Complete Study Guide

Agenda
1. Identity Management Overview
2. Recently Announced
3. Identity Integration Options
Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is allowed to perform on the network.
Single Sign-On (SSO): the ability for two disjoint Identity Providers (IdPs) to trust each other so that a user signed in to one does not need to sign in again to the other. YAUP is what you get without SSO. The Relying Party (RP) is the system that relies on the Identity Provider to authenticate a user; it consumes the token the IdP issues rather than checking credentials itself.
SAML is a public standard managed by OASIS. The name covers both the identity token (the SAML assertion) and the protocol used to obtain it (SAML-P). SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth.
WS-Federation is used for web browser (passive) authentication with an IdP. WS-Trust is used by the Office rich client applications (active clients such as Outlook) to authenticate.
Diagram: a user holding either a Microsoft Account or an Organizational Account (Windows Azure Active Directory) signs in to Your App through the Windows Azure Active Directory authentication platform, which is backed by the directory store.
Identity integration options:
- Cloud Identity: a single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
- Directory Synchronization: a single identity, suitable for medium and large organizations without federation.
- Federated Identity: a single federated identity and set of credentials, suitable for medium and large organizations.
- SAML 2.0 Identity Provider.
More details on TechNet: http://aka.ms/sync
Password Sync versus SSO with AD FS

Password Sync:
- Same password used to access resources
- Password policies can be controlled on-premises
- Support for two-factor authentication *

SSO with AD FS:
- No password re-entry when on-premises
- Client access filtering by IP address or by time schedule
- Authentication occurs on-premises, so disabled accounts are blocked immediately
- Change password available from the web
- Works with Forefront Identity Manager

* Azure AD offers some 2FA features that are also available with an AD FS deployment on-premises.
Why multi-factor authentication:
- Your data and applications are under attack
- Passwords are easily compromised
- Consumerization of IT has only increased the scope of vulnerability
- Strengthening regulatory requirements call for strongly authenticating access
Multi-factor authentication flow:
1. Users sign in from any device using their existing username and password. Credentials are checked in Windows Azure AD, then Active Authentication is triggered for additional verification.
2. Users must also authenticate using their phone or mobile device before access is granted.
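The deck describes the two-step flow but not how an administrator turns step 2 on. The following is an added example, not code from the original deck or from Microsoft: it uses the MSOnline PowerShell module (Connect-MsolService, Get-MsolRole, Get-MsolRoleMember, Set-MsolUser) to require multi-factor authentication for every member of a directory role and then lists users who still have no requirement. The role name and the audit filter are assumptions; "Company Administrator" is the MSOnline name for the Global Administrator role.

```powershell
# Added example (not from the original deck): enforce Azure AD multi-factor
# authentication ("Active Authentication") for every member of a directory
# role, then audit who is still unprotected.
# Assumptions: the MSOnline module is installed and the signed-in account
# holds the Global Administrator role. Role name and audit scope are parameters.
Import-Module MSOnline

function Connect-Tenant {
    # Interactive sign-in; the admin account running this should itself be MFA-protected.
    Connect-MsolService
}

function Enable-MfaForRoleMembers {
    param(
        # MSOnline display name of the Global Administrator role
        [string]$RoleName = 'Company Administrator'
    )
    $role = Get-MsolRole -RoleName $RoleName
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' }

    # RelyingParty "*" makes the requirement apply to every application.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    # 'Enabled' prompts the user to register a phone at next sign-in;
    # 'Enforced' skips the grace period and requires the second factor immediately.
    $requirement.State = 'Enabled'

    foreach ($m in $members) {
        # Note: this parameter replaces the user's whole requirement list.
        Set-MsolUser -UserPrincipalName $m.EmailAddress -StrongAuthenticationRequirements @($requirement)
        Write-Output ("MFA enabled for {0}" -f $m.EmailAddress)
    }
}

function Get-UsersWithoutMfa {
    # Audit: licensed, sign-in-enabled users with no MFA requirement at all.
    Get-MsolUser -All |
        Where-Object {
            -not $_.BlockCredential -and
            $_.IsLicensed -and
            $_.StrongAuthenticationRequirements.Count -eq 0
        } |
        Select-Object UserPrincipalName, DisplayName
}

Connect-Tenant
Enable-MfaForRoleMembers -RoleName 'Company Administrator'
Get-UsersWithoutMfa | Format-Table -AutoSize
```

Start with the privileged roles rather than the whole tenant: the deck's own point is that passwords alone are easily compromised, and administrator accounts are where that hurts most. Check the rich-client population before enabling broadly, because clients that authenticate with WS-Trust (the Office rich clients mentioned earlier) cannot answer a phone challenge inline and need an app password instead.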
Recently announced:
- Azure Active Directory Graph API: a REST API for programmatic access to data in Azure AD. Can be used to build multi-tenant applications or custom line-of-business (LOB) apps.
- Azure Active Directory Connector for FIM 2010 R2: can be used for multi-forest synchronization and non-AD sources. Public beta starts on Connect soon.
Comparison of identity options (org size; control of attributes in directory; source of authority; hardware requirements; login experience):

Cloud Identity
- Org size: Small
- Control of attributes in directory: Least control
- Source of authority: Cloud
- Hardware requirements: No on-premises hardware required
- Login experience: Disjoint username and password for on-premises and cloud; credentials entered twice

Directory Sync
- Org size: All
- Control of attributes in directory: Full control via on-premises directory
- Source of authority: On-premises
- Hardware requirements: Windows Server OS for the DirSync appliance
- Login experience: Disjoint username and password for on-premises and cloud; credentials entered twice

Password Sync
- Org size: All
- Control of attributes in directory: Full control via on-premises directory
- Source of authority: On-premises
- Hardware requirements: Windows Server OS for the DirSync appliance
- Login experience: Same username and password for on-premises and cloud; credentials entered twice

Graph API
- Org size: Large
- Control of attributes in directory: Can control core attributes and select optional ones
- Source of authority: Cloud
- Hardware requirements: A machine to run PowerShell jobs on
- Login experience: Disjoint username and password for on-premises and cloud; credentials entered twice

FIM
- Org size: Large
- Control of attributes in directory: Can control core attributes and select optional ones
- Source of authority: On-premises
- Hardware requirements: Forefront Identity Manager with the Office 365 Connector
- Login experience: Disjoint username and password for on-premises and cloud; credentials entered twice

Single Sign-On
- Org size: Large
- Control of attributes in directory: Full control via on-premises directory
- Source of authority: On-premises
- Hardware requirements: DirSync appliance plus an AD FS (or other STS) deployment
- Login experience: Same username and password for on-premises and cloud; log in once when on-premises
Diagram (Cloud Identity): the user has a single cloud identity in Windows Azure Active Directory, e.g. alice@contoso.com.

Diagram (Directory Synchronization): on-premises AD objects are synchronized to Windows Azure Active Directory. The user has an on-premises identity (e.g. Domain\Alice) and a cloud identity (e.g. alice@contoso.com).

Diagram (Directory Synchronization with one-way password hash): as above, but the password hash is also synchronized one way from AD to Windows Azure Active Directory, so the same password works for the on-premises identity (Domain\Alice) and the cloud identity (alice@contoso.com).
Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
- AD domain-based
- Organizational Unit-based
- User attribute-based
Additional filtering capabilities will become available with the O365 Connector. Preventing the synchronization of specific attributes is not supported.
Diagram (Federation using AD FS, with DirSync on FIM): one or more on-premises AD forests are synchronized to Windows Azure Active Directory through DirSync on FIM, and the user authenticates with the on-premises identity (e.g. Domain\Alice) via AD FS federation.
Flowchart: Multi-forest decision flowchart. Starting from the number of Active Directory forests: a single forest leads to Use Single Forest DirSync. With multiple forests, the decision passes through whether the organization wants to consolidate to a single forest (if so, see the consolidation whitepaper and re-enter the flowchart after consolidation), the number of Exchange orgs (none, single, or multiple), and whether the account forests are "disjoint" (for a single Exchange org, whether it is accessed by accounts in the same forest). Outcomes: Use Single Forest DirSync, Use Multi Forest DirSync, or Use Office 365 Connector.
PowerShell and Graph API provisioning:
- Suitable for small and medium-size organizations with AD or non-AD sources
- Performance limitations apply with PowerShell and Graph API provisioning
- PowerShell requires scripting experience
- The PowerShell option can be used where the customer or partner already has wrappers around PowerShell scripts (e.g. self-service provisioning)

FIM with the Office 365 Connector:
- Suitable for large organizations with certain AD and non-AD scenarios
- Complex multi-forest AD scenarios
- Non-AD synchronization through Microsoft Premier deployment support
- Requires Forefront Identity Manager and additional software licenses
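The PowerShell provisioning option above is described only in the abstract. The following is an added example, not code from the original deck or from Microsoft: it bulk-creates cloud identities from a CSV with the MSOnline module (Connect-MsolService, Get-MsolAccountSku, Get-MsolUser, New-MsolUser), skipping accounts that already exist so the script can be re-run. The CSV layout, the contoso.com domain, the license SKU id and the usage location are assumptions.

```powershell
# Added example (not from the original deck): bulk-provision cloud identities
# in Windows Azure AD / Office 365 from a CSV using the MSOnline module.
# Assumptions: the module is installed, the signed-in account can create users,
# and the CSV path, domain, SKU id and usage location below are illustrative.
Import-Module MSOnline

function Import-CloudUsers {
    param(
        # Constructed CSV with columns: FirstName,LastName,Alias,Department
        [Parameter(Mandatory)] [string]$CsvPath,
        [string]$Domain        = 'contoso.com',             # a verified domain in the tenant (assumption)
        [string]$LicenseSku    = 'contoso:ENTERPRISEPACK',  # taken from Get-MsolAccountSku (assumption)
        [string]$UsageLocation = 'AU'                       # required before a license can be assigned
    )
    $users = Import-Csv -Path $CsvPath
    foreach ($u in $users) {
        $upn = ('{0}@{1}' -f $u.Alias, $Domain).ToLowerInvariant()

        # Idempotent: an existing account is reported and skipped, not re-created.
        $existing = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Warning "Skipping $upn (already exists)"
            continue
        }

        try {
            # No -Password given: the service generates a temporary one and returns it
            # on the created object. -ForceChangePassword makes it single-use.
            $created = New-MsolUser -UserPrincipalName $upn `
                -DisplayName ('{0} {1}' -f $u.FirstName, $u.LastName) `
                -FirstName $u.FirstName -LastName $u.LastName `
                -Department $u.Department `
                -UsageLocation $UsageLocation `
                -LicenseAssignment $LicenseSku `
                -ForceChangePassword $true

            # Hand the temporary password to the caller for out-of-band delivery;
            # do not write it to a transcript or log file.
            [pscustomobject]@{
                UserPrincipalName = $created.UserPrincipalName
                TempPassword      = $created.Password
            }
        } catch {
            Write-Error "Failed to create ${upn}: $_"
        }
    }
}

Connect-MsolService
# Check available seats before a bulk run; license assignment fails when none remain.
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits
Import-CloudUsers -CsvPath '.\new-hires.csv' | Format-Table -AutoSize
```

Accounts created this way are cloud-mastered (source of authority: Cloud, as in the comparison above), so later changes must also be made through PowerShell or the portal rather than in an on-premises directory. The performance limits the slide mentions apply per cmdlet call, so large batches should be throttled rather than parallelized.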
Diagram (Federation with Directory Synchronization): an on-premises identity (e.g. Domain\Alice) from AD or a non-AD directory is synchronized to Windows Azure Active Directory, and the user authenticates to it through federation.
Single sign-on provider options

Active Directory with AD FS (works with AD):
- Suitable for medium and large enterprises, including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on
- Secure token-based authentication
- Support for web and rich clients
- Microsoft supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support
- Protocols: WS-Trust and WS-Federation

"Works with Office 365 - Identity" third-party providers:
- Suitable for medium and large enterprises, including educational organizations
- Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
- Single sign-on
- Secure token-based authentication
- Support for web and rich clients
- Third-party supported
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses and support; verified through the "Works with Office 365" program
- Reuse investments; qualified by Microsoft
- Protocol: WS-Federation

Shibboleth (SAML), works with AD and non-AD:
- Suitable for educational organizations
- Recommended where customers may use existing non-AD FS identity systems
- Single sign-on
- Secure token-based authentication
- Support for web clients and Outlook (ECP) only
- Microsoft supported for integration only; no Shibboleth deployment support
- Works for Office 365 hybrid scenarios
- Requires on-premises servers and support; works with AD and other directories on-premises
- Protocol: SAML-P

Qualified providers: http://aka.ms/SSOProviders
More details: http://bit.ly/17D5Dq0
Client access filtering scenarios with AD FS:
- Block all external access to Office 365 based on the IP address of the external client.
- Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked.
- Block all external access to Office 365 except passive, browser-based applications such as Outlook Web Access or SharePoint Online.
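The three scenarios above are implemented as AD FS issuance authorization rules on the Office 365 relying party trust. The following is an added example, not code from the original deck or from Microsoft: it builds the deny rule for whichever scenario is chosen and appends it to the trust using the AD FS cmdlets (Get-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust) and the request-context claim types that AD FS populates for traffic arriving through the AD FS proxy. The corporate egress range 203.0.113.0/24 and the rule names are assumptions.

```powershell
# Added example (not from the original deck): add an issuance authorization
# rule to the Office 365 relying party that denies external clients, with the
# exceptions the slide lists (Exchange ActiveSync only, or passive browser only).
# Assumptions: run on an AD FS server as an AD FS administrator; 203.0.113.0/24
# stands in for the company's public egress range.

# AD FS 2.0 exposes the cmdlets as a snap-in; AD FS on Windows Server 2012 R2 loads them as a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx        = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$denyType   = 'http://schemas.microsoft.com/authorization/claims/deny'
$Office365Rp = 'Microsoft Office 365 Identity Platform'   # default trust name created by Convert-MsolDomainToFederated

function New-ExternalDenyRule {
    param(
        # Regex matched against the client's real IP; must be anchored (see usage note).
        [Parameter(Mandatory)] [string]$CorpIpRegex,
        [ValidateSet('All', 'ExceptActiveSync', 'ExceptBrowser')] [string]$Mode = 'All'
    )
    # x-ms-proxy is present only for requests that came through the AD FS proxy (i.e. external);
    # x-ms-forwarded-client-ip carries the client's IP as seen by the proxy or by Office 365.
    $conditions = @(
        "exists([Type == `"$ctx/x-ms-proxy`"])",
        "NOT exists([Type == `"$ctx/x-ms-forwarded-client-ip`", Value =~ `"$CorpIpRegex`"])"
    )
    switch ($Mode) {
        # Scenario 2: let Exchange ActiveSync through, block every other external client (Outlook included).
        'ExceptActiveSync' { $conditions += "NOT exists([Type == `"$ctx/x-ms-client-application`", Value == `"Microsoft.Exchange.ActiveSync`"])" }
        # Scenario 3: let passive (browser) sign-in through; /adfs/ls/ is the WS-Federation passive endpoint.
        'ExceptBrowser'    { $conditions += "NOT exists([Type == `"$ctx/x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])" }
    }
    $body = $conditions -join ' && '
    return "@RuleName = `"Block external access ($Mode)`"`r`n$body => issue(Type = `"$denyType`", Value = `"true`");"
}

function Add-ExternalDenyRule {
    param(
        [Parameter(Mandatory)] [string]$Rule,
        [string]$RelyingParty = $Office365Rp
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
    if (-not $rp) { throw "Relying party trust '$RelyingParty' not found" }
    # IssuanceAuthorizationRules is one string holding all rules; append rather than overwrite
    # so the existing "Permit Access to All Users" rule survives. A deny claim wins over a permit.
    $updated = ($rp.IssuanceAuthorizationRules + "`r`n" + $Rule).Trim()
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $updated
}

# Anchored: a bare "203.0.113" would also match 1203.0.113.5 or 203.0.1130.
$corpRange = '^203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'

$rule = New-ExternalDenyRule -CorpIpRegex $corpRange -Mode 'ExceptActiveSync'
Write-Output $rule          # review the generated rule text before applying it
Add-ExternalDenyRule -Rule $rule

# Verify what is now on the trust.
(Get-AdfsRelyingPartyTrust -Name $Office365Rp).IssuanceAuthorizationRules
```

Two checks before relying on this: first, the request-context claims are only populated when external traffic actually traverses the AD FS proxy (or arrives from Office 365 with the forwarded client IP), so a misrouted internal path can silently make every request look internal; second, the regex is what separates "inside" from "outside", so test it with an internal and an external client before leaving the rule in place, and remember that per the earlier slide this blocks Outlook and other rich clients that authenticate with WS-Trust unless the passive-only or ActiveSync exception is what you intended.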
Diagram (Cloud Identity for applications): a user with a cloud identity in Windows Azure Active Directory (e.g. alice@contoso.com) signs in to ISV apps, SaaS providers, or Your App using that same cloud identity.
Resources:
- http://channel9.msdn.com/Events/TechEd/Australia/2013
- http://www.microsoftvirtualacademy.com/
- http://technet.microsoft.com/en-au/
- http://msdn.microsoft.com/en-au/
Keep up to date with all the latest Office 365 information at http://ignite.office.com
- http://fastTrack.office.com
- http://office.microsoft.com