Office 365 Identity: Why do we care about identity?
Office 365 Identity: the most common passwords and their MD5 hashes

Rank  Password   MD5 hash
1     password   5f4dcc3b5aa765d61d8327deb882cf99
2     123456     e10adc3949ba59abbe56e057f20f883e
3     12345678   25d55ad283aa400af464c76d713c07ad
4     1234       81dc9bdb52d04dc20036dbd8313ed055
5     qwerty     d8578edf8458ce06fbc5bb76a58c5ca4
6     12345      827ccb0eea8a706c4c34a16891f84e7b
7     dragon     8621ffdbc5698829397d97767ac13db3
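The table makes the point only half way: an unsalted digest of a common password is not a secret at all. The following is an added example, not code from the deck, that builds a lookup table from the seven passwords on the slide and applies it to a constructed "leaked" hash dump (the user names and the dump are made up), then shows why a per-user salt and a slow KDF stop that lookup from working.

```python
"""Added example (not from the slide deck): why unsalted password hashes are a
liability. The wordlist is the slide's table; the leaked dump is constructed."""
import hashlib
import os

# Top passwords from the slide (a real wordlist has millions of entries).
WORDLIST = ["password", "123456", "12345678", "1234", "qwerty", "12345", "dragon"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, as stored in many breached databases."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute digest -> plaintext once; the same table works against every dump."""
    return {md5_hex(w): w for w in words}


def crack(hash_dump: dict, lookup: dict) -> dict:
    """Return {username: plaintext} for every digest that is in the table.
    No hashing happens here at all: it is a dictionary lookup per user."""
    return {user: lookup[digest] for user, digest in hash_dump.items() if digest in lookup}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Contrast: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256) means
    two users with the same password get different digests and no precomputed
    table applies."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


# Constructed "leaked" dump of unsalted MD5 digests (names are fictional).
LEAKED = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob":   "e10adc3949ba59abbe56e057f20f883e",
    "carol": "d8578edf8458ce06fbc5bb76a58c5ca4",
    "dave":  "0d107d09f5bbe40cade3de5c71e9e9b7",   # a digest WORDLIST does not cover
}

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print(crack(LEAKED, table))          # three of four accounts recovered instantly
    # Same password, two users, two different digests: no shared table possible.
    print(salted_hash("password", os.urandom(16)) != salted_hash("password", os.urandom(16)))
```

The asymmetry is the whole argument for the rest of the deck: once credentials leak in this form, passwords alone cannot be the control, which is why the identity model, MFA and conditional access matter.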
Enable the right individuals to access the right resources at the right times and for the right reasons.
Office 365 Identity Protect Empower
Office 365 identity models
Cloud/Managed: zero on-premises servers
Synchronized: on-premises directory, Azure AD Connect
Federated: on-premises directory, Azure AD Connect, federation; the identity stays on-premises
Enables Supported across platforms
Timeline (slide graphic): beginning of the OAuth discussion group, draft, OAuth 1.0, OAuth 2.0, Microsoft
Why do enterprises like it?
Update versions: https://blogs.technet.microsoft.com/office_sustained_engineering/
Diagram (Modern Auth components): the Outlook client (MSO) contains ADAL, a web browser control, the authentication stack and the HTTP transport stack. Exchange Online receives the access token. The identity provider (Evo.STS, i.e. Azure AD) with its directory issues the access and refresh tokens; the federated identity provider (AD FS or other) with the on-premises directory issues the SAML token.
Modern Auth Exchange Online Federated (1): Outlook connects with an empty Bearer header and is challenged

POST https://outlook.office365.com/mapi/emsmdb/?MailboxId=bd6382b1-d54e-4cae-952b-5adaafe3e3bd@contoso.net HTTP/1.1
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer
User-Agent: Microsoft Office/15.0 (Windows NT 6.3; Microsoft Outlook 16.0.7329; Pro)
X-RequestId: {51D3E2BE-2415-4049-B77F-11DBF5A88BB9}:1
Client-Request-Id: {5A866872-7E74-440E-88C9-48D30A6DBB41}
X-ClientApplication: Outlook/16.0.7329.1000
X-User-Identity: john.doe@contoso.net
X-RequestType: Connect
Host: outlook.office365.com

The service answers 401 Unauthorized (Content-Type: application/mapi-http, request-id f910d760-5a2f-4457-bade-5671824e8576) with a WWW-Authenticate: Bearer challenge that tells the client which authorization server and issuer to use; the full response follows on the next slide.
Boarding Pass
Access Token (Bearer)
Modern Auth Exchange Online Federated (2): the 401 challenge

HTTP/1.1 401 Unauthorized
request-id: f910d760-5a2f-4457-bade-5671824e8576
X-CalculatedBETarget: AM5PR0701MB2737.namprd06.prod.outlook.com
X-BackEndHttpStatus: 401
X-RequestId: {51D3E2BE-2415-4049-B77F-11DBF5A88BB9}:1
X-DiagInfo: AM5PR0701MB2737
X-BEServer: AM5PR0701MB2737
X-FEServer: AM4PR08CA0041
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", Basic Realm=""
Modern Auth Exchange Online Federated (3): the client asks Azure AD for an authorization code

GET https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&redirect_uri=urn%3aietf%3awg%3aoauth%3a2.0%3aoob&resource=https%3a%2f%2foutlook.office365.com%2f&nux=1&login_hint=john.doe%40contoso.net HTTP/1.1
client-request-id: 34d8419e-eb4b-47b3-a05b-e57a830338b5
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; InfoPath.3; Microsoft Outlook 16.0.7329)
Host: login.microsoftonline.com
Modern Auth Exchange Online Federated (4): Azure AD redirects the browser control to the federated IdP (AD FS) with WS-Federation parameters

Redirect target: https://sts.contoso.net:443/adfs/ls/?login_hint=john.doe%40contoso.net&username=john.doe%40contoso.net&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQII...

GET https://sts.contoso.net/adfs/ls/?login_hint=john.doe%40contoso.net&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&username=john.doe%40contoso.net&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAePiLjPUM9Az... HTTP/1.1
client-request-id: 34d8419e-eb4b-47b3-a05b-e57a830338b5
Host: sts.contoso.net
Modern Auth Exchange Online Federated (5): AD FS serves its forms-based sign-in page

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 16056
Expires: -1
Date: Mon, 2 Feb 2017 18:23:20 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Cache-Control: no-cache, no-store
Pragma: no-cache
x-frame-options: DENY

<!DOCTYPE html>
<html lang="en-US">
<...AD FS forms-based authentication page...>
</html>

The form is pre-filled with john.doe@contoso.net.
Modern Auth Exchange Online Federated: dump the AD FS global authentication policy and properties to a file for review (PowerShell on the AD FS server)

@("$(Get-AdfsGlobalAuthenticationPolicy | ConvertTo-Json -Depth 10)", "$(Get-AdfsProperties | ConvertTo-Json -Depth 10)") | Out-File C:\temp\adfsauthNdump.txt -Force
Modern Auth Exchange Online Federated (6): the user's credentials are posted to AD FS

POST https://sts.contoso.net/adfs/ls/?login_hint=john.doe%40contoso.net&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&username=john.doe%40contoso.net&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline... HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: sts.contoso.net

UserName=john.doe@contoso.net&Password=****%21&AuthMethod=FormsAuthentication
Modern Auth Exchange Online Federated (7): AD FS returns a signed SAML token inside an auto-posting form aimed at Azure AD

HTTP/1.1 200 OK
[...]
<html><head><title>Working...</title></head><body>
<form method="POST" name="hiddenform" action="https://login.microsoftonline.com:443/login.srf">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="
  <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
    <t:Lifetime>
      <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-19T13:22:31.255Z</wsu:Created>
      <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-19T14:22:31.255Z</wsu:Expires>
    </t:Lifetime>
    [...]
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>john.doe@contoso.net</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>AEqVh3bpMUW4aXfNlFLPsw==</saml:AttributeValue>
    </saml:Attribute>
    [...]
    <ds:SignatureValue>...</ds:SignatureValue>
" />

The two claims Azure AD keys on are the UPN and the ImmutableID (the on-premises object identifier synchronized by Azure AD Connect); the token is valid for one hour.
Modern Auth Exchange Online Federated (8): the SAML token is posted to Azure AD and exchanged for an authorization code

POST https://login.microsoftonline.com/login.srf?client-request-id=34d8419e-eb4b-47b3-a05b-e57a830338b5 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

The 302 response hands the authorization code back on the oob redirect URI; the client then posts the code to the token endpoint on login.windows.net:

<h2>Object moved to <a href="urn%3aietf%3awg%3aoauth%3a2.0%3aoob%3fcode%3d<oobcode>...">

Resulting request:

POST https://login.windows.net/common/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client-request-id: 34d8419e-eb4b-47b3-a05b-e57a830338b5

grant_type=authorization_code&code=<oob code>...
Modern Auth Exchange Online Federated (9): Azure AD returns the access and refresh tokens

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
x-ms-request-id: 6244ce53-096a-48e3-9a61-b3d517d7625b
client-request-id: 34d8419e-eb4b-47b3-a05b-e57a830338b5

{"token_type":"Bearer",
 "scope":"user_impersonation Contacts.ReadWrite Calendars.ReadWrite Mail.Send Mail.ReadWrite Group.ReadWrite.All Files.ReadWrite.All",
 "expires_in":"3600",
 "expires_on":"1463515539",
 "not_before":"1463511639",
 "resource":"https://outlook.office365.com/",
 "access_token":"eyJ0eXAi...",
 "refresh_token":"AAABAAACIL9K..."}
Modern Auth Exchange Online Federated (10): Outlook repeats the connect with the access token

POST https://outlook.office365.com/mapi/emsmdb/?MailboxId=91158760-975b-4018-a0cb-cb562919d98e@contoso.onmicrosoft.com HTTP/1.1
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer eyJ0eXAi...
Modern Auth Exchange Online Federated (11): the mailbox session is established and bound to cookies

HTTP/1.1 200 OK
Content-Type: application/mapi-http
request-id: 7d8640e6-9d97-4013-b98e-b1eb6448bbf5
X-BackEndHttpStatus: 200
Set-Cookie: MapiRouting=UlVNOjcwNmVkN2NkLTc1MjMtNDIxMS1hYTk2LTdlNWQ3YjBjODI3MDqkiig+hn7TCA==; path=/mapi/; secure; HttpOnly
Set-Cookie: MapiContext=MAPIAAAAAOer/q78zfW4+sr+zvrZ69vq3PHB9Nno3//P+ML3xvzN+KKBs4KwiLGHvoa2gagOAAAA; path=/mapi/emsmdb; secure; HttpOnly
Set-Cookie: MapiSequence=0-UO0MYQ==; path=/mapi/emsmdb; secure; HttpOnly
X-RequestType: Connect
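The eleven slides above are easiest to reason about as a small piece of client logic: read the Bearer challenge, build the authorization request, pull the code off the oob redirect, and turn it into the authorization_code grant. The following is an added example, not code from the deck or from Outlook/ADAL, that does exactly that as pure data handling with nothing sent over the network. The challenge string and the redirect are constructed from the trace; the Office client_id and the oob redirect URI are the ones in the GET /authorize request. The challenge advertises login.windows.net while the trace's GET goes to login.microsoftonline.com; both host names front the same Azure AD service, so the example uses whatever the challenge says.

```python
"""Added example (not from the slide deck): the client side of the trace above,
from the 401 challenge to the authorization-code grant, as pure data handling."""
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# WWW-Authenticate value of the 401 response, constructed to match the trace.
CHALLENGE = ('Bearer client_id="00000002-0000-0ff1-ce00-000000000000", '
             'trusted_issuers="00000001-0000-0000-c000-000000000000@*", '
             'token_types="app_asserted_user_v1 service_asserted_app_v1", '
             'authorization_uri="https://login.windows.net/common/oauth2/authorize", '
             'Basic Realm=""')

OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"   # from the trace
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"                   # from the trace
RESOURCE = "https://outlook.office365.com/"

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Extract the Bearer parameters: the service tells the client which
    authorization server to talk to and which issuer it will trust."""
    if not header.startswith("Bearer "):
        raise ValueError("not a Bearer challenge")
    bearer_part = header.split("Basic", 1)[0]   # drop the trailing Basic realm
    return dict(_PARAM.findall(bearer_part))


def build_authorize_url(challenge: dict, login_hint: str) -> str:
    """Authorization request with the same parameters Outlook sends in the trace."""
    query = {
        "response_type": "code",
        "client_id": OFFICE_CLIENT_ID,
        "redirect_uri": OOB_REDIRECT,
        "resource": RESOURCE,
        "nux": "1",
        "login_hint": login_hint,
    }
    return challenge["authorization_uri"] + "?" + urlencode(query)


def code_from_redirect(location: str) -> str:
    """Pull the authorization code out of the oob redirect. The 302 body in the
    trace percent-encodes the whole URN, so decode before splitting."""
    qs = parse_qs(urlsplit(unquote(location)).query)
    if "code" not in qs:
        detail = qs.get("error_description", ["no code and no error"])[0]
        raise ValueError("authorization failed: " + detail)
    return qs["code"][0]


def build_code_grant(code: str) -> dict:
    """Form body for POST /common/oauth2/token with the authorization_code grant."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": OFFICE_CLIENT_ID,
        "redirect_uri": OOB_REDIRECT,
        "resource": RESOURCE,
    }


if __name__ == "__main__":
    ch = parse_bearer_challenge(CHALLENGE)
    print(build_authorize_url(ch, "john.doe@contoso.net"))
    code = code_from_redirect("urn%3aietf%3awg%3aoauth%3a2.0%3aoob%3fcode%3dAQABAAIAAAD")
    print(build_code_grant(code))
```

Two things worth noticing when debugging a real trace with this in hand: the client never chooses the authorization server itself, it follows the challenge, so a tampered or proxied 401 is the first place a man-in-the-middle would try to intervene; and the federated hop to AD FS happens entirely inside the browser control between the authorize request and the oob redirect, which is why it does not appear in the token exchange at all.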
aka. ms/SSOProviders
Multifactor Authentication?
User experience: the Office 365 experience
Always protected: identity-driven security and real-time fraud alerts
Scalable: a reliable, scalable service that supports high-volume, mission-critical scenarios
Simplicity: an additional layer of protection with easy setup, and users can use their own devices
Access/refresh token exchange

POST https://login.windows.net/common/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client-request-id: 34d8419e-eb4b-47b3-a05b-e57a830338b5

grant_type=refresh_token&refresh_token=AAABAAACIL9K...
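What the client does between receiving the token response and sending the refresh request on this slide is the part the trace cannot show. The following is an added example, not code from the deck or from ADAL, that takes a token response shaped like the one in the trace (same scope, resource, expires_on and not_before), reads the expiry and audience out of the access token, and decides whether to reuse it, refresh it, or fall back to an interactive sign-in. The JWT is constructed, unsigned sample data standing in for the real eyJ0eXAi... token, so this code deliberately never verifies a signature: the client only inspects exp and aud, and Exchange Online is the party that validates the token.

```python
"""Added example (not from the slide deck): handling the token response and
deciding when to run the refresh exchange. The token response and the JWT are
constructed to mirror the trace; signatures are not checked here."""
import base64
import json

TOKEN_ENDPOINT = "https://login.windows.net/common/oauth2/token"   # from the slide
OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"           # from the trace
RESOURCE = "https://outlook.office365.com/"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg none) JWT standing in for the eyJ0eXAi... token."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (client-side inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


# Token response shaped like the one in the trace (constructed).
TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "user_impersonation Contacts.ReadWrite Calendars.ReadWrite Mail.Send "
             "Mail.ReadWrite Group.ReadWrite.All Files.ReadWrite.All",
    "expires_in": "3600",
    "expires_on": "1463515539",
    "not_before": "1463511639",
    "resource": RESOURCE,
    "access_token": make_sample_jwt({"aud": RESOURCE, "upn": "john.doe@contoso.net",
                                     "nbf": 1463511639, "exp": 1463515539}),
    "refresh_token": "AAABAAACIL9K...",
}


def access_token_usable(resp: dict, now: int, skew: int = 300) -> bool:
    """True while the token is valid for resp['resource'] with `skew` seconds to spare."""
    claims = jwt_claims(resp["access_token"])
    if claims.get("aud") != resp["resource"]:
        return False          # minted for another resource; never present it here
    return int(resp["not_before"]) <= now < int(resp["expires_on"]) - skew


def next_action(resp: dict, now: int) -> str:
    """Reuse the access token, refresh it, or start a new interactive sign-in.
    The last case is what the client falls back to when the refresh is rejected,
    for example after a password reset or a conditional access change."""
    if access_token_usable(resp, now):
        return "use_access_token"
    if resp.get("refresh_token"):
        return "refresh"
    return "interactive_signin"


def build_refresh_grant(resp: dict) -> dict:
    """Form body for the refresh exchange on the slide (POST TOKEN_ENDPOINT)."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": resp["refresh_token"],
        "client_id": OFFICE_CLIENT_ID,
        "resource": resp["resource"],
    }


def authorization_header(resp: dict) -> str:
    """Value of the Authorization header on the MAPI request."""
    return resp["token_type"] + " " + resp["access_token"]


if __name__ == "__main__":
    print(next_action(TOKEN_RESPONSE, 1463511700))   # fresh token
    print(next_action(TOKEN_RESPONSE, 1463515500))   # inside the skew window
    print(build_refresh_grant(TOKEN_RESPONSE))
```

The skew window is why a client refreshes a few minutes before expires_on rather than on a 401; the audience check is why a token obtained for one resource is never replayed against another. Conditional access and the session-termination steps later in the deck act on the refresh exchange, not on an access token that is already issued, which is what the token lifetimes slide is about.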
Client access filtering Conditional Access Policies
Scenarios Clients
Pass-through Authentication identity model: an on-premises agent validates passwords against Active Directory on behalf of Microsoft Azure Active Directory
Great user experience: the same passwords sign in to cloud and on-premises apps; SSPR integrated
Secure: passwords are validated on-premises; conditional access policies apply; all AD changes take effect immediately
Easy to deploy and administer: deploy agents on existing servers (including DCs); auto-update and trust renewal; no DMZ requirements; high availability by running multiple agents
aka.ms/ptauth and aka.ms/hybrid/sso
Azure AD B2B Collaboration: aka.ms/addb2busers
Alternate Login ID
Cloud (contoso.com): UPN tim@contoso.com, Email tim@contoso.com
On-premises: UPN tim@contoso.local, Login CONTOSODOMAIN\Tim, Email tim@contoso.com (the mail attribute is used as the sign-in name instead of the non-routable UPN)
Outlook Disconnected at Startup
https://technet.microsoft.com/en-us/library/jj683102.aspx
New default token lifetimes; configure token lifetimes
Remove a former employee from Office 365

What you can do | How you do it
Terminate a session (Outlook on the web, Outlook, Exchange ActiveSync, etc.) and force a new session | Reset the password
Terminate a session and block access to future sessions (for all protocols) | Disable the account, for example in the Exchange admin center or with PowerShell: Set-Mailbox user@contoso.com -AccountDisabled:$true
Terminate the session for a particular protocol (such as ActiveSync) | Disable the protocol, for example in the Exchange admin center or with PowerShell: Set-CASMailbox user@contoso.com -ActiveSyncEnabled:$false

If you terminate from | How long it takes
The Exchange admin center or PowerShell | expected delay within 30 min
The Azure Active Directory admin center | expected delay 60 min
An on-premises environment | expected delay 3 hours or more
https: //testconnectivity. microsoft. com/
Office Configuration Analyzer Test Connectivity Scenarios Office 365 Client Performance Analyzer
MFA: Azure Multi-Factor Authentication. Azure MFA videos and demos: http://aka.ms/emsblog
Training available from LinkedIn Learning on this session's topic: Office 365: Manage Identities using Azure AD Connect, https://aka.ms/365enterpriseident. Experience premium Office 365 IT admin training for free at support.office.com, brought to you by Microsoft in partnership with LinkedIn Learning. Free online training provides a ramp-up on the critical skills you need to deploy, manage, and support Office 365. Find the new training in the Office 365 Admin Center and online at aka.ms/365Enterprise
Please evaluate this session. Your input is important! https://myignite.microsoft.com/evaluations https://aka.ms/ignite.mobileapp