How to Integrate AWS Directory Service with Office365 - AWS Online Tech Talks

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ron Cully, AWS Directory Service

October 27, 2017

How to Integrate AWS

Directory Service with

Office 365


What We Will Cover

What AWS Directory Service for Microsoft Active Directory Is

(AWS Microsoft AD)

Models for authenticating Office 365 with

Active Directory (AD) credentials

AWS Microsoft AD deployment models when using Office 365

Step-by-step set-up:

Use Azure AD Connect and Active Directory Federation Service

with AWS Microsoft AD


What AWS Microsof t AD Is

AWS Managed, Actual Microsoft Active Directory

Windows 2012 R2 domain controllers (DC)

• ~3-click setup from Directory Service console

or script through API

• 2 DCs each in separate Availability Zones (AZs)

• Scale-out with additional DCs

• Dynamic DNS

• Compliance audited

• Healthcare Insurance Portability

and Accountability Act (HIPAA)

• Payment Card Industry (PCI)

Auth/

LDAP

Availability Zone

Private Subnet

10.0.2.0/24

EC2

App

Server

EC2

IIS

Server

AWS Managed

Services

D

C

AWS Managed

Microsoft AD

AD

Auth/

LDAP

Availability Zone

Private Subnet

10.0.2.0/24

EC2

App

Server

EC2

IIS

Server

AWS Managed

Services

D

C

AWS Managed

Microsoft AD

AD


AWS Mic roso f t AD: Shared Respons ib i l i t i es

Customer - Administers

• Configure password policies

• Configure trusts (resource forest deployment)

• Configure Certificate Authorities (for LDAPS)

• Configure federation

• Administer users, groups, GPOs, other AD content

• Administration via Active Directory Users and

Computers (ADUC) and other standard AD tools

• Add domain controllers as needed

Amazon - Operates

• Multi-AZ deployment, patch, monitor,

DC recovery, snapshot, restoreAuth/

LDAP

Availability Zone

Private Subnet

10.0.2.0/24

EC2

App

Server

EC2

IIS

Server

AWS Managed

Services

D

C

AWS Managed

Microsoft AD

AD

Auth/

LDAP

Availability Zone

Private Subnet

10.0.2.0/24

EC2

App

Server

EC2

IIS

Server

AWS Managed

Services

D

C

AWS Managed

Microsoft AD

AD


AWS Microsof t AD: Two Edi t ions

Enterprise

Edition

Standard

Edition

Storage Capacity 17GB 1GB

Performance

Optimized

100,000+

employees

Up to ~5,000

employees

Enterprise Edition = Standard Edition plus enterprise features

Currently same features

Priced per DC per hour (2 DC minimum)

30-day limited free trial


A u t h e n t i c a t i n g O f f i c e 3 6 5 U s i n g A c t i v e D i r e c t o r y

Model 1: Synchronized usernames and passwords

• Azure AD Connect synchronizes users and passwords to Azure AD

• Office 365 users log in to Azure AD with same username and password

• Issue: Requires domain admin privileges in AD; not possible with AWS Microsoft AD

Model 2: Synchronized usernames with pass-through authentication to AD

• Azure AD Connect synchronizes usernames to Azure AD

• Office 365 users log in to AD with their AD credentials

• Issue: Unsupportable by AWS while in preview

Model 3: Synchronized usernames with Active Directory Federation Service (AD FS) authentication


• Office 365 users log in to AD using federated authentication through AD FS

• Works with AWS Microsoft AD and also supports other SAML-based cloud applications


A u t h e n t i c a t i n g O f f i c e 3 6 5 U s i n g A c t i v e D i r e c t o r y

Model 1: Synchronized usernames and passwords

• Azure AD Connect synchronizes users and passwords to Azure AD

• Office 365 users log in to Azure AD with same username and password

• Issue: Requires domain admin privileges in AD; not possible with AWS Microsoft AD

Model 2: Synchronized usernames with pass-through authentication to AD


• Office 365 users log in to AD with their AD credentials

Model 3: Synchronized usernames with Active Directory Federation Service (AD FS) authentication


• Office 365 users log in to AD using federated authentication through AD FS

• Works with AWS Microsoft AD and also supports other SAML-based cloud applications


