Agenda • AD to Windows Azure AD • Sync Options • Federation Architecture • AD to AAD Quick Start
By Sachin Shetty
AD to AAD Sync Options
By Sachin Shetty
Identities for Microsoft Cloud Services (diagram)
• Personal services: a user signs in with a Live ID / Microsoft Account (examples: [email protected], …@live.com)
• Organizational services: a user signs in with an OrgID / Organizational Account, i.e. an OnMicrosoft account (Azure AD account) (example: [email protected])
Cloud-Only / No Integration (diagram)
• Contoso customer premises: AD (IdP) and a CORP app, with no link to the cloud directory.
• Windows Azure Active Directory: provisioning platform (Admin Portal / PowerShell / Graph), directory store, authentication platform (IdP).
• Cloud services using the directory: Windows Intune, Dynamics CRM Online, Office 365.
Integration options: 1. Cloud Only / No Integration 2. Directory Synchronization 3. Directory and Federated SSO
Directory Synchronization (diagram)
• Contoso customer premises: AD (IdP) and a CORP app; Directory Sync (DirSync) pushes objects from AD to the Windows Azure AD provisioning platform.
• Windows Azure Active Directory: provisioning platform (Admin Portal / PowerShell / Graph), directory store, authentication platform (IdP).
• Cloud services using the directory: Windows Intune, Dynamics CRM Online, Office 365.
Integration options: 1. No Integration 2. Directory Synchronization 3. Directory and Single sign-on (SSO)
Directory Synchronization Options
PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Not a highly recommended option compared to DirSync or FIM Connector
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience
• The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues
DirSync
• Suitable for organizations using Active Directory (AD)
• Supports Exchange co-existence scenarios
• Coupled with AD FS, provides the best option for federation and synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS + partners
FIM Connector
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
• Suitable for all organizations
• Supports Exchange co-existence scenarios
Directory and Federated SSO (diagram)
• Contoso customer premises: AD (IdP) and a CORP app; Directory Sync (DirSync) feeds the Windows Azure AD provisioning platform; Active Directory Federation Server 2.0 holds a trust with the Windows Azure AD authentication platform.
• Windows Azure Active Directory: provisioning platform (Admin Portal / PowerShell / Graph), directory store, authentication platform (IdP).
• Cloud services using the directory: Windows Intune, Office 365, Dynamics CRM Online.
Integration options: 1. No Integration 2. Directory Synchronization 3. Directory and Federated SSO
Federation options
Shibboleth (works with AD & non-AD)
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for the integration only; no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
AD FS (works with AD)
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Requires on-premises servers, licenses & support
• Works with AD
Third-party identity providers (work with AD & non-AD)
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• Requires on-premises servers, licenses & support
• Works with AD & non-AD
Identity Options Comparison
1. No Integration
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
• Same domain name for users possible
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• IDs mastered in the cloud
2. Directory Only
Pros
• Users and groups mastered on-premise
• Enables co-existence
• Single server deployment
Cons
• No 2FA until Spring 2013
• 2 sets of credentials to manage with differing password policies, OR manual / 3rd-party password sync, OR use FIM
• No SSO
3. Directory and SSO
Pros
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
• Ideal for multiple forests
Cons
• Additional servers required for AD FS
Accounts in Windows Azure AD
Demo
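The demo itself is not in the transcript. The following is an added example, not the presenter's demo script, that checks a live tenant against the comparison above: which accounts are mastered on-premises (written by DirSync) versus in the cloud, and which domains are Managed (password checked by Windows Azure AD) versus Federated (token from AD FS, i.e. SSO). It assumes the MSOnline PowerShell module of that era and an administrator sign-in; no domain or account names are hard-coded.

```powershell
# Added example (not from the deck). Requires the MSOnline module and a tenant admin.
Import-Module MSOnline
Connect-MsolService                       # prompts for Windows Azure AD admin credentials

# Every user object in the tenant
$users = Get-MsolUser -All

# LastDirSyncTime is set only on objects written by DirSync, so it separates
# "IDs mastered on-premise" from "IDs mastered in the cloud".
$synced    = @($users | Where-Object { $_.LastDirSyncTime -ne $null })
$cloudOnly = @($users | Where-Object { $_.LastDirSyncTime -eq $null })

"Directory-synced accounts (mastered on-premises): {0}" -f $synced.Count
"Cloud-only accounts (mastered in the cloud):       {0}" -f $cloudOnly.Count

# Cloud-only accounts are the ones with a second set of credentials and a cloud-side
# password policy; list them so they can be reviewed (or migrated to synced objects).
$cloudOnly |
    Select-Object UserPrincipalName, DisplayName, PasswordNeverExpires, LastPasswordChangeTimestamp |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

# Per-domain state: Status must be Verified before federation is possible, and
# Authentication shows whether sign-in is Managed (cloud password) or Federated (AD FS).
Get-MsolDomain |
    Select-Object Name, Status, Authentication, IsDefault |
    Format-Table -AutoSize

# Whether DirSync has been activated at all for this tenant
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
```

Run it before and after enabling DirSync or converting a domain to federated: the counts move from cloud-only to synced as objects are written, and the Authentication column flips from Managed to Federated for the converted domain.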
Federation Architecture
Federated Architecture (diagram)
• CorpNet: Active Directory; Server1 runs AD FS + DirSync; Server2 runs the AD FS Proxy.
• Internet: Windows Azure AD.
AD FS Scalability Planning
Users         | Dedicated federation servers  | Federation server proxies | NLB servers | Comments
<1,000        | 0                             | 0                         | 1           | Deploy AD FS on two DCs
1,000–15,000  | 2                             | 2                         | 2           | Install NLB on proxies
15,000–60,000 | 2 + 1 for every 15,000 users  | 2+                        | 2+          | Install NLB on proxies or use a dedicated NLB implementation
Source: http://technet.microsoft.com/en-us/library/jj151794.aspx
Federated Architecture on Windows Azure! (diagram)
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription.
• Windows Azure subscription: AD FS + AD and the AD FS Proxy, with DirSync.
• Internet: Windows Azure AD.
Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD
Quickstart Guide Architecture (diagram)
• On-premises: Active Directory; Server1 (Windows Server 2012) runs AD FS + DirSync; Server2 (Windows Server 2012) runs the AD FS Proxy.
• Cloud: Windows Azure AD.
AD to AAD Quickstart Steps
1) Add Domain to Windows Azure AD [Windows Azure from Server1]
2) Activate DirSync [Windows Azure from Server1]
3) Install AD FS Server Role [Server1]
4) Configure AD FS Server [Server1]
5) Install AD FS Proxy (optional) [Server2]
6) Configure AD FS Proxy (optional) [Server2]
7) Configure Inbound SSL Access [Server2]
8) Configure AD Federation Support [Server1]
9) Install & Configure DirSync [Server1]
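The deck's own quick-start script is only shown in fragments. As an added example, not the deck's script, the block below walks the nine steps from the Windows Azure AD side (steps 1, 2, 7 and 8 in full) with the MSOnline and classic Windows Azure PowerShell cmdlets of that era, and ends with the checks a defender wants before calling the configuration final. The domain name is the one shown in the deck; the federation service name, the service account, the cloud service and VM names are assumed placeholders, and the FsConfig.exe path and switches used for steps 4 and 6 are given from memory and must be verified with FsConfig.exe /? on the server. Step 9 is the DirSync install the deck shows separately.

```powershell
# Added example (not the deck's quick-start script).
# ASSUMPTIONS: $FsName, 'CORP\svc_adfs', 'mycloudservice' and 'Server2' are placeholders;
# the FsConfig.exe path and switches are from memory, verify with 'FsConfig.exe /?'.

$DomainName = 'Christianboarders.com'        # domain shown on the deck's slides
$FsName     = 'fs.christianboarders.com'      # assumed federation service name
$Server1    = 'Server1'                       # AD FS + DirSync host per the architecture slide

Import-Module MSOnline
Connect-MsolService                           # prompts for a Windows Azure AD administrator

# --- Step 1: add the domain and show the TXT record that proves ownership ---
if (-not (Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $DomainName | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord |
    Select-Object Label, Text                 # publish this record in public DNS
# After DNS propagates, this moves the domain from "Added, not verified" to Verified:
# Confirm-MsolDomain -DomainName $DomainName

# --- Step 2: activate directory synchronization support in the tenant ---
Set-MsolDirSyncEnabled -EnableDirSync $true -Force

# --- Steps 3-4 (run on Server1, Windows Server 2012 / in-box AD FS 2.1) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$svcPassword = Read-Host 'AD FS service account password'
# Assumed FsConfig.exe location and switches; the service account is a placeholder.
& "$env:windir\ADFS\FsConfig.exe" CreateFarm `
    /ServiceAccount 'CORP\svc_adfs' /ServiceAccountPassword $svcPassword `
    /FederationServiceName $FsName /AutoCertRolloverEnabled

# --- Steps 5-6 (run on Server2, optional proxy) ---
# Install-WindowsFeature ADFS-Proxy
# & "$env:windir\ADFS\FsConfig.exe" CreateProxy /FederationServiceName $FsName `
#     /ProxyTrustUsername 'CORP\svc_adfs' /ProxyTrustPassword $svcPassword

# --- Step 7: publish only TCP 443 on the proxy VM (classic Windows Azure PowerShell) ---
Get-AzureVM -ServiceName 'mycloudservice' -Name 'Server2' |
    Add-AzureEndpoint -Name 'HttpsIn' -Protocol tcp -LocalPort 443 -PublicPort 443 |
    Update-AzureVM
# Nothing else on Server2 needs an Internet-facing endpoint.

# --- Step 8: convert the verified domain from Managed to Federated ---
Set-MsolADFSContext -Computer $Server1
Convert-MsolDomainToFederated -DomainName $DomainName

# --- Checks before declaring the configuration final ---
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified')          { Write-Warning "$DomainName is not verified" }
if ($domain.Authentication -ne 'Federated') { Write-Warning "$DomainName is still Managed" }
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Write-Warning 'DirSync is not activated in the tenant'
}
# The endpoints Windows Azure AD will redirect to; they must resolve to the proxy's public address.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
```

Convert-MsolDomainToFederated fails unless the domain is already Verified, so the Confirm-MsolDomain line has to have succeeded before step 8; the final Get-MsolDomainFederationSettings call is the quickest way to see what the tenant now trusts.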
Demo
Pre-requisites & Initial Setup
Install and Configure a new AD FS farm
What we've built so far (diagram)
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription running AD + AD FS.
• Internet: Windows Azure AD.
• DirSync – Activated, not synced
• Domain Name – Added, not verified
• Domain: Christianboarders.com
Configure Inbound SSL Access (diagram)
• Internet: Windows Azure AD; public endpoint 157.56.167.107 (mycloudservice.cloudapp.net).
• CorpNet: Active Directory, connected over a VPN to the Windows Azure subscription running AD + AD FS.
Install DirSync on WS 2012 [On Server1]

# Write-QSTitle, Require-QSDownloadableFile and Write-QSError are helpers defined
# elsewhere in the quick-start script (not shown in the deck).
Write-QSTitle 'Download, install, and configure the DirSync tool'
$DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
# Download the installer next to the running script; abort if the download fails
if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
    Write-QSError 'DirSync download failed.'
    return
}
Write-Host 'Running DirSync installer...'
# Silent install; -Wait blocks until the installer exits
Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

Note: SQL Server 2008 R2 Express is not officially supported on Windows Server 2012. SP1 is supported, but see http://support.microsoft.com/kb/2681562
Final Configuration (diagram)
• CorpNet: Active Directory, connected over a VPN to a Windows Azure subscription running AD FS + AD and the AD FS Proxy, with DirSync.
• Internet: Windows Azure AD.
• DirSync – Activated + synced
• Domain Name – Added + verified
Actual Times Taken
Document Step # | PS Script Step # | Component of Configuration                                   | Actual Time Taken
1               | 1-2              | Initial Software Installation (pre-requisites)*, ***         | 1 min 12 sec
1               | 3                | Office 365 Readiness Tool                                    | 5 min 48 sec
2               | 4-5              | Add Domain Name in Windows Azure AD                          | 27 sec
3               | 6                | Activate DirSync Support                                     | 10 sec
4               | 7-14             | Install and Configure On-Premise AD FS Server1**             | 2 min 53 sec
5               | 15-22            | Install and Configure AD FS Proxy Server2*, ***, ****        | 6 min 12 sec
6               | 23-24            | Configure Windows Azure AD Federation Support                | 41 sec
7               | 25-27            | Install and Configure DirSync                                | 3 min 26 sec
* Includes auto-install of .NET Framework tools
** Includes using a self-signed certificate & auto-install of RSAT-DNS tools
*** Includes install of the Sign-in Assistant & PowerShell module for MS Online
**** Used a single-core VM, for comparison with the AD FS server VM with 6 cores
Thank you