Hybrid Identity Management with SharePoint and Office 365
Antonio Maio, Protiviti, Senior SharePoint Architect & Senior Manager, Microsoft SharePoint Server MVP
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
• 2,500+ professionals
• 1,000+ clients
• 70+ offices
• Over 20 countries in the Americas, Europe and Asia-Pacific
Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.
• Ensure user authentications occur in on-premises Active Directory
• Implement single sign-on using corporate credentials
• Customize the user sign-in page *
• Limit access to cloud services based on the location, client type or Exchange endpoint of the client
* Available in the Basic or Premium edition of Azure Active Directory. See Chris Goosen's post for details on how to brand your Office 365 sign-in page: http://blog.enowsoftware.com/solutions-engine/bid/187358/Add-Custom-Branding-to-Your-Office-365-Sign-in-Page
Azure AD Connect
• New deployment and configuration tool for quickly connecting on-premises identities to the cloud
• Express Settings: easily connect a single AD forest (in minutes)
• More options: specify a group or OU to sync only specific identities
• Built-in upgrade: easily upgrade existing DirSync or AAD Sync
Available now: http://go.microsoft.com/fwlink/?LinkId=615771
• Includes Azure AD Connect Health
• Monitors ADFS servers (health, performance, login activity)
• Only available for Azure AD Premium edition
Azure AD Connect – Configuration Options
• Synchronize multiple AD forests
• User self-service password reset in the cloud with write-back to on-premises AD
• Provisioning from the cloud with user write-back to on-premises AD
• Write-back of "Groups in Office 365" to on-premises distribution groups in a forest with Exchange
• Device write-back so on-premises access control policies in ADFS can recognize devices registered with Azure AD (includes support for Azure AD Join in Windows 10)
• Sync custom AD attributes to your Azure AD tenant, to be consumed by your cloud apps
• Configure password sync or federation; selecting federation provides a simplified ADFS deployment
Steps - Configuring Azure AD Connect
1. Prepare for Directory Synchronization
• Prerequisites, permissions, understand limits
• Alternate UPN suffix for a .local domain
• Clean up UPNs and proxyAddresses in AD (use Microsoft Office 365 IdFix)
2. Activate Directory Synchronization
• Register your domain with Office 365 and validate ownership
• Activate Directory Sync in Office 365 > Admin > Users
3. Set up AD Connect on your Directory Synchronization Server
• Provide Office 365 Service Admin credentials
• Provide on-premises AD Enterprise Domain Admin credentials
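The clean-up items in step 1 (unroutable UPN suffixes such as .local, duplicate proxyAddresses) are the ones that most often block a first sync. The script below is an added example, not part of the deck or Microsoft's IdFix tool: it audits on-premises AD for both problems and writes a report before anything is synchronized. It assumes the RSAT ActiveDirectory module, read access to the domain, and a constructed list of domains verified in the tenant (contoso.com, contoso.net) and a constructed search base.

```powershell
# Added example: pre-sync audit of UPN suffixes and proxyAddresses.
# Report-only; nothing in AD is modified.
Import-Module ActiveDirectory

# Constructed sample values: domains verified in Office 365 and the OU to audit.
$VerifiedDomains = @('contoso.com', 'contoso.net')
$SearchBase      = 'OU=Users,DC=contoso,DC=local'   # assumed OU, adjust to your forest

$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
           -Properties UserPrincipalName, proxyAddresses, mail

# 1. UPN suffix check: the suffix must be a domain verified in the tenant,
#    otherwise the user lands in the cloud under onmicrosoft.com.
$badUpn = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Issue = 'UPN is empty'; Value = '' }
        continue
    }
    $suffix = $u.UserPrincipalName.Split('@')[-1]
    if ($VerifiedDomains -notcontains $suffix) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName
                           Issue          = 'UPN suffix not verified in Office 365'
                           Value          = $u.UserPrincipalName }
    }
}

# 2. Duplicate proxyAddresses check: the same SMTP address on two users
#    causes a sync error for the second user processed.
$seen = @{}
$dupProxy = foreach ($u in $users) {
    foreach ($addr in @($u.proxyAddresses)) {
        # Compare case-insensitively so SMTP: (primary) and smtp: collide as intended.
        $key = $addr.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName
                               Issue          = "proxyAddress also on $($seen[$key])"
                               Value          = $addr }
        } else {
            $seen[$key] = $u.SamAccountName
        }
    }
}

$report = @($badUpn) + @($dupProxy)
$report | Sort-Object Issue, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\PreSyncAudit.csv -NoTypeInformation
```

Run it as a low-privilege account with read access only; the CSV is the list to hand to whoever fixes UPN suffixes (via Set-ADUser) or removes the duplicate addresses, and re-running it until it is empty is the check that step 1 is actually done.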
Assign Licenses/Location via PowerShell
• Office 365 Admin GUI allows for bulk assignment (limit 25 users at a time)
• Useful PowerShell commands for bulk license assignment
Connect-MsolService
Connect to your Office 365 service.
Get-Command -Module MSOnline
Display the available PowerShell commands.
Get-MsolUser
Display the list of users currently within your Office 365 tenant.
Get-MsolUser -UnlicensedUsersOnly
Display only the users in your Office 365 tenant which do not have a license.
Get-MsolAccountSku
Display your Office 365 tenant license SKU. Use this when assigning a license.
Set-MsolUser -UserPrincipalName "<user's upn>" -UsageLocation "US"
Set the location for a specific user by specifying the user principal name.
Set-MsolUserLicense -UserPrincipalName "<user's upn>" -AddLicenses "<your license SKU>"
Set a license for the specified user. Use the SKU displayed by the command above.
• Combine PowerShell commands to assign licenses to all unlicensed users
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation "US"
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "<your license SKU>"
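The two one-liners above license every unlicensed user unconditionally. The script below is an added example, not from the deck, that does the same job with the checks an administrator would want: it verifies the remaining units of the SKU before assigning, skips accounts whose sign-in is blocked, sets UsageLocation only where it is missing, and records the result per user. It assumes the MSOnline module, an already connected session (Connect-MsolService has been run), and a constructed SKU id contoso:ENTERPRISEPACK.

```powershell
# Added example: bulk license assignment with capacity check and per-user log.
Import-Module MSOnline

$SkuId    = 'contoso:ENTERPRISEPACK'   # constructed sample; take yours from Get-MsolAccountSku
$Location = 'US'

# Confirm the SKU exists and compute how many units are still free.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
if (-not $sku) { throw "SKU $SkuId not found in this tenant" }
$available = $sku.ActiveUnits - $sku.ConsumedUnits

# Unlicensed users, excluding accounts that are blocked from signing in:
# licensing those only spends units on identities that should stay dormant.
$unlicensed = @(Get-MsolUser -All -UnlicensedUsersOnly |
                Where-Object { -not $_.BlockCredential })

if ($unlicensed.Count -gt $available) {
    Write-Warning "$($unlicensed.Count) unlicensed users but only $available free units of $SkuId; licensing the first $available"
    $unlicensed = @($unlicensed | Select-Object -First $available)
}

$log = foreach ($u in $unlicensed) {
    try {
        # UsageLocation is required before a license can be assigned.
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $Location
        }
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $SkuId
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Result = 'Licensed' }
    } catch {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Result = "Failed: $($_.Exception.Message)" }
    }
}

$log | Format-Table -AutoSize
$log | Export-Csv -Path .\LicenseAssignment.csv -NoTypeInformation
```

Keeping the CSV gives an audit trail of which accounts gained a license and when, which is what a later access review will ask for.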
Configuring Identity Federation
1. Prepare for Single Sign-On
• Prerequisites, prepare Active Directory
• Prepare network infrastructure for federation servers
2. Set up the on-premises Active Directory Federation Services (ADFS)
• Set up Windows PowerShell for SSO with AD FS
• Set up trust between AD FS and Azure AD
3. Set up Directory Synchronization with Azure AD Connect
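Step 2's "set up trust between AD FS and Azure AD" is done from the MSOnline module, pointing it at the AD FS server and converting the verified domain from managed to federated authentication. The script below is an added example, not from the deck: it performs the conversion and then reads the federation settings back so the change can be confirmed before users are moved over. It assumes the MSOnline module on a machine that can reach the AD FS server, a connected session, and a constructed domain name contoso.com and AD FS host adfs01.contoso.local.

```powershell
# Added example: convert a verified domain to federated authentication and verify it.
Import-Module MSOnline

$DomainName = 'contoso.com'             # constructed sample; must already be verified in the tenant
$AdfsServer = 'adfs01.contoso.local'    # constructed sample; the primary AD FS server

# Refuse to proceed unless the domain is verified and still managed.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified')        { throw "$DomainName is not verified in the tenant" }
if ($domain.Authentication -eq 'Federated') { Write-Warning "$DomainName is already federated"; return }

# Point the MSOnline cmdlets at the AD FS server, then establish the trust.
Set-MsolADFSContext -Computer $AdfsServer
Convert-MsolDomainToFederated -DomainName $DomainName

# Read back what Azure AD now holds for the domain and compare it with AD FS.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') { throw "Conversion of $DomainName did not take effect" }

Get-MsolFederationProperty -DomainName $DomainName |
    Select-Object Source, FederationServiceIdentifier, PassiveLogOnUri, TokenSigningCertificate |
    Format-List
```

The final listing shows one entry from AD FS and one from Microsoft Office 365; the service identifier, passive logon URI and token-signing certificate should match on both sides, and a mismatch is the first thing to check when sign-in fails after conversion.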
• Reduced administration costs: leverage your already existing on-premises user and group accounts
• Improved productivity: significantly reduce the amount of time it takes to make cloud-based services accessible
• Increased security: ensures that only appropriate users have access to your corporate assets. Retain strict control over user identities and related policies through on-premises AD.
• Enable hybrid scenarios: enjoy the benefits of the cloud combined with your existing infrastructure through robust hybrid configuration scenarios
Please see two blog posts:
• Part 1: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=142
• Part 2: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=165
This deck will be posted to my blog: www.trustsharepoint.com
* Note: these posts refer to DirSync in several cases, but the activities for cleaning up AD and preparing for identity synchronization or identity federation are still applicable with Azure AD Connect.