CoLabora UC User Group Meeting - June 2015. Topic about: Identity in a World of Cloud - June 2015 Speaker: Jakob Østergaard Nielsen (www.mistercloudtech.com)

1. Jakob Østergaard Nielsen,
Cloud Solution Architect, EG A/S
Identity in A World of Cloud
Identity management with Azure Active Directory and Office 365

2. About me..
© EG A/S 2
Jakob Østergaard Nielsen
Cloud Solution Architect, EG A/S
Expertise:
Office 365, Microsoft Azure, Certifikat Service/PKI.
Federation Service, Exchange, Active Directory.
MCSE: Communication | MCSA: Office 365 |
MCTS: Exchange | MCSA: Windows Server 2012R2
Contact me:
E-mail: jakos@eg.dk
Blog: mistercloudtech.com
Twitter: twitter.com/JakobONielsen
Phone: +45 7260 2378/+45 2085 9156

3. Agenda
© EG A/S 3
 Identity models
 How to choose and identity model
 Identity Synchronization tools
 Azure AD Connect
 Password sync and Federated identity
 Azure Active Directory applications
 SourceAnchor and account matchning
 AD Sync Recommendations

4. The current reality…

5. Cloud
SaaS
Azure
Office 365Public
cloud
Other
Directories
Windows Server
Active Directory
On-premises Microsoft Azure Active Directory
Identity as the foundation

6. Office 365 Identity Models
© EG A/S 6

7. Identity Synchronization and Federation
WS-Federation
WS-Trust
SAML 2.0
Metadata
Shibboleth
Graph API
Synchronize
accounts
Authentication
Federated sign-in

8. Cloud Identity Model

9. Cloud identity model
“In Cloud”http://portal.office.com

10. © EG A/S 10

12. Synchronized Identity Model

13. Synchronized Identity Model
Password hashes
User accounts
User
Sign-on
Azure
AD Sync On-premise
directory“Same
Sign-On”
Authentication

14. Password hash sync security
AD Account password
is hashed twice
Twice through one-way hash algorithm
Not reversible to get users password
Result of the hashes is synced
Additional security
Connections are SSL encrypted
Connections are only to the Azure AD
Enables validation
Azure AD can validate the users password
when they log in
Azure
AD
Account
Password
On-premise
directory
Azure
AD Sync

15. Choosing between sync tools
 All the features from DirSync
 Support sync from multiple AD
forests incl. merge of duplicate
accounts to one Office 365
tenant.
 Support sync from LDAP v3, SQL
ID store (pending)
 Installs prerequisite software
components during install
 Upgrade from DirSync with
uninstall/install
 Will include all features from
DirSync and Azure AD Sync
(announced)
 Installer options to deploy Azure
AD Sync with password sync and
optionally ADFS
 Will support Azure AD Premium
features (password, device,
group writeback, +…)
 Released in GA on June 24, 2015
 Still default Sync tool linked
from the Office 365 Admin Portal
 Only support for sync from single
AD forest.
 Supports object filtering
(Domain, OU, attribute)
 Remains supported following
Microsoft Online Services Support
Lifecycle Policy (12 months)
- properly after AAD Connect GA*

16. Azure AD Connect – Identity Bridge
Azure AD
Connect
(sync + sign on)
Active
Directory
LDAP
directories

17. Azure AD Connect with Express Settings
Use one tool
instead of many
Get up and
running quickly
(5 clicks)
Start here, then
scale up or add
options
Custom options to
address more
complex scenarios

18. Demo
Azure AD Connect

20. Get up and running with:
Most common, simple options
Single AD forest
Synchronization of all on-premise objects
Password synchronization of all users
Creates default on-premise service account
Creates default cloud service account with tailored role
Enterprise admin requirement in on-premise AD
Global admin requirement in Cloud
Setup sync with AD Connector for on-premise AD and
Azure Connector for Azure AD
Azure AD Connect with Express Settings

21. Customize settings allows more advanced options
Supports multi-forest synchronization
Support for Hybrid scenarios and/or Single Sign-On using ADFS
Deploy pilot users using filtering of domain, OU or attribute
Assign custom lower privileges service account
Sync selected users using filtering (OU, domain, group, attribute)
Postpone initial full sync (‘staging mode’)
Support Azure AD premium features:
- writeback of passwords, users, groups, and devices from the cloud
Windows 10 Computer sync to Azure AD
Sync of custom and directory extension attributes
Azure AD Connect

22. Making hybrid identity simple
Azure Active Directory Connect
Deployment assistant for
identity bridge components.
Simplified deployment of
Federation components
Health – Operations and
monitoring of all Azure AD
Connect components

23. Federated Identity Model

24. Federated identity model
AD FS
User
Security token
Authentication
Sign-on
Federated identity
On-premises
directory
Azure
AD Sync
Password hashes
User accounts
Redirection
For alternatives to on-premise ADFS,
both ADFS and WAP can be hosted in
Azure, or using a hosting partner.
Single Sign-On for web apps, can also
use Azure AD Access Control Service
(ACS) as Secure Token Service (STS).

