Office 365 Identity Federation Technology Deep-Dive
Paul Black and Toby Knight, Technical Specialists
OSP224
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Session Objectives And Takeaways
Session Objective(s):
• Identify the role that Provisioning & Synchronization plays in Directory Integration
• Discuss available Provisioning & Synchronization Options
• Understand key directory concepts pertinent to Sync
Key Takeaway 1: When to use which Directory Sync option/technology, and what’s supported
Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure
Advance Warning: Identity Crisis!!
Platform is being re-branded “Windows Azure Active Directory”
• aka “Windows Azure AD” or just “AAD”
Windows Azure AD vs. Office 365
• Go-to-market names for different packages of functionality (CRM Online, InTune as well!)
• All GTMs share common platform pieces: Directory: “MSO DS”; STS: OrgID
Platform pieces & tools will be branded Windows Azure AD
• PowerShell Module for Windows Azure Active Directory
• Windows Azure Active Directory Sync Tool
• Windows Azure Active Directory Connector for FIM 2010
Windows Azure AD vs. Office 365
[Diagram: one Windows Azure AD (directory + STS) shared by cloud apps: Exchange Online, SharePoint Online, Lync Online, CRM Online, InTune]
Provisioning vs Synchronization
The two are not the same!
Synchronization solutions are Provisioning solutions, but not the other way around!
Synchronization: Provisioning + long-term consistency/parity of state between source objects and their representation in the external system.
Provisioning: Creation of objects and/or associated resources in a directory or external system.
Directory Integration Options
Automated
How:
• DirSync, FIM + Connector
Why:
• Large volume of objects/churn
• Require access to all attributes in the directory
• Require consistency between on-prem & cloud
• Want Single Sign-On
Scriptable
How:
• PowerShell cmdlets
• GRAPH API
Why:
• Need an automated process, but don’t require access to all attributes in the directory
• OK to not have full consistency between source and cloud
Manual
How:
• Create objects in Windows Azure AD via Admin Portal or Bulk Import
Why:
• Low volume of objects to create
• No long-term management/consistency required
Examples of Integration - Manual
Example of Integration - Scriptable
PowerShell: New-MsolUser -UserPrincipalName "[email protected]"
GRAPH
Example of Integration - Automated
(fill in DirSync picture here)
Directory Integration in the bigger picture
Directory Integration is the first half of a larger ecosystem
Single Sign-On solutions depend on successful Synchronization of data into the Directory!
Architecture and Integration Options
1. No Integration
2. Directory Data Only
3. Directory and Single sign-on (SSO)
[Diagram: Contoso customer premises (AD, Active Directory Federation Server 2.0 as IdP, Directory Sync, Office 365 Desktop Setup) with a Trust to Windows Azure Active Directory / MS Online (Identity Services, Provisioning platform, Directory Store, Authentication platform, Admin Portal/PowerShell), which feeds Exchange Online, SharePoint Online, Lync Online, CRM Online and InTune]
Why Directory and SSO Integration
Single place for management:
• Users and groups (including security-enabled groups)
• Passwords
• Password policies
Support for Enterprise Single Sign-on
Support for Hybrid environments for services such as Exchange Online
Options for Strong Authentication (e.g. Smart cards)
Architecture Deep Dive
[Diagram: Customer Network (AD, AD FS, DirSync with AD MA, Metaverse and O365 MA) talking to the Office 365 Datacenter (AWS FEs, Microsoft Online ID, O365 Directory, Workflow, GRAPH), which feeds Exchange, SharePoint, Lync, …]
Life as a sync’d object
When an object is created in the cloud, it is “owned in the cloud”
• Changes can be made via Portal, PowerShell or in the various cloud services
When an object is created by Sync, it is “owned by sync”
• Changes can only be made via the on-prem directory and then sync to the cloud
When an object is created in the cloud, but also exists on-prem:
• Sync will try to Soft-Match the object coming via Sync
• Soft-match uses SMTP addresses to “best guess”
• If matched, “owned by sync”
Life as a sync’d object
Objects “owned by Sync” can be deleted directly in the cloud!
• Remove-MsolUser/Contact/Group will allow you to delete an object that is owned by Sync
• If still on-prem, it will be recreated on the next Sync cycle
Tour as a sync’d object
1. Sync Tool reads data from the on-prem directory source
2. Sync Tool pushes data to the AWS FEs
3. AWS FE tries to create the object in MSODS (if user, OrgID first)
4. Workflow evaluates objects and attributes such as User.ProxyAddresses
5. Data validations performed (validation required? done here)
6. Services read from MSODS and sync into services
Choose your own Sync Adventure
3 options for Directory Sync:
1. Single-forest DirSync appliance
2. Multi-forest DirSync appliance
3. Windows Azure Active Directory Connector for FIM 2010 (aka “Multi-Forest”)
You don’t need to use SSO just because you sync, but you should Sync in order to use SSO
• Could use PowerShell, but lots of management overhead & not a formally tested scenario
Sync solution doesn’t constrain SSO solution
• You can use any Sync solution with ADFS or a non-AD STS (e.g. Shibboleth)
Choose your own Sync Adventure
AAD Connector, when to use:
• Multiple AD Forests containing directory data to synchronize to AAD
• Directory data “overlaps” (an object is represented in more than one forest)
• Non-AD directory sources*
Multi-Forest DirSync, when to use:
• More than 1 AD Forest containing the directory data to synchronize to AAD
• ADs have “non-overlapping data” (no object in one forest is represented in another forest)
Single Forest DirSync, when to use:
• Single AD forest on-prem that contains all data to synchronize to AAD
Choose your own Sync Adventure
A notable exception to the previous slide:
Pattern:
• 2 Forests on-prem: 1 Authentication/Logon forest, 1 Exchange/“Resource” Forest
• This is a common pattern (prescribed by the Exchange Product): full migration to Exchange Online, then collapse the Resource Forest
Consider:
• “Sync” data from the Exchange forest to the Auth Forest
• Run single-forest DirSync against the Auth Forest
• Sync’ing the necessary core attributes from the Exchange forest to the Auth forest can negate the need for multi-forest sync altogether, including SourceAnchor and UserPrincipalName
• Some things not supported at this time: Multiple Exchange Orgs
Core Directory Sync Concepts
Source of Authority
• Where changes can be made to an object (either “on-prem” or “cloud”)
• De-/activating DirSync in the Admin portal transfers source of authority
SourceAnchor
• Used to uniquely identify objects created in the cloud from the on-prem directory
• Critical for the Single Sign-On scenario (ADFS will be configured to generate the SourceAnchor on AuthN; this needs to match the ImmutableID stored in OrgId at user provisioning time)
• Can’t be changed after the object is initially provisioned by Sync; an attempt to change it will error out
Core Directory Sync Concepts
UserPrincipalName
• The “sign-in name” for a user
• On-prem UPN needs to match the UPN in the cloud for login to succeed
• Once licensed, the user UPN won’t change even if changed on-prem
• Can override using the Set-MsolUserPrincipalName cmdlet
Hybrid Service Deployments
• Some attributes on on-prem objects are updated based on activities in the cloud
• Only modify objects that were initially sync’d to the cloud from on-prem
Core Directory Sync Concepts
We validate (some) data to protect the Core Directory and services:
Attribute: UserPrincipalName
Validation:
• UPNs must use a verified domain
• If not, the UPN value will be autoconstructed (won’t update local AD): [sAMAccountName] + ‘@’ + [moera.onmicrosoft.com]
• Must contain only supported characters
Attribute: User.ProxyAddresses
Validation:
• Cannot have duplicate proxy addresses → Sync Error (on license for EXO)
• Remove all proxyAddresses that are not using a verified domain
• Adding the verified domain later will “re-hydrate” those PAs removed earlier
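The validation rules above, modelled as an added Python example (not code from the deck or from DirSync itself): UPN fallback to sAMAccountName@MOERA domain, dropping proxy addresses on unverified domains, and the cross-object duplicate check behind the two most common sync failures. The tenant domains, the sample users and the "supported characters" set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tenant: verified domains and the *.onmicrosoft.com (MOERA) domain.
VERIFIED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
MOERA_DOMAIN = "contoso.onmicrosoft.com"
# Assumed set of supported UPN characters; the deck does not enumerate them.
UPN_LOCAL = re.compile(r"^[A-Za-z0-9._'-]+$")

def _addr(value):
    # "SMTP:Alice@Contoso.com" -> "alice@contoso.com" (strip the type prefix, normalise case)
    return value.split(":", 1)[-1].lower()

def effective_upn(sam_account_name, on_prem_upn):
    """UPN the cloud will use. Unverified domain or unsupported characters ->
    autoconstruct sAMAccountName@<MOERA domain>; on-prem AD is left untouched."""
    local, _, domain = on_prem_upn.rpartition("@")
    if domain.lower() in VERIFIED_DOMAINS and UPN_LOCAL.match(local):
        return on_prem_upn
    return f"{sam_account_name}@{MOERA_DOMAIN}"

def filter_proxy_addresses(proxy_addresses):
    """Split into (kept, removed): addresses on unverified domains are dropped
    and would be re-hydrated once that domain is verified later."""
    kept = [p for p in proxy_addresses if _addr(p).rpartition("@")[2] in VERIFIED_DOMAINS]
    return kept, [p for p in proxy_addresses if p not in kept]

def find_duplicates(users):
    """The two most common sync failures: a UPN or proxy address claimed by more
    than one object. Returns {address: [sAMAccountName, ...]} for each clash."""
    owners = defaultdict(set)
    for u in users:
        owners[effective_upn(u["sam"], u["upn"]).lower()].add(u["sam"])
        for p in filter_proxy_addresses(u["proxyAddresses"])[0]:
            owners[_addr(p)].add(u["sam"])
    return {a: sorted(s) for a, s in owners.items() if len(s) > 1}

# Constructed sample: bob's UPN is on an unverified domain, and he carries a
# secondary SMTP address that collides with alice's primary one.
SAMPLE_USERS = [
    {"sam": "alice", "upn": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice@contoso.local"]},
    {"sam": "bob", "upn": "bob@contoso.local",
     "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:Alice@contoso.com"]},
]
```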
Core Directory Sync Concepts
Most common sync validation failures:
• Duplicate proxy addresses
• Duplicate UPN value
• Errors reported in Email
Run the Deployment Readiness Tool!
Core Directory Sync Concepts
Linking/Matching objects during sync
1. First, check whether an object already exists with the same SourceAnchor value
2. If the object exists, update the existing object
3. If no object hard-matches, try a soft match against existing objects (using the SMTP addresses of the on-prem object)
4. If a candidate match exists, stamp the SourceAnchor value on that object for subsequent sync cycles
5. If no candidate match exists, create a new object
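The hard-match / soft-match / create order above, run against a constructed in-memory "cloud directory", as an added example (not DirSync's own code). It also illustrates the recovery point made later in the deck: an on-prem object re-created with a new SourceAnchor but the same attributes does not hard-match, so it becomes a new object. The restriction of soft-matching to cloud-owned objects without a SourceAnchor, and the "ambiguous" outcome for several candidates, are assumptions of this example.

```python
# Added example, not from the deck: hard match -> soft match -> create, on a
# constructed list of cloud objects (dicts with sourceAnchor/owner/upn/proxyAddresses).

def _smtp_addresses(proxy_addresses):
    # "SMTP:Alice@Contoso.com" / "smtp:a@b" -> {"alice@contoso.com", ...}; other types ignored
    return {p.split(":", 1)[1].lower() for p in proxy_addresses if p.lower().startswith("smtp:")}

def link_object(cloud, on_prem):
    """cloud: list of dicts mutated in place; on_prem: the object arriving via sync.
    Returns (action, cloud_object); action is 'updated', 'soft-matched',
    'ambiguous' or 'created'."""
    # 1. Hard match: same SourceAnchor -> update the existing object.
    for obj in cloud:
        if obj["sourceAnchor"] == on_prem["sourceAnchor"]:
            obj["upn"], obj["proxyAddresses"] = on_prem["upn"], list(on_prem["proxyAddresses"])
            obj["owner"] = "sync"
            return "updated", obj
    # 2. Soft match on SMTP addresses. Assumption (not stated in the deck): only
    #    cloud-owned objects with no SourceAnchor are candidates, so an on-prem
    #    object re-created with a new anchor never silently takes over a synced one.
    wanted = _smtp_addresses(on_prem["proxyAddresses"])
    candidates = [o for o in cloud if o["sourceAnchor"] is None
                  and _smtp_addresses(o["proxyAddresses"]) & wanted]
    if len(candidates) > 1:
        return "ambiguous", None          # assumption: flag rather than guess
    if candidates:
        obj = candidates[0]
        obj["sourceAnchor"] = on_prem["sourceAnchor"]   # stamped for later cycles
        obj["owner"] = "sync"
        return "soft-matched", obj
    # 3. No candidate -> create a new, sync-owned object.
    obj = {"sourceAnchor": on_prem["sourceAnchor"], "owner": "sync",
           "upn": on_prem["upn"], "proxyAddresses": list(on_prem["proxyAddresses"])}
    cloud.append(obj)
    return "created", obj

def sample_run():
    """Constructed scenario: a cloud-created user, then three sync cycles."""
    cloud = [{"sourceAnchor": None, "owner": "cloud", "upn": "alice@contoso.com",
              "proxyAddresses": ["SMTP:alice@contoso.com"]}]
    alice = {"sourceAnchor": "anchor-A", "upn": "alice@contoso.com",
             "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:a.smith@contoso.com"]}
    actions = [link_object(cloud, alice)[0],              # soft-matched, anchor stamped
               link_object(cloud, alice)[0]]              # updated via hard match
    recreated = dict(alice, sourceAnchor="anchor-B")       # same attributes, new anchor
    actions.append(link_object(cloud, recreated)[0])     # created: does NOT recover
    return actions, cloud
```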
DirSync Quota
• Protects the directory from a malicious “storage DoS”
• Default now 50K for tenants provisioned after 5/1
Core Directory Sync Concepts
Throttling Sync
• Throughput “shared” across tenants at the AWS layer (throttled per partition)
• DirSync client automatically handles “Error Code 81” and retries
• Throttling leads to variable sync times
V1/V2 differences
• Some differences in what’s sync’d/not sync’d
• Groups without display names aren’t sync’d in v2!
• Contact the migration team for documentation/list of deltas
Recovering deleted objects via Sync
Will be lighting up the “soft delete” feature in PROD
Scenario:
• On-prem AD Admin accidentally deletes a user object in AD
• DirSync “propagates the delete” to the cloud
• User object is deleted in the cloud (mailbox lost)
NOW WHAT?
Recovering deleted objects via Sync
Manual recovery: admin identifies the object to be recovered
Via DirSync: when the admin restores the user object in AD (via the W2K8R2 Recycle Bin), the object is automatically recovered by DirSync (mailbox is recovered, etc.)
• “Recovery” is dependent on keeping the same SourceAnchor value! A new SourceAnchor value with the “same attribute values” will not recover the user object in the cloud!
Filtering Sync
2 kinds of filters customers ask for:
• Choose which objects get sync’d to the cloud
• Choose which attributes get sync’d to the cloud
We support the former; we don’t support the latter
Wiki post and UA documentation posted to walk customers through this customization
In Review: Session Objectives And Takeaways
Session Objective(s):
• Identify the role that Provisioning & Synchronization plays in Directory Integration
• Discuss available Provisioning & Synchronization Options
• Understand key directory concepts pertinent to Sync
Key Takeaway 1: When to use which Directory Sync option/technology, and what’s supported
Key Takeaway 2: Key architecture and design considerations of the end-to-end sync infrastructure
Related Content
Today OSE 225, Friday OSE 331, OSE 333, OSE 334
Hands-on Labs (OSPILL101 Designing a SharePoint site)
Office 365 @ The Microsoft Showcase
Find Me Later At The Microsoft Showcase Friday (9-12am)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.