70-346 Managing Office 365 Identities

Presentation Description

No worries now for 70-346 exam because Pass4Sure leaves no chance for failure. 100% guaranteed success with Pass4Sure 70-346 preparation material.


Presentation Transcript

Office 365 Identity Management:

Office 365 Identity Management Complete Study Guide

Agenda:

1 Identity Management Overview
2 Recently Announced…
3 Identity Integration Options

Identity management overview:


Identity management:

Identity management deals with identifying individuals in a system and controlling access to the resources in that system. The integral components of identity and access management are:
Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is authorized to perform on the network.
http://www.pass4sureexam.co/70-346.html

More identity terms:

Single Sign On (SSO): the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged into one does not need to log in again for the second. YAUP is what you get if you don’t have SSO.
Security Assertion Markup Language (SAML): a public standard managed by OASIS. SAML is the identity token and also the protocol. SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth.
Relying Party (RP): the system that relies on the Identity Provider to authenticate a user.
WS-Federation / WS-Trust: WS-Federation is used for web browser based authentication with an IDP. WS-Trust is used by Office rich client apps to authenticate.

Microsoft cloud services:

[Diagram: a user with a Microsoft Account signs in to Microsoft Account; a user with an Organizational Account signs in to Windows Azure Active Directory.]

Common identity platform for organizational accounts:

Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts. [Diagram: Windows Azure Active Directory provides the directory store and the authentication platform for Microsoft cloud services and for your app.]

Office 365 Identity:

Three identity models:
Cloud Identity: a single identity in the cloud (Windows Azure Active Directory); suitable for small organizations with no integration to on-premises directories.
Directory Synchronization: an on-premises identity synchronized to Windows Azure Active Directory by Directory Sync; a single identity, suitable for medium and large organizations without federation.
Federated Identity: an on-premises identity with federation plus Directory Sync to Windows Azure Active Directory; a single federated identity and credentials, suitable for medium and large organizations.

Recent Additions:


Windows Azure Active Directory Sync Tool Update:

Password synchronization: synchronizes user passwords from on-premises AD to Azure AD (Office 365). Only a one-way hash of the password is synchronized to WAAD, such that the original password cannot be reconstructed from it. Respects on-premises password policies. Can’t sync passwords for federated users, but can co-exist with federation. The tool is downloaded from the Office 365 admin portal. More details on TechNet: http://aka.ms/sync
SAML2 Identity Provider support.

Directory Sync Tool or Active Directory Federation Services:

[Comparison table: Password Sync versus SSO with AD FS, with the following criteria]
Same password to access resources
Can control password policies on-premises
Support for two factor authentication *
No password re-entry if on premises
Client access filtering by IP or by time schedule
Authentication occurs on-premises
Can immediately block disabled accounts
Change password available from web
Works with Forefront Identity Manager
* Azure AD offers some 2FA features that are available with ADFS deployment on-premises.

Active Authentication: Why Multi-Factor:

Your data and applications are under attack.
Passwords are easily compromised.
Consumerization of IT has only increased the scope of vulnerability.
Strengthening regulatory requirements call for strongly authenticating access.

Enterprise authentication using any phone:

Mobile Apps: Out-of-Band Push, One-Time Passcode
Phone Calls: Out-of-Band Call
Text Messages: Out-of-Band Text, One-Time Passcode

Architecture:

[Architecture diagram: ISV/CSV apps, Microsoft apps and custom LOB apps authenticate users against Windows Azure Active Directory, which in turn invokes Active Authentication.]
1. Users sign in from any device using their existing username/password; credentials are checked in Windows Azure AD.
2. Active Authentication is then triggered for additional verification: users must also authenticate using their phone or mobile device before access is granted.

App Passwords:

Provides rich client login as an alternative to Multi Factor Auth.
Not for administrators.
16 characters, randomly generated.
Currently in preview.

Windows Azure Active Directory Provisioning Updates:

Azure Active Directory Graph API: REST API for programmatic access to data in Azure AD. Can build multi-tenant applications, or custom LOB apps.
Azure Active Directory Connector for FIM 2010 R2: can be used for multi-forest synchronization and non-AD sources. Public beta starts on Connect soon.

Identity integration options:


Identity integration options:

Six options, compared by organization size, control of directory attributes, source of authority, hardware requirements and login experience:

1 Cloud Identity
  Org size: Small
  Control of attributes in directory: Least control
  Source of authority: Cloud
  Hardware requirements: No on-premises hardware required
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

2 Directory Sync
  Org size: All
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: Windows Server OS for DirSync appliance
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

3 Password Sync
  Org size: All
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: Windows Server OS for DirSync appliance
  Login experience: Same username and password for on-premises and cloud; enter credentials twice

4 Graph API
  Org size: Large
  Control of attributes in directory: Can control core attributes and select optional ones
  Source of authority: Cloud
  Hardware requirements: Machine to run PowerShell jobs on
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

5 FIM
  Org size: Large
  Control of attributes in directory: Can control core attributes and select optional ones
  Source of authority: On-premises
  Hardware requirements: Forefront Identity Manager with Office 365 Connector
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

6 Single Sign-On
  Org size: Large
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: DirSync appliance plus ADFS (or other STS) deployment
  Login experience: Same username and password for on-premises and cloud; log in once if on-premises

Cloud identity:

Option 1. Rich experience with Office Apps. Ease of deployment, management and support. Lower cost, as no additional on-premises servers are required. High availability and reliability, as all identities and services are managed in the cloud. [Diagram: user with a cloud identity (Ex: [email protected]) in Windows Azure Active Directory.]

Directory Synchronization:

Option 2. Rich experience with Office Apps. Directory synchronization between on-premises and online: identities are created and managed on-premises and synchronized to the cloud. Single identity and credentials, but no single sign-on for on-premises and Office 365 services. Reuses the existing directory implementation on-premises. [Diagram: on-premises identity in AD (Ex: Domain\Alice) is synchronized by Directory Synchronization to a cloud identity (Ex: [email protected]) in Windows Azure Active Directory.]

Password Synchronization:

Option 3. Rich experience with Office Apps. Directory synchronization between on-premises and online: identities are created and managed on-premises and synchronized to the cloud. Single identity and password credentials, but no single sign-on for on-premises and Office 365 services. Reuses the existing directory implementation on-premises. [Diagram: on-premises identity in AD (Ex: Domain\Alice) is synchronized, together with a one-way password hash, by Directory Synchronization to a cloud identity (Ex: [email protected]) in Windows Azure Active Directory.]
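Added example (not from the deck): a read-only PowerShell check of which of the identity models above a tenant is actually running, using the MSOnline (Windows Azure AD) module. It assumes an admin session and that the tenant's DirSync runs on the default three-hour cycle; both are assumptions, not facts from the slides.

```powershell
# Added example, not the deck's code. Requires the MSOnline module and a
# Connect-MsolService session with tenant admin rights.
Import-Module MSOnline
Connect-MsolService

$StaleAfterHours = 3   # assumption: DirSync default cycle; adjust to your schedule

function Get-IdentityModelReport {
    $company  = Get-MsolCompanyInformation
    $dirSync  = [bool]$company.DirectorySynchronizationEnabled
    $pwSync   = [bool]$company.PasswordSynchronizationEnabled
    $lastSync = $company.LastDirSyncTime   # reported in UTC
    $cutoff   = (Get-Date).ToUniversalTime().AddHours(-$StaleAfterHours)
    $stale    = $dirSync -and ($null -eq $lastSync -or $lastSync -lt $cutoff)

    # Each verified domain is Managed (cloud or synced password) or Federated
    $domains = Get-MsolDomain -Status Verified | ForEach-Object {
        $model = if ($_.Authentication -eq 'Federated') {
            'Federated identity (on-premises STS)'
        } elseif (-not $dirSync) {
            'Cloud identity'
        } elseif ($pwSync) {
            'Directory sync with password sync'
        } else {
            'Directory sync, cloud-managed password'
        }
        [pscustomobject]@{ Domain = $_.Name; Model = $model }
    }

    # Objects the sync engine could not write (duplicate UPN, proxyAddress, etc.)
    $errors = if ($dirSync) { @(Get-MsolUser -HasErrorsOnly -All) } else { @() }

    [pscustomobject]@{
        DirSyncEnabled      = $dirSync
        PasswordSyncEnabled = $pwSync
        LastDirSyncTime     = $lastSync
        SyncStale           = $stale       # true: investigate the DirSync server
        UsersWithSyncErrors = $errors.Count
        Domains             = $domains
    }
}

$report = Get-IdentityModelReport
$report | Format-List DirSyncEnabled, PasswordSyncEnabled, LastDirSyncTime, SyncStale, UsersWithSyncErrors
$report.Domains | Format-Table -AutoSize
```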

Scoping and Filtering for Synchronization:

Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
AD domain-based
Organizational Unit-based
User attribute-based
Additional filtering capabilities will become available with the O365 Connector. Preventing the synchronization of specific attributes is not supported.

Multi-forest AD:

[Diagram: several on-premises AD forests (on-premises identity, Ex: Domain\Alice) are synchronized to Windows Azure Active Directory by DirSync on FIM, with federation using ADFS.]

Multi-forest decision flowchart:

[Multi-forest decision flowchart. Start: number of Active Directory forests (single (1) or multiple (>1)). Further decisions: number of Exchange orgs (none (0), single (1) or multiple (>1)); “disjoint” account forests?; “disjoint” account forests and Exchange org accessed by accounts in the same forest?; want to consolidate to a single forest?; need on-premises org consolidation (see consolidation whitepaper, then continue after consolidation). Outcomes: use single-forest DirSync, use multi-forest DirSync, or use the Office 365 Connector.]

Powershell / Graph REST API:

Option 4. Suitable for small/medium size organizations with AD or non-AD directories. Performance limitations apply with PowerShell and Graph API provisioning. PowerShell requires scripting experience. The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning).
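Added example (not from the deck): a small self-service provisioning wrapper of the kind option 4 describes, built on the MSOnline PowerShell module, which creates cloud identities and requires Active Authentication (multi-factor) on each of them. The CSV rows, the contoso.onmicrosoft.com names and the licence SKU are constructed placeholders; `Microsoft.Online.Administration.StrongAuthenticationRequirement` is the MSOnline type used to set the per-user MFA requirement.

```powershell
# Added example, not the deck's code. Assumes the MSOnline module and a tenant
# admin session. Replace TENANT_PLACEHOLDER with the tenant name shown by
# Get-MsolAccountSku before running.
Import-Module MSOnline
Connect-MsolService

$LicenseSku = 'TENANT_PLACEHOLDER:ENTERPRISEPACK'   # placeholder; see Get-MsolAccountSku

# Constructed sample input; in practice: Import-Csv .\users.csv
$NewUsers = @'
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
alice@contoso.onmicrosoft.com,Alice Example,Alice,Example,AU
bob@contoso.onmicrosoft.com,Bob Example,Bob,Example,AU
'@ | ConvertFrom-Csv

# Multi-factor (Active Authentication) requirement applied to every new user
$Mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$Mfa.RelyingParty = '*'
$Mfa.State = 'Enabled'

foreach ($u in $NewUsers) {
    # Idempotent: never overwrite an account that already exists
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping existing user $($u.UserPrincipalName)"
        continue
    }

    # No -Password given: the service generates one; force a change at first sign-in
    $created = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -DisplayName $u.DisplayName -FirstName $u.FirstName -LastName $u.LastName `
        -UsageLocation $u.UsageLocation -LicenseAssignment $LicenseSku `
        -ForceChangePassword $true

    # Require MFA before the account is handed over
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($Mfa)

    # Emit the one-time password for delivery out of band (not by e-mail to the new mailbox)
    [pscustomobject]@{
        User         = $created.UserPrincipalName
        InitialPass  = $created.Password
        Licensed     = $created.IsLicensed
        MfaRequired  = $true
    }
}
```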

Office 365 Connector for Forefront Identity Manager:

Option 5. Suitable for large organizations with certain AD and non-AD scenarios: complex multi-forest AD scenarios, and non-AD synchronization through Microsoft Premier deployment support. Requires Forefront Identity Manager and additional software licenses.

Federated identity:

Option 6. Single identity and sign-on for on-premises and Office 365 services. Identities mastered on-premises with a single point of management. Directory synchronization to synchronize directory objects into Office 365. Secure token based authentication. Client access control based on IP address with ADFS. Strong factor authentication options for additional security with ADFS. [Diagram: on-premises identity (Ex: Domain\Alice) in AD or a non-AD directory, connected to Windows Azure Active Directory by federation and directory synchronization.]

Federation options:

Shibboleth (SAML): works with AD and other directories on-premises
Suitable for educational organizations
Recommended where customers may use existing non-ADFS identity systems
Single sign-on
Secure token based authentication
Support for web clients and Outlook (ECP) only
Microsoft supported for integration only; no Shibboleth deployment support
Requires on-premises servers & support

ADFS: works with AD
Suitable for medium and large enterprises, including educational organizations
Recommended option for Active Directory (AD) based customers
Single sign-on
Secure token based authentication
Support for web and rich clients
Microsoft supported
Works for Office 365 hybrid scenarios
Requires on-premises servers, licenses & support

Third-party STS (Works with Office 365 - Identity): works with AD & non-AD
Suitable for medium and large enterprises, including educational organizations
Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
Single sign-on
Secure token based authentication
Support for web and rich clients
Third-party supported
Works for Office 365 hybrid scenarios
Requires on-premises servers, licenses & support
Verified through the ‘Works with Office 365’ program

‘Works with Office 365 – Identity’:

A program for third-party on-premises identity providers to interoperate with Office 365. The objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365. On TechNet: http://aka.ms/SSOProviders
Benefits: flexibility; reuse of investments; coordinated support; qualified by Microsoft; partner plus confidence.

‘Works with Office 365 – Identity’:

[Diagram: on-premises Security Token Services connect to Office 365 over WS-Trust & WS-Federation, WS-Federation alone, or SAML-P; for example Active Directory with ADFS.] http://bit.ly/17D5Dq0

Client access control:

Part of ADFS. Limits access to Office 365 based on network connectivity (internet versus intranet):
Block all external access to Office 365 based on the IP address of the external client.
Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked.
Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online.
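Added example (not from the deck): the three client access control scenarios above expressed as ADFS issuance authorization rules on the Office 365 relying party trust, applied with the ADFS PowerShell cmdlets. It assumes ADFS 2.1 or later with an ADFS proxy in front (the proxy is what adds the x-ms-proxy claim) and that the 203.0.113.0/24 address pattern is replaced by the organisation's own public egress addresses.

```powershell
# Added example, not the deck's code. Run on the primary ADFS server.
Import-Module ADFS

$Trust = 'Microsoft Office 365 Identity Platform'
# Placeholder corporate egress range 203.0.113.0/24 as a claim-rule regex
$CorpPublicIps = '\b203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\b'
$ctx  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$deny = 'http://schemas.microsoft.com/authorization/claims/deny'

# "External" = request arrived via the proxy AND not from a corporate address
$External = "exists([Type == `"$ctx/x-ms-proxy`"]) && " +
            "NOT exists([Type == `"$ctx/x-ms-forwarded-client-ip`", Value =~ `"$CorpPublicIps`"])"

# Scenario 1: block all external access
$BlockAllExternal = @"
@RuleName = "Deny external"
$External => issue(Type = "$deny", Value = "true");
"@

# Scenario 2: block external access except Exchange ActiveSync
$AllowOnlyEas = @"
@RuleName = "Deny external except ActiveSync"
$External && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$deny", Value = "true");
"@

# Scenario 3: block external access except passive (browser) sign-in
$AllowOnlyBrowser = @"
@RuleName = "Deny external except browser"
$External && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "$deny", Value = "true");
"@

# The default permit rule stays in place; an issued deny claim wins over permit
$PermitAll = '@RuleName = "Permit all" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Apply one scenario (here: scenario 3) and read back what is now in force
Set-AdfsRelyingPartyTrust -TargetName $Trust -IssuanceAuthorizationRules ($AllowOnlyBrowser + "`n" + $PermitAll)
(Get-AdfsRelyingPartyTrust -Name $Trust).IssuanceAuthorizationRules
```

Test each rule set from an external client before leaving it in place: a too-broad regex in x-ms-forwarded-client-ip locks out every remote user, while a too-narrow one silently permits them.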

WAAD Identity with other cloud services:

Identity managed in Windows Azure AD. Single sign-on for Office 365 and other cloud services, federated with a single cloud identity. ISV applications or SaaS providers can integrate using APIs on Windows Azure AD. [Diagram: a user's cloud identity (Ex: [email protected]) in Windows Azure Active Directory is used by Office 365 and by ISV apps, SaaS providers or your app.]

Summary:

Cloud identities – Windows Azure Active Directory
Directory Sync from on-premises
Directory Sync from on-premises (with Password Sync)
Graph API and PowerShell
Forefront Identity Manager
Federation (or Single Sign-On): ADFS (WS-Federation and WS-Trust), Shibboleth (SAML-P)
Active Authentication for multi-factor
Works with Office 365 – Identity

Resources:

Developer Network: resources for developers, http://msdn.microsoft.com/en-au/
Learning: Virtual Academy, http://www.microsoftvirtualacademy.com/
TechNet: resources for IT professionals, http://technet.microsoft.com/en-au/
Sessions on Demand: http://channel9.msdn.com/Events/TechEd/Australia/2013

Keep Learning:

Keep up to date with all the latest Office 365 information at http://ignite.office.com
Get on top of your pilot using the FastTrack deployment process: http://fastTrack.office.com
Trial Office 365: http://office.microsoft.com

Slide36:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
