Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
Andreas Kjellman, Samuel Devasahayam
EM-B316
Agenda
• Introducing hybrid identity
• Azure AD Connect installation
• More about sync
• More about sign-in
• Looking ahead
• Q&A
Providing Users with a Common Identity
• IT can provide users with a common identity across on-premises and cloud-based services, leveraging Windows Server Active Directory and Azure Active Directory.
• Users are more productive by having a single sign-on to all their resources.
• Users get access through accounts in Azure Active Directory to Azure, Office 365, and third-party applications.
• Developers can build applications that leverage the common identity model.
Hybrid identity components
[Diagram: on-premises Active Directory (AD DS) and FIM/MIM Sync on one side; Azure AD Connect (sync, sign-in) as the identity bridge; Microsoft Azure Active Directory in the cloud; Office 365 and SaaS providers (Salesforce, Box, Dropbox, Google, Concur, …); LOB and your own apps consuming the common identity.]
Making Hybrid Identity Simple - Today
• What tool do I use? Is it DirSync, AADSync?
• OMG! The number of documents that I have to read before I do anything?
• I use MMSSPP in my dedicated environment. Will I continue to use it?
• Can I use password sync or should I be using ADFS?
• How many ADFS servers do I need? I'm moving to the cloud to remove my on-premises needs and I have to deploy more servers???
• I'm using FIM. What do I do? I need to onboard to Office 365.
• Setting up ADFS for SSO is very hard!
• I have multiple forests. What do I do?
Making Hybrid Identity Simple: Azure AD Connect (CY15 Q1)
Express Settings
• Recommended path for single forests
• 4 clicks to get onboarded to Azure AD/Office 365
• Smallest on-premises footprint
• Simple sign-on with the same password as AD
Custom Settings
• Multiple forests
• Choose your sign-in option
• Attribute filtering
• Configure Alternate ID and Immutable ID
Common multi-forest topologies
• Separate forests: each object in every forest will be represented in Azure AD.
• Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
• Account-resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts. Objects are joined on objectSID (account forest user) and msExchMasterAccountSID (the matching disabled user in the resource forest).
What to do before you start the install
• IdFix: make sure your data is (reasonably) clean before you start to synchronize.
• Domain verification: prove you own the domain. Otherwise userPrincipalName will not be correct (a user whose UPN suffix is not a verified domain is exported with a UPN under the tenant's default onmicrosoft.com domain).
• Office 365 subscription vs Azure subscription: a $0 Azure subscription is used to access manage.windowsazure.com with an existing Office 365 subscription: https://account.windowsazure.com/PremiumOffer/Index?offer=MS-AZR-0110P&whr=azure.com
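The two slides above (multi-forest join rules and pre-install data cleanup) can be checked with a script before the first export. The following is an added example, not code from the session or from the IdFix tool: it runs the checks a practitioner wants against the RSAT ActiveDirectory module. The domain names, the verified-domain list and the account/resource forest pair are assumptions for illustration.

```powershell
# Added example, not from the session deck or the IdFix tool: pre-sync
# data-quality checks run with the RSAT ActiveDirectory module before the
# first Azure AD Connect export. Domain names, the verified-domain list and
# the account/resource forest pair are assumptions for illustration.
Import-Module ActiveDirectory

# Domains already verified in the Azure AD tenant (assumed). A UPN with any
# other suffix is rewritten to the tenant's default domain on export.
$VerifiedDomains = @('contoso.com', 'fabrikam.com')

# One domain per entry (assumed). Joins on mail/proxyAddresses happen across
# forests, so duplicates must be looked for across every domain that
# Azure AD Connect will read, not within a single domain.
$Domains = @('contoso.com', 'fabrikam.com')

$props = 'userPrincipalName', 'proxyAddresses', 'mail'
$users = foreach ($d in $Domains) {
    Get-ADUser -Server $d -Filter 'Enabled -eq $true' -Properties $props
}

# 1. UPN suffix must be a verified domain.
$badUpn = $users | Where-Object {
    $_.UserPrincipalName -and
    ($VerifiedDomains -notcontains $_.UserPrincipalName.Split('@')[-1].ToLower())
}

# 2. UPNs must be unique across all synchronized domains.
$dupUpn = $users | Where-Object { $_.UserPrincipalName } |
    Group-Object -Property { $_.UserPrincipalName.ToLower() } |
    Where-Object { $_.Count -gt 1 }

# 3. SMTP addresses must be unique. proxyAddresses values look like
#    'SMTP:alice@contoso.com' (primary) or 'smtp:alias@contoso.com'.
$smtp = foreach ($u in $users) {
    foreach ($a in @($u.proxyAddresses)) {
        if ($a -match '^smtp:(.+)$') {
            [pscustomobject]@{ Address = $Matches[1].ToLower(); User = $u.DistinguishedName }
        }
    }
}
$dupSmtp = $smtp | Group-Object -Property Address | Where-Object { $_.Count -gt 1 }

# 4. Account-resource forest join: a disabled user in the resource forest must
#    carry an msExchMasterAccountSID that resolves to an enabled account in
#    the account forest, or it is exported as a second, separate user.
$ResourceDomain = 'exchange.contoso.com'   # assumed resource forest domain
$AccountDomain  = 'contoso.com'            # assumed account forest domain
$orphans = Get-ADUser -Server $ResourceDomain -Filter 'Enabled -eq $false' `
        -Properties msExchMasterAccountSID |
    Where-Object { $_.msExchMasterAccountSID } |
    ForEach-Object {
        $raw = $_.msExchMasterAccountSID
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else { [System.Security.Principal.SecurityIdentifier]$raw }
        $acct = Get-ADUser -Server $AccountDomain -Filter "objectSid -eq '$sid'"
        if (-not $acct -or -not $acct.Enabled) {
            [pscustomobject]@{ Resource = $_.DistinguishedName; MasterSid = $sid.Value }
        }
    }

'--- UPN suffix not verified in Azure AD'
$badUpn  | Select-Object DistinguishedName, UserPrincipalName
'--- Duplicate UPNs (the second object is rejected on export)'
$dupUpn  | ForEach-Object { $_.Name; $_.Group.DistinguishedName }
'--- Duplicate SMTP addresses'
$dupSmtp | ForEach-Object { $_.Name; $_.Group.User }
'--- Resource-forest users without a matching enabled account'
$orphans
```

Run it from a domain-joined admin workstation with RSAT. Each Get-ADUser call targets one domain, so list every domain of a multi-domain forest in $Domains; the script reports only, and the fixes (changing UPN suffixes, removing duplicate addresses, relinking mailboxes) stay a manual decision.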
Design decisions
• Alternate Login ID
• Immutable ID
Settle both before the first export: the immutable ID is the source anchor that ties an on-premises object to its Azure AD object and cannot be changed afterwards.
What Azure AD Connect does not do
Azure AD Connect will not configure components outside the identity bridge:
• "Classic" identity management (FIM 2010/MIM vNext): employee and contractor onboarding, offboarding and lifecycle changes, typically tied to an HR source as the system-of-record authority.
• SaaS application access management and SSO: ensuring SaaS applications have the identities they need for authorized users.
Sync – customize options
Topologies
• Single forest
• Multi-forest configurations: fully meshed, account-resource forest
• One (or multiple) Exchange organizations with hybrid Exchange
• Group membership for security groups with ForeignSecurityPrincipals (FSPs)
Filtering
• Filter which attributes to sync based on the services used in the cloud
Passwords
• Password synchronization for multiple forests
• Password write-back (for SSPR and password change), in preview
Default configuration assumptions
• A user will have only one enabled user account
• A user will have only one mailbox
• The best data quality for a user is where Exchange is located
Sync – review the configuration
Installation logs: %windir%\temp\aadsync
Synchronization rules
• Depending on whether Exchange and Lync are present in AD, different rules will be generated
• Depending on the Exchange version, attributes will be removed as needed
• Only selected services will have outbound rules to AAD
• Attributes you selected not to include are removed from the outbound rules to AAD
Introducing the Sync Rule Editor: a "Resource Kit Tool" to view, change and add sync rules
Licensing
• Azure AD Sync follows AAD licensing; there is no extra cost for sync
• Azure AD Sync incurs no extra cost when synchronizing from on-premises to Azure AD; this includes multiple AD forests, non-AD LDAP and any other supported sources, and write-back for hybrid Exchange
• Azure AD Sync requires Azure AD Premium for write-back from Azure AD to on-premises (password, device, group, user, …); this includes writing between on-premises directories
• This is not grandfathered back to FIM 2010: a FIM Sync server will still require a license if used to connect with Azure AD. Note: EMS and Azure AD Premium include FIM server licenses
Sync enhancements over DirSync
• Group size limit is 50k members in AADSync (15k in DirSync)
• Up to 100k objects with SQL LocalDB
• More filtering options: groups and contacts can be filtered
• More options for custom configuration; the configuration can be viewed
Choosing a sign-in option
Default: choose password sync for the simplest deployment needs. SSO with ADFS is just another option, for customers that have more unique needs:
Tight AD integration
• Desktop SSO from domain-joined machines
• Honor AD logon policies (e.g. work hours)
• Integration with AD lockout, with support for an independent 'soft' lockout for the extranet
• Alternate login ID
Security policy
• Policy prevents any AD credential from being synced to the public cloud
Conditional access
• Client access policies to control extranet access to applications
• Conditional access based on devices (Workplace Join)
Strong authentication
• Inbox support for AD certificate authentication (e.g. smart cards)
• Support for Azure MFA Server or third-party MFA vendors (RSA, SafeNet, LoginPeople, InWebo, Gemalto, …) that a customer already has
Sign-in – password sync
• Synchronizes a hash of the password hash (the NT hash is salted and re-hashed before it is sent); the actual password never leaves on-premises and is not known by Azure AD
• Since the password was set on-premises, the on-premises password policies apply
• The synchronized value cannot be used outside Azure AD and cannot be used to access any on-premises resources
• Can be used as a backup for federation: if password hashes are present in Azure AD, a quick failover from ADFS to password sign-in is possible
Sign-in: how does SSO work
Intranet user (domain-joined machine inside the corporate firewall):
1. User accesses the application
2. Redirected to Azure AD; user enters their login ID for home realm discovery (HRD)
3. Redirected to ADFS; desktop SSO on the domain-joined machine
4. Redirected to AAD; AAD validates the user token and generates a new token for the app
5. User now has access to the application
Extranet user (outside the firewall, reaching ADFS through the Web Application Proxy):
1. User accesses the application
2. Redirected to Azure AD; user enters their login ID for home realm discovery (HRD)
3. Redirected to WAP; username/password or certificate authentication
4. Redirected to AAD; AAD validates the user token and generates a new token for the app
5. User now has access to the application
SSO: tips for a successful deployment
Deployment
• Use Windows Server 2012 R2
• Co-locate ADFS on domain controllers (no IIS needed)
• You don't need SQL unless you have more than 90K users
• Use self-signed token signing certificates
Network
• Deploy Web Application Proxy; current Outlook/EAS need this to work
• AAD uses the federation metadata endpoint, which must be internet accessible, to keep token signing certificate information up to date
• Don't use sticky sessions on your load balancer
• Configure SNI on the load balancer or use HTTP health probes (MS14-08)
Security
• Enable extranet soft account lockout
• Enable MFA with smart cards, Azure MFA or third-party MFA (SafeNet, RSA, Gemalto, LoginPeople, …)
• Enable client access policies in the prescribed manner
Sign-in experience
• Ensure that the SPN (HOST/adfs.contoso.com) is set on the ADFS service account
• Customize the illustration and logo for a good end-user experience
• Enable the 'Keep Me Signed In' option for better SSO
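Most of the items on this checklist are readable from the AD FS configuration, so they can be audited rather than remembered. The following is an added example, not code from the session or from the AD FS product: it checks an AD FS 2012 R2 farm for the SPN, extranet soft lockout, Keep Me Signed In, certificate rollover, metadata reachability and token-signing certificate expiry. The farm FQDN is the deck's own adfs.contoso.com example; the service account name and the metadata URL are assumptions.

```powershell
# Added example, not from the session deck: audit an AD FS 2012 R2 farm
# against the checklist above. Run in an elevated PowerShell on a farm node
# that has the ADFS and RSAT ActiveDirectory modules. The farm FQDN comes
# from the deck's SPN example; the service account name is an assumption.
Import-Module ADFS
Import-Module ActiveDirectory

$FarmFqdn    = 'adfs.contoso.com'   # from the deck's SPN example
$SvcAccount  = 'svc-adfs'           # assumed sAMAccountName of the AD FS service account
$MetadataUrl = "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

$p  = Get-AdfsProperties
$ad = Get-ADDefaultDomainPasswordPolicy

# Desktop SSO needs the HOST/<farm> SPN on the service account; without it
# Kerberos fails and domain-joined users get a forms prompt instead of SSO.
$hasSpn = [bool]((setspn -L $SvcAccount) -match "^\s*HOST/$([regex]::Escape($FarmFqdn))\s*$")

# Extranet soft lockout should trip before the AD lockout threshold so that
# password guessing through WAP cannot lock the user's domain account.
# An AD threshold of 0 means AD never locks out, so any soft threshold is fine.
$lockoutOrdered = ($ad.LockoutThreshold -eq 0) -or
                  ($p.ExtranetLockoutThreshold -lt $ad.LockoutThreshold)

# Azure AD learns about a rolled-over token-signing cert from the metadata
# endpoint, so it must be reachable from the internet (tested here from the
# farm node; repeat the request from outside the network as well).
$metadataOk = $(try {
    (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).StatusCode -eq 200
} catch { $false })

$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

$checks = [ordered]@{
    "HOST/$FarmFqdn SPN on $SvcAccount"             = $hasSpn
    'Extranet soft lockout enabled'                 = [bool]$p.EnableExtranetLockout
    'Soft lockout threshold below AD threshold'     = $lockoutOrdered
    'Keep Me Signed In enabled'                     = [bool]$p.EnableKmsi
    'Auto certificate rollover (self-signed certs)' = [bool]$p.AutoCertificateRollover
    'Federation metadata endpoint reachable'        = $metadataOk
    'Primary token-signing cert valid > 30 days'    = $signing.Certificate.NotAfter -gt (Get-Date).AddDays(30)
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-48} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}

# Remediation for the settings the checklist asks for (apply deliberately):
# Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 10 `
#     -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
# Set-AdfsProperties -EnableKmsi $true
# setspn -S HOST/$FarmFqdn $SvcAccount
```

The sticky-session and SNI items depend on the load balancer and cannot be read from AD FS, so they stay a manual check. The metadata test from inside the network only proves the endpoint serves; the point of the checklist item is that Azure AD can reach it from outside, so repeat the request from an external host after every certificate rollover.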
Future features
• Support for Azure AD Premium: write-back of passwords, devices, groups and users
• Support for non-AD LDAP directories
• Add common configuration tasks to the wizard
• Directory extensions
• Quarantine objects: in the next few months, objects with duplicate UPNs and proxyAddresses will be allowed to export to AAD, but they will be quarantined until cleaned up
Related content
Microsoft Solutions Experience Location (MSE)
• Tue, Oct 28, 3:15 PM-4:30 PM: EM-B214 Privileged Access Management for Active Directory
• Wed, Oct 29, 8:30 AM-9:45 AM: EM-B316 Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
• Wed, Oct 29, 3:15 PM-4:30 PM: EM-B319 Microsoft Identity Manager vNext Overview
• Wed, Oct 29, 3:15 PM-4:30 PM: CDP-B210 Cloud Identity: Microsoft Azure Active Directory Explained
• Wed, Oct 29, 5:00 PM-6:15 PM: EM-B318 Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
• Thu, Oct 30, 10:15 AM-11:30 AM: CDP-B312 Microsoft Azure Active Directory Premium, in Depth
• Fri, Oct 31, 2:45 PM-4:00 PM: EM-B313 Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
• Thu, Oct 30, 12:00 PM-1:15 PM: EM-B310 Active Directory + BYOD = Peace of Mind
• Thu, Oct 30, 5:00 PM-6:15 PM: DEV-B322 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
• Fri, Oct 31, 8:30 AM-9:45 AM: CDP-B207 Securing Organizations: Azure Active Directory Intelligence as a Differentiator
Enterprise Mobility Track Resources
• Enterprise Mobility Suite: http://aka.ms/enterprisemobilitysuite
• Microsoft Intune: http://aka.ms/microsoftintune
• Configuration Manager: http://aka.ms/configmgr
• Hybrid Identity: http://aka.ms/hi
• Access & Info Protection: http://aka.ms/aip
• Desktop Virtualization: http://aka.ms/virtualdesktop
Resources
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• Developer Network: http://developer.microsoft.com
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.