Centrify for Office 365 Deployment Guide

Author: Doris Bailey
Abstract

This document is a step-by-step configuration guide for deploying Office 365 with Centrify Identity Service for federation. It is intended for IT professionals with a basic understanding of computing systems.

© 2014 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.

PAGE 1

CENTRIFY O365

DEPLOYMENT GUIDE

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2015 Centrify Corporation. All rights reserved. Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Contents, page 3
Overview, page 4
Where will your identities live?, page 4
Prepare Your Centrify Identity Service Environment, page 5
Add Your UPN Domain to Office 365, page 5
Connect Centrify with Office 365 and Synchronize Active Directory User IDs, page 6
Validate Synchronization and Verify Federation in a Test Environment, page 6
Prerequisites, page 7
Configure Office 365, page 7
Federating Centrify User Suite with O365, page 15
How to delete users from O365 using PowerShell, page 32
How to Contact Centrify, page 33


Overview

Many people are moving to an Office 365 environment to simplify control and maintenance of some of their core systems. The benefits can include the following:

- Reduced overtime for the technical staff who support e-mail systems.
- Reduction in on-premises storage requirements.
- Reduction in on-premises hardware requirements.
- Improved availability of service and redundancy (99.9% uptime SLA).
- Less concern for individual mailbox storage requirements.
- The ability to have a hybrid Exchange model that hosts mailboxes locally, for situations where the hosted solution may not work.
- Single Sign-on (SSO) federated to your on-premises Active Directory (AD).
- And last but not least, automated provisioning of users from AD.

But before you run out and sign up for Office 365 and implement SSO, there are some best practices and considerations you should review. This document will highlight the key things you should know before you go to an Office 365 federated environment.

Where will your identities live?

For most of you going to Office 365, you probably have an on-premises Active Directory environment. Some SSO vendors require you to replicate all of your AD identities to their cloud service. Centrify feels that this is an unnecessary step that forces customers to give up a degree of control, is less secure, and forces vendor lock-in. Some SSO solutions require you to have up to eight different servers to provide the same functionality that Centrify can achieve with our Identity Service Cloud Connectors, which can be deployed on existing servers. We believe that your FTE identities should stay on premises and that your 3rd party or contractor identities should live separately. We provide our Cloud User Identity Service for just that hybrid scenario. We provide a model that addresses the complete application end-user life-cycle: we handle the process from on-boarding to application authorization for both mobile and web, and when the time comes you have a single point of de-provisioning. Having said that, this is a great opportunity to do some AD cleanup and make sure you are ready for a federated Office 365 environment.


UPNs and Domain name

One of the things that AD brought us was the ability to have non-routable local domain suffixes such as "mycompany.local". This is a great security practice and reduces the ability to hack from the outside. But guess what? Before you can go to Office 365 or federate to AD you need to use an Internet-resolvable domain name as the suffix in each user's username. If you have a .local domain you now need to add the Internet-routable domain UPN suffix to Office 365 and AD. Don't worry, it's easy to add a UPN suffix. Here are the steps.

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
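The same suffix change from PowerShell, with a check for users who would still be left on the non-routable suffix. This is an added example and not part of the Centrify guide; it assumes the ActiveDirectory RSAT module and Enterprise Admin rights, and the two domain names are placeholders.

```powershell
# Added example, not part of the Centrify guide: inventory the forest's UPN
# suffixes, add the Internet-routable one if it is missing (the same change as
# the "UPN Suffixes" tab in AD Domains and Trusts), and report users whose UPN
# still ends in the non-routable suffix. Assumes the ActiveDirectory RSAT
# module and Enterprise Admin rights. Both domain names are placeholders.
Import-Module ActiveDirectory

function Add-RoutableUpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Host "Forest $($forest.Name) already has UPN suffix $Suffix"
        return
    }
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
    Write-Host "Added UPN suffix $Suffix to forest $($forest.Name)"
}

function Get-NonRoutableUpnUser {
    # Users carrying this suffix cannot be matched to a verified Office 365 domain
    param([Parameter(Mandatory)][string]$Suffix)
    Get-ADUser -Filter * -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -like "*@$Suffix" }
}

function Set-RoutableUpn {
    # Rewrites only the suffix; the local part of the UPN is kept unchanged.
    # Run with -WhatIf first: a UPN change affects every client that signs in with it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$User,
        [Parameter(Mandatory)][string]$NewSuffix
    )
    process {
        $newUpn = ($User.UserPrincipalName -split '@')[0] + "@$NewSuffix"
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, "set UPN to $newUpn")) {
            Set-ADUser -Identity $User -UserPrincipalName $newUpn
        }
    }
}

# Placeholders: the routable e-mail domain and the internal AD domain
$Routable    = 'contoso.com'
$NonRoutable = 'yourcompany.local'

Add-RoutableUpnSuffix -Suffix $Routable
$stale = @(Get-NonRoutableUpnUser -Suffix $NonRoutable)
$stale | ForEach-Object { "{0,-20} {1}" -f $_.SamAccountName, $_.UserPrincipalName }
"$($stale.Count) user(s) still use @$NonRoutable"

# Preview the rewrite; drop -WhatIf once the list looks right
$stale | Set-RoutableUpn -NewSuffix $Routable -WhatIf
```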

Prepare Your Centrify Identity Service Environment

If you are not already a Centrify customer it's easy to get started with a trial at http://www.centrify.com/saas/trial.asp. Centrify will also come on site and show you how to set everything up for your proof of concept. Here is a great video from our CTO Paul Moore that shows how the Cloud Identity Service works. One note is that our proxy service has been renamed to Cloud Connector. https://www.youtube.com/watch?v=ZTzJStHnahA

If you are a customer or you have signed up for our 30-day trial, the first thing you will get is a set of credentials to administer the Cloud Identity Service. When you log in, the first thing to do is change your administrator password, and be sure to use a complex password. From there you will need to install a Cloud Connector on any member server in your domain. It can be a physical server or virtualized. You can have as many as you like and can have them distributed across your global enterprise. You can find a short 5-minute video of the process here.

Add Your UPN Domain to Office 365

The earlier example used a publicly resolvable domain name of contoso.com with an internal Active Directory domain of yourcompany.local. Your domain can be anything. The Active Directory name doesn't need to align with the external domain you use for e-mail addresses, although doing so makes things easier for users to remember. If the publicly resolvable domain name you choose isn't already linked to Office 365, do so via the Microsoft Online Services Portal. Click Domains in the Admin console and then select Add a Domain. The wizard will prompt you for the domain name, and then give you one of two options for authenticating ownership. You'll need to add either a TXT or MX record to the publicly accessible DNS server hosting the domain.


It can take anywhere from 15 minutes to 72 hours for the update to fully propagate, so it might take a while before you can complete the validation process. Validation affirms to Office 365 that you own the domain name your clients will later use to authenticate. You don’t need to have any servers within this domain for federation to function. All you need to complete this step is the domain itself that you can resolve from the Internet. You can find the “how to” video here.

Connect Centrify with Office 365 and Synchronize Active Directory User IDs

Now it's time to configure Office 365 to federate user authentication. This process entrusts your internal Active Directory domain with authenticating users, while letting Office 365 merely trust your domain's authentication response. That's the cool thing about federation: no passwords are ever transferred between ADFS and Office 365, it's just a secure token exchange. While federation removes the need to send passwords between Active Directory and Office 365, it still requires that you continuously synchronize user accounts. You can perform this synchronization manually and then edit each user to assign a license profile, or you can use the Centrify Identity Service to not only synchronize users but provision them as well. Below are all three of Centrify's Office 365 federation and provisioning "how to" videos that will take you through all of the necessary steps above. Each video is about 5 minutes long.

- Part I: https://www.youtube.com/watch?v=fsl1yGaXjsg
- Part II: https://www.youtube.com/watch?v=8HZCrn7t9S8
- Part III: https://www.youtube.com/watch?v=eYcQEw1qZ7k

Validate Synchronization and Verify Federation in a Test Environment

As with all projects, it is best to validate in a test environment. You can easily sign up for a separate O365 trial and use a sub-domain of your externally routable domain, e.g. centrify.mydomain.com. Centrify allows you to assign applications to individual users or groups of users, so you can test with pilot groups and then roll out to the entire enterprise. Centrify's online help system can help if you run into any issues. And don't forget to check out Centrify's SaaS community site for some additional resources.
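A scripted check of the pilot domain and a provisioned test user from the Office 365 side, as an added example that is not part of the Centrify guide. It assumes the MSOnline module (installed as described in the PowerShell section at the end of this guide) and Global Admin credentials for the tenant's default .onmicrosoft.com account; the domain name and UPN are placeholders.

```powershell
# Added example, not part of the Centrify guide: after federating a pilot domain
# and provisioning a test user, confirm from the Office 365 side that the domain
# is verified and federated, that the federation endpoints point at the expected
# identity provider, and that the user received a license. Assumes the MSOnline
# module and Global Admin credentials for the tenant's default .onmicrosoft.com
# account. Domain and UPN are placeholders.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

function Test-FederatedDomain {
    param([Parameter(Mandatory)][string]$DomainName)
    $d = Get-MsolDomain -DomainName $DomainName
    "{0}: status={1} authentication={2}" -f $d.Name, $d.Status, $d.Authentication
    if ($d.Status -ne 'Verified') {
        Write-Warning "DNS ownership validation has not completed for $DomainName"
    }
    if ($d.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is still Managed: users will be prompted for a cloud password"
        return
    }
    # The issuer and sign-in URLs are what Office 365 trusts for this domain.
    # Anything other than your own identity provider here is a misconfiguration
    # and must be investigated before users are rolled into the domain.
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Select-Object IssuerUri, PassiveLogOnUri, LogOffUri, FederationBrandName |
        Format-List
}

function Test-ProvisionedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $skus = ($u.Licenses | Select-Object -ExpandProperty AccountSkuId) -join ','
    "{0}: licensed={1} skus=[{2}]" -f $u.UserPrincipalName, $u.IsLicensed, $skus
    if (-not $u.IsLicensed) {
        Write-Warning "No license: check the Role Mapping under Provisioning and re-run Sync all Apps"
    }
}

Test-FederatedDomain -DomainName 'contoso.com'                    # placeholder
Test-ProvisionedUser -UserPrincipalName 'pilot.user@contoso.com'   # placeholder

# Users the synchronization could not provision cleanly (e.g. UPN or proxy address conflicts)
Get-MsolUser -HasErrorsOnly | Select-Object UserPrincipalName, ValidationStatus
```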


Prerequisites:

- Must have a publicly resolvable domain
- Must have access to the DNS server to add / modify records for the publicly resolvable domain
- Must have an Office 365 account with at least one license
- Must have a Centrify Cloud Tenant

Configure Office 365

1. Log on to the Office Portal
2. Click on Domains


3. Click on add Domains

4. Click on Let’s get started


5. Enter your Domain name and click on Next

6. If your domain is registered with GoDaddy (as in my example) you can simply sign in to GoDaddy and let the wizard modify/add the DNS records needed for domain verification. It is beyond the scope of this document to explore all variations of DNS servers and how to configure them. After completing the DNS wizard / manually adding the TXT record needed for domain verification you'll see a confirmation of domain ownership.


7. If this is the first time / first domain you are setting up in O365 you'll be prompted to change the default admin email address. You can skip this step.

8. You'll be prompted to add users. You can skip this step.


9. At the “Update DNS records” prompt click on “Next”

10. Depending on your license you can use Outlook and Lync services. Select which services you want to enable and click on Next


11. Add the DNS records provided by O365. In my example I am using GoDaddy as the DNS service provider and will add those records automatically.

12. After adding the records click on Finish

13. If all settings are correct you will see the following screen


14. Expand Users on the left side and click on Active Users

15. Click on "Active Directory synchronization: Set up" at the top of the page

16. Click on Activate in “3 Active Directory synchronization”


17. Confirm any prompts

18. Done


Federating Centrify User Suite with O365

1. Log on to your Cloud Manager

2. Click on the Roles tab

3. Click on Add Role


4. Enter a Name and Description for your Role

5. Example: O365-Users / Role for user access and license assignment for Office 365

6. Click OK to close the Add Role dialog

7. Click on the Apps tab


8. Click Add Web Apps

9. In the Add Web Apps dialog search for Office 365

10. Click on Add for "Office 365 WS-Fed + Provisioning"


11. Confirm any dialog and click on Close in the Add Web Apps dialog

12. NOTE: The Office 365 Application dialog will open automatically

13. Enter the Office 365 Admin Username and Password on the first screen

14. NOTE: You must use the Admin Credentials of the default domain.onmicrosoft.com to log on.

15. Click on Verify


16. Select the Domain you want to federate from the Office 365 Domains

17. From the Actions dropdown menu select Federate

18. NOTE: The default domain cannot be federated

19. Click Yes on the information dialog

20. NOTE: Federation can take up to 2 min


21. Click on Save

22. Click on User Access on the left side

23. Select the Role you created in step 3 to be assigned to Office 365 user access

24. Click on Save


25. Click on Provisioning on the left side

26. Select Enable Provisioning

27. Under Role Mappings click on Add

28. Select the Role added in step 3 to be associated with the license assignment


29. Select the License you want to associate with the Role

30. Click Done

31. Click Save


32. Click on the Users tab

33. Click on Add User


34. Configure the User
    a) Enter the logon name
    b) Select the correct Domain name from the Suffix dropdown menu
    c) Enter the email address
    d) Enter and verify the password
    e) Uncheck "Require password change at next logon" (in this training exercise)

35. Scroll down and enter the display name

36. Click Create User


37. Click on Roles

38. Double Click your previously created Office 365 Role


39. Click on Members on the left side and click on Add

40. Enter the logon name into the search field

41. Select the User

42. Click on Add


43. Click on Save

44. Click Assigned Applications on the left side

45. Click Add


46. Select Office 365

47. Click Add

48. Click Save


49. Click on the Users tab

50. Select the User you just added to the Office 365 Role

51. Select Sync all Apps from the Action dropdown menu


52. Click Close

53. Log on to your Office 365 administrative Portal

54. Expand the Users tree on the left side

55. Click on Active Users

56. Select the newly provisioned user

57. As you can see on the right side, a license and email address have been provisioned for the user

58. Open a new browser and go to cloud.centrify.com

59. Log on as the newly provisioned User

60. Click on the Office 365 application tile

61. Office will open in a new browser window

62. Done


How to delete users from O365 using PowerShell

When testing and evaluating Office 365, the same users are sometimes added to and removed from Office 365 repeatedly. Office 365, however, has a security mechanism that keeps a removed user from being deleted immediately. When a user is removed from the user database, the user is first placed in a suspended mode in which only the license and the right to log on are removed. In that state the user remains in the "Active Users" list on Office 365 for 30 days. At the end of the 30 days the user is moved to the "Recycle Bin", where it remains for another 90 days. Office 365 refuses to add a new user with the same username, because the SID of the new user differs from the SID of the suspended user with that username: it detects the "new user" as a different user with a duplicate username and denies the addition. This applies whether the existing user is in the "Active Users" list or in the "Recycle Bin". Since waiting 120 days to reuse a username does not make for efficient testing, you can permanently delete users in real time from both the Office 365 "Active Users" list and the "Recycle Bin" using Windows Azure PowerShell commands.

1. Install Azure PowerShell: https://technet.microsoft.com/library/jj151815.aspx

2. Install Microsoft Online Services Sign-In Assistant 7.0 or greater: http://www.microsoft.com/en-us/download/details.aspx?id=28177

3. Install the Microsoft Online Services Module: Microsoft Online Services Module for Windows PowerShell (32-bit version) or Microsoft Online Services Module for Windows PowerShell (64-bit version)

4. Copy the folders called MSOnline and MSOnline Extended from C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ to C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\

5. Open Azure PowerShell and run the following commands:

    a) Import-Module MSOnline

    b) $cred = Get-Credential
       NOTE: When prompted, enter the admin credentials for the Office 365 account managing the domain from which you want to delete a user.

    c) Connect-MsolService -Credential $cred

    d) Remove-MsolUser -UserPrincipalName [email protected]
       NOTE: To point out the obvious, the user here has to be within a managed domain of the admin credentials that you used to log on in step 5b. This removes the license and the right to log on and moves the user to the Recycle Bin.

    e) Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin
       NOTE: Same user principal name as in step 5d; this second call purges the user from the Recycle Bin and cannot be undone.


6. Sample output (a second window opens to enter the credentials at the Get-Credential step)

    PS C:\> $cred = get-credential
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Credential
    PS C:\> Connect-MSOLService -credential $cred
    PS C:\> Remove-MsolUser -UserPrincipalName [email protected]

    Confirm
    Continue with this operation?
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
    PS C:\> Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin

    Confirm
    Continue with this operation?
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
    PS C:\>
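The two Remove-MsolUser calls above wrapped in a function that first checks where the account actually is and that its domain belongs to the connected tenant, then verifies the name is free. This is an added example and not part of the Centrify guide; it assumes an open Connect-MsolService session (step 5c) with admin rights over that domain, and the UPN at the bottom is a placeholder.

```powershell
# Added example, not part of the Centrify guide: purge a test account from both
# the Active Users list and the Recycle Bin so the username can be reused, but
# only after checking where the account actually is and that its domain belongs
# to the connected tenant. Assumes an open Connect-MsolService session (step 5c)
# with admin rights over that domain. The UPN at the bottom is a placeholder.
function Remove-MsolTestUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Guard: the suffix must be one of this tenant's domains, otherwise the
    # cmdlets fail with an unhelpful error or, with the wrong session open,
    # act against the wrong tenant.
    $suffix = ($UserPrincipalName -split '@')[1]
    if (-not (Get-MsolDomain | Where-Object { $_.Name -eq $suffix })) {
        throw "Domain '$suffix' is not managed by the connected tenant"
    }

    # 1. Soft delete: removes the license and sign-in, account goes to the Recycle Bin
    $active = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($active) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Soft-delete (moves to Recycle Bin)')) {
            Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
        }
    } else {
        Write-Host "$UserPrincipalName is not in the Active Users list"
    }

    # 2. Hard delete: irreversible, the account and its data cannot be restored
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($deleted) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Purge from Recycle Bin (cannot be undone)')) {
            Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
        }
    } else {
        Write-Host "$UserPrincipalName is not in the Recycle Bin"
    }

    # 3. Verify the name is free in both places before re-provisioning from Centrify
    $stillActive  = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    $stillDeleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    return (-not $stillActive -and -not $stillDeleted)
}

# Preview first; remove -WhatIf to act. ConfirmImpact=High prompts before each step.
Remove-MsolTestUser -UserPrincipalName 'testuser@contoso.com' -WhatIf
```

A freshly soft-deleted account can take a moment to show up under -ReturnDeletedUsers, so if step 2 reports the user is not in the Recycle Bin right after step 1, re-run the function.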

How to Contact Centrify

North America (And All Locations Outside EMEA)
Centrify Corporation
785 N. Mary, Suite 200
Sunnyvale, CA 94085
United States
Sales: +1 (408) 542-7500

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Lilly Hill House
Lilly Hill Road
Bracknell, Berkshire RG12 2SJ
United Kingdom
Sales: +44 (0) 1344 317950

Online: www.centrify.com/contact
