Mod 3: Office 365 DirSync, Single Sign-On & ADFS

(1)

Office 365 for SMB Jump Start

Mod 3: Office 365 DirSync,

Single Sign-On & ADFS

(2)

Published: 9/10/2012

Office 365 for SMB Jump Start

Day 1

Administering Office 365

Administering Exchange Online

Day 2

Office 365 Overview & Infrastructure

Exchange Online Deployment & Migration

Office 365 User Management

Exchange Online FOPE

Office 365 DirSync, Single Sign-On & ADFS

Exchange Online Archiving & Compliance

MEAL BREAK

Administering Lync Online

Administering SharePoint Online

Exchange Online Overview & User Management

(3)

Module 3: Office 365 DirSync,

Single Sign-On & ADFS

Reviewing Identities

Understanding DirSync

DirSync Requirements

(4)

Published: 9/10/2012

Office 365 for SMB Jump Start

Cloud Identity

• Separate credential from

corporate credential

• Authentication occurs via cloud

directory service

• Password policy stored in

Office 365

Federated Identity

• Same credential as corporate

credential

• Authentication occurs via

on-premises Active Directory

service

• Password policy is stored

on-premises

• Requires Directory

Synchronization

(5)

Cloud Identity

Cloud Identity +

_DirSync

Federated Identity*

Scenario

• Smaller organizations

without on-premises Active

• Medium to Large organizations

with Active Directory

on-premises

• Large enterprise organizations

with Active Directory on-premises

• Requires DirSync

Pros

• Does not require

on-premises server

deployment

• “Source of Authority” is

on-premises

• Enables coexistence

• Single Sign-On experience

• “Source of Authority” is

on-premises

• 2 Factor Authentication options

• Enables coexistence

Cons

• No Single Sign-On

• No 2 Factor Authentication

options

• 2 sets of credentials to

manage with, potentially,

different password policies

• No Single Sign-On

• No 2 Factor Authentication

options

• 2 sets of credentials to manage

with, potentially, different

password policies

• Requires on-premises server

deployment in high availability

scenario

(6)

Published: 9/10/2012

Office 365 for SMB Jump Start

Module 3: Office 365 DirSync,

Single Sign-On & ADFS

Reviewing Identities

Understanding DirSync

DirSync Requirements

(7)

• Application that synchronizes on-premises Active

Directory with Office 365

• x64 version based on FIM

‒

Previous x86 versions based upon ILM 2007

• Bundled with SQL 2008 R2 Express Edition

• Designed as an “appliance”

‒

“Set it and forget it”

(8)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Provisions objects in Office 365 with same email

addresses as the objects in the on-premises environment

• Provides unified Global Address List experience between

on-premises and Office 365

‒

Objects hidden from GAL on-premises also hidden from Office 365

GAL

• Enables mail routing between on-premises and Office 365

with a shared domain namespace

• Enables application coexistence for Microsoft Lync

• Enables Exchange coexistence scenarios

‒

simple and hybrid scenarios

(9)

• Enables “run state” administration and management of

users, groups, and contacts

‒

Synchronizes adds/deletes/modifications of users, groups, and

contacts from on-premise to Office 365

• Not intended as a single use bulk upload tool

(10)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Entire Active Directory forest scoped for synchronization

• What is synchronized?

‒

All user objects

‒

All group objects

‒

Mail-enabled contact objects

‒

Passwords are not synchronized

‒

Synchronization is from on-premises to Office 365 only (unless

“write-back” is enabled)

• Synchronization occurs every 3 hours

‒

Use “Start-OnlineCoexistenceSync” cmdlet to force a sync

(11)

• Mail-enabled/mailbox-enabled users are synchronized

as mail-enabled users (not mailbox-enabled users)

‒

Visible in the Office 365 GAL (unless explicitly hidden from GAL)

‒

Logon enabled, but not automatically licensed to use services

‒

Target address is synchronized for mail-enabled users

• Regular NT users are synchronized as regular NT users

‒

Not automatically provisioned as mail-enabled in Office 365

• Resource mailboxes are synchronized as resource

mailboxes

• Synchronized users are not automatically assigned a

license

(12)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Group Objects

‒

Mail-enabled groups are synchronized as mail-enabled

‒

Group memberships are synchronized

‒

Security groups are synchronized as security groups

• Contacts Objects

‒

Only mail-enabled contacts are synchronized

‒

Target address is synchronized to Office 365

(13)

• New user, group, and contact objects that are added to

on-premises are added to Office 365

• Existing user, group, and contact objects that are deleted

from on-premises are deleted from Office 365

• Existing user objects that are disabled on-premises are

disabled in Office 365

• Existing user, group, or contact objects attributes (those

that are synchronized) that are modified on-premises are

modified in Office 365

(14)

