Agenda • AD to Windows Azure AD • Sync Options• Federation Architecture• AD to AAD Quick start

By Sachin Shetty

AD to AAD Sync Options

By Sachin Shetty

Identities for Microsoft Cloud Services

User

OrgIDOrganizational Account

OnMicrosoft Account(Azure AD Account)

Examples: Sachin@contoso.com

sachin@contoso.onmicrosoft.com

User

Personal Services Organizational Services

Live IDMicrosoft Account

Examples: Sachin@outlook.comsachin@live.com

WindowsIntune

Contoso customer premises

Cloud-Only / No Integration

AD

Windows Azure Active Directory

Provisioningplatform

CORPApp

Dynamics CRM Online

Office 365

IdP

DirectoryStore

Admin Portal/PowerShell/

GRAPH

Authentication platform

IdP

1. Cloud Only / No Integration2. Directory Synchronization3. Directory and Federated SSO

Joe@contoso.msonline.com

shetty@contoso.com

WindowsIntune

Contoso customer premises

Directory Synchronization

ADDirectory Sync

(DirSync)

Windows Azure Active Directory

Provisioningplatform

CORP App

Dynamics CRM Online

Office 365

IdPDirectory

Store

Admin Portal/PowerShell/

GRAPH

Authentication platform

IdP

1. No Integration2. Directory Synchronization3. Directory and Single sign-on

(SSO)

Directory Synchronization Options

Suitable for small/medium size organizations with AD or Non-AD

Not a highly recommended option compared to DirSync or FIM Connector

Performance limitations apply with PowerShell and Graph API provisioning

PowerShell requires extensive scripting experience

PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning)

As this is a custom solution, Microsoft support may not be able to help if there are issues

PowerShell & Graph API

Suitable for Organizations using Active Directory (AD)

Supports Exchange Co-existence scenarios

Coupled with AD FS, provides best option for federation and synchronization

Does not require any additional software licenses

Multi-forest available through MCS+Partners

Suitable for large organizations with certain AD and Non-AD scenarios

Complex multi-forest AD scenarios

Non-AD synchronization through Microsoft premier deployment support

Requires Forefront Identity Manager and additional software licenses

Suitable for all organizations

Supports Exchange Co-existence scenarios

WindowsIntune

Contoso customer premises

Directory and Federated SSO

ADDirectory Sync

(DirSync)

Windows Azure Active Directory

Provisioningplatform

Office 365

Dynamics CRM Online

CORP App

Active Directory Federation Server 2.0

Trust

IdPDirectory

Store

Admin Portal/PowerShell/

GRAPH

Authentication platform

IdP

1. No Integration2. Directory Synchronization3. Directory and Federated SSO

Federation options

Suitable for educational organizations

Recommended where customers may use existing non-AD FS Identity systems

Single sign-on

Secure token based authentication

Support for web clients and outlook only

Microsoft supported for integration only, no shibboleth deployment support

Requires on-premises servers & support

Works with AD and other directories on-premises

ShibbolethWorks with AD & Non-AD

Suitable for medium, large enterprises including educational organizations

Recommended option for Active Directory (AD) based customers

Single sign-on

Secure token based authentication

Support for web and rich clients

Microsoft supported

Requires on-premises servers, licenses & support

Works with AD

Suitable for medium, large enterprises including educational organizations

Recommended where customers may use existing non-AD FS Identity systems with AD or Non-AD

Single sign-on

Secure token based authentication

Support for web and rich clients

Third-party supported

Requires on-premises servers, licenses & support

Works with AD & Non-AD

Identity Options Comparison1. No Integration

Appropriate for• Smaller orgs without

AD on-premisePros• No servers required on-

premise• Same Domain name for

users possibleCons• No SSO• No 2FA• 2 sets of credentials to

manage with differing password policies

• IDs mastered in the cloud

2. Directory Only

Pros• Users and groups

mastered on-premise• Enables co-existence• Single server

deploymentCons• No 2FA until Spring 2013• 2 sets of credentials to

manage with differing password policies OR Manual / 3rd Party password Sync OR use FIM

