Managing Identity Lifecycles at Scale


Microsoft Azure Active Directory Deployment Guide for Retail Industry Customers

Abstract
This guide helps you deploy a unified identity and access management solution with Microsoft Azure Active Directory. The primary emphasis is on managing identity lifecycle across your corporate employees and thousands of seasonal and temporary staff.

Intended Audience
Identity Architects, Deployment Advisors, and System Integrators

The information contained in this document represents the current view of on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks of in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Azure Active Directory Deployment Guide Page ii

Table of Contents

Overview
Key Concepts
Azure AD Connect
Partner Managed Identities (B2B)
Consumer Identities (B2C)
Single Sign-On
Same Sign-On
User Principal Name
Identity Namespace
Tenant Name
Kiosk Worker
Information Worker
Identity Lifecycle
Configure the Prerequisites
Build Your Identity Organization Teams
Architectural Options for Azure AD Identity Solutions
Onboarding new off-premises identities (Kiosk Workers)
Synchronize on-premises identities (Information Workers)
What to expect during each phase of the Identity Lifecycle
Key Infrastructure Design Considerations
Tenant Name Design
User Principal Name (UPN) patterns
Sign-in Experience
Organizational Security
Reference

Overview

Azure Active Directory (AD) Premium enables you to create a unified identity and access management (IAM) system that integrates different kinds of identities from multiple sources within your organization. Azure AD Premium makes it easier to cope with typical IAM challenges such as the following:

- Multiple identity repositories. Without a single authoritative source of identity, such as an Active Directory forest, Human Resources (HR) system, Lightweight Directory Access Protocol (LDAP) directory, relational database, and so on, some organizations have no unique identity for employees, particularly casual workers.
- Different identity types. Different categories of people, such as kiosk workers, full-time employees, hourly wage workers, consumers, suppliers, partners and so on have differing identity needs and characteristics.
- Disjointed or ad-hoc tools and solutions. The typical organic evolution of many organizations' IT systems results in multiple, often incompatible solutions to address IAM challenges like group management, remote access, password management, provisioning, business to business collaboration and so on.
- Differing regulatory requirements. Specific industry sectors may need to address defined regulatory requirements. One example in the retail industry is Payment Card Industry (PCI).
- Multiple stakeholders. To compete effectively, modern agile organizations may define multiple reporting lines and areas of responsibility that span different business units within the organization.

To address these challenges, Azure AD gives you effective solutions for extending on-premises identities into the cloud through single sign-on or same sign-on authentication techniques. The following illustration provides an example of the identity lifecycle at scale solution that uses Azure AD cloud services to integrate with a complex retail on-premises infrastructure.

Figure 1: Identity Lifecycle at Scale

Key Concepts

The following sections provide background to help you understand the benefits and technical considerations of deploying and managing Azure AD.

Azure AD Connect
Azure AD Connect integrates on-premises identity systems, such as Windows Server Active Directory, LDAP directories and transactional databases, with Azure Active Directory. It also connects and authenticates your users to Office 365, Azure and thousands of Software as a Service (SaaS) applications. This integration includes on-premises identity synchronization to and from the cloud and, optionally, single sign-on configuration with Active Directory Federation Services (AD FS).
Learn More: Microsoft Azure Azure AD Connect

Partner Managed Identities (B2B)
Partner Managed Identities, such as suppliers and contractors, are not part of your organization but have a business relationship with it. An Identity-as-a-Service (IDaaS) solution would grant these identities access to your resources on a restricted basis only, with authentication through the partner organization's credentials.
Learn More: Azure AD Business to Business collaboration (B2B)

Consumer Identities (B2C)
Consumer Identities represent customers to whom you want to provide services directly. In most cases, consumers either choose an existing social identity, such as Facebook, a Microsoft account or Twitter, or sign up for an account directly, typically using their email address as an identity. A retail example would be a grocery delivery application, where customers log in and place orders online. Consumer identities can scale to large numbers.
Learn More: Azure AD Business to Consumer (B2C)

Single Sign-On
Single sign-on lets you access all the resources you need to do business by signing in once using a single user account. After signing on via password, Personal Identification Number (PIN), or smartcard, you can run any of your authorized applications or connect to shares and data stores without having to authenticate a second time.
Learn More: Azure AD Single Sign On

Same Sign-On
Same Sign-On enables use of the same set of credentials to access multiple resources. For example, an information worker logged onto his Windows computer with a username and password can go to a cloud resource and supply the same username and password to get access. Azure AD enables same sign-on through password hash synchronization.

User Principal Name
A User Principal Name (or UPN) identifies an object uniquely within Azure Active Directory. UPNs typically have a structure similar to email addresses, such as bob@contoso.com.

Identity Namespace
The Identity Namespace is the suffix of the UPN. In the case of bob@contoso.com, the identity namespace is contoso.com. The Identity Namespace is also known as the domain or UPN suffix.

Tenant Name
The Azure AD Tenant name is a string, e.g., Contoso, that you set when creating a tenant account in the Azure management portal. The tenant name is prepended to the onmicrosoft.com domain to create the initial tenant domain and UPN, in the form contoso.onmicrosoft.com. This name will be exposed to end users in some scenarios, so selecting the tenant name is a critical factor in the user experience.
See Key Considerations: Tenant Name

Kiosk Worker
Kiosk workers are users whose primary job does not involve the continual use of a dedicated device or computer. Examples include sales staff in retail stores, factory workers, or stores operatives. Typically, these employees do not require access to on-premises resources. Therefore, they might not even have an account in Active Directory; their identities are instead stored in the HR system. Azure AD enables these users to complete tasks like accessing SaaS applications for time card management (clocking in and out), collaborating, or initiating self-service HR queries such as holiday requests.

Information Worker
Information workers are typically full-time employees. These users create and consume internal information and therefore require access to corporate data. Information workers include members of the marketing, sales or design departments and so on, and may manage other employees. They use dedicated devices or computers joined to the on-premises directory, and their identities are stored in Active Directory or another directory service.

Identity Lifecycle
The Identity Lifecycle consists of phases within the IDaaS solution. These phases include the following elements:

Figure 2: Identity Lifecycle

Build Your Identity Organization Teams

Identity Organization teams and responsibilities (Team: Responsibilities)

- Identity Architecture / Development team: Designs the solution in cooperation with the stakeholders. Owns the development process and creates the user acceptance environments. Implements prototypes and drives approvals. Documents the solution design and operational procedures for hand-off to the operations team.
- On-premises Identity Operations team: Manages on-premises identity sources such as Active Directory Forests, LDAP directories, HR systems, and Federation Identity Providers. Performs any remediation tasks needed before synchronizing objects to the cloud. Provides the service accounts required for directory synchronization to take place. Provides access to configure federation to Azure AD.
- Application Technical Owners: Own the cloud apps and services that will integrate with Azure AD. Provide the applications' identity attributes that need to be synchronized.
- Azure AD Administrator: Manages the Azure AD configuration. Provides credentials to configure the synchronization service.
- Database team: Owns the database infrastructure. Procures any SQL Server instance(s) that a deployment requires, based on corporate standards.
- Network team: Owns the network infrastructure. Provides the required access at the network level for the synchronization service to access the data sources and cloud services (firewall rules, ports opened, IPsec rules and so on).
- Privacy and Compliance team: Certifies that the solution meets the organizational or governmental regulatory and information security requirements. Provides the necessary security oversight and approves the data being synchronized.
- Help Desk: Manages the support incidents connected to the migration process.
- Azure Subscription Administrator: Manages the Azure AD subscriptions in the company.

Learn More: Assign administrator roles in Azure Active Directory, Office 365

Configure the Prerequisites

Before you design your Identity Lifecycle at Scale solution, review the following process for configuring the prerequisites:

Process for configuring prerequisites

Setup Common Infrastructure
1. Create Azure AD Tenant(s). Azure AD Tenant is the home for your organization's directory in the cloud.
2. Create and configure custom domains. Users reach your cloud and on-premises resources through domains.
3. Identify Information Worker (B2E) identities and separate them from B2B (partner) and B2C (consumer) identities that might be present in on-premises directories. Different identities have different roles in your organization.
4. Identify the on-premises directories to synchronize with Azure AD. Examples include on-premises Active Directory Forest(s), HR databases etc.

Kiosk Worker
5. Identify data sources for kiosk worker identities. These are the repositories that store the kiosk employees' information. Examples include HR systems, relational databases, or even text files or spreadsheets.
6. Identify SaaS applications for kiosk workers. Applications have different requirements for user information, expressed as identity claims, and may support user provisioning.
7. Identify the attributes of kiosk worker identities and normalize them across all sources. Identify name, phone number, employee ID, and so on, on each data source, and record the semantics and possible values of each.

Information Worker
8. Filter out accounts that do not need to be synchronized. Only specific user, group and device objects need to be synchronized with Azure AD.
9. Define a strategy to identify objects uniquely. This establishes the immutable link between an on-premises object and its manifestation in the cloud.
10. Identify the attributes of initial Azure AD workloads. Define the information on each object that you want to be available in the cloud.
11. Define features for Azure AD synchronization for on-premises objects. Check items such as whether to write back passwords/devices, synchronize passwords, or propagate accounts to the cloud automatically.
12. Define the authentication approach (Federation or password hash sync). Determine whether you want Azure AD or the on-premises federation service to perform authentication. In addition, determine whether you want to keep the on-premises usernames and domain names or clean them up.
13. Remediate on-premises identities. Prepare all identities for error-free synchronization to the cloud.

Learn More:
- Get an Azure AD Tenant
- Add Domain
- Azure AD B2B collaboration
- Azure AD B2C
- Connectors
- Topologies for Azure AD Connect
- Prepare for directory sync
- Azure AD Connect sync: Configure Filtering
- Azure AD Connect: Design concepts
- Azure AD Connect sync: Attributes synchronized to Azure Active Directory
- Integrating your on-premises identities with Azure Active Directory
- Federated Identity Pattern
- Implementing password synchronization with Azure AD Connect sync
- Prepare directory attributes for synchronization with Office 365 by using the IdFix tool

Setup Common Infrastructure
Azure AD service limits and restrictions

Architectural Options for Azure AD Identity Solutions

Three main design aspects apply when managing identities at scale:

- How to onboard new identities that are not on-premises (kiosk workers)
- How to synchronize identities that are already on-premises (information workers)
- What to expect during each phase of the identity lifecycle

Onboarding new off-premises identities (Kiosk Workers)

The option of a cloud directory opens up a new set of use cases; specifically, enabling identity management for users, such as kiosk workers, who are traditionally not represented in on-premises identity stores, but may have identities stored in the company HR system. This section presents options to create these new identities and enable the new use cases. The options described assume that the provisioning and de-provisioning of these new identities ties into the company's HR application as the authoritative identity source. In the following diagrams, the on-premises synchronization component is a generic process replaceable with any of the options described in the subsequent section, Synchronize on-premises identities (Information Workers).

Option 1: Single HR system to Azure AD integration

The kiosk worker identity gets copied from the master HR system to Azure AD through an integration layer. Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD PowerShell or Azure AD.

Figure 3: Single HR system to Azure AD integration

Advantages
- Kiosk Worker identities now stored in Azure AD, while the HR system remains the authoritative source.

Tradeoffs
- Additional effort to design, implement, test and maintain the integration layer.
- Disparate tools and workflows required to manage the identity lifecycle for all the relevant identities.

Option 2: Direct inbound provisioning with Workday

With inbound provisioning, every time a new kiosk worker identity is created in Workday, it is automatically added to Azure AD.

Figure 4: Direct inbound provisioning with Workday

Advantages
- Simple integration, fully automated through the SaaS HR application.

Tradeoffs
- Inbound provisioning limited to Workday as the data source and a very narrow set of attributes. Learn More: Inbound Provisioning
- Disparate tools and workflows required to manage the identity lifecycle for all identities.

Option 3: Multiple HR systems to Azure AD integration

In some cases, such as mergers and acquisitions, multiple HR systems must be integrated into Azure AD. The kiosk worker identity is copied from various source repositories into a single view (metaverse) through an integration layer. Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD PowerShell and Azure AD.

Figure 5: Multiple HR systems to Azure AD integration

Advantages
- Kiosk worker identities only present in Azure AD.
- Write-back opportunity through the MIM connector infrastructure.

Tradeoffs
- Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
- Disparate tools and workflows required to manage the identity lifecycle for all identities.

Option 4: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Companies that want to provide a consistent management experience for kiosk and information workers can integrate both kinds of identities into on-premises Active Directory, and use a common synchronization mechanism to propagate the identities into the cloud.
Learn More: Synchronize Information Worker

Figure 6: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Advantages
- Single cloud synchronization strategy through Azure AD Connect.
- Common tools to manage all identities in on-premises Active Directory.
- Common tools to unify the user experience, such as federated login, password management, and so on.
- Provision of additional features through MIM connector infrastructure.

Tradeoffs
- Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
- Greater loading on the on-premises Active Directory from the kiosk identities, which affects factors such as the size of the directory information tree and replication latency.
- More identities on-premises, generating more risk of unintended access to on-premises resources.

Helpful Tips

Since kiosk users will not log onto the on-premises Active Directory, consider the aspects below for Password Hash Sync domains:

- Run the following PowerShell cmdlets from the Azure AD Connect Server to synchronize the passwords of kiosk workers who are marked as "users must change password at next logon" (common case when creating new user accounts):

    # Load the Azure AD Connect sync module, then enable the feature on the Azure AD connector
    Import-Module ADSync
    Set-ADSyncAADCompanyFeature `
        -ConnectorName "<case sensitive aad connector name>" `
        -ForcePasswordResetOnLogonFeature $true

- Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords in the cloud are marked to never expire when synchronized from on-premises.
- If you disable the kiosk workers' user accounts on premises based on your security policies, then you need to perform the following steps to allow users to change their passwords in the cloud and write back on-premises:

1. Re-execute the Azure AD Connect wizard, unchecking the password writeback checkbox.
2. Update the file %ProgramFiles%\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config to contain the following value:

    <add key="convertchangepasswordtoresetpasswordfordisableduser" value="true"/>

3. Re-execute the Azure AD Connect wizard, checking the password writeback checkbox.

Synchronize on-premises identities (Information Workers)

The following three options enable you to synchronize existing on-premises identity stores (either traditional LDAP-based directories or a custom store, such as a relational database) with Azure AD. The following scenarios apply equally to identities from single or multiple stores.

Option 1: Integrate all repositories to the cloud with Azure AD Connect

You can engage the services of the Azure AD product group, such as Microsoft Premier Support, Microsoft Consulting Services or a Microsoft Partner to assist you in deploying an advanced customization of Azure AD Connect.

Figure 7: Integrate all repositories to the cloud with Azure AD Connect

Advantages
- MIM supports multiple types of connectors so you can connect directly to multiple data sources. Learn More: Connectors
- You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.

Tradeoffs
- Initial deployment and ongoing maintenance requires a complex engagement from the Azure AD product group, Microsoft Premier Support, Microsoft Consulting Services, or a Microsoft Partner.

Option 2: Integrate all repositories to the cloud with MIM

Instead of using Azure AD Connect, this option uses the MIM connector for Azure AD.

Figure 8: Integrate all repositories to the cloud with MIM

Advantages
- This option is easier to implement if you have already deployed MIM in your organization.
- You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.

Tradeoffs
- Capabilities of the MIM connector to the cloud are limited compared to Azure AD Connect, which has features such as write-back.
- May not be a future-proof solution.

Option 3: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

This approach combines multiple identity repositories into an Active Directory Forest using Microsoft Identity Manager. The on-premises Active Directory then synchronizes to the cloud through Azure AD Connect.

Figure 9: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

Advantages
- MIM supports multiple types of connectors so you can connect directly to multiple data sources. Learn More: Connectors
- You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
- New identities from disparate HR systems get the same authentication experience once they are integrated into the on-premises Active Directory.

Tradeoffs
- You need enough Client Access Licenses (CALs) to incorporate users who have lacked on-premises accounts into your directory.
- Additional infrastructure may be required.

Helpful Tips

Since kiosk users will not log onto the on-premises Active Directory, consider the aspects below for Password Hash Sync domains:

- Run the following PowerShell cmdlets from the Azure AD Connect Server to synchronize the passwords of kiosk workers who are marked as "users must change password at next logon" (common case when creating new users):

    # Load the Azure AD Connect sync module, then enable the feature on the Azure AD connector
    Import-Module ADSync
    Set-ADSyncAADCompanyFeature `
        -ConnectorName "<case sensitive aad connector name>" `
        -ForcePasswordResetOnLogonFeature $true

- Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords in the cloud are marked to never expire when synchronized from on-premises.
- If you disable the kiosk worker user accounts on premises based on your security policies, then you need to perform the following steps to allow users to change their passwords in the cloud and write back on-premises:

1. Re-execute the Azure AD Connect wizard, unchecking the password writeback checkbox.
2. Update the file %ProgramFiles%\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config to contain the following value:

    <add key="convertchangepasswordtoresetpasswordfordisableduser" value="true"/>

3. Re-execute the Azure AD Connect wizard, checking the password writeback checkbox.
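The config-file edit in step 2 can be scripted so that it is idempotent and leaves a rollback copy. The following PowerShell is an added example, not code from the Microsoft guide; it assumes the .dll.config file is a standard .NET configuration file with an <appSettings> section, and Set-DisabledUserResetKey and the sample file are hypothetical and constructed for illustration.

```powershell
# Added example, not part of the original guide.
# Assumption: the .dll.config file is a standard .NET configuration file whose
# settings live in <configuration><appSettings><add key="..." value="..."/>.
# Set-DisabledUserResetKey is a hypothetical helper name.

$KeyName = 'convertchangepasswordtoresetpasswordfordisableduser'  # key as written in the guide

function Set-DisabledUserResetKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ConfigPath)

    # XmlDocument.Load resolves relative paths against the process directory,
    # so hand it a fully resolved path.
    $path = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    $doc  = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true            # keep the file's layout on save
    $doc.Load($path)

    $appSettings = $doc.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        throw "No <appSettings> element in $path; not guessing at the file layout."
    }

    # XPath comparisons are case-sensitive, so match the key name with -ieq.
    $node = $appSettings.SelectNodes('add') |
        Where-Object { $_.GetAttribute('key') -ieq $KeyName } |
        Select-Object -First 1

    if ($null -ne $node -and $node.GetAttribute('value') -ieq 'true') {
        return 'AlreadySet'
    }
    if (-not $PSCmdlet.ShouldProcess($path, "set $KeyName to true")) {
        return 'WouldUpdate'                   # -WhatIf: report only, change nothing
    }

    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # rollback copy
    if ($null -eq $node) {
        $node = $doc.CreateElement('add')
        $node.SetAttribute('key', $KeyName)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', 'true')
    $doc.Save($path)
    return 'Updated'
}

# Constructed sample config so the example runs without Azure AD Connect installed.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'OnPremisesPasswordReset.sample.dll.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ExampleSetting" value="1"/>
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-DisabledUserResetKey -ConfigPath $sample -WhatIf   # dry run
Set-DisabledUserResetKey -ConfigPath $sample           # writes the key and a .bak copy
Set-DisabledUserResetKey -ConfigPath $sample           # second run makes no change

# On the Azure AD Connect server, the path given in the guide is:
# "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config"
```

Run it between the two wizard passes (steps 1 and 3) from an elevated session, and keep the .bak file until password writeback has been verified.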


What to expect during each phase of the Identity Lifecycle

Azure AD helps IT departments ensure that individual accounts are properly maintained during the identity lifecycle, while following the organization's policies and procedures for account creation, termination, and other events. This section describes each aspect of the identity lifecycle and what it takes to deliver the corresponding user experience.

Creating new identities

Action: Create New Identity
Columns: Action | Cloud-only Identity | On-premises Identity | In Workday

User can log in to Azure AD
Immediately
After on-premises sync cycle occurs
Identity entitlements are configured
Identity profiles created for Office 365 (Exchange Online, SharePoint, Skype for Business, etc.)
Identity profiles created for SaaS applications that support provisioning
Identity profiles created on SaaS Applications that do not support provisioning.
Immediate if using attribute-based access control. Other techniques require manual intervention.
After Workday Azure AD sync cycle occurs
Immediately after an identity is in Azure AD, if using attribute-based access control. Other techniques require manual intervention.
Once the identities are in the Azure AD Directory, you can assign Office 365 licenses, which in turn trigger the provisioning process. Learn more: Assign or remove licenses for Office 365 for business
Immediate if using attribute-based access control. Other techniques require manual intervention.
Manual intervention required.

Servicing

Expected experience on password lifecycle events with self-service password management enabled.

Action: Update Expired Password
Columns: Action | Cloud-only Identity | On-premises Identity

Redirect to Azure AD password change at login
Immediate
For password hash sync tenants, the cloud account password is set to "Never Expire" for users whose passwords synchronize to the cloud. Users can then continue to sign in to cloud services using a synchronized password, even if it has expired in your on-premises environment. The cloud password updates when the password changes in the on-premises environment. For federated tenants, users need to update their password when logging in to the cloud.

Columns: Action | Cloud-only Identity | On-premises Identity

Redirect to Azure AD password change on existing Azure AD sessions
Password changes on SaaS application sessions are redirected to Azure AD
Windows receives the new password after it has changed in the cloud
Immediate
Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
After a password sync cycle (near real time within minutes)

Action: Password Reset and Change
Columns: Action | Cloud-only Identity | On-premises Identity

User can login to cloud resources with the new password
User can login to on-premises resource with the new password
Immediate
N/A
After a password sync cycle (near real time within minutes)
After a password sync cycle (near real time within minutes)

Action: Disable / Delete Identities
Columns: Action | Cloud-only Identity | On-premises Identity synchronized via password hash sync | On-premises Identity synchronized via federation | In Workday

Mark account as disabled/deleted in Azure AD
Immediate
After a sync cycle with on-premises
After a sync cycle with on-premises
After a sync cycle from HR SaaS app
Block new logins to Azure AD
Immediate
After a sync cycle with on-premises
Invalidate existing Azure AD sessions
Invalidate existing SaaS Application sessions
Disable/Delete user profiles in SaaS applications that support outbound provisioning
Disable/Delete user profiles in SaaS applications that do not support outbound provisioning
Immediate
Immediate
Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
After a sync cycle from HR SaaS app
5 minutes by default, after the account is marked as disabled in Azure AD. (Configurable through provisioning properties.)
Manual clean-up required.

Helpful Tips

- Modeling access to resources through Azure AD groups will give you self-service group management, delegated administration and attribute-based access control to applications and license assignment. Learn More: Managing access to resources with Azure Active Directory groups
- Control functions such as auditing and attestation are built into Azure AD reporting. Learn More: Azure Active Directory audit report events
- Password management is available through Azure AD for both on-premises and cloud identities. It enables self-service password reset and change, as well as account unlock, freeing up help desk resources. Learn More: Getting started with Password Management

Key Infrastructure Design Considerations

This section covers key considerations and techniques for creating a robust identity infrastructure implementation plan for the future.

Tenant Name Design

The tenant name appears in multiple use cases. For branding purposes, it therefore needs to be considered carefully. Assuming a tenant name of rcdemosnet.onmicrosoft.com, information and kiosk workers will see the following:

SharePoint
Figure 10: SharePoint namespace sample
Figure 11: SharePoint namespace sample

Yammer
Figure 12: Yammer namespace sample

User Principal Name (UPN) patterns

Since cloud identities sign in with a User Principal Name (UPN), defining requirements around domain and user naming is crucial to avoid the cost of having to rework the tenant account later. It is common to have on-premises domain names or user accounts that should not be moved to the cloud. For example, names associated with old branding, domain names from acquired companies, domains from unused geographies or cost centers, and bad usernames should not be migrated or synchronized with the cloud.

The following table provides typical requirements, how they can be met with Azure AD, and the tradeoffs of each option:

Typical namespace requirements and tradeoffs

Requirements: Clean up the on-premises namespace to use consistent branding. Clean up the information worker usernames used on-premises (for example, instead of jx79872@na.contoso3928.com, sign in as joe.smith@contoso.com).
How to Accomplish: Clean up the UPN attribute on-premises.
Tradeoffs: Each on-premises forest must have a different namespace. Additional testing is required of on-premises applications that might have taken a dependency on the UPN attribute.

Requirements: Clean up cloud user names and namespace. Do not change on-premises UPNs, to avoid impacting legacy applications.
How to Accomplish: Deploy alternate login ID using AD FS + Azure AD Connect. Learn More: Configuring Alternate Login ID
Tradeoffs: Significant complexity added to the information worker's user experience causes challenges in hybrid Office 365 scenarios. Learn More: Configuring Alternate Login ID

The following table captures login experience implications with namespaces:

Namespace implications for login experience

Requirements: Single Sign-On using on-premises credentials for information workers.
How to Accomplish: Provision kiosk workers in a different domain. Federate information workers and use AD FS.
Tradeoffs: Kiosk workers and information workers will have different namespaces (for example, susie@contoso.com and sbob@stores.contoso.com).

Requirements: Same Sign-On for information workers. Common namespace for kiosk and information workers.
How to Accomplish: Use password hash sync for information workers, and provision kiosk workers in the same domain.
Tradeoffs: Write back capabilities will not be available. Information workers will not be able to use desktop SSO.

Requirements: Single Sign-On for information workers. Consistent identity tools and management for both kiosk and information workers.
How to Accomplish: Synchronize kiosk workers to on-premises AD, and use the same tools for kiosk and information workers.
Tradeoffs: On-premises AD grows with identities that will never log in on-premises. New accounts might inadvertently have access to some on-premises resources.
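A pre-synchronization audit for the namespace problems described above, as an added PowerShell example that is not part of the original guide. The function name, the naming-convention regex, the approved suffix list and the sample accounts are assumptions constructed for illustration; the sample UPNs reuse the addresses the guide itself gives.

```powershell
# Added example, not from the guide: flag accounts whose UPN should be cleaned
# up (or kept out of scope) before synchronization to Azure AD.

function Test-UpnSyncReadiness {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName and UserPrincipalName,
        # for example the output of Get-ADUser.
        [Parameter(Mandatory)] [object[]] $User,
        # UPN suffixes approved for cloud sign-in (assumed to be the
        # domains verified in the tenant).
        [Parameter(Mandatory)] [string[]] $ApprovedSuffix,
        # Assumed naming convention: letters, optionally dot-separated.
        [string] $NamePattern = '^[a-z]+(\.[a-z]+)*$'
    )

    $seenUpn = @{}   # normalized UPN -> first SamAccountName that used it
    foreach ($u in $User) {
        $issues = New-Object 'System.Collections.Generic.List[string]'
        $upn = ([string]$u.UserPrincipalName).Trim().ToLowerInvariant()

        if ($upn -notmatch '^[^@\s]+@[^@\s]+$') {
            # No UPN at all, or not in name@suffix form.
            $issues.Add('MissingOrMalformedUpn')
        }
        else {
            $namePart, $suffix = $upn.Split('@')
            # Old branding, acquired-company or unused-geography domains.
            if ($ApprovedSuffix -notcontains $suffix) { $issues.Add('SuffixNotApproved') }
            # "Bad usernames" such as opaque employee IDs.
            if ($namePart -notmatch $NamePattern) { $issues.Add('NameOffConvention') }
            # The same UPN appearing twice, for example in two forests.
            if ($seenUpn.ContainsKey($upn)) { $issues.Add("DuplicateOf:$($seenUpn[$upn])") }
            else { $seenUpn[$upn] = $u.SamAccountName }
        }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Ready             = ($issues.Count -eq 0)
            Issues            = ($issues -join ',')
        }
    }
}

# Constructed sample input (no directory connection needed).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jx79872'; UserPrincipalName = 'jx79872@na.contoso3928.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith';  UserPrincipalName = 'joe.smith@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'susie';   UserPrincipalName = 'susie@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'sbob';    UserPrincipalName = 'sbob@stores.contoso.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith2'; UserPrincipalName = 'Joe.Smith@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'svc-pos'; UserPrincipalName = $null }
)

$report = Test-UpnSyncReadiness -User $sample -ApprovedSuffix 'contoso.com', 'stores.contoso.com'

# Full report, then a summary of the blocking issues by type.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Ready } | Group-Object Issues | Select-Object Count, Name

# Against a live forest (requires the ActiveDirectory module):
# Test-UpnSyncReadiness -User (Get-ADUser -Filter *) -ApprovedSuffix 'contoso.com'
```

Accounts reported as not ready are the candidates for the options in the tables above: fix the UPN attribute on-premises, use an alternate login ID, or leave the account out of synchronization scope.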

Sign-in Experience

Deploying the cloud identity solution gives users single sign-on to SaaS applications including Office 365 and other services configured by the Azure AD tenant owner. The following table lists some important items to consider when you get close to launching the solution's infrastructure for your information and kiosk workers:

Cloud Identity Solution pre-deployment considerations

Item: Password policy for cloud identities
Consideration: Cloud identities and on-premises identities have the following password policy differences.
As an administrator, you can configure the following for cloud identities:
- Password expiration duration
- Password expiry notification
- Password never expires
Azure AD manages the following aspects of the cloud identity password policy:
- Length requirements
- Complexity requirements
- Password history (duration and how many previous passwords are allowed)
- Account lockout
Learn More: Password policy in Azure AD
Azure AD lets you configure the password validity and notification window using PowerShell. Learn More: Set-MsolPasswordPolicy

Item: User Interface look and feel
Consideration: Before launching your cloud identity solution, it is important to determine branding and understand its effect on the user experience. Ideally, you want to provide branding for information workers and kiosk workers that resembles their on-premises login experience. Learn More: Add company branding to your sign-in and Access Panel pages

Item: Organizational Security
Consideration: Using Azure AD, IT administrators can more easily identify and mitigate security threats, address regulatory compliance requests, and meet the reporting requirements of business owners. For a general discussion of security in the cloud, see the following articles:
- Azure AD Connect account privileges
- Azure AD Connect prerequisites
- URLs and Ports used by Azure AD Connect
- Security considerations for password hash sync
- Security considerations for Azure Cloud
- Classic Metadirectory Walkthrough: Administering MIIS 2003 Infrastructure

- Azure AD Connect Health - Frequently Asked Questions (FAQ)

Mapping Azure AD Connect Roles to Identity Organization Teams

The following table maps Azure AD Connect roles to organizational team structure.

Azure AD Connect roles and recommended responsibilities

Azure AD Connect Role: ADSyncAdmins
Have full access to everything in the Sync Engine.
Recommended Responsibility: Identity Architecture / Development team

Azure AD Connect Role: ADSyncOperators
Have access to Operations in the Sync Engine only. Can run management agents, view synchronization statistics for each run, and save the run histories to a file.
Recommended Responsibility: On-Premises Identity Operations team

Azure AD Connect Role: ADSyncBrowse (Password Sync Service Only)
Hold permission to gather information about a user's lineage when resetting passwords using Windows Management Interface (WMI) queries.
Recommended Responsibility: On-Premises Identity Operations team

Azure AD Connect Role: ADSyncPasswordSet (Password Sync Service Only)
Hold permission to perform all operations using WMI password management interfaces.
Recommended Responsibility: On-Premises Identity Operations team

Support for Privacy, Compliance, and Operations

Because the identity system controls access to many high-value business assets, the identity service should be considered a key security asset and a likely target for attack. Organizations need to implement appropriate controls to protect their sensitive data, whether this data is hosted on-premises or in the cloud. Learn more via the links provided:

Privacy
- Which attributes are sent to the cloud? Azure AD Connect sync: Attributes synchronized to Azure Active Directory
- How is privacy managed in the Azure Cloud? Microsoft Trust Center - Privacy

Compliance
- What cloud certifications does Azure have? Microsoft Trust Center - Compliance
- What cloud certifications does Azure have for the retail industry? Microsoft Trust Center - PCI

Operations
- Operational guide for Azure AD Connect. Azure AD Connect sync: Operational tasks and consideration
- Azure AD Connect Health. Monitor your on-premises identity infrastructure and synchronization services in the cloud

Reference

For more information about Azure Active Directory, see


More information

55238 SharePoint Online for Administrators. Module 1: Introduction to Office 365 and SharePoint Online

55238 SharePoint Online for Administrators. Module 1: Introduction to Office 365 and SharePoint Online 55238 for Administrators 55238 For Administrators Duration: 3 Days Overview: This course will introduce the audience to Administration in Office 365 and explain and demonstrate the configuration options

More information

1 Introduction to Identity Management. 2 Access needs evolve. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

1 Introduction to Identity Management. 2 Access needs evolve. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications 1 Introduction to Identity Management Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications An overview of business drivers and technology solutions. 2 Access needs evolve Digital

More information

Advanced Technologies of SharePoint 2016 ( )

Advanced Technologies of SharePoint 2016 ( ) SharePoint Course - 203392 Advanced Technologies of SharePoint 2016 (20339-2) Length 5 days Audience The course is targeted at experienced IT Professionals who are interested in learning how to install,

More information

Mobile device management at Microsoft

Mobile device management at Microsoft Mobile device management at Microsoft Page 1 Mobile device management at Microsoft Situation As the use of personal devices in the workplace expands, IT is challenged with managing a data environment where

More information

A: Advanced Technologies of SharePoint 2016

A: Advanced Technologies of SharePoint 2016 Let s Reach For Excellence! TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC Address: 103 Pasteur, Dist.1, HCMC Tel: 08 38245819; 38239761 Email: traincert@tdt-tanduc.com Website: www.tdt-tanduc.com; www.tanducits.com

More information

Education and Support for SharePoint, Office 365 and Azure

Education and Support for SharePoint, Office 365 and Azure Education and Support for SharePoint, Office 365 and Azure www.combined-knowledge.com Course Duration: 3 Days Overview CONFIGURING HYBRID WORKLOADS FOR SHAREPOINT AND OFFICE 365 Configuring Hybrid Workloads

More information

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS WHITE PAPER SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS The Challenges Of Securing AWS Access and How To Address Them In The Modern Enterprise Executive Summary When operating in Amazon Web Services

More information

Course Content of Office 365:

Course Content of Office 365: Course Content of Office 365: Course Outline Module 1: Planning and provisioning Office 365This module reviews the features of Office 365 and identifies recent improvements to the service. It describes

More information

App Gateway Deployment Guide

App Gateway Deployment Guide C E N T R I F Y D E P L O Y M E N T G U I D E App Gateway Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical

More information

Integrate Microsoft ATP. EventTracker v8.x and above

Integrate Microsoft ATP. EventTracker v8.x and above EventTracker v8.x and above Publication Date: August 20, 2018 Abstract This guide provides instructions to configure a Microsoft ATP to send its syslog to EventTracker Enterprise. Scope The configurations

More information

Centrify Infrastructure Services

Centrify Infrastructure Services Centrify Infrastructure Services License Management Administrator s Guide December 2018 (release 18.11) Centrify Corporation Legal Notice This document and the software described in this document are furnished

More information

Abstract. Introduction

Abstract. Introduction Four Steps Toward Planning a Successful Email Migration How MessageStats Can Help You Understand and Clean Up Your Source Environment to Simplify Your Move Written by Joel Blaiberg, Dell Software Abstract

More information

Microsoft Advanced Technologies of SharePoint 2016

Microsoft Advanced Technologies of SharePoint 2016 1800 ULEARN (853 276) www.ddls.com.au Microsoft 20339-2 Advanced Technologies of SharePoint 2016 Length 5 days Price $4290.00 (inc GST) Version A Overview This five-day course will teach you how to plan,

More information

Expertise that goes beyond experience.

Expertise that goes beyond experience. Pre-Conference Training and Certification Expertise that goes beyond experience. OKTANE18.COM Monday, May 21 - Tuesday, May 22 ARIA Resort & Casino, Las Vegas Contents 03 04 05 Okta Education Services

More information

User Guide. Version R92. English

User Guide. Version R92. English AuthAnvil User Guide Version R92 English October 9, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

Exam : Implementing Microsoft Azure Infrastructure Solutions

Exam : Implementing Microsoft Azure Infrastructure Solutions Exam 70-533: Implementing Microsoft Azure Infrastructure Solutions Objective Domain Note: This document shows tracked changes that are effective as of January 18, 2018. Design and Implement Azure App Service

More information