
CLOUD WRANGLING Identity Management for Office 365/Azure AD Presented by: David Pechon, Jr. MCSA, VCP6-DCV, NCDA

Upload: stephen-todd

Post on 21-Jan-2016


TRANSCRIPT

Page 1: CLOUD WRANGLING Identity Management for Office 365/Azure AD Presented by: David Pechon, Jr. MCSA, VCP6-DCV, NCDA

CLOUD WRANGLING: Identity Management for Office 365/Azure AD

Presented by: David Pechon, Jr., MCSA, VCP6-DCV, NCDA

Page 2:

Page 3:

WHO DOES THIS GUY THINK HE IS?

• Started IT career with an enlistment in the US Army in 1997 as an Information Systems Operator/Analyst. Stationed at Fort Polk, LA; Youngsan Army Garrison in Seoul, South Korea; and Fort Bragg, NC.

• Worked for a loan servicing company and three different banks in SE Louisiana. Worked for other consulting businesses, from a small MSP in New Orleans to a large systems integrator based in Denver.

• Has worked at Sparkhound since February 2014, specializing in virtualization, storage, messaging, and identity management.

• Certifications: Microsoft Certified Solutions Associate – Office 365, VMware Certified Professional 6 – Datacenter Virtualization, NetApp Certified Data Administrator – cDOT

• Married to my wife Clare for 8 years, with two children; currently resides in Ponchatoula, LA.

• Avid Chicago Cubs fan; loves to fish, enjoys fine beers, and grills meat.

• Fun fact: My face was on the Today show in 1991 for a full five seconds when Joe Garagiola visited my school at Fort Stewart, GA.

[email protected]

@davidpechon

http://linkedin.com/in/davidpechonjr

Page 4:

WHAT’S COVERED

• What is Azure Active Directory (AAD)?

• Sync your on premises Active Directory to the cloud.

• Active Directory Federation Services.

• Azure Access Control Services.

• Azure Active Directory Domain Services.

• Branding/User Acceptance.

Page 5:

WHAT IS AZURE ACTIVE DIRECTORY

Your Directory as a Service.

Page 6:

WHAT IS AZURE ACTIVE DIRECTORY

• AD services hosted in Azure that allow for identity management for Microsoft cloud applications and custom apps hosted in Azure

• Third-party applications, such as Salesforce and Box, can take advantage of Azure AD.

• Integrates with on-prem AD Directory Services using synchronization tools from Microsoft

• Management can be done from Active Directory Users and Computers, PowerShell, Azure dashboard, Office 365 admin center.

• With Active Directory Federation Services, you can provide single sign-on

• Multi-factor Authentication is available.

Page 7:

COMMON AZURE AD FEATURES

• Directory as a service [1]

• User and group management using UI or PowerShell

• Access Panel portal for SSO-based user access to SaaS and custom apps [2]

• User based application access management and provisioning

• Self-service password change for cloud users

• Directory Sync tool

• Standard security reports

[1] Up to 500k objects for Free, unlimited for Basic and Premium. Does not apply to Office 365, Windows Intune, or any other Microsoft online service.

[2] Up to 10 apps visible in the access panel for Free and Basic. No app limit in Premium.

Page 8:

BASIC AND PREMIUM FEATURES

Feature                                                       BASIC   PREMIUM
99.9% SLA uptime                                                √       √
Group-based application access management and provisioning     √       √
Custom branding of sign-on page and access                     √       √
Self-service password reset                                    √       √
App Proxy: secure remote access and SSO to on-prem web         √       √
Self-service group management for cloud users                          √
Microsoft Identity Manager server licenses for syncing                 √
Advanced anomaly security reports                                      √
Advanced application usage reporting                                   √
Multi-factor authentication service for cloud users                    √
Multi-factor authentication server for on-prem users                   √

Page 9:

PREPARING THE ON-PREMISES AD

• Active Directory attributes must be cleaned up before synchronization.

• Cannot synchronize users whose user principal name uses a non-routable (invalid) top-level domain (e.g. domain.local).

• Remove duplicate UPNs and proxyAddresses values.

• Remove invalid characters from the givenName, sn (surname), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.

Page 10:

IDENTIFYING PROBLEMS

Office 365 OnRamp identifies issues but does not correct them.

IdFix can be used to identify errors and remediate some of them.
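The checks from the "Preparing the on-premises AD" slide and this one can also be scripted as a read-only audit, so the results can be reviewed before any attribute is rewritten. The following is an added example, not code from the presentation or from IdFix: it assumes the RSAT ActiveDirectory module, and the search base, the intended routable suffix and the character classes are this example's own simplifications (IdFix applies a longer set of per-attribute rules).

```powershell
# Added example (not from the presentation): read-only audit of the attribute
# problems that block Azure AD synchronization. Placeholders: search base and
# the routable UPN suffix you intend to use.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=domain,DC=local'   # placeholder
$goodSuffix = 'example.com'                    # placeholder routable suffix
$report     = New-Object System.Collections.Generic.List[object]

function Add-Finding($user, $attr, $reason) {
    $report.Add([pscustomobject]@{
        User = $user.sAMAccountName; Attribute = $attr; Problem = $reason })
}

# Character classes used by this example (a simplification of the IdFix rules):
$mailBad = '[\s\\%&*+/=?{}|<>();:,\[\]"]'   # never valid in mail-style values
$nameBad = '[\x00-\x1F]'                     # control characters in name values

$props = 'givenName','sn','displayName','mail','mailNickname','proxyAddresses','userPrincipalName'
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties $props

# 1. The target suffix must be one the forest knows: either a domain DNS name
#    or an alternative UPN suffix registered on the forest.
$forest       = Get-ADForest
$knownSuffix  = @($forest.Domains) + @($forest.UPNSuffixes)
if ($goodSuffix -notin $knownSuffix) {
    Write-Warning "$goodSuffix is not a UPN suffix in this forest; add it with Set-ADForest -UPNSuffixes @{Add='$goodSuffix'} before rewriting UPNs"
}

foreach ($u in $users) {
    # 2. Routable UPN suffix
    if (-not $u.userPrincipalName) {
        Add-Finding $u 'userPrincipalName' 'missing'
    } else {
        $suffix = ($u.userPrincipalName -split '@')[-1]
        if ($suffix -match '\.local$') { Add-Finding $u 'userPrincipalName' "non-routable suffix $suffix" }
    }

    # 3. Invalid characters, checked per attribute family
    foreach ($a in 'mail','mailNickname','userPrincipalName') {
        if ($u.$a -and $u.$a -match $mailBad) { Add-Finding $u $a 'invalid character' }
    }
    foreach ($a in 'givenName','sn','displayName','sAMAccountName') {
        $v = $u.$a
        if ($v -and ($v -match $nameBad -or $v -ne $v.Trim())) {
            Add-Finding $u $a 'control character or leading/trailing whitespace'
        }
    }
    foreach ($p in $u.proxyAddresses) {
        $addr = $p -replace '^[^:]+:', ''    # strip the smtp:/SMTP:/sip: prefix
        if ($addr -match $mailBad) { Add-Finding $u 'proxyAddresses' "invalid character in $p" }
    }
}

# 4. Duplicates across the whole set: UPNs and proxy addresses must be unique.
$users | Group-Object userPrincipalName | Where-Object { $_.Count -gt 1 -and $_.Name } | ForEach-Object {
    foreach ($dup in $_.Group) { Add-Finding $dup 'userPrincipalName' "duplicate: $($_.Name)" }
}
$users | ForEach-Object { $u = $_; $u.proxyAddresses | ForEach-Object { [pscustomobject]@{ User = $u; Addr = $_ } } } |
    Group-Object Addr | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($e in $_.Group) { Add-Finding $e.User 'proxyAddresses' "duplicate: $($_.Name)" }
    }

$report | Sort-Object User, Attribute | Format-Table -AutoSize
```

Run it against a pilot OU first; the report is the input to the cleanup commands on the next slide, and re-running it after the cleanup confirms nothing was missed before Azure AD Connect is installed.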

Page 11:

FIXING ERRORS: USE WHAT YOUR MOMMA MICROSOFT GAVE YOU

Microsoft gives you ADUC, ADSI Edit, PowerShell, and other consoles and tools to correct attribute errors. For example, rewriting a non-routable UPN suffix for every user in an OU:

    # Requires the ActiveDirectory module; the OU and the domain controller name are yours to fill in
    $oldSuffix = 'domain.local'
    $newSuffix = 'example.com'
    Get-ADUser -SearchBase "ou=text,dc=domain,dc=local" -SearchScope OneLevel -Filter * |
        ForEach-Object {
            $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
            $_ | Set-ADUser -Server yourDomainController -UserPrincipalName $newUpn
        }

Page 12:

SYNCHRONIZING YOUR ON-PREMISES ACTIVE DIRECTORY WITH AZURE ACTIVE DIRECTORY

Page 13:

BENEFITS OF SYNCHRONIZING AZURE AD WITH ON-PREMISES AD

• Synchronize objects to Azure AD, or back to on-prem

• Users only see one account to access on site applications and cloud applications.

• Allows users to use their existing AD account for third-party cloud apps.

• Can be customized to sync a subset of AD objects.

• Manage users from on-premises AD environment

Page 14:

AZURE AD CONNECT

• Replaces both Azure Active Directory Sync Tool (DirSync) and Azure Active Directory Sync (AADSync).

• Goes further than DirSync and AADSync in setting up Active Directory Federation Services (ADFS) and assisting with domain name federation.

• Writeback – Azure AD objects can be synced back to on-prem AD as users, groups, and devices.

• Domain-joined Windows 10 devices can be synced directly from Azure AD.

• Sync filtering based on AD groups allows for a “pilot mode”.

• Prevent accidental deletions by setting a threshold via PowerShell.

• Will be the single choice for Azure and Office 365 deployments.
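The deletion threshold and the pilot-mode idea from the list above fit together: during a pilot, a filter mistake should stop the export rather than delete a whole OU from the tenant. The block below is an added example, not the presenter's code; it assumes the ADSync module on the Azure AD Connect server, and the threshold value is a placeholder chosen for a pilot.

```powershell
# Added example (not from the presentation): guard a new Azure AD Connect
# deployment against a mass delete while filters are still being adjusted.
# Run on the Azure AD Connect server; the threshold value is a placeholder.
Import-Module ADSync

# The export deletion threshold is enabled by default at 500 objects. Show the
# current setting, then lower it for the pilot: if an OU or group filter drops
# many objects at once, the export to Azure AD stops instead of deleting them.
Get-ADSyncExportDeletionThreshold
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 50    # prompts for Azure AD admin credentials

# Pilot runs: stop the scheduler so nothing exports on its own, run a cycle
# by hand, and read the connector run status before deciding the filter is right.
Set-ADSyncScheduler -SyncCycleEnabled $false
Start-ADSyncSyncCycle -PolicyType Initial
Get-ADSyncConnectorRunStatus

# Once the export looks right, hand control back to the scheduler.
Set-ADSyncScheduler -SyncCycleEnabled $true

# Later, with the filter settled, the threshold can be returned to the default
# (or disabled for a one-time planned bulk deletion and re-enabled afterwards):
# Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
```

When the threshold trips, the Synchronization Service Manager shows the export step as stopped by the threshold rather than completed; that is the point at which the filter is reviewed, not the point at which the threshold is raised.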

Page 15:

AZURE AD CONNECT TOOLS

Wizard – unlike the DirSync wizard, you are given more options to set up synchronization.

FIM is replaced by Synchronization Service Manager

Page 16:

FILTERING VIA AZURE AD CONNECT

Filter by attribute by using the Synchronization Rules Editor.

Filter by domain or OU by using the Synchronization Service Manager UI.

Page 17:

FILTERING VIA AZURE AD CONNECT

Azure AD Connect allows you to filter by group during setup.

Page 18:

ACTIVE DIRECTORY FEDERATION SERVICES

Page 19:

WHAT IS ADFS?

Active Directory Federation Services (ADFS) is a server role that provides single sign-on for internal and external access to various web applications.

For Office 365, ADFS 2.0 is the minimum requirement; it is a separate download for Windows Server 2008. On 2008 R2, 2012, and 2012 R2, ADFS is a role that can be installed.

Page 20:

HOW SSO WITH ADFS WORKS:

1. User logs onto Office 365 using a federated login

2. Azure AD detects that the domain is federated with an ADFS farm

3. For internal users, NTLM credentials can be passed to the ADFS server to verify the login (set up in a GPO). External users on a web proxy (and non-IE users) are given a login screen to enter a password.

4. When user credentials are verified as correct, a token is passed back to Office 365/Azure AD verifying the user identity.

Page 21:

CLAIMS RULES WITH ADFS

Allow administrators to permit or deny federated logins based on IP address, group membership, geolocation, etc.

Uses Claim Rule Language, but basic rules can be set up using a wizard.
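What a pair of such rules looks like when written in Claim Rule Language and applied from PowerShell, as an added example that is not from the presentation: everyone inside the corporate network is permitted, and logons arriving through the proxy are permitted only for members of one AD group. It assumes ADFS 3.0 on Windows Server 2012 R2 (the insidecorporatenetwork claim), the Office 365 relying party trust that Convert-MsolDomainToFederated creates, and a placeholder group SID.

```powershell
# Added example (not from the presentation): issuance authorization rules for
# the Office 365 relying party trust. Assumes ADFS 3.0 / Server 2012 R2 and
# the trust name created by Convert-MsolDomainToFederated; SID is a placeholder.
Import-Module ADFS

$rpName   = 'Microsoft Office 365 Identity Platform'                  # trust created by the conversion
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'          # placeholder: "O365 remote access" group

# Claim Rule Language. ADFS denies unless some rule issues a permit claim, and
# an explicit deny claim always beats a permit, so these two permit rules leave
# everyone else outside the network without access to the application.
$rules = @'
@RuleName = "Permit all requests from inside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit external requests only for members of the approved group"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "{0}"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@ -f $groupSid

# Record what is in force today before replacing it (useful for rollback).
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
```

The group SID claim is available to the authorization rules because the Active Directory claims provider passes group SIDs through by default; a rule keyed on IP address would use the x-ms-forwarded-client-ip request-context claim in the same shape, with a regular-expression match on the Value.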

Page 22:

ADFS SETUP TIPS

Never name the federation service or farm ADFS, or the name of an existing object. This will cause a conflict of the service principal name (SPN) attribute: the service account must have the ADFS service name as its SPN.

Never expose your ADFS server to the world; that’s what the ADFS Proxy (ADFS 2.x) or Web Application Proxy (ADFS 3.0) is for.

For larger deployments, use a load balancer between proxies and internal ADFS servers.

Enable the relying party trust via PowerShell; don’t manually create it:

    $cred = Get-Credential
    Connect-MsolService -Credential $cred
    Set-MsolADFSContext -Computer <FQDN of ADFS Server>
    Convert-MsolDomainToFederated -DomainName <Federated domain>
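Two checks that belong around those commands, as an added example rather than the presenter's code: the SPN conflict the first tip warns about can be tested for before the farm is built, and after the conversion the tenant's view of the federation can be read back and the token-signing certificate's expiry noted. It assumes the RSAT ActiveDirectory and MSOnline modules; the federation service name, service account name and domain are placeholders.

```powershell
# Added example (not from the presentation): pre- and post-federation checks.
# Assumes the ActiveDirectory and MSOnline modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

$fsName  = 'sts.example.com'   # intended federation service name (placeholder)
$svcAcct = 'svc-adfs'          # object Name (CN) of the ADFS service account (placeholder)
$domain  = 'example.com'       # domain to federate (placeholder)

# 1. Before installing the farm: host/<federation service name> must be the
#    SPN of the service account and of nothing else, and no existing object
#    may already carry the service's short name (the conflict from the slide).
$spn    = "host/$fsName"
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName)
if ($owners.Count -gt 1 -or ($owners.Count -eq 1 -and $owners[0].Name -ne $svcAcct)) {
    Write-Warning "$spn is registered on: $($owners.Name -join ', ')"
}
$short = $fsName.Split('.')[0]
$clash = @(Get-ADObject -Filter "Name -eq '$short'")
if ($clash.Count -gt 0) {
    Write-Warning "An object named '$short' already exists: $($clash.DistinguishedName -join '; ')"
}

# 2. After Convert-MsolDomainToFederated: confirm the tenant now treats the
#    domain as federated, that the endpoints point at this farm, and how long
#    the token-signing certificate Azure AD trusts remains valid (an expired
#    one takes every federated user's sign-in down with it).
$cred = Get-Credential
Connect-MsolService -Credential $cred
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$fed | Select-Object IssuerUri, PassiveLogOnUri, FederationBrandName
$bytes   = [Convert]::FromBase64String($fed.SigningCertificate)
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
"Token-signing certificate $($signing.Thumbprint) expires $($signing.NotAfter)"
```

The Authentication value should read Federated and the PassiveLogOnUri should name the proxy-facing federation service, not an internal server; both are quick things to verify again after a farm rebuild or certificate rollover.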

Page 23:

AZURE ACCESS CONTROL SERVICES

Page 24:

WHAT IS AZURE ACS?

A claims-based authentication mechanism that allows application developers to use public authentication providers (e.g. Facebook, Google, Windows Live ID) and an organization’s ADFS for authentication.

Integrates with Windows Identity Foundation, supports OAuth 2.0, and can be used with .NET Framework, PHP, Python, Java, and Ruby.

This is primarily used for publicly available web apps and SharePoint sites where you don’t want to manage user accounts but still need people to authenticate to use your app.

Setting up ACS for SharePoint 2013: https://technet.microsoft.com/en-us/library/dn635311.aspx

Page 25:

AZURE AD DOMAIN SERVICES (PREVIEW)

Page 26:

AZURE AD DOMAIN SERVICES

While Azure AD allowed you to synchronize your on-prem AD to a directory as a cloud service, it did not offer AD Domain Services features like Group Policy, NTLM, Kerberos, and LDAP.

Organizations would set up VMs in Azure with the Active Directory Domain Services role installed.

The Azure VMs would be managed similarly to servers in an additional site.

“Cloud only” organizations would have to install ADDS this way as well.

Page 27:

AZURE AD DOMAIN SERVICES

Cloud-only organizations can get more out of Azure AD by converting their tenant and getting the same benefits of Active Directory Domain Services for their cloud VMs.

Hybrid organizations can also benefit by allowing cloud apps to take advantage of ADDS services.

Page 28:

AZURE AD DOMAIN SERVICES

• Cloud-only organizations can now manage domain services as a service rather than maintain another VM running Active Directory Domain Services

• Hybrid organizations will still need to run Azure AD Connect, as the Azure AD DS instance is a stand-alone domain and not an extension of your domain/forest.

• Directory aware applications running in Azure can now take advantage of services like Group Policy.

• THIS FEATURE IS IN PREVIEW! I highly recommend that you do not try this in production.

• Pricing charged per AD object (users, computers, and groups).

TechNet Blog: http://blogs.technet.com/b/ad/archive/2015/10/14/azure-ad-domain-services-is-now-in-public-preview-use-azure-ad-as-a-cloud-based-domain-controller.aspx

Page 29:

BRANDING

Page 30:

BRANDING THE OFFICE 365 LANDING PAGE

In the Azure dashboard -> Active Directory -> Configure, you have the option to customize branding.

You can set up a default branding page, then one per language, and add your images, sign-in text, and background colors.

Page 31:

BRANDING THE OFFICE 365 LANDING PAGE

Page 32:

BRANDING THE ADFS LOGIN PAGE

The ADFS login page can be branded using two PowerShell commands:

For the logo banner on the right side (240x35px @ 96 dpi):

    Set-AdfsWebTheme -TargetName default -Logo @{path='c:\images\logo.png'}

For the image on the left:

    Set-AdfsWebTheme -TargetName default -Illustration @{path='c:\images\image.jpg'}

Source: https://technet.microsoft.com/en-us/library/dn280950.aspx
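Both commands above write straight into the built-in default theme. As an added example, not from the presentation, the same branding can be applied to a copy of that theme so the stock one stays available to switch back to, and the deployed theme can be exported for change review. It assumes ADFS 3.0 (Windows Server 2012 R2, where the AdfsWebTheme cmdlets exist); the theme name and image paths are placeholders.

```powershell
# Added example (not from the presentation): brand a copy of the default ADFS
# web theme instead of the default itself. Assumes ADFS 3.0; names/paths are placeholders.
Import-Module ADFS

$theme = 'corp'   # placeholder theme name

# Create the custom theme once, cloned from the untouched default.
if (-not (Get-AdfsWebTheme -Name $theme -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $theme -SourceName default
}

# Same two settings as the slide, applied to the copy.
Set-AdfsWebTheme -TargetName $theme -Logo @{path='c:\images\logo.png'} `
                                    -Illustration @{path='c:\images\image.jpg'}

# Sign-in text shown under the form (the ADFS counterpart of the Office 365 sign-in text).
Set-AdfsGlobalWebContent -SignInPageDescriptionText 'Sign in with your corporate account.'

# Make the copy live, and keep an export of exactly what was deployed.
Set-AdfsWebConfiguration -ActiveThemeName $theme
Export-AdfsWebTheme -Name $theme -DirectoryPath 'c:\adfs-theme-export'

# Rollback is a one-liner because the default theme was never modified:
# Set-AdfsWebConfiguration -ActiveThemeName default
```

Run the theme commands on one farm member; ADFS replicates the configuration to the rest of the farm and to the Web Application Proxy servers, so the proxy-facing page picks up the same branding.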

Page 33:

BRANDING THE ADFS LOGIN PAGE

Page 34:

QUESTIONS?

Page 35:

COME SEE US AT OUR BOOTH!

My contact info:

[email protected]

@davidpechon

http://linkedin.com/in/davidpechonjr

Come talk to my fellow Sparkies; we’re the ones in the lime green shirts!

Page 36: