TechNet

Agenda
• Identity scenarios under Office 365: overview and comparison
• Office 365, Windows Azure, Windows Intune and Dynamics CRM: leveraging shared synergies
• Multi-Factor Authentication
• Deploying O365 ProPlus with Windows Intune (Office 365 together with Windows Azure and Windows Intune)
• Information Rights Management (IRM) from the cloud
• Resources

Identity scenarios under Office 365: overview and comparison
http://technet.microsoft.com/en-us/library/jj573650.aspx

Two account types:
• Microsoft Account, e.g. alice@outlook.com
• Organizational Account, e.g. alice@contoso.com

Three identity models:
• Cloud Identity: a single identity in the cloud; suitable for small organizations with no integration to on-premises directories.
• Directory & Password Synchronization*: a single identity; suitable for medium and large organizations without federation.
• Federated Identity: a single federated identity and credentials; suitable for medium and large organizations (on-premises SAML 2.0 identity provider).

Windows Azure Active Directory Sync Tool update
• The tool is downloaded from the Office 365 admin portal.
• Synchronizes user passwords from on-premises AD to Azure AD (Office 365).
• Only a one-way hash of the password is synchronized to WAAD, so the original password cannot be reconstructed from it.
• Respects on-premises password policies.
• Cannot sync passwords for federated users, but can co-exist with federation.
• More details on TechNet: http://aka.ms/sync

Directory Sync Tool (with Password Sync) or Active Directory Federation Services?
• Same password to access resources
• Can control password policies on-premises
• Support for two-factor authentication*
• No password re-entry if on-premises
• Client access filtering by IP or by time schedule
• Authentication occurs on-premises
• Can immediately block disabled accounts
• Change password available from the web
• Works with Forefront Identity Manager
* Azure AD offers some 2FA features that are available with an AD FS deployment on-premises.

SSO with AD FS

Comparison of the options

Criterion | Cloud Identity | Directory Sync | Password Sync | Graph API | FIM | Single Sign-On
Org size | Small | All | All | Large | Large | Large
Control of attributes in directory | Least control | Full control via on-premises directory | Full control via on-premises directory | Can control core attributes and select optional | Can control core attributes and select optional | Full control via on-premises directory
Source of authority | Cloud | On-premises | On-premises | Cloud | On-premises | On-premises
Hardware requirements | No on-premises hardware required | Windows Server OS for DirSync appliance | Windows Server OS for DirSync appliance | Machine to run PowerShell jobs on | Forefront Identity Manager (FIM) with Office 365 Connector | DirSync appliance plus AD FS (or other STS) deployment
Login experience | Disjoint username/password for on-premises and cloud | Disjoint username/password for on-premises and cloud | Same username/password for on-premises and cloud | Disjoint username/password for on-premises and cloud | Disjoint username/password for on-premises and cloud | Same username/password for on-premises and cloud
Credential prompts | Enter credentials twice | Enter credentials twice | Enter credentials twice | Enter credentials twice | Enter credentials twice | Log in once if on-premises

[Topology diagrams: Active Directory with directory synchronization, AD FS and AD FS Proxy, and a VPN tunnel between data centers]

http://www.microsoft.com/en-us/download/details.aspx?id=38845
http://technet.microsoft.com/en-us/library/hh852466.aspx
http://www.flexecom.com/deploy-dirsync-on-windows-server2012-for-office-365-part-4

Office 365, Windows Azure, Windows Intune and Dynamics CRM: leveraging shared synergies
AAD*: Azure Active Directory
www.office365.ch
https://portal.microsoftonline.com
https://manage.windowsazure.com
http://www.microsoft.com/en-us/windows/windowsintune/try.aspx
https://manage.microsoft.com/WindowsIntune/App.aspx
https://portal.microsoftonline.com/Commerce/Catalog.aspx

Demo setup
• On-premises Active Directory: contoso.com (~250 accounts)
• Directory Synchronization: sync AD user data into the cloud
• Microsoft Cloud: Azure Active Directory, tenant dsdemo.onmicrosoft.com; users in dsdemo.onmicrosoft.com
• Add the UPN suffix (ideally before installing DirSync)!

Tools: ADRAP, O365 OnRamp, Microsoft Office 365 Deployment Readiness Tool, Windows Azure Active Directory Sync tool (64-bit), IdFix DirSync Error Remediation Tool

Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
• AD domain-based
• Organizational unit-based
• User attribute-based
Additional filtering capabilities are available with the O365 Connector. Preventing the synchronization of specific attributes is not supported.

Multi-Factor Authentication
http://blogs.technet.com/b/ad/archive/2013/06/12/windows-azure-active-authentication-multi-factor-for-security-and-compliance.aspx
1. Users sign in from any device using their existing username/password. Credentials are checked in Windows Azure AD. Then Active Authentication is triggered for additional verification.
2. Users must also authenticate using their phone or mobile device before access is granted.

Deploying O365 ProPlus with Windows Intune

Anatomy of the Click-to-Run installation process
Initiator:
• Virtual file system added in initiator context
• Runs until 10% progress
Virtual File System Streaming Service:
• Streaming begins
• The IntegratedOffice.exe process moves to system context at 10%
• Office apps may be launched at ≈ 15%
• Usually 2 minutes or less
Apps ready for use, caching:
• Office caching focuses on launched apps and features
• Total 3-5 minutes depending on connection
• Final ≈ 10% installs add-ins, licensing, etc.
Finalizing

Deployment flow (Office 365 Service to end users' PCs)
1. Add users to Office 365 tenant
2. Download Office Deployment Tool (setup)
3. Use setup to download C2R packages
4. Customize configuration XML
5. Add C2R packages to software distribution infrastructure
6. Deploy C2R packages with setup and configuration XML
7. Layer on add-ins and customizations† (optional add-ins, dependent apps, Office files, etc.)
† As applicable

Streamlining the deployment tool belt: Windows Intune (*VLSC); demo: Office_CDN.xml
• Deployment options (full package or just setup)
• Intune initiated with streaming from Office CDN

Mobile Device Management with Windows Intune
Demo setup: on-premises Active Directory users → Directory Synchronization (sync AD user data into the cloud) → Azure Active Directory (dsdemo.onmicrosoft.com) → sync user data to Windows Intune & O365

Windows Intune for the Enterprise
• Platforms: Windows PCs (x86/64, Intel SoC), Windows To Go, Windows Embedded, Mac OS X, Windows RT, Windows Phone 8, iOS, Android
• IT: single admin console
• Unified infrastructure enables IT to manage devices "where they live"
• Comprehensive settings management across platforms, including certificates, VPNs, and wireless network profiles
• IT can manage the device and application lifecycle

Windows Intune for SMB
• Platforms: Windows PCs (x86/64, Intel SoC), Windows RT, Windows Phone 8, iOS, Android
• IT: web-based admin console
• Manage up to 4,000 users and 7,000 devices

Platforms: line-of-business apps (sideloaded)
Windows 8/Windows RT: *.appx (Yes) | Windows Phone 8: *.xap (Yes) | iOS: *.ipa (Yes) | Android: *.apk (Yes)
Deep links to store apps (install from store); web shortcuts installed on the device desktop.

Capability | Windows 8/8.1 Enterprise/Pro | Windows 8/8.1 RT | Windows Phone 8 | iOS | Android
Enroll (local device) | Yes | Yes | Yes | Yes | EAS
Rename devices | Yes | Yes | Yes | Yes | No
Retire (un-enroll local device) | Yes | Yes | Yes | No | No
Wipe (remotely, other devices) | Yes | Yes | Yes | No | No
Install enterprise LOB applications | Yes | Yes | Yes | Yes (via MWP) | Yes
Install publicly available applications | Yes | Yes | Yes | Yes | Yes
Browse to web links | Yes | Yes | Yes | Yes | Yes
Contact IT | Yes | Yes | Yes | Yes | Yes

Information Rights Management (IRM) via RMS* from the cloud
RMS*: Rights Management Service
Information Protection in 2013: Hybrid RMS, Generic Protection, and iOS/Android/WinRT Support (video): http://channel9.msdn.com/Events/TechEd/Europe/2013/WCA-B322
Information Protection in 2013: Hybrid RMS, Generic Protection, and iOS/Android/WinRT Support (slides): http://video.ch9.ms/sessions/teched/eu/2013/WCA-B322.pptx

Resources
http://msdn.microsoft.com/library/windowsazure/jj673460.aspx
http://blogs.technet.com/b/ad/archive/2013/06/12/windows-azure-active-authentication-multi-factor-forsecurity-and-compliance.aspx
http://technet.microsoft.com/en-us/library/dn249479.aspx
http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
http://community.office365.com/en-us/blogs/office_365_community_blog/archive/2012/04/26/deployingoffice-365-client-applications-with-windows-intune.aspx
https://onramp.office365.com/OnRamp

Appendix: Office 365 Security & Privacy
• No advertising: we don't build advertising products out of customer data
• No data mining: we don't scan the contents of customer email or documents for analytics or data mining
• No co-mingling: business data and consumer data are stored separately
• Data is portable: customers own the data and can remove their data whenever they choose
• Data maps: customers know where their data is stored
• Role-based access: customers know who can access their data and why
• Compliance notifications: customers can stay in the know by choosing to receive updates regarding changes to security, privacy, and audit information
Independently verified: ISO 27001, EU Model Clauses, HIPAA-HITECH, FERPA, FISMA, U.K. G-Cloud IL2, CJIS

Relentless on security
• 24-hour monitored physical datacenters
• Logical isolation of data between tenants
• Segregation of the internal datacenter network from external networks
• Encryption at rest and in transit (AD-RMS)
• Securing access to services via identity
• Data loss prevention
• Anti-virus/anti-spam

Service continuity
• 99.9% uptime
• Financial guarantees on uptime
• Redundancy in both functionality and data
• Automated monitoring and recovery systems
• 24x7 on-call engineering team available to handle issues

We use customer data for just what customers pay us for: to maintain and provide the Office 365 service.

Microsoft Online Services customer data: permitted uses
Use | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and troubleshooting the service | Yes | Yes | Yes | Yes
Security, spam and malware prevention | Yes | Yes | Yes | Yes
Improving the purchased service, analytics | Yes | Yes | Yes | No
Personalization, user profile, promotions | No | Yes | No | No
Communications (tips, advice, surveys, promotions) | No | No/Yes | No | No
Voluntary disclosure to law enforcement | No | No | No | No
Advertising | No | No | No | No

Who may access customer data
Role | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to a support inquiry. | Yes, only as required in response to a support inquiry. | Yes, only as required in response to a support inquiry. | No.
Engineering | Yes. | No direct access; may be transferred during troubleshooting. | No direct access; may be transferred during troubleshooting. | No.
Partners | With customer permission; see Partner for more information. | With customer permission; see Partner for more information. | With customer permission; see Partner for more information. | With customer permission; see Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business customers for marketing purposes). | No. | No.
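As an added example for the Office 365 ProPlus deployment steps in the deck (this is not code from the original slides or from Microsoft), the following PowerShell script writes an Office Deployment Tool configuration in the style of the demo's Office_CDN.xml and runs the download phase (step 3) and the configure phase (step 6). The ODT directory, the distribution share and the language list are assumptions.

```powershell
# Added example, not from the original deck: builds the Office Deployment Tool
# configuration XML for Office 365 ProPlus (Click-to-Run) and runs the setup
# phases from the deployment steps. Assumes setup.exe from the Office
# Deployment Tool is in $OdtDir; the share path is a placeholder.
param(
    [string]$OdtDir     = 'C:\ODT',              # assumed location of setup.exe
    [string]$ConfigName = 'Office_CDN.xml',      # file name used in the deck's demo
    [switch]$DownloadToShare,                    # step 3: cache the C2R packages locally
    [string]$SourcePath = '\\fileserver\O365'    # placeholder distribution share
)

# Without a SourcePath attribute setup streams the packages straight from the
# Office CDN ("Intune initiated with streaming from Office CDN"); with it, the
# packages cached in the distribution share are used (full-package option).
$addAttributes = 'OfficeClientEdition="32"'
if ($DownloadToShare) { $addAttributes += " SourcePath=`"$SourcePath`"" }

$configXml = @"
<Configuration>
  <Add $addAttributes>
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

# Fail early on malformed XML rather than handing a broken file to setup.exe.
try { [xml]$parsed = $configXml } catch { throw "Configuration XML is not well-formed: $_" }
if (-not $parsed.Configuration.Add.Product) { throw 'Configuration lacks a Product element.' }

$configPath = Join-Path $OdtDir $ConfigName
Set-Content -Path $configPath -Value $configXml -Encoding UTF8
$setup = Join-Path $OdtDir 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found in $OdtDir" }

if ($DownloadToShare) {
    # Step 3: download the C2R packages into the share named in SourcePath.
    & $setup /download $configPath
    if ($LASTEXITCODE -ne 0) { throw "setup.exe /download failed with exit code $LASTEXITCODE" }
}

# Step 6: install from the same XML. Display Level="None" with AcceptEULA="TRUE"
# keeps the run silent, which an Intune-initiated software distribution requires.
& $setup /configure $configPath
if ($LASTEXITCODE -ne 0) { throw "setup.exe /configure failed with exit code $LASTEXITCODE" }
```

Run it once with -DownloadToShare on the machine that feeds the software distribution infrastructure (step 5), and without the switch on the client when Intune should stream from the CDN.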