39.
Attribute                  Object Type
MSExchArchiveStatus        User
MSExchBlockedSendersHash   User
MSExchSafeRecipientsHash   User
MSExchSafeSendersHash      User
MSExchUCVoiceMailSettings  User
ProxyAddresses             User, Contact, Group
57. Microsoft Online Services
[Diagram: on-premises Active Directory and Exchange Server synchronise through DirSync and the DirSync Web Service into the Online Directory, which serves SharePoint Online, Live ID, Exchange Online and Lync Online.]

Microsoft Online Services object: logon-enabled user (unlicensed), mail-enabled user (not mailbox-enabled)
ProxyAddresses:
  SMTP: John.Doe@contoso.com
  smtp: John.Doe@contoso.onmicrosoft.com
TargetAddress:
  John.Doe@contoso.com

On-premises object: user, mailbox-enabled
ProxyAddresses:
  SMTP: John.Doe@contoso.com

Sync Cycle Step 1: Import users, groups and contacts from the source Active Directory forest.
Sync Cycle Step 2: Import users, groups and contacts from Microsoft Online Services via AWS.
Sync Cycle Step 3: Export users, groups and contacts that do not already exist in Microsoft Online Services.
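The objects above only flow through the sync cycle cleanly when their proxyAddresses are well-formed: exactly one primary (upper-case "SMTP:") address per object, no address shared between two objects, and no address in a domain the tenant has not verified. The following PowerShell is an added example, not code from the deck or from DirSync, that runs those checks over a small set of constructed sample objects. The function name Test-ProxyAddresses, the sample users and the verified-domain list are assumptions; for a real directory, replace the sample array with the Get-ADUser call shown in the comment.

```powershell
# Added example (not from the slide deck): pre-sync checks on proxyAddresses and
# targetAddress. The objects below are constructed samples shaped like AD users;
# for a real run replace them with:
#   $Users = Get-ADUser -Filter * -Properties proxyAddresses,targetAddress
# Assumption: contoso.com and contoso.onmicrosoft.com are the tenant's verified domains.
$VerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')

$Users = @(
    [pscustomobject]@{
        SamAccountName = 'jdoe'                # well-formed: one primary, routing address present
        proxyAddresses = @('SMTP:John.Doe@contoso.com', 'smtp:John.Doe@contoso.onmicrosoft.com')
        targetAddress  = 'SMTP:John.Doe@contoso.com'
    },
    [pscustomobject]@{
        SamAccountName = 'asmith'              # two primary addresses: sync rejects this object
        proxyAddresses = @('SMTP:Ann.Smith@contoso.com', 'SMTP:asmith@contoso.com')
        targetAddress  = $null
    },
    [pscustomobject]@{
        SamAccountName = 'bjones'              # duplicates jdoe's address, plus an unverified domain
        proxyAddresses = @('SMTP:John.Doe@contoso.com', 'smtp:bjones@fabrikam.local')
        targetAddress  = $null
    }
)

function Test-ProxyAddresses {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string[]]$VerifiedDomains
    )

    # Index every address case-insensitively so duplicates across objects are found.
    $owners = @{}
    foreach ($u in $Users) {
        foreach ($p in $u.proxyAddresses) {
            $addr = ($p -split ':', 2)[1].ToLowerInvariant()
            if (-not $owners.ContainsKey($addr)) { $owners[$addr] = @() }
            $owners[$addr] += $u.SamAccountName
        }
    }

    foreach ($u in $Users) {
        # -clike is case-sensitive: only upper-case "SMTP:" marks the primary address.
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        if ($primary.Count -ne 1) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = "expected exactly one primary SMTP: address, found $($primary.Count)" }
        }
        foreach ($p in $u.proxyAddresses) {
            $addr   = ($p -split ':', 2)[1]
            $domain = ($addr -split '@')[-1].ToLowerInvariant()
            if ($VerifiedDomains -notcontains $domain) {
                [pscustomobject]@{ User = $u.SamAccountName; Issue = "$addr is in a domain not verified in the tenant" }
            }
            $others = @($owners[$addr.ToLowerInvariant()] | Where-Object { $_ -ne $u.SamAccountName })
            if ($others.Count -gt 0) {
                [pscustomobject]@{ User = $u.SamAccountName; Issue = "$addr is also present on: $($others -join ', ')" }
            }
        }
        # Assumption: a mail-enabled object's targetAddress should also appear among
        # its own proxyAddresses, as in the John.Doe example on the slide.
        if ($u.targetAddress) {
            $t = ($u.targetAddress -split ':', 2)[1]
            if (-not ($u.proxyAddresses | Where-Object { ($_ -split ':', 2)[1] -ieq $t })) {
                [pscustomobject]@{ User = $u.SamAccountName; Issue = "targetAddress $t is not among proxyAddresses" }
            }
        }
    }
}

Test-ProxyAddresses -Users $Users -VerifiedDomains $VerifiedDomains | Format-Table -AutoSize
```

Run it before the first sync cycle and after any bulk change to mail attributes; the duplicate check is the one that bites most often, because an address already claimed by another object causes the export in step 3 to fail for that object rather than for the one that was edited.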
72. Scenario / Description

Scenario: Block all external access to Office 365
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that use Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.
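Each scenario above is an AD FS issuance authorization rule on the Office 365 relying party trust: a request is treated as external when it arrived through the AD FS proxy (the x-ms-proxy request-context claim is present) and the forwarded client IP is not in the corporate range, and the rule then issues a deny claim unless the scenario's exemption applies. The PowerShell below is an added example, not from the deck or from Microsoft's documentation, that builds the deny rule for any of the four scenarios and applies it. Assumptions: the corporate egress range is 203.0.113.0/24 (a documentation prefix standing in for the real one), the relying party carries the default display name created by Convert-MsolDomainToFederated, AD FS is 2.0 with Update Rollup 2 or later (or AD FS on Windows Server 2012 R2) so that the x-ms-* claims reach the rules, and the helper names New-ClientAccessDenyRule and Test-CorpIp are this example's own.

```powershell
# Added example (not from the slide deck). Assumes AD FS 2.0 UR2+ or AD FS 2012 R2,
# the default "Microsoft Office 365 Identity Platform" relying party, and 203.0.113.0/24
# as the corporate public range (replace with your real egress addresses).
if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell    # AD FS 2.0; the 2012 R2 module auto-loads
}

$ClaimNs    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$DenyType   = 'http://schemas.microsoft.com/authorization/claims/deny'
$PermitType = 'http://schemas.microsoft.com/authorization/claims/permit'

# "=~" in the claim rule language is a .NET regex search, so anchor the pattern and
# escape the dots: an unanchored "203.0.113." also accepts 1203.0.113.5 and 203.0.1130.5.
$CorpIpRegex = '^203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$'

# Check the pattern offline before it decides production sign-ins.
function Test-CorpIp {
    param([Parameter(Mandatory)][string]$Ip)
    return [bool]($Ip -match $CorpIpRegex)
}
@('203.0.113.42', '1203.0.113.42', '203.0.1130.5', '203.0.113.300') |
    ForEach-Object { '{0,-16} internal={1}' -f $_, (Test-CorpIp $_) }

# One deny rule per scenario from the table above. Only requests via the proxy with a
# non-corporate forwarded IP are external; the scenario adds its exemption (or, for the
# group scenario, an extra condition so only group members are blocked).
function New-ClientAccessDenyRule {
    param(
        [Parameter(Mandatory)][ValidateSet('BlockAll', 'AllowActiveSync', 'AllowBrowser', 'BlockGroup')]
        [string]$Scenario,
        [string]$GroupSidRegex    # BlockGroup only, e.g. '^S-1-5-21-<domain>-<rid>$' with the real SID
    )
    $external = "exists([Type == `"$ClaimNs/x-ms-proxy`"])`n" +
                " && NOT exists([Type == `"$ClaimNs/x-ms-forwarded-client-ip`", Value =~ `"$CorpIpRegex`"])"
    $extra = switch ($Scenario) {
        'BlockAll'        { '' }
        'AllowActiveSync' { "`n && NOT exists([Type == `"$ClaimNs/x-ms-client-application`", Value == `"Microsoft.Exchange.ActiveSync`"])" }
        'AllowBrowser'    { "`n && NOT exists([Type == `"$ClaimNs/x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])" }
        'BlockGroup'      { "`n && exists([Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value =~ `"$GroupSidRegex`"])" }
    }
@"
@RuleName = "Client access policy: $Scenario"
$external$extra
 => issue(Type = "$DenyType", Value = "true");
"@
}

# Deny always wins in AD FS authorization, so the permit-all rule can follow the deny rule.
$Rules = (New-ClientAccessDenyRule -Scenario AllowActiveSync) + @"

@RuleName = "Permit access to all users"
 => issue(Type = "$PermitType", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -IssuanceAuthorizationRules $Rules

# Read back what AD FS stored and confirm the rule text is what you intended.
(Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform').IssuanceAuthorizationRules
```

Two cautions a practitioner should carry into the rollout: the forwarded-client-IP claim is only populated for requests that came through the proxy or from Exchange Online on a client's behalf, so test from an actual external network rather than trusting the regex alone; and the ActiveSync exemption only covers the sync traffic itself, so enrol a fresh device end to end (initial setup goes through other Exchange endpoints) before declaring the policy done. Start with the group-scoped scenario on a pilot group, exactly as the table suggests, before widening it.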
77.
Cloud identity: single identity in the cloud; suitable for small organizations with no integration to on-premises directories.
Cloud identity with directory synchronization: single identity; suitable for medium and large organizations without federation*.
Federated identity: single federated identity and credentials; suitable for medium and large organizations.
78. Federation options

Shibboleth
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
• Works with AD & non-AD

AD FS
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Works with AD

Third-party identity providers
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• Requires on-premises servers, licenses & support
• Verified through the 'Works with Office 365' program
• Works for Office 365 hybrid scenarios
• Works with AD & non-AD
79. What is it?
• Qualification of third-party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third-party identity providers are used.
Program update, Jan 2014:
• Published qualification requirements
• Published technical integration docs
• Automated testing tool
• Self-testing work by partner
• Predictable and shorter qualification
[Diagram: federation protocols shown are WS-Trust & WS-Federation, WS-Federation and SAML, alongside Active Directory with ADFS.]
Customer benefits
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft
85. Two or more of the following factors:
Types of multi-factor authentication:
• Hardware OTP tokens
• Certificates
• Smart cards
• Phone-based authentication: phone call, text message and push
• Software OTP tokens
Multiple factors are required for sign-in
• Familiar to consumer cloud service users such as the Microsoft account
• A simple barrier against a compromised password being used from another country
• Addresses regulatory compliance and high-risk user scenarios
• AKA two-factor, 2FA, MFA, strong authentication
86. Powered by PhoneFactor, acquired by Microsoft in 2012
Trusted by thousands of enterprises to authenticate employee, customer and partner access
Secures applications and identities in the cloud and on-premises
89.
Feature                                                         MFA for Office 365   Windows Azure MFA
Administrators can enable/enforce MFA for end users             Yes                  Yes
Mobile app (online and OTP) as second authentication factor     Yes                  Yes
Phone call as second authentication factor                      Yes                  Yes
SMS as second authentication factor                             Yes                  Yes
App passwords for non-browser clients (e.g. Outlook, Lync)      Yes                  Yes
Default Microsoft greetings during authentication phone calls   Yes                  Yes
Custom greetings during authentication phone calls              No                   Yes
Fraud alert                                                     No                   Yes
Event confirmation                                              No                   Yes
Security reports                                                No                   Yes
Block/unblock users                                             No                   Yes
One-time bypass                                                 No                   Yes
Customizable caller ID for authentication phone calls           No                   Yes
MFA Server: MFA for on-premises applications                    No                   Yes
MFA SDK: MFA for custom apps                                    No                   Yes
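The first row of the table, "administrators can enable/enforce MFA for end users", is done per user through the MSOnline PowerShell module, and the same module shows which second factors each user has actually registered. The following is an added example, not from the deck or from Microsoft, of enabling MFA for one user and auditing the tenant. It assumes the MSOnline module is installed, that you sign in with a Global Administrator, and that the helper name Set-UserMfaState and the user john.doe@contoso.com are placeholders.

```powershell
# Added example (not from the slide deck): per-user MFA state and audit with MSOnline.
# Assumes the MSOnline module is installed and Connect-MsolService is run as a tenant admin.
Import-Module MSOnline
Connect-MsolService    # prompts for the tenant administrator credentials

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State = 'Enabled'
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array clears per-user MFA.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # apply to every relying party, not just one application
    # 'Enabled': the user is prompted to register a second factor at the next browser sign-in
    # and moves to 'Enforced' once done. 'Enforced': second factor required now; non-browser
    # clients (Outlook, Lync) stop working until the user creates an app password.
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

Set-UserMfaState -UserPrincipalName 'john.doe@contoso.com' -State 'Enabled'

# Audit: every licensed user, their MFA state, and the methods they have registered.
# A user in 'Enabled' with no methods has not completed registration yet.
Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
    [pscustomobject]@{
        User    = $_.UserPrincipalName
        State   = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                      $_.StrongAuthenticationRequirements[0].State
                  } else { 'Disabled' }
        Methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        Default = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }) -join ','
    }
} | Sort-Object State, User | Format-Table -AutoSize
```

The "app passwords for non-browser clients" row deserves a second look when reading the audit output: an app password is a long-lived static secret that lets Outlook or Lync authenticate with no second factor at all, so every enforced user with legacy clients re-introduces a password-only path. Keep that population small and plan to retire it, and treat a user whose only registered method is SMS or a voice call as weaker than one on the mobile app, since phone-based factors are exposed to number porting and call forwarding.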