth SAML-P
  • Active Authentication for multifactor
  • Works with Office 365 Identity

34
Resources
Learning
Developer Network
TechNet
35
Keep Learning
  • Keep up to date with all the latest Office 365 information at
    http://ignite.office.com
  • Get on top of your pilot using the FastTrack deployment process:
    http://fastTrack.office.com
  • Trial Office 365: http://office.microsoft.com

36
2013 Microsoft Corporation. All rights
reserved. Microsoft, Windows and other product
names are or may be registered trademarks and/or
trademarks in the U.S. and/or other
countries. The information herein is for
informational purposes only and represents the
current view of Microsoft Corporation as of the
date of this presentation. Because Microsoft
must respond to changing market conditions, it
should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information
provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED
OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.