Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda AD to Windows Azure AD Sync Options Federation Architecture

Similar presentations


Presentation on theme: "Agenda AD to Windows Azure AD Sync Options Federation Architecture"— Presentation transcript:

1 Agenda AD to Windows Azure AD Sync Options Federation Architecture
AD to AAD Quick start By Sachin Shetty

2 AD to AAD Sync Options By Sachin Shetty

3 Identities for Microsoft Cloud Services
Personal Services Organizational Services User OrgID Organizational Account OnMicrosoft Account (Azure AD Account) Examples: Live ID Microsoft Account Examples: Distinct identity systems Microsoft Account to access consumer services like Skydrive, Xbox Live, Outlook.com Organizational Account to access business services like Office 365, CRM Online, Intune For reasons such as Privacy, use-rights there is no direct connection or federation between the two identity systems. Users can use the two identities on their devices independently and simultaneously at times but the two will not identities will not be integrated with each other. User

4 Cloud-Only / No Integration
Directory Synchronization Directory and Federated SSO Office 365 Windows Azure Active Directory Authentication platform Dynamics CRM Online Contoso customer premises Admin Portal/ PowerShell/GRAPH IdP CORP App IdP AD Directory Store Provisioning platform Windows Intune

5 Directory Synchronization
No Integration Directory Synchronization Directory and Single sign-on (SSO) Office 365 Windows Azure Active Directory Authentication platform Dynamics CRM Online Contoso customer premises Admin Portal/ PowerShell/GRAPH IdP CORP App IdP Directory Store AD Directory Sync (DirSync) Provisioning platform Windows Intune

6 Directory Synchronization Options
DirSync Office 365 Connector PowerShell & Graph API Suitable for Organizations using Active Directory (AD) Supports Exchange Co-existence scenarios Coupled with AD FS, provides best option for federation and synchronization Does not require any additional software licenses Multi-forest available through MCS+Partners Suitable for large organizations with certain AD and Non-AD scenarios Complex multi-forest AD scenarios Non-AD synchronization through Microsoft premier deployment support Requires Forefront Identity Manager and additional software licenses Suitable for small/medium size organizations with AD or Non-AD Not a highly recommended option compared to DirSync or FIM Connector Performance limitations apply with PowerShell and Graph API provisioning PowerShell requires extensive scripting experience PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning) As this is a custom solution, Microsoft support may not be able to help if there are issues For provisioning of large number of users, DirSync and FIM are recommended options for reasons of performance. Forefront Identity Manager (FIM) Suitable for all organizations Supports Exchange Co-existence scenarios

7 Directory and Federated SSO
No Integration Directory Synchronization Directory and Federated SSO CORP App Windows Azure Active Directory Authentication platform Dynamics CRM Online Contoso customer premises Trust Active Directory Federation Server 2.0 Admin Portal/ PowerShell/GRAPH IdP Office 365 IdP Directory Store AD Directory Sync (DirSync) Provisioning platform Windows Intune

8 Federation options AD FS Works with AD Third-party STS
Works with AD & Non-AD Shibboleth Works with AD & Non-AD Suitable for medium, large enterprises including educational organizations Recommended option for Active Directory (AD) based customers Single sign-on Secure token based authentication Support for web and rich clients Microsoft supported Requires on-premises servers, licenses & support Suitable for medium, large enterprises including educational organizations Recommended where customers may use existing non-AD FS Identity systems with AD or Non-AD Single sign-on Secure token based authentication Support for web and rich clients Third-party supported Requires on-premises servers, licenses & support Suitable for educational organizations Recommended where customers may use existing non-AD FS Identity systems Single sign-on Secure token based authentication Support for web clients and outlook only Microsoft supported for integration only, no shibboleth deployment support Requires on-premises servers & support Works with AD and other directories on-premises AD FS This is the most recommended option as it is end to end Microsoft support and offers the best customer experience Offers advantage of evolving with Microsoft’s identity strategy Best solution with On-Premises AD Works only with AD On-Premises Supports all web and rich client scenarios Third-party STS This is a good option for customers that currently use third-party Identity systems in their infrastructure Works for both On-Premises AD and Non-AD Stores Verified through ‘Works with Office 365 Program’ – Discussed in the next slide Shibboleth Works only for Web client scenarios and Outlook Lync, certain Office Pro-plus scenarios, Active Sync on mobile will not work

9 Identity Options Comparison
1. No Integration 2. Directory Only 3. Directory and SSO Appropriate for Smaller orgs without AD on-premise Pros No servers required on-premise Same Domain name for users possible Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies IDs mastered in the cloud Pros Users and groups mastered on-premise Enables co-existence Single server deployment Cons No 2FA until Spring 2013 2 sets of credentials to manage with differing password policies OR Manual / 3rd Party password Sync OR use FIM No SSO Pros SSO with corporate cred IDs mastered on-premise Password policy controlled on-premise 2FA solutions possible Enables hybrid scenarios Location isolation Ideal for multiple forests Cons Additional Servers required for AD FS

10 Accounts in Windows Azure AD
Demo

11 Federation Architecture

12 Federated Architecture
Active Directory Windows Azure AD AD FS + DirSync AD FS Proxy [Server1] [Server2] Internet CorpNet

