Office 365: Identity and access solutions

Office 365: Identity and access solutions

Identity changes for the next major service updateMicrosoft Online cloud IDs Federated IDs How federated authentication worksDeployment scenarios

Office 365 Identity featuresPassword policy controls for Microsoft Online IDsSingle sign-on with corporate credentialsDirectory Synchronization updatesRole-based administration: Five administration roles

Company Admin Billing AdminUser Account Admin HelpDesk AdminService Support Admin

“Admin on behalf of” for support partners

Bronze Sky customer premises

Identity architecture: Identity options1. Microsoft Online IDs

ADMS Online

Directory Sync

Identity platform

Provisioningplatform

LyncOnline

SharePoint Online

Exchange Online

FederationGateway

Active Directory Federation Server

2.0

Trust

IdP DirectoryStore

Admin Portal

Authentication platform IdP

Service connector

Microsoft Office 365 Services

2. Microsoft Online IDs + DirSync3. Federated IDs + DirSync

Identity options comparison1. MS Online IDs

Appropriate for• Smaller organizations

without AD on-premise

Pros• No servers required on-

premise

Cons• No SSO• No 2FA• 2 sets of credentials to

manage with differing password policies

• Users and groups mastered in the cloud

2. MS Online IDs + Dir Sync

Appropriate for• Orgs with AD on-premise

Pros• Users and groups mastered

on-premise• Enables co-existence

scenarios

Cons• No SSO• No 2FA• 2 sets of credentials to

manage with differing password policies

• Single server deployment

3. Federated IDs + Dir Sync

Appropriate for• Larger enterprise

organizations with AD on-premise

Pros• SSO with corporate cred• Users and groups mastered

on-premise• Password policy controlled

on-premise• 2FA solutions possible• Enables co-existence

scenarios

Cons• High availability server

deployments required

Sign On Experience across apps and OSsFederated vs. Non-Federated Summary

A new “service connector” is needed – primarily for rich clientsInstalls client and operating system updates to enable best sign-on experienceEnables authentication support for rich clientsEnsures clients have all needed configuration data to enable service usage

Web kiosk scenarios (e.g. OWA) supported without the service connector

Outlook2010

Win 7 Vista/XP

Federated IDs,

domain joined

MS Online IDs

Outlook Web Application

No prompt No prompt

Each session

ActiveSync, POP, IMAP, Entourage

Once at setup No prompt

Outlook 2007

No prompt

Once at setupEach session Each session Each session

Outlook 2007 or 2010

Win 7

Online IDOnline IDOnline IDOnline IDOnline ID

AD credentials

Win 7/Vista/XP

No prompt

Each session

Office 2010, or Office 2007 SP2

SharePoint Online

Online ID

Identity federation details

Authentication flowsDeployment scenariosIdentity federation rollout

Identity FederationAuthentication flow (passive profile)

`

Client(joined to CorpNet)

Federation GatewayAD FS 2.0 Server

Exchange Online

Active Directory

Customer Microsoft Office 365

Identity FederationAuthentication flow (active profile)

`

Client(joined to CorpNet)

Federation GatewayAD FS 2.0 Server

Exchange Online

Active Directory

Customer Microsoft Office 365

AD FS 2.0 deployment options

1. Single server configuration2. AD FS 2.0 server farm and load-balancer3. AD FS 2.0 proxy server (offsite users)

Enterprise DMZ

AD FS 2.0 ServerProxy

Internaluser

ActiveDirectory

AD FS 2.0 Server

AD FS 2.0 Server

AD FS 2.0 ServerProxy

Piloting and rolling out identity federation

Starting out with a production federated domainRollout of identity federation to the organization can be staged.

Starting out with a production standard domain (running Directory Sync) containing production licensed users:

Domain conversion (to federated) is a big switch. Piloting or rolling out identity federation in a staged fashion to an existing production standard domain is not possibleHowever, piloting with production users is possible

Requires a federated test domain and changing pilot user’s UPNs

Identity Details

Microsoft Office 365 Services requirementsIdentity federation supported initially only through AD FS 2.0MS Online business scenarios always use WS-*

WS-Trust provides support for rich client authentication

Protocols supportedWS-*, SAML1.1SAML2.0 coming later (with Shibboleth support)

Strong authentication solutions for web applications Via ADFS Proxy sign in page or UAG SP1

Customer AD Structures

Matching domainsInternal Domain and External domain are the same

Eg. contoso.com

Sub DomainInternal domains is a sub domain of the external domain

Eg. Corp.contoso.com

Local DomainInternal domain is not publicly “registered”

Eg. Contoso.local

Multiple distinct login domainsEg, mix of users having login UPNs under contoso.com and fabrikam.com

Multi ForestNot Currently supported

Active Directory Considerations

Matching domainNo special requirements

Sub DomainRequires that Domains be registered in order, primary then sub domains

Local DomainDomain can not be registered thus cannot be used for federation

Requires all users to get new UPN

Multiple distinct domainsRequires deployment of separate AD FS 2.0 servers per distinct domain

General Rules

Every User must have a UPN

UPNs must match a validated domain in Office 365

Users may need to understand that they must use UPN to logon to Office 365

ResourcesRead more about Microsoft Online Services – www.microsoft.com/online

Learn about the next release of BPOS, the Microsoft Office 365 Suite - http://office365.microsoft.com

Continue the conversationMicrosoft Online Services Team Blog – http://blogs.technet.com/msonline Facebook Fan Page – http://www.facebook.com/MicrosoftOnlineServices You Tube Channel – http://www.youtube.com/user/msonlineservices Twitter – http://twitter.com/msonline

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.