Follow me on Twitter @AntonioMaio2

Tuesday, March 4, 2014

Notes from SPC14: Office 365 Identity Federation using Windows Azure and Windows Azure Active Directory

Tuesday March 4, 2014 9:00-10:15am
Speaker: Spencer Harbar
ITPro Session

  • Identity Management and the Cloud
  • Identity Federation for Office 365
  • Leveraging Windows Azure to accelerate directory synchronization

Identity Management and the Cloud
  • A SharePoint deployment means you are in the identity management business, whether you like it or not
  • Importance increases significantly with SharePoint 2013
    • User sign in, service interaction, virtually every investment area relies on profiles, App AuthZ, S2S, etc.
  • Key functional scenarios require a base level of identity federation
    • Hybrid, social
  • Office 365 increases this dependency on "plumbing"
  • Still a gap in how you deal with anonymous users - except for this, all key areas of SharePoint relies on profiles
  • Example: hybrid search scenario - the quality and relevance of search results will depend on the information available, including information user profiles 

  • There is no product better than SharePoint to expose the implications of weak identity management!
    • So, it's important - it exposes these weaknesses to end users via functionality available or not available to them, as opposed to IT operations
    • Office 365 amplifies that further - includes Exchange, Lync, etc… 

  • Advancing identity management initiatives within enterprises…
    • 10% technology, 90% everything else
    • Can be a big barrier to ramping up an Office 365 project within the enterprise
    • Primarily a political endeavor, not a technical one
      • Getting consensus, explaining to execs in non-technical terms, discussing pros/cons, etc.
    • No toolset from any vendor changes this - still new space, don't have all the tooling yet
    • IdM consulting skills a must have for successful implementation 

  • Example IdM Project Considerations…
    • Ownership: who owns which data? departmental controls, IS systems, organizational culture
    • Data Quality: is the data even there? is the data clean? is the data up to date?
    • System Quality: health of AD, too many forests or domains, line of business systems
      • Key decision when moving to Office 365: are we in a position to modify the AD topology (remove forests, re-organize)
    • Access Control: regulatory control, external data sources, authentication and authorization, SSL for sync
      • Microsoft will only allow federation with O365 over SSL, and rightly so 

  • These are the considerations that tend to cause project delays
  • It takes time for an organization to change in order to benefit from IdM initiatives - can be years
  • At MS change happens quickly so they may be used to this, but most organizations are not 

  • IdM and the cloud
    • Cloud deployment pushes identity considerations to the forefront
      • Commonly these issues are pushed off when working on-prem
    • Even simple scenarios simply don't work without it - for example federated search
    • Long term this is perhaps one of the best side benefits of cloud computing, especially for IT Pros or Infrastructure focused practitioners

Identity Federation for Office 365
  • Microsoft IdM Tooling
    • Microsoft is clear leader and innovator in identity federation and metadirectory tooling
      • Since 1999 - first commercial state based metadirectory
      • The implementation changes the core concepts and operations remain the same
    • Incredible pace of delivery with Windows Azure AD and related tooling
      • Examples: include the revisions in directory sync, support for complex scenarios as well as the core service offering
    • Remember: IdM tooling is only 10% of the battle 

  • Microsoft provides a fully documented connector that supports federated IdM to multi-forest environments
    • Understanding the concepts, and getting consensus and internal support is the other 90% 

  • Identity Options
    • Cloud Identity, Windows Azure AD
      • Appropriate for smaller orgs without AD on-prem
      • Pros: no servers requires on-prem
      • Cons: no SSO, no multi-factor authentication, 2 sets of creds to manage with differing password policies, IDs mastered in the cloud, No control over password policies
    • Cloud Identity and Directory Sync
      • Appropriate for medium/large orgs with AD on-prem
      • Pros: users and groups mastered on-prem, it enables coexistence scenarios
      • Cons: no SSO, no multi-factor authentication, 2 sets of creds to manage with differing password policies, single server deployment 

  • Federated Identity
    • Appropriate for larger enterprise orgs with AD on-prem
    • Pros: SSO with corp creds, IDs mastered on-prem, Password policies under your control, support for multi-factor authentication, could use FIM or your own identity manager
    • Cons: ??? 

  • Hidden Concepts
    • Anything other than cloud identity is a long term commitment to identity co-existence
      • Dir sync and federation the only sensible option really; implementation may change but core concepts remain
    • Journey to cloud requires more infrastructure on-prem
      • And potentially prep, clean-up activities on-prem 

  • Identity Federation
    • Will require ADFS 2 (both full and proxy deployment) and DirSync on-prem - Need 6 or 7 servers on-prem to enable this 

  • Example AD Considerations - Is AD in the right state to do identity federation?
    • Matching domains - internal domain and external domain are the same (ex.
      • Consideration: Nothing special
    • Sub-domain - internal domain is a subdomain of the external domain (ex.
      • Consideration: Requires domains to be registered in order, primary and then subdomains
    • Local domains - internal domain no publicly registered (ex. Contoso.local)
      • Consideration: Domain ownership can't be proved, must use different domain, requires all users to get new UPN, use SMTP address if possible
    • Multiple distinct UPN suffixes in single forest - mix users having login UPNs under different domains (ex. and
      • Consideration: AD FS QFE - to resolve this, requires new switch in windows PowerShell (SupportMutlipleDomain)
    • Multi-forest - multiple AD forest
      • Consideration: External FIM + guidance (guidance is good but its 180 pages) 

  • Other options
    • Office 365 Connector for FIM
    • Graph API
    • 'Works with Office 365 Identity' program
    • Simple options for identity management in Office 365 

Leveraging Windows Azure to accelerate directory synchronization
  • Windows Azure Active Directory Sync Tool (New name for 'dirsync')
  • Synchronizes on-prem AD users to O365
  • Traditionally deployed to a dedicated box on-prem 

  • Why deploy this to the cloud?
    • Reduce deployment time for O365 based services
    • Provide high availability for directory sync
    • Avoid barriers to deployment on-prem
    • Reduce on-prem server count 

  • Critical Considerations
    • Site to site VPN required
      • Could be RRAS, juniper, etc.
    • Windows Azure virtual network
      • Address space, routing tables, firewall rules
    • AD on-prem considerations remain 100% the same/valid
    • Still significantly less work and much faster than deploying directory sync from scratch to on-prem scenario
    • The change control aspects can be the real barriers when doing this for a real-world project

Solution Overview

Deployment Phases

Wrap Up
  • Identity Management and the Cloud
    • Cloud is driving identity management to the forefront
    • Microsoft the true leader in the cloud IdM space
  • Identity Federation for O365
    • Core concepts and options
  • Leveraging Windows Azure to accelerate directory sync
    • Deployment overview
  • Deploy Office 365 Direcotry Synchronization in Windows Azure

No comments:

Post a Comment