Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities (DCIM-B301)


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5/14/2014
Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities
Aanchal Saxena, Ross Adams
DCIM-B301

Azure Active Directory
- Active Directory: an identity management system spanning cloud and on-premises, providing authentication, federation, user provisioning, application access control, and data protection
- Combination of Windows Server AD and Azure AD to secure the hybrid enterprise
[Diagram: Microsoft's Cloud with Azure Active Directory, Microsoft apps and 3rd party apps; On-Premises with Windows Server Active Directory, on-premises apps, Microsoft Dynamics CRM and your apps]

Relationship to Windows Server AD
- On-premises and cloud Active Directory managed as one
- Directory information synchronized to the cloud, made available to cloud apps via role-based access control
- Federated authentication enables single sign-on to cloud applications
[Diagram: Windows Server Active Directory linked to Windows Azure Active Directory by sync and federation; Microsoft's Cloud hosts Microsoft apps, 3rd party apps and your apps]

Directory Integration options
- No directory integration
- Profile data only
- Profile and identity data
- Profile data and integrated authentication (SSO)
- Profile and identity data with integrated authentication (SSO and password sync)
[Diagram: the same hybrid layout, with Profile, Passwords and Federation as the three integration channels between Windows Server Active Directory and Windows Azure Active Directory]

Which sync option is right for you?
- Cloud only: no on-premises infrastructure; profile data (groups, users and contacts)
- Profile data (directory sync): Active Directory on-premises; LDAP compliant directory, CSV, SQL (** see "What to do when you can't sync"); cloud passwords are good enough
- Identity data, aka password sync: single AD forest on-premises; same sign-on is good enough; no room for additional infrastructure
- Integrated authentication, aka SSO (federation): STS infrastructure already exists; can't sync passwords (multi-forest, smart cards); SSO required, audit, or network isolation

What to do when you can't sync
- Support is coming for syncing from LDAP, CSV and SQL sources
- Still can't sync? Scriptable options: the Azure AD PowerShell module and the Directory Graph API
- Some limitations here, such as setting certain properties (e.g. email addresses)

Synchronizing your data: Directory Sync
- Enables on-premises directory data to be projected into the cloud
- Only synchronizes from a single AD forest
- Groups, contacts and users, ~150 properties
- Provides a delta sync of changes; the sync timeframe is every 3 hours
- Links the on-prem object to the cloud object using SourceAnchor, a unique on-prem ID (by default: ObjectGUID)
- On-prem is the master for all objects and properties
- Proactively reports errors via email: no news is good news
- Provides for rich integration experiences: Office hybrid scenarios require two-way sync for some properties

Directory Sync: what gets written back
- ONLY written back if Hybrid Deployment is enabled
- Exchange hybrid scenario (7 attributes on users and contacts): safe senders, mail co-existence, UM
- In future: users, groups and devices

Attribute | Feature
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering coexistence: enables on-premises filtering using cloud safe/blocked sender info
msExchArchiveStatus | Cloud archive: allows users to archive mail to the Office 365 service
ProxyAddresses (cloud LegDN) | Mailbox off-boarding: enables off-boarding of mailboxes back to on-premises
msExchUCVoiceMailSettings | Voicemail co-existence: enables on-premises mailbox users to have Lync in the cloud
msExchUserHoldPolicies | Litigation hold: enables cloud services to determine which users are under litigation hold

Directory Sync: matching on-premises and cloud users

- If a user object in the cloud has the sourceAnchor value, match on the sourceAnchor value
- If no user object in the cloud has the sourceAnchor value, try to match based on SMTP addresses
- If the SMTP address match succeeds, the sourceAnchor value is stamped on the object already in the cloud and the objects are matched
- Subsequent sync runs will use sourceAnchor values
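The matching rules above as an added, runnable model (example code written for this page, not code from the deck or from DirSync). The user records are constructed; restricting soft matches to cloud objects that carry no sourceAnchor yet is the model's own assumption, as is treating a cloud object already anchored to a different on-prem object as a duplicate rather than a candidate.

```python
"""Model of how DirSync matches on-premises users to existing cloud users.
Added example for this page; not DirSync code. All records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class OnPremUser:
    object_guid: str              # SourceAnchor (the default is ObjectGUID)
    upn: str
    proxy_addresses: List[str]    # e.g. "SMTP:alice@contoso.com"


@dataclass
class CloudUser:
    upn: str
    proxy_addresses: List[str]
    source_anchor: Optional[str] = None   # empty for objects created in the cloud


def smtp_addresses(proxies: List[str]) -> Set[str]:
    """SMTP proxy addresses, case-folded; X500 and other address types are ignored."""
    return {p.split(":", 1)[1].lower()
            for p in proxies if p.lower().startswith("smtp:")}


def match_user(u: OnPremUser, cloud: List[CloudUser]):
    """Return (cloud object or None, how it was matched) following the slide's rules."""
    # 1. Hard match: a cloud object already carrying this sourceAnchor.
    for c in cloud:
        if c.source_anchor == u.object_guid:
            return c, "sourceAnchor"
    # 2. Soft match on SMTP addresses. Model assumption: only cloud objects with no
    #    sourceAnchor are candidates; one anchored to another on-prem object is a
    #    duplicate, not a match.
    wanted = smtp_addresses(u.proxy_addresses)
    for c in cloud:
        if c.source_anchor is None and wanted & smtp_addresses(c.proxy_addresses):
            c.source_anchor = u.object_guid   # stamped; later runs hard-match
            return c, "smtp"
    return None, "new"


def sync_run(on_prem: List[OnPremUser], cloud: List[CloudUser]) -> Dict[str, str]:
    """One sync run: match or create every on-prem user; report how each was handled."""
    outcome = {}
    for u in on_prem:
        c, how = match_user(u, cloud)
        if c is None:
            cloud.append(CloudUser(u.upn, list(u.proxy_addresses), u.object_guid))
        outcome[u.upn] = how
    return outcome


if __name__ == "__main__":
    # Constructed sample: alice was created in the cloud before sync (no anchor),
    # bob was matched on an earlier run, carol exists only on-premises.
    cloud = [CloudUser("alice@contoso.com", ["SMTP:alice@contoso.com"]),
             CloudUser("bob@contoso.com", ["SMTP:bob@contoso.com"], "guid-bob")]
    on_prem = [OnPremUser("guid-alice", "alice@contoso.com", ["SMTP:alice@contoso.com"]),
               OnPremUser("guid-bob", "bob@contoso.com", ["SMTP:bob@contoso.com"]),
               OnPremUser("guid-carol", "carol@contoso.com", ["SMTP:carol@contoso.com"])]
    print(sync_run(on_prem, cloud))   # alice: smtp, bob: sourceAnchor, carol: new
    print(sync_run(on_prem, cloud))   # second run: all three via sourceAnchor
```

The second run is the point of the slide's last bullet: once the SMTP soft match has stamped the anchor, the SMTP addresses no longer matter, so a later change to a user's proxy addresses cannot silently re-link them to a different cloud object.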

Directory Sync: preparing for directory sync
- Every user must have a unique UPN and unique proxy addresses
- SIP address must match a verified domain
- UPN suffix must match a verified domain
- UPN character restrictions: only letters, numbers and . - _ ! # ^ ~ are allowed; no dot immediately before the @ symbol

Directory Sync: handling duplicates
- First-in wins, i.e. the duplicated object receives errors

Domain validation
- If the UPN uses a non-registered domain, it is replaced with mailNickName@[domain].onmicrosoft.com
- SIP address is removed if it is not on a verified domain
- Proxy address is removed if it is not on a verified domain and the user has an Exchange license

Synchronization errors
- Synchronization errors are communicated to the technical contact via email
- Administrators must address these errors through on-premises changes
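A preflight check that applies the preparation rules (unique UPN and proxy addresses, UPN character set, no dot before @) and the domain-validation rules (UPN fallback to mailNickName@tenant.onmicrosoft.com, SIP and licensed proxy addresses dropped on unverified domains) to a set of user records before they reach DirSync. This is an added example for this page, not DirSync's own validation code; the user records, the verified-domain list, the tenant name and the wording of the findings are constructed.

```python
"""Preflight check for the DirSync preparation and domain-validation rules.
Added example for this page, not DirSync's own code; user records are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Slide: the UPN may contain only letters, numbers and . - _ ! # ^ ~
UPN_LOCAL_RE = re.compile(r"^[A-Za-z0-9.\-_!#^~]+$")


@dataclass
class User:
    mail_nickname: str
    upn: str
    proxy_addresses: List[str]          # "SMTP:primary@...", "smtp:alias@..."
    sip_address: str = ""
    has_exchange_license: bool = False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def preflight(users: List[User], verified_domains: List[str],
              tenant: str) -> Dict[str, List[str]]:
    """Return findings per mailNickName. Users are modified in place the way
    domain validation would modify them (UPN fallback, dropped SIP/proxy)."""
    verified = {d.lower() for d in verified_domains}
    seen_upn, seen_proxy = set(), set()
    report: Dict[str, List[str]] = {}
    for u in users:
        findings: List[str] = []
        local, _, suffix = u.upn.partition("@")
        if not UPN_LOCAL_RE.match(local):
            findings.append("UPN local part empty or outside letters, numbers and .-_!#^~")
        if local.endswith("."):
            findings.append("UPN has a dot immediately before @")
        if suffix.lower() not in verified:
            # Domain validation: fall back to mailNickName@<tenant>.onmicrosoft.com
            u.upn = f"{u.mail_nickname}@{tenant}.onmicrosoft.com"
            findings.append(f"UPN suffix not verified; replaced with {u.upn}")
        if u.upn.lower() in seen_upn:
            findings.append("duplicate UPN; first-in wins, this object errors")
        seen_upn.add(u.upn.lower())
        kept = []
        for proxy in u.proxy_addresses:
            addr = proxy.split(":", 1)[-1]
            if u.has_exchange_license and domain_of(addr) not in verified:
                findings.append(f"proxy address {addr} removed: domain not verified")
                continue
            if addr.lower() in seen_proxy:
                findings.append(f"duplicate proxy address {addr}; first-in wins")
            seen_proxy.add(addr.lower())
            kept.append(proxy)
        u.proxy_addresses = kept
        if u.sip_address and domain_of(u.sip_address) not in verified:
            findings.append(f"SIP address {u.sip_address} removed: domain not verified")
            u.sip_address = ""
        report[u.mail_nickname] = findings
    return report


if __name__ == "__main__":
    # Constructed sample set: one clean user, one trailing-dot UPN, one user on an
    # unverified internal domain, and one duplicate of the first user.
    users = [
        User("alice", "alice@contoso.com", ["SMTP:alice@contoso.com"], "sip:alice@contoso.com", True),
        User("bob", "bob.@contoso.com", ["SMTP:bob@contoso.com"]),
        User("carol", "carol@lab.local", ["SMTP:carol@lab.local", "smtp:carol@contoso.com"],
             "sip:carol@lab.local", True),
        User("dave", "alice@contoso.com", ["SMTP:alice@contoso.com"]),
    ]
    for nick, findings in preflight(users, ["contoso.com"], "contoso").items():
        print(nick, findings)
```

Run it against an export of your users before the first sync: everything it reports is exactly what the slides say you will otherwise learn by email from the technical contact after the sync has already run, and every finding has to be fixed on-premises.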

Password Sync: what is it
- Feature of the Directory Sync tool
- Synchronizes the user password hash from your on-premises Active Directory to Azure Active Directory
- Doesn't require anything to be installed on all DCs

Why use it
- Users can use the same credentials to log in both on-premises and in the cloud
- No additional infrastructure required on-premises
- No dependency on on-premises infrastructure for authentication

How Password Sync works
[Diagram: Windows Server Active Directory -> Directory Sync Tool -> Azure Active Directory; the DC holds h(x), DirSync computes h'(x) = f(h(x)), and only f(h(x)) reaches the cloud]
- h(x): password hash stored in the DC
- DirSync polls one of your domain controllers to get the user password hash h(x)
- It then re-hashes the password hash with SHA-256: f(h(x))
- The re-hash of the password hash, f(h(x)), is sent to the cloud via SSL

Password Sync: how secure is it?
- We never see your plain text password. Ever.
- What we send: a hash of your password hash
- We re-hash the password hash using multiple iterations of SHA-256
- The synced value cannot be used as the password hash to access your resources
- All transport is done using SSL
- We only send passwords for synced users
- After the initial sync, we only push updates

Password Sync: managing password policies
- Password complexity policies configured in the on-premises AD apply in the cloud, i.e. you manage them on-premises
- Cloud password is set to Never Expire

Managing user password resets
- Users cannot change their password in the cloud
- Users can only change their passwords on-premises
- Admins can reset users' passwords in the cloud

Password Write-back: what is it
- Part of AAD Premium
- Only via self-service password reset (SSPR)

How do I enable it
- Admin needs to turn on the feature using the DirSync PowerShell cmdlet: Enable-OnlinePasswordWriteBack

When does it write back
- Cloud-authenticated (managed) user, with password sync enabled
- On-premises SSO-authenticated (federated) user

Security
- All communication takes place over SSL
- Registration of public/private key pairs for transport and encryption; you keep the private keys

Password Write-back (registration)
[Diagram: the Directory Sync Tool registers public keys with Windows Azure Active Directory; the private keys stay on-premises with Windows Server Active Directory]
- Admin turns on the feature using Enable-OnlinePasswordWriteBack
- Generates two sets of private/public key pairs: one for authentication, one for password encryption

Password Write-back (write-back flow)
[Diagram: Windows Azure Active Directory -> Directory Sync Tool -> Windows Server Active Directory]
- x: the password the user resets to
- x' = f(x): x encrypted with the tenant-specific key (cloud side)
- g(x') = x: decryption by DirSync on-premises
- User resets password using SSPR
- We encrypt the password using your tenant-specific key, which only you know how to decrypt
- DirSync is listening for password resets; it gets the user identity and the encrypted password
- It decrypts the password and sends it to your on-prem Active Directory; if the password meets the on-prem password requirements, the user's password is updated
- Only after receiving success for the on-prem write-back do we encrypt the password and store it in the cloud
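The password sync path (f(h(x)) pushed only when the DC hash changes, cloud sign-in verified against it) and the write-back flow (decrypt on-premises, enforce the on-prem policy, commit to the cloud only after on-prem success) as one added, runnable model for this page. It is example code written for this page, not Microsoft's implementation, and it stands in for things the slides do not specify: the DC hash h is modelled with SHA-1, f with PBKDF2-HMAC-SHA256 at 1000 iterations (the slide says only "multiple iterations of SHA-256"), the tenant key pair with a symmetric HMAC keystream because the standard library has no RSA, and the on-prem policy and sample passwords are constructed.

```python
"""Model of DirSync password sync and password write-back.
Added example for this page, not Microsoft's implementation; see the lead-in for the stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ITERATIONS = 1000   # assumption; the slide only says "multiple iterations of SHA-256"


def dc_hash(password: str) -> bytes:
    """h(x): the hash the domain controller already stores (stand-in: SHA-1 of UTF-16LE)."""
    return hashlib.sha1(password.encode("utf-16le")).digest()


def rehash(h: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """f(h(x)): iterated SHA-256 over the DC hash; the only value that leaves the premises."""
    return hashlib.pbkdf2_hmac("sha256", h, salt, iterations)


@dataclass
class CloudStore:
    """Azure AD side: holds salt, iteration count and f(h(x)); never x or raw h(x)."""
    records: Dict[str, Tuple[bytes, int, bytes]] = field(default_factory=dict)

    def store(self, upn: str, h: bytes) -> None:
        salt = os.urandom(16)
        self.records[upn] = (salt, ITERATIONS, rehash(h, salt))

    def verify(self, upn: str, password: str) -> bool:
        """Cloud sign-in: recompute f(h(password)) with the stored salt and compare."""
        if upn not in self.records:
            return False
        salt, iterations, digest = self.records[upn]
        return hmac.compare_digest(digest, rehash(dc_hash(password), salt, iterations))


def password_sync(on_prem: Dict[str, bytes], cloud: CloudStore,
                  last_sent: Dict[str, bytes]) -> List[str]:
    """One DirSync run: push f(h(x)) only for users whose DC hash changed since last run."""
    pushed = []
    for upn, h in on_prem.items():
        if last_sent.get(upn) != h:
            cloud.store(upn, h)
            last_sent[upn] = h
            pushed.append(upn)
    return pushed


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for the tenant key pair: XOR with an HMAC-SHA256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def on_prem_policy_ok(password: str) -> bool:
    """Constructed on-prem policy: at least 8 characters with upper, lower and digit."""
    return (len(password) >= 8 and any(c.isupper() for c in password)
            and any(c.islower() for c in password) and any(c.isdigit() for c in password))


class DirSyncAgent:
    """On-premises side of write-back: holds the private key and the AD password store."""
    def __init__(self, on_prem: Dict[str, bytes], private_key: bytes):
        self.on_prem, self.private_key = on_prem, private_key

    def write_back(self, upn: str, ciphertext: bytes) -> bool:
        x = keystream_xor(self.private_key, ciphertext).decode("utf-8")   # g(x') = x
        if upn not in self.on_prem or not on_prem_policy_ok(x):
            return False                       # AD rejects the reset; nothing changes
        self.on_prem[upn] = dc_hash(x)
        return True


def sspr_reset(cloud: CloudStore, agent: DirSyncAgent, tenant_key: bytes,
               upn: str, new_password: str) -> bool:
    """Cloud side of SSPR: encrypt x, wait for the on-prem result, commit only on success."""
    ciphertext = keystream_xor(tenant_key, new_password.encode("utf-8"))   # x' = f(x)
    if not agent.write_back(upn, ciphertext):
        return False                           # cloud record left untouched
    cloud.store(upn, dc_hash(new_password))
    return True


if __name__ == "__main__":
    on_prem = {"alice@contoso.com": dc_hash("Winter2014!")}   # constructed AD store
    cloud, last_sent, key = CloudStore(), {}, os.urandom(32)   # key: symmetric stand-in
    print(password_sync(on_prem, cloud, last_sent))   # ['alice@contoso.com']
    print(password_sync(on_prem, cloud, last_sent))   # [] (only updates are pushed)
    agent = DirSyncAgent(on_prem, key)
    print(sspr_reset(cloud, agent, key, "alice@contoso.com", "short"))        # False
    print(sspr_reset(cloud, agent, key, "alice@contoso.com", "Spring2014!"))  # True
    print(cloud.verify("alice@contoso.com", "Spring2014!"))                   # True
```

Two properties of the slides are visible in the model: the cloud store only ever holds f(h(x)), so a leaked record gives neither the password nor the DC hash that Windows authentication would accept; and a rejected write-back leaves the old cloud credential in place, so on-prem policy is the single point of enforcement for both sides.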

Azure AD Sync: what's included
- Possible to reduce the set of attributes synced based on the services used
- Support for a number of multi-forest scenarios
- Easier management for filtering objects via a simple UX
- Support for attribute mapping rules via a simple UX

What's missing
- Password sync
- Password write-back
- Hybrid configuration, i.e. no write-back today

What's coming
- Production support, i.e. not for production today
- Support for other directories, such as LDAP, SQL or CSV

http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overview.aspx

Multi-forest sync with AAD Sync
- Multi-forest scenarios: disparate forests; full mesh forests, i.e. GAL sync; account and resource forest models
- Complex multi-forest: the Azure Active Directory Connector is still the tool of choice

Demo: Azure AD Sync

Federating yo