This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in
such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond
to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, Outlook, OneDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.
Overview
Objectives
Identity Management
Identities for Microsoft Cloud Services
A Common Identity Platform for Organizational Accounts
Core Identity Scenarios with Office 365
The end to end Microsoft Stack
Cloud Identity
Cloud identities are online accounts, with the user account and password stored within the Azure Active Directory
Online administrators manage the identities through the Office 365 Admin Center or through PowerShell
Administrators and end-users manage their passwords in Office 365
Users usually end up managing two accounts (on-premises and cloud)
The methods for cloud identity creation are:
Directory Synchronization (if using AD on-premises)
Office 365 Admin Center to create users manually
Bulk importation using a .csv file or via PowerShell using the New-MsolUser cmdlet
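The bulk-import method above, as an added example that is not part of the training deck: it reads a constructed CSV and creates each cloud identity with New-MsolUser, requiring a strong password and a change at first sign-in. It assumes the MSOnline module is installed, Connect-MsolService has already been run, and the CSV paths are placeholders.

```powershell
# Added example (not from the training deck): bulk-create cloud identities
# from a CSV with New-MsolUser, forcing a password change at first sign-in.
# Assumes the MSOnline module is loaded and Connect-MsolService has run.
# Constructed CSV columns: UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation
$users = Import-Csv -Path .\NewUsers.csv   # placeholder path

$results = foreach ($u in $users) {
    # Skip accounts that already exist so a re-run does not fail half-way.
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($u.UserPrincipalName): already exists"
        continue
    }
    # No -Password given: the service generates a random initial password and
    # returns it in the Password property of the created object.
    $created = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -FirstName $u.FirstName -LastName $u.LastName -DisplayName $u.DisplayName `
        -UsageLocation $u.UsageLocation `
        -StrongPasswordRequired $true `
        -ForceChangePassword $true
    [PSCustomObject]@{
        UserPrincipalName = $created.UserPrincipalName
        InitialPassword   = $created.Password
    }
}

# Keep the generated initial passwords only for out-of-band delivery to each
# user; delete this file once the passwords have been handed over.
$results | Export-Csv -Path .\CreatedUsers.csv -NoTypeInformation
```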
Cloud Identity with Password Synchronization
Federated Identity
Federation Options
Multi-Factor Authentication
Multi-Factor Authentication for Office 365
Enabling Multi-Factor Authentication
On the users and groups page in the Office 365 admin center, you can enroll users for multi-factor authentication by clicking the Set Multi-factor authentication requirements: Set up link.
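The same enrollment done with the MSOnline cmdlets, as an added example that is not from the training deck, together with a check for licensed users who still have no multi-factor requirement. It assumes Connect-MsolService has already been run with an administrator account; the UPN is a constructed sample.

```powershell
# Added example (not from the training deck): enable MFA for one user with the
# MSOnline module and report licensed users that have no MFA requirement yet.
# Assumes Connect-MsolService has already been run with an admin account.
function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"        # apply to all relying parties, not just Office 365
    $req.State        = "Enabled"  # user is asked to register a second factor at next sign-in
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Audit: a licensed user with an empty StrongAuthenticationRequirements
# collection has not been enrolled and still signs in with password only.
function Get-UsersWithoutMfa {
    Get-MsolUser -All | Where-Object {
        $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0
    } | Select-Object UserPrincipalName, DisplayName
}

Enable-UserMfa -UserPrincipalName 'alice@contoso.example'   # constructed sample UPN
Get-UsersWithoutMfa | Format-Table -AutoSize
```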
Multi-Factor End User Experience
After being enabled for multi-factor authentication, the next time a user signs in, they see a message asking them to set up their second authentication factor
Any of the following may be used for the second factor of authentication.
Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in
Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal
Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them
Notify me through app. The user configured a smartphone app and they receive a notification in the app that they must confirm the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices
Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal
App Passwords for Multi-Factor Authentication
When your account is enabled for multi-factor authentication, you will not be able to use non-browser applications such as Microsoft Outlook, Lync, and Windows PowerShell because these clients do not natively support multi-factor authentication
In order to continue to use your applications, you must set up App Passwords for your clients.
Once a user has logged in with multi-factor authentication, they will be able to create one or more App Passwords for use in Office client applications
After you've created an App Password for an Office desktop application, such as Outlook, it is indicated in a list in your account
The App Password is what the user needs to enter when challenged for authentication by the Office desktop applications
Domain Management
Overview of Domains
Default Microsoft Online Domain
Custom Domains
Custom domains are those that you add to your Office 365 tenant
Custom domains added through the Office 365 Admin Center are by default set as managed domains
Adding custom domains does not impact or change mail routing on-premises
Adding Custom Domains
Add: Add the domain via the Portal or PowerShell. Domain status goes to Pending Verification
Verify: Create a TXT or MX record in the public DNS zone. Office 365 verifies the TXT record exists, proving ownership
Configure: Configure domain intent for the new domain in Office 365. Create or change the MX and AutoDiscover DNS records
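The Add and Verify steps carried out with the MSOnline cmdlets, as an added example that is not from the training deck. It assumes Connect-MsolService has already been run, that Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) is available, and uses a constructed placeholder domain name.

```powershell
# Added example (not from the training deck): Add -> Verify flow for a custom
# domain with the MSOnline cmdlets. Assumes Connect-MsolService has run.
$domain = 'contoso.example'   # constructed placeholder domain

# Add: register the domain; its status is Unverified (Pending Verification).
New-MsolDomain -Name $domain -Authentication Managed

# Verify, part 1: read the TXT record Office 365 expects to find in public DNS.
# (-Mode DnsMxRecord returns the MX alternative instead.)
$txt = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
Write-Host "Create a TXT record for $($txt.Label) with value: $($txt.Text)"

# Check public DNS before asking Office 365 to verify, so a failure can be
# attributed to propagation rather than to the tenant.
$published = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -contains $txt.Text }
if (-not $published) {
    Write-Warning "Verification TXT record is not visible in public DNS yet; retry after propagation"
    return
}

# Verify, part 2: Office 365 looks up the record and marks the domain Verified.
Confirm-MsolDomain -DomainName $domain
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
```

Domain intent and the MX/AutoDiscover records (the Configure step) are set afterwards in the portal and at your public DNS provider.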
Claims Based Identity Overview
What is SAML?
What is a Claim?
Security Tokens
Relying Party Trust
Authentication Process
Alternate Login ID
To solve this problem, you can now enable the alternate login ID functionality, which allows you to configure a sign-in experience where the alternate login ID is an attribute of the user object in AD other than the UPN, and that attribute can be set to the publicly routable federated domain
Configuring Alternate Login ID
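Configuring the alternate login ID on the AD FS claims provider trust, as an added example that is not from the training deck. It assumes AD FS on Windows Server 2012 R2 or later (where the AlternateLoginID parameter exists), is run on the primary federation server with the ADFS and ActiveDirectory modules available, and uses a constructed placeholder forest name.

```powershell
# Added example (not from the training deck): make AD FS accept the mail
# attribute as the sign-in name instead of the UPN, then check the directory
# for values that would break the lookup. Forest name is a placeholder.
$forest = 'corp.contoso.example'

Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID mail `
    -LookupForests $forest

# Confirm the setting took effect on the Active Directory claims provider trust.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests

# Readiness check: AD FS resolves the alternate login ID by an exact lookup in
# the configured forests, so the value must be present and unique per user.
$users      = Get-ADUser -Filter * -Properties mail -Server $forest
$missing    = @($users | Where-Object { -not $_.mail })
$duplicates = @($users | Where-Object { $_.mail } | Group-Object mail | Where-Object Count -gt 1)
Write-Host "Users without a mail value: $($missing.Count)"
Write-Host "mail values shared by more than one user: $($duplicates.Count)"
$duplicates | ForEach-Object { Write-Warning "Duplicate mail: $($_.Name)" }
```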
Active Directory Federation Services
AD FS Prerequisites
An installation of AD FS requires:
Windows Server 2008 (SP2), Windows Server 2008 R2, or Windows Server 2012
Internet Information Services (IIS) 7 or 7.5 depending on the Windows Server
version
Microsoft .NET Framework 3.5 SP1
AD FS RTW (Release To Web) download. Windows Server 2012 includes the
correct AD FS version as a role
Update Rollup 3 for AD FS is recommended in order to take advantage of new
features such as Multi Issuer Support and Client Access Policies
The AD FS endpoints need to be accessible from the internet and secured with a
public certificate:
You can reverse publish AD FS through TMG or equivalent 3rd party product
AD FS Federation Servers
AD FS Federation Server Proxy
Proxy placement:
Perimeter network
Firewall requirements for the Proxy:
HTTPS port 443
DNS requirements for the Proxy:
Must use the same URL as the internal AD FS 2.0 server
Use split DNS for external users
Use HOSTS file on the proxy for resolving internal AD FS 2.0
Role of the Proxy:
Presents a forms based authentication page to external users (if using a browser)
Collects and submits the user credentials to AD FS on-premises (claims provider)
Redirects the security token to Office 365 (relying party)
The Proxy Server does not:
Generate tokens
Sign tokens
Proxy Authentication:
Uses a long-lived SAML token to authenticate itself to the AD FS farm
AD FS Database
Secondary federation servers connect to and synchronize the data with the primary federation server in the farm, by polling every 5 minutes, to check whether any data has changed
The secondary federation servers exist to provide fault tolerance for the primary federation server while also acting to load-balance access requests
Configuration information can alternatively be stored in a SQL Server database, which provides additional capabilities:
The ability to scale out using more than 5 federation servers (the limit for WID per farm)
AD FS Deployment Options
AD FS Authentication Options
Configuring AD FS
AD FS Configured
Federated Authentication in Office 365
There are three authentication profiles for a Federated Identity depending on what client is being used:
Federated Authentication in Office 365 (continued)
Client Authentication Flow
Diagram: User signs in with Lync (External Network)
Third Party Browser leveraging and ADFS
Deploying Password Sync as a backup for Single Sign-On
In light of this you can now elect to deploy the Password Sync feature for your federated domain(s) to provide a backup solution for your Single Sign-On infrastructure
Switching from Single Sign-On to using Synchronized Passwords for Sign-In is not instantaneous
Module Review
Module Summary
2013
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION