azure track -01- identities in the cloud

by Els Putzeys. More and more organizations store data in the cloud or use cloud services like Windows Azure and Office 365. For administrators, that means the first task is to create and manage users in these cloud platforms. In this session we will talk about the options that are available for identity management in Windows Azure, Office 365, Windows Intune, … Windows Azure AD: create cloud identities in Azure AD and use them across all cloud services. Directory Synchronization: synchronize your on-premises AD users to Windows Azure AD. Federation: allow users to sign in with their on-premises AD account when accessing cloud services. In the demo we will set up directory synchronization and federation using AD FS.

Text of azure track -01- identities in the cloud

  • 1. Identities in the Cloud Els Putzeys
  • 2. Identities in the Cloud: User Management in Windows Azure
  • 3. Identity Options
      - Microsoft Online IDs
      - Microsoft Online IDs + Directory Synchronization
      - Federated IDs + Directory Synchronization
  • 4. Microsoft Online IDs
      Appropriate for small organizations without on-prem AD
      Pros:
        - No servers required on-premises
      Cons:
        - No SSO
        - 2 sets of credentials to manage, with different password policies
        - IDs mastered in the cloud
  • 5. Microsoft Online IDs + DirSync
      Appropriate for medium/large organizations with on-prem AD
      Pros:
        - Users and groups mastered on-premises
        - Enables coexistence scenarios
        - Passwords can be synchronized with the password sync tool
      Cons:
        - No SSO
        - 2 sets of credentials to maintain
        - DirSync server required on-premises
  • 6. Federated IDs + DirSync
      Appropriate for medium/large enterprises with on-prem AD
      Pros:
        - SSO
        - IDs mastered on-prem
        - Password policy controlled on-prem
        - Enables coexistence scenarios
      Cons:
        - Servers required on-premises
  • 7. Microsoft Online IDs: Windows Azure AD
  • 8. Windows Azure AD
      - Identity and access management in the cloud
      - Your organization's cloud directory
      - Used by Windows Azure, Office 365 and Windows Intune
      - Can be integrated with on-premises AD
      - Integration with cloud applications: single sign-on experience; app hosted in the cloud; users authenticate with corporate credentials
  • 9. Windows Azure AD [diagram]: Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal all manage the same Windows Azure AD tenant data
  • 10. Windows Azure AD
      - Azure AD is a multi-tenant service
      - Authentication process:
        1. User accesses a SaaS application
        2. User authenticates to Azure AD with username and password
        3. Azure AD returns a token
        4. The token is sent to the SaaS application
        5. The application validates the token and uses its content
  • 11. Create Online IDs
      - Windows Azure AD Portal
      - Office 365 Portal
      - Windows PowerShell
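An added example (not part of the slide deck) of the third option above, creating Microsoft Online IDs with the MS Online Services Module for Windows PowerShell (the MSOnline module, `Connect-MsolService` / `New-MsolUser`). The user list, the domain `contoso.example` and the usage location `BE` are constructed sample values; the module is assumed to be installed and the account used to be a tenant administrator.

```powershell
# Added example: create cloud identities (Microsoft Online IDs) in Windows Azure AD.
# Assumes the MSOnline module is installed; user data below is constructed sample input
# (in practice it would come from Import-Csv).
Import-Module MSOnline

$cred = Get-Credential -Message "Windows Azure AD administrator"
Connect-MsolService -Credential $cred

$newUsers = @(
    @{ UserPrincipalName = 'alice@contoso.example'; DisplayName = 'Alice Adams'; FirstName = 'Alice'; LastName = 'Adams' },
    @{ UserPrincipalName = 'bob@contoso.example';   DisplayName = 'Bob Brown';   FirstName = 'Bob';   LastName = 'Brown' }
)

foreach ($u in $newUsers) {
    # Idempotent: skip accounts that already exist instead of failing half-way through the list.
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Host "Exists: $($u.UserPrincipalName)"
        continue
    }

    # No -Password given: the service generates a temporary one and returns it on the
    # user object. -ForceChangePassword makes it single-use, so it only bridges the
    # gap until the user's first sign-in. UsageLocation is needed before licensing.
    $created = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -DisplayName $u.DisplayName -FirstName $u.FirstName -LastName $u.LastName `
        -UsageLocation 'BE' -ForceChangePassword $true

    Write-Host "Created $($created.UserPrincipalName) (temporary password must be handed over out of band)"
}

# Cloud-mastered IDs fall under the tenant password policy (slide 4: no on-prem policy applies),
# so confirm none of the new accounts were left with a non-expiring password.
Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, PasswordNeverExpires
```

The `Password` property of the object returned by `New-MsolUser` holds the generated temporary password; the script deliberately does not print it, since that value ends up in transcript and console logs.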
  • 12. DEMO
  • 13. Microsoft Online IDs + DirSync: Directory Synchronization
  • 14. Directory Synchronization
      - Synchronize users from on-prem to online; user management is done on-prem
      - Password synchronization: synchronize passwords from on-prem to online
      - Users have 1 set of credentials across on-prem and online, but 2 accounts
  • 15. Directory Synchronization [diagram]: customer network (AD, DirSync) → Windows Azure datacenter (Azure AD, MS Online IDs) → Office 365 (Exchange Online, SharePoint Online, Lync Online)
  • 16. DirSync: Preparation
      Synchronization computer:
        - Windows Server 2008 R2 SP1 or Windows Server 2012 (R2)
        - Domain-joined
        - Prerequisite software: .NET Framework 3.5 SP1 and 4.0, PowerShell
      DC requirements:
        - Forest functional level: Windows Server 2003 or higher
        - Domain controllers: Windows Server 2003 SP1 or higher
  • 17. DirSync: Preparation
      To install DirSync, you need the following permissions:
        - Administrator of the DirSync server
        - Administrator of the local AD environment
        - Administrator of the cloud service
      DirSync setup creates the service account MSOL_AD_SYNC:
        - Created in the Users container
        - Reads from local AD, writes to Windows Azure AD
        - Do not move or remove this account!
  • 18. DirSync: Preparation
      Initial synchronization:
        - All AD objects are copied to WAAD
        - Maximum 50,000 objects; if more, contact support
      DirSync requires SQL:
        - SQL Express for < 50,000 objects (installed by default)
        - Full SQL for > 50,000 objects
  • 19. DirSync: Preparation
      UPN requirements:
        - Every user must have a UPN
        - UPNs must match a validated domain in the cloud
        - Make sure AD contains the correct UPN suffix
        - Check the UPN in the cloud after synchronization
        - Users must use the UPN to log on to cloud services
  • 20. DirSync: Installation
      - Download and install the Directory Sync tool
      - Installation can take up to 10 minutes
  • 21. DirSync: Configure
      - Start the DirSync Configuration wizard
      - Specify Windows Azure AD credentials
      - Specify AD credentials
      - Enable hybrid deployment (if required): gives the DirSync service account limited write permission to on-prem AD
  • 22. DirSync: Password Sync
      Password synchronization is a feature of the Sync tool:
        - Synchronizes on-prem passwords to WAAD
        - Users can use the same password in the cloud and on-prem (still no SSO)
        - Extracts the password hash from AD and overwrites the cloud password
        - The initial DirSync run synchronizes all passwords
        - When a user changes the on-prem password, the tool detects and synchronizes it (within minutes)
  • 23. DirSync: Password Sync
      - Password complexity policy: on-prem policies override cloud policies for synchronized users
      - Password expiration policy: the cloud user password is set to Never Expire
  • 24. DirSync: Manage
      PowerShell console file: %ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
      Or load the snap-in in an existing session: Add-PSSnapin Coexistence-Configuration
      List the available cmdlets: Get-Command -PSSnapin Coexistence-Configuration
  • 25. DirSync: Synchronize
      - Automatically: every 3 hours
      - Manually: PowerShell Start-OnlineCoexistenceSync, or the Configuration Wizard (Start menu → Directory Sync Configuration)
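An added example, not from the deck, that ties slide 19 (UPN requirements) to slides 24 and 25 (managing and triggering DirSync): it audits on-prem UPNs against the domains verified in the tenant before the initial synchronization, because a user whose UPN suffix is not a validated cloud domain will not be able to log on to cloud services afterwards, and only then starts a sync. It assumes it runs on the DirSync server with the RSAT ActiveDirectory module and the MSOnline module installed; the `-FullSync` switch is not on the slide and is assumed from the DirSync tool's own cmdlet.

```powershell
# Added example: pre-sync UPN audit, then a DirSync run.
# Assumes: DirSync server, ActiveDirectory (RSAT) and MSOnline modules available,
# Coexistence-Configuration snap-in registered by the DirSync installer.
Import-Module ActiveDirectory
Import-Module MSOnline

Connect-MsolService -Credential (Get-Credential -Message "Windows Azure AD administrator")

# Domains validated in the cloud; only UPNs under these suffixes can sign in after sync.
$verifiedDomains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name

# Slide 19: every user needs a UPN and its suffix must be a verified domain.
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName

$problems = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Upn = ''; Issue = 'No UPN set' }
        continue
    }
    $suffix = $u.UserPrincipalName.Split('@')[-1]
    if ($verifiedDomains -notcontains $suffix) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Upn = $u.UserPrincipalName; Issue = "Suffix '$suffix' is not a verified domain" }
    }
}

if ($problems) {
    $problems | Format-Table -AutoSize
    # Stop here: fixing UPNs before the first sync avoids cloud accounts created with a
    # .onmicrosoft.com fallback UPN that users then cannot use to log on.
    throw "Fix the $(@($problems).Count) UPN issue(s) above before synchronizing."
}

# Slide 24: load the DirSync snap-in (same thing DirSyncConfigShell.psc1 does).
Add-PSSnapin Coexistence-Configuration

# Slide 25: trigger a run instead of waiting for the 3-hour schedule.
# -FullSync (assumed switch) re-reads every object; omit it for a delta run.
Start-OnlineCoexistenceSync -FullSync
```

Run the audit part alone first (comment out the last two lines) while the UPN suffix is being fixed in AD; the check is read-only against both directories.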
  • 26. DEMO
  • 27. Federated IDs + DirSync: Active Directory Federation Services
  • 28. Federated Identities
      - Across on-prem and cloud services: single identity, single sign-on
      - User management happens on-prem; on-prem AD is used to sign in and authenticate
      - Requires the following services: directory synchronization, federation service
  • 29. Identity Federation [diagram]: AD contoso.com and AD fabrikam.com (DC, DC, web server; relying party and identity provider) joined by a federation trust between two STSs; STS examples: Shibboleth, AD FS, Azure ACS; identity sources: AD, Unix, Live ID, Google ID, Facebook; numbered flow 1–10 with home realm discovery and the security token (ST) passed along; sample SAML token claims: Name = Els, Email = Els, Age = 38
  • 30. Identity Federation with Azure Active Directory [diagram]: on-premises domain (AD FS) ↔ Windows Azure platform (MS Federation Gateway, Exchange Online); logon (SAML 1.1) token with Source User ID: ABC123; auth token with Unique ID: 254729
  • 31. AD FS Deployment Options
      - Single server configuration
      - AD FS server farm and load balancer
      - AD FS proxy server or UAG/TMG (external users, ActiveSync, Outlook)
      [diagram]: internal network (internal user, AD FS servers, Active Directory); perimeter network (external user, AD FS proxies)
  • 32. Federation: AD FS
      Requirements:
        - Windows Server 2008 (R2) / 2012 (R2)
        - AD FS 2.0 / AD FS 3.0
        - Public, validated domain name
        - SSL certificate
        - MS Online Services Module for PS
        - MS Online Sign-In Assistant
  • 33. Federation: AD FS
      Install AD FS:
        - WS2012 (R2): Add Roles and Features
        - WS2008: download and install AD FS
  • 34. Federation: AD FS
      Run the AD FS Configuration Wizard:
        - Create a new Federation Service: federation farm or stand-alone server
        - Select the SSL certificate (the AD FS certificate)
        - Federation service name: create a host record for the federation service in DNS
  • 35. Federation: AD FS
      - Install MS Online Sign-In Assistant
      - Install MS Online Services Module for PS
      - Configure trust with Microsoft Online Services (PowerShell):
          Connect-MsolService -Credential $cred
          Convert-MsolDomainToFederated -DomainName <federated-domain>
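An added example, not from the deck, of the trust configuration in slides 34 and 35 with the checks an administrator wants around it: the DNS host record for the federation service must exist, the domain must already be verified in the tenant, the conversion is skipped if the domain is already federated, and `Get-MsolFederationProperty` is used afterwards to compare what AD FS and Windows Azure AD hold for the domain. `contoso.example` and `sts.contoso.example` are constructed placeholders; the script assumes it runs on the AD FS server with the MS Online Sign-In Assistant and the MSOnline module installed, and `Resolve-DnsName` requires Windows Server 2012 or later.

```powershell
# Added example: convert a verified domain to federated authentication and verify the trust.
# Assumes: run on the AD FS server; MSOnline module and Sign-In Assistant installed.
Import-Module MSOnline

$domain  = 'contoso.example'        # constructed: verified domain to federate
$stsHost = 'sts.contoso.example'    # constructed: federation service name from the AD FS wizard

# Slide 34: the federation service name needs a host record in DNS before clients
# (and the Microsoft Federation Gateway) can reach the STS.
if (-not (Resolve-DnsName -Name $stsHost -Type A -ErrorAction SilentlyContinue)) {
    throw "No A record found for $stsHost; create the DNS host record first."
}

$cred = Get-Credential -Message "Windows Azure AD administrator"
Connect-MsolService -Credential $cred

# Tell the MSOnline cmdlets which AD FS server to read the token-signing
# certificate and endpoints from (here: the local machine).
Set-MsolADFSContext -Computer $env:COMPUTERNAME

$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') {
    throw "$domain is not a verified domain in this tenant (slide 32: public, validated domain name)."
}

if ($d.Authentication -eq 'Federated') {
    Write-Host "$domain is already federated; skipping conversion."
} else {
    # Slide 35: establishes the trust. After this, sign-ins for $domain are redirected to AD FS,
    # so run it in a maintenance window and with the proxy/farm (slide 31) already reachable.
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: one row comes from the AD FS server, one from Microsoft Online; the
# token-signing certificate and the logon URIs must agree, or sign-ins will fail.
Get-MsolFederationProperty -DomainName $domain |
    Format-List Source, FederationServiceDisplayName, ActiveLogOnUri, PassiveLogOnUri, TokenSigningCertificate
```

A mismatch in the final listing (typically after the AD FS token-signing certificate has rolled over) is the point where `Update-MsolFederatedDomain -DomainName $domain` would be run to push the new certificate to the cloud side; that cmdlet is not on the slides and is named here only as the follow-up check.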