1. Identity and Directory
Synchronization in Office365 and
Azure AD
Brian Desmond

2. Intro
• Chicago based
• Active Directory & Identity consultant
– Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O’Reilly
– You should own a copy!
e-mail: brian.desmond@edgile.com
e-mail: brian@briandesmond.com
website & blog: www.briandesmond.com
@brdesmond

3. Agenda
• Identity Management in the Cloud
• Directory Synchronization with DirSync
• Federated Identity with Active Directory
Federation Services

4. IDENTITY IN OFFICE 365

5. Identity Options
• Identities can be mastered in
– Office365
– Active Directory
• Single Sign On (SSO) is optional
– Keeps passwords out of O365
– Greatly improves the end user experience
• DirSync and ADFS may be required to meet your goals

6. Mastering Identities in Office365
•
•
•
•
Separate Microsoft Online ID for each user
Separate passwords stored in the cloud
Very easy to deploy
Support costs may be higher with differing
passwords and password policies
• Manage your users with PowerShell or the Online
Services administration center

7. Mastering Identities in Active Directory
• Two options
– Separate Microsoft Online ID for each user
– Federated identities
• Requires Windows Azure Active Directory Directory Synchronization
for either option
– Sync Active Directory data to the cloud
– Passwords can be synchronized
• Without federation or password sync, users still maintain a separate
password in the cloud
• Enables rich coexistence scenarios

8. Federated Identity
• Users are authenticated via on-premise ADFS
environment
• DirSync sends objects and key attributes to the cloud
• Password is always maintained (and only exists) onpremise
• Requires additional infrastructure for ADFS
– Access to any Office 365 service requires ADFS to be
available!

9. Identity Architecture Comparison
Microsoft Online IDs
• Pros
• No servers required
• Simple setup
• Cons
• Separate user accounts
and password policies
• Potentially higher
support costs
Microsoft Online IDs with
DirSync
• Pros
• Coexistence possible
• Provisioning /
deprovisioning
performed on-premise
• Cons
• Requires additional
servers
• Separate user accounts
and password policies
• Potentially higher
support costs
Federated IDs with DirSync
• Pros
• Coexistence possible
• Provisioning /
deprovisioning
performed on-premise
• Passwords managed
on-premise
• Two-factor
authentication possible
• Cons
• Requires additional
servers
• Complex to implement
and manage

10. DIRSYNC – WINDOWS AZURE
ACTIVE DIRECTORY DIRECTORY
SYNCHRONIZATION

11. What Does DirSync Enable?
•
Enables Identity and Application coexistence
– Identities are managed on premises
•
•
Copies users, groups, and contacts into Office 365
Enables easy identity federation
– Enables application coexistence
•
•
On-premises Microsoft Exchange and Microsoft Lync services work with their corresponding cloud
services.
Lync users, on-premises IM cloud users, and on-premises mail routes to the cloud (and the cloud
routes back to on premises).
– Enables rich coexistence features in Exchange, including write-back to the on-premises
directory
•
Populates the Windows Azure Active Directory service
– Can be used with other Microsoft cloud services, federation with third party cloud services
and applications

12. What’s Under the Hood?
• Shrink wrapped appliance version of Forefront Identity Manager
(FIM)
– Frequent updates
– http://social.technet.microsoft.com/wiki/contents/articles/18429.win
dows-azure-active-directory-sync-tool-version-release-history.aspx
• Appliance is preconfigured to synchronize everything in your AD
with Office 365
– Passwords are not synchronized to Azure AD by default
• There are very few settings which can be configured in DirSync (in a
supported manner)

13. DirSync Challenges
•
The native DirSync appliance does not support a number of potential customer scenarios
–
–
•
A custom FIM deployment with the Azure AD connector can be built to address these
scenarios
–
–
•
Requires deep subject matter expertise in FIM
FIM deployment now has a dependency on changes and upgrade requirements for Azure
Many common Active Directory data errors will cause directory synchronization errors
–
•
Multi-forest Active Directory topologies
Authoritative data sources other than Active Directory
Use IdFix toolset to identify and correct data - http://www.microsoft.com/enus/download/details.aspx?id=36832
Tenants that require more than 100,000 synchronized objects must contact Microsoft
support to have their tenant limit raised
–
This can take some time – plan in advance

