by Els Putzeys
More and more organizations store data in the cloud or use cloud services such as Windows Azure and Office 365. For administrators, that means one of the first tasks is creating and managing users on these cloud platforms.
In this session we will look at the identity management options available for Windows Azure, Office 365, Windows Intune, …
Windows Azure AD: create cloud identities in Azure AD and use them across all cloud services.
Directory Synchronization: synchronize your on-premises AD users to Windows Azure AD.
Federation: let users sign in with their on-premises AD account when accessing cloud services.
In the demo we will set up directory synchronization and federation using ADFS.
3. Identity Options
Microsoft Online IDs
Microsoft Online IDs + Directory Synchronization
Federated IDs + Directory Synchronization
4. Microsoft Online IDs
Appropriate for small organizations without on-prem AD
Pros
– No servers required on-premises
Cons
– No SSO
– 2 sets of credentials to manage with different password policies
– IDs mastered in the cloud
5. Microsoft Online IDs + DirSync
Appropriate for medium/large organizations with on-prem AD
Pros
– Users and groups mastered on-premises
– Enables coexistence scenarios
– Passwords can be synchronized with password sync tool
Cons
– No SSO
– 2 sets of credentials to maintain
– DirSync server required on-premises
8. Windows Azure AD
Identity and access management in the cloud
Your organization’s cloud directory
– Used by
• Windows Azure
• Office 365
• Windows Intune
Can be integrated with on-premises AD
Integration with cloud applications
– Single sign-on experience
• App hosted in cloud
• Users authenticate with corporate credentials
10. Windows Azure AD
Azure AD is a multi-tenant service
Authentication process
– User accesses a SaaS application
– User authenticates to Azure AD with username and password
– Azure AD returns a token
– Token is sent to the SaaS application
– Application validates the token (signature, issuer, audience, expiry) and uses the claims it contains
11. Create Online IDs
Windows Azure AD Portal
Office 365 Portal
Windows PowerShell
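As an added example (not part of the original slides), this is how Microsoft Online IDs can be created in bulk with the MSOnline PowerShell module instead of one at a time in the portal. The CSV layout, the fabrikam.com names and the AccountSkuId are assumptions for illustration.

```powershell
# Added example, not from the original slides: bulk-create cloud-mastered
# Microsoft Online IDs with the MSOnline module (Connect-MsolService / New-MsolUser).
Import-Module MSOnline
$cred = Get-Credential            # a cloud global administrator
Connect-MsolService -Credential $cred

# Constructed sample input; in practice use: $users = Import-Csv .\newusers.csv
# LicenseSku is the AccountSkuId, formatted <tenant>:<SKU> (assumed values here)
$users = @'
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation,LicenseSku
jdoe@fabrikam.com,John Doe,John,Doe,BE,fabrikam:ENTERPRISEPACK
asmith@fabrikam.com,Anne Smith,Anne,Smith,BE,fabrikam:ENTERPRISEPACK
'@ | ConvertFrom-Csv

foreach ($u in $users) {
    # Skip accounts that already exist rather than erroring halfway through the file
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "$($u.UserPrincipalName) already exists, skipping"
        continue
    }

    # UsageLocation is required before a license can be assigned.
    # No -Password is given, so the service generates a random temporary password
    # and returns it in the Password property; -ForceChangePassword makes the user
    # replace it at first sign-in.
    $new = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -DisplayName $u.DisplayName -FirstName $u.FirstName -LastName $u.LastName `
        -UsageLocation $u.UsageLocation -LicenseAssignment $u.LicenseSku `
        -ForceChangePassword $true

    [pscustomobject]@{ UPN = $new.UserPrincipalName; TempPassword = $new.Password }
}
```

Hand the temporary passwords to the users out of band; they are cloud-mastered credentials governed by the cloud password policy, separate from anything in on-prem AD.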
14. Directory Synchronization
Synchronize users from on-prem to online
User management is done on-prem
Password synchronization
– Synchronize passwords from on-prem to online
Users have 1 set of credentials across on-prem and online
– But 2 accounts
16. DirSync: Preparation
Synchronization computer
– Windows Server 2008 R2 SP1 or Windows Server 2012 (R2)
– Domain-joined
– Prerequisite software:
.Net Framework 3.5 SP1 and 4.0
PowerShell
DC Requirements:
– Forest functional level:
Windows Server 2003 or higher
– Domain Controllers:
Windows Server 2003 SP1 or higher
17. DirSync: Preparation
To install DirSync, you need the following permissions:
– Administrator of the DirSync server
– Administrator of the local AD environment (Enterprise Admin during setup)
– Administrator of the cloud service
DirSync setup creates a service account
– MSOL_AD_SYNC
– Created in the Users container
– Reads from local AD
– Writes to Windows Azure AD
– Do not move or remove this account!
Treat the DirSync server as a tier-0 system: it holds credentials that can write to your whole tenant directory, and its service account can read every synchronized attribute from AD.
18. DirSync: Preparation
Initial synchronization
– All AD objects are copied to WAAD
– Maximum 50,000 objects by default
If you have more, contact support before the first sync
DirSync requires SQL
– SQL Express (installed by default)
Up to 50,000 objects
– Full SQL Server
More than 50,000 objects
19. DirSync: Preparation
UPN requirements
– Every user must have a UPN
– The UPN suffix must match a domain that is verified in the cloud; a non-routable suffix such as .local cannot be verified
Make sure AD contains the correct UPN suffix before the first sync
– Check the UPN in the cloud after synchronization
– Users must use their UPN to log on to cloud services
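As an added example (not part of the original slides), the checks from the preparation slides above, the forest/DC requirements, the 50,000 object limit and the UPN requirements, collected into one readiness script. It runs on a domain-joined machine with the ActiveDirectory (RSAT) module; the verified domain list and the suffix names are assumptions for illustration, and in a real tenant the verified domains come from Get-MsolDomain -Status Verified.

```powershell
# Added example, not from the original slides: DirSync readiness check.
Import-Module ActiveDirectory

$verifiedDomains   = @('fabrikam.com')   # assumption: domains verified in the tenant
$nonRoutableSuffix = 'fabrikam.local'    # assumption: the forest's default UPN suffix

# 1. Forest and DC requirements: forest mode 2003 or higher, DCs 2003 SP1 or higher
$forest = Get-ADForest
Write-Host "Forest functional level: $($forest.ForestMode)"
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemServicePack |
    Format-Table -AutoSize

# 2. Rough object count against the default 50,000 limit. The initial sync copies
#    users, contacts and groups; objectCategory=person covers users and contacts.
$count = @(Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group))').Count
if ($count -gt 50000) {
    Write-Warning "$count objects: contact support to raise the limit and plan for full SQL Server"
} else {
    Write-Host "$count objects: within the SQL Express limit"
}

# 3. UPN requirements: every enabled user needs a UPN whose suffix is a verified domain
$badUpn = Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object {
        -not $_.UserPrincipalName -or
        ($verifiedDomains -notcontains $_.UserPrincipalName.Split('@')[1])
    }
$badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 4. Remediation for the common case of a non-routable default suffix: register the
#    routable suffix in the forest, then rewrite the affected UPNs. Remove -WhatIf to
#    apply; changing a UPN changes the name the user logs on with.
$routable = $verifiedDomains[0]
if ($forest.UPNSuffixes -notcontains $routable -and $forest.RootDomain -ne $routable) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $routable} -WhatIf
}
$badUpn | Where-Object { $_.UserPrincipalName -like "*@$nonRoutableSuffix" } |
    ForEach-Object {
        $newUpn = $_.UserPrincipalName -replace "@$([regex]::Escape($nonRoutableSuffix))$", "@$routable"
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }
```

Users left in the report after remediation (no UPN at all, or a suffix you do not own) will still sync, but they get an onmicrosoft.com UPN in the cloud and cannot sign in with the name they use on-prem.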
21. DirSync: Configure
Start the DirSync Configuration wizard
– Specify Windows Azure AD credentials
– Specify AD credentials
– Enable hybrid deployment (only if required, for Exchange hybrid write-back)
Gives the DirSync service account limited write permission to on-prem AD
22. DirSync: Password Sync
Password synchronization
– Feature of the Sync Tool
– Synchronizes on-prem passwords to WAAD
– Users can use the same password in the cloud and on-prem
– No SSO
Extracts the password hash from AD (the cleartext password never leaves AD)
– Overwrites the cloud password
– Initial DirSync synchronizes all passwords
– User changes on-prem password
• Tool detects the change and synchronizes it (within minutes)
23. DirSync: Password Sync
Password complexity policy
– On-prem policies override cloud policies for synchronized users
Password expiration policy
– Cloud user password is set to “Never Expire”
27. Federated IDs + DirSync
Active Directory Federation Services
28. Federated Identities
Across on-prem and cloud services
– Single identity
– Single sign-on
User management happens on-prem
On-prem AD used to:
– Sign in
– Authenticate
Requires the following services
– Directory synchronization
– Federation Service
29. Identity Federation
[Diagram: claims-based federation between two organizations. Fabrikam.com (identity provider: AD with a DC and an STS) and Contoso.com (relying party: AD, DC and a web server at https://web.contoso.com with its own STS) are linked by a federation trust. The STS can be AD FS, Shibboleth or Azure ACS, backed by an identity store such as AD, Unix, Live ID, Google ID or Facebook. After home realm discovery, the user signs in at Fabrikam, the Fabrikam STS issues a SAML security token (ST) with claims such as Name = Els, Email = Els@Fabrikam.com, Age = 38, and that token is exchanged at the Contoso STS and presented to the web application; the diagram numbers the steps 1 to 10.]
30. Identity Federation with Azure
[Diagram: on-premises domain (Active Directory, AD FS) and Windows Azure platform (MS Federation Gateway, Exchange Online). AD FS issues a logon (SAML 1.1) token containing UPN: user@contoso.com and Source User ID: ABC123 to the Microsoft Federation Gateway; the gateway in turn issues an auth token containing UPN: user@contoso.com and Unique ID: 254729 to Exchange Online.]
31. AD FS Deployment Options
Single server configuration
AD FS server farm and load-balancer
AD FS proxy server or UAG/TMG (External Users, Active Sync, Outlook)
[Diagram: internal users authenticate directly against the AD FS servers on the internal network, which query Active Directory; external users reach AD FS proxies in the perimeter network, which forward requests to the internal AD FS servers.]
32. Federation: AD FS
Requirements:
– Windows Server 2008 (R2) – 2012 (R2)
– ADFS 2.0 (download for 2008/R2), 2.1 (2012 role) or 3.0 (2012 R2 role)
– Public domain name, verified in the tenant
– SSL certificate from a public CA, with a subject name matching the federation service name
– MS Online Services Module for PS
– MS Online Sign-In Assistant
33. Federation: AD FS
• Install ADFS
– WS2012 (R2): Add roles and features
– WS2008: Download and install ADFS
34. Federation: AD FS
Run ADFS Configuration Wizard
– Create new Federation Service
• Federation farm
• Stand-alone server
– Select SSL certificate
• ADFS certificate
• Federation service name: adfs.fabrikam.com
– Create a host record for the federation service in DNS
35. Federation: AD FS
Install MS Online Sign-In Assistant
Install MS Online Services Module for PS
Configure trust with Microsoft Online Services
– PowerShell (run on the AD FS server, or point the module at it first with Set-MsolADFSContext)
• Connect-MsolService -Credential $cred
• Convert-MsolDomainToFederated -DomainName fabrikam.com
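As an added example (not part of the original slides), the two cmdlets above followed by a verification that Azure AD's view of the federation matches the local AD FS configuration; a mismatch between the token-signing certificate AD FS uses and the one the cloud trusts means every federated sign-in for the domain fails. It assumes it runs on the AD FS server with the AD FS cmdlets available and that fabrikam.com is already a verified domain in the tenant.

```powershell
# Added example, not from the original slides: establish the federation trust and
# verify it against the local AD FS configuration.
Import-Module MSOnline
$cred = Get-Credential                 # a cloud global administrator
Connect-MsolService -Credential $cred

# Not needed when running on the AD FS server itself; from another machine,
# point the MSOnline module at the federation server first:
# Set-MsolADFSContext -Computer adfs.fabrikam.com

Convert-MsolDomainToFederated -DomainName fabrikam.com

# --- verification ---
# AD FS 2.0 on 2008/R2 exposes its cmdlets through a snap-in; 2012+ through the ADFS module
if (-not (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$fed   = Get-MsolDomainFederationSettings -DomainName fabrikam.com
$bytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

# The primary token-signing certificate AD FS currently signs with
$localCert = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# Convert-MsolDomainToFederated also creates this relying party trust in AD FS
$rp = Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'

[pscustomobject]@{
    Authentication     = (Get-MsolDomain -DomainName fabrikam.com).Authentication   # expect Federated
    IssuerUri          = $fed.IssuerUri
    PassiveLogOnUri    = $fed.PassiveLogOnUri        # expect https://adfs.fabrikam.com/adfs/ls/
    CloudSigningThumb  = $cloudCert.Thumbprint
    LocalSigningThumb  = $localCert.Thumbprint
    SigningCertMatches = ($cloudCert.Thumbprint -eq $localCert.Thumbprint)
    RelyingPartyOk     = ($rp -ne $null -and $rp.Enabled)
}
```

SigningCertMatches must stay true over time: when AD FS rolls over its token-signing certificate, the cloud keeps trusting the old one until you run Update-MsolFederatedDomain -DomainName fabrikam.com, so schedule that check ahead of every rollover.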
36. Federation: Test
• Create account in local AD
– UPN must be your domain name (fabrikam.com)
• Synchronize account to Azure AD
– Add application licenses
• Prepare client PC
– Install Sign-In Assistant
– Add the ADFS URL to the Intranet zone in IE, so that Integrated Windows Authentication is used and the user is not prompted for credentials
• Sign in to client pc as test user
– Browse to https://portal.microsoftonline.com
– Enter username (user@fabrikam.com)
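As an added example (not part of the original slides), a pre-flight check of the test account and the client before attempting the browser sign-in: it confirms the account exists on both sides, that the cloud account's ImmutableId matches the AD objectGUID that the AD FS token will carry as Source User ID, that the domain is federated, that the federation service resolves and answers on 443, and, on the client PC, that the ADFS host is in IE's Intranet zone. The user and host names are assumptions for illustration; it needs the ActiveDirectory and MSOnline modules on an admin workstation.

```powershell
# Added example, not from the original slides: federation test-user readiness check.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

$upn    = 'testuser@fabrikam.com'    # assumption: the test account created in local AD
$fsName = 'adfs.fabrikam.com'        # assumption: the federation service name
$domain = $upn.Split('@')[1]

$adUser    = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
$cloudUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue

# DirSync writes the base64 objectGUID as the cloud ImmutableId; the AD FS claim rules
# issue the same value as Source User ID, and the cloud maps the token to the account by it
$expectedImmutableId = if ($adUser) { [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray()) }

# Plain TCP check on 443 (no module dependencies); a stale DNS record or missing
# host entry shows up here before the browser test does
$adfsReachable = $false
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($fsName, 443)
    $adfsReachable = $tcp.Connected
    $tcp.Close()
} catch { }

# IE zone map: <domain>\<host> key with a DWORD named after the scheme, 1 = Local intranet.
# Checked per user and per machine; a GPO can also place it under the Policies hive.
$hostLabel  = $fsName.Split('.')[0]
$zoneDomain = $fsName.Substring($hostLabel.Length + 1)
$inIntranetZone = $false
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$zoneDomain\$hostLabel"
    $v = (Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue).https
    if ($v -eq 1) { $inIntranetZone = $true }
}

[pscustomobject]@{
    InAD             = [bool]$adUser
    SyncedToCloud    = [bool]$cloudUser
    LastDirSync      = if ($cloudUser) { $cloudUser.LastDirSyncTime }
    ImmutableIdMatch = ($cloudUser -and $cloudUser.ImmutableId -eq $expectedImmutableId)
    Licensed         = ($cloudUser -and $cloudUser.Licenses.Count -gt 0)
    DomainAuth       = (Get-MsolDomain -DomainName $domain).Authentication   # expect Federated
    AdfsReachable    = $adfsReachable
    IeIntranetZone   = $inIntranetZone
}
```

If ImmutableIdMatch is false the sign-in will reach AD FS and come back with a valid token that the cloud cannot map to any account; if IeIntranetZone is false the sign-in still works but IE prompts for credentials instead of using the desktop logon.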