• No SSO

3. Directory and SSO

Pros• SSO with corporate

cred• IDs mastered on-

premise• Password policy

controlled on-premise• 2FA solutions

possible• Enables hybrid

scenarios• Location isolation• Ideal for multiple

forestsCons• Additional Servers

required for AD FS

Accounts in Windows Azure AD

Demo

Federation Architecture

Federated Architecture

CorpNet Internet

Active Director

y

Windows Azure AD

AD FS +

DirSync

AD FSProxy

[Server2][Server1]

AD FS Scalability Planning

Users Dedicated Federation Servers

Federation server proxies

NLB servers

Comments

<1,000 0 0 1 Deploy AD FS on two DCs

1,000–15,000 2 2 2 Install NLB on proxies

15,000–60,000 2+1 for every 15,000 users

2+ 2+ Install NLB on proxies or use dedicated NLB implementation

http://technet.microsoft.com/en-us/library/jj151794.aspx

Federated Architecture on Windows Azure!

CorpNet Internet

Active Director

y

Windows Azure AD

AD FS + AD

AD FSProxy

Windows AzureSubscription

VPN

DirSync

Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

Quickstart Guide Architecture

Active Director

y

Windows Azure AD

AD FS +

DirSync

AD FSProxy

[Server2][Server1]

Windows Server 2012

Windows Server 2012

1) Add Domain to Windows Azure AD [Windows Azure from Server1]

2) Activate DirSync [Windows Azure from Server1]

3) Install AD FS Server Role [Server1]

4) Configure AD FS Server [Server1]

5) Install AD FS Proxy (optional) [Server2]

6) Configure AD FS Proxy (optional) [Server2]

7) Configure Inbound SSL Access [Server2]

8) Configure AD Federation Support [Server1]

9) Install & Configure DirSync [Server1]

AD to AAD Quickstart Steps

Demo

Pre-requisites & Initial SetupInstall and Configure a new AD FS farm

What we’ve built so far

CorpNet Internet

Active Director

y

Windows Azure AD

AD + AD FS

Windows AzureSubscription

VPN

DirSync – Activated, not syncedDomain Name – Added, not verified

Domain: Christianboarders.com

Configure Inbound SSL Access

Internet

Windows Azure AD

157.56.167.107mycloudservice.cloudapp.net

CorpNet Internet

Active Director

y

AD + AD FS

Windows AzureSubscription

VPN

Install DirSync on WS 2012Write-QSTitle 'Download, install, and configure the DirSync tool'$DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {Write-QSError 'DirSync download failed.'return}Write-Host 'Running DirSync installer...'Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

Note: SQL 2008 R2 Express not officially supported on WS 2012. SP1 is supported, buthttp://support.microsoft.com/kb/2681562

[On Server1]

Final Configuration

CorpNet Internet

Active Director

y

Windows Azure AD

AD FS + AD

AD FSProxy

Windows AzureSubscription

VPN

DirSync

DirSync – Activated + syncedDomain Name – Added + verified

Actual Times TakenDocument Step #

PS Script Step #

Component of Configuration Actual Time Taken

1 1-2 Initial Software Installation (pre-requisites)*,*** 1 min 12 sec

1 3 Office 365 Readiness Tool 5 min 48 sec

2 4-5 Add Domain Name in Windows Azure AD 27 sec

3 6 Activate DirSync Support 10 sec

4 7-14 Install and Configure On-Premise AD FS Server1** 2 min 53 sec

5 15-22 Install and Configure AD FS Proxy Server2*, ***, ****

6 min 12 sec

6 23-24 Configure Windows Azure AD Federation Support 41 sec

7 25-27 Install and Configure DirSync 3 min 26 sec*Includes auto-install of .Net Framework tools**Includes using self-signed certificate & auto-install of RSAT-DNS tools*** Includes install of Sign-in Assistant & PS Module for MS Online**** Used single-core VM for comparison vs AD FS server VM with 6 cores

Thank you