Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities

DCIM-B301, TechEd 2014 session deck
Speakers: Aanchal Saxena, Ross Adams

Page 3: Azure Active Directory (section)

Page 4: Active Directory

An identity management system spanning cloud and on-premises, providing authentication, federation, user provisioning, application access control and data protection. Windows Server AD and Azure AD combined secure the hybrid enterprise.

[Diagram: Azure Active Directory in Microsoft's cloud alongside Windows Server Active Directory on-premises; together they serve Microsoft apps, third-party apps, on-premises apps (Microsoft Dynamics CRM) and your own apps.]

Page 5: Relationship to Windows Server AD

- On-premises and cloud Active Directory managed as one
- Directory information is synchronized to the cloud and made available to cloud apps via role-based access control
- Federated authentication enables single sign-on to cloud applications

[Diagram: Windows Server Active Directory on-premises connected to Windows Azure Active Directory in Microsoft's cloud through sync and federation; Azure AD fronts Microsoft apps, third-party apps and your apps.]

Page 6: Directory integration options

- No directory integration
- Profile data only
- Profile and identity data
- Profile data and integrated authentication (SSO)
- Profile and identity data with integrated authentication (SSO and password sync)

[Diagram: Windows Server Active Directory (with on-premises apps and Microsoft Dynamics CRM) connected to Windows Azure Active Directory in Microsoft's cloud by three flows: profile, passwords and federation.]

Page 7: Which sync option is right for you?

- Cloud only: no on-premises infrastructure
- Profile data (groups, users and contacts): Active Directory on-premises; LDAP-compliant directory, CSV or SQL (support coming, see Page 8); cloud passwords are good enough
- Identity data, aka password sync: single AD forest on-premises; same sign-on is good enough; no room for additional infrastructure
- Integrated authentication, aka SSO: STS infrastructure already exists; can't sync passwords (multi-forest, smart cards); SSO required, or audit / network-isolation requirements

Page 8: What to do when you can't sync

- Support is coming for syncing LDAP, CSV and SQL sources
- Still can't sync? Scriptable options: the Azure AD PowerShell module and the Directory Graph API
- Some limitations here, such as setting certain properties (e.g. email addresses)
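An added example for the scriptable path (this is not code from the deck): provisioning users from a CSV export of a source DirSync cannot read, using the Azure AD PowerShell (MSOnline) module and stamping ImmutableId at creation, since Page 28 requires it to exist before a federated login and it is what a later move to sync or federation matches on. The CSV rows and columns, the verified-domain list and the usage location are constructed assumptions.

```powershell
# Added example, not from the deck. Assumes the MSOnline module (Connect-MsolService,
# New-MsolUser, Set-MsolUser, Get-MsolUser) and a domain already verified in the tenant.
# The CSV content, column names and usage location are constructed for illustration.

$csv = @'
SamAccountName,DisplayName,FirstName,LastName,ObjectGuid,Upn
alice,Alice Adams,Alice,Adams,2f1c6a1e-7b9d-4f0a-9c6e-1a2b3c4d5e6f,alice@contoso.com
bob,Bob Brown,Bob,Brown,8a7b6c5d-4e3f-4a1b-9c8d-7e6f5a4b3c2d,bob@contoso.com
'@
$verifiedDomains = @('contoso.com')   # assumption: already verified in the tenant

# objectGUID -> ImmutableId: the 16 GUID bytes, base64-encoded. DirSync uses the same value
# as sourceAnchor and AD FS issues it as the ImmutableID claim, so a later move to sync or
# federation lands on this cloud object instead of creating a duplicate.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][string] $ObjectGuid)
    [Convert]::ToBase64String(([guid] $ObjectGuid).ToByteArray())
}

# Build the New-MsolUser parameter set for one row. Pure function, no service calls,
# so the whole file is validated before anything touches the tenant.
function New-CloudUserSpec {
    param([Parameter(Mandatory)] $Row, [Parameter(Mandatory)][string[]] $VerifiedDomains)
    $suffix = ($Row.Upn -split '@', 2)[1]
    if ($VerifiedDomains -notcontains $suffix) {
        throw "UPN suffix '$suffix' for $($Row.SamAccountName) is not a verified domain; the service would rewrite it"
    }
    @{
        UserPrincipalName   = $Row.Upn
        DisplayName         = $Row.DisplayName
        FirstName           = $Row.FirstName
        LastName            = $Row.LastName
        ImmutableId         = ConvertTo-ImmutableId $Row.ObjectGuid
        UsageLocation       = 'US'     # assumption; needed before a license can be assigned
        ForceChangePassword = $true    # the generated initial password is rotated at first sign-in
    }
}

$specs = $csv | ConvertFrom-Csv | ForEach-Object { New-CloudUserSpec -Row $_ -VerifiedDomains $verifiedDomains }

Connect-MsolService    # interactive tenant admin sign-in
foreach ($spec in $specs) {
    $existing = Get-MsolUser -UserPrincipalName $spec.UserPrincipalName -ErrorAction SilentlyContinue
    if ($existing) {
        # Re-runs are idempotent: stamp a missing anchor, never silently overwrite a different one
        if (-not $existing.ImmutableId) {
            Set-MsolUser -UserPrincipalName $spec.UserPrincipalName -ImmutableId $spec.ImmutableId
        } elseif ($existing.ImmutableId -ne $spec.ImmutableId) {
            Write-Warning "$($spec.UserPrincipalName) is anchored to a different ImmutableId; skipping"
        }
        continue
    }
    # New-MsolUser returns the object including the generated password: keep it out of logs.
    # proxyAddresses cannot be set through this module (the slide's 'email addresses' limitation).
    $null = New-MsolUser @spec
}
```

The split between a pure spec builder and the service loop is deliberate: the suffix check fails fast on the whole file before the first New-MsolUser call, and the anchor comparison on re-run is what stops a second import from stealing an existing user's ImmutableId.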

Page 9: Synchronizing your data (section)

Page 10: Directory Sync

- Enables on-premises directory data to be projected into the cloud
- Only synchronizes from a single AD forest
- Groups, contacts and users, about 150 properties
- Delta sync of changes; the sync cycle runs every 3 hours
- Links each on-premises object to its cloud object using the 'sourceAnchor', a unique on-premises ID (by default objectGUID)
- On-premises is the master for all objects and properties
- Proactively reports errors via email: "no news is good news"
- Provides for rich integration experiences: Office hybrid scenarios, which require two-way sync for some properties

Page 11: Directory Sync - what gets written back

Attributes are only written back if Hybrid Deployment is enabled. The Exchange hybrid scenario writes back 7 attributes on users and contacts (safe senders, mail coexistence, UM). In future: users, groups and devices.

Attribute | Feature | What it enables
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering coexistence | on-premises filtering using cloud safe/blocked sender info
msExchArchiveStatus | Cloud archive | users can archive mail to the Office 365 service
ProxyAddresses (cloud LegacyExchangeDN) | Mailbox off-boarding | off-boarding mailboxes back to on-premises
cloudmsExchUCVoiceMailSettings | Voicemail coexistence | on-premises mailbox users can have Lync in the cloud
msExchUserHoldPolicies | Litigation hold | cloud services can determine which users are under litigation hold

Page 12: Directory Sync - matching on-premises and cloud users

- If a user object in the cloud has the sourceAnchor value, match on the sourceAnchor value
- If no user object in the cloud has that sourceAnchor value, try to match on SMTP addresses
- If the SMTP match succeeds, the sourceAnchor value is stamped on the object already in the cloud and the objects are "matched"
- Subsequent sync runs use the sourceAnchor values

Page 13: Directory Sync - preparing for directory sync

- Every user must have a unique UPN and unique proxy addresses
- The SIP address must be on a verified domain
- The UPN suffix must match a verified domain
- UPN character restrictions: only letters, numbers and . - _ ! # ^ ~ are allowed; no dot immediately before the @ symbol

Page 14: Directory Sync - handling duplicates and domain validation

- Handling duplicates: first-in wins, i.e. the duplicated object receives errors
- Domain validation: if the UPN uses a non-registered domain it is replaced with mailNickname@[tenant].onmicrosoft.com; a SIP address is removed if it is not on a verified domain; a proxy address is removed if it is not on a verified domain and the user has an Exchange license
- Synchronization errors are communicated to the technical contact via email; administrators must address them through on-premises changes
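An added pre-flight check for the rules on Pages 13 and 14 (not code from the deck): it flags invalid or unverified UPNs, duplicate UPNs and proxy addresses, unverified SMTP proxy addresses and unverified SIP addresses before the first sync, so they are fixed on-premises rather than reported back by email. The user objects below are constructed, and the verified-domain list is an assumption; against a real forest feed it Get-ADUser output instead.

```powershell
# Added example, not from the deck. Runs offline against the constructed objects below.
# Against a real forest use:
#   Get-ADUser -Filter * -Properties userPrincipalName,proxyAddresses,'msRTCSIP-PrimaryUserAddress'
# and map those properties onto Sam/UPN/proxyAddresses/SIP. Verified domains are an assumption.

$verifiedDomains = @('contoso.com', 'fabrikam.com')

# Constructed sample: alice is clean; bob has a dot before @; carol has an unverified UPN suffix,
# a proxy address duplicating alice's and an unverified SIP address; dave exercises allowed symbols.
$users = @(
    [pscustomobject]@{ Sam='alice'; UPN='alice@contoso.com';   proxyAddresses=@('SMTP:alice@contoso.com','X500:/o=Contoso/ou=Users/cn=alice'); SIP='sip:alice@contoso.com' }
    [pscustomobject]@{ Sam='bob';   UPN='bob.@contoso.com';    proxyAddresses=@('SMTP:bob@contoso.com');   SIP=$null }
    [pscustomobject]@{ Sam='carol'; UPN='carol@corp.local';    proxyAddresses=@('smtp:alice@contoso.com'); SIP='sip:carol@corp.local' }
    [pscustomobject]@{ Sam='dave';  UPN='dave#1@fabrikam.com'; proxyAddresses=@('SMTP:dave@fabrikam.com'); SIP=$null }
)

function Test-DirSyncReadiness {
    param([Parameter(Mandatory)][object[]] $Users, [Parameter(Mandatory)][string[]] $VerifiedDomains)

    # Page 13: letters, digits and . - _ ! # ^ ~ only; no dot directly before @; suffix must be verified.
    $domainAlt  = ($VerifiedDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $upnPattern = '^[A-Za-z0-9.\-_!#^~]*[A-Za-z0-9\-_!#^~]@(' + $domainAlt + ')$'

    $findings  = New-Object System.Collections.Generic.List[object]
    $seenUpn   = @{}
    $seenProxy = @{}
    function Add-Finding($Sam, $Check, $Value, $Problem) {
        $findings.Add([pscustomobject]@{ Sam=$Sam; Check=$Check; Value=$Value; Problem=$Problem })
    }

    foreach ($u in $Users) {
        if ($u.UPN -notmatch $upnPattern) {
            # Page 14: the service would silently rewrite this to <mailNickname>@<tenant>.onmicrosoft.com
            Add-Finding $u.Sam 'UPN' $u.UPN 'invalid characters, dot before @, or unverified suffix'
        }
        $key = $u.UPN.ToLowerInvariant()
        if ($seenUpn.ContainsKey($key)) { Add-Finding $u.Sam 'UPN' $u.UPN "duplicate of $($seenUpn[$key]); first-in wins, this object errors" }
        else { $seenUpn[$key] = $u.Sam }

        foreach ($addr in @($u.proxyAddresses)) {
            $key = $addr.ToLowerInvariant()
            if ($seenProxy.ContainsKey($key)) { Add-Finding $u.Sam 'proxyAddresses' $addr "duplicate of $($seenProxy[$key])" }
            else { $seenProxy[$key] = $u.Sam }
            # Only SMTP addresses carry a domain; X500 and other prefixes are left alone
            if ($addr -match '^smtp:[^@]+@(.+)$' -and $VerifiedDomains -notcontains $Matches[1]) {
                Add-Finding $u.Sam 'proxyAddresses' $addr 'unverified domain; dropped for Exchange-licensed users'
            }
        }
        if ($u.SIP -and ($u.SIP -split '@', 2)[1] -notin $VerifiedDomains) {
            Add-Finding $u.Sam 'SIP' $u.SIP 'unverified domain; address would be removed'
        }
    }
    return $findings
}

$report = Test-DirSyncReadiness -Users $users -VerifiedDomains $verifiedDomains
$report | Format-Table -AutoSize
# Gate the first sync on a clean report
if ($report.Count -gt 0) { Write-Warning "$($report.Count) issue(s) to fix on-premises before enabling sync" }
```

On the constructed set the report lists bob's UPN (dot before @), carol's UPN suffix, carol's duplicate SMTP address and carol's SIP address; alice and dave pass. Comparisons are lower-cased because the service treats UPNs and proxy addresses case-insensitively, so two objects differing only in case are still a first-in-wins collision.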

Page 15: Password Sync

What is it
- A feature of the Directory Sync tool
- Synchronizes the user's password hash from your on-premises Active Directory to Azure Active Directory
- Doesn't require anything to be installed on all DCs

Why use it
- Users can use the same credentials to log in both on-premises and in the cloud
- No additional infrastructure required on-premises
- No dependency on on-premises infrastructure for authentication

Page 16: How Password Sync works

[Diagram: the password hash h(x) is stored in the domain controller; the Directory Sync tool reads h(x) from a DC and computes f(h(x)); only f(h(x)) is sent to Azure Active Directory.]

- DirSync polls one of your domain controllers to get the user's password hash
- It then re-hashes the password hash with SHA-256; the re-hash of the password hash is sent to the cloud via SSL
- The original password hash stays in the DC

Page 17: Password Sync - how secure is it?

- We never see your plain-text password. Ever.
- What we send: a hash of your password hash; we re-hash the password hash using multiple iterations of SHA-256
- The value sent cannot be used as the password hash to access your on-premises resources
- All transport is done using SSL
- We only send passwords for synced users
- After the initial sync, we only push updates
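An added example of the f(h(x)) step on Pages 16 and 17 (not code from the deck): what leaves the sync server in place of the NT hash. The slide only says "multiple iterations of SHA256"; the concrete construction used here, expanding the 16-byte MD4 hash to its hex string, UTF-16LE-encoding it, adding a per-user salt and running PBKDF2-HMAC-SHA256 for 1000 iterations, follows Microsoft's later public description of password hash sync and is an assumption for this illustration. The NT hash value is the widely published test vector for the string "password", not a real credential.

```powershell
# Added example, not from the deck. The construction (hex-expand MD4 hash, UTF-16LE, per-user
# salt, PBKDF2-HMAC-SHA256 x1000) is taken from Microsoft's later documentation of password
# hash sync and is an assumption here; the deck itself only states "multiple iterations of SHA256".
# Requires .NET Framework 4.7.2+ or PowerShell 7 for the SHA256 Rfc2898DeriveBytes overload.

function Get-CloudPasswordBlob {
    param(
        [Parameter(Mandatory)][byte[]] $NtHash,      # 16-byte MD4 hash exactly as stored on the DC
        [Parameter(Mandatory)][byte[]] $Salt,        # per-user random salt (10 bytes in the documented scheme)
        [int] $Iterations = 1000
    )
    if ($NtHash.Length -ne 16) { throw 'NT hash must be 16 bytes' }
    # Expansion: hex string of the hash, then the UTF-16LE bytes of that string (64 bytes)
    $hex      = ($NtHash | ForEach-Object { $_.ToString('x2') }) -join ''
    $kdfInput = [System.Text.Encoding]::Unicode.GetBytes($hex)
    # One-way: the DC hash cannot be recovered from the output, and the output is not accepted
    # by any on-premises authentication protocol, so it is useless for pass-the-hash against AD.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $kdfInput, $Salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function New-Salt([int] $Length = 10) {
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes
}

# Published test vector: NT hash of the string "password". Stands in for h(x) read from the DC.
$hexStr = '8846f7eaee8fb117ad06bdd830b7586c'
$ntHash = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($hexStr.Substring(2 * $_, 2), 16) })

# Two users with the same password get different stored values because the salt differs
$saltA = New-Salt; $saltB = New-Salt
$blobA = Get-CloudPasswordBlob -NtHash $ntHash -Salt $saltA
$blobB = Get-CloudPasswordBlob -NtHash $ntHash -Salt $saltB
'User A: ' + [BitConverter]::ToString($blobA)
'User B: ' + [BitConverter]::ToString($blobB)

# Cloud-side verification at sign-in is a recomputation with the stored salt, never a decryption.
# (A real verifier compares in constant time; -eq is fine for a demonstration.)
$recomputed = Get-CloudPasswordBlob -NtHash $ntHash -Salt $saltA
'Verify A: ' + ([BitConverter]::ToString($recomputed) -eq [BitConverter]::ToString($blobA))
```

The caveat a practitioner should keep in mind: the transform protects the on-premises hash, not a weak password. A leaked cloud-side blob cannot be replayed against AD, but it can still be attacked offline by guessing passwords and running MD4 plus the same PBKDF2 chain, so on-premises password policy (Page 18) is what bounds that risk.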

Page 18: Password Sync - managing password policies

- Password complexity policies configured in the on-premises AD apply in the cloud, i.e. you manage them on-premises
- The cloud password is set to 'Never Expire'

Managing user password resets
- Users cannot change their password in the cloud; they can only change it on-premises
- Admins can reset a user's password in the cloud

Page 19: Password Write-back

What is it
- Part of Azure AD Premium
- Only via self-service password reset (SSPR)

How do I enable it
- An admin turns on the feature using the DirSync PowerShell cmdlet Enable-OnlinePasswordWriteBack

When does it write back
- Cloud-authenticated (managed) user, when password sync is enabled
- On-premises SSO-authenticated (federated) user

Security
- All communication takes place over SSL
- Registration of public/private key pairs for transport and encryption; you keep the private keys

Page 20: Password Write-back (registration)

[Diagram: the Directory Sync tool on-premises holds the private keys; the matching public keys are registered with Windows Azure Active Directory.]

- The admin turns on the feature using Enable-OnlinePasswordWriteBack
- Two private/public key pairs are generated: one for authentication, one for password encryption

Page 21: Password Write-back (write-back flow)

[Diagram: the user resets password x via SSPR; Azure AD sends the tenant-key-encrypted value f(x) to the Directory Sync tool, which decrypts f(x) back to x and writes it to Windows Server Active Directory; on success Azure AD stores its own encrypted form g(x).]

- The user resets the password using SSPR
- We encrypt the password using your tenant-specific key that only you can decrypt
- DirSync is listening for password resets; it gets the user identity and the encrypted password
- It decrypts the password and sends it to your on-premises Active Directory; if the password meets the on-premises password requirements, the user's password is updated
- Only after receiving success for the on-premises write-back do we encrypt the password and store it in the cloud

Page 22: Azure AD Sync

What's included
- Possible to reduce the set of attributes synced based on the services used
- Support for a number of multi-forest scenarios
- Easier management of object filtering via a simple UX
- Support for attribute mapping rules via a simple UX

What's missing
- Password sync
- Password write-back
- Hybrid configuration, i.e. no write-back today

What's coming
- Production support, i.e. not for production today
- Support for other directories, such as LDAP, SQL or CSV

http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overview.aspx

Page 23: Multi-forest sync with AAD Sync

Multi-forest scenarios
- Disparate forests
- Full-mesh forests, i.e. GAL sync
- Account and resource forest models

Complex multi-forest: the Azure Active Directory Connector is still the tool of choice

Page 24: Demo - Azure AD Sync

Page 25: Federating your identities (section)

Page 26: What does SSO mean

Admin view
- A single credential to manage on-premises
- A single place to manage policies
- The IdP is you

User view
- I have a single credential to log into my PC and my cloud services
- I may be prompted to enter it more than once, but it is always the same credential

Some differences
- The username must be in "email" notation, user@domain

Page 27: Azure Active Directory and federation

- Support for a variety of protocols and STSs: WS-Federation, WS-Trust, WS-MetadataExchange, SAML-P, OpenID Connect, OAuth 2.0
- Support for third-party STSs is the same as in the "Works with Office 365" program

Office support
- Primarily WS-* for rich clients
- Limited SAML support for passive (web) usage
- Support coming for OAuth

Page 28: Core integration details - three things to remember

IssuerID
- Must be unique per top-level domain
- Used to locate the domain to validate the token

ImmutableID
- Used to locate the user; must be provisioned before login
- The Source Anchor attribute in Directory Sync and AAD Sync
- Case sensitive
- SAML-P uses the NameID claim

UPN
- User principal name, the common name of the user; should match what is in Azure AD
- SAML-P uses the IDPEmail claim

Page 29: Setting up federation

- You need to prove you own the UPN domain of your users; verified by DNS TXT/MX records
- Can't prove you own the domain, e.g. company.local? Don't panic, there is an answer (see Page 31)

Configuring the trust
- AD FS: New-MsolFederatedDomain configures the cloud and AD FS for you
- Not using AD FS: New-MsolDomain, Confirm-MsolDomain

Converting a domain to federation
- AD FS: Convert-MsolDomainToFederated configures the cloud and AD FS for you
- Not using AD FS: Set-MsolDomainAuthentication

Page 30: Federation - need to know

- Conversion is a big switch: all users must use federated credentials to log on
- Ensure you have a cloud-based admin to revert in the event of a problem
- All authentication is dependent on your infrastructure: ensure you have the right redundancy, network and servers; Azure may be an option, but requires a DC too
- Consider password sync as a backup plan: it enables users to use cloud-based accounts with the same password if your STS is unavailable
- NOTE: it can take up to 2 hours for the change from federated to managed to take effect
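An added example for the non-AD FS path on Pages 29 and 30 (not code from the deck): converting a verified domain to federation with a third-party STS using the cmdlets the slides name, with the two checks Page 30 asks for (the domain is verified, and a cloud-only admin exists to revert with) and the rollback command kept next to the conversion. The domain, STS host, endpoint URIs, certificate path and brand name are assumptions.

```powershell
# Added example, not from the deck. Assumes the MSOnline module. Domain, STS host, endpoint
# URIs, certificate path and brand name are placeholders for illustration.

Connect-MsolService    # interactive sign-in as a tenant admin

$domain   = 'contoso.com'
$stsHost  = 'sts.contoso.com'
$certPath = 'C:\certs\sts-token-signing.cer'   # DER export of the STS token-signing certificate (public part only)

# 1. Page 29: the domain must already be verified (DNS TXT/MX) or the conversion is refused.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') { throw "$domain is not verified; add the DNS record and run Confirm-MsolDomain first" }

# 2. Page 30: keep a cloud-only global admin outside the domain being federated. If the STS
#    breaks, that account is the only way back in to run the rollback at the bottom.
$adminRole      = Get-MsolRole -RoleName 'Company Administrator'
$cloudOnlyAdmin = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
                  Where-Object { $_.EmailAddress -like '*.onmicrosoft.com' }
if (-not $cloudOnlyAdmin) { throw 'No cloud-only Company Administrator exists; create one before converting' }

# 3. Token-signing certificate as base64 DER: this is what Azure AD validates token signatures
#    against. Stage the successor with -NextSigningCertificate before the STS rolls its key.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$signingCert = [Convert]::ToBase64String($cert.RawData)

# 4. Convert the domain. IssuerUri must be unique (Page 28) and is how the service finds the
#    domain for an incoming token; WS-Trust endpoints serve Office rich clients, SAML-P the browser flow (Page 27).
Set-MsolDomainAuthentication -DomainName $domain -Authentication Federated `
    -IssuerUri "http://$stsHost/trust" `
    -FederationBrandName 'Contoso STS' `
    -PassiveLogOnUri "https://$stsHost/saml2/sso" `
    -LogOffUri "https://$stsHost/saml2/logout" `
    -ActiveLogOnUri "https://$stsHost/trust/2005/usernamemixed" `
    -MetadataExchangeUri "https://$stsHost/trust/mex" `
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol Samlp

# 5. Read back what the service stored before telling users to sign in.
Get-MsolDomainFederationSettings -DomainName $domain | Format-List

# Rollback (run as the cloud-only admin): returns the domain to managed authentication.
# With password sync in place users keep their on-premises password; allow up to 2 hours.
# Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
```

Test the federated sign-in with one pilot user from the cloud-only admin's session before announcing the switch: once the domain is federated every user of that domain, admins included, is routed to the STS, which is why the break-glass check runs before Set-MsolDomainAuthentication rather than after.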

Page 31: What if I use a .local UPN

Can you change it?
- Often the easiest answer, but it can be difficult: smart cards, legacy applications etc.

I can't change it, now what?
- Get Windows Server 2012 R2 with the latest update
- New support for Alternate Login ID: allows you to specify an alternate single-valued UPN-like attribute as the login identifier, e.g. mail
- Does mean additional lookups for authentication
- Support for cross-forest lookup

http://technet.microsoft.com/en-us/library/dn659436.aspx for more information

Page 32: Using Alternate Login ID

- Make sure you have an admin outside the domain to be updated
- Set up a standard trust via Azure AD PowerShell
- Modify the claim rule as highlighted: in the default Office 365 issuance rule the attribute queried for the UPN claim changes from userPrincipalName to mail (the Alternate Login ID attribute), while objectGUID still feeds the ImmutableID claim

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN",
                   "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};mail,objectGUID;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
          param = c.Value);
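An added example for Pages 31 and 32 (not code from the deck): enabling Alternate Login ID on AD FS in Windows Server 2012 R2 and making the highlighted edit to the Office 365 issuance rule in place, with a uniqueness check on the attribute first. The forest name and relying-party display name are assumptions, and the uniqueness check assumes the ActiveDirectory RSAT module is installed on the AD FS server.

```powershell
# Added example, not from the deck. Run on the primary AD FS server (Windows Server 2012 R2 with
# the update that adds Alternate Login ID). Forest name and relying-party name are assumptions.

Import-Module ADFS

$forest = 'corp.local'                                  # assumption: the forest whose UPNs end in .local
$rpName = 'Microsoft Office 365 Identity Platform'      # default trust name created by the Msol cmdlets

# 1. The attribute must be single-valued and unique in every forest AD FS will search, otherwise
#    the extra lookup the slide warns about resolves to more than one account.
$dups = Get-ADUser -Server $forest -Filter 'mail -like "*"' -Properties mail |
        Group-Object -Property mail | Where-Object Count -gt 1
if ($dups) { throw "mail is not unique in $forest for: $($dups.Name -join ', ')" }

# 2. Resolve the typed-in login (user@contoso.com) against mail in the listed forests.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $forest

# 3. Page 32's highlighted change: the UPN claim now comes from mail instead of userPrincipalName,
#    ImmutableID still from objectGUID. Patch the stored rule text rather than replacing the whole
#    rule set, so any extra rules already on the trust survive.
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$oldQuery = 'samAccountName={0};userPrincipalName,objectGUID;{1}'
$newQuery = 'samAccountName={0};mail,objectGUID;{1}'
if ($rp.IssuanceTransformRules -notlike "*$oldQuery*") {
    throw "Default UPN/ImmutableID rule not found on '$rpName'; inspect the rules before changing them"
}
$newRules = $rp.IssuanceTransformRules.Replace($oldQuery, $newQuery)
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules

# 4. Confirm the change took: the stored rules now query mail for the UPN claim.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -match 'mail,objectGUID'
```

The mail values must also sit on a domain verified in the tenant (Page 29), since the issued UPN claim is what Azure AD matches against the cloud user's UPN; the ImmutableID claim keeps using objectGUID, so the cloud objects' sourceAnchor does not change and no re-matching is needed.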

Page 33: Demo - Alternate Login ID

Page 34: I have Azure AD, now what?

- Azure Active Authentication: cloud-based 2FA, powered by the PhoneFactor platform, authenticating millions of logins and transactions each month; support for location-based controls, i.e. IP whitelists
- Integrated control of access to SaaS applications: use your directory data to control access by group or user
- Build cloud-based applications while maintaining control of authentication: use the data in the cloud for your apps, for example group memberships, custom attributes etc.
- Other services coming; keep an eye on the Azure AD blog

Page 35: External accounts

- Accounts from outside your organization: other Azure AD accounts, Microsoft accounts
- Used today in SharePoint and Azure management
- Can be used in your LOB apps
- Managed as you would any user in your tenant

Page 36: Many applications, one identity repository

[Diagram: Windows Server Active Directory connected and synced with Windows Azure; Azure AD holds identities and applications in one place, pre-integrated with hundreds of popular SaaS apps, custom cloud-based apps (with identity management for developers), LOB and custom apps, and consumer identity providers.]

Page 37: For more information

Come visit us in the Microsoft Solutions Experience: look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD.

- Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
- Microsoft Azure: http://azure.microsoft.com/en-us/
- System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
- Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Page 38: Related content

- DEV-B344 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
- DCIM-B382 Cloud Identity and Access Management: Microsoft Azure Active Directory Premium
- OFC-B317 Microsoft Office 365 Directory Synchronization and Federation Options
- PCIT-B326 Providing SaaS Single Sign-on with Microsoft Azure Active Directory
- Azure Identity and Access Management or Office 365

Page 39: Resources

- Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
- msdn: Resources for Developers, http://microsoft.com/msdn
- TechNet: Resources for IT Professionals, http://microsoft.com/technet
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd


Page 42: Copyright notice

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.