25. Password Sync Backup for Federated Sign-In
Password sync backup for
Office 365 federated sign-in
provides the option to
switch a federated domain
to synchronized domain in
the event of on-premise
outages or Internet access
disruption.
Federated identity
Backup Password Hash Sync
User accounts
AD FS
Azure
AD Sync
On-premises
directory

26. How to choose an identity model

27. Choosing Password Sync or ADFS for Sign-On
• Choose simplest model that will fit business requirements
• Cloud identity when no on-premise AD exist
• Password sync for standard on-premise AD integrations
• Federated identity for the following scenarios:
Organization already have ADFS or another federation service
Hybrid integration with Cloud services (Exchange/SharePoint/Skype4B/..)
Password prompts from domain joined computers must be minimized (SSO)
Security Policy require Sign-In Auditing and/or Immediate Disable of accounts
Security policy prohibits sync of password hashes to Azure AD
Client sign-in restrictions by Network Location or Work Hours
Conditional Access for both on-premise and cloud resources
Use FIM/MIM for the on-premise identity management
On-premise Multi-Factor Authentication or Smart Card support for sign in

28. Change between models as needs change
Cloud Identity to Synchronized Identity
Deploy DirSync / Azure AD Sync / Azure AD Connect
Hard match or soft match of users
Synchronized Identity to Federated Identity
Deploy AD FS and configure a trust between ADFS and Azure AD
PowerShell: Convert-MsolDomainToFederated
Leave password sync enabled as backup
Federated identity to Synchronized Identity
PowerShell: Convert-MsolDomainToStandard
Takes 2 hours plus 1 additional hour per 2,000 users
Synchronized Identity to Cloud Identity
PowerShell: Set-MsolDirSyncEnabled
Takes 72 hours - monitor with PowerShell: Get-MsolCompanyInformation

29. Azure AD Connect: Federated Sign on
Active
Directory
Azure
AD
Firewall
Firewall

30. Making ADFS Easier
Get familiar with the TechNet Deployment Guidance
Implement the ADFS and Office 365 requirements
Public SSL Certificate is required for ADFS/WAP
Use Azure AD Connect for easier deployment
Add Support for Multiple Domains during cloud federation
Change Token-Signing and Token-Decrypting certificates expiration

31. Currently ~2500 SaaS cloud apps
Integrate with Azure AD
Single Sign-On support
Central provisioning in Azure
User provisioning with local AD
groups using Azure AD Premium
Full SaaS cloud app list at:
Azure Active Directory Marketplace
Azure Active Directory applications

32. SourceAnchor (ImmutableID)
Base64 encoding of on-premise account objectGUID
Static (“Immutable”) during entire lifetime of an object
SourceAnchor value cannot (easily!) be changed after object is created in AAD !
When the Immutable attribute is first selected, it CANNOT be changed!
Recommended: ObjectGUID, EmployeeID
Avoid: mail, userPrincipalName
UserPrincipalName
The default logon attribute of users login to Cloud services
Keep default ! – don’t change if at all possible
Changing to another attribute is not supported with Hybrid Office 365 enabled
SourceAnchor and UserPrincipalName

33. Account matching
Hard match
First attempt; hard match based on ObjectGUID
Soft match
If unsuccessful; attempt soft match based on Primary SMTP address
IMPORTANT
Be sure all SMTP domains are validated in tenant before activating
directory synchronization
If neither objectGUID nor SMTP match can be made, a new object will be
created in Azure AD.
Reactivation of AD Sync overwrites all changes in Azure AD since last sync
-> Perform backup of cloud user data before reactivation !

34. Directory Synchronization
IMPORTANT
Before activating AD Sync, be sure directory cleanup is completed !
Primary SMTP address must be unique in the entire enterprise
No duplicate proxyAddresses must exist
All UPNs and SMTP addresses must be correctly formatted
Only supported management tool is on-prem Exchange Admin Center/Shell
When the Immutable attribute is first selected, it CANNOT be changed !

35. Common multi-forest topologies
Forests with GALSync
Users and Contacts should join on mail attribute
and be represented only once.
Account-Resource forests
One or many Account forests with enabled accounts
and one Resource forest with disabled accounts.
Joined on objectSID and msExchMasterAccountSID.
Separate forests
Each object in every forest will be represented in
Azure AD.

36. Summary
 Choose the simplest identity model for your requirements
 Cloud identity for no on-premise AD
 Synchronized identity for basic setup – add more later
 Federated identity for additional requirements
 Identity models can be changed as requirements change
 Azure AD Connect will be the new primary sync tool
 Easier ADFS deployment still needs preparation
 Azure AD applications integration and Single Sign-On
 Plan ImmutableID and Matching attributes ahead
 Directory Synchronization require proper AD cleanup

37. Questions !
© EG A/S 37

38. © 2014 EG A/S. All rights reserved.
The content of this material, including the text, images and other graphics and their arrangement, are copyrighted by EG A/S
or its affiliated, associated or related companies. EG A/S makes no warranties, express, implied or statutory, as to the information
in this presentation.