Microsoft O365 identity and authentication

Peter Ginnegar, Technical Solution Professional, Microsoft Corporation, [email protected]

Transcript of Microsoft O365 identity and authentication

Page 1: Microsoft O365 identity and authentication

Microsoft O365 identity and authentication

Peter Ginnegar, Technical Solution Professional, Microsoft Corporation

[email protected]

Page 2: Microsoft O365 identity and authentication

Topics

- Office 365 identity models
- Identity overview
- IdFix Tool (demo)
- O365 Directory Synchronization (demo)
- Active Directory Federation Services
- O365 Multifactor Authentication (demo)

Page 3: Microsoft O365 identity and authentication

O365 Active Directory

• What is O365 Active Directory?
- O365 uses Windows Azure Active Directory.

• What services are provided by Windows Azure Active Directory?
- Provides authentication, synchronization and federation services.
- An identity management system spanning the cloud and on-premises.

• What systems make up a typical O365 Active Directory?
- On-premises Active Directory servers and Windows Azure Active Directory.

Page 4: Microsoft O365 identity and authentication

Identity management

Page 5: Microsoft O365 identity and authentication

What is identity management?

“Identity management deals with identifying individuals in a system and controlling access to the resources in that system.”

Page 6: Microsoft O365 identity and authentication

What are the major components of identity management? Authentication – Verifying that a user, device, or application is the entity that it claims to be.

Authorization - Determining which actions an authenticated entity is authorized to perform on the network.

Page 7: Microsoft O365 identity and authentication

Office 365 identity models

Page 8: Microsoft O365 identity and authentication

Office 365 identity Models

Page 9: Microsoft O365 identity and authentication

Cloud identity model

Page 10: Microsoft O365 identity and authentication

Synchronized accounts identity model

Page 11: Microsoft O365 identity and authentication

Federated identity model

Page 12: Microsoft O365 identity and authentication

Federated identity model- multiple forests

Page 13: Microsoft O365 identity and authentication

Third party federated model

Page 15: Microsoft O365 identity and authentication

Federation Terms - SSO

What is SSO?

Single Sign On (SSO) is the ability of two separate providers to trust each other, such that a user who has logged on to the first does not need to log in again at the second.

Page 16: Microsoft O365 identity and authentication

Authentication types

Passive authentication – web based: SharePoint Online, Outlook Web Access. The browser is redirected to the federation server, signs in there and is sent back with a token.

Active authentication – Office 365 client services that use the Sign-In Assistant, including Lync, Office 365 ProPlus (Word, Excel, Visio, PowerPoint) and PowerShell access to O365. The client itself requests a token from the federation service.

Proxy authentication – required for Outlook and ActiveSync clients. The client sends its username and password to Exchange Online, which authenticates to the federation service on the user's behalf using WS-Trust or SAML ECP. The consequence worth noting: the user's credentials transit Exchange Online, and the federation service's WS-Trust endpoint must be reachable from the internet (normally through the AD FS proxy).

Page 17: Microsoft O365 identity and authentication

Federation protocols

WS-* – supported by AD FS and works with Office 365
- Passive authentication – WS-Federation
- Active authentication – WS-Trust
- Exchange Online uses WS-Trust

Shibboleth – an open source federation provider based on SAML
- Passive authentication only (web forms)
- Exchange Online supports SAML 2.0 and ECP

Page 18: Microsoft O365 identity and authentication

Federation Terms - WS-*

What is WS-Federation? WS-Federation is a protocol used for web browser based authentication.

What is WS-Trust? WS-Trust is a protocol used by Office rich client applications to authenticate (Sign-In Assistant).

Page 19: Microsoft O365 identity and authentication

Federation Terms - SAML

What is SAML? (Security Assertion Markup Language)

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information.

Developed by the Security Services Technical Committee of OASIS.
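To make the "authentication, entitlement and attribute information" concrete, here is an added example (not from the original deck) of what a relying party does with a SAML 2.0 assertion: pull out the NameID that Office 365 federation uses as the immutable ID and the IDPEmail attribute, and enforce the assertion's Conditions (validity window and AudienceRestriction) before trusting either. The assertion, issuer URL and NameID value are constructed for the example; the audience urn:federation:MicrosoftOnline is the identifier of the Office 365 relying-party trust. XML signature verification against the IdP's token-signing certificate is deliberately left out and is the first thing a real consumer must do.

```python
"""Minimal SAML 2.0 assertion consumer: extract the claims Office 365 federation
relies on (NameID as the immutable ID, IDPEmail) and enforce the assertion's
Conditions before trusting it.  XML-DSig verification against the IdP's
token-signing certificate is NOT implemented; a real relying party must do that
first.  For untrusted input use a hardened parser (e.g. defusedxml) instead of
the stdlib one.  The sample assertion below is constructed for this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Relying-party identifier of the Office 365 federation trust.
O365_AUDIENCE = "urn:federation:MicrosoftOnline"

# Constructed sample (hypothetical issuer, NameID and user).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0"
    IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>http://sts.contoso.example/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>u1xYz9QW7kqgNmW7V8cZ0Q==</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T11:59:00Z" NotOnOrAfter="2014-06-01T12:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(ValueError):
    pass


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_audience: str, now_iso: str) -> dict:
    """Return the claims carried by the assertion, or raise AssertionRejected."""
    now = _utc(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("root element is not a SAML 2.0 Assertion")
    # Presence check only; the signature must also be cryptographically verified.
    if root.find("ds:Signature", NS) is None:
        raise AssertionRejected("assertion is unsigned")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise AssertionRejected("Conditions with a validity window are required")
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML core 2.5.1).
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("assertion not addressed to this relying party")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no NameID (immutable ID) in Subject")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "immutable_id": name_id, "attributes": attributes}


def rejection_reason(xml_text: str, expected_audience: str, now_iso: str):
    """None if the assertion is acceptable at now_iso, otherwise the reason string."""
    try:
        validate_assertion(xml_text, expected_audience, now_iso)
        return None
    except AssertionRejected as exc:
        return str(exc)
```

The two checks that matter most in practice are the ones an attacker with a captured assertion would test: the validity window (a token replayed after NotOnOrAfter must fail) and the audience (an assertion issued for another relying party must not be accepted for Office 365).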

Page 20: Microsoft O365 identity and authentication

Directory Sync Tool or Active Directory Federation Services

Password Sync (Directory Sync Tool) and SSO with AD FS both give you:
- Same password to access on-premises and cloud resources
- Password policies controlled on-premises

SSO with AD FS additionally gives you:
- Support for two-factor authentication
- No password re-entry when on premises
- Client access filtering by IP or by time schedule
- Authentication occurs on-premises, so disabled accounts are blocked immediately
- Change password available from the web
- Works with Forefront Identity Manager

Page 21: Microsoft O365 identity and authentication

Identity Overview

Page 22: Microsoft O365 identity and authentication

Identities in Active Directory

Page 23: Microsoft O365 identity and authentication

IdFix Tool – Directory Remediation

Page 24: Microsoft O365 identity and authentication

Office 365 IdFix Tool

Provides the ability to identify and remediate object synchronization issues in preparation for O365:

- Users
- Groups
- Contacts

Page 25: Microsoft O365 identity and authentication

Office 365 IdFix Tool

Important attributes that are checked and updated by the IdFix Tool for O365 identity synchronization:

- displayName
- givenName
- mail
- mailNickname
- proxyAddresses
- targetAddress
- sn
- sAMAccountName
- userPrincipalName

Page 26: Microsoft O365 identity and authentication

Office 365 IdFix Tool

• Query user identities
• Identify attribute and issue
• Take action to correct
• Apply changes
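IdFix is a GUI tool, so the deck cannot show what its rules are. The following is an added example (not IdFix itself and not from the original deck) that applies the documented Office 365 directory-synchronization attribute rules to a constructed sample of three AD objects: UPN shape and character set, the 64/48-character UPN limits, the 20-character sAMAccountName limit, mailNickname constraints, a blank displayName, SMTP-address format, and duplicate values across the directory. The sample objects and DNs are invented; treating a ".local" UPN suffix as non-routable is this example's assumption about the commonest case.

```python
"""Sync-readiness checks in the spirit of IdFix, run over a constructed sample
of AD objects (not exported from any real directory).  Thresholds follow the
documented Office 365 attribute requirements for directory synchronization."""
import re

UPN_LOCAL_CHARS = re.compile(r"^[A-Za-z0-9'._!#^~-]+$")       # documented UPN character set
SMTP_ADDRESS = re.compile(r"^[A-Za-z0-9'._!#^~+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
NON_ROUTABLE = (".local",)                                     # assumption: the usual offender

# Constructed sample directory.  Alice is clean; Bob and the service account are not.
SAMPLE_OBJECTS = [
    {"dn": "CN=Alice Adams,OU=Staff,DC=contoso,DC=local",
     "displayName": "Alice Adams", "sAMAccountName": "aadams",
     "userPrincipalName": "alice.adams@contoso.com", "mail": "alice.adams@contoso.com",
     "mailNickname": "aadams", "proxyAddresses": ["SMTP:alice.adams@contoso.com"]},
    {"dn": "CN=Bob Brown,OU=Staff,DC=contoso,DC=local",
     "displayName": "Bob Brown", "sAMAccountName": "bbrown",
     "userPrincipalName": "bob brown@contoso.local",          # space + non-routable suffix
     "mail": "bob.brown@contoso.com", "mailNickname": ".bbrown",  # leading period
     "proxyAddresses": ["SMTP:bob.brown@contoso.com",
                        "smtp:alice.adams@contoso.com"]},      # collides with Alice
    {"dn": "CN=Reporting Service,OU=Service,DC=contoso,DC=local",
     "displayName": "", "sAMAccountName": "svc-reporting-longname01",  # blank name, 24 chars
     "userPrincipalName": "svc.reporting@contoso.com", "mailNickname": "svc.reporting"},
]


def find_sync_issues(objects):
    """Return (dn, attribute, problem) tuples for everything DirSync would reject."""
    issues = []
    owners = {}  # (attribute, lower-cased value) -> first dn that carried it

    def check_unique(dn, attr, value):
        owner = owners.setdefault((attr, value.lower()), dn)
        if owner != dn:
            issues.append((dn, attr, f"duplicate value {value!r}, also on {owner}"))

    for obj in objects:
        dn = obj["dn"]
        upn = obj.get("userPrincipalName", "")
        local, at, domain = upn.rpartition("@")
        if not at or not local or not domain:
            issues.append((dn, "userPrincipalName", "must be of the form user@domain"))
        else:
            if not UPN_LOCAL_CHARS.match(local):
                issues.append((dn, "userPrincipalName", "invalid characters before the @"))
            if local.endswith("."):
                issues.append((dn, "userPrincipalName", "may not end with a period"))
            if len(local) > 64 or len(domain) > 48:
                issues.append((dn, "userPrincipalName", "too long (max 64 before @, 48 after)"))
            if domain.lower().endswith(NON_ROUTABLE):
                issues.append((dn, "userPrincipalName", f"suffix {domain!r} is not internet-routable"))
            check_unique(dn, "userPrincipalName", upn)
        if len(obj.get("sAMAccountName", "")) > 20:
            issues.append((dn, "sAMAccountName", "longer than 20 characters"))
        nick = obj.get("mailNickname", "")
        if nick and (" " in nick or nick.startswith(".") or len(nick) > 64):
            issues.append((dn, "mailNickname", "no spaces, no leading period, max 64 characters"))
        if not obj.get("displayName"):
            issues.append((dn, "displayName", "blank"))
        mail = obj.get("mail", "")
        if mail:
            if not SMTP_ADDRESS.match(mail):
                issues.append((dn, "mail", "not a valid SMTP address"))
            check_unique(dn, "mail", mail)
        for entry in obj.get("proxyAddresses", []):
            prefix, _, address = entry.partition(":")
            if prefix.lower() != "smtp":
                continue  # X500:, SIP:, x400: entries are not validated here
            if not SMTP_ADDRESS.match(address):
                issues.append((dn, "proxyAddresses", f"{entry!r} is not a valid SMTP address"))
            check_unique(dn, "proxyAddresses", address)
    return issues


if __name__ == "__main__":
    for dn, attr, problem in find_sync_issues(SAMPLE_OBJECTS):
        print(f"{dn}\n    {attr}: {problem}")
```

Duplicates are the class that bites hardest in practice: a single proxyAddresses collision across two forests silently stops one of the two objects from ever reaching the cloud, which is why the check is directory-wide rather than per object.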

Page 27: Microsoft O365 identity and authentication

Office 365 Directory Synchronization

Page 28: Microsoft O365 identity and authentication

Office 365 Directory Synchronization components

- Windows Azure AD (O365 identities)
- On-premises Active Directory (local identities)
- Directory Synchronization Tool
- User account attributes
- User and group synchronization
- SourceAnchor, msDS-CloudAnchor (Windows Server 2012 R2)

Page 29: Microsoft O365 identity and authentication

Office 365 DirSync workflow

Authentication

Page 30: Microsoft O365 identity and authentication

O365 Synchronization results

- Accounts are still separate; O365 services are accessed using the cloud identity.
- Password sync is enabled: the password hash is synchronized in a double-hashed form (the on-premises hash is re-hashed before upload), so the original hash never leaves the forest.
- Not a true Single Sign On solution: the user enters the same password again at the cloud sign-in page.
- Can be used as a backup to a federated solution.

Page 31: Microsoft O365 identity and authentication

Windows Azure Active Directory Sync Tool

- Synchronizes on-premises Active Directory accounts to Windows Azure Active Directory.
- Synchronizes passwords (double hashed).
- Synchronization of accounts occurs every 3 hours.
- Can force a synchronization using a PowerShell command (Start-OnlineCoexistenceSync from the DirSync module).
- Uses a SQL Server Express database (10 GB size limit).

Page 32: Microsoft O365 identity and authentication

Azure AD Sync Services (Preview) is a new identity sync tool that provides customers with the ability to sync identity information from complex AD environments (e.g. multi-forest) and other identity directories.

http://go.microsoft.com/?linkid=9845645

Page 33: Microsoft O365 identity and authentication

Demo: IdFix tool, Office 365 DirSync Tool

Page 34: Microsoft O365 identity and authentication

Active Directory Federation

Page 35: Microsoft O365 identity and authentication

Active Directory Federation Services (AD FS) 2.x provides access to applications and other systems with an open and interoperable claims-based model.

The AD FS 2.x platform provides a Windows-based federation service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

Page 36: Microsoft O365 identity and authentication

Directory Federation

Web Application Proxy can use AD FS for pre-authentication.

Unauthenticated client requests are redirected to the AD FS server for authentication and authorization before the request is forwarded to the published web application.

Page 37: Microsoft O365 identity and authentication

O365 Active Directory Federated Service

Page 38: Microsoft O365 identity and authentication

ADFS and SSO with Online Services

Federated Trust

Page 39: Microsoft O365 identity and authentication

O365 Multifactor authentication

Page 40: Microsoft O365 identity and authentication

What is Multifactor Authentication? Multifactor authentication is an approach to authentication which requires the presentation of two or more authentication factors.

Two-factor authentication seeks to decrease the probability that the requester is presenting false evidence of its identity.

Page 41: Microsoft O365 identity and authentication

What components make up multifactor authentication? Two-factor authentication requires the use of two of the three authentication factor types: something you know (the password), something you have (a phone or token), something you are (a biometric). In O365 the second factor is delivered by one of:

- Phone call
- SMS text message (one-time passcode)
- Software token
- Hardware token

Page 42: Microsoft O365 identity and authentication

Multi-factor authentication using any Phone

Page 43: Microsoft O365 identity and authentication

O365 Multi-factor authentication administration

Page 44: Microsoft O365 identity and authentication

Office 365 User Setup for MFA

Page 45: Microsoft O365 identity and authentication

O365 App Password: Mobile Apps

- End user self service
- Each user can have up to 40 app passwords

Page 46: Microsoft O365 identity and authentication

O365 App Passwords for Rich Client Applications

• End user self service
• Each user can have up to 40 app passwords
• 16 characters, randomly generated, shown once

An app password lets a non-browser client sign in with that single secret and no second factor, so treat it as a credential in its own right: revoke it when the device it was issued for is retired or lost.

Page 47: Microsoft O365 identity and authentication

Multifactor Authentication for Office 365

Multifactor authentication features:

- Administrators can enable and enforce multifactor authentication for O365 users
- Use mobile app (online notification and offline OTP) as a second authentication factor
- Use phone call as a second authentication factor
- Use SMS as a second authentication factor
- App password for non-browser clients (e.g. Outlook and Lync)
- Default Microsoft greeting during authentication phone calls

O365 user setup
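The "software token" factor listed earlier and the offline OTP mode of the mobile app above are, in the OATH family that authenticator apps implement, RFC 4226 HOTP and RFC 6238 TOTP. This is an added example (not code from the deck or from Microsoft's MFA service) of both sides of that factor: the code generator the app runs, a verifier that tolerates one step of clock skew but refuses to accept a code twice, and the otpauth:// enrolment URI that ends up in the QR code. The secret is the RFC test-vector secret, so the outputs can be checked against the RFC appendix; the account and issuer names are invented.

```python
"""OATH one-time passcodes (RFC 4226 HOTP / RFC 6238 TOTP) as used by the offline
mode of authenticator apps, plus a verifier with skew tolerance and replay
defence.  The secret is the RFC reference secret, not a real seed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret (ASCII)
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the big-endian 8-byte counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_accepted_counter: int = -1,
                window: int = 1, digits: int = 6, step: int = STEP_SECONDS):
    """Accept `code` if it matches the current step or one within +/- `window`
    steps (clock skew), and only for a step newer than the last one this user
    already used (replay defence).  Returns the accepted counter, else None.
    The caller must persist the returned counter per user."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code at enrolment.
    The base32 secret is the sensitive part: show it once, over TLS, then discard."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period={STEP_SECONDS}")


if __name__ == "__main__":
    now = 1234567890
    code = totp(RFC_SECRET, now)
    print("code at T=%d: %s" % (now, code))
    print("accepted counter:", verify_totp(RFC_SECRET, code, now + STEP_SECONDS))
    print(provisioning_uri(RFC_SECRET, "alice@contoso.example", "Contoso"))
```

The replay check is the part most implementations forget: a 30-second code that has already been accepted is still valid for up to a minute under a one-step skew window, which is exactly the interval a phishing proxy needs to reuse it. Storing the last accepted counter closes that gap.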

Page 48: Microsoft O365 identity and authentication

MFA Demo

Page 51: Microsoft O365 identity and authentication

Thank You