Published: 9/10/2012

Office 365 for SMB Jump Start

Microsoft Online Services

Logon Enabled User Object (Unlicensed)

Mail-Enabled User (not Mailbox-Enabled)

ProxyAddresses:

SMTP: [email protected]

smtp: [email protected]

TargetAddress:

[email protected]

DirSync Synchronization

On-premises

Active

Exchange

Server

DirSync

(client side)

Online

AWS

(DirSync Web Service)

SharePoint

Online

Live ID

Exchange

Online

Lync Online

Sync Cycle Step 1:

Import Users, Groups,

and Contacts from source

Active Directory forest

Sync Cycle Step 2:

Imports Users, Groups, and

Contacts from Microsoft

Online Services via AWS

Sync Cycle Step 3:

Export Users, Groups, and

Contacts that do not already

exist in Microsoft Online

Services

User Object

Mailbox-Enabled

ProxyAddresses:

(15)

• First synchronization cycle after installation is a full

synchronization

‒

Time-consuming process relative to number of objects synchronized

‒

~5000 objects per hour

• Subsequent synchronization cycles are deltas only

‒

Much faster

• Not all on-premises attributes synchronized for each

object type, but 100+ attributes are synchronized

(16)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Once implemented, on-premises AD becomes the

“source of authority” for synchronized objects

‒

Modifications to synchronized objects must occur in the on-premises

AD

‒

Synchronized objects cannot be modified or deleted via the portal

unless DirSync is disabled for the tenant

• Scoping/Filtering

‒

Custom scoping or filtering is officially unsupported (guidance

coming soon)

‒

V1 DirSync filter XML file no longer an available option for filtering

(17)

• On-premises objectGuid AD attribute assigned value for

sourceAnchor attribute during initial object synchronization

‒

Referred to as a “hard match”

‒

DirSync knows which Office 365 objects it is the “source of authority”

for by examining sourceAnchor attribute

• DirSync can also match user objects created via the

portal with on-premises objects if there is a match using

the primary SMTP address

‒

Referred to as a “soft match”

(18)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Synchronization errors are emailed to the Technical

Contact for the subscription

‒

Recommend using distribution group as Technical Contact email

address

• Example errors include:

‒

Synchronization health status

• Sent once a day if a synchronization cycle has not registered 24 hours

after last successful synchronization

‒

Objects whose attributes contain invalid characters

‒

Objects with duplicate/conflicting email addresses

‒

Sync quota limit exceeded

(19)

Module 3: Office 365 DirSync,

Single Sign-On & ADFS

Reviewing Identities

Understanding DirSync

DirSync Requirements

(20)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Must be joined to an Active Directory domain within the

same forest that will be synchronized with Office 365

‒

Does not have to be joined to the root domain

• Cannot be a domain controller

• Must be able to communicate with any/all domain

controllers forest wide

• Should be located in an access controlled environment

‒

Should be limited to those with access to domain controllers and

other security sensitive systems

(21)

• Only routable domains can be used with DirSync

deployment

‒

Non-routable domains include .local OR .loc OR .internal.

• If organization has AD w/ only internal namespace,

must:

‒

Add a routable UPN suffix in Active Directory Forests and Trusts.

‒

Configure each user with that routable UserPrincipalName suffix

‒

[email protected]

must be changed do

[email protected]

‒

If this is not done, once DirSync runs, users will appear in Office365

as

[email protected]

instead of

[email protected]

(22)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Windows Installer 4.5 or later

• Windows PowerShell version 2.0

• Microsoft .NET Framework version 3.5 or later.

• Windows Server 2003/R2 x86 with Service Pack 2 or

later, or Windows Server 2008 x86 with the latest

service pack installed.

‒

x64 is supported

• Microsoft Online Services Sign-In Assistant

‒

Not a prerequisite for installation, but required when connecting to

(23)

• Minimum of 1GB hard drive space

‒

600 MB for a complete installation of all Directory Synchronization

Tool components

‒

400 MB required to create the initial database file

• Additional hard drive space most likely required for mid-size or larger

companies

• Server hardware should meet minimum requirements

‒

For SQL Server 2008 R2 Express Edition and FIM (x64) or Identity

Lifecycle Manager 2007 Feature Pack 1 (x86 - legacy)

(24)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Synchronization with Office

365 occurs over SSL

• Internal network

communication will use typical

Active Directory related ports

Service

Protocol

Port

LDAP

TCP/UDP

389 Kerberos

TCP/UDP

88 DNS

TCP/UDP

53 Kerberos

Change

Password

TCP/UDP

464 RPC

TCP

135 RPC randomly

allocated high

TCP ports

TCP

1024 - 65535

49152 - 65535

1 SMB

TCP

445 SSL

TCP

443 SQL

TCP

1433

(25)

Account used to install DirSync must have

1. local machine administrator permissions

2. If using full SQL, rights within SQL to create the DirSync database,

and to setup the SQL service account with the role of db_owner

Account used to configure DirSync must reside in the

local machine MIISAdmins group

1. Account used to install DirSync is automatically added

Administrator permission in the Office 365 tenant

1. DirSync uses an administrator account in the tenant to provision

and update/modify objects

(26)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Enterprise Administrator permission in the on-premise

Active Directory

‒

Credential is not stored/saved by the configuration wizard

‒

Used to create the “MSOL_AD_Sync” domain account in the

“CN=Users” container of the root domain of the forest

‒

Used to delegate the following permissions on each domain

partition in the forest

• Replicating Directory Changes

• Replicating Directory Changes all

• Replication Synchronization

(27)

Module 3: Office 365 DirSync,

Single Sign-On & ADFS

Reviewing Identities

Understanding DirSync

DirSync Requirements

(28)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Enables users to access both the on-premises and

cloud-based organizations with a single user name and

password

• Provides users with a familiar sign-on experience

• Allows administrators to easily control account policies

for cloud-based organization mailboxes by using

on-premises Active Directory management tools.

(29)

• Policy Control

• Access Control

• Reduced Support Calls

• Security

(30)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Windows Server 2008 or Windows Server 2008 R2

• Active Directory Federation Services 2.0 (ADFS 2.0)

• PowerShell

• Web Server (IIS)

• .NET 3.5 SP1

• Windows Identity Foundation

• Publicly registered domain name

• SSL Certificates

• Microsoft Online Services Module for Windows PowerShell

‒

Microsoft Online Sign In Assistant

• High availability design

(31)

• Internet Explorer 7.0 or later

• Firefox 3.0

• Chrome 6.0 or later

• Safari 4.0 or later

• Microsoft Office 2010/2007SP2

• Microsoft Office for Mac 2011 SP1

• Microsoft Office 2008 for Mac version 12.2.9

• Office 365 Desktop Setup

‒

Microsoft Online Sign In Assistant

(32)

Published: 9/10/2012

Office 365 for SMB Jump Start

• Office 365 Desktop Setup

• Automatically detects necessary updates for a computer

‒

Installs Microsoft Online Sign In Assistant

‒

Installs operating system and client software updates required for

connectivity with Office 365

• Automatically configures Internet Explorer and rich

clients for use with Office 365

• Office 365 Desktop Setup is not an authentication or

sign-in service and should not be confused with single

sign-on

(33)

• Microsoft Online Sign-In Assistant

• Can be installed automatically by Office 365 Desktop

Setup or manually

• Enables authentication support by obtaining a service

token from Office 365 and returning it to a rich client

(e.g. Lync)

• Not required for web kiosk scenarios (e.g. OWA)

• Required for on-premises computers connecting to

Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)

(34)

Published: 9/10/2012

Office 365 for SMB Jump Start

ADFS 2.0 Components

ADFS 2.0 Server

• Default topology for Office 365 is an AD

FS 2.0 federation server farm that

consists of multiple servers hosting your

organization’s Federation Service.

• Recommend using at least two

federation servers in a load-balanced

configuration.

ADFS 2.0 Proxy Server

• Federation server proxies are used to

redirect client authentication requests

coming from outside your corporate

network to the federation server farm.

• A Federation server proxies should be

(35)

1. Single server configuration

2. AD FS 2.0 Server Farm and load-balancer

3. AD FS 2.0 Proxy Server or UAG/TMG

i.

(External Users, Active Sync, Down-level Clients with Outlook)

(36)

Published: 9/10/2012

Office 365 for SMB Jump Start

Number of users

Minimum number of servers

Fewer than 1,000 users

0 dedicated federation servers

0 dedicated federation server proxies

1 dedicated NLB server

1,000 to 15,000 users

2 dedicated federation servers

2 dedicated federation server proxies

15,000 to 60,000 users

Between 3 and 5 dedicated federation servers

At least 2 dedicated federation server proxies

(37)

Identity Federation | Authentication Flow

Web Profile

`

Authentication platform

AD FS 2.0 Server

Active Directory

Customer

Microsoft Online Services

User

Source

ID

Logon (SAML 1.1) Token

UPN:[email protected]

Source User ID: ABC123

Auth Token

(38)

Published: 9/10/2012

Office 365 for SMB Jump Start

• ADFS 2.0 Deployment

‒

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx

‒

http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1

• More information on DirSync

‒

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx

‒

http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspx

• Check out the course appendix

(39)