Getting Started with Azure AD and Hybrid Identities
Jason Himmelstein, SharePoint MVP
Office 365 Advisory Services Manager | @sharepointlhorn | http://www.sharepointlonghorn.com
Todd Klindt, SharePoint MVP
SharePoint Principal Architect | @toddklindt | http://www.toddklindt.com/blog
Who is this Todd Klindt guy?
SharePoint MVP since 2006
Speaker, writer, consultant, Aquarius, Iowa Native
Fan of all sorts of Microsoft technologies
Personal Blog
www.toddklindt.com/blog
Twitter me! @toddklindt
If you’re not already sick of him
http://www.toddklindt.com/netcast
That other guy… Jason something
• SharePoint Server MVP
• Office 365 Advisory Services Manager, Rackspace
• ITPro enthusiast, Business Intelligence geek,
& general technology fan boy
• Re-installed Texan, die-hard Spurs, Longhorns, & Jaguars fan
• Geek Blog: www.sharepointlonghorn.com
• On the Twitters: @sharepointlhorn
• GitHub: www.github.com/jasonhimmelstein
© SPintersection. All rights reserved.http://www.SPintersection.com
Agenda
History lesson
Defining Terminology
Active Directory Core Concepts & Concerns
Topology & Security
Use Cases
Homework
History lesson
The dark days – SharePoint 2003 & 2007
Age of enlightenment - SharePoint 2010
Age of the Internet - SharePoint 2013
Defining Terminology
Active Directory
User Principal Name
Azure Active Directory
Identity as a Service
DirSync
ADFS
Azure AD Connect
Azure AD Connect: Your Identity Bridge
Azure AD <--> Azure AD Connect (sync + sign on) <--> Active Directory / LDAP
Hybrid identity management
Azure Active Directory Connect: consolidated deployment assistant for your identity bridge components
Common monitoring for your identity bridge components
Active Directory Core Concepts & Concerns
FSMO roles, AD DNS, WINS, NETBIOS, etc
Dirty, dirty directories
2003 (Everyone group) --> 2008 (Authenticated Users group)
IsCriticalSystemObject objects not synced (like Domain Users)
UPN issues around migration
Schema extensions
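Two of the concerns above (IsCriticalSystemObject objects that Azure AD Connect skips, and UPN suffixes that break on migration) can be caught before the first sync run. The following is an added example, not from the session deck or any Microsoft tool: it audits the direct members of an AD group that is in scope for sync. The group name and the verified-domain list are constructed placeholders, and it assumes the RSAT ActiveDirectory module is installed on the member server.

```powershell
# Added example (not from the session): pre-sync audit of an AD group that is
# in scope for Azure AD Connect. It flags members that carry
# isCriticalSystemObject (Azure AD Connect does not sync those, e.g. Domain
# Users) and users whose UPN suffix is not a domain verified in the tenant
# (those end up under the tenant's .onmicrosoft.com fallback in Azure AD).
Param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $SyncGroupName,

    # Domains verified in the Office 365 tenant; constructed placeholder.
    # After Connect-MsolService this can be filled from
    # (Get-MsolDomain -Status Verified).Name
    [string[]] $VerifiedDomains = @("contoso.com")
)

Import-Module ActiveDirectory -ErrorAction Stop

$findings = @()

# Read the direct members from the group's member attribute so that nested
# groups (the usual place Domain Users hides) are audited as objects too.
$group = Get-ADGroup -Identity $SyncGroupName -Properties member

foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn `
        -Properties isCriticalSystemObject, userPrincipalName, objectClass

    if ($obj.isCriticalSystemObject -eq $true) {
        $findings += [pscustomobject]@{
            Object  = $obj.DistinguishedName
            Problem = "isCriticalSystemObject=True; Azure AD Connect will not sync it"
        }
    }

    if ($obj.objectClass -eq "user") {
        $upn = $obj.userPrincipalName
        if ([string]::IsNullOrEmpty($upn)) {
            $findings += [pscustomobject]@{
                Object  = $obj.DistinguishedName
                Problem = "No UPN set; Azure AD will fall back to the .onmicrosoft.com domain"
            }
        }
        else {
            $suffix = $upn.Split('@')[-1]
            if ($VerifiedDomains -notcontains $suffix) {
                $findings += [pscustomobject]@{
                    Object  = $upn
                    Problem = "UPN suffix '$suffix' is not a verified tenant domain"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No sync-blocking issues found in $SyncGroupName"
}
else {
    $findings | Format-Table -AutoSize
}
```

Run it against the sync group before enabling group-based filtering; anything it reports is an object that will either be silently skipped by the sync or show up in the tenant with a UPN nobody expects.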
Topology & Security
ADFS vs DirSync
Multifactor Auth
Same Sign On scenario
Single Sign On scenario
Highly Available Auth scenario
Use Cases
Old environment moving to a new Hybrid Estate
New Farm Identities
Extranet situations
Pre-requisites for Installing Azure AD Connect
Office 365 tenant
1 Registered Domain URL
2 Machines
1 AD Domain Controller (ADDC)
Windows 2003 or later
1 Domain member server
Windows 2008 or greater
But really, Windows 2012 R2
Downloads
Package downloads on member server
Azure AD Connect
http://go.microsoft.com/fwlink/?linkid=615771&clcid=0x409
PowerShell bits: Windows PowerShell cmdlets for Office 365 management and deployment
https://www.microsoft.com/en-us/download/details.aspx?id=35588
Microsoft Online Services Sign-In Assistant for IT Professionals RTW
http://www.microsoft.com/en-us/download/details.aspx?id=41950
Azure AD Module for Windows PowerShell
http://go.microsoft.com/fwlink/p/?linkid=236297
CSSA (The Cloud Search Service Application)
Introduced in the August 2015 CU for SharePoint 2013
Combines on-prem Search index and SharePoint Online Search
Not Federation
Search results are not separated
Does not require a Search index on-prem
Allows cloud services to include on-prem content
Getting Comfortable with the new hybrid Cloud Search Service in SharePoint 2013
What we can do…
“It’s not over complicating things… it’s fun!”
Using PowerShell to manage Office 365
“How to screw up and lose friends”
Tales of woe from the field & what not to do
“Licensing a cat”
Creating accounts, syncing them & applying licenses
Real world example

Param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $User
)

# Add the Active Directory bits and don't complain if they're already there
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Add the Azure Active Directory module
Import-Module MSOnline

# Define the AD group that is synced to AAD and is used for the ODFB audience
$syncgroupname = "CloudSync"
$syncgroup = Get-ADGroup $syncgroupname

# Location of the AAD Connect manual sync EXE
$syncclient = "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"

# Name of the Azure license to apply
$license = "reseller-account:ENTERPRISEPACK"

# Azure AD domain suffix
$aadsuffix = "rackhybrid4.com"

# First, add the user to the group
Add-ADGroupMember -Identity $syncgroupname -Members $User

# Remind them to recompile their SharePoint audience
Write-Host "You'll need to recompile your SharePoint audience to reflect the group change"

# Sync up to Azure AD
& $syncclient

# Now tweak the user in Azure AD
# First connect
Connect-MsolService

# Build the user's Azure AD UPN
$aaduser = "$User@$aadsuffix"

# Set the user's usage location. Without that the license assignment will fail
Set-MsolUser -UserPrincipalName $aaduser -UsageLocation "US"

# Set the user's license
Set-MsolUserLicense -UserPrincipalName $aaduser -AddLicenses $license
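The script above licenses the user immediately after kicking off the sync, which is where the "tales of woe" tend to start: the object may not exist in Azure AD yet, the SKU may have no free units, or the user may already be licensed. The following is an added example, not the session's script, showing a hardened version of the licensing tail. It assumes Connect-MsolService has already been run; the UPN, SKU id and timeout are constructed placeholders.

```powershell
# Added example (not the session's script): the licensing step, hardened.
# After a manual Azure AD Connect sync the object can take a while to appear
# in Azure AD, so this waits for it, refuses to assign a SKU with no free
# units, and skips users that already hold the SKU. Assumes
# Connect-MsolService has already been run in this session.
Param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $UserPrincipalName,

    # Constructed placeholder; real value comes from Get-MsolAccountSku
    [string] $AccountSkuId = "reseller-account:ENTERPRISEPACK",
    [string] $UsageLocation = "US",
    [int] $TimeoutMinutes = 10
)

Import-Module MSOnline -ErrorAction Stop

# 1. Wait for the synced object to show up in Azure AD
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$aaduser = $null
do {
    $aaduser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($aaduser) { break }
    Write-Host "Waiting for $UserPrincipalName to appear in Azure AD..."
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if (-not $aaduser) {
    throw "$UserPrincipalName not found in Azure AD after $TimeoutMinutes minutes; check the sync run and the UPN suffix"
}

# 2. Idempotency: don't touch users that already hold the SKU
if ($aaduser.Licenses.AccountSkuId -contains $AccountSkuId) {
    Write-Host "$UserPrincipalName already has $AccountSkuId"
    return
}

# 3. Make sure the tenant actually has a free unit of that SKU
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
if (-not $sku) {
    throw "SKU $AccountSkuId does not exist in this tenant (see Get-MsolAccountSku)"
}
if ($sku.ConsumedUnits -ge $sku.ActiveUnits) {
    throw "No free units of $AccountSkuId ($($sku.ConsumedUnits)/$($sku.ActiveUnits) consumed)"
}

# 4. Usage location is mandatory before a license can be assigned
if (-not $aaduser.UsageLocation) {
    Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
}

# 5. Assign the license
Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId
Write-Host "Assigned $AccountSkuId to $UserPrincipalName"
```

Each failure surfaces as a thrown error rather than a half-configured account, which makes the script safe to re-run after fixing whatever the audit or the sync reported.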
MIM (Microsoft Identity Management)
The next version of FIM
ILM
MIIS
What are they trying to hide?
Better cloud and Windows 10 & 2016 support
Don’t upgrade SharePoint FIM
AD Team Blog Post
The Hybrid Picker
Helps you configure your hybrid options
Requires August 2015 CU
Shows up in Admin Tenant Console
Plan for the SharePoint Hybrid Picker
Links For Clicking
The Microsoft Cloud Show episode on Azure AD dev
Q & A