Integrating your on-premises Active Directory with Azure and Office 365
- 1. Integrating Your On-Premises Active Directory with Azure and Office 365 Mike Nelson Solutions Architect - nGenX Level: Intermediate
- 2. Who Is This Guy? • Solutions Architect – nGenX • 25 years in tech • CTP - vExpert - MCSE-PC • mike.nelson@ngenx.com • Twitter - @nelmedia Mike Nelson 2014
- 3. What Are We Going To Talk About? • Azure Active Directory & Office 365 • Integration, Synchronization & Migration • Administration & Troubleshooting • Tools / Tips Mike Nelson 2014
- 4. What Are We Going To Do? • Create a new local AD • Create a new Azure AD Instance • Setup Sync • Play around a bit Mike Nelson 2014
- 5. Updates I like to draw ;-) Updated slides, drawings, etc. http://1drv.ms/1oHyZz0 Mike Nelson 2014
- 6. Prerequisites • Get a Live ID account – http://signup.live.com • Get an Azure Trial & VHD - http://aka.ms/R2 – Select “Windows 2012 R2 Datacenter on Azure” (also have pre-config’d copies to distribute) • Pick a domain name (variant of “contoso” is recommended – ex. contoso611.onmicrosoft.com • You must have a hypervisor installed/enabled on your laptop to run a lab VM Mike Nelson 2014
- 7. Prerequisites • Hypervisors (download trials if needed) – For Win 8.x, use Hyper-V role or VMware Workstation – For Win 7.x, use VMware Workstation – For Mac, use Fusion • Image provided on the DVD’s or USB drives – Server 2012 R2 Datacenter VHD file & OVF package – You can also build your own 2012 R2 VM or use an existing one you have with no AD role installed Mike Nelson 2014
- 8. Import VM • Need 7GB free for disk file • OVF file can be imported for VMware – VMware Fusion - http://bit.ly/1lCLNjO – VMware Workstation - http://bit.ly/1jNSW1h • Hyper-V import VHD as IDE - http://bit.ly/1rpoQZi • Administrator – P@ssw0rd Mike Nelson 2014
- 10. Let’s Talk AD, AAD & O365 Windows Server Active Directory Azure Active Directory Free Azure Active Directory Tenant Azure Active Directory Premium Mike Nelson 2014
- 12. • Scenario 1 Subscriptions • No Azure subscription & no Office 365 subscription • Sign up for Azure first as an Organization – https://account.windowsazure.com/organization • Add your domain to Azure AD & then sign up for Office 365 using org account • Scenario 2 • Office 365 subscription, but no Azure subscription • You already have an AAD Tenant • Sign up for Azure using your org account
- 13. • Scenario 3 Subscriptions • Office 365 subscription with Org Account & Azure subscription with Microsoft ID • Already have AAD Tenant, but must be joined via org account • Sign in to Azure with org account • Add LiveID to Azure AD • Sign in to Azure with LiveID • Go to Settings and Edit Directory • Set default directory to Org directory • Add org account as Co-Administrator
- 14. Windows Azure AD vs AD on Windows Azure IaaS On Premise VM w/ AD on Azure IaaS
- 15. Identity for Microsoft cloud services Microsoft Account Microsoft Azure Active Directory Microsoft Account Ex: alice@outlook.com User Organizational Account Ex: alice@contoso.com User
- 16. Office 365 Identity Models
- 17. Identity Synchronization and Federation WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API
- 20. Identities Everywhere Windows Azure Active Directory
- 21. What Else Uses Identity?
- 22. It’s All About Sync S S O Single SignOn Requires ADFS – seamless experience Same SignOn Second credential entry – a compromise
- 23. SSO and Office 365 • Admin View – Single Credential to manage – Single place to manage polices – on-premises workstation restrictions etc – IDP is your AD • User View – I have a single credential – I may be prompted to enter it more than once, but is always the same credential
- 24. SSO Alternatives & SAML • Pros, Cons, Needs, and Wants Centrify OneLogin Okta PingFederate Optimal IDM IBM Tivoli FIM PacketOne SiteMinder
- 25. • • • • • Directory Integration options Microsoft Dynamics CRM Passwords
- 26. Sync Options
- 27. Directory Sync - AADSync
- 28. Password Sync • Synchronizes user password hash from your on-premises Active Directory to Azure Active Directory (pretty secure) – mainly for Self-Service reset • Doesn’t require something to be installed on all DC’s • Users can use the same credentials to login into both on-premises • No additional infrastructure required on premises • No dependency on on-premises infrastructure for authentication • Password Write-Back is coming in AADSync – in latest DirSync now
- 29. Password Sync** • Password complexity policies configured in the on-premises AD apply in the cloud, i.e. you mange them on-premises. • Cloud password is set to ‘Never Expire’ • Users cannot change their password in the cloud except via self-service mechanism • Admins can reset user’s password on the cloud*
- 30. AADConnect
- 31. ADFS • Not Multi-Forest • Parent & Child domains
- 32. ADFS • Plan for capacity • More infrastructure - SQL or WID, WAAP, multiple ADFS servers • More administration - service accounts, DBA, certificates, Claims, etc.
