Managing Identity Lifecycles at Scale
Microsoft Azure™ Active Directory Deployment Guide for Retail Industry Customers

Abstract
This guide helps you deploy a unified identity and access management solution with Microsoft Azure Active Directory. The primary emphasis is on managing identity lifecycle across your corporate employees and thousands of seasonal and temporary staff.

Intended Audience

Microsoft Corporation – Managing Identity Lifecycles at Scale

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Azure Active Directory Deployment Guide Page


Table of Contents

Overview 4
Key Concepts 5
  Azure AD Connect 5
  Partner Managed Identities (B2B) 5
  Consumer Identities (B2C) 5
  Single Sign-On 5
  Same Sign-On 5
  User Principal Name 6
  Identity Namespace 6
  Tenant Name 6
  Kiosk Worker 6
  Information Worker 6
  Identity Lifecycle 7
Configure the Prerequisites 8
Build Your Identity Organization Teams 9
Architectural Options for Azure AD Identity Solutions 10
  Onboarding new off-premises identities (Kiosk Workers) 10
  Synchronize on-premises identities (Information Workers) 15
  What to expect during each phase of the Identity Lifecycle 18
Key Infrastructure Design Considerations 21
  Tenant Name Design 21
  User Principal Name (UPN) patterns 22
  Sign-in Experience 23
  Organizational Security 23
Reference 25


Overview

Azure Active Directory (AD) Premium enables you to create a unified identity and access management (IAM) system that integrates different kinds of identities from multiple sources within your organization. Azure AD Premium makes it easier to cope with typical IAM challenges such as the following:

▪ Multiple identity repositories. Without a single authoritative source of identity (an Active Directory forest, Human Resources (HR) system, Lightweight Directory Access Protocol (LDAP) directory, relational database, and so on), some organizations have no unique identity for each employee, particularly for casual workers.

▪ Different identity types. Different categories of people, such as kiosk workers, full-time employees, hourly wage workers, consumers, suppliers, partners and so on have differing identity needs and characteristics.

▪ Disjointed or ad-hoc tools and solutions. The typical organic evolution of many organizations’ IT systems results in multiple, often incompatible solutions to address IAM challenges like group management, remote access, password management, provisioning, business to business collaboration and so on.

▪ Differing regulatory requirements. Specific industry sectors may need to address defined regulatory requirements. One example in the retail industry is Payment Card Industry (PCI).

▪ Multiple stakeholders. To compete effectively, modern agile organizations may define multiple reporting lines and areas of responsibility that span different business units within the organization.

Azure AD gives you effective solutions for extending on-premises identities into the cloud through single sign-on or same sign-on authentication techniques in order to address the above challenges.

The following illustration provides an example of the “identity lifecycle at scale” solution that uses Azure AD cloud services to integrate with a complex retail on-premises infrastructure.


Figure 1: Identity Lifecycle at Scale


Key Concepts

The following sections provide background to help you understand the benefits and technical considerations of deploying and managing Azure AD.

Azure AD Connect

Azure AD Connect integrates on-premises identity systems, such as Windows Server Active Directory, LDAP directories and transactional databases, with Azure Active Directory. It also connects and authenticates your users to Office 365, Azure and thousands of Software as a Service (SaaS) applications. This integration includes on-premises identity synchronization to and from the cloud and, optionally, single sign-on configuration with Active Directory Federation Services (AD FS).

Learn More: Microsoft Azure – Azure AD Connect

Partner Managed Identities (B2B)

Partner Managed Identities, such as suppliers and contractors, are not part of your organization but have a business relationship with it. An Identity-as-a-Service (IDaaS) solution would grant these identities access to your resources on a restricted basis only, with authentication through the partner organization’s credentials.

Learn More: Azure AD Business to Business collaboration (B2B)

Consumer Identities (B2C)

Consumer Identities represent customers to whom you want to provide services directly. In most cases, consumers either choose an existing social identity, such as Facebook, a Microsoft account or Twitter, or sign up for an account directly, typically using their email address as an identity. A retail example would be a grocery delivery application, where customers log in and place orders online. Consumer identities can scale to large numbers.

Learn More: Azure AD Business to Consumer (B2C)

Single Sign-On

Single sign-on lets you access all the resources you need to do business by signing in once using a single user account. After signing on via password, Personal Identification Number (PIN), or smartcard, you can run any of your authorized applications or connect to shares and data stores without having to authenticate a second time.

Learn More: Azure AD – Single Sign On

Same Sign-On

Same Sign-On enables use of the same set of credentials to access multiple resources. For example, an information worker logged on to a Windows computer with a username and password can go to a cloud resource and supply the same username and password to get access. Azure AD enables same sign-on through password hash synchronization.


User Principal Name

A User Principal Name (or UPN) identifies an object uniquely within Azure Active Directory. UPNs typically have a structure similar to email addresses, such as [email protected].

Identity Namespace

The Identity Namespace is the suffix of the UPN. In the case of [email protected], the identity namespace is “contoso.com.” The Identity Namespace is also known as the domain or UPN suffix.

Tenant Name

The Azure AD Tenant name is a string, e.g., “Contoso,” that you set when creating a tenant account in the Azure management portal. The tenant name is prepended to the onmicrosoft.com domain to create the initial tenant domain and UPN, in the form contoso.onmicrosoft.com. This name will be exposed to end users in some scenarios, so selecting the tenant name is a critical factor in the user experience. See Key Considerations – Tenant Name.
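To make the relationship between UPN, identity namespace and tenant name concrete, here is an added example; it is not part of the guide and not Microsoft code. It splits a UPN into prefix and namespace, derives the initial <tenant>.onmicrosoft.com domain from a tenant name, and reports which on-premises UPN suffixes would be rewritten to that initial domain because they are not verified domains in the tenant. The tenant name “Contoso”, the verified-domain list and the sample UPNs are constructed; the rewrite-to-initial-domain rule reflects documented Azure AD Connect behaviour for users whose UPN suffix is not verified in the tenant, and the surrounding checks are this example's own.

```python
"""Added illustration (not code from the guide): UPN prefix/namespace handling
and the initial tenant domain. Tenant name and verified domains are constructed
sample values; the fallback to <tenant>.onmicrosoft.com for an unverified UPN
suffix mirrors documented Azure AD Connect behaviour."""
from dataclasses import dataclass

ONMICROSOFT = "onmicrosoft.com"


@dataclass(frozen=True)
class Tenant:
    name: str                         # tenant name chosen at creation, e.g. "Contoso"
    verified_domains: frozenset[str]  # custom domains already verified in the tenant

    @property
    def initial_domain(self) -> str:
        """The initial tenant domain: the tenant name prepended to onmicrosoft.com."""
        return f"{self.name.lower()}.{ONMICROSOFT}"


def split_upn(upn: str) -> tuple[str, str]:
    """Return (prefix, identity namespace); the namespace is the UPN suffix."""
    if upn.count("@") != 1:
        raise ValueError(f"not a valid UPN: {upn!r}")
    prefix, namespace = upn.split("@")
    if not prefix or not namespace or "." not in namespace:
        raise ValueError(f"not a valid UPN: {upn!r}")
    return prefix, namespace.lower()


def namespace_is_verified(namespace: str, tenant: Tenant) -> bool:
    """True when the suffix is the initial tenant domain or a verified custom domain."""
    return namespace == tenant.initial_domain or namespace in tenant.verified_domains


def cloud_upn(on_prem_upn: str, tenant: Tenant) -> str:
    """UPN the object gets in Azure AD. A suffix that is not verified in the tenant
    (typically a non-routable one such as corp.local) is replaced by the initial
    tenant domain, which is then the name end users have to sign in with."""
    prefix, namespace = split_upn(on_prem_upn)
    if namespace_is_verified(namespace, tenant):
        return f"{prefix}@{namespace}"
    return f"{prefix}@{tenant.initial_domain}"


def unverified_namespaces(upns: list[str], tenant: Tenant) -> set[str]:
    """Pre-sync check: every distinct suffix that would be rewritten. Each entry is
    a domain to add and verify in the tenant, or a UPN pattern to remediate first."""
    return {split_upn(u)[1] for u in upns
            if not namespace_is_verified(split_upn(u)[1], tenant)}


if __name__ == "__main__":
    contoso = Tenant("Contoso", frozenset({"contoso.com"}))
    sample = ["jane@contoso.com", "store1234@corp.local", "ops@Contoso.COM"]
    for u in sample:
        print(u, "->", cloud_upn(u, contoso))
    print("verify or remediate first:", unverified_namespaces(sample, contoso))
```

Running the check over an export of on-premises UPNs before the first synchronization turns a silent rename into an explicit list: each reported suffix is either a custom domain to add and verify in the tenant, or a population of users whose sign-in name will change and who need to be told.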

Kiosk Worker

Kiosk workers are users whose primary job does not involve the continual use of a dedicated device or computer. Examples include sales staff in retail stores, factory workers, or store operatives. Typically, these employees do not require access to on-premises resources. Therefore, they might not even have an account in Active Directory—their identities are instead stored in the HR system. Azure AD enables these users to complete tasks like accessing SaaS applications for time card management (clocking in and out), collaborating, or initiating self-service HR queries such as holiday requests.

Information Worker

Information workers are typically full-time employees. These users create and consume internal information and therefore require access to corporate data. Information workers include members of the marketing, sales or design departments and so on, and may manage other employees. They use dedicated devices or computers joined to the on-premises directory, and their identities are stored in Active Directory or another directory service.


Identity Lifecycle

The Identity Lifecycle consists of phases within the IDaaS solution. These phases include the following elements:

Figure 2: Identity Lifecycle


Build Your Identity Organization Teams

Identity Organization teams and responsibilities

Identity Architecture / Development team
▪ Designs the solution in cooperation with the stakeholders.
▪ Owns the development process and creates the user acceptance environments.
▪ Implements prototypes and drives approvals.
▪ Documents the solution design and operational procedures for hand-off to the operations team.

On-premises Identity Operations team
▪ Manages on-premises identity sources such as Active Directory Forests, LDAP directories, HR systems, and Federation Identity Providers.
▪ Performs any remediation tasks needed before synchronizing objects to the cloud.
▪ Provides the service accounts required for directory synchronization to take place.
▪ Provides access to configure federation to Azure AD.

Application Technical Owners
▪ Own the cloud apps and services that will integrate with Azure AD.
▪ Provide the applications’ identity attributes that need to be synchronized.

Azure AD Administrator
▪ Manages the Azure AD configuration.
▪ Provides credentials to configure the synchronization service.

Database team
▪ Owns the database infrastructure.
▪ Procures any SQL Server instance(s) that a deployment requires, based on corporate standards.

Network team
▪ Owns the network infrastructure.
▪ Provides the required access at the network level for the synchronization service to access the data sources and cloud services (firewall rules, ports opened, IPsec rules and so on).

Privacy and Compliance team
▪ Certifies that the solution meets the organizational or governmental regulatory and information security requirements.
▪ Provides the necessary security oversight and approves the data being synchronized.

Help Desk
▪ Manages the support incidents connected to the migration process.

Azure Subscription Administrator
▪ Manages the Azure AD subscriptions in the company.

Learn More: Assign administrator roles in Azure Active Directory, Office 365


Configure the Prerequisites

Before you design your Identity Lifecycle at Scale solution, review the following process for configuring the prerequisites:

Process for configuring prerequisites

Setup Common Infrastructure

1. Create Azure AD Tenant(s). The Azure AD Tenant is the home for your organization’s directory in the cloud.
   Learn More: Get an Azure AD Tenant

2. Create and configure custom domains. Users reach your cloud and on-premises resources through domains.
   Learn More: Add Domain

3. Identify Information Worker (B2E) identities and separate them from B2B (partner) and B2C (consumer) identities that might be present in on-premises directories. Different identities have different roles in your organization.
   Learn More: Azure AD B2B collaboration; Azure AD B2C

4. Identify the on-premises directories to synchronize with Azure AD. Examples include on-premises Active Directory Forest(s), HR databases etc.
   Learn More: Connectors; Topologies for Azure AD Connect

Kiosk Worker

5. Identify data sources for kiosk worker identities. These are the repositories that store the kiosk employees’ information. Examples include HR systems, relational databases, or even text files or spreadsheets.

6. Identify SaaS applications for kiosk workers. Applications have different requirements for user information, expressed as identity claims, and may support user provisioning.

7. Identify the attributes of kiosk worker identities and normalize them across all sources. Identify name, phone number, employee ID, and so on, on each data source, and record the semantics and possible values of each.

Information Worker

8. Filter out accounts that do not need to be synchronized. Only specific user, group and device objects need to be synchronized with Azure AD.
   Learn More: Prepare for directory sync; Azure AD Connect sync: Configure Filtering

9. Define a strategy to identify objects uniquely. This establishes the immutable link between an on-premises object and its manifestation in the cloud.
   Learn More: Azure AD Connect: Design concepts

10. Identify the attributes of initial Azure AD workloads. Define the information on each object that you want to be available in the cloud.
   Learn More: Azure AD Connect sync: Attributes synchronized to Azure Active Directory

11. Define features for Azure AD synchronization for on-premises objects. Check items such as whether to write back passwords/devices, synchronize passwords, or propagate accounts to the cloud automatically.
   Learn More: Integrating your on-premises identities with Azure Active Directory

12. Define the authentication approach (Federation or password hash sync). Determine whether you want Azure AD or the on-premises federation service to perform authentication. In addition, determine whether you want to keep the on-premises usernames and domain names or clean them up.
   Learn More: Federated Identity Pattern; Implementing password synchronization with Azure AD Connect sync

13. Remediate on-premises identities. Prepare all identities for error-free synchronization to the cloud.
   Learn More: Prepare directory attributes for synchronization with Office 365 by using the IdFix tool; Azure AD service limits and restrictions
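The following added example works through steps 7 to 9 on constructed data; it is not code from the guide and not Microsoft code. Two kiosk-worker sources with different column names, phone formats and status encodings are normalized onto one attribute set, joined by employee ID into a single view with the HR system as the authoritative source, filtered so that only enabled identities are planned for synchronization, and given an immutable anchor. The base64-encoded objectGUID is what Azure AD Connect uses by default as the sourceAnchor (the cloud object's ImmutableId) for Active Directory objects; the “HR:<employee ID>” anchor for identities that have no AD object, the sample records, and the North American region assumption in the phone normalizer are this example's own.

```python
"""Added illustration of prerequisite steps 7 to 9 (not code from the guide):
normalise kiosk worker attributes from two constructed sources, filter out
records that must not be synchronised, and give each identity an immutable
anchor. The base64-encoded objectGUID for identities that already have an
Active Directory object mirrors Azure AD Connect's default sourceAnchor; the
"HR:<employee ID>" anchor for HR-only identities is a convention invented here."""
import base64
import csv
import io
import re
import uuid

# Constructed sample: extract from the authoritative HR system.
HR_CSV = """EmployeeID,FirstName,LastName,Phone,Status
10001,Ana,Silva,+1 (555) 010-0001,Active
10002,Ben,Okafor,555.010.0002,Terminated
10003,Chen,Wei,5550100003,Active
"""

# Constructed sample: a store manager's spreadsheet export. Column names and the
# status encoding differ, and it records the on-premises objectGUID for workers
# who already have an AD account. The objectGUID value is made up.
SPREADSHEET_ROWS = [
    {"emp_no": "10003", "name": "Chen Wei", "mobile": "+1 555 010 0009", "active": "Y",
     "objectGUID": "b1c2d3e4-0000-4000-8000-000000000003"},
    {"emp_no": "10004", "name": "Dana Ruiz", "mobile": "555-010-0004", "active": "N",
     "objectGUID": ""},
]


def normalise_phone(raw: str) -> str:
    """Step 7: one representation per attribute. Digits only, rendered as E.164;
    a ten-digit number is assumed to be North American (assumption of this example)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def anchor_from_guid(guid_text: str) -> str:
    """Step 9: Azure AD Connect's default sourceAnchor is the objectGUID's 16 bytes,
    in the byte order AD stores them (little-endian leading fields), base64-encoded."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def from_hr_csv(text: str) -> list[dict]:
    """Map HR columns onto the normalised attribute set."""
    return [{
        "employeeId": row["EmployeeID"].strip(),
        "givenName": row["FirstName"].strip(),
        "surname": row["LastName"].strip(),
        "mobile": normalise_phone(row["Phone"]),
        "enabled": row["Status"].strip().lower() == "active",
        "objectGUID": None,
    } for row in csv.DictReader(io.StringIO(text))]


def from_spreadsheet(rows: list[dict]) -> list[dict]:
    """Map spreadsheet columns onto the same set ("name" is given-then-family here)."""
    out = []
    for row in rows:
        given, _, family = row["name"].strip().partition(" ")
        out.append({
            "employeeId": row["emp_no"].strip(),
            "givenName": given,
            "surname": family,
            "mobile": normalise_phone(row["mobile"]),
            "enabled": row["active"].strip().upper() == "Y",
            "objectGUID": row["objectGUID"] or None,
        })
    return out


def build_metaverse(sources: list[list[dict]]) -> tuple[dict, list[str]]:
    """Join records by employee ID into one view. The first source is authoritative;
    later sources only fill attributes it lacks, and disagreements are reported
    instead of being silently overwritten."""
    metaverse: dict[str, dict] = {}
    conflicts: list[str] = []
    for source in sources:
        for rec in source:
            key = rec["employeeId"]
            current = metaverse.setdefault(key, dict(rec))
            for attr, value in rec.items():
                if value is None:
                    continue
                if current.get(attr) is None:
                    current[attr] = value
                elif current[attr] != value:
                    conflicts.append(f"{key}.{attr}: {current[attr]} != {value}")
    return metaverse, conflicts


def immutable_anchor(rec: dict) -> str:
    """AD-backed identities anchor on objectGUID; HR-only ones on the employee ID."""
    if rec.get("objectGUID"):
        return anchor_from_guid(rec["objectGUID"])
    return "HR:" + rec["employeeId"]


def plan_sync(sources: list[list[dict]]) -> dict:
    """Step 8: only enabled identities are synchronised; the rest are listed as
    skipped so the effect of the filter is visible and reviewable."""
    metaverse, conflicts = build_metaverse(sources)
    sync = {k: {**r, "sourceAnchor": immutable_anchor(r)}
            for k, r in metaverse.items() if r["enabled"]}
    skipped = sorted(k for k, r in metaverse.items() if not r["enabled"])
    return {"sync": sync, "skipped": skipped, "conflicts": conflicts}


if __name__ == "__main__":
    result = plan_sync([from_hr_csv(HR_CSV), from_spreadsheet(SPREADSHEET_ROWS)])
    for key, rec in result["sync"].items():
        print(key, rec["givenName"], rec["surname"], rec["mobile"], rec["sourceAnchor"])
    print("skipped:", result["skipped"])
    print("conflicts:", result["conflicts"])
```

Conflicts are reported rather than resolved in code because which source wins is a decision for the identity architecture team and the privacy and compliance team, not for the synchronization job; likewise a disabled or terminated record is listed as skipped rather than dropped, so that the filter's effect can be reviewed before anything reaches the tenant.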


Architectural Options for Azure AD Identity Solutions

Three main design aspects apply when managing identities at scale:

▪ How to onboard new identities that are not on-premises (kiosk workers)
▪ How to synchronize identities that are already on-premises (information workers)
▪ What to expect during each phase of the identity lifecycle

Onboarding new off-premises identities (Kiosk Workers)

The option of a cloud directory opens up a new set of use cases; specifically, enabling identity management for users, such as kiosk workers, who are traditionally not represented in on-premises identity stores, but may have identities stored in the company HR system. This section presents options to create these new identities and enable the new use cases.

The options described assume that the provisioning and de-provisioning of these new identities ties into the company’s HR application as the authoritative identity source. In the following diagrams, the on-premises synchronization component is a generic process replaceable with any of the options described in the subsequent section Synchronize on-premises identities (Information Workers).


Option 1: Single HR system to Azure AD integration

The kiosk worker identity gets copied from the master HR system to Azure AD through an integration layer. Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD PowerShell or Azure AD.

Figure 3: Single HR system to Azure AD integration

Advantages
▪ Kiosk worker identities are now stored in Azure AD, while the HR system remains the authoritative source.

Tradeoffs
▪ Additional effort to design, implement, test and maintain the integration layer.
▪ Disparate tools and workflows required to manage the identity lifecycle for all the relevant identities.


Option 2: Direct inbound provisioning with Workday

With inbound provisioning, every time a new kiosk worker identity is created in Workday, it is automatically added to Azure AD.

Figure 4: Direct inbound provisioning with Workday

Advantages
▪ Simple integration, fully automated through the SaaS HR application.
  Learn More: Inbound Provisioning

Tradeoffs
▪ Inbound provisioning limited to Workday as the data source and a very narrow set of attributes.
▪ Disparate tools and workflows required to manage the identity lifecycle for all identities.


Option 3: Multiple HR systems to Azure AD integration

In some cases, such as mergers and acquisitions, multiple HR systems must be integrated into Azure AD. The kiosk worker identity is copied from various source repositories into a single view (metaverse) through an integration layer. Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD PowerShell and Azure AD.

Figure 5: Multiple HR systems to Azure AD integration

Advantages
▪ Kiosk worker identities only present in Azure AD.
▪ Write-back opportunity through the MIM connector infrastructure.

Tradeoffs
▪ Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
▪ Disparate tools and workflows required to manage the identity lifecycle for all identities.


Option 4: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Companies that want to provide a consistent management experience for kiosk and information workers can integrate both kinds of identities into on-premises Active Directory, and use a common synchronization mechanism to propagate the identities into the cloud.

Learn More: Synchronize Information Worker

Figure 6: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Advantages
▪ Single cloud synchronization strategy through Azure AD Connect.
▪ Common tools to manage all identities in on-premises Active Directory.
▪ Common tools to unify the user experience, such as federated login, password management, and so on.
▪ Provision of additional features through the MIM connector infrastructure.

Tradeoffs
▪ Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
▪ Greater loading on the on-premises Active Directory from the kiosk identities, which affects factors such as the size of the directory information tree and replication latency.
▪ More identities on-premises, generating more risk of unintended access to on-premises resources.

Helpful Tips

Since kiosk users will not log onto the on-premises Active Directory, consider the aspects below for Password Hash Sync domains:

Run the following PowerShell cmdlets from the Azure AD Connect server to synchronize the passwords of kiosk workers who are marked as “User must change password at next logon” (the common case when creating new user accounts):

    Import-Module ADSync
    Set-ADSyncAADCompanyFeature `
        -ConnectorName "<case sensitive aad connector name>" `
        -ForcePasswordResetOnLogonFeature $true

Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords in the cloud are marked to never expire when synchronized from on-premises.

If you disable the kiosk workers’ user accounts on-premises based on your security policies, then you need to perform the following steps to allow users to change their passwords in the cloud and write them back on-premises:

1. Re-execute the Azure AD Connect wizard, unchecking the password writeback checkbox.
2. Update the file “%ProgramFiles%\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config” to contain the following value:

    <add key="ConvertChangePasswordToResetPasswordForDisabledUser" value="true"/>

3. Re-execute the Azure AD Connect wizard, checking the password writeback checkbox.

Synchronize on-premises identities (Information Workers)

The following three options enable you to synchronize existing on-premises identity stores—either traditional LDAP-based directories or a custom store, such as a relational database—with Azure AD. The following scenarios apply equally to identities from single or multiple stores.

Option 1: Integrate all repositories to the cloud with Azure AD Connect

You can engage the services of the Azure AD product group, such as Microsoft Premier Support, Microsoft Consulting Services or a Microsoft Partner, to assist you in deploying an advanced customization of Azure AD Connect.

Figure 7: Integrate all repositories to the cloud with Azure AD Connect

Advantages
▪ MIM supports multiple types of connectors so you can connect directly to multiple data sources.
  Learn More: Connectors
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.

Tradeoffs
▪ Initial deployment and ongoing maintenance require a complex engagement from the Azure AD product group, Microsoft Premier Support, Microsoft Consulting Services, or a Microsoft Partner.


Option 2: Integrate all repositories to the cloud with MIM

Instead of using Azure AD Connect, this option uses the MIM connector for Azure AD.

Figure 8: Integrate all repositories to the cloud with MIM

Advantages
▪ This option is easier to implement if you have already deployed MIM in your organization.
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.

Tradeoffs
▪ Capabilities of the MIM connector to the cloud are limited compared to Azure AD Connect, which has features such as write-back.
▪ May not be a future-proof solution.


Option 3: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

This approach combines multiple identity repositories into an Active Directory Forest using Microsoft Identity Manager. The on-premises Active Directory then synchronizes to the cloud through Azure AD Connect.

Figure 9: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

Advantages
▪ MIM supports multiple types of connectors so you can connect directly to multiple data sources.
  Learn More: Connectors
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
▪ New identities from disparate HR systems get the same authentication experience once they are integrated into the on-premises Active Directory.

Tradeoffs
▪ You need enough Client Access Licenses (CALs) to incorporate users who have lacked on-premises accounts into your directory.
▪ Additional infrastructure may be required.

Helpful Tips

Since kiosk users will not log on to the on-premises Active Directory, consider the aspects below for password hash sync domains:

Run the following PowerShell cmdlets on the Azure AD Connect server so that kiosk workers whose on-premises accounts are flagged "User must change password at next logon" (the common case when creating new users) are forced to change the temporary password at their first cloud sign-in instead of silently keeping it:

Import-Module ADSync
Set-ADSyncAADCompanyFeature `
    -ConnectorName "<case sensitive aad connector name>" `
    -ForcePasswordResetOnLogonFeature $true

Contact Microsoft Support to enable expiration of passwords in the cloud. This is needed because passwords synchronized from on-premises are marked to never expire in the cloud, so a kiosk worker's temporary or stale password never ages out unless it is changed on-premises.

If your security policy disables kiosk workers' accounts on-premises (they never log on there), a cloud password change for such a user will fail: password writeback performs a "change password" operation against Active Directory, which validates the old password, and a disabled account cannot complete that check. To let these users change their passwords in the cloud and have the result written back on-premises, convert the change into an administrative reset:

1. Re-run the Azure AD Connect wizard and clear the password writeback checkbox.
2. Update the file "%ProgramFiles%\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config" so that it contains the following value:
   <add key="ConvertChangePasswordToResetPasswordForDisabledUser" value="true"/>
3. Re-run the Azure AD Connect wizard and select the password writeback checkbox again.

With this setting the old-password check for a disabled user happens in Azure AD only; the on-premises write is a reset performed by the Azure AD Connect AD connector account, which therefore needs Reset Password rights on those kiosk accounts.
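The following PowerShell ties the kiosk-worker steps above together and verifies each one. It is an added example for this guide, not Microsoft's code or part of Azure AD Connect. It assumes a placeholder connector name (list yours with Get-ADSyncConnector; newer Azure AD Connect builds drop the -ConnectorName parameter entirely) and the default installation path for the writeback library config; the wizard runs that bracket the config edit are still done interactively, as described above.

```powershell
# Added example for this guide (not Microsoft's code). Run on the Azure AD Connect
# server in an elevated session as a member of ADSyncAdmins.
Import-Module ADSync

$aadConnector = "contoso.onmicrosoft.com - AAD"   # assumption: your case-sensitive AAD connector name
$configPath   = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config'

# Step A: make the cloud honour "User must change password at next logon", so a seasonal
# worker's temporary password cannot be kept. Read the features back; the force-password-
# change entry must read True before you continue.
Set-ADSyncAADCompanyFeature -ConnectorName $aadConnector -ForcePasswordResetOnLogonFeature $true
Get-ADSyncAADCompanyFeature -ConnectorName $aadConnector | Format-List

# Step B (between the two wizard runs, with password writeback currently cleared):
# set ConvertChangePasswordToResetPasswordForDisabledUser=true in the writeback config.
# Keep a backup; an upgrade may rewrite this file, so re-check it afterwards.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
[xml]$cfg = Get-Content -Path $configPath -Raw
$appSettings = $cfg.configuration.SelectSingleNode('appSettings')
if ($null -eq $appSettings) {
    $appSettings = $cfg.configuration.AppendChild($cfg.CreateElement('appSettings'))
}
$key  = 'ConvertChangePasswordToResetPasswordForDisabledUser'
$node = $appSettings.SelectSingleNode("add[@key='$key']")
if ($null -eq $node) {
    $node = $appSettings.AppendChild($cfg.CreateElement('add'))
    $node.SetAttribute('key', $key)
}
$node.SetAttribute('value', 'true')
$cfg.Save($configPath)

# Step C: after the second wizard run has re-selected password writeback, push a delta
# sync so the kiosk accounts pick up both settings without waiting for the scheduler.
Start-ADSyncSyncCycle -PolicyType Delta
```

Run Step A and B, complete the wizard, then run Step C; re-run the Step A query after any Azure AD Connect upgrade, since company features and the config file are the two places where this behaviour can silently revert.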


What to expect during each phase of the Identity Lifecycle

Azure AD helps IT departments ensure that individual accounts are properly maintained during the identity lifecycle, while following the organization's policies and procedures for account creation, termination, and other events. This section describes each aspect of the identity lifecycle and what it takes to deliver the corresponding user experience.

Creating new identities

Action: Create New Identity

User can log in to Azure AD
  Cloud-only identity: Immediately
  On-premises identity: After the on-premises sync cycle occurs
  Identity in Workday: After the Workday to Azure AD sync cycle occurs

Identity entitlements are configured
  Cloud-only identity: Immediate if using attribute-based access control. Other techniques require manual intervention.
  On-premises identity / identity in Workday: Immediately after the identity is in Azure AD, if using attribute-based access control. Other techniques require manual intervention.

Identity profiles created for Office 365 (Exchange Online, SharePoint, Skype for Business, etc.)
  All identity types: Once the identities are in the Azure AD directory, you can assign Office 365 licenses, which in turn trigger the provisioning process. Learn more: Assign or remove licenses for Office 365 for business

Identity profiles created for SaaS applications that support provisioning
  All identity types: Immediate if using attribute-based access control. Other techniques require manual intervention.

Identity profiles created for SaaS applications that do not support provisioning
  All identity types: Manual intervention required.

Servicing

Expected experience on password lifecycle events with self-service password management enabled.

Action: Update Expired Password

Redirect to Azure AD password change at login
  Cloud-only identity: Immediate
  On-premises identity: For password hash sync tenants, the cloud account password is set to "Never Expire" for users whose passwords synchronize to the cloud. Users can then continue to sign in to cloud services using a synchronized password even if it has expired in your on-premises environment; the cloud password updates only when the password changes on-premises. (This is why the Helpful Tips above ask you to have cloud password expiration enabled for kiosk workers, who never change their password on-premises.) For federated tenants, users must update their password when logging in to the cloud.

Redirect to Azure AD password change on existing Azure AD sessions
  Cloud-only identity: Immediate

Password change on a SaaS application session is redirected to Azure AD
  Cloud-only identity: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
  On-premises identity: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.

Windows receives the new password after it has changed in the cloud
  Cloud-only identity: N/A (no on-premises account)
  On-premises identity: After a password sync cycle (near real time – within minutes)

Action: Password Reset and Change

User can log in to cloud resources with the new password
  Cloud-only identity: Immediate
  On-premises identity: After a password sync cycle (near real time – within minutes)

User can log in to on-premises resources with the new password
  Cloud-only identity: N/A
  On-premises identity: After a password sync cycle (near real time – within minutes)

Action: Disable / Delete Identities

The columns in this table are: cloud-only identity; on-premises identity synchronized via password hash sync; on-premises identity synchronized via federation; identity in Workday.

Mark account as disabled/deleted in Azure AD
  Cloud-only identity: Immediate
  On-premises (password hash sync): After a sync cycle with on-premises
  On-premises (federation): After a sync cycle with on-premises
  Identity in Workday: After a sync cycle from the HR SaaS app

Block new logins to Azure AD
  Cloud-only identity: Immediate
  On-premises (password hash sync): After a sync cycle with on-premises. For an urgent termination, do not wait for the scheduler: start a delta sync cycle on the Azure AD Connect server as soon as the account is disabled in Active Directory.
  On-premises (federation): Immediate (AD FS authenticates against the on-premises account, which is already disabled)
  Identity in Workday: After a sync cycle from the HR SaaS app

Invalidate existing Azure AD sessions
  All identity types: Immediate, once the account is disabled in Azure AD. "Immediate" applies to the issuing of new tokens: an access token a client already holds stays valid until it expires (by default up to an hour), so an application using one can keep working until it next has to refresh.

Invalidate existing SaaS application sessions
  All identity types: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.

Disable/delete user profiles in SaaS applications that support outbound provisioning
  All identity types: 5 minutes by default after the account is marked as disabled in Azure AD (configurable through provisioning properties).

Disable/delete user profiles in SaaS applications that do not support outbound provisioning
  All identity types: Manual clean-up required.

Helpful Tips

▪ Modeling access to resources through Azure AD groups gives you self-service group management, delegated administration, and attribute-based access control for applications and license assignment. Learn More: Managing access to resources with Azure Active Directory groups
▪ Control functions such as auditing and attestation are built into Azure AD reporting. Learn More: Azure Active Directory audit report events
▪ Password management is available through Azure AD for both on-premises and cloud identities. It enables self-service password reset and change, as well as account unlock, freeing up help desk resources. Learn More: Getting started with Password Management


Key Infrastructure Design Considerations

This section covers key considerations and techniques for creating a robust identity infrastructure implementation plan for the future.

Tenant Name Design

The tenant name appears in multiple use cases. For branding purposes, it therefore needs to be considered carefully. Assuming a tenant name of rcdemosnet.onmicrosoft.com, information and kiosk workers will see the following:

SharePoint

Figure 10: SharePoint namespace sample

Figure 11: SharePoint namespace sample

Yammer

Figure 12: Yammer namespace sample


User Principal Name (UPN) patterns

Since cloud identities sign in with a User Principal Name (UPN), defining requirements around domain and user naming is crucial to avoid the cost of having to rework the tenant accounts later.

Having on-premises domain names or user accounts that should not be moved to the cloud is common. For example, names associated with old branding, domain names from acquired companies, domains from unused geographies or cost centers, and poorly formed usernames should not be migrated or synchronized to the cloud.

The following table provides typical requirements, how they can be met with Azure AD, and the tradeoffs of each option:

Typical namespace requirements and tradeoffs

Requirements:
▪ Clean up the on-premises namespace to use consistent branding
▪ Clean up the information worker usernames used on-premises (for example: instead of [email protected], sign in as [email protected])
How to accomplish: Clean up the UPN attribute on-premises.
Tradeoffs:
▪ Each on-premises forest must have a different namespace.
▪ Additional testing is required of on-premises applications that might have taken a dependency on the UPN attribute.

Requirements:
▪ Clean up cloud user names and namespace
▪ Do not change on-premises UPNs, to avoid impacting legacy applications
How to accomplish: Deploy alternate login ID using AD FS + Azure AD Connect. Learn More: Configuring Alternate Login ID
Tradeoffs: Significant complexity is added to the information worker's user experience, which causes challenges in hybrid Office 365 scenarios. Learn More: Configuring Alternate Login ID

The following table captures the login experience implications of namespace choices:

Namespace implications for login experience

Requirements:
▪ Single sign-on using on-premises credentials for information workers
How to accomplish: Provision kiosk workers in a different domain. Federate information workers and use AD FS.
Tradeoffs: Kiosk workers and information workers will have different namespaces (for example: [email protected], [email protected]).

Requirements:
▪ Same sign-on for information workers
▪ Common namespace for kiosk and information workers
How to accomplish: Use password hash sync for information workers, and provision kiosk workers in the same domain.
Tradeoffs:
▪ Write-back capabilities will not be available.
▪ Information workers will not be able to use desktop SSO. (Later Azure AD Connect releases added Seamless Single Sign-On, which provides desktop SSO for password hash sync users on domain-joined devices.)

Requirements:
▪ Single sign-on for information workers
▪ Consistent identity tools and management for both kiosk and information workers
How to accomplish: Synchronize kiosk workers to on-premises AD, and use the same tools for kiosk and information workers.
Tradeoffs:
▪ On-premises AD grows with identities that will never log in on-premises.
▪ New accounts might inadvertently have access to some on-premises resources: every AD account is a member of Domain Users and Authenticated Users and inherits whatever those groups can read or reach. Place kiosk accounts in a dedicated OU, restrict where they may log on, and review resources that grant access to those default groups.
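Before committing to one of the namespace options above, it pays to find out which on-premises UPNs would break, or be silently rewritten, once synchronized. The script below is an added example for this guide, not Microsoft's code; it reports accounts whose UPN is missing, uses a suffix that is not a verified tenant domain, contains characters Azure AD rejects in the local part, or disagrees with the mail attribute, and then counts accounts per suffix so you can see which namespaces you are about to sync. The verified-domain list and search base are placeholders.

```powershell
# Added example for this guide (not Microsoft's code). Run from a workstation with the
# ActiveDirectory RSAT module against the on-premises forest before the first sync.
Import-Module ActiveDirectory

$verifiedDomains = @('contoso.com', 'kiosk.contoso.com')    # assumption: domains verified in your tenant
$searchBase      = 'OU=Retail,DC=corp,DC=contoso,DC=local'  # assumption: where the retail accounts live
# Characters Azure AD accepts in the local part of a UPN: letters, digits and . - _ ! # ^ ~ '
$localPartPattern = '^[A-Za-z0-9.\-_!#^~'']+$'

function Get-UpnIssue {
    param($User)
    $upn = $User.userPrincipalName
    if ([string]::IsNullOrWhiteSpace($upn)) {
        return 'No UPN set; the default sync rule falls back to sAMAccountName@<AD domain FQDN>'
    }
    $local, $suffix = $upn -split '@', 2
    if ($suffix -notin $verifiedDomains) {
        return "Suffix '$suffix' is not a verified domain; Azure AD rewrites it to <tenant>.onmicrosoft.com"
    }
    if ($local -notmatch $localPartPattern) {
        return "Local part '$local' contains characters Azure AD does not accept"
    }
    if ($User.mail -and $User.mail -ne $upn) {
        return "UPN differs from mail ($($User.mail)); users will see two different names"
    }
    return $null
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties userPrincipalName, mail

$report = foreach ($u in $users) {
    $issue = Get-UpnIssue -User $u
    if ($issue) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $u.userPrincipalName; Issue = $issue }
    }
}

# Accounts that need attention, grouped by the kind of problem
$report | Sort-Object Issue, SamAccountName | Format-Table -AutoSize

# Accounts per UPN suffix: shows which namespaces will be synchronized and which to filter out
$users | Group-Object { ($_.userPrincipalName -split '@')[-1] } |
    Select-Object Count, Name | Sort-Object Count -Descending
```

Run it against each forest you plan to connect; suffixes that appear in the second listing but not in your verified-domain list are exactly the old-branding, acquired-company and cost-center names the text above says should be cleaned up or filtered before they reach the tenant.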


Sign-in Experience

Deploying the cloud identity solution gives users single sign-on to SaaS applications, including Office 365 and other services configured by the Azure AD tenant owner. The following table lists some important items to consider when you get close to launching the solution's infrastructure for your information and kiosk workers:

Cloud Identity Solution pre-deployment considerations

Item: Password policy for cloud identities
Consideration: Cloud identities and on-premises identities have the following password policy differences:
▪ As an administrator, you can configure the following for cloud identities:
  − Password expiration duration
  − Password expiry notification
  − Password never expires
▪ Azure AD manages the following aspects of the cloud identity password policy:
  − Length requirements
  − Complexity requirements
  − Password history (duration and how many previous passwords are allowed)
  − Account lockout
  Learn More: Password policy in Azure AD
▪ Azure AD lets you configure the password validity period and notification window using PowerShell. Learn More: Set-MsolPasswordPolicy

Item: User interface look and feel
Consideration: Before launching your cloud identity solution, it is important to determine branding and appreciate its effect on the user experience. Ideally, you want to provide branding for information workers and kiosk workers that resembles their on-premises login experience. Learn More: Add company branding to your sign-in and Access Panel pages

Organizational Security

Using Azure AD, IT administrators can more easily identify and mitigate security threats, address regulatory compliance requests, and meet the reporting requirements of business owners.

For a general discussion of security in the cloud, see the following articles:

▪ Azure AD Connect account privileges
▪ Azure AD Connect prerequisites
▪ URLs and ports used by Azure AD Connect
▪ Security considerations for password hash sync
▪ Security considerations for Azure Cloud
▪ Classic Metadirectory Walkthrough: Administering MIIS 2003 Infrastructure
▪ Azure AD Connect Health - Frequently Asked Questions (FAQ)


Mapping Azure AD Connect Roles to Identity Organization Teams

The following table maps Azure AD Connect roles to organizational team structure.

Azure AD Connect roles and recommended responsibilities

ADSyncAdmins
  Role: Full access to everything in the Sync Engine.
  Recommended responsibility: Identity Architecture / Development team

ADSyncOperators
  Role: Access to operations in the Sync Engine only. Members can run management agents, view synchronization statistics for each run, and save the run histories to a file.
  Recommended responsibility: On-premises Identity Operations team

ADSyncBrowse (password sync service only)
  Role: Permission to gather information about a user's lineage when resetting passwords, using Windows Management Instrumentation (WMI) queries.
  Recommended responsibility: On-premises Identity Operations team

ADSyncPasswordSet (password sync service only)
  Role: Permission to perform all operations using the WMI password management interfaces.
  Recommended responsibility: On-premises Identity Operations team

A member of ADSyncAdmins can change synchronization rules, and therefore what flows into Azure AD and, with write-back enabled, back into Active Directory. Treat the Azure AD Connect server and these groups as Tier 0 assets: keep membership small, use dedicated administrative accounts rather than day-to-day ones, and review the membership regularly.
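The following script, an added example for this guide rather than Microsoft's code, reconciles the four Sync Engine groups against the team mapping in the table above and flags anything that does not belong there, in particular privileged domain groups nested into a sync role. It assumes the default local groups created by the Azure AD Connect installer (if you chose domain groups at install time, query those instead) and uses placeholder principal names for the teams; the sync service account, which the installer legitimately places in ADSyncAdmins, is recognised by name pattern and not flagged.

```powershell
# Added example for this guide (not Microsoft's code). Run on the Azure AD Connect server.
$expected = @{
    'ADSyncAdmins'      = @('CORP\Identity-Architecture')   # assumption: your architecture/dev team group
    'ADSyncOperators'   = @('CORP\Identity-Operations')     # assumption: your operations team group
    'ADSyncBrowse'      = @('CORP\Identity-Operations')     # assumption
    'ADSyncPasswordSet' = @('CORP\Identity-Operations')     # assumption
}
# The installer adds the sync service account (AAD_<id> or the ADSyncMSA managed service
# account) to ADSyncAdmins; that membership is expected and not reported.
$serviceAccountPattern = '\\(AAD_\w+|ADSyncMSA\w*\$)$'
# Groups that should never be nested into a Tier 0 role
$highPrivilege = @('Domain Admins', 'Enterprise Admins', 'Administrators')

function Get-AdSyncRoleFindings {
    $results = foreach ($group in $expected.Keys) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $shortName = ($m.Name -split '\\')[-1]
            $status = if ($m.Name -in $expected[$group])             { 'expected' }
                      elseif ($m.Name -match $serviceAccountPattern) { 'service account' }
                      elseif ($highPrivilege -contains $shortName)   { 'EXCESSIVE: privileged group nested in sync role' }
                      elseif ($m.ObjectClass -eq 'Group')            { 'REVIEW: unexpected group' }
                      else                                           { 'REVIEW: unexpected principal' }
            [pscustomobject]@{
                Role   = $group
                Member = $m.Name
                Class  = $m.ObjectClass
                Source = $m.PrincipalSource
                Status = $status
            }
        }
    }
    $results
}

Get-AdSyncRoleFindings | Sort-Object Status, Role | Format-Table -AutoSize
```

Anything reported as EXCESSIVE or REVIEW is a deviation from the table above and should either be removed or added to the expected list with a documented reason; running the script on a schedule and diffing the output gives you the attestation evidence for these groups that the reporting section above mentions.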

Support for Privacy, Compliance, and Operations

Because the identity system controls access to many high-value business assets, the identity service should be considered a key security asset and a likely target for attack. Organizations need to implement appropriate controls to protect their sensitive data, whether this data is hosted on-premises or in the cloud. Learn more via the links provided:

Privacy
▪ Which attributes are sent to the cloud? Azure AD Connect sync: Attributes synchronized to Azure Active Directory
▪ How is privacy managed in the Azure cloud? Microsoft Trust Center - Privacy

Compliance
▪ What cloud certifications does Azure have? Microsoft Trust Center - Compliance
▪ What cloud certifications does Azure have for the retail industry? Microsoft Trust Center - PCI

Operations
▪ Operational guide for Azure AD Connect: Azure AD Connect sync: Operational tasks and considerations
▪ Azure AD Connect Health: Monitor your on-premises identity infrastructure and synchronization services in the cloud


Reference

For more information about Azure Active Directory, see https://azure.microsoft.com/en-gb/services/active-directory/