13 AD FS Scalability Planning
Users Dedicated Federation Servers Federation server proxies NLB servers Comments <1,000 1 Deploy AD FS on two DCs 1,000–15,000 2 Install NLB on proxies 15,000–60,000 2+1 for every 15,000 users 2+ Install NLB on proxies or use dedicated NLB implementation

14 Federated Architecture on Windows Azure!
Windows Azure Subscription VPN Active Directory Windows Azure AD AD FS + AD AD FS Proxy DirSync CorpNet Internet

15 Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

16 Quickstart Guide Architecture
Windows Server 2012 Windows Server 2012 Active Directory Windows Azure AD AD FS + DirSync AD FS Proxy [Server1] [Server2]

17 AD to AAD Quickstart Steps
Add Domain to Windows Azure AD [Windows Azure from Server1] Activate DirSync [Windows Azure from Server1] Install AD FS Server Role [Server1] Configure AD FS Server [Server1] Install AD FS Proxy (optional) [Server2] Configure AD FS Proxy (optional) [Server2] Configure Inbound SSL Access [Server2] Configure AD Federation Support [Server1] Install & Configure DirSync [Server1]

18 Demo Pre-requisites & Initial Setup
Install and Configure a new AD FS farm

19 PS – Activate DirSync + Add AD FS Role
2. Activating DirSync [In Windows Azure on Server1] Set-MsolDirSyncEnabled -EnableDirSync $true 3. Add AD FS Role [on Server1] Install-WindowsFeature ADFS-Federation

20 Configure AD FS Role -FederationServiceName $script:ADFSSubjectName `
[On Server1] Install-AdfsFarm -CertificateThumbprint $Certificate.Thumbprint ` -FederationServiceName $script:ADFSSubjectName ` -ServiceAccountCredential $script:ADFSCredentials ` -OverwriteConfiguration Note: WS 2008 R2 code #commented out in script Start-Process -FilePath ("$env:SystemRoot\ADFS\FSPConfigWizard.exe") -Wait ` '/Hostname', $script:ADFSSubjectName, ` '/Username', $script:ADFSAccountName, ` '/Password', (ConvertFrom-QSSecureStringToPlaintext -SecureString $script:ADFSAccountPassword)

21 Windows Azure Subscription
What we’ve built so far Windows Azure Subscription VPN Active Directory Windows Azure AD AD + AD FS DirSync – Activated, not synced Domain Name – Added, not verified CorpNet Internet

22 Configure Inbound SSL Access
Windows Azure Subscription Domain: Christianboarders.com VPN Active Directory Windows Azure AD AD + AD FS mycloudservice.cloudapp.net CorpNet Internet Internet

23 TechReady 16 4/6/2017 Install DirSync on WS 2012 [On Server1] Write-QSTitle 'Download, install, and configure the DirSync tool' $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe' if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) { Write-QSError 'DirSync download failed.' return } Write-Host 'Running DirSync installer...' Start-Process -FilePath $DirSyncFilename -Wait Note: SQL 2008 R2 Express not officially supported on WS SP1 is supported, but © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24 Configure DirSync [On Server1]
Write-Host 'Requesting synchronization credentials...' $TargetCredentials = Get-Credential -Message 'Permanent Synchronization Credentials' Write-Host 'Requesting local credentials...' $SourceCredentials = Get-Credential -Message 'Local Active Directory Administrator' Write-Host 'Requesting online coexistence configuration information...' $Configuration = Get-CoexistenceConfiguration -TargetCredentials $script:MsolCredential Write-Host 'Configuring local coexistence configuration information...' Set-CoexistenceConfiguration -SourceCredentials $SourceCredentials -TargetCredentials $TargetCredentials Write-Host 'Requesting an immediate synchronization...' Start-OnlineCoexistenceSync

25 Windows Azure Subscription
Final Configuration Windows Azure Subscription VPN Active Directory Windows Azure AD AD FS + AD AD FS Proxy DirSync DirSync – Activated + synced Domain Name – Added + verified CorpNet Internet

26 Actual Times Taken *Includes auto-install of .Net Framework tools
Document Step # PS Script Step # Component of Configuration Actual Time Taken 1 1-2 Initial Software Installation (pre-requisites)*,*** 1 min 12 sec 3 Office 365 Readiness Tool 5 min 48 sec 2 4-5 Add Domain Name in Windows Azure AD 27 sec 6 Activate DirSync Support 10 sec 4 7-14 Install and Configure On-Premise AD FS Server1** 2 min 53 sec 5 15-22 Install and Configure AD FS Proxy Server2*, ***, **** 6 min 12 sec 23-24 Configure Windows Azure AD Federation Support 41 sec 7 25-27 Install and Configure DirSync 3 min 26 sec *Includes auto-install of .Net Framework tools **Includes using self-signed certificate & auto-install of RSAT-DNS tools *** Includes install of Sign-in Assistant & PS Module for MS Online **** Used single-core VM for comparison vs AD FS server VM with 6 cores

27 Thank you


Download ppt "Agenda AD to Windows Azure AD Sync Options Federation Architecture"

Similar presentations


Ads by Google