AWARD WINNING EXCHANGE & OFFICE 365 MANAGEMENT Identity and Authentication Management for Office 365

Identity and Authentication Management for Office 365


Page 1: Identity and Authentication Management for Office 365


Identity and Authentication Management for Office 365

Page 2

About ENow

• Microsoft Silver ISV & Messaging Microsoft Partner

• Focused on building software solutions that simplify the life of IT administrators

• Software architected by MVPs with >15 years experience in high-end Microsoft consulting and management

• Customers in over 60 countries

Some of ENow’s Loyal Customers

Find us! @enowconsulting | ENow Software | ENowSoftware | ENowSoftware.com

Page 3

IDENTITY MANAGEMENT OVER THE HORIZON: WHAT’S NEW AND WHAT’S NEXT

By CTO Paul Robichaux

Page 4

About the speaker – Nathan O’Bryan

• MVP: Office Servers and Services

• MCSM: Messaging

• Consultant @ SPS/ExtraTeam – spscom.com / ExtraTeam.com

• @MCSMLab – http://www.mcsmlab.com

Page 5

Ask & Win!

• Please save your questions for the end of the presentation.

• We will be giving away two “Office 365 for Exchange Professionals” e-books for our favorite questions!

Page 6

Introduction

• In order to make Office 365 a viable option for as many organizations as possible, Microsoft has built a lot of flexibility into their identity management platform

• Options cause complexity

• Today I am going to clearly explain your options for identity and authentication management

• Office 365 moves fast

Page 7

Why deploy ADFS?

• Provides “SSO”

• Control account policies

• Multi-factor authentication*

• Claims rules

• Sign in auditing / immediate disable

• Authentication authority for other applications

Page 8

“Single Sign on”

• Web client: domain joined on internal network does not need password; Windows 10 Azure AD joined PC gets single sign on (AD FS not required)

• Rich client: actual Single Sign on

• Outlook (basic proxy auth): no SSO

Page 9

ADFS 3.0 – New features

• No longer dependent on IIS

• Responsive design for multiple form factors

• Support for changing passwords*

• Login page customization

Page 10

AD FS vNext new features

• Authenticate users from non-AD directories (LDAP, SQL)

• Access Control Policies

• Improved update process

• Improved logging/auditing

Page 11

Alternate login IDs

• If you cannot use UPN

• Assign another attribute as the login ID

1. Update attribute flow in DirSync

2. Install KB2919355 on ADFS 3.0

3. Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID <attribute you have chosen> -LookupForests <forest list>

4. Update first claims rule

Not supported for Exchange Hybrid
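As an added example that is not part of the deck, the following PowerShell applies step 3 and first checks the two conditions that make an alternate login ID safe to turn on: the chosen attribute must be populated for every user who signs in, and unique across the lookup forests, otherwise sign-in fails or the lookup is ambiguous. The attribute name mail and the forest contoso.com are assumptions.

```powershell
# Added example (not from the slides). Run on an ADFS 3.0 server after KB2919355 is installed.
# Assumptions: 'mail' is the chosen attribute and contoso.com is the only lookup forest.
Import-Module ADFS
Import-Module ActiveDirectory

$attribute = "mail"
$forests   = @("contoso.com")

# Pre-flight: an empty attribute means that user cannot sign in with the alternate ID,
# and a duplicate value makes the lookup ambiguous, so check both before switching.
$users   = Get-ADUser -Filter * -Properties $attribute
$missing = $users | Where-Object { -not $_.$attribute }
$dupes   = $users | Where-Object { $_.$attribute } |
           Group-Object -Property $attribute | Where-Object { $_.Count -gt 1 }

if ($missing) { "Users without $attribute :"; $missing | Select-Object -ExpandProperty SamAccountName }
if ($dupes)   { "Duplicate $attribute values:"; $dupes | Select-Object Name, Count }
if ($missing -or $dupes) { throw "Fix the attribute data before enabling the alternate login ID." }

# Step 3 from the slide, applied to the Active Directory claims provider trust.
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
    -AlternateLoginID $attribute -LookupForests $forests

# Read the setting back to confirm what the farm now uses for lookups.
Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" |
    Select-Object Name, AlternateLoginID, LookupForests
```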

Page 12

Multi-factor authentication

• Can be done with ADFS via 3rd party integration

• Built-in to all Office 365 enterprise tenants

• ADFS 3.0 supports Workplace Join feature

• Outlook does not support Multi-factor authentication*

Page 13

Modern Authentication

• Allows multi-factor authentication to work for Outlook 2016

• Can be enabled for Outlook 2013 SP1

• Multi-factor authentication (MFA) for Office 2013 client applications

• SAML-based third-party identity provider sign in

• Smart card and certificate-based authentication

• Outlook no longer requires the basic authentication protocol

Page 14

ADFS proxy / Windows Application Proxy

• Proxy in DMZ

• Proxy provides FBA login, ADFS provides integrated login

• Web.config file to modify local authentication type

• Some HLBs can replace functionality of ADFS proxy

• WAP replaces ADFS proxy for ADFS 3.0

• WAP also replaces some TMG functionality

Page 15

Sizing and securing ADFS

• ADFS capacity planning worksheet

• Consider SQL and HA options

Security Configuration Wizard (SCW)

• ADFS setup creates role extension files for SCW security policies

• Register the appropriate role extension file using the Scwcmd command-line tool

Page 16

High availability options for ADFS

• 4 servers (2 ADFS + 2 ADFS proxy/WAP) + 2 HLB

• HLB + 2 ADFS servers

• ADFS uses Windows Internal Database by default

• SQL Standard

• SQL Enterprise replication for multi-site HA

Page 17

Virtualizing ADFS

• Hosted in your own virtual environment

• Hosted in 1st or 3rd party: requires a DC in the hosted environment

• Azure requires availability sets for SLA

Page 18

Claims

• Statements made about users and understood by both partners in ID federation that are used for authorization purposes

Claims rules

• Can allow complex authentication scenarios

• Claims processing processes all rules; the last matching rule applies

• Claims rules can be used to control client, or location

Page 19

Troubleshooting ADFS

• Verify metadata endpoints are available:

  https://hostname/adfs/services/trust/mex

  https://hostname/FederationMetadata/2007-06/FederationMetadata.xml

• Confirm service account SPN: setspn -l contoso\adfssrvuser

• Verify certificate: intermediate and root chains; certificate valid

• Event Viewer Debug log

• Check troubleshooting guide
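The checks on this slide, as an added PowerShell example that is not from the deck: it probes both metadata endpoints, pulls the service SSL certificate and builds its chain locally, and lists the service account SPNs. The federation service name sts.contoso.com and the account contoso\adfssrvuser are placeholders.

```powershell
# Added example (not from the slides): run from any management host that can reach the service.
# Placeholders: federation service name and ADFS service account.
$FsName  = "sts.contoso.com"
$SvcUser = "contoso\adfssrvuser"

# 1. Both metadata endpoints must answer with HTTP 200; anything else points at the farm,
#    the proxy publishing, or DNS.
$endpoints = @(
    "https://$FsName/adfs/services/trust/mex",
    "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
)
foreach ($url in $endpoints) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "{0} {1}" -f $r.StatusCode, $url
    } catch {
        "FAIL {0} : {1}" -f $url, $_.Exception.Message
    }
}

# 2. Fetch the SSL certificate and build its chain with the local trust store. The callback
#    accepts any certificate only so that a broken chain can be inspected instead of hidden.
$tcp = New-Object System.Net.Sockets.TcpClient($FsName, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($FsName)
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $now     = Get-Date
    "Subject      : $($cert.Subject)"
    "Valid window : $($cert.NotBefore) to $($cert.NotAfter) (valid now: $($cert.NotBefore -le $now -and $cert.NotAfter -gt $now))"
    "Chain builds : $chainOk"
    if (-not $chainOk) {
        # Missing intermediates show up here as PartialChain / UntrustedRoot.
        $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. The HTTP SPN for the service name must be registered on the service account, and only there.
setspn -l $SvcUser
```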

Page 20

Recovering from ADFS failure

• Convert-MsolDomainToStandard

• Rebuild ADFS server(s) and Update-MsolFederatedDomain

Page 21

Directory Synchronization Tools

• Azure Active Directory Connect: default choice; high resource requirements

• DirSync: old default; should be upgraded if possible

• Microsoft Identity Manager: new version of FIM; no charge for the server, CALs available via Azure AD Premium license

Page 22

AAD Connect Overview

• Lite version of Microsoft Identity Manager

AAD Connect features

• “4 Click setup”

• Full shared GAL

• Syncs security groups

• Syncs on-premises photos

• Proxies for mail-enabled users and contacts are retained

• Free/Busy coexistence

• Can configure AD FS

Page 23

Why deploy AAD Connect?

• Required for hybrid and staged deployments

• Required for ID federation

Page 24

Sync process

1. Pull all objects from the on-premises environment into the metaverse

2. Pull all objects from the cloud into the metaverse and match objects via source anchor (objectGUID, base64 encoded)

3. Write objects to the cloud

4. (optional) Write objects to AD

Page 25

Filtering AAD Connect

• Originally not supported because there was no soft delete functionality in Exchange Online

• Moving an account from an in-scope OU to an out-of-scope OU will cause that account to be “deleted” as far as DirSync is concerned

• Can be filtered by OU or AD attribute

Page 26

How does it create the right objects?

• MSExchRecipientType

• 17 recipient types (Exchange 2013)

Page 27

Installing AAD Connect

• Click next… “4 click setup”

• Required permissions

• Keeping up with new versions

• Forcing a manual sync

Page 28

After installing AAD Connect

• Can I still create users on the portal? Sort of, but remember MsExchRecipientType

• Does running sync assign licenses? No. Use PowerShell:

  # Set-MsolUser writes nothing to the pipeline, so each user is handled in a loop
  # rather than piped from one Set-* cmdlet into the next. Tenant:AccountSku is the SKU placeholder.
  Get-MsolUser -UnlicensedUsersOnly -All | ForEach-Object {
      Set-MsolUser -ObjectId $_.ObjectId -UsageLocation US
      Set-MsolUserLicense -ObjectId $_.ObjectId -AddLicenses "Tenant:AccountSku"
  }

Page 29

What will sync and will not sync?

Will sync

• All users

• Mail-enabled contacts

• Mail-enabled groups

• …and sometimes passwords

Will not sync

• Built-in admin accounts

• Built-in admin groups

• Mail-enabled Public Folders

• Default AD admin groups

• Default Exchange admin groups

• Exchange system mailbox accounts

• Contact objects ending with MSOL

• Default FIM filters

Page 30

Password Sync

• “Same sign-on” vs “Single sign-on”

• Double hashed passwords are copied to WAAD

• AAD passwords may not expire

• Password Sync process occurs every 2 minutes

Page 31

Password write back

• Requires Azure Active Directory Premium

• Supports resetting passwords for users using AD FS or other federation technologies

• Supports resetting passwords for users using password sync

• Enforces your on-premises AD password policies

• Doesn’t require any inbound firewall rules

Page 32

Password Sync as a backup to ADFS

• Deploy ADFS and AAD Connect as normal, but turn on password sync

• Takes up to 2 hours to switch domain from Federated to Standard

• Alternately: Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed

• Different namespaces within the same tenant can use ADFS or Password Sync
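The fail-over on this slide and the recovery on page 20, as one added PowerShell helper that is not from the deck. It assumes the MSOnline module, a Global Admin session, password sync already enabled in AAD Connect, contoso.com as a placeholder domain, and that the fail-back branch runs on the rebuilt ADFS server so the farm context is available.

```powershell
# Added example (not from the slides): fail one namespace over to password sync while
# ADFS is down, and re-federate it once the farm is rebuilt.
param(
    [string]$DomainName = "contoso.com",   # placeholder
    [switch]$FailBack
)
Connect-MsolService
$domain = Get-MsolDomain -DomainName $DomainName
"$DomainName is currently: $($domain.Authentication)"

if (-not $FailBack) {
    if ($domain.Authentication -ne "Federated") { throw "$DomainName is not federated; nothing to do." }
    # The slide's fast path: the domain becomes Managed without converting each user object,
    # and users authenticate against the hashes that password sync has already copied.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
} else {
    if ($domain.Authentication -ne "Managed") { throw "$DomainName is not managed; nothing to do." }
    # Convert-MsolDomainToFederated re-federates a managed domain against the local farm.
    # Update-MsolFederatedDomain (named on page 20) refreshes a domain that is still federated,
    # for example after the token-signing certificate changes.
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# Read the state back rather than trusting the cmdlet's silence; clients may still hold
# tokens issued under the previous setting until they expire.
Start-Sleep -Seconds 10
"$DomainName is now: $((Get-MsolDomain -DomainName $DomainName).Authentication)"
```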

Page 33

Troubleshooting Sync

• IDFix

• Azure AD Connect Health for sync

• Accidental deletion protection

• Can’t do initial sync: verify accepted domain; verify users’ UPN (or other source anchor)

• Force sync

• MIISClient
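The source anchor check from this slide, and the base64-encoded objectGUID matching described on page 24, as an added PowerShell example that is not from the deck. It assumes objectGUID is the source anchor (the AAD Connect default), the ActiveDirectory and MSOnline modules with a connected MSOnline session, and jdoe as a placeholder account.

```powershell
# Added example (not from the slides): derive the ImmutableId AAD Connect writes for an
# on-premises user and compare it with what Azure AD holds for the same UPN.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AAD Connect stores the raw 16 GUID bytes, base64 encoded, as the cloud ImmutableId.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse of the above: tells you which on-premises GUID a cloud object is anchored to.
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

$sam    = "jdoe"   # placeholder on-premises account
$adUser = Get-ADUser -Identity $sam -Properties objectGUID, userPrincipalName
$expected = Get-ExpectedImmutableId -ObjectGuid $adUser.ObjectGUID

$cloud = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue
if (-not $cloud) {
    # Slide: verify the accepted domain and the UPN suffix before anything else.
    "No cloud user for $($adUser.UserPrincipalName): check the accepted domain and UPN suffix."
} elseif ($cloud.ImmutableId -ne $expected) {
    # A mismatch means the cloud object is anchored to a different (often re-created) AD object.
    "Source anchor mismatch: cloud has $($cloud.ImmutableId), on-premises objectGUID is $($adUser.ObjectGUID)."
    "Cloud anchor decodes to GUID $(ConvertFrom-ImmutableId $cloud.ImmutableId)"
} else {
    "OK: $sam matches cloud object $($cloud.ObjectId) via source anchor $expected"
}
```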

Page 34

Summary

• Active Directory Federation Services

• Azure Active Directory Connect

Questions?

Page 35

Q&A

Page 36

Thank You

www.enowsoftware.com