AWS Microsoft AD as a resource directory

Amazon

WorkSpaces

RDS for SQL

Server

Amazon

WorkDocs

Amazon

WorkMail

Amazon

QuickSight

AWS Management

Console

Amazon

ChimeAmazon

Connect

AWS Apps & Services

AWS Microsoft

AD Directory

Enable, Authenticate, &

Authorize

Manage,

Authenticate, & Authorize

Manage, Authenticate,

& Authorize

.NET

Applications

Server

SharePoint

Server

AD-aware Workloads

SQL ServerRemote

Desktop

Licensing

Manager

.NET SharePointSQL

ServerRD

Licensing

Enterprise

Certificate

Authority

Certificate

Services

On-Premises

Microsoft Active

Directory

On-Premises User

Credentials

Corporate Data

Center

SaaS Applications

Azure AD

SAML

Authenticate

Synchronize

Users

VPN

Direct

Connect

or

AD FS

Server

Azure AD

Connect

Server

Amazon

EC2

Amazon

Windows EC2

Instances

Amazon

Linux EC2

Instances


Manage,

Authenticate, & Authorize

AWS Microsoft AD as a primary directory

Amazon

WorkSpaces

AWS Microsoft

AD Directory

RDS for SQL

Server

Amazon

WorkDocs

Amazon

WorkMail

Amazon

QuickSight

AWS Management

Console

Amazon

ChimeAmazon

Connect

AWS Apps & Services

.NET

Applications

Server

SharePoint

Server

AD-aware Workloads

SQL ServerRemote

Desktop

Licensing

Manager

.NET SharePointSQL

ServerRD

Licensing

SaaS Applications

Azure AD

Enable, Authenticate, &

Authorize

SAML

Authenticate

Synchronize

Users

Manage, Authenticate,

& Authorize

Enterprise

Certificate

Authority

Certificate

Services

Amazon

Windows EC2

Instances

Amazon

Linux EC2

Instances

Amazon

EC2

AD FS

Server

Azure AD

Connect

Server

Federate

ADSync

AD FS

On-Premises

Microsoft Active

Directory

On-Premises User

Credentials

Corporate Data

CenterVPN

Direct

Connect

or

AD FS

Server

Azure AD

Connect

Server


1. Create AWS Microsoft AD directory

2. Join EC2 Windows server to AWS Microsoft AD

domain (admin instance)

3. Install AD Administration tools on EC2*


domain (AD FS instance)*


domain (Azure AD Connect instance)*

6. Create AD FS service account in AWS Microsoft

AD using AD Users and Computers

7. Set up Office 365 account

8. Set up Azure AD domain

Set Up Envi ronment (Prerequis i tes)

AWS Microsoft AD

AD

1

adfsserver

EC2

AD FS Server(Windows Server 2016)

4

adsync

EC2

Azure AD Connect

5Install ADAdminTools

3

management

2

EC2

AD AdministrationTools

ADFSSVC

6

Office 365

7

AzureAD

8*Can be the same instance


Prerequis i tes You Must Create

• Virtual Private Cloud (VPC)

• Two subnets in different AZs

• Optional on-premises link

• Virtual Private Network (VPN)

• Amazon Direct Connect

Availability Zone

10.0.2.0/24

Availability Zone

10.0.3.0/24

Optional

VPN

Direct

Connect

OrOr

On-premises

Data Center

http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html


• One AWS

Security Group

Dur ing Creat ion AWS Creates

• 2 DCs with

Dynamic DNS

• Elastic Network

Interface in your

subnets

Availability Zone

10.0.2.0/24

Availability Zone

10.0.3.0/24

Optional

VPN

Direct

Connect

OrOr

On-premises

Data Center

AWS Managed

Microsoft AD

DC

AWS Managed

Microsoft AD

DC



• Key-pair (PEM) file

• EC2 Windows(Install AD Administration Tools)

Best Pract ice Af ter Creat ion You Create

• DHCP Option Sets

• AWS Security Group

• IAM Role/Policy for EC2(AmazonEC2RoleforSSM)

Availability Zone

10.0.2.0/24

Availability Zone

10.0.3.0/24

Optional

VPN

Direct

Connect

OrOr

On-premises

Data Center

AWS Managed

Microsoft AD

DC

AWS Managed

Microsoft AD

DC

DHCP

Option

Set

AD Admin

Tools



AWS/Customer Permiss ions Model88-856-43-585 88-856-43-585

Domain

“administrator”

OU

“admin”

Customer

AWS is domain

administrator

AWS creates OU

for customer &

delegates “admin”

permissions


1. Create the AD FS required container in AWS

Microsoft AD

Enable Off ice 365

Office 365

EC2

Azure AD Connect

EC2

AWS Microsoft AD

AD

AzureAD

1AD FS

Container

EC2


awsexample.com

management adfsserver adsync



Create the AD FS Conta iner

Generate and save a global unique identifier (GUID) to use

AD Admin

Tools

10.0.2.0/24

AWS Managed

Microsoft AD

DCUsername: <yourdomain>\admin


Create the AD FS Conta iner (cont inued)

