
Agenda

This article provides an overview of the synchronization and federation options available when syncing Active Directory (AD) with Windows Azure AD (AAD). It covers different identity formats, integration methods, and recommended options for various organizational sizes and scenarios.


Presentation Transcript


  1. Agenda: AD to Windows Azure AD Sync Options; Federation Architecture; AD to AAD Quick Start. By Sachin Shetty

  2. AD to AAD Sync Options. By Sachin Shetty

  3. Identities for Microsoft Cloud Services
     • Personal Services: Live ID / Microsoft Account. Examples: Sachin@outlook.com, sachin@live.com
     • Organizational Services: OrgID / Organizational Account / OnMicrosoft Account (Azure AD Account). Examples: Sachin@contoso.com, sachin@contoso.onmicrosoft.com

  4. Cloud-Only / No Integration [diagram: integration levels No Integration / Directory Synchronization / Directory and Federated SSO; Windows Azure Active Directory authentication and provisioning platform serving Office 365, Dynamics CRM Online and Windows Intune, managed through Admin Portal / PowerShell / Graph; Contoso customer premises with AD directory store and a corporate app, each with its own IdP; cloud-only account Joe@contoso.msonline.com versus on-premises shetty@contoso.com]

  5. Directory Synchronization [diagram: integration levels No Integration / Directory Synchronization / Directory and Single sign-on (SSO); Windows Azure Active Directory authentication and provisioning platform serving Office 365, Dynamics CRM Online and Windows Intune, managed through Admin Portal / PowerShell / Graph; Contoso customer premises with AD and a corporate app, each with its own IdP; Directory Sync (DirSync) pushes the on-premises AD into the cloud directory store]

  6. Directory Synchronization Options
     DirSync
     • Suitable for organizations using Active Directory (AD)
     • Supports Exchange co-existence scenarios
     • Coupled with AD FS, provides the best option for federation and synchronization
     • Does not require any additional software licenses
     • Multi-forest available through MCS + Partners
     Forefront Identity Manager (FIM) Office 365 Connector
     • Suitable for all organizations; supports Exchange co-existence scenarios
     • Suitable for large organizations with certain AD and non-AD scenarios
     • Complex multi-forest AD scenarios
     • Non-AD synchronization through Microsoft Premier deployment support
     • Requires Forefront Identity Manager and additional software licenses
     PowerShell & Graph API
     • Suitable for small/medium size organizations with AD or non-AD
     • Not a highly recommended option compared to DirSync or the FIM Connector
     • Performance limitations apply with PowerShell and Graph API provisioning
     • PowerShell requires extensive scripting experience
     • The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)
     • As this is a custom solution, Microsoft support may not be able to help if there are issues

  7. Directory and Federated SSO [diagram: integration levels No Integration / Directory Synchronization / Directory and Federated SSO; Windows Azure Active Directory authentication and provisioning platform serving Office 365, Dynamics CRM Online and Windows Intune, managed through Admin Portal / PowerShell / Graph; Contoso customer premises with AD, a corporate app and Active Directory Federation Server 2.0 as IdP, with a trust to Windows Azure AD; Directory Sync (DirSync) feeds the cloud directory store]

  8. Federation options
     AD FS (works with AD)
     • Suitable for medium and large enterprises, including educational organizations
     • Recommended option for Active Directory (AD) based customers
     • Single sign-on
     • Secure token-based authentication
     • Support for web and rich clients
     • Microsoft supported
     • Requires on-premises servers, licenses & support
     Third-party STS (works with AD & non-AD)
     • Suitable for medium and large enterprises, including educational organizations
     • Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
     • Single sign-on
     • Secure token-based authentication
     • Support for web and rich clients
     • Third-party supported
     • Requires on-premises servers, licenses & support
     Shibboleth (works with AD & non-AD)
     • Suitable for educational organizations
     • Recommended where customers may use existing non-AD FS identity systems
     • Single sign-on
     • Secure token-based authentication
     • Support for web clients and Outlook only
     • Microsoft supported for integration only; no Shibboleth deployment support
     • Requires on-premises servers & support
     • Works with AD and other directories on-premises

  9. Identity Options Comparison
     (1) No Integration
     • Appropriate for: smaller orgs without AD on-premise
     • Pros: no servers required on-premise; same domain name for users possible
     • Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; IDs mastered in the cloud
     (2) Directory Only
     • Pros: users and groups mastered on-premise; enables co-existence; single server deployment
     • Cons: no 2FA until Spring 2013; 2 sets of credentials to manage with differing password policies OR manual / 3rd-party password sync OR use FIM; no SSO
     (3) Directory and SSO
     • Pros: SSO with corporate credentials; IDs mastered on-premise; password policy controlled on-premise; 2FA solutions possible; enables hybrid scenarios; location isolation; ideal for multiple forests
     • Cons: additional servers required for AD FS

  10. Accounts in Windows Azure AD Demo

  11. Federation Architecture

  12. Federated Architecture [diagram: Windows Azure AD reached over the Internet; on CorpNet, Active Directory with AD FS + DirSync on Server1 and an AD FS Proxy on Server2]

  13. AD FS Scalability Planning http://technet.microsoft.com/en-us/library/jj151794.aspx

  14. Federated Architecture on Windows Azure! [diagram: a Windows Azure subscription, joined to CorpNet by VPN, hosts the AD FS Proxy and the AD FS + AD + DirSync server; Windows Azure AD is reached over the Internet]

  15. Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

  16. Quickstart Guide Architecture [diagram: two Windows Server 2012 machines against Windows Azure AD: Server1 runs Active Directory with AD FS + DirSync, Server2 runs the AD FS Proxy]

  17. AD to AAD Quickstart Steps
     • Add Domain to Windows Azure AD [Windows Azure from Server1]
     • Activate DirSync [Windows Azure from Server1]
     • Install AD FS Server Role [Server1]
     • Configure AD FS Server [Server1]
     • Install AD FS Proxy (optional) [Server2]
     • Configure AD FS Proxy (optional) [Server2]
     • Configure Inbound SSL Access [Server2]
     • Configure AD Federation Support [Server1]
     • Install & Configure DirSync [Server1]
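The Windows Azure side of the steps above (add domain, activate DirSync, configure AD federation support), as an added example that is not from the deck or Microsoft's Quickstart script. It assumes the Sign-in Assistant and the MSOnline PowerShell module are installed on Server1 and the AD FS role is already configured; the domain name and server name are placeholders.

```powershell
# Added example (not from the original deck or the Quickstart script).
# Drives the tenant-side Quickstart steps from Server1 with the MSOnline module,
# refusing to federate until the domain is actually verified, then reports the
# state worth checking afterwards (authentication type, trust properties, sync).
param(
    [string]$DomainName = 'contoso.example',   # placeholder: public DNS domain to add
    [string]$AdfsServer = 'Server1'            # placeholder: AD FS server (slide 16)
)
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Windows Azure AD global admin')

# Step 1: Add Domain. The initial *.onmicrosoft.com domain is never federated.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
if (-not $domain) {
    New-MsolDomain -Name $DomainName | Out-Null
    $domain = Get-MsolDomain -DomainName $DomainName
}
if ($domain.Status -ne 'Verified') {
    # Ownership proof: this TXT record must exist in public DNS before confirming.
    Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord | Format-List
    try { Confirm-MsolDomain -DomainName $DomainName -ErrorAction Stop }
    catch { Write-Warning "Domain not verified yet; stopping before federation. $_"; return }
}

# Step 2: Activate DirSync at the tenant (the DirSync tool itself is installed in step 9).
Set-MsolDirSyncEnabled -EnableDirSync $true -Force

# Step 8: Configure AD Federation Support. From here on Windows Azure AD accepts tokens
# signed by this AD FS farm for $DomainName, so treat the change as a trust boundary change.
Set-MsolADFSContext -Computer $AdfsServer
Convert-MsolDomainToFederated -DomainName $DomainName

# Verification: the domain must now be Federated, the AD FS and Windows Azure AD sides
# of the trust should agree, and the tenant should report DirSync enabled.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') { throw "Federation did not take effect for $DomainName" }
Get-MsolFederationProperty -DomainName $DomainName | Format-List
$company = Get-MsolCompanyInformation
"DirSync enabled: $($company.DirectorySynchronizationEnabled); last sync: $($company.LastDirSyncTime)"
```

Until DirSync has run (step 9), LastDirSyncTime is empty, matching the "Activated, not synced" state on slide 19.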

  18. Demo: Pre-requisites & Initial Setup; Install and Configure a new AD FS farm

  19. What we’ve built so far [diagram: Windows Azure subscription joined to CorpNet by VPN; Windows Azure AD; Active Directory with AD + AD FS]
     • DirSync – Activated, not synced
     • Domain Name – Added, not verified

  20. Configure Inbound SSL Access [diagram: Windows Azure subscription for domain Christianboarders.com, joined to CorpNet by VPN; Windows Azure AD; Active Directory with AD + AD FS; inbound SSL from the Internet arrives at 157.56.167.107 / mycloudservice.cloudapp.net]

  21. Install DirSync on WS 2012 • [On Server1]

      # Excerpt from the Quickstart script: download the DirSync installer next to the
      # running script and run it unattended. Write-QSTitle, Write-QSError and
      # Require-QSDownloadableFile are helper functions defined by the Quickstart script.
      Write-QSTitle 'Download, install, and configure the DirSync tool'
      $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
      # Require-QSDownloadableFile fetches the file from the URL if it is not already present
      # and returns $false on failure.
      if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
          Write-QSError 'DirSync download failed.'
          return
      }
      Write-Host 'Running DirSync installer...'
      # /quiet runs the installer without UI; -Wait blocks until it exits.
      Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

      Note: SQL 2008 R2 Express is not officially supported on WS 2012. SP1 is supported, but see http://support.microsoft.com/kb/2681562

  22. Final Configuration [diagram: Windows Azure subscription joined to CorpNet by VPN hosts the AD FS Proxy and AD FS + AD with DirSync; Windows Azure AD reached over the Internet]
     • DirSync – Activated + synced
     • Domain Name – Added + verified

  23. Actual Times Taken [timing table]
     * Includes auto-install of .NET Framework tools
     ** Includes using a self-signed certificate & auto-install of RSAT-DNS tools
     *** Includes install of Sign-in Assistant & PS Module for MS Online
     **** Used a single-core VM for comparison vs the AD FS server VM with 6 cores

  24. Thank you
