This article provides an overview of the synchronization and federation options available when syncing Active Directory (AD) with Windows Azure AD (AAD). It covers different identity formats, integration methods, and recommended options for various organizational sizes and scenarios.
AD to Windows Azure AD Sync Options
By Sachin Shetty

Agenda
• AD to Windows Azure AD Sync Options
• Federation Architecture
• AD to AAD Quick Start
Identities for Microsoft Cloud Services

Personal Services: Live ID / Microsoft Account
• Examples: Sachin@outlook.com, sachin@live.com

Organizational Services: OrgID / Organizational Account / OnMicrosoft Account (Azure AD Account)
• Examples: Sachin@contoso.com, sachin@contoso.onmicrosoft.com
Cloud-Only / No Integration
[Diagram: Windows Azure Active Directory (authentication platform, provisioning platform, directory store, IdP, Admin Portal / PowerShell / Graph) serving Office 365, Dynamics CRM Online and Windows Intune; Contoso customer premises with AD, a corp app and its own IdP, but no link to the cloud directory. Cloud user example: Joe@contoso.msonline.com; on-premises user example: shetty@contoso.com.]
Directory Synchronization
[Diagram: same layout as the previous slide, with Directory Sync (DirSync) provisioning objects from on-premises AD into the Windows Azure Active Directory directory store. Authentication still happens against the cloud IdP, so there is no single sign-on (SSO).]
Directory Synchronization Options

DirSync
• Suitable for organizations using Active Directory (AD)
• Supports Exchange co-existence scenarios
• Coupled with AD FS, provides the best option for federation and synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS + partners

Forefront Identity Manager (FIM) Office 365 Connector
• Suitable for all organizations
• Supports Exchange co-existence scenarios
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft premier deployment support
• Requires Forefront Identity Manager and additional software licenses

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Not a highly recommended option compared to DirSync or the FIM connector
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience
• The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues
Directory and Federated SSO
[Diagram: same layout as the previous slide, plus a federation trust between Windows Azure Active Directory and an on-premises Active Directory Federation Server 2.0. DirSync still provisions users from AD into the directory store; authentication is redirected to the on-premises AD FS IdP, giving SSO for Office 365, Dynamics CRM Online and Windows Intune.]
Federation Options

AD FS (works with AD)
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Requires on-premises servers, licenses & support

Third-party STS (works with AD & non-AD)
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• Requires on-premises servers, licenses & support

Shibboleth (works with AD & non-AD)
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only; no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
Identity Options Comparison

1. No Integration
• Appropriate for: smaller orgs without AD on-premise
• Pros
  • No servers required on-premise
  • Same domain name for users possible
• Cons
  • No SSO
  • No 2FA
  • 2 sets of credentials to manage, with differing password policies
  • IDs mastered in the cloud

2. Directory Only
• Pros
  • Users and groups mastered on-premise
  • Enables co-existence
  • Single server deployment
• Cons
  • No 2FA until Spring 2013
  • 2 sets of credentials to manage with differing password policies, OR manual / 3rd-party password sync, OR use FIM
  • No SSO

3. Directory and SSO
• Pros
  • SSO with corporate credentials
  • IDs mastered on-premise
  • Password policy controlled on-premise
  • 2FA solutions possible
  • Enables hybrid scenarios
  • Location isolation
  • Ideal for multiple forests
• Cons
  • Additional servers required for AD FS
Federated Architecture
[Diagram: Windows Azure AD in the cloud; on CorpNet, Active Directory and Server1 running AD FS + DirSync; Server2 running the AD FS Proxy, exposed to the Internet.]
AD FS Scalability Planning http://technet.microsoft.com/en-us/library/jj151794.aspx
Federated Architecture on Windows Azure!
[Diagram: a Windows Azure subscription connected to CorpNet over VPN, hosting AD, AD FS and DirSync; the AD FS Proxy faces the Internet; Windows Azure AD is federated with the AD FS farm.]
Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD
Quickstart Guide Architecture
[Diagram: two Windows Server 2012 machines. Server1: Active Directory, AD FS and DirSync. Server2: AD FS Proxy. Both federate with Windows Azure AD.]
AD to AAD Quickstart Steps
• Add Domain to Windows Azure AD [Windows Azure, from Server1]
• Activate DirSync [Windows Azure, from Server1]
• Install AD FS Server Role [Server1]
• Configure AD FS Server [Server1]
• Install AD FS Proxy (optional) [Server2]
• Configure AD FS Proxy (optional) [Server2]
• Configure Inbound SSL Access [Server2]
• Configure AD Federation Support [Server1]
• Install & Configure DirSync [Server1]
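The Windows Azure AD side of those steps (add the domain, activate DirSync, convert the domain to federated, verify the result) can be driven from Server1 with the MSOnline PowerShell module. The script below is an added example written for this page, not the deck's quick-start script: it assumes the Sign-in Assistant and the MSOnline module are installed on Server1, that the AD FS role is already configured there, and uses contoso.com and server1.contoso.local as placeholder names.

```powershell
# Added example (not the quick-start script from the slides).
# Assumes: MSOnline module + Sign-in Assistant installed on Server1, AD FS already configured.
Import-Module MSOnline

$domain   = 'contoso.com'           # placeholder: the public domain being federated
$adfsHost = 'server1.contoso.local' # placeholder: internal FQDN of the AD FS server

# Prompts for the tenant's global administrator credentials.
Connect-MsolService

# Step 1: add the domain to Windows Azure AD (as Managed first; it is converted to
# Federated once ownership is proven) and print the DNS TXT record needed to verify it.
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain -Authentication Managed | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord

# Once the TXT record is published in public DNS, confirm ownership.
# Confirm-MsolDomain -DomainName $domain

# Step 2: activate directory synchronization for the tenant and read the flag back.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled

# Step 8 (Configure AD Federation Support): point the module at the AD FS server and
# convert the (verified) domain to Federated. This writes the Office 365 relying-party
# trust into AD FS and the federation metadata (issuer, signing cert, endpoints) into AAD.
Set-MsolADFSContext -Computer $adfsHost
Convert-MsolDomainToFederated -DomainName $domain

# Verify: the domain should report Status=Verified / Authentication=Federated, and
# Get-MsolFederationProperty shows the AD FS and cloud settings side by side so that a
# mismatch (e.g. a rotated token-signing certificate) is visible before users notice.
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
Get-MsolFederationProperty -DomainName $domain
```

The final Get-MsolFederationProperty call is worth keeping as a routine check: the token-signing certificate it lists is what Windows Azure AD trusts for every user in the domain, so it should match what AD FS currently uses and should be reviewed whenever the farm's certificates are rolled.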
Demo: Pre-requisites & Initial Setup; Install and Configure a new AD FS farm
What we've built so far
[Diagram: Windows Azure subscription with VPN to CorpNet, AD + AD FS installed.]
• DirSync: activated, not synced
• Domain name: added, not verified
Configure Inbound SSL Access
[Diagram: Windows Azure subscription with VPN to CorpNet, AD + AD FS; inbound SSL from the Internet reaches the cloud service endpoint mycloudservice.cloudapp.net at 157.56.167.107. Domain: Christianboarders.com.]
Install DirSync on WS 2012 [On Server1]

    # Excerpt from the quick-start script. Write-QSTitle, Require-QSDownloadableFile and
    # Write-QSError are that script's own helper functions, not built-in cmdlets.
    Write-QSTitle 'Download, install, and configure the DirSync tool'
    $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
    # Download DirSync.exe next to the running script; abort if the download fails.
    if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
        Write-QSError 'DirSync download failed.'
        return
    }
    Write-Host 'Running DirSync installer...'
    # Silent install; wait for the installer process to finish before continuing.
    Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

Note: SQL 2008 R2 Express is not officially supported on WS 2012. SP1 is supported, but see http://support.microsoft.com/kb/2681562
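The snippet above fetches DirSync.exe over plain HTTP and runs it silently, so the only thing standing between a tampered download and a silent install on a domain-joined server is a check that the binary is really Microsoft's. The following is an added example, not part of the quick-start script: it performs the same download-and-install step but gates Start-Process on a valid Authenticode signature from the expected publisher, and records the file hash for the install log. The URL is the one from the slide; the temp path and the publisher subject prefix are assumptions to adjust for your environment. The hash is computed with .NET so that it also works on the PowerShell 3.0 that ships with WS 2012 (Get-FileHash only arrived in 4.0).

```powershell
# Added example (not the quick-start script). Assumptions: download to %TEMP%, and the
# installer is signed with a certificate whose Subject starts with CN=Microsoft Corporation.
$DirSyncUrl      = 'http://g.microsoftonline.com/0BX10en/571'
$DirSyncFilename = Join-Path $env:TEMP 'DirSync.exe'
$ExpectedSubject = 'CN=Microsoft Corporation,'   # assumption: verify against the real signer

# Same plain-HTTP download as the slide; that is exactly why the signature check below matters.
Invoke-WebRequest -Uri $DirSyncUrl -OutFile $DirSyncFilename

# 1. The signature must be cryptographically valid and chain to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $DirSyncFilename
if ($sig.Status -ne 'Valid') {
    Write-Error ("DirSync.exe signature status is '{0}'; not installing." -f $sig.Status)
    return
}

# 2. A valid signature from the wrong publisher is still the wrong binary.
if ($sig.SignerCertificate.Subject -notlike "$ExpectedSubject*") {
    Write-Error ("DirSync.exe is signed by '{0}', not the expected publisher; not installing." -f `
                 $sig.SignerCertificate.Subject)
    return
}

# 3. Record a SHA-256 of what was actually executed, computed via .NET (PowerShell 3.0 compatible).
$sha256    = [System.Security.Cryptography.SHA256]::Create()
$hashBytes = $sha256.ComputeHash([System.IO.File]::ReadAllBytes($DirSyncFilename))
$hashHex   = ([System.BitConverter]::ToString($hashBytes)) -replace '-', ''
Write-Host ("Installing {0} (SHA256 {1}) signed by {2}" -f $DirSyncFilename, $hashHex, `
            $sig.SignerCertificate.Subject)

# Only now run the silent installer, exactly as the quick-start script does.
Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait
```

Keep the printed hash and signer in the deployment log; if the same installer is rolled out to several servers, a hash that differs between them is the first sign that one download was not what it should have been.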
Final Configuration
[Diagram: Windows Azure subscription with VPN to CorpNet; AD, AD FS and DirSync installed; AD FS Proxy facing the Internet; Windows Azure AD federated.]
• DirSync: activated + synced
• Domain name: added + verified
Actual Times Taken
(Timing figures were not captured from the slide; only its footnotes survive.)
* Includes auto-install of .NET Framework tools
** Includes using a self-signed certificate & auto-install of RSAT-DNS tools
*** Includes install of the Sign-in Assistant & PowerShell module for MS Online
**** Used a single-core VM for comparison vs. the AD FS server VM with 6 cores