SETTING UP AZURE AD FOR SHAREPOINT ADMINS
12 Year SharePoint MVP
Writer, speaker, consultant, podcaster, SysKit Chief Evangelist
Todd Klindt – Sympraxis Consulting
www.toddklindt.com
www.toddklindt.com/Thrive2018
Azure Active Directory
• If you are going to do anything with Office 365 this is step one
• This is a very valuable skill set to add to the resume
• Stop reinventing the authentication wheel
• Walk through guide
• https://www.youtube.com/watch?v=duYYmqzx0Rc
Identity Bridge (diagram): (Windows) Active Directory (LDAP) → Azure AD Connect (sync + sign on) → Azure AD
Defining Terminology
• (Windows) Active Directory
• User Principal Name (UPN)
• Azure Active Directory (AAD)
• Identity as a Service
• Hybrid
• DirSync
• ADFS
• Azure AD Connect (AADC)
• SSO (Single Sign-On)
• The other SSO (Same Sign-On)
Topology & Security
• ADFS vs DirSync vs Pass-Through
  • Federation starts with synchronization
  • Pass-through, best of both worlds?
• Multifactor Auth
  • Yours or theirs
  • Flip of a switch
Azure identity management security overview
• Single sign-on
• Reverse proxy
• Multi-factor authentication
• Security monitoring, alerts, and machine learning-based reports
• Consumer identity and access management
• Device registration
• Privileged identity management
• Identity protection
• Hybrid identity management
• https://docs.microsoft.com/en-us/azure/security/security-identity-management-overview
Same sign on scenario
Single sign on scenario
Pass-through Auth
Active Directory core concepts and concerns
• FSMO roles, AD DNS, WINS, etc.
• Dirty Directories
• 2003 Everyone group -> 2008 Authenticated Users group
• Objects with isCriticalSystemObject = TRUE are not synced (by default)
  • I’m looking at you, Domain Users
• UPN issues
• Schema Extensions
On-Prem Server, Cloud Auth
• Azure AD with your on-prem SharePoint Server
• Get Azure AD set up
• Set up SSL
• Create new Enterprise Application in Azure AD
• Configure new Trusted ID in SharePoint 2016
• Set permissions on SharePoint 2016
• Enable SAML 1.1 token in Azure AD
• Verify provider
• Some cleanup
• Kirk’s Instructions here
• Spence has a session on this here at Thrive
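The SharePoint side of the "Configure new Trusted ID" and "Set permissions" steps above, as an added example that is not from the deck or from Kirk's write-up. It runs in the SharePoint 2016 Management Shell as a farm administrator and assumes: the Azure AD tenant ID, the realm (which must equal the identifier you gave the Enterprise Application), the path to the token-signing certificate downloaded from that application, the web application URL and the test user are all placeholder values; and the incoming claim type is the "name" claim Azure AD puts the UPN in, which you should confirm against the application's claims configuration.

```powershell
# Added example, not the speaker's code. Placeholder values are marked as assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$TenantId  = '00000000-0000-0000-0000-000000000000'      # assumption: your tenant ID
$Realm     = 'urn:sharepoint:portal'                      # assumption: must match the App ID URI in Azure AD
$CertPath  = 'C:\certs\AzureAD-signing.cer'               # assumption: Base64 signing cert from the Enterprise Application
$WebAppUrl = 'https://portal.contoso.com'                 # assumption: the web application to protect
$TestUser  = 'alice@contoso.com'                          # assumption: a user to grant as site collection admin
$SignInUrl = "https://login.microsoftonline.com/$TenantId/wsfed"

# Pin the exact certificate you downloaded. Whoever holds the matching private key
# can mint logins for this farm, so compare the thumbprint with the portal first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Trusting $($cert.Subject) thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Signing cert expires within 30 days; plan the rollover now.'
}
New-SPTrustedRootAuthority -Name 'Azure AD Token Signing' -Certificate $cert | Out-Null

# Claim mappings for the SAML 1.1 token. The incoming "name" claim carries the UPN
# (assumption: verify against the app's claims tab) and becomes SharePoint's UPN claim.
$upn = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' `
    -IncomingClaimTypeDisplayName 'name' `
    -LocalClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$email = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming

# The trusted identity provider itself. IdentifierClaim must be one of the incoming claim types.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Azure AD' `
    -Description 'Azure AD via WS-Fed (SAML 1.1 tokens)' `
    -Realm $Realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $upn, $email `
    -SignInUrl $SignInUrl `
    -IdentifierClaim $upn.InputClaimType

# "Verify provider": the realm and sign-in URL must match what Azure AD was told.
Get-SPTrustedIdentityTokenIssuer -Identity 'Azure AD' |
    Select-Object Name, DefaultProviderRealm, ProviderUri

# Add the provider to the Default zone alongside Windows auth, so admins are not locked out
# if the trust is misconfigured. Then grant the test user as site collection admin.
$windows = New-SPAuthenticationProvider
Set-SPWebApplication -Identity $WebAppUrl -Zone Default -AuthenticationProvider $windows, $issuer

$claim = New-SPClaimsPrincipal -Identity $TestUser -TrustedIdentityTokenIssuer $issuer
Set-SPSite -Identity $WebAppUrl -SecondaryOwnerAlias $claim.ToEncodedString()
Write-Host "Granted $($claim.ToEncodedString()) as secondary site collection administrator on $WebAppUrl"
```

Keeping the Windows provider on the zone is the "some cleanup" safety net: once Azure AD sign-in is proven to work you can remove it, but removing it first turns a bad realm or wrong certificate into a locked-out farm.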
AZURE AD CONNECT WALKTHROUGH
Assumptions
• Windows Active Directory Domain
  • It works
  • Forest and Domain at Windows 2003 functional level or higher
  • Not a single-label or dotted domain name
• AD Connect Server
  • Windows Server 2008 or later
• Own an Internet domain and control its DNS
• Have an Azure or Office 365 tenant
• Domain admin and tenant admin creds
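A pre-flight script that checks the assumptions above and the "Active Directory core concepts and concerns" from earlier in the deck (functional levels, single-label or dotted names, AADC server OS, UPN suffixes, and the isCriticalSystemObject objects AADC skips). This is an added example, not the speaker's code; it assumes the RSAT ActiveDirectory module is installed on the AD Connect candidate server and that $VerifiedDomains holds the Internet domains you have already verified in the tenant (placeholder value).

```powershell
# Added example, not from the deck. Run on the AD Connect candidate server as a domain admin.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com')   # assumption: replace with your verified tenant domains

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Functional levels: forest and domain at Windows 2003 or higher.
#    ADForestMode/ADDomainMode are ordered enums (Windows2003Forest = 2, Windows2003Domain = 2),
#    so an integer compare is enough.
if ([int]$forest.ForestMode -lt 2) { Write-Warning "Forest functional level too low: $($forest.ForestMode)" }
if ([int]$domain.DomainMode -lt 2) { Write-Warning "Domain functional level too low: $($domain.DomainMode)" }

# 2. Single-label DNS names and dotted NetBIOS names are not supported.
if ($domain.DNSRoot -notmatch '\.')   { Write-Warning "Single-label DNS domain: $($domain.DNSRoot)" }
if ($domain.NetBIOSName -match '\.') { Write-Warning "Dotted NetBIOS name: $($domain.NetBIOSName)" }

# 3. AADC server OS: Windows Server 2008 (NT 6.0) or later.
$os = Get-CimInstance Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.0') { Write-Warning "AADC server OS too old: $($os.Caption)" }
else { Write-Host "AADC server OS: $($os.Caption)" }

# 4. UPN issues: an enabled user whose UPN suffix is not a verified domain (typically .local)
#    lands in the tenant as user@tenant.onmicrosoft.com. Find them before the first sync.
$badUpn = Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName |
    Where-Object {
        -not $_.userPrincipalName -or
        ($VerifiedDomains -notcontains ($_.userPrincipalName -split '@')[-1])
    }
Write-Host "$(@($badUpn).Count) enabled user(s) with a missing or non-routable UPN suffix:"
$badUpn | Select-Object SamAccountName, userPrincipalName | Format-Table -AutoSize

# 5. Objects AADC silently skips: isCriticalSystemObject = TRUE
#    (Domain Users, Domain Admins, Administrator, krbtgt, ...). Don't build cloud
#    permissions on groups that will never arrive.
Get-ADObject -LDAPFilter '(isCriticalSystemObject=TRUE)' |
    Where-Object { $_.ObjectClass -in 'user', 'group' } |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

The two lists at the end are the ones that bite SharePoint admins: a .local UPN suffix means users sign in with a name they have never seen, and a SharePoint group that grants rights to Domain Users grants nothing in the cloud because that group is filtered out of the sync.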
Before Picture
Add Internet Domain
Verify Domain
TXT Record Shuffle
Your DNS Host
The Easy Way
Verifying…
With PowerShell
• V1 (MSOnline module)
  • New-MsolDomain
  • Get-MsolDomainVerificationDns
  • Confirm-MsolDomain
  • Set-MsolDomain
• V2 (AzureAD module)
  • New-AzureADDomain
  • Get-AzureADDomainVerificationDnsRecord
  • Confirm-AzureADDomain
  • Set-AzureADDomain
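The "Add Internet Domain", "Verify Domain" and "TXT Record Shuffle" steps done with the V2 cmdlets listed above, as an added example that is not the speaker's code. It assumes the AzureAD module, a sign-in with a Global Administrator account (use one protected by MFA), and that $Domain is a placeholder for your own domain. The one thing the portal does not force you to do is check that the TXT record is actually visible on the public Internet before calling Confirm, which is where "Again with the DNS" comes from; the Wait-TxtRecord function below is a helper written for this example.

```powershell
# Added example, not from the deck. $Domain is an assumed placeholder value.
Import-Module AzureAD
$Domain = 'contoso.com'

Connect-AzureAD | Out-Null

# Register the domain in the tenant (skip if it is already there).
if (-not (Get-AzureADDomain -Name $Domain -ErrorAction SilentlyContinue)) {
    New-AzureADDomain -Name $Domain | Out-Null
}

# Fetch the TXT challenge: this is the record you create at your DNS host.
$txt = Get-AzureADDomainVerificationDnsRecord -Name $Domain |
       Where-Object RecordType -eq 'Txt'
Write-Host "Create a TXT record at '$($txt.Label)' with value '$($txt.Text)' (TTL $($txt.Ttl))"

# Poll a public resolver until the record is visible, with a bound so a typo at the
# registrar does not spin forever. Asking 8.8.8.8 rather than your internal DNS means a
# split-brain internal zone cannot make the check pass while Azure AD still cannot see it.
function Wait-TxtRecord {
    param([string]$Name, [string]$Expected, [int]$Attempts = 20, [int]$DelaySeconds = 30)
    for ($i = 1; $i -le $Attempts; $i++) {
        $seen = Resolve-DnsName -Name $Name -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
                Where-Object { $_.Strings -contains $Expected }
        if ($seen) { return $true }
        Write-Host "Attempt $i of $Attempts: TXT not visible yet, sleeping $DelaySeconds s"
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

if (-not (Wait-TxtRecord -Name $txt.Label -Expected $txt.Text)) {
    throw "TXT record for $Domain never appeared in public DNS; not calling Confirm."
}

Confirm-AzureADDomain -Name $Domain
Set-AzureADDomain -Name $Domain -IsDefault $true     # optional: make it the default UPN suffix
Get-AzureADDomain -Name $Domain | Select-Object Name, IsVerified, IsDefault

# V1 (MSOnline) equivalents of the same four steps:
#   Connect-MsolService
#   New-MsolDomain -Name $Domain
#   Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord
#   Confirm-MsolDomain -DomainName $Domain
#   Set-MsolDomain -Name $Domain -IsDefault
```

Once the domain is verified the TXT record has done its job; it is harmless to leave in place, but anyone who can edit that zone can also verify the domain into a different tenant, so treat registrar and DNS-host access as part of the identity perimeter.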
Now, Another Word about DNS
Again with the DNS
Function Check
Second Before
Start Syncing
Is Directory Sync Right for You?
Step 1
https://portal.office.com/tools
More Checking…
Step 2 – HRC
Step 3 – IdFix
More Fixin’
Houston, we have a problem…
Install and Config
Almost there
The Pudding
ADVANCED MOVES
Viewing AADC
Customizing AADC
miisclient.exe (Synchronization Service Manager)
PowerShell
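The PowerShell side of "Viewing AADC": an added example, not the speaker's code, showing the ADSync module that the Azure AD Connect installer puts on the server. It assumes nothing beyond being run on the AADC server as a member of the local ADSyncAdmins group; every cmdlet and property here is from the ADSync module as installed.

```powershell
# Added example, not from the deck. Run on the Azure AD Connect server.
Import-Module ADSync

# What the scheduler is doing and when it runs next (default is a delta cycle every 30 minutes).
$sched = Get-ADSyncScheduler
$sched | Format-List SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress,
                     CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Staging mode imports and syncs but never exports. A second server in staging mode is how
# you test rule changes; it is also why "The Pudding" can show nothing if you ran it here.
if ($sched.StagingModeEnabled) {
    Write-Warning 'This server is in staging mode: nothing will be exported to Azure AD or on-prem AD.'
}

# Never start a cycle on top of a running one; let the current run finish.
if ($sched.SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
    Write-Warning 'A sync run is already in progress; not starting another.'
} else {
    # Delta for day-to-day. Use -PolicyType Initial after changing filters or sync rules,
    # since a delta will not re-evaluate objects that did not change in the source.
    Start-ADSyncSyncCycle -PolicyType Delta
}

# The connectors (one per on-prem forest plus one for the tenant) and the rules that
# shape attribute flow, lowest precedence number wins. Review these before "Customizing AADC".
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
Get-ADSyncRule | Sort-Object Precedence |
    Select-Object Precedence, Name, Direction, Description | Format-Table -AutoSize
```

Custom rules created in the Synchronization Rules Editor show up in the last list with a low precedence number; if a built-in rule and a custom one both write the same attribute, the precedence column is the first place to look when an attribute does not arrive in the tenant as expected.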
Questions?