AD to Windows Azure
By Sachin Shetty

Agenda
• AD Sync Options
• Federation Architecture
• AD to AAD Quickstart
AD to AAD Sync Options
Identities for Microsoft Cloud Services (diagram)
• Organizational services: OrgID / Organizational Account, i.e. an OnMicrosoft account (Azure AD account). Examples: [email protected]
• Personal services: Live ID / Microsoft Account. Examples: [email protected]@live.com
Cloud-Only / No Integration (diagram)
• Contoso customer premises: AD and CORP App, with no link to the cloud directory
• Windows Azure Active Directory: provisioning platform, directory store and authentication platform (IdP), administered through the Admin Portal / PowerShell / Graph
• Cloud services built on it: Office 365, Dynamics CRM Online, Windows Intune
• Integration options: 1. Cloud Only / No Integration 2. Directory Synchronization 3. Directory and Federated SSO
Directory Synchronization (diagram)
• Contoso customer premises: AD and CORP App; Directory Sync (DirSync) pushes AD objects into Windows Azure Active Directory
• Windows Azure Active Directory: provisioning platform, directory store and authentication platform (IdP), administered through the Admin Portal / PowerShell / Graph
• Cloud services built on it: Office 365, Dynamics CRM Online, Windows Intune
• Integration options: 1. No Integration 2. Directory Synchronization 3. Directory and Single sign-on (SSO)
Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Not a highly recommended option compared to DirSync or the FIM Connector
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience
• The PowerShell option can be used where the customer/partner already has wrappers around PowerShell scripts (e.g. self-service provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues

DirSync
• Suitable for organizations using Active Directory (AD)
• Supports Exchange co-existence scenarios
• Coupled with AD FS, provides the best option for federation and synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS + partners

FIM Connector
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses

Unlabeled option (heading not recovered)
• Suitable for all organizations
• Supports Exchange co-existence scenarios
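The "PowerShell" option in the table above, as an added example that is not code from the deck: bulk provisioning of cloud-mastered accounts with the Microsoft Online Services Module (MSOnline), made idempotent so re-runs do not recreate or reset users, followed by the reconciliation check a custom provisioning wrapper needs. It assumes the MSOnline module and Sign-in Assistant are installed and the credential has user administration rights; the user list, the contoso.onmicrosoft.com names and the usage location are constructed placeholders.

```powershell
# Added example, not code from the deck: the "PowerShell" provisioning option.
# Assumes the MSOnline module + Sign-in Assistant are installed and the
# credential supplied has user administration rights in the tenant.
Import-Module MSOnline

# Constructed sample input; a real run would use Import-Csv .\users.csv
$wanted = @'
UserPrincipalName,FirstName,LastName,DisplayName
alice@contoso.onmicrosoft.com,Alice,Adams,Alice Adams
bob@contoso.onmicrosoft.com,Bob,Brown,Bob Brown
'@ | ConvertFrom-Csv

Connect-MsolService -Credential (Get-Credential -Message 'Tenant admin account')

# Pick a SKU that still has free seats; AccountSkuId looks like contoso:ENTERPRISEPACK
$sku = Get-MsolAccountSku |
    Where-Object { $_.ActiveUnits -gt $_.ConsumedUnits } |
    Select-Object -First 1 -ExpandProperty AccountSkuId
if (-not $sku) { throw 'No license SKU with free seats in this tenant' }

$results = foreach ($u in $wanted) {
    # Idempotent: an existing account is reported, never recreated or reset
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Action = 'exists'; TempPassword = $null }
        continue
    }
    $new = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -FirstName $u.FirstName -LastName $u.LastName -DisplayName $u.DisplayName `
        -UsageLocation 'US' -LicenseAssignment $sku -ForceChangePassword $true
    # With no -Password given, the service generates a one-time password and
    # returns it in .Password: hand it over out of band, never write it to a log.
    [pscustomobject]@{ UPN = $new.UserPrincipalName; Action = 'created'; TempPassword = $new.Password }
}
$results | Select-Object UPN, Action | Format-Table -AutoSize

# Reconciliation check: cloud-only accounts that are not in the source list.
# LastDirSyncTime is empty for accounts that DirSync has never written, so this
# surfaces leftovers and manually created accounts that bypassed the wrapper.
$known = $wanted.UserPrincipalName
Get-MsolUser -All |
    Where-Object { -not $_.LastDirSyncTime -and $known -notcontains $_.UserPrincipalName } |
    Select-Object UserPrincipalName, WhenCreated |
    Format-Table -AutoSize
```

The existence check before New-MsolUser is what makes the script safe to run from a self-service wrapper more than once; the final query is the control a custom solution has to supply itself, since nothing in the service reconciles cloud-mastered accounts against your source list.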
Directory and Federated SSO (diagram)
• Contoso customer premises: AD, CORP App, Directory Sync (DirSync) and Active Directory Federation Server 2.0; a federation trust links AD FS to Windows Azure Active Directory
• Windows Azure Active Directory: provisioning platform, directory store and authentication platform (IdP), administered through the Admin Portal / PowerShell / Graph
• Cloud services built on it: Office 365, Dynamics CRM Online, Windows Intune
• Integration options: 1. No Integration 2. Directory Synchronization 3. Directory and Federated SSO
Federation options

Shibboleth (works with AD & non-AD)
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises

AD FS (works with AD)
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Requires on-premises servers, licenses & support
• Works with AD

Third-party identity providers (work with AD & non-AD)
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• Requires on-premises servers, licenses & support
• Works with AD & non-AD
Identity Options Comparison

1. No Integration
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
• Same domain name for users possible
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud

2. Directory Only
Pros
• Users and groups mastered on-premise
• Enables co-existence
• Single server deployment
Cons
• No 2FA until Spring 2013
• 2 sets of credentials to manage with differing password policies, OR manual / 3rd-party password sync, OR use FIM
• No SSO

3. Directory and SSO
Pros
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
• Ideal for multiple forests
Cons
• Additional servers required for AD FS
Accounts in Windows Azure AD
Demo
Federation Architecture

Federated Architecture (diagram)
• CorpNet: Active Directory; Server1 runs AD FS + DirSync
• Internet-facing: Server2 runs the AD FS Proxy
• Both sides federate with Windows Azure AD
AD FS Scalability Planning

Users          | Dedicated federation servers   | Federation server proxies | NLB servers | Comments
<1,000         | 0                              | 0                         | 1           | Deploy AD FS on two DCs
1,000–15,000   | 2                              | 2                         | 2           | Install NLB on proxies
15,000–60,000  | 2 + 1 for every 15,000 users   | 2+                        | 2+          | Install NLB on proxies or use a dedicated NLB implementation

Source: http://technet.microsoft.com/en-us/library/jj151794.aspx
Federated Architecture on Windows Azure! (diagram)
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription
• Windows Azure subscription: AD FS + AD, an AD FS Proxy, and DirSync
• All federate with Windows Azure AD over the Internet
Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

Quickstart Guide Architecture (diagram)
• Active Directory on-premises
• Server1 (Windows Server 2012): AD FS + DirSync
• Server2 (Windows Server 2012): AD FS Proxy
• Both integrate with Windows Azure AD over the Internet
AD to AAD Quickstart Steps
1) Add Domain to Windows Azure AD [Windows Azure from Server1]
2) Activate DirSync [Windows Azure from Server1]
3) Install AD FS Server Role [Server1]
4) Configure AD FS Server [Server1]
5) Install AD FS Proxy (optional) [Server2]
6) Configure AD FS Proxy (optional) [Server2]
7) Configure Inbound SSL Access [Server2]
8) Configure AD Federation Support [Server1]
9) Install & Configure DirSync [Server1]
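The tenant-side steps of this procedure (1, 2, 3 and 8) driven from PowerShell on Server1, as an added example that is not the deck's quickstart script, with the check a practitioner should run after step 8: converting a domain to federated makes the tenant accept any token signed by the AD FS token-signing key, so the resulting trust settings should be inspected rather than assumed. It assumes Windows Server 2012, the MSOnline module, and a Windows Azure AD global admin credential; contoso.com is a placeholder domain. Step 9 (the DirSync install) is the snippet shown later in the deck.

```powershell
# Added example (not the deck's quickstart script): quickstart steps 1, 2, 3
# and 8 from PowerShell on Server1. Assumes Windows Server 2012, the MSOnline
# module, and a Windows Azure AD global admin credential. $domain is a placeholder.
Import-Module MSOnline
$domain = 'contoso.com'   # placeholder; the demo later uses Christianboarders.com
Connect-MsolService -Credential (Get-Credential -Message 'Windows Azure AD global admin')

# Step 1: add the domain and show the TXT record that proves you own it
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain -Authentication Managed | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord |
    Select-Object Label, Text, Ttl
# Publish that TXT record in public DNS, wait for it to propagate, then:
Confirm-MsolDomain -DomainName $domain
if ((Get-MsolDomain -DomainName $domain).Status -ne 'Verified') {
    throw "$domain is still not verified; federation requires a verified domain"
}

# Step 2: activate directory synchronization for the tenant
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw 'DirSync activation has not taken effect yet; retry before installing DirSync'
}

# Step 3: install the AD FS role. On Windows Server 2012 the farm itself (step 4)
# is created with the AD FS configuration wizard or FsConfig.exe; Install-AdfsFarm
# only exists from Windows Server 2012 R2.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Step 8: convert the verified domain from managed to federated. This uploads the
# AD FS token-signing certificate and issuer URI to the tenant; from then on any
# token signed with that key is accepted for every user in the domain, so treat
# the AD FS server and its signing key as tier-0 assets and audit this setting.
Set-MsolADFSContext -Computer $env:COMPUTERNAME
Convert-MsolDomainToFederated -DomainName $domain

# Check what the tenant now trusts: one issuer, the expected endpoints, and the
# thumbprint of the signing certificate you actually issued
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))
$signing | Select-Object Subject, Thumbprint, NotAfter
# Get-MsolFederationProperty shows the AD FS-side and tenant-side settings next to
# each other; any mismatch means the trust is stale or has been altered.
Get-MsolFederationProperty -DomainName $domain
```

Re-run the last three commands whenever the signing certificate rolls over (Update-MsolFederatedDomain) and as a periodic control: an unexpected issuer URI or thumbprint in the tenant's federation settings is a sign that someone other than you holds a key the tenant trusts.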
Demo
Pre-requisites & Initial Setup
Install and Configure a new AD FS farm
What we've built so far (diagram)
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription hosting AD + AD FS
• Internet: Windows Azure AD
• DirSync – Activated, not synced
• Domain Name – Added, not verified
• Domain: Christianboarders.com
Configure Inbound SSL Access (diagram)
• Internet: Windows Azure AD; public endpoint 157.56.167.107 / mycloudservice.cloudapp.net
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription hosting AD + AD FS
Install DirSync on WS 2012 [On Server1]

```powershell
Write-QSTitle 'Download, install, and configure the DirSync tool'

# Download DirSync.exe next to the running script. Write-QSTitle, Write-QSError and
# Require-QSDownloadableFile are helpers defined elsewhere in the quickstart script.
$DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
    Write-QSError 'DirSync download failed.'
    return
}

# Caveat: the download is plain HTTP and nothing here checks the installer's
# Authenticode signature before it runs with admin rights; verify it in production.
Write-Host 'Running DirSync installer...'
# Silent install; -Wait blocks until the installer exits before the script continues
Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait
```

Note: SQL 2008 R2 Express is not officially supported on WS 2012. SP1 is supported, but see http://support.microsoft.com/kb/2681562
Final Configuration (diagram)
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription hosting AD FS + AD, an AD FS Proxy and DirSync
• All federate with Windows Azure AD over the Internet
• DirSync – Activated + synced
• Domain Name – Added + verified
Actual Times Taken

Document Step # | PS Script Step # | Component of Configuration                              | Actual Time Taken
1               | 1-2              | Initial Software Installation (pre-requisites)*, ***    | 1 min 12 sec
1               | 3                | Office 365 Readiness Tool                               | 5 min 48 sec
2               | 4-5              | Add Domain Name in Windows Azure AD                     | 27 sec
3               | 6                | Activate DirSync Support                                | 10 sec
4               | 7-14             | Install and Configure On-Premise AD FS Server1**        | 2 min 53 sec
5               | 15-22            | Install and Configure AD FS Proxy Server2*, ***, ****   | 6 min 12 sec
6               | 23-24            | Configure Windows Azure AD Federation Support           | 41 sec
7               | 25-27            | Install and Configure DirSync                           | 3 min 26 sec

* Includes auto-install of .NET Framework tools
** Includes using a self-signed certificate & auto-install of RSAT-DNS tools
*** Includes install of the Sign-in Assistant & PS Module for MS Online
**** Used a single-core VM, for comparison vs. the AD FS server VM with 6 cores