Identities in the Cloud
Els Putzeys
User Management in Windows Azure
Identity Options
– Microsoft Online IDs
– Microsoft Online IDs + Directory Synchronization
– Federated IDs + Directory Synchronization
Microsoft Online IDs
Appropriate for small organizations without on-prem AD
Pros
– No servers required on-premises
Cons
– No SSO
– 2 sets of credentials to manage, with different password policies
– IDs mastered in the cloud
Microsoft Online IDs + DirSync
Appropriate for medium/large organizations with on-prem AD
Pros
– Users and groups mastered on-premises
– Enables coexistence scenarios
– Passwords can be synchronized with the password sync tool
Cons
– No SSO
– 2 sets of credentials to maintain
– DirSync server required on-premises
Federated IDs + DirSync
Appropriate for medium/large enterprises with on-prem AD
Pros
– SSO
– IDs mastered on-prem
– Password policy controlled on-prem
– Enables coexistence scenarios
Cons
– Servers required on-premises
Microsoft Online IDs
Windows Azure AD
Windows Azure AD
Identity and access management in the cloud
Your organization’s cloud directory
– Used by
• Windows Azure
• Office 365
• Windows Intune
Can be integrated with on-premises AD
Integration with cloud applications
– Single sign-on experience
• App hosted in cloud
• Users authenticate with corporate credentials
Diagram: Windows Azure AD holding the tenant data, managed through Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal
Windows Azure AD
Azure AD is a multi-tenant service
Authentication process
– User accesses a SaaS application
– User authenticates to Azure with username and password
– Azure AD returns token
– Token is sent to SaaS application
– Application validates token and uses its content
Create Online IDs
– Windows Azure AD Portal
– Office 365 Portal
– Windows PowerShell
DEMO
Microsoft Online IDs + DirSync
Directory Synchronization
Directory Synchronization
Synchronize users from on-prem to online
User management is done on-prem
Password synchronization
– Synchronize passwords from on-prem to online
Users have 1 set of credentials across on-prem and online
– But 2 accounts
Directory Synchronization
Diagram: Customer Network (AD, DirSync) synchronizing to the Windows Azure Datacenter (Azure AD, MS Online IDs), which serves Office 365: Exchange Online, SharePoint Online, Lync Online
DirSync: Preparation
Synchronization computer
– Windows Server 2008 R2 SP1 or Windows Server 2012 (R2)
– Domain-joined
– Prerequisite software:
• .NET Framework 3.5 SP1 and 4.0
• PowerShell
DC Requirements:
– Forest functional level: Windows Server 2003 or higher
– Domain Controllers: Windows Server 2003 SP1 or higher
DirSync: Preparation
To install DirSync, you need the following permissions:
– Administrator of the DirSync Server
– Administrator of the local AD environment
– Administrator of the Cloud Service
DirSync setup creates a service account
– MSOL_AD_SYNC
– Created in the Users container
– Reads from local AD
– Writes to Windows Azure AD
– Do not move or remove this account!
DirSync: Preparation
Initial synchronization
– All AD objects copied to WAAD
– Maximum 50000 objects
• If more, contact support
DirSync requires SQL
– SQL Express: < 50000 objects, installed by default
– Full SQL: > 50000 objects
DirSync: Preparation
UPN Requirements
– Every user must have a UPN
– UPNs must match a validated domain in the cloud
• Make sure AD contains the correct UPN suffix
– Check UPN in the cloud after synchronization
– Users must use UPN to log on to cloud services
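As an added example (not from the slides), the following PowerShell script performs the UPN pre-check described above before the initial synchronization: it lists the verified domains of the tenant, flags on-prem users with no UPN or with a suffix that is not a verified cloud domain, and warns when a verified domain is missing as a forest UPN suffix. It assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run.

```powershell
# Added example (not from the slides): find on-prem users whose UPN will not
# synchronize cleanly to Windows Azure AD.
# Assumes the ActiveDirectory and MSOnline modules are installed and that
# Connect-MsolService has already been run with a tenant administrator credential.
Import-Module ActiveDirectory
Import-Module MSOnline

# Only validated (Verified) domains are usable as UPN suffixes in the cloud.
$verified = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name

# Verified cloud domains that are not yet UPN suffixes in the forest (the
# tenant's *.onmicrosoft.com domain is never an on-prem suffix, so skip it).
$forest         = Get-ADForest
$forestSuffixes = @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes)
$verified |
    Where-Object { $_ -notlike '*.onmicrosoft.com' -and $forestSuffixes -notcontains $_ } |
    ForEach-Object { Write-Warning "Verified domain $_ is not a UPN suffix in the forest" }

# Enabled user accounts (narrow with -SearchBase to the OUs DirSync will cover).
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName

$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    $problem = $null
    if ([string]::IsNullOrEmpty($upn)) {
        $problem = 'No UPN set'
    }
    else {
        $suffix = $upn.Split('@')[-1]
        if ($verified -notcontains $suffix) {
            $problem = "UPN suffix '$suffix' is not a verified cloud domain"
        }
    }
    if ($problem) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $upn; Problem = $problem }
    }
}

if ($report) {
    $report | Format-Table -AutoSize
    Write-Warning ("{0} user(s) need a UPN fix before the initial sync" -f @($report).Count)
}
else {
    Write-Host 'All enabled users have a UPN matching a verified cloud domain.'
}
```

Fixing a flagged user means setting a UPN with a verified suffix on-prem (Set-ADUser -UserPrincipalName); the script only reports, so it is safe to run repeatedly.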
DirSync: Installation
Download and install the Directory Sync tool
– Installation can take up to 10 minutes
DirSync: Configure
Start DirSync Configuration wizard
– Specify Windows Azure AD Credentials
– Specify AD Credentials
– Enable hybrid deployment (if required)
• Gives the dirsync service account limited Write permission to on-prem AD
DirSync: Password Sync
Password Synchronization
– Feature of Sync Tool
– Synchronize on-prem passwords to WAAD
– Users can use same password in cloud and on-prem
– No SSO
Extracts password hash from AD
– Overwrites cloud password
– Initial dirsync synchronizes all passwords
– User changes on-prem password
• Tool detects and synchronizes (within minutes)
DirSync: Password Sync
Password complexity policy
– On-prem policies override cloud policies for synchronized users
Password expiration policy
– Cloud user password is set to “Never Expire”
DirSync: Manage
• PowerShell
– %Program Files%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
– Add-PSSnapin Coexistence-Configuration
• Cmdlets:
– Get-Command –PSSnapin Coexistence-Configuration
DirSync: Synchronize
Automatically
– Every 3 hours
Manually
– PowerShell
• Start-OnlineCoexistenceSync
– Configuration Wizard
• Start menu – Directory Sync Configuration
DEMO
Federated IDs + DirSync
Active Directory Federation Services
Federated Identities
Across on-prem and cloud services
– Single identity
– Single sign-on
User management happens on-prem
On-prem AD used to:
– Sign in
– Authenticate
Requires the following services
– Directory synchronization
– Federation Service
Identity Federation
Diagram: Contoso.com (relying party: AD, DC, web server https://web.contoso.com, STS) and Fabrikam.com (identity provider: AD, DC, STS) linked by a federation trust; in steps 1–10 the user’s home realm is discovered and a SAML security token with claims Name = Els, Email = Els@Fabrikam.com, Age = 38 is issued and passed along; identity providers shown: Shibboleth, AD FS, Azure ACS, AD, Unix, Live ID, Google ID, Facebook
Identity Federation with Azure
Diagram: On-Premises Domain (Active Directory, AD FS) and Windows Azure Platform (MS Federation Gateway, Exchange Online); AD FS issues a Logon (SAML 1.1) Token (UPN: [email protected], User ID: ABC123) to the MS Federation Gateway, which issues an Auth Token (UPN: [email protected], ID: 254729) to Exchange Online
AD FS Deployment Options
– Single server configuration
– AD FS server farm and load-balancer
– AD FS proxy server or UAG/TMG (External Users, ActiveSync, Outlook)
Diagram: Internal users on the Internal Network reach the AD FS servers, backed by Active Directory; external users come in through AD FS Proxies in the Perimeter Network
Federation: AD FS
Requirements:
– Windows Server 2008 (R2) – 2012 (R2)
– ADFS 2.0 / ADFS 3.0
– Public, validated domain name
– SSL certificate
– MS Online Services Module for PS
– MS Online Sign-In Assistant
Federation: AD FS
• Install ADFS
– WS2012 (R2): Add roles and features
– WS2008: Download and install ADFS
Federation: AD FS
Run ADFS Configuration Wizard
– Create new Federation Service
• Federation farm
• Stand-alone server
– Select SSL Certificate
• ADFS certificate
• Federation service name: adfs.fabrikam.com
– Create Host record for the federation service in DNS
Federation: AD FS
Install MS Online Sign-In Assistant
Install MS Online Services Module for PS
Configure Trust with Microsoft Online Services
– PowerShell
• Connect-MsolService –Credential $cred
• Convert-MsolDomainToFederated –DomainName fabrikam.com
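As an added example (not from the slides), this script wraps the two cmdlets above with the checks an administrator wants before and after converting a domain: the domain must be verified and still managed, and afterwards the trust settings the cloud recorded (issuer, endpoints, signing certificate) are displayed for comparison with the AD FS server. It assumes the MS Online Services Module for PS is installed and uses fabrikam.com and adfs.fabrikam.com from the slides as placeholder names.

```powershell
# Added example (not from the slides): convert a verified domain to federated
# authentication and confirm the resulting trust. Assumes the MS Online Services
# Module for PS is installed; domain and AD FS names are placeholders from the slides.
Import-Module MSOnline

$domainName = 'fabrikam.com'
$adfsServer = 'adfs.fabrikam.com'

$cred = Get-Credential -Message 'Windows Azure AD global administrator'
Connect-MsolService -Credential $cred

# Point the module at the AD FS server whose trust will be configured
# (can be omitted when the script runs on the AD FS server itself).
Set-MsolAdfscontext -Computer $adfsServer

# The domain must already be validated in the cloud and not yet federated.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $domainName is not verified in the tenant; validate it first."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Host "Domain $domainName is already federated; skipping conversion."
}
else {
    Convert-MsolDomainToFederated -DomainName $domainName
}

# Show what the cloud now trusts: issuer URI, logon/logoff endpoints and the
# thumbprint of the token-signing certificate (compare with the AD FS console).
$fed = Get-MsolDomainFederationSettings -DomainName $domainName
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri,
    @{ n = 'SigningCertThumbprint'; e = {
        $raw = [Convert]::FromBase64String($_.SigningCertificate)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)).Thumbprint
    } } | Format-List
```

A thumbprint that differs from the AD FS token-signing certificate means the trust is stale and must be updated before sign-ins will succeed.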
Federation: Test
• Create account in local AD
– UPN must be your domain name (fabrikam.com)
• Synchronize account to Azure AD
– Add application licenses
• Prepare client pc
– Install Sign-In Assistant
– Add ADFS url to Intranet zone in IE
• Sign in to client pc as test user
– Browse to https://portal.microsoftonline.com
– Enter username ([email protected])
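As an added example (not from the slides), this pre-flight script run on the client pc checks the four conditions the test procedure above depends on before the interactive sign-in: the user’s domain is federated, the account was synchronized (not created in the cloud) and licensed, the Sign-In Assistant service is present, and the AD FS host is in the IE Intranet zone. It assumes the MSOnline module is installed on the client and Connect-MsolService has run; the test UPN and AD FS name are placeholders.

```powershell
# Added example (not from the slides): pre-flight checks for the federation test,
# run on the client pc. Assumes the MSOnline module is installed there and
# Connect-MsolService has already run; the two values below are placeholders.
Import-Module MSOnline

$testUpn  = 'testuser@fabrikam.com'   # placeholder test account
$adfsHost = 'adfs.fabrikam.com'       # federation service name from the wizard
$results  = [ordered]@{}

# 1. The user's domain must be federated, otherwise the portal asks for a cloud password.
$suffix = $testUpn.Split('@')[-1]
$results['Domain federated'] = (Get-MsolDomain -DomainName $suffix).Authentication -eq 'Federated'

# 2. The account must exist in Azure AD, come from DirSync (ImmutableId set) and be licensed.
$user = Get-MsolUser -UserPrincipalName $testUpn -ErrorAction SilentlyContinue
$results['User synchronized'] = ($null -ne $user) -and -not [string]::IsNullOrEmpty($user.ImmutableId)
$results['User licensed']     = ($null -ne $user) -and $user.IsLicensed

# 3. The Sign-In Assistant installs the msoidsvc service on the client.
$results['Sign-In Assistant installed'] =
    $null -ne (Get-Service -Name msoidsvc -ErrorAction SilentlyContinue)

# 4. The AD FS host must be in the IE Intranet zone (zone 1) so Windows
#    Integrated Authentication is used; IE stores this per user under ZoneMap\Domains.
$parts   = $adfsHost.Split('.')
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
           ($parts[1..($parts.Length - 1)] -join '.') + '\' + $parts[0]
$results['AD FS in Intranet zone'] = (Test-Path $zoneKey) -and
    ((Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).https -eq 1)

$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

If the zone was pushed by Group Policy rather than set in IE, the entry lives under HKLM instead of HKCU and check 4 must be adjusted accordingly.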
DEMO
Follow TechNet Belgium: @technetbelux
Subscribe to the TechNet newsletter: aka.ms/benews
Belgium’s biggest IT PRO Conference