Office 365 for SMB Jump Start
Module 3: Office 365 DirSync, Single Sign-On & ADFS

Chris Oakman, Managing Partner, Infrastructure Team, Eastridge Technology
Stephen Hall, CEO & SMB Technologist, District Computers
Jump Start Schedule (Target Agenda)

Day 1: Administering Office 365
- Office 365 Overview & Infrastructure
- Office 365 User Management
- Office 365 DirSync, Single Sign-On & ADFS

Day 2: Administering Exchange Online
- Exchange Online Overview & User Management
- Exchange Online Deployment & Migration
- Exchange Online FOPE
- Exchange Online Archiving & Compliance
- (Meal break)
- Administering Lync Online
- Administering SharePoint Online
Module 3 Outline
- Reviewing Identities
- Understanding DirSync
- DirSync Requirements
- Understanding Single Sign-On & ADFS

Section: Reviewing Identities
Reviewing Identity Types

Cloud Identity
- Separate credential from the corporate credential
- Authentication occurs via the cloud directory service
- Password policy is stored in Office 365

Federated Identity
- Same credential as the corporate credential
- Authentication occurs via on-premises Active Directory
- Password policy is stored on-premises
- Requires Directory Synchronization
Reviewing Identity Usage Scenarios

Cloud Identity
- Scenario: smaller organizations without on-premises Active Directory
- Pros: does not require on-premises server deployment
- Cons: no Single Sign-On; no two-factor authentication options; two sets of credentials to manage, potentially with different password policies

Cloud Identity + DirSync
- Scenario: medium to large organizations with Active Directory on-premises
- Pros: source of authority is on-premises; enables coexistence
- Cons: no Single Sign-On; no two-factor authentication options; two sets of credentials to manage, potentially with different password policies; requires on-premises server deployment

Federated Identity (requires DirSync)
- Scenario: large enterprise organizations with Active Directory on-premises
- Pros: Single Sign-On experience; source of authority is on-premises; two-factor authentication options; enables coexistence
- Cons: requires on-premises server deployment, in a high-availability configuration
Section: Understanding DirSync
What is DirSync?
- Application that synchronizes on-premises Active Directory with Office 365
- The x64 version is based on FIM (Forefront Identity Manager); previous x86 versions were based on ILM 2007
- Bundled with SQL Server 2008 R2 Express Edition
- Designed as an appliance: set it and forget it
DirSync Enables Coexistence
- Provisions objects in Office 365 with the same e-mail addresses as the objects in the on-premises environment
- Provides a unified Global Address List (GAL) experience between on-premises and Office 365; objects hidden from the on-premises GAL are also hidden from the Office 365 GAL
- Enables mail routing between on-premises and Office 365 with a shared domain namespace
- Enables application coexistence for Microsoft Lync
- Enables Exchange coexistence (simple and hybrid scenarios)
DirSync Enables Single Sign-On
- DirSync is a prerequisite for Single Sign-On (see Federated Identity above): the federated user must already exist in the tenant as a synchronized object
- Enables run-state administration and management of users, groups, and contacts
- Synchronizes adds, deletes, and modifications of users, groups, and contacts from on-premises to Office 365
- Not intended as a single-use bulk upload tool
DirSync Synchronization: Scope
- The entire Active Directory forest is scoped for synchronization
- What is synchronized: all user objects, all group objects, mail-enabled contact objects
- Passwords are not synchronized
- Synchronization is from on-premises to Office 365 only (unless writeback is enabled)
- Synchronization occurs every 3 hours; to force a sync, run the Start-OnlineCoexistenceSync cmdlet from the Directory Synchronization PowerShell console on the DirSync computer
DirSync Synchronization: User Objects
- Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
  - Visible in the Office 365 GAL (unless explicitly hidden from the GAL)
  - Logon-enabled, but not automatically licensed to use services
  - Target address is synchronized for mail-enabled users
- Regular NT users (accounts with no Exchange attributes) are synchronized as regular users; they are not automatically provisioned as mail-enabled in Office 365
- Resource mailboxes are synchronized as resource mailboxes
- Synchronized users are not automatically assigned a license
DirSync Synchronization: Group and Contact Objects

Group objects
- Mail-enabled groups are synchronized as mail-enabled groups
- Group memberships are synchronized
- Security groups are synchronized as security groups

Contact objects
- Only mail-enabled contacts are synchronized
- Target address is synchronized to Office 365
DirSync Synchronization: Change Propagation
- New user, group, and contact objects added on-premises are added to Office 365
- Existing user, group, and contact objects deleted on-premises are deleted from Office 365
- Existing user objects disabled on-premises are disabled in Office 365
- Synchronized attributes of existing user, group, or contact objects that are modified on-premises are modified in Office 365
DirSync Synchronization: Sync Cycle (diagram)
- Step 1: Import users, groups, and contacts from the source Active Directory forest (on-premises, alongside Exchange Server)
- Step 2: Import users, groups, and contacts from Microsoft Online Services via the DirSync Web Service (AWS) into the client-side DirSync
- Step 3: Export users, groups, and contacts that do not already exist in Microsoft Online Services to the online directory, which serves Live ID, Exchange Online, SharePoint Online, and Lync Online

Worked example from the diagram: an on-premises mailbox-enabled user with ProxyAddresses "SMTP:John.Doe@contoso.com" is exported as a logon-enabled, unlicensed, mail-enabled (not mailbox-enabled) user with ProxyAddresses "SMTP:John.Doe@contoso.com" and "smtp:John.Doe@contoso.onmicrosoft.com" and TargetAddress "John.Doe@contoso.com".
DirSync Synchronization: Full and Delta Cycles
- The first synchronization cycle after installation is a full synchronization: time-consuming relative to the number of objects, at roughly 5,000 objects per hour
- Subsequent synchronization cycles are deltas only and much faster
- Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized
DirSync Synchronization: Source of Authority
- Once implemented, on-premises AD becomes the source of authority for synchronized objects
- Modifications to synchronized objects must be made in the on-premises AD
- Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant

Scoping/Filtering
- Custom scoping or filtering is officially unsupported (guidance coming soon)
- The V1 DirSync filter XML file is no longer an available option for filtering
DirSync Synchronization: Object Matching
- During the initial synchronization of an object, the value of its on-premises objectGUID attribute is written to the sourceAnchor attribute (exposed in the tenant as ImmutableId). DirSync knows which Office 365 objects it is the source of authority for by examining sourceAnchor; a match on this value is referred to as a hard match.
- DirSync can also match user objects created via the portal with on-premises objects when the primary SMTP address matches; this is referred to as a soft match.
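The two matching rules, as an added example (not code from the original deck or from the DirSync tool): a hard match compares the base64-encoded on-premises objectGUID with the cloud ImmutableId, and a soft match falls back to the primary SMTP address, but only for cloud objects that have no ImmutableId yet. All user objects in the block are constructed; in a real run the on-premises side would come from Get-ADUser -Properties objectGUID,proxyAddresses and the cloud side from Get-MsolUser, both assumed available and not called here.

```powershell
# Added example: hard-match and soft-match logic as described in the deck.
# Sample users are constructed; no directory or tenant is contacted.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][Guid]$ObjectGuid)
    # DirSync writes the raw 16 GUID bytes, base64-encoded, as the sourceAnchor/ImmutableId.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # The primary address carries an upper-case "SMTP:" prefix; secondaries use "smtp:".
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { ($primary -creplace '^SMTP:', '').ToLower() } else { $null }
}

function Find-CloudMatch {
    param(
        [Parameter(Mandatory = $true)]$OnPremUser,               # needs .ObjectGuid and .ProxyAddresses
        [Parameter(Mandatory = $true)][object[]]$CloudUsers      # each needs .ImmutableId and .ProxyAddresses
    )
    $anchor = ConvertTo-ImmutableId -ObjectGuid $OnPremUser.ObjectGuid

    # Hard match: the cloud object already carries this objectGUID as its ImmutableId.
    $hard = @($CloudUsers | Where-Object { $_.ImmutableId -eq $anchor })
    if ($hard.Count -gt 0) {
        return [pscustomobject]@{ MatchType = 'Hard'; SourceAnchor = $anchor; CloudUser = $hard[0] }
    }

    # Soft match: same primary SMTP address, and the cloud object is not yet anchored to any
    # on-premises object. An object anchored to a different objectGUID must not be taken over
    # just because its e-mail address matches.
    $smtp = Get-PrimarySmtp -ProxyAddresses $OnPremUser.ProxyAddresses
    $soft = @($CloudUsers | Where-Object {
        (-not $_.ImmutableId) -and $smtp -and ((Get-PrimarySmtp -ProxyAddresses $_.ProxyAddresses) -eq $smtp)
    })
    if ($soft.Count -gt 0) {
        return [pscustomobject]@{ MatchType = 'Soft'; SourceAnchor = $anchor; CloudUser = $soft[0] }
    }
    [pscustomobject]@{ MatchType = 'None'; SourceAnchor = $anchor; CloudUser = $null }
}

# Constructed sample data: a portal-created user that should soft-match, and an unrelated
# user that is already anchored to a (constructed) objectGUID.
$onPrem = [pscustomobject]@{
    UserPrincipalName = 'john.doe@contoso.com'
    ObjectGuid        = [Guid]'8f2b5a7e-4c1d-4e0b-9a3f-2d6c1b7e8a90'   # constructed GUID
    ProxyAddresses    = @('SMTP:John.Doe@contoso.com', 'smtp:jdoe@contoso.com')
}
$cloud = @(
    [pscustomobject]@{
        UserPrincipalName = 'john.doe@contoso.com'
        ImmutableId       = $null
        ProxyAddresses    = @('SMTP:john.doe@contoso.com', 'smtp:john.doe@contoso.onmicrosoft.com')
    },
    [pscustomobject]@{
        UserPrincipalName = 'jane.roe@contoso.com'
        ImmutableId       = ConvertTo-ImmutableId -ObjectGuid ([Guid]'2c9e1f40-7b55-4a3d-8d2e-5f0a6c1b3d77')
        ProxyAddresses    = @('SMTP:jane.roe@contoso.com')
    }
)

Find-CloudMatch -OnPremUser $onPrem -CloudUsers $cloud | Format-List
```

With this data the portal-created john.doe is reported as a soft match; once DirSync has stamped the ImmutableId on the cloud object, the same call reports a hard match, and a later change of the primary SMTP address no longer affects the pairing.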
DirSync Synchronization: Error Notification
- Synchronization errors are e-mailed to the Technical Contact for the subscription; use a distribution group as the Technical Contact address so that notifications do not depend on one mailbox
- Example notifications:
  - Synchronization health status, sent once a day if no synchronization cycle has registered 24 hours after the last successful synchronization
  - Objects whose attributes contain invalid characters
  - Objects with duplicate/conflicting e-mail addresses
  - Sync quota limit exceeded
Section: DirSync Requirements
DirSync Computer Requirements
- Must be joined to an Active Directory domain within the forest that will be synchronized with Office 365; it does not have to be joined to the root domain
- Cannot be a domain controller
- Must be able to communicate with any/all domain controllers forest-wide
- Should be located in an access-controlled environment, with access limited to the people who already have access to domain controllers and other security-sensitive systems (the computer holds a service account with directory replication rights and a tenant administrator credential)
DirSync AD Requirements
- Only routable domains can be used with a DirSync deployment; non-routable suffixes include .local, .loc, and .internal
- If the organization's AD uses only an internal namespace, you must:
  1. Add a routable UPN suffix in Active Directory Domains and Trusts
  2. Configure each user with that routable UserPrincipalName suffix, e.g. user@domain.local must be changed to user@domain.com
- If this is not done, once DirSync runs the users will appear in Office 365 as user@domain.onmicrosoft.com instead of user@domain.com
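A pre-synchronization check covering both the error notifications listed earlier (invalid characters, duplicate or conflicting e-mail addresses) and the non-routable UPN suffix problem above, as an added example that is not part of the original deck or of the DirSync tool. The user objects are constructed; in practice you would feed in Get-ADUser -Filter * -Properties userPrincipalName,proxyAddresses. The allowed-character set for the UPN local part is an assumption modelled on Microsoft's IdFix-era guidance and should be checked against current documentation before you rely on it.

```powershell
# Added example: find objects that will fail or mis-provision on the first sync cycle.
# Input objects are constructed below; nothing here touches a directory.

$NonRoutableSuffixes = @('local', 'loc', 'internal')      # the three named in the deck; extend as needed
$UpnLocalPartPattern = '^[A-Za-z0-9''._!#^~-]+$'           # assumed allowed set (IdFix-style)

function Test-DirSyncReadiness {
    param([Parameter(Mandatory = $true)][object[]]$Users)  # each: .SamAccountName .UserPrincipalName .ProxyAddresses
    $findings = New-Object System.Collections.Generic.List[object]
    $claimed  = @{}   # lower-cased smtp address -> first account that claimed it

    function Add-Finding($account, $issue, $value) {
        $findings.Add([pscustomobject]@{ Account = $account; Issue = $issue; Value = $value })
    }

    foreach ($u in $Users) {
        $upn = [string]$u.UserPrincipalName
        $m = [regex]::Match($upn, '^([^@\s]+)@([^@\s]+)$')
        if (-not $m.Success) {
            Add-Finding $u.SamAccountName 'UPN missing or malformed' $upn
            continue
        }
        $local  = $m.Groups[1].Value
        $suffix = ($m.Groups[2].Value -split '\.')[-1].ToLower()

        # The user would land in the tenant as @<tenant>.onmicrosoft.com instead of the routable name.
        if ($NonRoutableSuffixes -contains $suffix) {
            Add-Finding $u.SamAccountName 'Non-routable UPN suffix' $upn
        }
        if ($local -notmatch $UpnLocalPartPattern -or $local -match '^\.|\.$|\.\.') {
            Add-Finding $u.SamAccountName 'Invalid characters in UPN local part' $upn
        }

        foreach ($pa in @($u.ProxyAddresses)) {
            if ($pa -notmatch '^smtp:') { continue }          # -match is case-insensitive: covers SMTP: and smtp:
            $addr = ($pa -replace '^smtp:', '').ToLower()
            if ($addr -notmatch '^[^@\s]+@[^@\s]+$') {
                Add-Finding $u.SamAccountName 'Invalid proxy address' $pa
                continue
            }
            # The same address on two objects is reported by DirSync as duplicate/conflicting.
            if ($claimed.ContainsKey($addr) -and $claimed[$addr] -ne $u.SamAccountName) {
                Add-Finding $u.SamAccountName "Duplicate/conflicting address (also on $($claimed[$addr]))" $addr
            } else {
                $claimed[$addr] = $u.SamAccountName
            }
        }
    }
    return $findings
}

# Constructed sample: one clean user, one on a .local suffix, one with a bad character and a
# duplicated secondary address, one service account without a UPN.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'john.doe@contoso.com';    ProxyAddresses = @('SMTP:john.doe@contoso.com', 'smtp:jdoe@contoso.com') },
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'anne.smith@contoso.local'; ProxyAddresses = @('SMTP:anne.smith@contoso.com') },
    [pscustomobject]@{ SamAccountName = 'bjones'; UserPrincipalName = 'bob,jones@contoso.com';    ProxyAddresses = @('SMTP:bob.jones@contoso.com', 'smtp:jdoe@contoso.com') },
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = $null;                      ProxyAddresses = @() }
)

Test-DirSyncReadiness -Users $sample | Format-Table -AutoSize
```

Run this against the whole forest before the first full cycle: every finding it lists is an object that either fails to export or exports under the wrong name, and fixing them on-premises beforehand is far cheaper than untangling soft-match failures in the tenant afterwards.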
DirSync Software Requirements
- Windows Installer 4.5 or later
- Windows PowerShell 2.0
- Microsoft .NET Framework 3.5 or later
- Windows Server 2003/R2 x86 with Service Pack 2 or later, or Windows Server 2008 x86 with the latest service pack installed; x64 is supported (the FIM-based x64 build requires a 64-bit Windows Server installation)
- Microsoft Online Services Sign-In Assistant: not a prerequisite for installation, but required when connecting to Office 365
DirSync Hardware Requirements
- Minimum of 1 GB of hard drive space: 600 MB for a complete installation of all Directory Synchronization Tool components, plus 400 MB to create the initial database file
- Additional hard drive space will most likely be required for mid-size or larger companies
- Server hardware should meet the minimum requirements for SQL Server 2008 R2 Express Edition and FIM (x64) or Identity Lifecycle Manager 2007 Feature Pack 1 (x86, legacy)
DirSync Network Requirements
- Synchronization with Office 365 occurs over SSL
- Internal network communication uses the typical Active Directory ports:

  Service                     Protocol   Port
  LDAP                        TCP/UDP    389
  Kerberos                    TCP/UDP    88
  DNS                         TCP/UDP    53
  Kerberos Change Password    TCP/UDP    464
  RPC (endpoint mapper)       TCP        135
  RPC dynamic high ports      TCP        1024-65535 (49152-65535 on Windows Server 2008 and Windows Vista)
  SMB                         TCP        445
  SSL                         TCP        443
  SQL                         TCP        1433
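A TCP reachability check from the DirSync computer to the ports in the table, as an added example (not part of the original deck). The host names are constructed placeholders: replace them with your own domain controllers (for example from Get-ADDomainController -Filter * in the ActiveDirectory module) and with the Office 365 sign-in endpoint your tenant uses; login.microsoftonline.com is assumed here. The UDP services (DNS, Kerberos, LDAP over UDP) and the dynamic RPC range cannot be probed this way and should be confirmed in the firewall rule set instead.

```powershell
# Added example: probe the TCP ports DirSync needs, with a connect timeout so a silently
# dropping firewall does not hang the check. Host names below are constructed.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }   # no SYN/ACK in time
        $client.EndConnect($ar)                                                        # throws on refusal
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TCP ports from the deck's table, keyed by the role of the target host.
$DomainControllerPorts = @{
    'LDAP' = 389; 'Kerberos' = 88; 'DNS (TCP)' = 53
    'Kerberos change password' = 464; 'RPC endpoint mapper' = 135; 'SMB' = 445
}
$CloudPorts = @{ 'SSL (sync to Office 365)' = 443 }

function Test-DirSyncConnectivity {
    param(
        [string[]]$DomainControllers,
        [string[]]$CloudEndpoints,
        [string]$SqlServer              # only when a full SQL Server instance replaces the bundled Express
    )
    $targets = @()
    foreach ($dc in $DomainControllers) {
        foreach ($svc in $DomainControllerPorts.Keys) { $targets += ,@($dc, $svc, $DomainControllerPorts[$svc]) }
    }
    foreach ($ep in $CloudEndpoints) {
        foreach ($svc in $CloudPorts.Keys) { $targets += ,@($ep, $svc, $CloudPorts[$svc]) }
    }
    if ($SqlServer) { $targets += ,@($SqlServer, 'SQL', 1433) }

    foreach ($t in $targets) {
        [pscustomobject]@{
            Host = $t[0]; Service = $t[1]; Port = $t[2]
            Reachable = (Test-TcpPort -ComputerName $t[0] -Port $t[2])
        }
    }
}

# The DirSync computer must reach every DC in the forest, child domains included (constructed names).
$results = Test-DirSyncConnectivity -DomainControllers @('dc01.corp.contoso.com', 'dc01.child.corp.contoso.com') `
                                    -CloudEndpoints @('login.microsoftonline.com')
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Reachable }   # anything listed here blocks installation or a sync cycle
```

Because the check runs from the DirSync computer itself, it also exercises any host-based firewall or proxy in the path, which a test from an administrator's workstation would not.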
DirSync Permission Requirements
- The account used to install DirSync must have:
  1. Local machine administrator permissions
  2. If using full SQL Server, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role
- The account used to configure DirSync must be a member of the local MIISAdmins group (the account used to install DirSync is added automatically)
- Administrator permission in the Office 365 tenant: DirSync uses an administrator account in the tenant to provision and update/modify objects
DirSync Permission Requirements (continued)
- Enterprise Administrator permission in the on-premises Active Directory
  - The credential is not stored/saved by the configuration wizard
  - Used to create the MSOL_AD_Sync domain account in the CN=Users container of the forest root domain
  - Used to delegate the following permissions to that account on each domain partition in the forest: Replicating Directory Changes, Replicating Directory Changes All, Replication Synchronization
- Note that Replicating Directory Changes All lets the holder replicate secret attributes, including password hashes, out of every domain it is granted on; the MSOL_AD_Sync account and the DirSync computer that stores its credential therefore need the same protection as a domain controller
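An audit of who holds the three replication permissions on the domain naming context, as an added example (not from the original deck). Run it after the configuration wizard to confirm that MSOL_AD_Sync received exactly these rights, and again periodically to catch any other principal that has acquired them. It assumes the ActiveDirectory module is available (for Get-ADDomain and the AD: drive); the GUIDs are the well-known control-access-right identifiers for the three permissions, and the list of expected built-in holders is an assumption for a default domain.

```powershell
# Added example: list principals allowed to replicate the domain partition.
# Requires the ActiveDirectory module; reads the ACL of the domain NC.

Import-Module ActiveDirectory

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory = $true)]$AccessRules)   # e.g. (Get-Acl "AD:\<domain DN>").Access
    foreach ($ace in $AccessRules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights     = [int]$ace.ActiveDirectoryRights
        $objectType = $ace.ObjectType.ToString().ToLower()

        # Explicit grant of one of the three replication rights.
        if ((($rights -band $ExtendedRight) -ne 0) -and $ReplicationRights.ContainsKey($objectType)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $ReplicationRights[$objectType]; Inherited = $ace.IsInherited }
            continue
        }
        # Blanket grants that include them: GenericAll, or ExtendedRight with no object type (all extended rights).
        $allExtended = (($rights -band $ExtendedRight) -ne 0) -and ($ace.ObjectType -eq [Guid]::Empty)
        if ((($rights -band $GenericAll) -ne 0) -or $allExtended) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = 'All replication rights (GenericAll / all extended rights)'; Inherited = $ace.IsInherited }
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$holders  = @(Get-ReplicationRightHolders -AccessRules (Get-Acl -Path "AD:\$domainDn").Access)
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Built-in holders are expected on a default domain (assumed list); any other identity,
# MSOL_AD_Sync aside, needs a named owner and a reason to be there.
$expected = @('Domain Controllers', 'Enterprise Domain Controllers', 'Enterprise Read-only Domain Controllers',
              'Administrators', 'SYSTEM', 'MSOL_AD_Sync')
$holders | Where-Object { $expected -notcontains ($_.Identity -split '\\')[-1] }
```

Repeat the call once per domain partition in the forest, since the wizard delegates the rights on each of them, and keep the output with the change record for the DirSync deployment so later reviews have a baseline to diff against.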
Section: Understanding Single Sign-On & ADFS
Single Sign-On: Purpose
- Enables users to access both the on-premises and cloud-based organizations with a single user name and password
- Provides users with a familiar sign-on experience
- Allows administrators to control account policies for cloud-based organization mailboxes using on-premises Active Directory management tools
Single Sign-On: Benefits
- Policy control
- Access control
- Reduced support calls
- Security
Single Sign-On: Server Requirements
- Windows Server 2008 or Windows Server 2008 R2
- Active Directory Federation Services 2.0 (AD FS 2.0)
- PowerShell
- Web Server (IIS)
- .NET 3.5 SP1
- Windows Identity Foundation
- Publicly registered domain name
- SSL certificates
- Microsoft Online Services Module for Windows PowerShell
- Microsoft Online Sign-In Assistant
- High-availability design
Single Sign-On: Client Requirements
- Internet Explorer 7.0 or later
- Firefox 3.0
- Chrome 6.0 or later
- Safari 4.0 or later
- Microsoft Office 2010 / 2007 SP2
- Microsoft Office for Mac 2011 SP1
- Microsoft Office 2008 for Mac version 12.2.9
- Office 365 Desktop Setup
- Microsoft Online Sign-In Assistant
Single Sign-On Requirements: Office 365 Desktop Setup
- Automatically detects the updates a computer needs
- Installs the Microsoft Online Sign-In Assistant
- Installs the operating system and client software updates required for connectivity with Office 365
- Automatically configures Internet Explorer and rich clients for use with Office 365
- Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
Single Sign-On Requirements: Microsoft Online Sign-In Assistant
- Can be installed automatically by Office 365 Desktop Setup or manually
- Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
- Not required for web kiosk scenarios (e.g. OWA)
- Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, AD FS, PowerShell)
AD FS 2.0 Components
- AD FS 2.0 server: the default topology for Office 365 is an AD FS 2.0 federation server farm consisting of multiple servers that host your organization's Federation Service. Use at least two federation servers in a load-balanced configuration.
- AD FS 2.0 proxy server: federation server proxies redirect client authentication requests coming from outside your corporate network to the federation server farm. Federation server proxies should be deployed in the perimeter network (DMZ), so that the federation servers themselves are never exposed directly to the Internet.
AD FS 2.0 Deployment Options (diagram)
1. Single-server configuration
2. AD FS 2.0 server farm behind a load balancer
3. AD FS 2.0 proxy server, or UAG/TMG, for external users, ActiveSync, and down-level clients with Outlook

The diagram shows internal users authenticating against the AD FS 2.0 servers (backed by Active Directory) inside the enterprise network, while external users reach the AD FS 2.0 server proxies placed in the perimeter network.
Deployment Architecture: Minimum Number of Servers by Number of Users

  Fewer than 1,000 users     0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
  1,000 to 15,000 users      2 dedicated federation servers, 2 dedicated federation server proxies
  15,000 to 60,000 users     Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies
Identity Federation Authentication Flow (Web Profile, diagram)
1. A client joined to the corporate network requests access to Exchange Online or SharePoint Online.
2. The client authenticates to the customer's AD FS 2.0 server, which validates the user against on-premises Active Directory (user source ID ABC123 in the diagram).
3. AD FS 2.0 issues a logon token (SAML 1.1) containing the UPN (user@contoso.com) and the Source User ID (ABC123).
4. The Microsoft Online Services authentication platform validates the logon token and issues its own auth token carrying the UPN (user@contoso.com) and the unique ID of the matching cloud object (254729 in the diagram).
5. The client presents the auth token to Exchange Online or SharePoint Online.
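The two claims the logon token in step 3 must carry, UPN and Source User ID (ImmutableID), come from issuance transform rules on the Office 365 relying-party trust. The block below, an added example rather than code from the original deck, applies the standard Office 365 rule set with the AD FS 2.0 cmdlets and then checks that the ImmutableID is sourced from objectGUID. The relying-party display name is the one Convert-MsolDomainToFederated creates and is assumed unchanged; the check at the end is a simple string match and is my addition, not part of the product.

```powershell
# Added example: set and verify the Office 365 issuance transform rules on AD FS 2.0.
# Run on a federation server; the relying-party name is assumed to be the default.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 ships its cmdlets as a snap-in

$rpName = 'Microsoft Office 365 Identity Platform'

# Single-quoted here-string: PowerShell expands nothing inside it, so the claim-rule regex
# and ${user} reach AD FS verbatim. Rule 1 queries AD for userPrincipalName and objectGUID
# (returned base64-encoded, i.e. the same value DirSync wrote to sourceAnchor) and issues
# them as the UPN and ImmutableID claims; rule 2 copies ImmutableID into the SAML NameID.
$rules = @'
@RuleName = "Issue UPN and ImmutableID from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

@RuleName = "Issue NameID from ImmutableID"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the rules back. If ImmutableID were sourced from any attribute other than objectGUID,
# the token would still be valid but would match no synchronized object in the tenant, and
# sign-in would fail for every federated user.
$applied = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($applied -notmatch 'objectGUID') {
    Write-Warning "ImmutableID is not sourced from objectGUID on '$rpName'; federated sign-in will not map to DirSync objects"
}
$applied
```

The same dependency explains why the routable UPN suffix matters for federation as much as for DirSync: the UPN claim issued here must equal the UPN that was synchronized, or Office 365 cannot pair the token with the user it already knows.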
Recommended Resources

ADFS 2.0 Deployment
- http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
- http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1

More information on DirSync
- http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx
- http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspx

Check out the course appendix
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. Some information relates to pre-released product which may be substantially modified before it's commercially released. MICROSOFT MAKES NO WARRANTIES,