Create a parent container named ADFS and a child container with the name of your GUID


Ver i fy Your Conta iners



Microsoft AD

2. Install AD FS on EC2 Windows Server 2016

(Requires AD FS 2016)

Enable Off ice 365

Office 365

EC2

Azure AD Connect

EC2

AWS Microsoft AD

AD1

AzureAD

2

InstallAD FS

AD FS

Container

EC2


awsexample.com

management adfsserver adsync



Insta l l AD FS: Add the AD FS Feature

AD FS

Server

10.0.2.0/24

AWS Managed

Microsoft AD

DCUsername: <yourdomain>\admin


Insta l l AD FS: Insta l l SSL Cert i f icate

Use Microsoft Enterprise Certificate Authority

https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/

Import using Microsoft Management Console (MMC)



Insta l l AD FS: Add Cert i f icate MMC


Insta l l AD FS: Import Cer t i f icate for AD FS


Insta l l AD FS: Get the Cert Thumbpr int


Insta l l AD FS: Set $adminConf ig

AD FS

Server

10.0.2.0/24

AWS Managed

Microsoft AD

DC

GUID of AD FS Container


Insta l l AD FS: Get ADFSSVC User Creds


Insta l l AD FS: Get Your OU Admin Creds


Insta l l AD FS: Insta l l AD FS Server


Insta l l AD FS: Publ ish DNS A Record

Obtain your AD FS EC2 instance public IP address (AWS EC2 dashboard)

Log in to your DNS hosting provider to add the record

Hostname: sts.awsexample.com

Record Type: A

IP Address: 34.215.72.57


Insta l l AD FS: Enable AD FS Sign - in Page


adsync


Microsoft AD



3. Connect Office 365 to authenticate to AD FS

Enable Off ice 365

Office 365

EC2

Azure AD Connect

EC2

AWS Microsoft AD

AD1

2

AzureAD

InstallAD FS

AD FS

Container

3

EC2


awsexample.com

management adfsserver



In tegrate AD FS wi th Azure AD

From your AD FS instance, as admin, connect to Azure AD using Windows PowerShell

https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0

https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0


In tegrate AD FS wi th Azure AD ( c o n t i n u e d )

Set context to the AD FS server using the internal FQDN

Set-MsolADFSContext -computer adfsserver.awsexample.com

Convert Azure AD to use adfsserver for federated authentication to your AD domain

Convert-MsolDomainToFederated –domain awsexample.com


adsync


Microsoft AD




4. Install Azure AD Connect on EC2 Windows and

configure to synchronize usernames only to Azure

AD

Enable Off ice 365

Office 365

EC2

Azure AD Connect

EC2

AWS Microsoft AD

AD1

2

AzureAD

InstallAzure ADConnect

InstallAD FS

AD FS

Container

3 4

EC2


awsexample.com




Azure AD

Connect

10.0.2.0/24

AWS Managed

Microsoft AD

DC

Synchronize Users to Azure AD

Download Azure AD Connect MSI and install with Custom settings

On the Connect Directories page choose

Active Directory as the directory type, choose

your Microsoft AD Forest as your Forest

Enter your AWS Microsoft AD admin credentials


Select User Conta iner to Synchronize


adsync


Microsoft AD




4. Install Azure AD Connect on EC2 Windows and

configure to synchronize usernames only to Azure

AD

5. Log in to Office 365 with AWS Microsoft AD user

credentials

Enable Off ice 365

Office 365

EC2

Azure AD Connect

EC2

AWS Microsoft AD

AD1

2

4

AzureAD

InstallAzure ADConnect

InstallAD FS

AD FS

Container

3

5

EC2


awsexample.com




Assign Off ice 365 L icense and Log In

https://portal.office.com/adminportal/home#/homepage

Use global administrator account

https://portal.office.com

Use AD credentials for a licensed user




References

Documentation and Blog Posts

• How to Enable Your Users to Access Office 365 with DS for Microsoft Active Directory Credentials

https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-

microsoft-active-directory-credentials/

• How to set up AWS Microsoft AD and join an EC2 instance for administration

http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html/

• How to Enable LDAPS for Your Microsoft AD Directory

(setting up Microsoft enterprise Certificate Authority)


• AWS Directory Service

https://aws.amazon.com/directoryservice/

• AWS Directory Service Documentation

https://aws.amazon.com/documentation/directory-service/


Thank you!

Documents

How to Integrate AWS Directory Service with Office365 - AWS Online Tech Talks