
Directory Integration: Creating One Directory with Active Directory and Azure Active Directory

Andreas Kjellman, Samuel Devasahayam

EM-B316

Agenda
• Introducing hybrid identity
• Azure AD Connect installation
• More about sync
• More about sign-in
• Looking ahead
• Q&A

Hybrid Identity: Azure AD Connect

Providing Users with a Common Identity

IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Azure Active Directory.

Users are more productive by having a single sign-on to all their resources.

Users get access through accounts in Azure Active Directory to Azure, Office 365, and third-party applications.

Developers can build applications that leverage the common identity model.

Hybrid identity components (diagram)

On-premises: Active Directory (AD DS), FIM/MIM Sync, LOB apps
Identity bridge: Azure AD Connect (Sync, Sign-In)
Cloud: Microsoft Azure Active Directory; Office 365 and SaaS providers (Salesforce, Box, Dropbox, Google, Concur, ...); your apps

Making Hybrid Identity Simple - Today

Questions customers ask:
• What tool do I use? Is it DirSync, AADSync?
• OMG! The number of documents that I have to read before I do anything?
• I use MMSSPP in my dedicated environment. Will I continue to use it?
• Can I use password sync or should I be using ADFS?
• How many ADFS servers do I need? I'm moving to the cloud to remove my on-premises needs and I have to deploy more servers???
• I'm using FIM. What do I do? I need to onboard to Office 365.
• Setting up ADFS for SSO is very hard!
• I have multiple forests. What do I do?

Making Hybrid Identity Simple

Azure AD Connect (CY15 Q1)

Express Settings
• Recommended path for single forests
• 4 clicks to get onboarded to Azure AD/Office 365
• Smallest on-premises footprint
• Simple sign-on with the same password as AD

Azure AD Connect installation: Express Settings

Making Hybrid Identity Simple

Azure AD Connect (CY15 Q1)

Custom Settings
• Multiple forests
• Choose your sign-in option
• Attribute filtering
• Configure Alternate ID and Immutable ID

Azure AD Connect installation: Custom Settings

Common multi-forest topologies
• Separate forests: each object in every forest will be represented in Azure AD.
• Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
• Account-resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts. Joined on objectSID and msExchMasterAccountSID.

Before you get started

What to do before you start the install
• IdFix: make sure your data is (reasonably) clean before you start to synchronize.
• Domain verification: prove you own the domain. Otherwise userPrincipalName will not be correct (an unverified UPN suffix is replaced by the tenant's default onmicrosoft.com domain in Azure AD).
• Office 365 subscription vs Azure subscription: a $0 Azure subscription is used to access manage.windowsazure.com with an existing Office 365 subscription: https://account.windowsazure.com/PremiumOffer/Index?offer=MS-AZR-0110P&whr=azure.com

Design decisions
• Alternate login ID
• Immutable ID
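The pre-installation data checks above (clean data before the first sync, a verified UPN suffix, and the duplicate UPN/proxyAddresses problem that the quarantine feature in the "Looking ahead" section addresses), as an added example that is not part of the session and is not the IdFix tool: a PowerShell pass over on-premises AD that reports the findings a sync would trip over. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the $VerifiedDomains list and the character set are constructed placeholders (in practice take the verified domains from Get-MsolDomain).

```powershell
# Added example, not from the session deck or from the IdFix tool: a pre-sync
# data check run against on-premises AD before the first synchronization.
# Assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.
Import-Module ActiveDirectory

# Assumption: domains already verified in the Azure AD tenant (in practice take
# this from Get-MsolDomain | Where-Object Status -eq 'Verified').
$VerifiedDomains = @('contoso.com', 'fabrikam.com')

# Subset of characters Azure AD rejects in userPrincipalName / mail values.
$IllegalChars = '[\s\\/\[\]:;|=,+?*<>"]'

function Add-Finding($list, $who, $issue, $value) {
    $list.Add([pscustomobject]@{ Account = $who; Issue = $issue; Value = $value })
}
function Add-Key($table, $key, $value) {
    if (-not $table.ContainsKey($key)) {
        $table[$key] = New-Object System.Collections.Generic.List[string]
    }
    $table[$key].Add($value)
}

$findings = New-Object System.Collections.Generic.List[object]
$byUpn    = @{}
$byProxy  = @{}

# Only enabled users are candidates; the default rules skip disabled accounts
# in the account forest anyway.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName, mail, proxyAddresses

foreach ($u in $users) {
    $upn = $u.userPrincipalName
    if (-not $upn) {
        Add-Finding $findings $u.SamAccountName 'Missing UPN' ''
    } else {
        # An unverified suffix is replaced by tenant.onmicrosoft.com in the cloud,
        # which breaks home realm discovery for federated sign-in.
        $suffix = ($upn -split '@')[-1]
        if ($suffix -notin $VerifiedDomains) {
            Add-Finding $findings $u.SamAccountName 'UPN suffix not verified' $upn
        }
        Add-Key $byUpn $upn.ToLower() $u.SamAccountName
    }
    foreach ($attr in 'userPrincipalName', 'mail') {
        if ($u.$attr -and $u.$attr -match $IllegalChars) {
            Add-Finding $findings $u.SamAccountName "Illegal character in $attr" $u.$attr
        }
    }
    foreach ($pa in @($u.proxyAddresses)) {
        # proxyAddresses carry a type prefix (SMTP:, smtp:, x500:); duplicates
        # are detected on the address part, case-insensitively.
        $addr = ($pa -replace '^[^:]+:', '').ToLower()
        if ($addr) { Add-Key $byProxy $addr $u.SamAccountName }
    }
}

# The same UPN or proxyAddress on two objects fails export to Azure AD today
# (and will be quarantined once that feature ships).
foreach ($kv in $byUpn.GetEnumerator()) {
    if ($kv.Value.Count -gt 1) { Add-Finding $findings ($kv.Value -join ', ') 'Duplicate UPN' $kv.Key }
}
foreach ($kv in $byProxy.GetEnumerator()) {
    if ($kv.Value.Count -gt 1) { Add-Finding $findings ($kv.Value -join ', ') 'Duplicate proxyAddress' $kv.Key }
}

$findings | Sort-Object Issue, Account | Format-Table -AutoSize
```

Run it before the first export and again after any bulk HR import; the duplicate checks matter most in GALSync and account-resource topologies, where the same person legitimately exists in more than one forest and must join on mail or objectSID rather than be exported twice.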

What does Azure AD Connect not do
Azure AD Connect will not configure components outside the identity bridge:
• "Classic" identity management (FIM 2010 / MIM vNext): employee and contractor onboarding, offboarding and lifecycle changes, typically tied to an HR source as the system-of-record authority.
• SaaS application access management and SSO: ensuring SaaS applications have the identities they need for authorized users.

More about sync

Sync – customize options
Topologies
• Single forest
• Multi-forest configurations: full mesh, account-resource forest
• One (or multiple) Exchange organizations with hybrid Exchange
• Group membership for security groups with ForeignSecurityPrincipals (FSPs)
Filtering
• Filter which attributes to sync based on the services used in the cloud
Passwords
• Password synchronization for multiple forests
• Password write-back (for SSPR and password change), in preview

Default configuration assumptions
• A user will have only one enabled user account
• A user will have only one mailbox
• The best data quality for a user is where Exchange is located

Sync – review the configuration
Installation logs: %windir%\temp\aadsync
Synchronization rules
• Depending on whether Exchange and Lync are present in AD, different rules will be generated
• Depending on the Exchange version, attributes will be removed as needed
• Only selected services will have outbound rules to AAD
• Attributes you selected not to include are removed from the outbound rules to AAD

Introducing the Sync Rule Editor
A "Resource Kit Tool" to view, change and add sync rules
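Reviewing the generated rules from PowerShell rather than the Sync Rule Editor GUI, as an added example that is not part of the session: it lists which rules flow to Azure AD and which attributes they export, shows the join criteria the multi-forest topologies above depend on (mail for GALSync, objectSID/msExchMasterAccountSID for account-resource forests), and flags any outbound flow of attributes you consider sensitive. It assumes the ADSync module that ships with the sync engine and the object shape returned by Get-ADSyncRule (Direction, Connector, Precedence, JoinFilter with JoinConditionList items, AttributeFlowMappings with Source/Destination); the $sensitive list is a constructed placeholder.

```powershell
# Added example, not from the session deck: review the synchronization rules
# the wizard generated. Assumes the ADSync module on the sync server and the
# property names exposed by Get-ADSyncRule / Get-ADSyncConnector.
Import-Module ADSync

# Map connector GUIDs to names so the rule listing is readable.
$connectors = @{}
Get-ADSyncConnector | ForEach-Object { $connectors[$_.Identifier.ToString()] = $_.Name }

$rules = Get-ADSyncRule

# 1. Rules that flow to Azure AD, lowest precedence number (= highest
#    priority) first, with the attributes each one exports. Attributes you
#    deselected in the wizard should not appear here.
$outbound = $rules | Where-Object { $_.Direction -eq 'Outbound' } | Sort-Object Precedence
foreach ($r in $outbound) {
    $dest = ($r.AttributeFlowMappings | ForEach-Object { $_.Destination } | Sort-Object -Unique) -join ', '
    '{0,-4} {1,-50} -> {2}' -f $r.Precedence, $r.Name, $connectors[$r.Connector.ToString()]
    "     attributes: $dest"
}

# 2. Join criteria on inbound rules. Assumption: JoinFilter is a list of
#    condition groups, each with a JoinConditionList of CSAttribute/MVAttribute
#    pairs (the shape the Sync Rule Editor's export scripts use).
$rules | Where-Object { $_.Direction -eq 'Inbound' -and $_.JoinFilter } | ForEach-Object {
    $joins = foreach ($group in $_.JoinFilter) {
        ($group.JoinConditionList | ForEach-Object { "$($_.CSAttribute) = $($_.MVAttribute)" }) -join ' AND '
    }
    '{0,-50} joins on: {1}' -f $_.Name, ($joins -join ' | ')
}

# 3. Security review item: outbound flows of attributes you do not want in
#    the cloud. The list is a constructed placeholder.
$sensitive = 'employeeID', 'extensionAttribute15'
foreach ($r in $outbound) {
    $r.AttributeFlowMappings |
        Where-Object { $_.Destination -in $sensitive } |
        ForEach-Object { "REVIEW: rule '$($r.Name)' exports $($_.Destination) from $($_.Source -join ',')" }
}
```

Run this after the wizard finishes and keep the output with the installation logs; a later diff against it is the quickest way to see that a custom rule added through the Sync Rule Editor changed what leaves the on-premises boundary.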

Licensing
• Azure AD Sync follows AAD licensing; there is no extra cost for sync.
• Azure AD Sync incurs no extra cost when synchronizing from on-premises to Azure AD. This includes multiple AD forests, non-AD LDAP and any other supported sources, and write-back for hybrid Exchange.
• Azure AD Sync requires Azure AD Premium for write-back from Azure AD to on-premises (password, device, group, user, ...). This includes writing between on-premises directories.
• This is not grandfathered back to FIM 2010: a FIM Sync server will still require a license if used to connect with Azure AD. Note: EMS and Azure AD Premium include FIM server licenses.

Sync enhancements over DirSync
• Group size is 50k members in AADSync (15k in DirSync)
• Can have up to 100k objects with SQL LocalDB
• More filtering options: can filter groups and contacts
• More options for custom configuration
• Can view the configuration

More about sign-in

Choosing a sign-in option
Default: choose password sync for the simplest deployment needs. SSO with ADFS is just another option for customers that have more unique needs:

Tight AD integration
• Desktop SSO from domain-joined machines
• Honor AD logon policies (e.g. work hours)
• Integration with AD lockout, with support for an independent "soft" lockout for the extranet
• Alternate login ID

Security policy
• Policy prevents any AD credential from being synced to the public cloud

Conditional access
• Client access policies to control extranet access to applications
• Conditional access based on devices (Workplace Join)

Strong authentication
• In-box support for AD certificate authentication (e.g. smart cards)
• Support for Azure MFA Server or 3rd-party MFA vendors (RSA, SafeNet, LoginPeople, InWebo, Gemalto, ...) that a customer already has

Sign-in – password sync
• Synchronizes a hash of the password hash. The actual password never leaves on-premises and is not known by Azure AD.
• Since the password was set on-premises, the on-premises password policies (length, complexity, history) apply. Note that on-premises expiration is not carried across: a synchronized user's cloud password is not expired by Azure AD; the user keeps signing in with whatever hash was last synchronized until a new one arrives.
• The synchronized hash cannot be used outside Azure AD and cannot be used to access any on-premises resources.
• Can be used as a backup for federation: if password hashes are present in Azure AD, a quick failover from ADFS to password sync is possible.

Sign-in: How does SSO work (intranet user)

Diagram: on-premises AD and ADFS behind the internal firewall; Web Application Proxy in the perimeter network between the two firewalls; Azure AD and the application on the internet.

1. User accesses the application
2. Redirected to Azure AD; user enters their login ID for home realm discovery (HRD)
3. Redirected to ADFS; desktop SSO on a domain-joined machine
4. Redirected to AAD; AAD validates the user token and generates a new token for the app
5. User now has access to the application

Sign-in: How does SSO work (extranet user)

1. User accesses the application
2. Redirected to Azure AD; user enters their login ID for HRD
3. Redirected to the Web Application Proxy (WAP); username/password or certificate authentication
4. Redirected to AAD; AAD validates the user token and generates a new token for the app
5. User now has access to the application

SSO: Tips for a successful deployment

Deployment
• Use Windows Server 2012 R2
• Co-locate ADFS on domain controllers (no IIS needed)
• You don't need SQL unless you have more than 90K users!
• Use self-signed token signing certificates.

Network
• Deploy Web Application Proxy. Current Outlook/EAS need this to work.
• AAD uses the federation metadata endpoint, which must be internet accessible, to keep token signing certificate information up to date.
• Don't use sticky sessions on your load balancer.
• Configure SNI on the load balancer or use HTTP health probes (MS14-08).

Security
• Enable extranet soft account lockout.
• Enable MFA with smart cards, Azure MFA or 3rd-party MFA (SafeNet, RSA, Gemalto, LoginPeople, ...).
• Enable client access policies in the prescribed manner.

Sign-in experience
• Ensure that the SPN (HOST/adfs.contoso.com) is set on the ADFS service account.
• Customize the illustration and logo to give a great end-user experience.
• Enable the "Keep Me Signed In" option for better SSO.
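The deployment, network, security and sign-in tips above, turned into a post-deployment check as an added example that is not part of the session: it verifies extranet soft lockout and Keep Me Signed In, the HOST/ SPN on the service account, that an MFA provider is registered, that the token signing certificate Azure AD trusts matches the primary one in the farm, and that the federation metadata and /adfs/probe endpoints answer. It assumes Windows Server 2012 R2 AD FS cmdlets on the primary federation server, the MSOnline module already connected with Connect-MsolService, and placeholder values for the farm FQDN and domain.

```powershell
# Added example, not from the session deck: a read-mostly post-deployment
# check for the AD FS tips above. Run on the primary AD FS server (Windows
# Server 2012 R2) as an AD FS admin after Connect-MsolService. FQDN and domain
# are placeholders.
$FarmFqdn = 'adfs.contoso.com'
$Domain   = 'contoso.com'

$props = Get-AdfsProperties

# Extranet soft lockout: AD FS stops forwarding bad passwords from the WAP to
# AD before AD's own threshold is reached, so an internet attacker cannot lock
# users out. The AD FS threshold must stay below the AD lockout threshold.
if (-not $props.ExtranetLockoutEnabled) {
    Write-Warning 'Extranet lockout is disabled; enabling with threshold 10 / 30 min window'
    Set-AdfsProperties -EnableExtranetLockout $true `
        -ExtranetLockoutThreshold 10 `
        -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
}

# Keep Me Signed In (persistent SSO cookie).
if (-not $props.KmsiEnabled) { Set-AdfsProperties -EnableKmsi $true }

# Kerberos SPN on the service account; without it Windows Integrated
# Authentication (desktop SSO) fails and users get a forms prompt instead.
$svc  = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
$sam  = ($svc -split '\\')[-1]
$spns = & setspn.exe -L $sam
if (-not ($spns -match "HOST/$FarmFqdn")) {
    Write-Warning "HOST/$FarmFqdn missing on $svc; fix with: setspn -s HOST/$FarmFqdn $sam"
}

# MFA: at least one additional authentication provider should be registered.
$auth = Get-AdfsGlobalAuthenticationPolicy
if (-not $auth.AdditionalAuthenticationProvider) {
    Write-Warning 'No MFA provider registered (AdditionalAuthenticationProvider is empty)'
}

# The token signing certificate Azure AD trusts must match the primary one in
# AD FS, otherwise cloud sign-in fails after a certificate rollover.
$local = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
$cloud = (Get-MsolFederationProperty -DomainName $Domain |
          Where-Object Source -eq 'Microsoft Office 365').TokenSigningCertificate.Thumbprint
if ($local -ne $cloud) {
    Write-Warning "Token signing mismatch: AD FS $local, Azure AD $cloud; run Update-MsolFederatedDomain -DomainName $Domain"
}

# Internet-facing endpoints: federation metadata (Azure AD reads it to pick up
# new signing certs) and the /adfs/probe HTTP endpoint for load balancer
# health checks.
foreach ($url in "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml",
                 "http://$FarmFqdn/adfs/probe") {
    try   { $code = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10).StatusCode }
    catch { $code = $_.Exception.Message }
    "$url -> $code"
}
```

Run the endpoint checks from outside the corporate network as well: the metadata URL must be reachable from the internet for Azure AD's automatic certificate update, and the probe URL is what the load balancer in front of the WAP should be polling instead of relying on sticky sessions.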

Looking ahead…

Future features
• Support Azure AD Premium: write-back of passwords, devices, groups, and users
• Support non-AD LDAP directories
• Add common configuration tasks to the wizard
• Directory extensions

Quarantine objects
In the next few months, we will allow objects with duplicate UPNs and proxyAddresses to be exported to AAD, but they will be quarantined until cleaned up.

Related content

Microsoft Solutions Experience Location (MSE)

Tue, Oct 28 3:15 PM-4:30 PM   EM-B214  Privileged Access Management for Active Directory
Wed, Oct 29 8:30 AM-9:45 AM   EM-B316  Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
Wed, Oct 29 3:15 PM-4:30 PM   EM-B319  Microsoft Identity Manager vNext Overview
Wed, Oct 29 3:15 PM-4:30 PM   CDP-B210 Cloud Identity: Microsoft Azure Active Directory Explained
Wed, Oct 29 5:00 PM-6:15 PM   EM-B318  Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
Thu, Oct 30 10:15 AM-11:30 AM CDP-B312 Microsoft Azure Active Directory Premium, in Depth
Fri, Oct 31 2:45 PM-4:00 PM   EM-B313  Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
Thu, Oct 30 12:00 PM-1:15 PM  EM-B310  Active Directory + BYOD = Peace of Mind
Thu, Oct 30 5:00 PM-6:15 PM   DEV-B322 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
Fri, Oct 31 8:30 AM-9:45 AM   CDP-B207 Securing Organizations: Azure Active Directory Intelligence as a Differentiator

Enterprise Mobility Suite: http://aka.ms/enterprisemobilitysuite
Microsoft Intune: http://aka.ms/microsoftintune
Configuration Manager: http://aka.ms/configmgr

Enterprise Mobility Track Resources
Hybrid Identity: http://aka.ms/hi
Access & Info Protection: http://aka.ms/aip
Desktop Virtualization: http://aka.ms/virtualdesktop

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Please complete an evaluation form. Your input is important!
Evaluate this session via the TechEd Schedule Builder (CommNet station or PC) or the TechEd mobile app (phone or tablet).

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.