Follow me on Twitter @AntonioMaio2

Tuesday, March 4, 2014

Notes from SPC14: Office 365 Identity Federation using Windows Azure and Windows Azure Active Directory

Tuesday March 4, 2014 9:00-10:15am
Speaker: Spencer Harbar
ITPro Session

  • Identity Management and the Cloud
  • Identity Federation for Office 365
  • Leveraging Windows Azure to accelerate directory synchronization

Identity Management and the Cloud
  • A SharePoint deployment means you are in the identity management business, whether you like it or not
  • Importance increases significantly with SharePoint 2013
    • User sign in, service interaction, virtually every investment area relies on profiles, App AuthZ, S2S, etc.
  • Key functional scenarios require a base level of identity federation
    • Hybrid, social
  • Office 365 increases this dependency on "plumbing"
  • Still a gap in how you deal with anonymous users - except for this, all key areas of SharePoint relies on profiles
  • Example: hybrid search scenario - the quality and relevance of search results will depend on the information available, including information user profiles 

  • There is no product better than SharePoint to expose the implications of weak identity management!
    • So, it's important - it exposes these weaknesses to end users via functionality available or not available to them, as opposed to IT operations
    • Office 365 amplifies that further - includes Exchange, Lync, etc… 

  • Advancing identity management initiatives within enterprises…
    • 10% technology, 90% everything else
    • Can be a big barrier to ramping up an Office 365 project within the enterprise
    • Primarily a political endeavor, not a technical one
      • Getting consensus, explaining to execs in non-technical terms, discussing pros/cons, etc.
    • No toolset from any vendor changes this - still new space, don't have all the tooling yet
    • IdM consulting skills a must have for successful implementation 

  • Example IdM Project Considerations…
    • Ownership: who owns which data? departmental controls, IS systems, organizational culture
    • Data Quality: is the data even there? is the data clean? is the data up to date?
    • System Quality: health of AD, too many forests or domains, line of business systems
      • Key decision when moving to Office 365: are we in a position to modify the AD topology (remove forests, re-organize)
    • Access Control: regulatory control, external data sources, authentication and authorization, SSL for sync
      • Microsoft will only allow federation with O365 over SSL, and rightly so 

  • These are the considerations that tend to cause project delays
  • It takes time for an organization to change in order to benefit from IdM initiatives - can be years
  • At MS change happens quickly so they may be used to this, but most organizations are not 

  • IdM and the cloud
    • Cloud deployment pushes identity considerations to the forefront
      • Commonly these issues are pushed off when working on-prem
    • Even simple scenarios simply don't work without it - for example federated search
    • Long term this is perhaps one of the best side benefits of cloud computing, especially for IT Pros or Infrastructure focused practitioners

Identity Federation for Office 365
  • Microsoft IdM Tooling
    • Microsoft is clear leader and innovator in identity federation and metadirectory tooling
      • Since 1999 - first commercial state based metadirectory
      • The implementation changes the core concepts and operations remain the same
    • Incredible pace of delivery with Windows Azure AD and related tooling
      • Examples: include the revisions in directory sync, support for complex scenarios as well as the core service offering
    • Remember: IdM tooling is only 10% of the battle 

  • Microsoft provides a fully documented connector that supports federated IdM to multi-forest environments
    • Understanding the concepts, and getting consensus and internal support is the other 90% 

  • Identity Options
    • Cloud Identity, Windows Azure AD
      • Appropriate for smaller orgs without AD on-prem
      • Pros: no servers requires on-prem
      • Cons: no SSO, no multi-factor authentication, 2 sets of creds to manage with differing password policies, IDs mastered in the cloud, No control over password policies
    • Cloud Identity and Directory Sync
      • Appropriate for medium/large orgs with AD on-prem
      • Pros: users and groups mastered on-prem, it enables coexistence scenarios
      • Cons: no SSO, no multi-factor authentication, 2 sets of creds to manage with differing password policies, single server deployment 

  • Federated Identity
    • Appropriate for larger enterprise orgs with AD on-prem
    • Pros: SSO with corp creds, IDs mastered on-prem, Password policies under your control, support for multi-factor authentication, could use FIM or your own identity manager
    • Cons: ??? 

  • Hidden Concepts
    • Anything other than cloud identity is a long term commitment to identity co-existence
      • Dir sync and federation the only sensible option really; implementation may change but core concepts remain
    • Journey to cloud requires more infrastructure on-prem
      • And potentially prep, clean-up activities on-prem 

  • Identity Federation
    • Will require ADFS 2 (both full and proxy deployment) and DirSync on-prem - Need 6 or 7 servers on-prem to enable this 

  • Example AD Considerations - Is AD in the right state to do identity federation?
    • Matching domains - internal domain and external domain are the same (ex.
      • Consideration: Nothing special
    • Sub-domain - internal domain is a subdomain of the external domain (ex.
      • Consideration: Requires domains to be registered in order, primary and then subdomains
    • Local domains - internal domain no publicly registered (ex. Contoso.local)
      • Consideration: Domain ownership can't be proved, must use different domain, requires all users to get new UPN, use SMTP address if possible
    • Multiple distinct UPN suffixes in single forest - mix users having login UPNs under different domains (ex. and
      • Consideration: AD FS QFE - to resolve this, requires new switch in windows PowerShell (SupportMutlipleDomain)
    • Multi-forest - multiple AD forest
      • Consideration: External FIM + guidance (guidance is good but its 180 pages) 

  • Other options
    • Office 365 Connector for FIM
    • Graph API
    • 'Works with Office 365 Identity' program
    • Simple options for identity management in Office 365 

Leveraging Windows Azure to accelerate directory synchronization
  • Windows Azure Active Directory Sync Tool (New name for 'dirsync')
  • Synchronizes on-prem AD users to O365
  • Traditionally deployed to a dedicated box on-prem 

  • Why deploy this to the cloud?
    • Reduce deployment time for O365 based services
    • Provide high availability for directory sync
    • Avoid barriers to deployment on-prem
    • Reduce on-prem server count 

  • Critical Considerations
    • Site to site VPN required
      • Could be RRAS, juniper, etc.
    • Windows Azure virtual network
      • Address space, routing tables, firewall rules
    • AD on-prem considerations remain 100% the same/valid
    • Still significantly less work and much faster than deploying directory sync from scratch to on-prem scenario
    • The change control aspects can be the real barriers when doing this for a real-world project

Solution Overview

Deployment Phases

Wrap Up
  • Identity Management and the Cloud
    • Cloud is driving identity management to the forefront
    • Microsoft the true leader in the cloud IdM space
  • Identity Federation for O365
    • Core concepts and options
  • Leveraging Windows Azure to accelerate directory sync
    • Deployment overview
  • Deploy Office 365 Direcotry Synchronization in Windows Azure

1 comment:

  1. IEEE Project Domain management in software engineering is distinct from traditional project deveopment in that software projects have a unique lifecycle process that requires multiple rounds of testing, updating, and faculty feedback. A IEEE Domain project Final Year Projects for CSE system development life cycle is essentially a phased project model that defines the organizational constraints of a large-scale systems project. The methods used in a IEEE DOmain Project systems development life cycle strategy Project Centers in India provide clearly defined phases of work to plan, design, test, deploy, and maintain information systems.

    This is enough for me. I want to write software that anyone can use, and virtually everyone who has an internet connected device with a screen can use apps written in JavaScript. JavaScript Training in Chennai JavaScript was used for little more than mouse hover animations and little calculations to make static websites feel more interactive. Let’s assume 90% of all websites using JavaScript use it in a trivial way. That still leaves 150 million substantial JavaScript Training in Chennai JavaScript applications.