One of the most compelling aspects of Office 365 is how it can be integrated into an organization's existing IT infrastructure to give users a seamless experience; when implemented properly, users should not notice a difference between on-premises platforms and services running in the cloud with Office 365. But while this is simple for end users to work within, establishing and configuring the systems needed to provide that experience can be complex and confusing.
In this session, attendees will be introduced to the numerous ways that existing on-premises systems, including Active Directory, Exchange, SharePoint, and Lync, can be integrated into Office 365 by organizations of all shapes and sizes. We will walk through the decision process companies need to follow to determine how to configure their coexistence and integration strategies, and provide hands-on examples of common setups.
3. Outline
Office 365 Overview
Changing the Identity Perspective
Authentication vs. Authorization
Who Are You?
What Do You Do Here?
Who’s in Charge Here?
3 | SharePoint Saturday Redmond 2012
4. Email and Calendaring
Websites and Collaboration
IM and Online Meetings
Office Client and Web Apps
Hosted by Microsoft – in the cloud!
8. Identity’s impact on Office 365
End User Experience
Complexity
Scale
Manageability
Investment
11. Who gets in?
Where do your Office 365 user accounts live?
What is needed to use them?
What can they do?
What are the limitations of the approach?
13. Identity Options
1. Microsoft Online (MSO) IDs
2. MSO IDs + Directory Synchronization
3. Single Sign On + Directory Synchronization
[Diagram: Your Environment (Active Directory, AD FS 2.0 as IdP, Directory Sync) has a trust with Microsoft Online Services Identity Services (Authentication platform, MS Online IdP, Directory Store, Provisioning platform, Admin Portal/PowerShell), which front Exchange Online, SharePoint Online, Lync Online and Office 365 Desktop Setup]
14. What can they do?

1. Microsoft Online (MSO) IDs
Appropriate for:
• Smaller orgs without AD on-premise
Pros:
• No servers required on-premise
Cons:
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud

2. MSO IDs + Directory Synchronization
Appropriate for:
• Medium/Large orgs with AD on-premise
Pros:
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons:
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Single server deployment

3. Single Sign On + Directory Synchronization
Appropriate for:
• Larger enterprise orgs with AD on-premise
Pros:
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons:
• High availability server deployments required
15. Sign On Experience *
SSO vs. Online IDs Summary

| Identity type               | Lync Online 2010 (Win7/Vista/XP) | Outlook 2007 or 2010 (Win7/Vista/XP) | Outlook Web Application / SharePoint Web Application | Office 2010 or Office 2007 SP2 (Win7/Vista/XP) | ActiveSync, POP, IMAP, Entourage |
| MS Online IDs               | Online ID      | Online ID      | Online ID      | Online ID      | Online ID      |
| SSO IDs (domain joined)     | AD credentials | AD credentials | AD credentials | AD credentials | AD credentials |
| SSO IDs (non-domain joined) | AD credentials | AD credentials | AD credentials | AD credentials | AD credentials |

*Requires ADFS 2.0
16. Active Directory Federation Services (AD FS)
[Diagram: Your Environment (Active Directory, AD FS 2.0 as IdP, Directory Sync) has a trust with Microsoft Online Services Identity Services (Authentication platform, MS Online IdP, Directory Store), which front Exchange Online, SharePoint Online, Lync Online and Office 365 Desktop Setup]
17. How does AD FS work?
Claims authentication
Think of it like a passport
Passport Application
Visa Application
Submit for authorization
Allowed access
18. AD FS's Authentication flow
Your Environment:
1. A client joined to CorpNet logs on to the AD FS 2.0 server with UPN user@contoso.com
2. AD FS 2.0 authenticates the user against Active Directory and issues a SAML 1.1 Token carrying UPN user@contoso.com and Source User ID ABC123
Microsoft Online Services:
3. The Authentication platform exchanges that token for its own Auth Token carrying UPN user@contoso.com and Unique ID 254729
4. The client presents the Auth Token to Exchange Online or SharePoint Online
19. AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Outlook)
[Diagram: AD FS 2.0 servers inside the enterprise network, in front of Active Directory, serve the internal user; AD FS 2.0 proxy servers in the DMZ serve the external user]
20. ADFS Considerations
Can you afford an outage?
How do you secure it?
It’s complex
Requires specific AD config
Hat tip: @usher
UPN formatting
Requires DirSync
Other options available
Shibboleth (added August 2012)
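The "specific AD config" and "UPN formatting" points above are the ones that bite first: DirSync copies each user's on-premises UPN to the cloud, and federated sign-in only works if that UPN's suffix is a domain you have verified in Office 365. Accounts with no UPN, or with a non-routable suffix such as .local, end up with a tenant .onmicrosoft.com UPN instead. The following pre-flight check is an added example, not part of the deck; it assumes the ActiveDirectory PowerShell module is available, that contoso.com (the domain used in the deck's flow diagram) is your only verified federated domain, and that the list in $FederatedSuffixes is replaced with your own.

```powershell
# Added example (not from the deck): find users whose UPN will not federate.
# Assumptions: ActiveDirectory module installed; contoso.com is the only
# verified domain in the tenant (replace the list with your own).
Import-Module ActiveDirectory

$FederatedSuffixes = @('contoso.com')   # assumption: verified public domains

# Enabled users only; -Properties adds attributes not returned by default
$users = @(Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName, SamAccountName)

$problems = @(foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        # No UPN at all: the cloud account falls back to sAMAccountName@<tenant>.onmicrosoft.com
        [pscustomobject]@{ Sam = $u.SamAccountName; UPN = '<none>'; Issue = 'Empty UPN' }
        continue
    }
    $suffix = $upn.Split('@')[-1]
    if ($FederatedSuffixes -notcontains $suffix) {
        # .local / .corp style suffixes cannot be verified in Office 365, so AD FS
        # would never be asked for this user; they would get an onmicrosoft.com UPN
        [pscustomobject]@{ Sam = $u.SamAccountName; UPN = $upn; Issue = "Unverified suffix '$suffix'" }
    }
})

$problems | Format-Table -AutoSize
"Checked $($users.Count) users; $($problems.Count) need a UPN fix before sync"

# Remediation is a UPN rewrite per user; keep -WhatIf until the report is clean.
# (An alternate UPN suffix must already exist in AD Domains and Trusts.)
foreach ($p in $problems) {
    Set-ADUser -Identity $p.Sam -UserPrincipalName "$($p.Sam)@$($FederatedSuffixes[0])" -WhatIf
}
```

Run it before the first DirSync pass rather than after: once an account has synced with a bad UPN, fixing it means changing the UPN on both sides and re-syncing, which is exactly the kind of outage the "Can you afford an outage?" bullet is warning about.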
21. Directory Synchronization
One-way copy of accounts to Office 365
Required for SSO/AD FS
But can be used without AD FS
Required for Hybrid scenarios
Think of it as an appliance, always running
22. How DirSync Fits in
[Diagram: Directory Sync in Your Environment copies Active Directory into the MS Online Directory Store within Microsoft Online Services Identity Services, alongside the AD FS 2.0 trust to the Authentication platform; the directory store feeds Exchange Online, SharePoint Online, Lync Online and Office 365 Desktop Setup]
23. Getting to know DirSync
It’s actually Forefront Identity Manager
Copies AD accounts into Office 365
But not back down
Doesn’t sync passwords
Filtering now available
Can have sizing issues
Upload sizing
Database sizing
FIM: no touchy! (maybe)
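Because DirSync is one-way and runs unattended, the useful checks are on the receiving side: is sync enabled, when did it last succeed, and which accounts are actually mastered on-premises versus created directly in the cloud. This script is an added example, not part of the deck; it assumes the Microsoft Online Services Module for Windows PowerShell (MSOnline) is installed, that you sign in with a tenant admin credential, and that LastDirSyncTime is reported in UTC. The six-hour staleness threshold is an assumption based on the tool's default three-hour cycle; tune it to your schedule.

```powershell
# Added example (not from the deck): tenant-side health check for DirSync.
# Assumptions: MSOnline module installed; tenant admin credential; the sync
# timestamp is UTC; 6 hours (two default 3-hour cycles) counts as stalled.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant admin credential

$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) {
    Write-Warning 'Directory synchronization is not activated for this tenant'
}

$maxAge = New-TimeSpan -Hours 6   # assumption: two missed cycles means the appliance is stalled
if ($info.LastDirSyncTime) {
    $age = (Get-Date).ToUniversalTime() - $info.LastDirSyncTime
    if ($age -gt $maxAge) {
        Write-Warning ("Last successful sync was {0:N1} hours ago" -f $age.TotalHours)
    }
} else {
    Write-Warning 'No successful sync recorded yet'
}

# A synced user carries LastDirSyncTime; a cloud-mastered (MSO ID) user does not.
$all    = @(Get-MsolUser -All)
$synced = @($all | Where-Object { $_.LastDirSyncTime })
$cloud  = @($all | Where-Object { -not $_.LastDirSyncTime })

"Synced from AD: $($synced.Count)   Cloud-only: $($cloud.Count)"

# Cloud-only accounts live outside the on-premises password policy and never
# get SSO, so they are the ones to review (and to keep out of admin roles).
$cloud | Select-Object UserPrincipalName, IsLicensed, LastPasswordChangeTimestamp |
    Format-Table -AutoSize
```

The synced/cloud-only split also tells you whether someone has been creating accounts in the portal "just this once"; those accounts will not be touched by a later AD FS rollout and keep their own credentials, which is the two-password-sets problem from the identity options slide.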
25. Who does what around here?
Role-based Administration (RBAC)
External access
27. Office 365 admin roles
Global administrator
Billing administrator
Password administrator
Services administrator
User management administrator
Delegated administrator
See the Office 365 Support Services Description document for more info:
http://tinyurl.com/o365SvcDescrs
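The roles above are only useful for least privilege if somebody periodically reads back who holds them. The following audit is an added example, not part of the deck or of the service description it links; it assumes the MSOnline module and an admin credential, that the module exposes the Global administrator role under the name "Company Administrator", and that four is the ceiling you want on that role (an assumption; pick your own). Role members can be users, groups or service principals, and only users carry the password flags, so the script handles the other member types without failing.

```powershell
# Added example (not from the deck): who holds which Office 365 admin role, and
# which admins are cloud-mastered with weak password settings.
# Assumptions: MSOnline module installed; admin credential; Global administrator
# is reported as "Company Administrator"; more than 4 of them is too many.
Import-Module MSOnline
Connect-MsolService

$report = @(foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Groups and service principals have no password attributes; only look up users
        $u = if ($m.RoleMemberType -eq 'User') { Get-MsolUser -ObjectId $m.ObjectId } else { $null }
        [pscustomobject]@{
            Role         = $role.Name
            Member       = $m.EmailAddress
            Type         = $m.RoleMemberType
            Synced       = [bool]($u -and $u.LastDirSyncTime)          # mastered on-premises?
            StrongPwd    = if ($u) { $u.StrongPasswordRequired } else { $null }
            NeverExpires = if ($u) { $u.PasswordNeverExpires } else { $null }
        }
    }
})

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Least-privilege check 1: keep the Global administrator list short
$globals = @($report | Where-Object { $_.Role -eq 'Company Administrator' })
if ($globals.Count -gt 4) {   # assumption: your own ceiling goes here
    Write-Warning "$($globals.Count) Global administrators; this list should be short"
}

# Least-privilege check 2: cloud-only admins are outside the on-prem password policy
# and outside SSO/2FA, so their own settings are all that protects the tenant
$report |
    Where-Object { $_.Type -eq 'User' -and -not $_.Synced -and (-not $_.StrongPwd -or $_.NeverExpires) } |
    ForEach-Object { Write-Warning "$($_.Role): $($_.Member) is cloud-mastered with weak password settings" }
```

Schedule the report rather than running it once; delegated administrators added by a partner, and the Password administrator role in particular, tend to accumulate quietly and are the accounts an attacker who phishes one tenant credential will go looking for.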
28. External access
Allows external users access to SharePoint Online
No USLs required
Not full Extranet
Users can have:
MSO ID
Live ID
EASI ID
It’s a Feature Preview…
30. Managing Identity in Office 365
Admin activities do not go away
AD FS is complex
And important!
PowerShell is your friend
How’s your internet connection?
Office 365 is constantly changing