Microsoft O365 identity and authentication
Peter Ginnegar, Technical Solution Professional, Microsoft Corporation
Topics
• Office 365 identity models
• Identity overview
• IdFix Tool (demo)
• O365 Directory Synchronization (demo)
• Active Directory Federation Services
• O365 Multifactor Authentication (demo)
O365 Active Directory
• What is O365 Active Directory?
- O365 uses Windows Azure Active Directory.
• What services are provided by Windows Azure Active Directory?
- Provides authentication, synchronization and federation services.
- An identity management system spanning cloud and on-premises.
• What systems make up a typical O365 Active Directory?
- On-premises Active Directory servers and Windows Azure Active Directory.
What is identity management?
“Identity management deals with identifying individuals in a system and controlling access to the resources in that system.”
What are the major components of identity management?
Authentication – Verifying that a user, device, or application is the entity that it claims to be.
Authorization – Determining which actions an authenticated entity is authorized to perform on the network.
Third party partners for federated identity
TechNet http://technet.microsoft.com/en-us/library/jj679342.aspx
Federation Terms - SSO
What is SSO?
Single Sign-On (SSO) is the ability for two separate providers to trust each other such that a user logged on to one does not need to log in again to the second.
Authentication types
Passive authentication – Web based
- SharePoint Online, Outlook Web Access
Active authentication – Office 365 client services that use the Sign-In Assistant, including Lync, Office 365 ProPlus, Word, Excel, Visio, PowerPoint, and PowerShell access to O365.
Proxy authentication – Required for Outlook and ActiveSync clients.
- Username and password are proxied through Exchange Online. Uses WS-Trust or SAML ECP to authenticate.
Federation protocols
WS-* – Supported by AD FS and works with Office 365
- Passive authentication – WS-Federation
- Active authentication – WS-Trust
- Exchange Online uses WS-Trust
Shibboleth – An open source federated provider based on SAML
- Passive authentication only (web forms)
- Exchange Online supports SAML 2.0 and ECP.
Federation Terms - WS*
What is WS-Federation? WS-Federation is a protocol used for web browser based authentication.
What is WS-Trust? WS-Trust is a protocol used by Office rich client applications to authenticate (Sign-In Assistant).
Federation Terms - SAML
What is SAML? (Security Assertion Markup Language)
SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information.
Developed by the Security Services Technical Committee of OASIS
Directory Sync Tool or Active Directory Federation Services
Password Sync vs. SSO with AD FS – points of comparison:
• Same password to access resources
• Can control password policies on-premises
• Support for two-factor authentication
• No password re-entry if on-premises
• Client access filtering by IP or by time schedule
• Authentication occurs on-premises; disabled accounts can be blocked immediately
• Change password available from the web
• Works with Forefront Identity Manager
Office 365 IdFix Tool
Provides the ability to identify and remediate object synchronization issues in preparation for O365.
Object types: Users, Groups, Contacts
Important attributes that are updated by the IdFix Tool for O365 identity synchronization:
- displayName
- givenName
- mail
- mailNickname
- proxyAddresses
- targetAddress
- sn
- sAMAccountName
- userPrincipalName
Office 365 IdFix Tool
• Query user identities
• Identify attribute and issue
• Take action to correct
• Apply changes
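As an added illustration of the IdFix workflow above (query identities, identify the attribute and issue, take action), and not code from the slide deck or from the IdFix tool itself: a simplified PowerShell check of the listed attributes. The verified-domain list, the sample users and the rule set are constructed assumptions for the example; IdFix's own rule set is broader.

```powershell
# Added example: IdFix-style attribute checks over constructed sample users (runs offline).
# The rules below are a simplified, assumed subset of what IdFix reports; they are not its code.
function Test-O365SyncAttributes {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [string[]] $VerifiedDomains = @('contoso.com')   # assumed: domains verified in the O365 tenant
    )
    $emailRx   = '^[^@\s]+@[^@\s]+\.[^@\s]+$'             # simplified SMTP address shape
    $badNickRx = '[\s@()\\\[\]:;,<>"]'                    # characters rejected in mailNickname
    $seen = @{}                                           # lower-cased address -> owning UPN, for duplicate detection
    foreach ($u in $Users) {
        $upn = $u.userPrincipalName
        $f = { param($attr, $value, $issue)               # emits one finding row
              [pscustomobject]@{ UPN = $upn; Attribute = $attr; Value = $value; Issue = $issue } }
        if (-not $upn -or $upn -notmatch $emailRx)                { & $f 'userPrincipalName' $upn 'not a valid SMTP-style UPN' }
        elseif ($VerifiedDomains -notcontains $upn.Split('@')[1]) { & $f 'userPrincipalName' $upn 'UPN suffix is not a verified domain' }
        if ($u.mail -and $u.mail -notmatch $emailRx)              { & $f 'mail' $u.mail 'invalid address format' }
        if (-not $u.mailNickname)                                 { & $f 'mailNickname' '' 'blank' }
        elseif ($u.mailNickname -match $badNickRx)                { & $f 'mailNickname' $u.mailNickname 'contains invalid characters' }
        if ("$($u.sAMAccountName)".Length -gt 20)                 { & $f 'sAMAccountName' $u.sAMAccountName 'longer than 20 characters' }
        if ("$($u.displayName)".Length -gt 256)                   { & $f 'displayName' $u.displayName 'longer than 256 characters' }
        $primary = 0
        foreach ($pa in @($u.proxyAddresses | Where-Object { $_ })) {
            if ($pa -notmatch '^(?<type>[A-Za-z0-9]+):(?<addr>\S+)$') { & $f 'proxyAddresses' $pa 'not in type:address form'; continue }
            if ($Matches.type -ceq 'SMTP') { $primary++ }         # upper-case SMTP: marks the primary address
            if ($Matches.type -ieq 'smtp' -and $Matches.addr -notmatch $emailRx) { & $f 'proxyAddresses' $pa 'invalid SMTP address' }
        }
        if ($primary -ne 1) { & $f 'proxyAddresses' (@($u.proxyAddresses) -join ';') "expected exactly one primary SMTP: entry, found $primary" }
        # Addresses must be unique across the whole set: UPN, mail and every smtp proxy address.
        $addrs = @($upn, $u.mail) + @(@($u.proxyAddresses) | Where-Object { $_ -imatch '^smtp:' } | ForEach-Object { $_.Substring(5) })
        foreach ($a in ($addrs | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)) {
            if ($seen.ContainsKey($a) -and $seen[$a] -ne $upn) { & $f 'duplicate' $a "also used by $($seen[$a])" } else { $seen[$a] = $upn }
        }
    }
}

# Constructed sample records in the shape Get-ADUser returns. Against a real domain you would pass:
#   Get-ADUser -Filter * -Properties displayName,givenName,mail,mailNickname,proxyAddresses,targetAddress,sn,sAMAccountName,userPrincipalName
$sample = @(
    [pscustomobject]@{ displayName='Alice Adams'; sAMAccountName='aadams'; userPrincipalName='aadams@contoso.com'
                       mail='aadams@contoso.com'; mailNickname='aadams'; proxyAddresses=@('SMTP:aadams@contoso.com') },
    [pscustomobject]@{ displayName='Bob Brown';   sAMAccountName='bbrown'; userPrincipalName='bbrown@contoso.local'
                       mail='bob brown@contoso.com'; mailNickname='bob brown'; proxyAddresses=@('smtp:bbrown@contoso.com') },
    [pscustomobject]@{ displayName='Carol Chen';  sAMAccountName='cchen';  userPrincipalName='cchen@contoso.com'
                       mail='aadams@contoso.com'; mailNickname='cchen'; proxyAddresses=@('SMTP:cchen@contoso.com','SMTP:aadams@contoso.com') }
)
Test-O365SyncAttributes -Users $sample | Format-Table -AutoSize
```

Bob is reported for the non-routable `.local` UPN suffix, the space in mail and mailNickname, and the lower-case `smtp:` entry that leaves him without a primary address; Carol is reported for two primary `SMTP:` entries and for reusing Alice's address.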
Office 365 Directory Synchronization components
• Windows Azure AD (O365 identities)
• On-premises Active Directory (local identities)
• Directory Synchronization Tool
• User account attributes
• User and group synchronization
• SourceAnchor, msDS-CloudAnchor (Windows 2012 R2)
O365 Synchronization results
• Accounts are still separate
• O365 services are accessed using the cloud identity
• Password sync is enabled; the password is stored in double-hashed format
• Not a true Single Sign-On solution
• Can be used as a backup to a federated service solution
Windows Azure Active Directory Sync Tool
• Synchronizes on-premises Active Directory accounts to Windows Azure Active Directory.
• Synchronizes passwords (double hashed)
• Synchronization of accounts occurs every 3 hours
• Synchronization can be forced using a PowerShell command
• SQL Express database (10 GB)
Azure AD Sync Services (Preview)
Azure AD Sync Services is a new identity sync tool that provides customers with the ability to sync identity information from complex AD environments (i.e. multi-forest) and other identity directories.
http://go.microsoft.com/?linkid=9845645
Active Directory Federation Services
Active Directory Federation Services (AD FS) 2.x provides access to applications and other systems with an open and interoperable claims-based model.
The AD FS 2.x platform provides a Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Web Application Proxy can use AD FS for pre-authentication.
Unauthenticated client requests are redirected to the AD FS server for authentication and authorization before the request is forwarded to the published web application.
What is Multifactor Authentication?
Multifactor authentication is an approach to authentication which requires the presentation of two or more authentication factors.
Two-factor authentication seeks to decrease the probability that the requester is presenting false evidence of its identity.
What components make up multifactor authentication?
Two-factor authentication requires the use of two of the three authentication factors.
• Phone call
• SMS text message (one-time passcode)
• Software token
• Hardware token
O365 App Passwords for Rich Client Applications
• End-user self service
• Each user can have up to 40 app passwords
• 16 characters, randomly generated once
Multifactor Authentication for Office 365
Multifactor Authentication features
• Administrators can enable and enforce multifactor authentication for O365 users
• Use the mobile app (online and OTP) as a second authentication factor
• Use a phone call as a second authentication factor
• Use SMS as a second authentication factor
• App passwords for non-browser clients (e.g. Outlook and Lync)
• Default Microsoft greeting during authentication phone calls
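To show the enable/enforce capability listed above in practice, an added example that is not from the deck: per-user MFA state reporting and changes with the MSOnline PowerShell module. It assumes the module is installed and that `Connect-MsolService` has already authenticated an administrator; the function names are the example's own.

```powershell
# Added example (not from the deck): report and set per-user MFA state with MSOnline cmdlets.
# Assumes: Install-Module MSOnline done and Connect-MsolService already run as an administrator.

function Get-O365MfaReport {
    # One row per user: current MFA state and the default second factor, if one is registered.
    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
        $def = $_.StrongAuthenticationMethods | Where-Object IsDefault | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($req) { $req.State } else { 'Disabled' }          # Enabled / Enforced / Disabled
            DefaultMethod     = if ($def) { $def.MethodType } else { '(none registered)' } # e.g. PhoneAppOTP, OneWaySMS, TwoWayVoiceMobile
        }
    }
}

function Set-O365MfaState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            if ($State -eq 'Disabled') {
                $requirements = @()                       # an empty list clears the per-user requirement
            } else {
                $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
                $req.RelyingParty = '*'                   # apply to all relying parties
                $req.State = $State
                $requirements = @($req)
            }
            if ($PSCmdlet.ShouldProcess($upn, "set MFA state to $State")) {
                Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $requirements
            }
        }
    }
}

# Usage: preview enabling MFA for every user who has no requirement yet; drop -WhatIf to apply.
Get-O365MfaReport | Where-Object MfaState -eq 'Disabled' |
    Select-Object -ExpandProperty UserPrincipalName |
    Set-O365MfaState -State Enabled -WhatIf
```

Users set to Enabled are prompted to register a second factor at next sign-in, and non-browser clients such as Outlook and Lync then need the app passwords described above; Enforced requires the registration to be complete.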
O365 user setup
References
http://technet.microsoft.com/en-us/video/office-365-identity-management-and-federation.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=36832
http://technet.microsoft.com/en-us/library/dn383636.aspx
http://technet.microsoft.com/en-us/library/hh852469.aspx