Microsoft Business Productivity Online Standard Suite (BPOS) v.Next: Identity and Access Solutions

Page 1: Dan Kershaw Principal Program Manager Microsoft Corporation SESSION CODE: COS206

Microsoft Business Productivity Online Standard Suite (BPOS) v.Next: Identity and Access Solutions
Dan Kershaw, Principal Program Manager, Microsoft Corporation

SESSION CODE: COS206

Page 2

What we're going to cover

Overview of Microsoft Online Services

Current in-market identity and access solutions
• Microsoft Online identities
• Sign-in client
• Directory Synchronization

Future identity and access solutions
• New identity features
• Identity Federation

Page 3

Microsoft Online Services
Enterprise-class software delivered via subscription services hosted by Microsoft and sold with partners

Business Productivity Online Suite

Page 4

Finance benefits

Reduce both capital expenditure and operational expense
• No hardware build-out cost
• No more periodic server upgrade consulting projects
• Software offered as a pure subscription

Make your cost even and predictable
• Flat per-user, per-month fee
• No need to renew software and hardware purchases every few years
• Your price is protected for the duration of your contract

Buy what you need when you need it
• Avoid over-purchasing
• Scale as your business grows
• Get the right license for the right users with the deskless worker option

“Not having to pay up front is a significant benefit.”

Ariejan van Saane, General Manager, Procore

“As a businessman, I have to control capital costs and my operating budget. Microsoft Online Services is a fraction of the cost and a quantum leap forward in capability”

Jeff Staser, Founder, Staser Consulting Group

“If we need to support 150 people, we can get 150 people up and running in a matter of days.”

Jennifer Boyd, Administrative Manager, Staser Consulting Group

Page 5

Microsoft Online Services identities and authentication
• Managing organizational identities
• Sign-in experience

Demo

Page 6

Current identity architecture

1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync

[Diagram: Contoso customer premises (Active Directory, MS Online Directory Sync, sign-in client) connected to Microsoft Online Services (identity platform: provisioning platform, directory store, authentication platform/IdP, admin portal; services: Exchange Online, SharePoint Online, Communicator Online, Live Meeting)]

Page 7

Current identity options summary

1. Microsoft Online IDs: IDs are mastered in the service/cloud. Password policy is in the cloud.

2. Microsoft Online IDs + Directory Sync: IDs are mastered on premises and synchronized to the service/cloud in the form of Microsoft Online IDs. Password policy is in the cloud.

Directory synchronization to Microsoft Online Services
• Syncs Users, Groups and Contacts
• All users are synced as logon-disabled and deactivated users initially.

Page 8

Identity and access solutions: what the future looks like…

Page 9

Identity solution feedback for the current service
• No SSO with corporate credential
• Painful to manage separate corporate and cloud credentials
• Password policy is not configurable
• Role-based administration not possible
• Strong authentication (2FA) not available
• Platform provisioning APIs not available

Page 10

MS Online identity features roadmap
• Federated IDs
• Directory Synchronization updates
• Role-based administration: five admin roles (Company Admin, Billing Admin, User Account Admin, HelpDesk Admin, Service Support Admin)
• "Admin on behalf of" for support partners

Page 11

Authentication options: end user sign-in experience

Microsoft Online IDs
• Sign in with cloud identity
• Authentication happens in the cloud
• Users have two IDs: one to access on-premises services and one for cloud services
• Users prompted for creds

Federated IDs (New)
• Sign in with corporate ID
• Authentication happens on premises
• Users have a single credential to provide SSO to on-premises and cloud services
• Users get true SSO

Page 12

Authentication options: IT administrator considerations

Microsoft Online IDs
• Manages password policy in cloud & on-prem
• Password reset for on-prem & MS Online IDs
• No 2-factor auth integration

Federated IDs (New)
• Manages password policy on-premises only
• Password reset for on-premises IDs only
• 2-factor auth integration options
• Requires additional servers to enable identity federation

Because authentication happens on premises, the AD FS 2.0 servers sit in the sign-in path for every cloud service once a domain is federated: they need the same availability planning as the domain controllers behind them (see the farm and proxy deployment options later in this deck).

Page 13

Identity architecture: Federated IDs

1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync
3. Federated IDs + DirSync

[Diagram: Contoso customer premises (Active Directory, MS Online Directory Sync, sign-in client with sign-in assistant, Active Directory Federation Server 2.0) with a Trust relationship to the Federation Gateway in Microsoft Online Services (identity platform: provisioning platform, directory store, authentication platform/IdP, admin portal; services: Exchange Online, SharePoint Online, Communicator Online, Live Meeting)]

Page 14

Identity option summary

1. Microsoft Online IDs: IDs are mastered in the service/cloud. Password policy is in the cloud.

2. Microsoft Online IDs + Directory Sync: IDs are mastered on premises and synchronized to the service/cloud in the form of Microsoft Online IDs. Password policy is in the cloud.

3. Federated IDs + Directory Sync: IDs are mastered on premises and synchronized to the service in the form of Federated IDs. Password policy is controlled on premises, and because the user authenticates to the on-premises AD FS server, the corporate password is never sent to the cloud.

Page 15

Identity Federation: configuration and management

GOAL: Establish a trust relationship with Microsoft Online Services. This is accomplished via the MS Online Identity Federation Management tool. Configuring identity federation is a 2-step process:
1. Install and configure the AD FS 2.0 server
2. Run the tool to establish trust for a domain

[Diagram: Enterprise (Server Apps, AD FS 2.0, Active Directory) – Trust – Microsoft Online Services (Federation Gateway; Identity Platform with directory store and IdP; SharePoint Online; Exchange Online)]

Page 16

Identity federation
• Set up identity federation
• Seamless sign-in experience using a corporate credential

Demo

Page 17

Identity Federation: Microsoft Online Identity Management Tool

PowerShell cmdlets and UI tool. Tool functionality:
• Add a new identity federated domain
• Convert a standard domain to an identity federated domain
• Convert an identity federated domain back to a standard domain (converts users back to Microsoft Online IDs)
• Update the identity federated domain
• Get the identity federated domain properties
• Remove the identity federated domain

Page 18

Identity federation: Active Directory Federation Server 2.0 deployment options

1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)

A single AD FS 2.0 server is a single point of failure for cloud sign-in once a domain is federated; the farm keeps federated users signing in when one server is down, and the proxy in the DMZ serves users who are not on the corporate network.

[Diagram: internal user and Active Directory on the corporate network with two AD FS 2.0 Servers; an AD FS 2.0 Server Proxy in the enterprise DMZ]

Page 19

Identity Federation: authentication flow (passive profile)

[Diagram: customer side: Client (joined to CorpNet), AD FS 2.0 Server, Active Directory; Microsoft Online Services side: Federation Gateway, Exchange Online or SharePoint Online]

Page 20

Identity federation futures: what you need to know

Protocols supported
• WS-*, SAML 1.1 (SAML 1.1 here is the token format carried inside WS-Federation/WS-Trust messages; SAML 2.0 below is the separate sign-on protocol)
• SAML 2.0 (for EDUs) coming later (Shibboleth)
• AD FS 2.0 supports SAML 2.0

Microsoft Online Services requirements
• MS Online business scenarios always use WS-*
• WS-Trust provides support for rich client authentication

Strong authentication solutions for web applications: via the AD FS proxy sign-in page
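The diagram on page 19 names the participants in the passive-profile flow but not the messages, and page 20 says the business scenarios always use WS-*. The following is an added example, not code from this deck or from Microsoft, that models the WS-Federation passive requestor exchange between a CorpNet-joined client, the customer's AD FS 2.0 server and the Federation Gateway in Python. The gateway URL, the realm identifier, the domain names, the token layout (HMAC-signed JSON standing in for the signed SAML 1.1 assertion AD FS would issue) and the claim names are all assumptions made for the example. What it shows is the check the gateway has to make: the trust is selected from the UPN suffix, so a token from another tenant's IdP, a tampered token, or an expired one is rejected, and the user's password is only ever handled on premises.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Trusts recorded by the federation management tool, one per federated domain.
# Constructed data: the keys stand in for each tenant's AD FS token-signing certificate.
FEDERATED_DOMAINS = {
    "contoso.com": {"issuer": "http://adfs.contoso.com/adfs/services/trust",
                    "key": b"contoso-token-signing-key"},
    "fabrikam.com": {"issuer": "http://sts.fabrikam.com/adfs/services/trust",
                     "key": b"fabrikam-token-signing-key"},
}
GATEWAY_REALM = "urn:federation:MicrosoftOnline"              # assumed realm identifier
GATEWAY_LOGIN = "https://login.microsoftonline.com/login.srf"  # assumed gateway URL


def relying_party_redirect(requested_url):
    """Step 1: Exchange/SharePoint Online bounces an unauthenticated browser to the gateway."""
    return GATEWAY_LOGIN + "?" + urlencode(
        {"wa": "wsignin1.0", "wtrealm": GATEWAY_REALM, "wctx": requested_url})


def parse_signin_request(url):
    """Gateway side of step 1: pull the WS-Federation parameters off the query string."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if params.get("wa") != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in request")
    return params


def home_realm_discovery(upn):
    """Step 2: route by UPN suffix. Federated domain -> issuer URI; standard domain -> None
    (a Microsoft Online ID, whose credentials the gateway collects itself)."""
    trust = FEDERATED_DOMAINS.get(upn.rsplit("@", 1)[1].lower())
    return trust["issuer"] if trust else None


def adfs_issue_token(domain, upn, object_guid, lifetime=3600):
    """Step 3: AD FS 2.0 authenticates the user against on-premises AD (Kerberos for a
    CorpNet-joined client) and signs a token. The password never leaves the premises."""
    trust = FEDERATED_DOMAINS[domain]
    claims = {"iss": trust["issuer"], "aud": GATEWAY_REALM, "upn": upn,
              "ImmutableID": object_guid, "exp": int(time.time()) + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(trust["key"], body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


def gateway_validate(wresult):
    """Step 4: the gateway checks the POSTed wresult before minting its own session.
    The trust is looked up from the UPN's domain, so a token signed by one tenant's
    AD FS can never vouch for a user in another tenant's domain."""
    body_b64, sig_b64 = wresult.split(".", 1)
    body = base64.b64decode(body_b64)
    claims = json.loads(body)
    domain = claims["upn"].rsplit("@", 1)[1].lower()
    trust = FEDERATED_DOMAINS.get(domain)
    if trust is None or claims["iss"] != trust["issuer"]:
        raise ValueError("issuer is not the IdP trusted for " + domain)
    expected = hmac.new(trust["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        raise ValueError("signature does not verify")
    if claims["aud"] != GATEWAY_REALM:
        raise ValueError("token was issued for a different audience")
    if claims["exp"] < time.time():
        raise ValueError("token has expired")
    return claims


def is_accepted(wresult):
    """True if the gateway would accept the token, False for any rejection reason."""
    try:
        gateway_validate(wresult)
        return True
    except (ValueError, KeyError):
        return False


def rewrite_claim(wresult, name, value):
    """Edit a claim without re-signing: what someone without the signing key can do."""
    body_b64, sig_b64 = wresult.split(".", 1)
    claims = json.loads(base64.b64decode(body_b64))
    claims[name] = value
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(body).decode() + "." + sig_b64


def passive_signin(upn, requested_url, object_guid="11111111-2222-3333-4444-555555555555"):
    """The whole flow for one user; returns the accepted claims, or None for a cloud ID."""
    params = parse_signin_request(relying_party_redirect(requested_url))
    if home_realm_discovery(upn) is None:
        return None
    domain = upn.rsplit("@", 1)[1].lower()
    wresult = adfs_issue_token(domain, upn, object_guid)  # browser was redirected to AD FS
    claims = gateway_validate(wresult)                    # browser POSTs wresult to the gateway
    claims["wctx"] = params["wctx"]                       # send the user back where they started
    return claims
```

The domain-to-trust lookup in `gateway_validate` is the part worth copying into any multi-tenant relying party: verifying a signature is not enough, the signer also has to be the issuer registered for the domain the token makes claims about. The real gateway does this with X.509 signatures over SAML assertions rather than an HMAC over JSON, but the decision logic is the same.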

Page 21

Related Content

Breakout Sessions
• SIA326: Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• COS204: Microsoft Business Productivity Online Standard Suite (BPOS) v.Next: Administration Automation Using Windows PowerShell

Interactive Sessions
• COS12-INT: Microsoft Online Services (BPOS) Futures: ID and Access Solutions Drilldown
• SIA01-INT: Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0

Product Demo Stations (demo station title and location)
• TLC-70: TLC Yellow: Business Productivity Online Suite (BPOS)

Page 22

Track Resources
• Read more about Microsoft Online Services – www.microsoft.com/online
• Sign up for a 30-Day Trial of the Business Productivity Online Suite: https://mocp.microsoftonline.com (use promo code TENA2010)

Continue the conversation
• Microsoft Online Services Team Blog – http://blogs.technet.com/msonline
• Facebook Fan Page – http://www.facebook.com/MicrosoftOnlineServices
• YouTube Channel – http://www.youtube.com/user/msonlineservices
• Twitter – http://twitter.com/msonline

Page 23

Resources
• Sessions On-Demand & Community – www.microsoft.com/teched
• Microsoft Certification & Training Resources (Learning) – www.microsoft.com/learning
• Resources for IT Professionals – http://microsoft.com/technet
• Resources for Developers – http://microsoft.com/msdn

Page 24

Complete an evaluation on CommNet and enter to win!

Page 25

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration.
Join us in Atlanta next year.

Page 26

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 27

Directory Sync: coexistence overview

Core coexistence features supported
• Full shared GAL
• Rich messaging (full format)
• Meeting requests

Top innovations
• Works over the internet
• Optimized for midmarket
• Appliance-like setup
• 'Try before you buy'

Page 28

Directory Sync: what objects get sync'd?

Directory synchronization to MSO
• Syncs Users, Groups and Contacts
• All users are synced as logon-disabled and deactivated users initially.

Considers customer as source of authority
• Identities mastered on-premises. Mail properties and UPN are mastered in MSO once licensed.
• No changes made to on-premises identities.
• Groups are synced as Groups; on-premises mail-enabled security groups are synced as distribution groups.
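As an added example (not the deck's or the product's code), the sync rules on this page written out as a one-way sync pass in Python: users arrive logon-disabled and deactivated, the customer is the source of authority except for UPN and mail properties on licensed users, on-premises objects are never modified, and mail-enabled security groups become distribution groups. The object model, the use of the object GUID as the anchor, the activation step, and the treatment of security groups that are not mail-enabled (skipped, inferred from page 29 listing security-group sync as a future feature) are assumptions of the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)   # frozen: the sync reads on-premises objects and never writes them
class OnPremObject:
    kind: str                     # "user", "group" or "contact"
    object_guid: str              # assumed anchor tying the on-prem and cloud copies together
    display_name: str
    upn: Optional[str] = None
    mail: Optional[str] = None
    security_group: bool = False  # only meaningful when kind == "group"


@dataclass
class CloudObject:
    kind: str
    source_anchor: str
    display_name: str
    upn: Optional[str]
    mail: Optional[str]
    logon_enabled: bool = False   # synced users arrive logon-disabled ...
    activated: bool = False       # ... and deactivated until an admin acts on them
    licensed: bool = False


def project(obj: OnPremObject) -> Optional[CloudObject]:
    """Map one on-premises object to its cloud shape; None means it is not synced."""
    if obj.kind == "user":
        return CloudObject("user", obj.object_guid, obj.display_name, obj.upn, obj.mail)
    if obj.kind == "contact":
        return CloudObject("contact", obj.object_guid, obj.display_name, None, obj.mail)
    if obj.kind == "group":
        if obj.security_group and obj.mail is None:
            return None   # assumption: plain security groups are not synced yet (page 29)
        # mail-enabled security groups and distribution groups both land as distribution groups
        return CloudObject("distribution_group", obj.object_guid, obj.display_name, None, obj.mail)
    raise ValueError("unknown object kind: " + obj.kind)


def sync(on_prem: List[OnPremObject], cloud: Dict[str, CloudObject]) -> Dict[str, CloudObject]:
    """One one-way sync pass. Returns a new cloud directory keyed by source anchor."""
    result = dict(cloud)
    for obj in on_prem:
        projected = project(obj)
        if projected is None:
            continue
        existing = result.get(obj.object_guid)
        if existing is None:
            result[obj.object_guid] = projected   # new object: disabled, deactivated, unlicensed
            continue
        # customer is the source of authority: on-premises attributes overwrite the cloud copy,
        # while cloud-side state (enablement, activation, licence) is kept ...
        merged = replace(projected, logon_enabled=existing.logon_enabled,
                         activated=existing.activated, licensed=existing.licensed)
        # ... and once the user is licensed, UPN and mail properties are mastered in MSO
        if existing.licensed:
            merged = replace(merged, upn=existing.upn, mail=existing.mail)
        result[obj.object_guid] = merged
    return result


def activate_user(cloud: Dict[str, CloudObject], anchor: str) -> None:
    """Assumed admin step: licensing a synced user activates it and enables logon."""
    cloud[anchor] = replace(cloud[anchor], licensed=True, activated=True, logon_enabled=True)
```

Two consequences of these rules are worth knowing before the first sync: a user who is renamed on premises after being licensed keeps the cloud UPN until an admin changes it in MSO, and a mail-enabled security group loses its security semantics in the cloud, so it cannot be used there for access control the way it is on premises.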

Page 29

MS Online Directory Sync and coexistence: future features

Identity coexistence, where identities are mastered on-premises
• Conference rooms synced as conference rooms
• Supports Identity Federation
• Syncs Security Groups
• Syncs additional on-premises data (e.g. photos), enabling a richer experience

Optional features
• Free/busy coexistence (with an Exchange 2010 CAS server on premises)
• Supports additional rich coexistence with Exchange 2010 (Cloud Archive, Filtering Coexistence, and Delegation)

Page 30

JUNE 7-10, 2010 | NEW ORLEANS, LA