AD to Windows Azure AD: Sync Options, Federation Architecture, AD to AAD Quickstart
By Sachin Shetty
Feb 26, 2016

Download

Documents

lemuel

PowerPoint PPT Presentation
Transcript
Page 1: Agenda

Agenda
• AD to Windows Azure AD Sync Options
• Federation Architecture
• AD to AAD Quickstart

By Sachin Shetty

Page 2: Agenda

AD to AAD Sync Options

By Sachin Shetty

Page 3: Agenda

Identities for Microsoft Cloud Services

Personal Services
• Live ID / Microsoft Account
• Examples: [email protected] and a @live.com address

Organizational Services
• OrgID / Organizational Account
• OnMicrosoft Account (Azure AD Account)
• Examples: [email protected], [email protected]

Page 4: Agenda

Cloud-Only / No Integration

Diagram: the Contoso customer premises (AD, CORP App) have no connection to Windows Azure Active Directory (provisioning platform, directory store, IdP / authentication platform, Admin Portal / PowerShell / Graph), which serves Office 365, Dynamics CRM Online and Windows Intune; accounts such as [email protected] and [email protected] exist only in the cloud.

Integration options: 1. Cloud Only / No Integration, 2. Directory Synchronization, 3. Directory and Federated SSO

Page 5: Agenda

Directory Synchronization

Diagram: on the Contoso customer premises, AD feeds Directory Sync (DirSync), which provisions Windows Azure Active Directory (provisioning platform, directory store, IdP / authentication platform, Admin Portal / PowerShell / Graph) serving Office 365, Dynamics CRM Online and Windows Intune; CORP App stays on-premises.

Integration options: 1. No Integration, 2. Directory Synchronization, 3. Directory and Single sign-on (SSO)

Page 6: Agenda

Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or Non-AD
• Not a highly recommended option compared to DirSync or FIM Connector
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience
• PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues

DirSync
• Suitable for Organizations using Active Directory (AD)
• Supports Exchange Co-existence scenarios
• Coupled with AD FS, provides best option for federation and synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS+Partners

FIM Connector
• Suitable for large organizations with certain AD and Non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft premier deployment support
• Requires Forefront Identity Manager and additional software licenses

• Suitable for all organizations
• Supports Exchange Co-existence scenarios

Page 7: Agenda

Directory and Federated SSO

Diagram: on the Contoso customer premises, AD feeds Directory Sync (DirSync) into Windows Azure Active Directory (provisioning platform, directory store, IdP / authentication platform, Admin Portal / PowerShell / Graph), and Active Directory Federation Server 2.0 holds a Trust with the Azure AD IdP; Office 365, Dynamics CRM Online and Windows Intune sit in the cloud, CORP App on-premises.

Integration options: 1. No Integration, 2. Directory Synchronization, 3. Directory and Federated SSO

Page 8: Agenda

Federation options

| | Shibboleth | AD FS | Third-party |
|---|---|---|---|
| Suitable for | Educational organizations; recommended where customers may use existing non-AD FS Identity systems | Medium, large enterprises including educational organizations; recommended option for Active Directory (AD) based customers | Medium, large enterprises including educational organizations; recommended where customers may use existing non-AD FS Identity systems with AD or Non-AD |
| Single sign-on | Yes | Yes | Yes |
| Secure token based authentication | Yes | Yes | Yes |
| Clients | Web clients and Outlook only | Web and rich clients | Web and rich clients |
| Support | Microsoft supported for integration only, no Shibboleth deployment support | Microsoft supported | Third-party supported |
| On-premises footprint | Requires on-premises servers & support | Requires on-premises servers, licenses & support | Requires on-premises servers, licenses & support |
| Directories | Works with AD and other directories on-premises (AD & Non-AD) | Works with AD | Works with AD & Non-AD |

Page 9: Agenda

Identity Options Comparison

1. No Integration
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
• Same Domain name for users possible
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud

2. Directory Only
Pros
• Users and groups mastered on-premise
• Enables co-existence
• Single server deployment
Cons
• No 2FA until Spring 2013
• 2 sets of credentials to manage with differing password policies OR Manual / 3rd Party password Sync OR use FIM
• No SSO

3. Directory and SSO
Pros
• SSO with corporate cred
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
• Ideal for multiple forests
Cons
• Additional Servers required for AD FS

Page 10: Agenda

Accounts in Windows Azure AD

Demo

Page 11: Agenda

Federation Architecture

Page 12: Agenda

Federated Architecture

Diagram: on CorpNet, Active Directory with AD FS + DirSync [Server1]; on the Internet side, an AD FS Proxy [Server2] fronting it for Windows Azure AD.

Page 13: Agenda

AD FS Scalability Planning

| Users | Dedicated Federation Servers | Federation server proxies | NLB servers | Comments |
|---|---|---|---|---|
| <1,000 | 0 | 0 | 1 | Deploy AD FS on two DCs |
| 1,000–15,000 | 2 | 2 | 2 | Install NLB on proxies |
| 15,000–60,000 | 2 + 1 for every 15,000 users | 2+ | 2+ | Install NLB on proxies or use dedicated NLB implementation |

Source: http://technet.microsoft.com/en-us/library/jj151794.aspx

Page 14: Agenda

Federated Architecture on Windows Azure!

Diagram: CorpNet hosts Active Directory; a Windows Azure Subscription, reached over VPN, hosts AD + AD FS, AD FS Proxy and DirSync, and fronts Windows Azure AD from the Internet.

Page 15: Agenda

Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

Page 16: Agenda

Quickstart Guide Architecture

Diagram: Active Directory with AD FS + DirSync on Server1 (Windows Server 2012) and an AD FS Proxy on Server2 (Windows Server 2012), integrating with Windows Azure AD.

Page 17: Agenda

AD to AAD Quickstart Steps

1) Add Domain to Windows Azure AD [Windows Azure from Server1]

2) Activate DirSync [Windows Azure from Server1]

3) Install AD FS Server Role [Server1]

4) Configure AD FS Server [Server1]

5) Install AD FS Proxy (optional) [Server2]

6) Configure AD FS Proxy (optional) [Server2]

7) Configure Inbound SSL Access [Server2]

8) Configure AD Federation Support [Server1]

9) Install & Configure DirSync [Server1]
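One way to drive the tenant-side steps (1, 2 and 8) with a check after each, added here as an example and not the deck's own quickstart script; it uses the MSOnline cmdlets that the deck's "PS Module for MS Online" step installs, and the domain name and AD FS server name are placeholders.

```powershell
# Added example (not the quickstart script). Placeholders: the domain being added
# to Windows Azure AD and Server1, where the AD FS role was configured (steps 3-4).
$DomainName = 'contoso.example'
$AdfsServer = 'server1.corp.example'

Import-Module MSOnline
Connect-MsolService          # prompts for a tenant Global Administrator credential

# Step 1: Add Domain to Windows Azure AD. Adding only registers the name; it stays
# 'Unverified' until the TXT record printed here is published and Confirm-MsolDomain succeeds.
if (-not (Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $DomainName | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord |
    Select-Object Label, Text, Ttl | Format-List

# Step 2: Activate DirSync on the tenant, then confirm the flag really flipped.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw 'DirSync activation did not take effect'
}

# Verify the domain once the TXT record has propagated (this call fails until it has).
Confirm-MsolDomain -DomainName $DomainName

# Step 8: Configure AD Federation Support. Refuse to federate a domain that is not yet
# verified, and refuse to re-convert one that is already federated (that rewrites the trust).
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified')         { throw "$DomainName is not verified; fix DNS first" }
if ($domain.Authentication -eq 'Federated') { throw "$DomainName is already federated" }

Set-MsolAdfscontext -Computer $AdfsServer            # reads the trust settings from Server1
Convert-MsolDomainToFederated -DomainName $DomainName

# Post-check: the issuer and sign-on endpoints Azure AD now trusts must be Server1's.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, FederationBrandName | Format-List
```

The IssuerUri and endpoint values printed at the end are what the tenant will accept tokens from, so compare them against the AD FS farm's configured identifiers before letting users sign in.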

Page 18: Agenda

Demo

Pre-requisites & Initial Setup
Install and Configure a new AD FS farm

Page 19: Agenda

What we’ve built so far

Diagram: CorpNet hosts Active Directory; the Windows Azure Subscription, reached over VPN, hosts AD + AD FS and fronts Windows Azure AD from the Internet.

DirSync – Activated, not synced
Domain Name – Added, not verified

Page 20: Agenda

Domain: Christianboarders.com

Configure Inbound SSL Access

Diagram: Windows Azure AD reaches the AD FS endpoint over the Internet at 157.56.167.107 (mycloudservice.cloudapp.net); the Windows Azure Subscription hosts AD + AD FS and connects to CorpNet Active Directory over VPN.

Page 21: Agenda

Install DirSync on WS 2012

```powershell
# Excerpt from the quickstart script. Write-QSTitle, Require-QSDownloadableFile and
# Write-QSError are the script's own helper functions and are not defined in this excerpt.
Write-QSTitle 'Download, install, and configure the DirSync tool'

# Download DirSync.exe next to the running script; stop if the download fails
$DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
    Write-QSError 'DirSync download failed.'
    return
}

# Run the installer silently and wait for it to finish
Write-Host 'Running DirSync installer...'
Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait
```

Note: SQL 2008 R2 Express is not officially supported on WS 2012. SP1 is supported, but see http://support.microsoft.com/kb/2681562

[On Server1]

Page 22: Agenda

Final Configuration

Diagram: CorpNet hosts Active Directory; the Windows Azure Subscription, reached over VPN, hosts AD + AD FS, AD FS Proxy and DirSync, and fronts Windows Azure AD from the Internet.

DirSync – Activated + synced
Domain Name – Added + verified

Page 23: Agenda

Actual Times Taken

| Document Step # | PS Script Step # | Component of Configuration | Actual Time Taken |
|---|---|---|---|
| 1 | 1-2 | Initial Software Installation (pre-requisites)*, *** | 1 min 12 sec |
| 1 | 3 | Office 365 Readiness Tool | 5 min 48 sec |
| 2 | 4-5 | Add Domain Name in Windows Azure AD | 27 sec |
| 3 | 6 | Activate DirSync Support | 10 sec |
| 4 | 7-14 | Install and Configure On-Premise AD FS Server1** | 2 min 53 sec |
| 5 | 15-22 | Install and Configure AD FS Proxy Server2*, ***, **** | 6 min 12 sec |
| 6 | 23-24 | Configure Windows Azure AD Federation Support | 41 sec |
| 7 | 25-27 | Install and Configure DirSync | 3 min 26 sec |

* Includes auto-install of .Net Framework tools
** Includes using self-signed certificate & auto-install of RSAT-DNS tools
*** Includes install of Sign-in Assistant & PS Module for MS Online
**** Used single-core VM for comparison vs AD FS server VM with 6 cores
6 23-24 Configure Windows Azure AD Federation Support 41 sec7 25-27 Install and Configure DirSync 3 min 26 sec*Includes auto-install of .Net Framework tools**Includes using self-signed certificate & auto-install of RSAT-DNS tools*** Includes install of Sign-in Assistant & PS Module for MS Online**** Used single-core VM for comparison vs AD FS server VM with 6 cores