14. User Principal Names
• Users will login to Office365 with their UPN
– Ideally this matches the user’s primary email address
• UPN must be a routable domain that you can prove ownership of
– No .local domains
– No domains that you don’t own
• Multiple UPN suffixes are acceptable
• You may need to re-assign or scrub UPNs in your forest
– Communicate UPN to your users if it doesn’t match email address

15. IdFix Toolset

16. Server Requirements
•
•
Windows Server 2008 R2 or Windows Server 2012
Domain Joined
– Cannot be a domain controller
•
SQL Server Express Edition
– 50,000 or more objects requires full SQL Server installation
– SQL Server 2008 R2 or better is supported
•
Virtually no advantage to increasing CPU count
– The FIM Synchronization Service is a single threaded application
– Memory and disk I/O will improve sync performance if you have a large environment
•
DirSync appliance could be installed on an Azure virtual machine
– Configure a point-to-site virtual network VPN in Windows Azure

17. DirSync Installation Prerequisites
• Enterprise Administrator level Active Directory permissions
• Setup will perform a number of tasks
– Create a service account for DirSync in the forest root domain
– Delegate the service account permissions to use the DirSync
LDAP control in Active Directory
– Optionally delegate the service account access to write-back
attributes
• Once setup is complete, elevated privileges are no longer
necessary

18. DirSync On-Premises Active Directory Changes
Exchange Full Fidelity feature
Write Back To attribute
Filtering Coexistence provides on-premises filtering with cloud
sourced safe/blocked sender data
SafeSendersHash
BlockedSendersHash
SafeRecipientHash
Online Archive mailbox in the cloud
msExchArchiveStatus
Move mailboxes back and forth between cloud and onpremises; Outlook auto-complete and calendaring fidelity
proxyAddresses
(Adds cloud LegacyExchangeDN value)
Enable cloud based Unified Messaging (voicemail) with onpremise Lync deployment
msExchUCVoiceMailSettings
Cross-premises mailbox delegation
publicDelegates
Cross-premises litigation hold management
msExchUserHoldPolicies

19. DirSync Installation

20. Password Synchronization
• DirSync was updated in June 2013 to support synchronization of
password hashes to the cloud
– Synchronizes passwords for all users in scope of DirSync
– Hash of the on-premises Active Directory password hash is sent to the
cloud
• Password changes are synchronized to the cloud every two minutes
• Office365 Change password button is hidden for users that have a
synchronized password
– User is also configured such that their cloud password never expires

21. Common DirSync Tweaks
• Run DirSync manually
–
–
%ProgramFiles%Windows Azure Active Directory SyncDirSyncConfigShell.psc1
Start-OnlineCoexistenceSync
• Filter objects in specific organizational units or domains
– Modify container selection in “Active Directory Connector” Management
Agent
• Filter objects based on an attributes in AD
– Create a connector filter in “Active Directory Connector” Management Agent
• If you make an error and erroneously filter objects, they will be deleted
from Office 365
– Deletes are “soft” and objects can be recovered for thirty days
C:Program FilesWindows Azure Directory SyncSYNCBUSSynchronization ServiceUIShellmiisclient.exe

22. Container Selection in DirSync

23. Configuring a Connector Filter

24. Troubleshooting Bad Data

25. FEDERATED AUTHENTICATION

26. Application Authentication Before Federation
• Standalone credential stores
• Integrated with Active Directory via LDAP
– Forms based pages
– Custom code
• Windows Integrated Authentication
– NTLM
– Kerberos
• How do we extend these options into the cloud?

