Azure AD Connect: Get your Hybrid Identity in four steps!
Ronny de Jong
Consultant & MVP | Inovativ
@ronnydejong
Agenda
Making Hybrid Identity Simple
More topologies, more scenarios
Walk through Express & Custom Setup
Monitor your Hybrid Identity
Making Hybrid Identity Simple? - Today
Self-service, single sign-on
Diagram: Identity as the control plane. On-premises Windows Server Active Directory makes a simple connection to Microsoft Azure Active Directory, which in turn fronts the cloud: SaaS, Azure, Office 365, public cloud and other directories.
Going beyond on-premises
IDC predicts that 70 percent of organizations will embrace a
cloud-first strategy by 2016, getting there on their own pace
over a number of years, with many living in a hybrid
environment for quite some time. That flexibility—living in both
worlds—even with a cloud-first strategy, is nonnegotiable. [1]
[1] Source: IDC CIO Agenda Webinar, 2013.
Making hybrid identity simple!
Azure Active Directory Connect
Consolidated deployment assistant for your identity bridge components
DirSync – supported, available in Office 365 portal
There is no announcement of deprecation yet.
Once that announcement occurs, at least 1 year of support
remains.
Azure AD Sync – supported.
Guide new deployments to Azure AD Connect.
Azure AD Connect is GA – available in Azure AD
Portal. New deployments should use this!
Which tools are supported?
DirSync (<50k objects)
In-place migration of all supported custom configurations.
Will not migrate unsupported configurations (such as removed
attribute flows).
Upgrade from DirSync & Azure AD Sync
DirSync (>50k objects)
Side-by-side deployment. Export DirSync configuration and
import in Azure AD Connect.
On the DirSync box, the wizard prompts you to export a config file.
On the new box, at a command prompt run AzureADConnect.exe /migrate and specify the config file.
Once the full import and full sync complete, uninstall DirSync on the old box, then on the new box run the wizard a second time to turn off staging mode.
Azure AD Sync
In-place upgrade.
Upgrade from DirSync & Azure AD Sync
Making Hybrid Identity Simple
Azure AD Connect with Express Settings
Use one tool instead of many
Get up and running quickly (4 clicks)
Start here, then scale up or add options
Custom options to address more complex scenarios
Demo
Express Setup
More topologies, more scenarios
Multi forest topologies
Use a full SQL Server edition for sync
Deploy a pilot using just a few users in a group
Don’t start sync right away (‘staging mode’)
Sign on using federation
Azure AD Premium features (write back passwords, users,
groups, and devices from the cloud)
Sync custom directory attributes to the cloud
Custom settings allow more advanced options
For all scenarios (Express Settings or Custom)
Office 365 or Azure AD subscription – free trial is OK
For custom Azure AD domains, configure your public DNS records
AD users have UPNs (IDFix)
Just for AD FS
SSL certificate is trusted on all AD FS and WAP hosts. Use a certificate whose key pair was generated by a legacy Cryptographic Service Provider (CSP); certificates with a CNG private key are not supported.
Enable WinRM on all remote targets
Federation service name resolves
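The AD FS prerequisites above (trusted certificate with a legacy CSP key, WinRM reachable on every remote target, federation service name resolving) are easy to verify before the wizard fails on them. The following pre-flight script is an added example, not code from the deck or from Microsoft; the thumbprint, federation service name and host names are placeholders, and the CNG check relies on certutil reporting a Key Storage Provider for CNG-held keys.

```powershell
# Added pre-flight check for the AD FS prerequisites (example code, not from the deck).
# Run on the server that holds the AD FS/WAP certificate. All names below are placeholders.
param(
    [string]   $CertThumbprint        = 'THUMBPRINT-PLACEHOLDER',
    [string]   $FederationServiceName = 'fs.example.com',
    [string[]] $RemoteHosts           = @('adfs01.example.com', 'wap01.example.com')
)

function Test-CspCertificate {
    # The certificate must chain to a trusted root and its private key must come from a legacy CSP.
    # A key held by a Key Storage Provider (KSP) is a CNG key, which AD FS does not accept.
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Check = 'Certificate'; Ok = $false; Detail = 'Not found in LocalMachine\My' }
    }
    $trusted = $cert.Verify()                      # builds and validates the chain on this host
    $hasKey  = $cert.HasPrivateKey
    # certutil prints "Provider = <name>" for the private key; KSP wording means CNG (assumption: certutil output format)
    $store   = certutil -store My $Thumbprint 2>&1 | Out-String
    $isCng   = $store -match 'Provider\s*=\s*.*Key Storage Provider'
    [pscustomobject]@{
        Check  = 'Certificate'
        Ok     = ($trusted -and $hasKey -and -not $isCng)
        Detail = "trusted=$trusted privateKey=$hasKey cngKey=$isCng"
    }
}

function Test-WinRmTarget {
    # Test-WSMan succeeds only if the WinRM listener on the target answers.
    param([string]$ComputerName)
    try   { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; $ok = $true; $d = 'WinRM responded' }
    catch { $ok = $false; $d = $_.Exception.Message }
    [pscustomobject]@{ Check = "WinRM $ComputerName"; Ok = $ok; Detail = $d }
}

function Test-FederationName {
    # The federation service name must resolve from this host (use the same resolver the servers use).
    param([string]$Name)
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object IPAddressToString
        $ok  = @($ips).Count -gt 0; $d = ($ips -join ', ')
    } catch { $ok = $false; $d = $_.Exception.Message }
    [pscustomobject]@{ Check = "DNS $Name"; Ok = $ok; Detail = $d }
}

$results  = @(Test-CspCertificate -Thumbprint $CertThumbprint)
$results += $RemoteHosts | ForEach-Object { Test-WinRmTarget -ComputerName $_ }
$results += Test-FederationName -Name $FederationServiceName
$results | Format-Table Check, Ok, Detail -AutoSize
# Non-zero exit so a surrounding deployment script stops before installing AD FS
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it once per AD FS and WAP host; the certificate check is the one that most often fails in practice, because a certificate requested through the Windows Server 2012 R2 enrollment UI defaults to a CNG key unless the template says otherwise.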
For write-back scenarios
AAD Premium, prepare Active Directory
Make sure you do this first
Choose Password sync for the most common deployment
needs
Federation with ADFS is an option for customers that have
more unique needs
Choosing Password Sync or AD FS for Sign On
Choose AD FS instead of password sync when:
• You already have AD FS or a 3rd party federation provider
• Security policy prohibits password hashes being sync’d to the cloud
• You require desktop SSO from domain joined machines on the corporate network
• You require some specific capabilities AD FS has
1. on premises multi-factor authentication or smart card support for sign on
2. soft account lockout or AD work hours policy
3. conditional access for both on premises and cloud resources
Synchronizes a hash of the password hash. The actual password never leaves on-premises and is not known by Azure AD.
When enabled, on-premises password policies apply:
Password complexity policy
Password expiration policy
Protects the password against pass-the-hash attacks. The synced value cannot be used to access any on-premises resources.
Can be used as a backup for federation. If password hashes are present in Azure AD, a quick fail-over is possible.
Sign-in – password sync
Common multi-forest topologies
Separate forests: each object in every forest will be represented in Azure AD.
Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
Account-Resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts. Joined on objectSID and msExchMasterAccountSID.
Intended to make it easy to pilot and evaluate Azure AD and Office 365.
In from AD for User, Group, and Contact sets cloudFiltered to TRUE if the object is NOT in the group.
When you add/remove users from the group, they are added/removed in Azure AD.
Only objects which are direct members of the group will be present in Azure AD.
Remove the filter when ready to ‘go live’ (2nd pass wizard option under Customize Synchronization Options).
Filter users and devices based on group
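Because the group filter honours direct membership only, a pilot group built from nested groups silently leaves most accounts cloudFiltered. The report below is an added example (not from the deck) that compares direct membership with the recursive expansion and lists the accounts that would be excluded; it assumes the ActiveDirectory PowerShell module and a placeholder group name.

```powershell
# Added example (not from the deck): show which members of a pilot group would actually be synced.
# Requires the ActiveDirectory module; the group name is a placeholder.
Import-Module ActiveDirectory

function Get-PilotGroupSyncReport {
    param([Parameter(Mandatory)][string]$GroupName)

    # Direct members are what the group filter honours: users, computers and nested groups as objects
    $direct = @(Get-ADGroupMember -Identity $GroupName)

    # -Recursive expands nested groups down to leaf objects; anything in here that is not also
    # a direct member is reachable only through nesting and stays cloudFiltered = TRUE.
    $recursive = @(Get-ADGroupMember -Identity $GroupName -Recursive)

    $directDns  = $direct | ForEach-Object distinguishedName
    $nestedOnly = @($recursive | Where-Object { $directDns -notcontains $_.distinguishedName })

    [pscustomobject]@{
        Group                   = $GroupName
        SyncedObjects           = @($direct | Where-Object { $_.objectClass -ne 'group' }).Count
        NestedGroupsAsObjects   = @($direct | Where-Object { $_.objectClass -eq 'group' }).Count
        ExcludedByNesting       = $nestedOnly.Count
        ExcludedSamAccountNames = @($nestedOnly | ForEach-Object SamAccountName)
    }
}

# Usage (placeholder group name)
Get-PilotGroupSyncReport -GroupName 'AAD-Pilot-Users' | Format-List
```

A non-zero ExcludedByNesting is the signal to flatten the pilot group (add the accounts directly) before the first sync, rather than discovering missing users in the tenant afterwards.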
Password write-back: change and set passwords in Azure AD and have the password policy verified with on-premises Windows Server Active Directory.
User write-back: a user created in Azure AD is created in on-premises AD.
Optional Features – Write-back
Group write-back: “Groups in Office 365” will be written back to your on-premises Exchange forest (you need Exchange 2013 CU8 or later).
These groups are mastered in Azure AD.
Does not support security groups or distribution groups.
Device write-back: requires the Windows Server 2012 R2 AD schema; create the configuration object and container.
Optional Features – Write-back cont’d
Bring your own AD attributes to Azure AD
Attributes defined on users and groups
Single-valued attributes only
Integer, LargeInteger, DateTime, Binary, Boolean, String
Limit of 100 extension values written to a single object
Limit of 256 characters per string extension value
Limit of 256 bytes per binary extension value
Optional Features – Directory Extensions
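The directory extension limits above (single-valued, six supported syntaxes, 100 extensions per object, 256 characters or bytes per value) can all be checked against the schema and against live data before an attribute is selected in the wizard. The validator below is an added example, not code from the deck or from Azure AD Connect; it assumes the ActiveDirectory module, and the attribute names and sample size in the usage line are placeholders.

```powershell
# Added example (not from the deck): validate candidate attributes against the directory extension
# limits before selecting them in the wizard. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# attributeSyntax OIDs that correspond to the supported extension types
$SupportedSyntax = @{
    '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer'
    '2.5.5.16' = 'LargeInteger'
    '2.5.5.11' = 'DateTime'       # UTCTime / GeneralizedTime
    '2.5.5.10' = 'Binary'         # Octet string
    '2.5.5.12' = 'String'         # Unicode string
}
$MaxExtensionsPerObject = 100
$MaxStringLength        = 256    # characters
$MaxBinaryLength        = 256    # bytes

function Test-DirectoryExtensionAttribute {
    param(
        [Parameter(Mandatory)][string[]]$AttributeName,
        [int]$SampleUsers = 200      # how many users with a value to inspect per attribute (assumption)
    )
    if ($AttributeName.Count -gt $MaxExtensionsPerObject) {
        Write-Warning "$($AttributeName.Count) attributes exceed the $MaxExtensionsPerObject-per-object limit"
    }
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $AttributeName) {
        $schema = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, isSingleValued, attributeSyntax
        if (-not $schema) {
            [pscustomobject]@{ Attribute = $name; Type = $null; Ok = $false; Reason = 'not in schema' }
            continue
        }
        $type    = $SupportedSyntax[$schema.attributeSyntax]
        $reasons = @()
        if (-not $schema.isSingleValued) { $reasons += 'multi-valued' }
        if (-not $type)                  { $reasons += "unsupported syntax $($schema.attributeSyntax)" }

        # Per-value size limits: inspect existing values on a sample of users that have the attribute set
        if ($schema.isSingleValued -and $type -in 'String', 'Binary') {
            $limit = if ($type -eq 'Binary') { $MaxBinaryLength } else { $MaxStringLength }
            $users = Get-ADUser -LDAPFilter "($name=*)" -Properties $name -ResultSetSize $SampleUsers
            $tooLong = foreach ($u in $users) {
                $v   = $u.$name
                $len = if ($type -eq 'Binary') { ([byte[]]$v).Length } else { "$v".Length }
                if ($len -gt $limit) { $u.SamAccountName }
            }
            if ($tooLong) { $reasons += "values over $limit on: $($tooLong -join ', ')" }
        }
        [pscustomobject]@{ Attribute = $name; Type = $type; Ok = ($reasons.Count -eq 0); Reason = ($reasons -join '; ') }
    }
}

# Usage (placeholder attribute names)
Test-DirectoryExtensionAttribute -AttributeName 'employeeID', 'extensionAttribute1', 'otherTelephone' |
    Format-Table -AutoSize
```

An attribute that fails on 'multi-valued' (otherTelephone in the usage line is one) cannot be fixed with data cleanup; pick a single-valued attribute instead. A 'values over 256' failure is a data problem worth fixing on-premises before the first export, since the sync engine will otherwise report export errors for those objects.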
An active sync server which is not exporting
Includes password sync and password write-back
Moving from one server (e.g. DirSync) to another
Warm stand-by for rapid disaster recovery
Also used for FIM + Azure AD Connector to Azure AD Connect migration
Staging mode
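Both the DirSync side-by-side migration (export the config, run AzureADConnect.exe /migrate, finish the full import and sync, then turn off staging mode on the new box) and the warm stand-by use of staging mode share one invariant: exactly one server may be exporting to the tenant at any time. The check below is an added example, not from the deck; it assumes the ADSync module on each server, the Get-ADSyncScheduler cmdlet (present in Azure AD Connect builds 1.1 and later, not in the GA build the deck describes), WinRM access to the servers, and placeholder server names.

```powershell
# Added example (not from the deck): confirm that exactly one Azure AD Connect server is out of
# staging mode before a cut-over. Assumes ADSync module + Get-ADSyncScheduler (build 1.1+) on
# each server and WinRM access; server names are placeholders.
function Get-SyncServerState {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $s = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                Import-Module ADSync
                Get-ADSyncScheduler | Select-Object StagingModeEnabled, SyncCycleEnabled, SyncCycleInProgress
            }
            [pscustomobject]@{
                Server = $c; StagingMode = $s.StagingModeEnabled; SyncEnabled = $s.SyncCycleEnabled
                InProgress = $s.SyncCycleInProgress; Error = $null
            }
        } catch {
            # An unreachable server is reported rather than skipped: an unknown state is not a safe state
            [pscustomobject]@{ Server = $c; StagingMode = $null; SyncEnabled = $null; InProgress = $null; Error = $_.Exception.Message }
        }
    }
}

function Assert-SingleExportingServer {
    # Two servers out of staging mode would both export to the same tenant.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $states = @(Get-SyncServerState -ComputerName $ComputerName)
    $states | Format-Table -AutoSize | Out-Host
    $unknown = @($states | Where-Object { $_.Error })
    $active  = @($states | Where-Object { -not $_.Error -and -not $_.StagingMode })
    if ($unknown.Count -gt 0) { throw "Could not read state from: $($unknown.Server -join ', ')" }
    if ($active.Count -ne 1)  { throw "Expected exactly one exporting server, found $($active.Count): $($active.Server -join ', ')" }
    if ($active[0].InProgress) { throw "A sync cycle is in progress on $($active[0].Server); wait for it to finish" }
    "OK: $($active[0].Server) is the only exporting server"
}

# Usage (placeholder server names): run before uninstalling the old server and again after the
# second wizard pass on the new one
Assert-SingleExportingServer -ComputerName 'aadc-old.example.com', 'aadc-new.example.com'
```

Run it twice during a migration: before the old server is removed it should name the old server as the single exporter, and after the second wizard pass it should name the new one. On the GA build without Get-ADSyncScheduler, the same facts are visible in the Synchronization Service Manager (staging-mode servers never show export runs).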
Change sync options
Remove group filter
Enable/disable staging mode
Enable/disable write-backs
Add additional domains and forests
Forests for sync
Domains for federation
Add ADFS/WAP servers
Second Pass – Run the wizard a 2nd time
Demo
Custom Setup: Enable Federation
Multiple Azure AD Connect to same tenant
Sync: not supported - use same Azure AD Connect instance
for multiple (untrusted) forests.
AD FS: deploy separate farms for untrusted forests, supported
Same Azure AD Connect to multiple tenants
Not officially supported for sync – previously there was a ‘side-by-side’ workaround for DirSync
Common questions
Included in Azure AD/Office 365 license:
The installation wizard
Synchronize from on-premises to Azure AD regardless of
source directory
Write-back for Exchange hybrid deployment
Requires Azure AD Premium:
Write-back (password, user, group, ….)
Additional licenses required for:
SQL Server if needed
Licensing
Accidental delete prevention
On by default
Cannot export more than 500 deletes (default)
Can be configured with:
Enable-ADSyncExportDeletionThreshold
Disable-ADSyncExportDeletionThreshold
Configuration stored in Azure AD
Export Deletion Threshold
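Because the deletion threshold is the only guard between a bad filter change and a tenant-wide delete, the safer pattern for a planned bulk removal is to raise the limit to the number you expect rather than disable it, and to put the default back whatever happens. The script below is an added example, not from the deck or from Microsoft; besides the two cmdlets the slide names it assumes Get-ADSyncExportDeletionThreshold, Start-ADSyncSyncCycle and Get-ADSyncScheduler from the ADSync module (build 1.1 and later), and that Enable-ADSyncExportDeletionThreshold prompts for Azure AD admin credentials because the setting is stored in Azure AD.

```powershell
# Added example (not from the deck): raise the export deletion threshold to a known number for a
# planned bulk removal, run a cycle, and restore the default even if the cycle fails.
# Assumes the ADSync module on the Azure AD Connect server (build 1.1+ for Start-ADSyncSyncCycle
# and Get-ADSyncScheduler; Get-ADSyncExportDeletionThreshold is also an assumption).
Import-Module ADSync

function Wait-ADSyncCycle {
    # Start-ADSyncSyncCycle only queues the cycle; poll the scheduler until it has finished.
    param([int]$PollSeconds = 30)
    Start-Sleep -Seconds 10
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds $PollSeconds }
}

function Invoke-PlannedBulkDeletion {
    param(
        [Parameter(Mandatory)][int]$ExpectedDeletes,   # what you counted on-premises beforehand
        [int]$Headroom         = 10,                   # small allowance for objects removed in between
        [int]$DefaultThreshold = 500                   # the default named on the slide
    )
    $before = Get-ADSyncExportDeletionThreshold
    Write-Host "Threshold before: $($before | Out-String)"

    # Raising the limit to roughly the expected count keeps protection against an unrelated mass delete;
    # Disable-ADSyncExportDeletionThreshold would remove the safety net entirely.
    # Prompts for Azure AD admin credentials because the setting lives in Azure AD.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold ($ExpectedDeletes + $Headroom)
    try {
        Start-ADSyncSyncCycle -PolicyType Delta
        Wait-ADSyncCycle
        # Check the export run in Synchronization Service Manager before treating this as done
    } finally {
        # Always restore the default, whether the cycle succeeded, failed, or was interrupted
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DefaultThreshold
    }
}

# Usage: 1200 objects were deliberately removed from the synced OUs and must be deleted in the tenant
Invoke-PlannedBulkDeletion -ExpectedDeletes 1200
```

If the export still stops with a deletion-threshold error, the number of pending deletes is higher than you counted, which is exactly the case the guard exists for: investigate before raising the limit again.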
Monitor Your Hybrid Identity!
Azure AD Connect Health
• Monitor ADFS service for reliable & highly available authentication
• Email notification for critical alerts
• Analyze ADFS logins for usage & capacity planning based on app, authentication, network location & failures
• Perform forensic analysis on top users with bad passwords
• Troubleshoot with easy access to critical performance counters
How does it work?
• Download & install the agent on all ADFS/proxy servers
• Health agent runs locally on the server & collects data and performs configuration checks
• Includes synthetic transactions
• Health agent pushes data to the health service
• Requires certain URLs in the Microsoft cloud to be accessible from the ADFS or proxy servers
• Health service processes data to generate alerts, trends & reports
• Azure portal provides view to reports
Diagram: ADFS/ADFS Proxy/WAP servers send data to Microsoft Azure AD Connect Health, where you view alerts, reports and login trends.
Demo
Azure AD Connect Health
Session Objective(s):
Understand the default configurations the wizard creates
Understand what can be done with the wizard and what
requires additional config
Azure AD Connect is the (sync+authn) tool going
forward for connecting on premise directories to
Azure AD / O365
Session Objectives And Takeaways
Q & A Time...
Next Session 14:30 – 15:30: “Azure Automation – Introduction”, Jakob Gottlieb Svendsen
Thanks To All Our Sponsors
We Need Your Feedback
SCU Europe session planner planning.systemcenteruniverse.ch
SCU Europe WP app
Watch out for a survey invitation after the conference