CoLabora UC User Group Meeting - June 2015.
Topic about: Identity in a World of Cloud - June 2015
Speaker: Jakob Østergaard Nielsen (www.mistercloudtech.com)
1. Identity in A World of Cloud
Identity management with Azure Active Directory and Office 365
Jakob Østergaard Nielsen, Cloud Solution Architect, EG A/S
14. Password hash sync security
The AD account password is hashed twice: the on-premise password hash (itself the output of a one-way hash) is run through a second one-way hash before it leaves the network.
The result is not reversible to the user's password, and it is not the on-premise hash itself, so the synced value cannot be replayed against on-premise AD.
Only the result of the second hash is synced.
Additional security:
Connections are SSL encrypted
Connections are only made to Azure AD
Enables validation:
Azure AD can validate the user's password when they log in, by recomputing the same hash over the password the user typed.
[Diagram: AD account password -> on-premise directory -> Azure AD Sync -> Azure AD]
15. Choosing between sync tools
Azure AD Sync:
All the features from DirSync
Support for sync from multiple AD forests, incl. merge of duplicate accounts into one Office 365 tenant
Support for sync from LDAP v3 and SQL ID stores (pending)
Installs prerequisite software components during install
Upgrade from DirSync by uninstall/install
Azure AD Connect:
Will include all features from DirSync and Azure AD Sync (announced)
Installer options to deploy Azure AD Sync with password sync and optionally ADFS
Will support Azure AD Premium features (password, device and group writeback, +…)
Released in GA on June 24, 2015
DirSync:
Still the default sync tool linked from the Office 365 Admin Portal
Only supports sync from a single AD forest
Supports object filtering (domain, OU, attribute)
Remains supported following the Microsoft Online Services Support Lifecycle Policy (12 months) - probably counted from AAD Connect GA*
16. Azure AD Connect – Identity Bridge
[Diagram: Active Directory and LDAP directories -> Azure AD Connect (sync + sign on) -> Azure AD]
17. Azure AD Connect with Express Settings
Use one tool instead of many
Get up and running quickly (5 clicks)
Start here, then scale up or add options
Custom options to address more complex scenarios
20. Azure AD Connect with Express Settings: get up and running with the most common, simple options
Single AD forest
Synchronization of all on-premise objects
Password synchronization of all users
Creates a default on-premise service account
Creates a default cloud service account with a tailored role
Requires an Enterprise Admin credential in the on-premise AD (used by the installer to create the service account)
Requires a Global Admin credential in the cloud tenant (used by the installer)
Sets up sync with an AD Connector for the on-premise AD and an Azure Connector for Azure AD
21. Customize settings allows more advanced options
Supports multi-forest synchronization
Support for hybrid scenarios and/or Single Sign-On using ADFS
Deploy pilot users using filtering on domain, OU or attribute
Assign a custom service account with lower privileges
Sync selected users using filtering (OU, domain, group, attribute)
Postpone the initial full sync ('staging mode': the server imports and synchronizes but exports nothing to Azure AD or on-premise AD, so the result of the initial sync can be reviewed before it goes live)
Support for Azure AD Premium features: writeback of passwords, users, groups and devices from the cloud
Windows 10 computer sync to Azure AD
Sync of custom and directory extension attributes
22. Making hybrid identity simple
Azure Active Directory Connect: deployment assistant for the identity bridge components
Simplified deployment of federation components
Health: operations and monitoring of all Azure AD Connect components
24. Federated identity model
[Diagram: the user signs on to Azure AD, is redirected to on-premises AD FS for authentication and returns with a security token; Azure AD Sync still syncs user accounts (and optionally password hashes) from the on-premises directory]
For alternatives to on-premise ADFS, both ADFS and WAP can be hosted in Azure, or by a hosting partner.
Single Sign-On for web apps can also use Azure AD Access Control Service (ACS) as the Secure Token Service (STS).
25. Password Sync Backup for Federated Sign-In
Password sync backup for Office 365 federated sign-in provides the option to switch a federated domain to a synchronized domain in the event of on-premise outages or Internet access disruption.
[Diagram: federated identity via AD FS, with Azure AD Sync keeping a backup password hash sync of the user accounts from the on-premises directory]
27. Choosing Password Sync or ADFS for Sign-On
• Choose the simplest model that fits the business requirements
• Cloud identity when no on-premise AD exists
• Password sync for standard on-premise AD integrations
• Federated identity for the following scenarios:
The organization already has ADFS or another federation service
Hybrid integration with cloud services (Exchange/SharePoint/Skype4B/..)
Password prompts from domain-joined computers must be minimized (SSO)
Security policy requires sign-in auditing and/or immediate disabling of accounts (with password sync, a disabled account stays usable in the cloud until the next sync cycle)
Security policy prohibits sync of password hashes to Azure AD
Client sign-in restrictions by network location or work hours
Conditional access for both on-premise and cloud resources
FIM/MIM is used for on-premise identity management
On-premise Multi-Factor Authentication or smart card support for sign-in
28. Change between models as needs change
Cloud identity to synchronized identity:
Deploy DirSync / Azure AD Sync / Azure AD Connect
Existing cloud users are hard matched (on ImmutableID) or soft matched (on primary SMTP address) to the on-premise users
Synchronized identity to federated identity:
Deploy AD FS and configure a trust between ADFS and Azure AD
PowerShell: Convert-MsolDomainToFederated
Leave password sync enabled as a backup
Federated identity to synchronized identity:
PowerShell: Convert-MsolDomainToStandard
Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized identity to cloud identity:
PowerShell: Set-MsolDirSyncEnabled -EnableDirSync $false
Can take up to 72 hours - monitor with PowerShell: Get-MsolCompanyInformation (the DirectorySynchronizationEnabled property)
29. Azure AD Connect: Federated Sign on
[Diagram: on-premise Active Directory, separated from Azure AD by two firewalls]
30. Making ADFS Easier
Get familiar with the TechNet deployment guidance
Implement the ADFS and Office 365 requirements
A public SSL certificate is required for ADFS/WAP
Use Azure AD Connect for easier deployment
Add support for multiple domains during cloud federation
Change the Token-Signing and Token-Decrypting certificate expiration; when these certificates roll over, the federation trust in Azure AD must be updated with the new certificate (PowerShell: Update-MsolFederatedDomain), otherwise sign-in fails once the old certificate expires
31. Currently ~2500 SaaS cloud apps integrate with Azure AD
Single Sign-On support
Central provisioning in Azure
User provisioning with local AD groups using Azure AD Premium
Full SaaS cloud app list at: Azure Active Directory Marketplace (Azure Active Directory applications)
32. SourceAnchor (ImmutableID) and UserPrincipalName
SourceAnchor (ImmutableID):
Base64 encoding of the on-premise account's objectGUID (the 16 raw bytes of the GUID, not its dashed string form)
Static ("immutable") during the entire lifetime of an object
The SourceAnchor value cannot (easily!) be changed after the object is created in AAD!
When the immutable attribute is first selected, it CANNOT be changed!
Recommended: objectGUID, employeeID (objectGUID changes when an object is migrated to another forest, which is why a stable attribute such as employeeID is the alternative for cross-forest scenarios)
Avoid: mail, userPrincipalName (both change during the lifetime of an account)
UserPrincipalName:
The default logon attribute for users logging in to cloud services
Keep the default! Don't change it if at all possible
Changing to another attribute is not supported with hybrid Office 365 enabled
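As an added example (not from the slides), the ImmutableID computation in code, including the detail that trips people up when they set ImmutableID by hand for a hard match: the Base64 is taken over the GUID's byte array in the order .NET's Guid.ToByteArray() uses (Python's bytes_le), not over the dashed string. The GUIDs and the pre-flight check are constructed for illustration.

```python
import base64
import uuid
from typing import Optional, Tuple


def immutable_id_from_guid(object_guid: str) -> str:
    """SourceAnchor as DirSync / Azure AD Connect compute it from objectGUID:
    Base64 of the 16 raw GUID bytes, in .NET Guid.ToByteArray() order (bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse direction: recover the on-premise objectGUID from an ImmutableID seen in Azure AD."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def hard_match_check(onprem_guid: str, cloud_immutable_id: Optional[str]) -> Tuple[str, str]:
    """Pre-flight for 'cloud identity -> synchronized identity': will this cloud object
    hard match the on-premise object, and if not, why? Returns (status, detail)."""
    expected = immutable_id_from_guid(onprem_guid)
    if cloud_immutable_id is None:
        return "unset", "set ImmutableID to %s for a hard match, or rely on soft match" % expected
    if cloud_immutable_id == expected:
        return "hard-match", expected
    try:
        other = guid_from_immutable_id(cloud_immutable_id)
    except ValueError:
        # e.g. an anchor derived from mail or UPN: the value is not a GUID at all
        return "non-guid-anchor", "ImmutableID is not objectGUID based; hard match impossible"
    return "mismatch", "cloud object is anchored to a different objectGUID: " + other


if __name__ == "__main__":
    guid = "01020304-0506-0708-090a-0b0c0d0e0f10"   # constructed objectGUID
    anchor = immutable_id_from_guid(guid)
    print(guid, "->", anchor, "->", guid_from_immutable_id(anchor))
    print(hard_match_check(guid, anchor))
    print(hard_match_check(guid, None))
```

Note that the dashed string of the same GUID, Base64 encoded, is 48 characters long and will never match; an ImmutableID set that way is exactly the "cannot easily be changed" situation the slide warns about.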
33. Account matching
Hard match: first attempt; hard match on objectGUID (the Base64-encoded on-premise objectGUID is compared with the ImmutableID in Azure AD)
Soft match: if unsuccessful, attempt soft match on the primary SMTP address
IMPORTANT
Be sure all SMTP domains are validated in the tenant before activating directory synchronization; an address in an unverified domain never reaches the tenant, so it can never soft match.
If neither an objectGUID nor an SMTP match can be made, a new object is created in Azure AD (and any existing cloud-only user for the same person is left behind as a duplicate).
Reactivation of AD Sync overwrites all changes made in Azure AD since the last sync
-> Perform a backup of cloud user data before reactivation!
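As an added example (not from the slides, and not the sync engine's own code), the matching order above simulated over a constructed set of on-premise and cloud users: hard match on ImmutableID first, then soft match on the primary SMTP address, which is only possible when the address's domain is verified in the tenant, otherwise a new object. Two simplifications are this example's own: a cloud object already anchored to a different on-premise object is skipped rather than raising a sync error, and only the "SMTP:" proxy address is considered.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class OnPremUser:
    object_guid: str
    upn: str
    proxy_addresses: List[str]   # Exchange convention: "SMTP:" prefix = primary, "smtp:" = secondary


@dataclass
class CloudUser:
    upn: str
    proxy_addresses: List[str]
    immutable_id: Optional[str] = None   # None for a cloud-only user that was never synced


def primary_smtp(proxy_addresses: List[str]) -> Optional[str]:
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[5:].lower()
    return None


def source_anchor(object_guid: str) -> str:
    """ImmutableID = Base64 of the objectGUID bytes in .NET byte order."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def match_user(user: OnPremUser, cloud: List[CloudUser],
               verified_domains: Set[str]) -> Tuple[str, Optional[CloudUser]]:
    """Returns ("hard" | "soft" | "create", matched cloud user or None)."""
    anchor = source_anchor(user.object_guid)
    for c in cloud:                                   # 1. hard match
        if c.immutable_id == anchor:
            return "hard", c
    smtp = primary_smtp(user.proxy_addresses)
    if smtp is None or "@" not in smtp or smtp.split("@", 1)[1] not in verified_domains:
        return "create", None                         # unverified domain: no soft match possible
    for c in cloud:                                   # 2. soft match on primary SMTP
        # a cloud object anchored to another on-premise object is not a soft-match candidate
        if c.immutable_id is None and primary_smtp(c.proxy_addresses) == smtp:
            c.immutable_id = anchor                   # soft match stamps the anchor; next time it hard matches
            return "soft", c
    return "create", None                             # 3. new object in Azure AD


def demo() -> dict:
    """Constructed tenant: one verified domain, three pre-existing cloud users."""
    verified = {"contoso.com"}
    cloud = [
        CloudUser("alice@contoso.com", ["SMTP:alice@contoso.com"],
                  immutable_id=source_anchor("11111111-1111-1111-1111-111111111111")),
        CloudUser("bob@contoso.com", ["SMTP:bob@contoso.com"]),
        CloudUser("carol@contoso.com", ["SMTP:carol@contoso.com"]),
    ]
    onprem = [
        OnPremUser("11111111-1111-1111-1111-111111111111", "alice@contoso.com", ["SMTP:alice@contoso.com"]),
        OnPremUser("22222222-2222-2222-2222-222222222222", "bob@contoso.com",
                   ["SMTP:bob@contoso.com", "smtp:robert@contoso.com"]),
        # Carol's primary SMTP is in an unverified domain: she gets a duplicate instead of a soft match
        OnPremUser("33333333-3333-3333-3333-333333333333", "carol@contoso.local", ["SMTP:carol@contoso.local"]),
        OnPremUser("44444444-4444-4444-4444-444444444444", "dave@contoso.com", ["SMTP:dave@contoso.com"]),
    ]
    return {u.upn: match_user(u, cloud, verified)[0] for u in onprem}


if __name__ == "__main__":
    for upn, outcome in demo().items():
        print(upn, "->", outcome)
```

Carol is the case the IMPORTANT note is about: the cloud-only carol@contoso.com stays as a duplicate, and fixing it afterwards means either deleting the cloud object or stamping its ImmutableID by hand.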
34. Directory Synchronization
IMPORTANT
Before activating AD Sync, be sure the directory cleanup is completed!
Primary SMTP addresses must be unique across the entire enterprise
No duplicate proxyAddresses may exist
All UPNs and SMTP addresses must be correctly formatted (and the UPN suffix should be a domain verified in the tenant, otherwise the user is synced with a <tenant>.onmicrosoft.com UPN)
The only supported management tool is the on-prem Exchange Admin Center/Shell
When the immutable attribute is first selected, it CANNOT be changed!
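As an added example (not from the slides), the cleanup checks above run over a constructed list of directory objects. Microsoft's IdFix tool does this against the real directory; this example shows the logic: UPN and SMTP format, a UPN suffix that is verified in the tenant, exactly one primary "SMTP:" address per object, and no address (primary or secondary) owned by more than one object. The address regex is a simplification of what Azure AD accepts and is this example's assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Simplified local@domain shape; Azure AD is stricter about characters than this (assumption).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

Finding = Tuple[str, str, str]   # (object or address, code, detail)


def check_directory(objects: List[Dict], verified_domains: Set[str]) -> List[Finding]:
    """objects: dicts with 'upn' and 'proxyAddresses' (Exchange 'SMTP:'/'smtp:' prefixes)."""
    findings: List[Finding] = []
    primaries: Dict[str, List[str]] = defaultdict(list)   # address -> owners, primary only
    addresses: Dict[str, List[str]] = defaultdict(list)   # address -> owners, any smtp proxy
    for obj in objects:
        name = obj["upn"]
        if not ADDRESS_RE.match(name):
            findings.append((name, "upn-format", "UPN is not local@domain or has unsupported characters"))
        elif name.split("@", 1)[1].lower() not in verified_domains:
            findings.append((name, "upn-suffix-unverified", "would be synced as <tenant>.onmicrosoft.com"))
        primary_count = sum(1 for a in obj["proxyAddresses"] if a.startswith("SMTP:"))
        if primary_count != 1:
            findings.append((name, "primary-smtp-count", "%d primary (SMTP:) addresses, expected 1" % primary_count))
        for addr in obj["proxyAddresses"]:
            kind, _, value = addr.partition(":")
            if kind.lower() != "smtp":
                continue                                    # X500:, sip: etc. are not checked here
            if not ADDRESS_RE.match(value):
                findings.append((name, "smtp-format", addr))
            addresses[value.lower()].append(name)
            if kind == "SMTP":
                primaries[value.lower()].append(name)
    for value, owners in addresses.items():
        if len(set(owners)) > 1:
            findings.append((value, "duplicate-proxyaddress", "owned by " + ", ".join(sorted(set(owners)))))
    for value, owners in primaries.items():
        if len(set(owners)) > 1:
            findings.append((value, "duplicate-primary-smtp", "primary for " + ", ".join(sorted(set(owners)))))
    return findings


# Constructed sample directory; every entry except Alice carries one of the problems from the slide.
SAMPLE = [
    {"upn": "alice@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice.smith@contoso.com"]},
    {"upn": "bob@contoso.com", "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:alice.smith@contoso.com"]},
    {"upn": "carol smith@contoso.com", "proxyAddresses": ["SMTP:carol@contoso.com"]},
    {"upn": "dan@contoso.com", "proxyAddresses": ["SMTP:dan@contoso.com", "SMTP:daniel@contoso.com"]},
    {"upn": "erin@contoso.local", "proxyAddresses": ["SMTP:erin@contoso.com"]},
    {"upn": "frank@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com"]},
]


if __name__ == "__main__":
    for subject, code, detail in check_directory(SAMPLE, {"contoso.com"}):
        print("%-28s %-24s %s" % (subject, code, detail))
```

Run this before the first sync and again before a reactivation: a duplicate primary SMTP address is the classic cause of a soft match landing on the wrong cloud user, which is then a SourceAnchor problem that cannot easily be undone.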
35. Common multi-forest topologies
Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
Account-Resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts, joined on objectSID and msExchMasterAccountSID.
Separate forests: each object in every forest will be represented in Azure AD.
36. Summary
Choose the simplest identity model for your requirements
Cloud identity when there is no on-premise AD
Synchronized identity for the basic setup - add more later
Federated identity for additional requirements
Identity models can be changed as requirements change
Azure AD Connect will be the new primary sync tool
Easier ADFS deployment still needs preparation
Azure AD application integration and Single Sign-On
Plan the ImmutableID and matching attributes ahead
Directory synchronization requires proper AD cleanup