27. What is Federation?
• Standardized (sort of) mechanism to assert
identity across boundaries
• Works great with web applications – all HTTP(S)
• No Active Directory trusts required
• No Kerberos or NTLM involved between parties
• You take a federation token to the relying party
and present it to access the application

28. Federation Buzzwords: Tokens and Claims
•
How do I use/make/get tokens?
– an STS: security-token service
•
•
•
transforms one set of claims to another, issues tokens with claims
aka. Identity Provider (IdP) / Claims Provider / Claims Transformer / Federation Provider (FP)
What is a token?
– Proof of identity for a given user
– Contains a set of claims about the user
•
What is a claim?
•
•
•
assertion made by the STS about its users
used to make authorization & personalization decisions
Who & what supports them?
– a “claims-aware application”

29. What’s a Claim?
•
Attribute Value Pairs
– Role : “Marketing”
• “I am a member of the Marketing group”
– Email : “brian@briandesmond.com”
• “My email address is …”
– HomeTown : “Chicago”
• “I am from Chicago.”
•
Populated using information from
–
–
–
–
Active Directory
AD Lightweight Directory Service (AD LDS)
SQL database
Custom source

30. The Cast
A. DatumFabrikam
Account Forest
(Users)
Federation Trust
Contoso
(Resource)
Active Directory
AD FS
User
AD FS
Resource

31. The Federation Trust
• The ADFS servers need to exchange information securely
– Send public key for the token-signing certificate
– Tokens are verified by relying party using this key
• During the setup process you’ll agree on the signing keys,
claims formats, etc.
• Each application will trust a single ADFS server (or server
farm)
– the ADFS server can have many applications that trust it
– the ADFS server can trust one or more ADFS/federation servers

32. The ADFS Passive Logon Process
A. DatumFabrikam
Account Forest
(Users)
Trey
Office365
Federation Trust Research
Resource Forest
(Resource)
Active Directory
AD FS
User
AD FS
SharePoint

33. ADFS with Outlook and ActiveSync
A. DatumFabrikam
Account Forest
(Users)
Trey
Office365
Federation Trust Research
Resource Forest
(Resource)
Active Directory
AD FS
User
AD FS
Exchange

34. ADFS Server Topology Options
• Single internal federation server and a single federation server proxy
• Load balanced servers proxies
– You can use an alternative reverse proxy if you have a need or existing
infrastructure
• Geographically redundant ADFS servers
Two important points
1. Treat your ADFS servers with the same level of security as AD Domain
Controllers
2. Keep in mind that Office 365 availability depends on your ADFS service!

35. ADFS and SQL Server
• ADFS requires SQL Server to store configuration information
– SQL Express
– Full SQL Server installation
• ADFS will replicate data between servers if using SQL Express
– SQL Express does not offer token replay detection or SAML artifact
resolution
• If using full SQL install, don’t forget to account for SQL high
availability
– SQL Server clustering within a given site
– SQL Server mirroring between sites

36. Highly Available Single Site ADFS Deployment
Enterprise Network
DMZ
Active
Directory
AD FS 2.X
Server
AD FS 2.X
Server
AD FS 2.X
Server
Proxy
AD FS 2.X
Server
Proxy
NLB

37. Highly Available Multi Site ADFS Deployment
Site A Enterprise Network
Site A DMZ
Active
Directory
GLB
NLB
AD FS 2.X
Server
AD FS 2.X
Server
NLB
GLB
AD FS 2.X
Server
Proxy
SQL Server
Cluster
SQL Mirroring
AD FS 2.X
Server
Proxy
Site B Enterprise Network
Site B DMZ
Active
Directory
AD FS 2.X
Server
GLB
AD FS 2.X
Server
Proxy
AD FS 2.X
Server
SQL Server
Cluster
NLB
AD FS 2.X
Server
Proxy
NLB
GLB

38. Office 365 ADFS Configuration
• Install ADFS servers and ADFS proxies
• Run configuration scripts to configure ADFS for
Office365 integration
• Setup federated domains in Office 365 tenant
– Use *-MsolFederated* PowerShell cmdlets
• Testing
– www.testexchangeconnectivity.com
– MOSDAL tool - http://support.microsoft.com/kb/960625

39. Third Party On-Premises STS’
• Office365 supports a number of third party federation
services (STS – security token service)
• The list continues to evolve however these third party
options are currently supported
– OptimalIDM
– Ping Federate
– Shibboleth (common in Higher Education)
• Limitations may apply to third party solutions – be sure to
do your research

40. Summary
• AAD DirSync will connect your AD to Office365
• Plan to spend time cleaning your AD data first
• Federation is critical as applications move to
the cloud

41. Questions?

42. Please evaluate the session
before you leave
