Identities in the Cloud Els Putzeys

azure track -01- identities in the cloud


DESCRIPTION

by Els Putzeys. More and more organizations store data in the cloud or use cloud services like Windows Azure and Office 365. For administrators that means your first task is to create and manage users in these cloud platforms. In this session we will talk about the options that are available for identity management in Windows Azure, Office 365, Windows Intune, … Windows Azure AD: create cloud identities in Azure AD and use them across all cloud services. Directory Synchronization: synchronize your on-premises AD users to Windows Azure AD. Federation: allow users to sign in with their on-premises AD account when accessing cloud services. In the demo we will set up directory synchronization and federation using ADFS.


Page 1: azure track -01- identities in the cloud

Identities in the Cloud
Els Putzeys

Page 2

Identities in the Cloud

User Management in Windows Azure

Page 3

Identity Options
– Microsoft Online IDs
– Microsoft Online IDs + Directory Synchronization
– Federated IDs + Directory Synchronization

Page 4

Microsoft Online IDs
Appropriate for small organizations without on-prem AD

Pros
– No servers required on-premises

Cons
– No SSO
– 2 sets of credentials to manage with different password policies
– IDs mastered in the cloud

Page 5

Microsoft Online IDs + DirSync
Appropriate for medium/large organizations with on-prem AD

Pros
– Users and groups mastered on-premises
– Enables coexistence scenarios
– Passwords can be synchronized with password sync tool

Cons
– No SSO
– 2 sets of credentials to maintain
– DirSync server required on-premises

Page 6

Federated IDs + DirSync
Appropriate for medium/large enterprises with on-prem AD

Pros
– SSO
– IDs mastered on-prem
– Password policy controlled on-prem
– Enables coexistence scenarios

Cons
– Servers required on-premises

Page 7

Microsoft Online IDs

Windows Azure AD

Page 8

Windows Azure AD
Identity and access management in the cloud
Your organization’s cloud directory
– Used by
  • Windows Azure
  • Office 365
  • Windows Intune

Can be integrated with on-premises AD
Integration with cloud applications
– Single sign-on experience
  • App hosted in cloud
  • Users authenticate with corporate credentials

Page 9

Windows Azure AD (diagram): the tenant data in Windows Azure AD is managed through Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal.

Page 10

Windows Azure AD
Azure AD is a multi-tenant service

Authentication process
– User accesses a SaaS application
– User authenticates to Azure with username and password
– Azure AD returns token
– Token is sent to SaaS application
– Application validates token and uses its content

Page 11

Create Online IDs
– Windows Azure AD Portal
– Office 365 Portal
– Windows PowerShell

Page 12

DEMO

Page 13

Microsoft Online IDs + DirSync

Directory Synchronization

Page 14

Directory Synchronization
Synchronize users from on-prem to online
User management is done on-prem

Password synchronization
– Synchronize passwords from on-prem to online

Users have 1 set of credentials across on-prem and online
– But 2 accounts

Page 15

Directory Synchronization (diagram)
– Customer Network: AD, synchronized by DirSync
– Windows Azure Datacenter: Azure AD (MS Online IDs), used by Office 365: Exchange Online, SharePoint Online, Lync Online

Page 16

DirSync: Preparation
Synchronization computer
– Windows Server 2008 R2 SP1 or Windows Server 2012 (R2)
– Domain-joined
– Prerequisite software:
  • .Net Framework 3.5 SP1 and 4.0
  • PowerShell

DC Requirements:
– Forest functional level: Windows Server 2003 or higher
– Domain Controllers: Windows Server 2003 SP1 or higher

Page 17

DirSync: Preparation
To install DirSync, you need the following permissions:
– Administrator of the DirSync Server
– Administrator of the local AD environment
– Administrator of the Cloud Service

DirSync setup creates service account
– MSOL_AD_SYNC
– Created in Users container
– Read from local AD
– Write to Windows Azure AD
– Do not move or remove this account!

Page 18

DirSync: Preparation
Initial synchronization
– All AD objects copied to WAAD
– Maximum 50000 objects
  • If more, contact support

DirSync requires SQL
– SQL Express
  • < 50000 objects
  • Installed by default
– Full SQL
  • > 50000 objects

Page 19

DirSync: Preparation
UPN Requirements
– Every user must have a UPN
– UPNs must match a validated domain in the cloud
  • Make sure AD contains the correct UPN Suffix
– Check UPN in the cloud after synchronization
– Users must use UPN to logon to cloud services
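A pre-flight check for the UPN requirements above, added here as an example and not part of the deck: it assumes the ActiveDirectory module and the MS Online Services Module for PowerShell are installed on a domain-joined machine, and lists on-prem users whose UPN is missing or whose suffix is not a verified domain in the tenant.

```powershell
# Added example (not from the deck): find on-prem AD users that will not
# synchronize cleanly because the UPN is missing or its suffix is not a
# verified domain in Windows Azure AD. Assumes the ActiveDirectory module and
# the MS Online Services Module for PowerShell are installed.
Import-Module ActiveDirectory
Import-Module MSOnline

# Prompts for a cloud administrator credential and connects to the tenant
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Only domains with status 'Verified' are valid UPN suffixes for synchronized users
$verified = Get-MsolDomain -Status Verified | Select-Object -ExpandProperty Name
Write-Host "Verified cloud domains: $($verified -join ', ')"

# Every enabled on-prem user with its UPN
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName

$problems = foreach ($u in $users) {
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = ''
            Issue          = 'No UPN set'
        }
        continue
    }
    # Suffix is everything after the last '@'; comparison is case-insensitive
    $suffix = $u.UserPrincipalName.Split('@')[-1]
    if ($verified -notcontains $suffix) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Issue          = "Suffix '$suffix' is not a verified cloud domain"
        }
    }
}

if ($problems) {
    $problems | Format-Table -AutoSize
    Write-Warning "$(@($problems).Count) user(s) need a UPN fix before running DirSync"
} else {
    Write-Host 'All enabled users have a UPN with a verified suffix'
}
```

Users flagged by the script would otherwise be created in the cloud with a UPN on the tenant's default onmicrosoft.com domain, so they could not sign in with the UPN they expect.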

Page 20

DirSync: Installation
Download and install the Directory Sync tool
– Installation can take up to 10 minutes

Page 21

DirSync: Configure
Start DirSync Configuration wizard
– Specify Windows Azure AD Credentials
– Specify AD Credentials
– Enable hybrid deployment (if required)
  • Gives dirsync service account limited Write permission to on-prem AD

Page 22

DirSync: Password Sync
Password Synchronization
– Feature of Sync Tool
– Synchronize on-prem passwords to WAAD
– Users can use same password in cloud and on-prem
– No SSO

Extract password hash from AD
– Overwrites cloud password
– Initial dirsync synchronizes all passwords
– User changes on-prem password
  • Tool detects and synchronizes (within minutes)

Page 23

DirSync: Password Sync
Password complexity policy
– On-prem policies override cloud policies for synchronized users

Password expiration policy
– Cloud user password is set to “Never Expire”

Page 24

DirSync: Manage
• PowerShell
  – %Program Files%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  – Add-PSSnapin Coexistence-Configuration
• Cmdlets:
  – Get-Command -PSSnapin Coexistence-Configuration

Page 25

DirSync: Synchronize
Automatically
– Every 3 hours

Manually
– PowerShell
  • Start-OnlineCoexistenceSync
– Configuration Wizard
  • Start menu – Directory Sync Configuration

Page 26

DEMO

Page 27

Federated IDs + Dirsync

Active Directory Federation Services

Page 28

Federated Identities
Across on-prem and cloud services
– Single identity
– Single sign-on

User management happens on-prem
On-prem AD used to:
– Sign in
– Authenticate

Requires the following services
– Directory synchronization
– Federation Service

Page 29

Identity Federation (diagram)
– Two organizations: Contoso.com (Relying Party, with a DC and a web server at https://web.contoso.com) and Fabrikam.com (Identity Provider, with a DC), each with its own STS and linked by a Federation Trust
– STS implementations shown: Shibboleth, AD FS, Azure ACS
– Identity stores shown: AD, Unix, Live ID, Google ID, Facebook
– Security token: a SAML token carrying the claims Name = Els, Email = Els@Fabrikam.com, Age = 38
– The numbered flow (steps 1 to 10) includes home realm discovery and the security token (ST) being passed between the parties

Page 30

Identity Federation with Azure (diagram)
– On-Premises Domain: Active Directory, AD FS
– Windows Azure Platform: MS Federation Gateway, Exchange Online
– Logon (SAML 1.1) Token between AD FS and the MS Federation Gateway: UPN [email protected], User ID ABC123
– Auth Token between the MS Federation Gateway and Exchange Online: UPN [email protected], ID 254729

Page 31

AD FS Deployment Options
– Single server configuration
– AD FS server farm and load-balancer
– AD FS proxy server or UAG/TMG (External Users, Active Sync, Outlook)

(diagram) Internal Network: Internal User, two AD FS Servers, Active Directory; Perimeter Network: External User, two AD FS Proxies

Page 32

Federation: AD FS
Requirements:
– Windows Server 2008 (R2) – 2012 (R2)
– ADFS 2.0 / ADFS 3.0
– Public, validated domain name
– SSL certificate
– MS Online Services Module for PS
– MS Online Sign-In Assistant

Page 33

Federation: AD FS
• Install ADFS
  – WS2012 (R2): Add roles and features
  – WS2008: Download and install ADFS

Page 34

Federation: AD FS
Run ADFS Configuration Wizard
– Create new Federation Service
  • Federation farm
  • Stand-alone server
– Select SSL Certificate
  • ADFS certificate
  • Federation service name: adfs.fabrikam.com
– Create Host record for the federation service in DNS

Page 35

Federation: AD FS
Install MS Online Sign-In Assistant
Install MS Online Services Module for PS
Configure Trust with Microsoft Online Services
– PowerShell
  • Connect-MsolService -Credential $cred
  • Convert-MsolDomainToFederated -DomainName fabrikam.com

Page 36

Federation: Test
• Create account in local AD
  – UPN must be your domain name (fabrikam.com)
• Synchronize account to Azure AD
  – Add application licenses
• Prepare Client pc
  – Install Sign-In Assistant
  – Add ADFS url to Intranet zone in IE
• Sign in to client pc as test user
  – Browse to https://portal.microsoftonline.com
  – Enter username ([email protected])
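A verification script for the trust configured on the previous slide and the test account above, added here as an example and not the deck's own code: it assumes the MS Online Services Module for PowerShell is installed, uses the deck's fabrikam.com as the federated domain, and uses a hypothetical test user name.

```powershell
# Added example (not from the deck): confirm that the domain really is
# federated and that the synchronized test user is ready before trying the
# browser sign-in. Assumes the MS Online Services Module for PowerShell;
# the domain comes from the deck, the user name is a placeholder.
Import-Module MSOnline

$cred = Get-Credential
Connect-MsolService -Credential $cred

$domain  = 'fabrikam.com'
$testUpn = "testuser@$domain"   # hypothetical test account created in local AD

# After Convert-MsolDomainToFederated the Authentication property reads 'Federated';
# a 'Managed' domain still authenticates against the cloud password, not AD FS
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne 'Federated') {
    throw "$domain is '$($d.Authentication)', not Federated; rerun Convert-MsolDomainToFederated"
}

# Shows the federation settings as seen by the AD FS server and by Microsoft Online
# (one record per Source); the two must agree or token validation fails,
# e.g. after a token-signing certificate rollover on the AD FS side
Get-MsolFederationProperty -DomainName $domain | Format-List

# The test user must exist in the tenant, come from DirSync and hold a license;
# ImmutableId is set by DirSync and stays empty for cloud-only IDs
$u = Get-MsolUser -UserPrincipalName $testUpn -ErrorAction Stop
[pscustomobject]@{
    UPN          = $u.UserPrincipalName
    Synchronized = [bool]$u.ImmutableId
    Licensed     = $u.IsLicensed
    DomainAuth   = $d.Authentication
} | Format-List
```

If Synchronized is False the account was created in the cloud rather than by DirSync, and signing in with it will not exercise the AD FS trust at all.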

Page 37

DEMO

Page 38

And take home the Lumia 1320

Present your feedback form when you exit the last session & go for the drink

Give Me Feedback

Page 39

Follow TechNet Belgium: @technetbelux

Subscribe to the TechNet newsletter: aka.ms/benews

Be the first to know

Page 40

Belgium’s biggest IT PRO Conference