Ask yourself and/or your vendors the questions below, and understand the impact on your organization. By doing so, you’ll be in a good position to choose the best way for your organization to integrate Office 365 with Active Directory and enable secure single sign-on across web, Outlook and mobile mail clients.
Microsoft has a rapidly evolving platform for cloud identity management that centers on their Active Directory brand. Below are a few questions to ponder as well as some FAQs that pertain to implementing a 100% Microsoft-based solution.
At a minimum, Office 365 will require the deployment of Azure Active Directory, Azure AD Directory Synchronization appliance (aka DirSync) and Active Directory Federation Services (AD FS). Azure AD Premium Edition includes a license to Microsoft’s MFA Server (for multi-factor authentication). The MFA Server can also enable VPN integration and RADIUS support.
Organizations with larger directories will need a full version of Microsoft SQL Server to handle the Azure AD Directory Synchronization database. Do you have more than one Active Directory forest? If so, then synchronizing multiple forests with Microsoft’s native solution set requires a custom deployment of Forefront Identity Manager 2010 R2 (FIM). Designing and deploying FIM for this purpose generally requires the use of specialized consultants plus the added burden of ongoing maintenance. If you only have one AD forest but want to sync with an additional LDAP directory then you’ll also need FIM.
As you may know, the service level agreements (SLAs) that cloud hosted services like Office 365 offer are a moot point if the AD FS infrastructure that brokers logins to these applications and services isn’t running at the same service level (or higher).
Highly available AD FS is primarily predicated on load balancing multiple sets of servers. For organizations with advanced requirements, SQL Server or a SQL Server cluster may be required to take advantage of advanced AD FS features like token replay detection and SAML artifact resolution. When AD FS is deployed in geographically dispersed data centers, then a global traffic management solution will be needed to manage requests across data centers.
The dependencies above add several layers of complexity to AD FS, and require collaboration across multiple teams. For example, in many enterprises, load balancers and global traffic management solutions (e.g. F5 Global Traffic Managers or Cisco Global Site Selectors) are generally managed by dedicated networking teams. SQL Server may require support from a database administration team, and the addition of SQL Server clustering will add a dependency on a storage management team as well.
While many of the basic directory and federation features are available for free in the basic edition, the features that make Azure AD a competitive cloud identity management solution are licensed via the premium edition. The Azure AD premium edition is licensed on a per user basis (as of the time of this writing $6 per user per month) and includes all of the premium features for each user. The premium feature set of Azure Active Directory is focused around branding and customization, group-based access control, selfservice password management, multi-factor authentication, and advanced reporting.
For a more detailed explanation of the Microsoft solution set, please refer to Choosing the Right Directory Integration Framework for Your Cloud Application Portfolio, written by Brian Desmond (a Microsoft MVP for Directory Services ten times over, author of Active Directory 5th edition, published by O’Reilly Media, and a world-renowned expert in Microsoft’s SSO solutions).
Independent identity solution providers (what Microsoft calls “third-party vendors”) have recognized the challenges of Microsoft’s native solution set. Some of these vendors have developed turnkey solutions that deliver rapid cloud identity management and SSO to Office 365 without the overhead and setup complexity of maintaining an AD FS infrastructure and related components. Below are some questions you should consider or directly ask any third party vendor vying for your business.
Independent vendor solutions come in two main deployment models: on-premises and Cloud. The cloud model offers compelling cost and security efficiencies across multiple dimensions, including patterns in infrastructure, greater automation, and discipline in process. Cloud-based identity management solutions take full advantage of these efficiencies, but is that enough for you to go cloud rather than on-premises for your Office 365 deployment?
Clearly, the more that’s happening beyond your corporate firewall, the more it makes sense to put identity in the cloud as it provides an innately more centralized control point for managing identities across all apps and devices, independent of access location (Office for iPad anyone?).
In addition to Office 365, consider your rate of adoption of additional cloud apps, how and where users will be accessing corporate applications and data, and your propensity to develop your own web apps accessible beyond your firewall.
This is especially important to understand with a cloud-based identity management solution. After all, one of the key benefits of going with Cloud IAM is to avoid the complexity of managing disparate pieces of software, hardware and tools. Most Cloud-based solutions will require an agent that sits behind your corporate firewall to securely sync back with the identity provider and out to cloud apps like Office 365. Beyond that, will you need to install a separate tool to enable Desktop SSO (integrated windows authentication)? Will you still need to use additional tools like DirSync to enable synchronization with Active Directory? Will you need to install and run PowerShell? Will you need to setup or configure any other services outside of the vendor’s solution to make it work with Office 365?
Smaller firms with less complicated directory infrastructures may never need to support more than one Active Directory forest with Office 365. However, if you do have multiple ADs and forests then make sure your vendor supports this requirement. If they do support it, be sure to ask if any additional infrastructure is required.
Many enterprises have LDAP or cloud directories like Workday and Google Apps. Is your vendor’s solution capable of creating a meta-directory from mixed directory types and presenting them as one unified cloud directory to Office 365 and other cloud apps?
Real-time directory integration means that all directories are updated whenever changes are made in one directory with the changes propagating through to connected services like Office 365 within seconds. This not only saves a tremendous amount of time and effort, but also acts as an effective “kill switch” for when employees leave the company. This is critical in order to eliminate backdoor access to Office 365 through protocols like IMAP. Unless the user is immediately disabled, unwarranted access can occur. If the vendor’s directory synchronization is batch and you are comfortable with that, then what is the default synchronization interval? Can this interval be shortened? If so, what are the implications on your infrastructure? Any scalability issues in synching at shorter intervals?
Will you ever need to manage Office 365 access outside of your on-premises Active Directory model? Today, many businesses are hiring temporary workers and external consultants. For example, let’s say you have an external graphic designer. If he was an internal employee he would belong to the marketing group in Active Directory. However, you only want the contractor to have access to a subset of the internal marketing team’s applications, including Office 365. Furthermore, you want to impose stricter security policies for outside consultants then you would for regular employees. Rather than having to modify Active Directory and create a whole new permission structure that supports this requirement, you might find it helpful to be able to do this in the identity management solution— outside of AD.
The validation by Microsoft provides the additional assurance that the identity provider has passed a series of interoperability tests with Office 365. In addition, Microsoft support teams will support your integration with the independent vendor. Microsoft maintains a list of qualified vendors on TechNet.
For each vendor, Microsoft does single sign-on interoperability tests across three sets of clients and then notes any exceptions. The three clients are:
If the vender has exceptions to their support for one or more types of clients, then how will these impact your Office 365 deployment? For example, if the vendor doesn’t support Desktop SSO (Integrated Windows Authentication) with SharePoint Online and your employees often access SharePoint while on the corporate network then what friction will that cause in the way they work? Does the vendor require the setup of additional on-premises infrastructure that you’ll have to maintain? If so, how will that affect the complexity of your network, maintenance overhead, etc.?
Automatic user provisioning allows a large user base to be quickly paired up with Office 365 licenses without having to manually update each user individually. Does the vendor’s automatic user provisioning capabilities allow you to create custom mappings based on Active Directory Groups as well as define rolebased access to Office 365? Can you preview what users will be affected by with your user provisioning mappings? Can you use the user management capabilities within the identity management solution or will you have to disable those capabilities when integrating with Office 365? Will you need to use any additional tools in order to automatically sync users?
In terms of manual Office 365 user provisioning, can you do this within the vendor’s solution or are you limited to simply importing users from Active Directory? Do you have to sync your identity management solution with Office 365 and then carry out a separate sync with Active Directory?