how to integrate aws directory service with office365 - aws online tech talks
TRANSCRIPT
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ron Cully, AWS Directory Service
October 27, 2017
How to Integrate AWS Directory Service with Office 365
What We Will Cover
What AWS Directory Service for Microsoft Active Directory (AWS Microsoft AD) is
Models for authenticating Office 365 with Active Directory (AD) credentials
AWS Microsoft AD deployment models when using Office 365
Step-by-step set-up: use Azure AD Connect and Active Directory Federation Service with AWS Microsoft AD
What AWS Microsoft AD Is
AWS Managed, Actual Microsoft Active Directory
Windows 2012 R2 domain controllers (DC)
• ~3-click setup from Directory Service console or script through API
• 2 DCs each in separate Availability Zones (AZs)
• Scale-out with additional DCs
• Dynamic DNS
• Compliance audited
  • Healthcare Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry (PCI)
[Diagram: two Availability Zones, each with a private subnet (10.0.2.0/24) holding an AWS Managed Microsoft AD domain controller that serves Auth/LDAP to EC2 app servers and IIS servers; AWS Managed Services operate the DCs]
AWS Microsoft AD: Shared Responsibilities
Customer - Administers
• Configure password policies
• Configure trusts (resource forest deployment)
• Configure Certificate Authorities (for LDAPS)
• Configure federation
• Administer users, groups, GPOs, other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Add domain controllers as needed
Amazon - Operates
• Multi-AZ deployment, patch, monitor, DC recovery, snapshot, restore
[Diagram: the same multi-AZ AWS Managed Microsoft AD layout as on the previous slide, with the DCs operated by AWS Managed Services]
AWS Microsoft AD: Two Editions

                         Enterprise Edition     Standard Edition
Storage Capacity         17 GB                  1 GB
Performance Optimized    100,000+ employees     Up to ~5,000 employees

Enterprise Edition = Standard Edition plus enterprise features
Currently same features
Priced per DC per hour (2 DC minimum)
30-day limited free trial
Authenticating Office 365 Using Active Directory
Model 1: Synchronized usernames and passwords
• Azure AD Connect synchronizes users and passwords to Azure AD
• Office 365 users log in to Azure AD with same username and password
• Issue: Requires domain admin privileges in AD; not possible with AWS Microsoft AD
Model 2: Synchronized usernames with pass-through authentication to AD
• Azure AD Connect synchronizes usernames to Azure AD
• Office 365 users log in to AD with their AD credentials
• Issue: Unsupportable by AWS while in preview
Model 3: Synchronized usernames with Active Directory Federation Service (AD FS) authentication
• Azure AD Connect synchronizes usernames to Azure AD
• Office 365 users log in to AD using federated authentication through AD FS
• Works with AWS Microsoft AD and also supports other SAML-based cloud applications
AWS Microsoft AD as a resource directory
[Diagram: the AWS Microsoft AD Directory enables, authenticates and authorizes AWS Apps & Services (Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, AWS Management Console, Amazon Chime, Amazon Connect) and manages, authenticates and authorizes AD-aware workloads on Amazon Windows and Linux EC2 instances (.NET applications, SharePoint Server, SQL Server, Remote Desktop Licensing Manager, Enterprise Certificate Authority / Certificate Services). On-premises Microsoft Active Directory in the corporate data center, reached over VPN or Direct Connect, holds the on-premises user credentials. An AD FS server and an Azure AD Connect server on Amazon EC2 synchronize users to Azure AD, which authenticates SaaS applications with SAML]
AWS Microsoft AD as a primary directory
[Diagram: the same AWS Apps & Services, AD-aware workloads and certificate services as in the resource-directory model, all managed, authenticated and authorized by the AWS Microsoft AD Directory. An AD FS server (federate) and an Azure AD Connect server (ADSync) on Amazon EC2 synchronize users to Azure AD, which authenticates SaaS applications with SAML. On-premises Microsoft Active Directory with on-premises user credentials in the corporate data center is linked over VPN or Direct Connect, with its own AD FS and Azure AD Connect servers shown]
Set Up Environment (Prerequisites)
1. Create AWS Microsoft AD directory
2. Join EC2 Windows server to AWS Microsoft AD domain (admin instance)
3. Install AD Administration tools on EC2*
4. Join EC2 Windows server to AWS Microsoft AD domain (AD FS instance)*
5. Join EC2 Windows server to AWS Microsoft AD domain (Azure AD Connect instance)*
6. Create AD FS service account in AWS Microsoft AD using AD Users and Computers
7. Set up Office 365 account
8. Set up Azure AD domain
*Can be the same instance
[Diagram: AWS Microsoft AD (1) with EC2 instances "management" (2; AD Administration Tools installed, 3), "adfsserver" (4; AD FS Server, Windows Server 2016) and "adsync" (5; Azure AD Connect); service account ADFSSVC (6); Office 365 (7); Azure AD (8)]
Prerequisites You Must Create
• Virtual Private Cloud (VPC)
• Two subnets in different AZs
• Optional on-premises link
  • Virtual Private Network (VPN)
  • Amazon Direct Connect
[Diagram: two Availability Zones with subnets 10.0.2.0/24 and 10.0.3.0/24; optional VPN or Direct Connect link to an on-premises data center]
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
During Creation AWS Creates
• 2 DCs with Dynamic DNS
• Elastic Network Interface in your subnets
• One AWS Security Group
[Diagram: one AWS Managed Microsoft AD DC in each subnet (10.0.2.0/24 and 10.0.3.0/24), with the optional VPN or Direct Connect link to the on-premises data center]
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
Best Practice After Creation You Create
• Key-pair (PEM) file
• EC2 Windows (Install AD Administration Tools)
• DHCP Option Sets
• AWS Security Group
• IAM Role/Policy for EC2 (AmazonEC2RoleforSSM)
[Diagram: the two AWS Managed Microsoft AD DCs plus a DHCP Option Set and an EC2 instance running the AD Admin Tools; optional VPN or Direct Connect link to the on-premises data center]
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
AWS/Customer Permissions Model
• AWS is domain administrator (the domain-level "administrator" account)
• AWS creates an OU for the customer and delegates "admin" permissions over that OU
[Diagram: Domain "administrator" held by AWS; OU "admin" delegated to the Customer]
Enable Office 365
1. Create the AD FS required container in AWS Microsoft AD
[Diagram: AWS Microsoft AD domain awsexample.com with the AD FS container (1); EC2 instances management (AD Administration Tools), adfsserver (AD FS Server, Windows Server 2016) and adsync (Azure AD Connect); Office 365 and Azure AD]
Create the AD FS Container
Generate and save a global unique identifier (GUID) to use
(Performed from the AD Admin Tools instance in 10.0.2.0/24 against the AWS Managed Microsoft AD DC; Username: <yourdomain>\admin)
Create the AD FS Container (continued)
Create a parent container named ADFS and a child container with the name of your GUID
Verify Your Containers
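The container steps above are shown in the deck as ADUC/ADSI screenshots; the following PowerShell is an added example (not from the AWS slides or the AWS blog post) that does the same thing from the AD Administration Tools instance as <yourdomain>\admin. It assumes the ActiveDirectory module is installed, that the customer-delegated OU is named after the NetBIOS name (here OU=awsexample), and it saves the GUID to a file of its own choosing so it can be reused when AD FS is installed. The point of the OU path is the permissions model from the earlier slide: AWS holds the domain administrator account, so the AD FS container has to live in the OU the customer can write to.

```powershell
# Added example, not from the AWS deck: create the AD FS container and its GUID-named child
# under the customer-delegated OU, then verify both. Run on the AD Admin Tools instance as
# <yourdomain>\admin. OU name and file path are assumptions.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName              # e.g. DC=awsexample,DC=com
$ouDn     = "OU=awsexample,$domainDn"                     # assumption: delegated OU named after the NetBIOS name
$guid     = [guid]::NewGuid().ToString()                  # "Generate and save a GUID to use"

# Record the GUID so it survives the session; Install-AdfsFarm needs it later
$guidFile = "$env:USERPROFILE\adfs-container-guid.txt"    # assumed location
$guid | Out-File -FilePath $guidFile -Encoding ascii

# Parent container "ADFS" (created once) and child container named after the GUID
$adfsDn = "CN=ADFS,$ouDn"
if (-not (Get-ADObject -LDAPFilter "(cn=ADFS)" -SearchBase $ouDn -SearchScope OneLevel)) {
    New-ADObject -Name "ADFS" -Type container -Path $ouDn
}
New-ADObject -Name $guid -Type container -Path $adfsDn

# Verify: both containers must resolve by DN, which is what the "Verify Your Containers" slide checks
$childDn = "CN=$guid,$adfsDn"
Get-ADObject -Identity $adfsDn  | Select-Object Name, ObjectClass, DistinguishedName
Get-ADObject -Identity $childDn | Select-Object Name, ObjectClass, DistinguishedName
"DKMContainerDn to use in `$adminConfig: $childDn"
"GUID saved to $guidFile"
```

If New-ADObject fails with an access-denied error, the OU path is wrong: the delegated admin account can only create objects inside the customer OU, never at the domain root.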
Enable Office 365
1. Create the AD FS required container in AWS Microsoft AD
2. Install AD FS on EC2 Windows Server 2016 (Requires AD FS 2016)
[Diagram: as before, with "Install AD FS" (2) on adfsserver]
Install AD FS: Add the AD FS Feature
(Performed on the AD FS Server in 10.0.2.0/24 against the AWS Managed Microsoft AD DC; Username: <yourdomain>\admin)
Install AD FS: Install SSL Certificate
Use Microsoft Enterprise Certificate Authority
https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/
Import using Microsoft Management Console (MMC)
Install AD FS: Add Certificate MMC
Install AD FS: Import Certificate for AD FS
Install AD FS: Get the Cert Thumbprint
Install AD FS: Set $adminConfig
(Uses the GUID of the AD FS container)
Install AD FS: Get ADFSSVC User Creds
Install AD FS: Get Your OU Admin Creds
Install AD FS: Install AD FS Server
Install AD FS: Publish DNS A Record
Obtain your AD FS EC2 instance public IP address (AWS EC2 dashboard)
Log in to your DNS hosting provider to add the record
Hostname: sts.awsexample.com
Record Type: A
IP Address: 34.215.72.57
Install AD FS: Enable AD FS Sign-in Page
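The "Install AD FS" slides above are screenshots of a sequence of PowerShell steps; the block below is an added example (not the deck's own code) that runs that sequence end to end on the adfsserver instance as <yourdomain>\admin: add the role, look up the thumbprint of the certificate already imported via MMC, build $adminConfig from the container GUID, install the farm with the ADFSSVC service account and the OU admin credentials, enable the sign-in page, and check the DNS A record and the federation metadata endpoint. Host names, the OU name, the GUID file and the certificate subject follow the deck's awsexample.com naming and are assumptions.

```powershell
# Added example, not from the AWS deck: install AD FS 2016 as a farm whose DKM container
# sits in the customer OU, then verify DNS and the metadata endpoint. Run on adfsserver
# as <yourdomain>\admin. Names, paths and the certificate subject are assumptions.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

$fqdn     = "sts.awsexample.com"                 # federation service name = the public DNS A record
$domainDn = "DC=awsexample,DC=com"
$guid     = (Get-Content "$env:USERPROFILE\adfs-container-guid.txt").Trim()   # GUID saved when the container was created
$adminConfig = @{ "DKMContainerDn" = "CN=$guid,CN=ADFS,OU=awsexample,$domainDn" }   # the "Set $adminConfig" step

# "Get the Cert Thumbprint": pick the SSL certificate for the federation service from LocalMachine\My
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fqdn in LocalMachine\My" }

# Two credentials: the AD FS service account (ADFSSVC) and your delegated OU admin
$svcCred   = Get-Credential -Message "AD FS service account" -UserName "awsexample\ADFSSVC"
$adminCred = Get-Credential -Message "OU admin"              -UserName "awsexample\admin"

# "Install AD FS Server": -AdminConfiguration redirects the DKM container away from the
# domain-level location that only the AWS-held domain administrator could create
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fqdn `
                 -ServiceAccountCredential $svcCred `
                 -Credential $adminCred `
                 -AdminConfiguration $adminConfig `
                 -OverwriteConfiguration

# "Enable AD FS Sign-in Page": AD FS 2016 ships with the IdP-initiated page turned off
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# Post-install checks: the public A record resolves, and the metadata document is served over TLS
Resolve-DnsName -Name $fqdn -Type A
(Invoke-WebRequest -Uri "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).StatusCode
```

The metadata request only succeeds once the A record has propagated and the certificate chain is trusted by the machine making the request; a certificate error here is the same error Azure AD will hit when it retrieves the metadata in the next step.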
Enable Office 365
1. Create the AD FS required container in AWS Microsoft AD
2. Install AD FS on EC2 Windows Server 2016 (Requires AD FS 2016)
3. Connect Office 365 to authenticate to AD FS
[Diagram: as before, with step 3 linking Office 365 / Azure AD to adfsserver]
Integrate AD FS with Azure AD
From your AD FS instance, as admin, connect to Azure AD using Windows PowerShell
https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0
Integrate AD FS with Azure AD (continued)
Set context to the AD FS server using the internal FQDN
Set-MsolADFSContext -Computer adfsserver.awsexample.com
Convert Azure AD to use adfsserver for federated authentication to your AD domain
Convert-MsolDomainToFederated -DomainName awsexample.com
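The two cmdlets above are the whole federation step; what the slides do not show is how to confirm beforehand that the domain is verified and still managed, and afterwards that Azure AD really points at the AD FS endpoints. The block below is an added example (not the deck's own code) using the MSOnline v1 module linked above, run on adfsserver; the domain and host names follow the deck's awsexample.com and are assumptions.

```powershell
# Added example, not from the AWS deck: federate the Azure AD domain with the AD FS server and
# verify the result with the MSOnline (v1) module. Run on adfsserver as admin. Names are assumptions.
Install-Module MSOnline -Scope CurrentUser    # one-time; needs PowerShellGet
Import-Module MSOnline

$domain   = "awsexample.com"
$adfsHost = "adfsserver.awsexample.com"       # internal FQDN of the AD FS server

Connect-MsolService                            # prompts for the Office 365 global administrator

# Pre-check: the custom domain must be verified in Azure AD and not already federated
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne "Verified") { throw "$domain is not verified in Azure AD (status: $($d.Status))" }
if ($d.Authentication -eq "Federated") { "Domain $domain is already federated"; return }

# The two steps from the slide
Set-MsolADFSContext -Computer $adfsHost
Convert-MsolDomainToFederated -DomainName $domain

# Post-check: Azure AD should now carry the AD FS endpoints and the token-signing certificate
$fed = Get-MsolDomainFederationSettings -DomainName $domain
[pscustomobject]@{
    Authentication  = (Get-MsolDomain -DomainName $domain).Authentication   # expect Federated
    IssuerUri       = $fed.IssuerUri
    PassiveLogOnUri = $fed.PassiveLogOnUri                                   # expect https://sts.awsexample.com/adfs/ls/
    SigningCertSet  = [bool]$fed.SigningCertificate                          # Azure AD validates tokens against this cert
}
```

Keep the output of Get-MsolDomainFederationSettings: when the AD FS token-signing certificate rolls over, the SigningCertificate recorded in Azure AD must be updated or every Office 365 sign-in for the domain fails.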
Enable Office 365
1. Create the AD FS required container in AWS Microsoft AD
2. Install AD FS on EC2 Windows Server 2016 (Requires AD FS 2016)
3. Connect Office 365 to authenticate to AD FS
4. Install Azure AD Connect on EC2 Windows and configure to synchronize usernames only to Azure AD
[Diagram: as before, with "Install Azure AD Connect" (4) on adsync]
Synchronize Users to Azure AD
(Performed on the Azure AD Connect instance in 10.0.2.0/24 against the AWS Managed Microsoft AD DC)
Download Azure AD Connect MSI and install with Custom settings
On the Connect Directories page choose Active Directory as the directory type, choose your Microsoft AD Forest as your Forest
Enter your AWS Microsoft AD admin credentials
Select User Container to Synchronize
Enable Office 365
1. Create the AD FS required container in AWS Microsoft AD
2. Install AD FS on EC2 Windows Server 2016 (Requires AD FS 2016)
3. Connect Office 365 to authenticate to AD FS
4. Install Azure AD Connect on EC2 Windows and configure to synchronize usernames only to Azure AD
5. Log in to Office 365 with AWS Microsoft AD user credentials
[Diagram: as before, with the user log-in (5) from Office 365 through Azure AD to adfsserver]
Assign Office 365 License and Log In
https://portal.office.com/adminportal/home#/homepage
Use global administrator account
https://portal.office.com
Use AD credentials for a licensed user
References
Documentation and Blog Posts
• How to Enable Your Users to Access Office 365 with DS for Microsoft Active Directory Credentials
  https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
• How to set up AWS Microsoft AD and join an EC2 instance for administration
  http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html/
• How to Enable LDAPS for Your Microsoft AD Directory (setting up Microsoft enterprise Certificate Authority)
  https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/
• AWS Directory Service
  https://aws.amazon.com/directoryservice/
• AWS Directory Service Documentation
  https://aws.amazon.com/documentation/directory-service/
Thank you!