Identity in Office 365 (SharePoint Saturday Michigan 2013)
Post on 21-Nov-2014
Identity in Office 365
3 | SharePoint Saturday Michigan 2013
Outline
Office 365 Overview
Changing the Identity Perspective
Authentication vs. Authorization
Who Are You?
What Do You Do Here?
Who’s in Charge Here?
4 | SharePoint Saturday Michigan 2013
Email and Calendaring
Websites and Collaboration
IM and Online Meetings
Office Client and Web Apps
Hosted by Microsoft – in the cloud!
5 | SharePoint Saturday Michigan 2013
6 | SharePoint Saturday Michigan 2013
Did Someone say Cloud?
7 | SharePoint Saturday Michigan 2013
What’s Your Perspective?
8 | SharePoint Saturday Michigan 2013
Identity’s impact on Office 365
End User Experience
Complexity
Scale
Manageability
Investment
9 | SharePoint Saturday Michigan 2013
10 | SharePoint Saturday Michigan 2013
Authentication vs. Authorization
Who gets in?
What can they do?
11 | SharePoint Saturday Michigan 2013
Who gets in?
Where do your Office 365 user accounts live?
What is needed to use them?
What can they do?
What are the limitations of the approach?
12 | SharePoint Saturday Michigan 2013
13 | SharePoint Saturday Michigan 2013
Identity Options
1. Microsoft Online (MSO) IDs
2. MSO IDs + Directory Synchronization
3. Single Sign On + Directory Synchronization
[Architecture diagram: "Your Environment" contains AD, MS Online Directory Sync and Active Directory Federation Services 2.0 (IdP); "Microsoft Online Services" contains Identity Services (provisioning platform, authentication platform, IdP directory store, Admin Portal/PowerShell) and Office 365 (Lync Online, SharePoint Online, Exchange Online, Desktop Setup). A Trust links AD FS 2.0 to the Microsoft Online authentication platform.]
14 | SharePoint Saturday Michigan 2013
What can they do?

Option 1: Microsoft Online (MSO) IDs
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud

Option 2: MSO IDs + Directory Synchronization
Appropriate for
• Medium/Large orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Single server deployment

Option 3: Single Sign On + Directory Synchronization
Appropriate for
• Larger enterprise orgs with AD on-premise
Pros
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
15 | SharePoint Saturday Michigan 2013
Sign On Experience: SSO* vs. Online IDs Summary

Client                                                  MS Online IDs   SSO IDs (domain joined)   SSO IDs (non-domain joined)
Outlook Web Application (Win7/Vista/XP)                 Online ID       AD credentials            AD credentials
SharePoint Web Application (Win7/Vista/XP)              Online ID       AD credentials            AD credentials
ActiveSync, POP, IMAP, Entourage, Outlook 2007 or 2010  Online ID       AD credentials            AD credentials
Office 2010 or Office 2007 SP2 (Win7/Vista/XP)          Online ID       AD credentials            AD credentials
Lync Online (Win7/Vista/XP)                             Online ID       AD credentials            AD credentials

*Requires ADFS 2.0
16 | SharePoint Saturday Michigan 2013
How does AD FS work?
Claims authentication
Think of it like a passport
Passport Application
Visa Application
Submit for authorization
Allowed access
17 | SharePoint Saturday Michigan 2013
AD FS’s Authentication flow
[Flow diagram: "Your Environment" holds the Client (joined to CorpNet), the AD FS 2.0 Server and Active Directory; "Microsoft Online Services" holds the Authentication platform and Exchange Online or SharePoint Online.
1. The client logs on to the AD FS 2.0 Server, which authenticates it against Active Directory.
2. AD FS issues a Logon (SAML 1.1) Token: UPN user@contoso.com, Source User ID ABC123.
3. The Microsoft Online Authentication platform exchanges that token for an Auth Token: UPN user@contoso.com, Unique ID 254729.
4. The Auth Token is presented to Exchange Online or SharePoint Online.]
18 | SharePoint Saturday Michigan 2013
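The flow on the slide above, modelled as an added example (not code from the deck or from Microsoft): a toy AD FS issuer signs a token carrying the UPN and Source User ID shown on the slide, and a toy Microsoft Online authentication platform accepts it only if the issuer is trusted, the signature verifies, the UPN suffix is a federated domain (the "UPN formatting" requirement from the considerations slide) and the Source User ID has already been synchronised by DirSync. HMAC-SHA256 stands in for the real XML signature on a SAML token; the issuer URL, account names, password and signing key are constructed values.

```python
import hashlib
import hmac
import json


def _sign(key: bytes, payload: str) -> str:
    """Stand-in for the XML signature on the SAML 1.1 token (toy, not SAML)."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class AdfsServer:
    """On-premises AD FS 2.0, the 'passport office' of the slide analogy.

    Authenticates against a constructed stand-in for Active Directory and
    issues a signed token carrying the UPN and the immutable Source User ID.
    """

    def __init__(self, issuer: str, signing_key: bytes, directory: dict):
        self.issuer = issuer
        self.signing_key = signing_key
        self.directory = directory  # sAMAccountName -> attributes (constructed)

    def logon(self, account: str, password: str) -> dict:
        user = self.directory.get(account)
        if user is None or not hmac.compare_digest(
            user["password"].encode(), password.encode()
        ):
            raise PermissionError("AD logon failed")
        claims = {
            "iss": self.issuer,
            "upn": user["upn"],
            "source_user_id": user["source_user_id"],
        }
        body = json.dumps(claims, sort_keys=True)  # canonical form, then signed
        return {"claims": body, "sig": _sign(self.signing_key, body)}


class OnlineAuthPlatform:
    """Microsoft Online Services authentication platform, the 'visa office'."""

    def __init__(self):
        self.trusts = {}    # issuer -> (signing key, federated UPN suffixes)
        self.id_store = {}  # source_user_id -> online Unique ID, filled by DirSync

    def add_trust(self, issuer: str, key: bytes, federated_domains) -> None:
        self.trusts[issuer] = (key, {d.lower() for d in federated_domains})

    def dirsync(self, source_user_id: str, unique_id: str) -> None:
        """One-way copy of the on-premises object into the online directory."""
        self.id_store[source_user_id] = unique_id

    def exchange(self, token: dict, service: str) -> dict:
        """Exchange the AD FS token for an online Auth Token, or refuse."""
        claims = json.loads(token["claims"])
        trust = self.trusts.get(claims.get("iss"))
        if trust is None:
            raise PermissionError("token not issued by a trusted federation partner")
        key, domains = trust
        if not hmac.compare_digest(_sign(key, token["claims"]), token["sig"]):
            raise PermissionError("token signature invalid")
        suffix = claims["upn"].rpartition("@")[2].lower()
        if suffix not in domains:
            raise PermissionError(f"UPN suffix {suffix!r} is not a federated domain")
        unique_id = self.id_store.get(claims["source_user_id"])
        if unique_id is None:
            raise PermissionError("user not present in the online directory (run DirSync)")
        return {"upn": claims["upn"], "unique_id": unique_id, "service": service}


def build_demo():
    """Constructed sample environment using the slide's illustrative values."""
    key = b"constructed-adfs-token-signing-key"  # assumption: shared for the toy
    active_directory = {
        "alice": {"password": "Passw0rd!", "upn": "user@contoso.com",
                  "source_user_id": "ABC123"},
        # Non-routable UPN suffix: fails the 'UPN formatting' requirement
        "bob": {"password": "Passw0rd!", "upn": "bob@contoso.local",
                "source_user_id": "DEF456"},
    }
    adfs = AdfsServer("http://adfs.contoso.com/adfs/services/trust", key,
                      active_directory)  # issuer URL is an assumption
    mso = OnlineAuthPlatform()
    mso.add_trust(adfs.issuer, key, ["contoso.com"])
    mso.dirsync("ABC123", "254729")
    mso.dirsync("DEF456", "254730")
    return adfs, mso


def sign_in(account: str, password: str, service: str = "SharePoint Online") -> dict:
    """End-to-end: AD logon at AD FS, then token exchange at Microsoft Online."""
    adfs, mso = build_demo()
    return mso.exchange(adfs.logon(account, password), service)


if __name__ == "__main__":
    print(sign_in("alice", "Passw0rd!"))  # Unique ID 254729 for user@contoso.com
```

Every refusal happens on the Microsoft Online side after a successful on-premises logon, which is the point of the considerations slide: a working AD FS is necessary but not sufficient, and the trust, the verified domain and the DirSync object all have to be in place before the "visa" is issued.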
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, Outlook)
[Diagram: the Enterprise network holds Active Directory and the AD FS 2.0 Servers (farm) serving the internal user; the DMZ holds the AD FS 2.0 Server Proxies serving the external user.]
19 | SharePoint Saturday Michigan 2013
ADFS Considerations
Can you afford an outage?
How do you secure it?
It’s complex
Requires specific AD config
UPN formatting
Requires DirSync
Other options available
Shibboleth
Ping
Okta
Hat tip: @usher
20 | SharePoint Saturday Michigan 2013
Directory Synchronization
One-way or two-way copy of accounts to Office 365
Required for SSO/AD FS
But can be used without AD FS
Required for Hybrid scenarios
Think of it as an appliance, always running
21 | SharePoint Saturday Michigan 2013
How DirSync Fits in
[Architecture diagram, as before: "Your Environment" contains AD, MS Online Directory Sync and Active Directory Federation Services 2.0 (IdP); "Microsoft Online Services" contains Identity Services (authentication platform, IdP directory store) and Office 365 (Lync Online, SharePoint Online, Exchange Online, Desktop Setup); a Trust links AD FS 2.0 to the online authentication platform, and MS Online Directory Sync feeds the IdP directory store.]
22 | SharePoint Saturday Michigan 2013
Getting to know DirSync
It’s actually Forefront Identity Manager
Copies AD accounts into Office 365
But not back down
Doesn’t sync passwords
Filtering now available
Can have sizing issues
Upload sizing
Database sizing
FIM: no touchy! (maybe)
23 | SharePoint Saturday Michigan 2013
24 | SharePoint Saturday Michigan 2013
Office 365 admin roles
Global administrator
Billing administrator
Password administrator
Services administrator
User management administrator
Delegated administrator
See the Office 365 Support Services Description document for more info:
http://tinyurl.com/o365SvcDescrs
25 | SharePoint Saturday Michigan 2013
26 | SharePoint Saturday Michigan 2013
Managing Identity in Office 365
Admin activities do not go away
AD FS is complex
And important!
PowerShell is your friend
How’s your internet connection?
Office 365 is constantly changing
27 | SharePoint Saturday Michigan 2013
Troubleshooting Identity
Microsoft Online Diagnostics and Logging tool (MOSDAL)
Microsoft Remote Connectivity Analyzer: http://testexchangeconnectivity.com
Fiddler
Wireshark/Netmon
Office 365 Expert Discussion Series: http://tinyurl.com/o365ExptDisc
28 | SharePoint Saturday Michigan 2013
Tie IT All Together