- 37. Use Sync As Backup for ADFS http://bit.ly/1lQvPmm http://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to- switch-from-single-sign-on-to-password-sync.aspx
- 38. Typical AD FS deployment on-premises…
- 39. …Compromise when moving to Azure
- 40. Password Sync vs. Single Sign-On Password Sync Single Sign-On (ADFS) Same password to access resources X X Control password policies on-premises X X Support for multi-factor authentication X * X No password re-entry if on premises X Authentication occurs in on premises directory X Client access filtering X * Limited Support
- 42. AD Deployment Models in Azure • AD Forest in Azure • Static IP via PowerShell • AD Extended from On-Premises Network • Azure VNet w/P2P or S2S required • Static IP via PowerShell • Azure AD As A Service • Commercial providers • Directory Services As A Service
- 43. AD Forest in Isolated Azure VNet Data-Tier 10.2.2.0/24 Backend 10.2.1.0/24 Microsoft Azure Virtual Network - 10.2.x fe2 fe1 SharePoint SQL contoso.corp Collab-Tier 10.2.3.0/24 Frontend 10.2.4.0/24 Availability Set Availability Set dc1/dns 10.2.1.4/24 dc2/dns 10.2.1.5/24 Load-Balancer fe3 Availability Set © 2014 Yung Chou. 43
- 44. Hybrid Cloud with Azure VNet and P2S Microsoft Azure Virtual Network Site Backend 10.2.1.0/24 Availability SharePoint SQL Microsoft Azure Virtual Network - 10.2.x contoso.cor p Point-to-Site VPN Data-Tier 10.2.2.0/24 Collab-Tier 10.2.3.0/24 Frontend 10.2.4.0/24 Set fe2 fe1 dc1/dns 10.2.1.4/24 dc2/dns 10.2.1.5/24 Load-Balancer fe3 Availability Set © 2014 Yung Chou. Point-to-Site VPN 44
- 45. Hybrid Cloud with Azure VNet and Microsoft Azure Virtual Network Site SharePoint SQL Microsoft Azure Virtual Network - 10.2.x contoso.corp Windows Server 2012 R2 as a VPN gateway On-premises Active Directory establishment Site-to-Site VPN Point-to-Site VPN Data-Tier 10.2.2.0/24 Collab-Tier 10.2.3.0/24 Backend 10.2.1.0/24 Availability Frontend 10.2.4.0/24 Set fe2 fe1 dc1/dns 10.2.1.4/24 dc2/dns 10.2.1.5/24 Load-Balancer fe3 Availability Set © 2014 Yung Chou. S2S/P2S 45
- 46. What About Virtualizing AD? Is it safe to do? Yes, but you need to plan carefully The role The network The disk The clock Mike Nelson 2014
- 49. First Things First • Plan for AAD Sync & manually check AD • DNS – Lower your TTL • UPN suffixes must exist! • Add & verify all SMTP domains • Set Password Expiration flag via PowerShell • Run idfix
- 50. First Things First • Use the VM Readiness Assessment tool! • ADModify (codeplex) to bulk modify AD • Use PowerShell to provide info & delete if your gutsy!
- 51. Tools for Administration • Azure Portal • Office365 Admin Center • Local AD Tools • PowerShell! Mike Nelson 2014
- 52. Tools for Troubleshooting • idFix • Microsoft RCA (web / client) https://testconnectivity.microsoft.com/ • Troubleshooting AAD Sync http://support.microsoft.com/kb/2684395 Mike Nelson 2014
- 53. Tools for Troubleshooting • PowerShell • MsiiClient for AAD Sync • ADSI Edit • ADPlus.vbs • On-Ramp (O365 setup) Mike Nelson 2014
- 54. Tips • Always create a Company Administrator (formerly Global Administrator) account that is “In Cloud” • Rollback from Federated domain to Standard requires O365 password reset • ADFS – Parent certificate covers children Mike Nelson 2014
- 55. Tips • Use Sync as backup for ADFS • Update the ADFS Relying Party Metadata periodically – Update-MSOLFederatedDomain –DomainName:<domain name> – Use –supportmultipledomain switch if needed – Scheduled task script • ADFS – Parent certificate covers children – Using the –supportmultipledomains switch is required when multiple top-level domains are federated by using the same AD FS federation service • Testing ADFS – https://<adfs_url>/adfs/ls/idpinitiatedsignon.aspx Mike Nelson 2014 –supportmultipledomains
- 56. Sync Tips • AAD Sync runs every 3 hours, Password sync runs every 2 minutes. Both can be forced via PoSH – Start-OnlineCoexistenceSync -FullSync • Online portal can take a very long time to update • “Technical Contact” will get all the emails • To determine Sync version – PowerShell (GP 'hklm:SOFTWAREMicrosoftWindowsCurrentVersionUninstallMicro soft Online Directory Sync').DisplayVersion Mike Nelson 2014
- 57. Sync Tips • When filtering OU’s in Sync, remove unused Run Steps • Always use latest version of Sync • Upgrade is painless – Local SQL, just run the install – Standalone SQL, need to connect to DB & upgrade • When in doubt – Force a Sync • PoSH module – import-module DirSync Mike Nelson 2014
- 58. Demo Lab Setup • Get a Live ID account – http://signup.live.com • Get an Azure Trial - http://bit.ly/1zaeXB4 • Add & configure Azure AD • Create local AD – Import pre-made 2012R2 server VM – Add AD role Mike Nelson 2014
- 59. The Lab • Power on the VM • Login as administrator – P@ssw0rd • Add the AD role – don’t worry about DNS messages • Once role installed, configure it. The AD Forest should be “corp.com” • Reboot the VM once AD config is complete Mike Nelson 2014
- 60. The Lab • Login as <domain>administrator – P@ssw0rd • Right-click on PowerShell icon in taskbar and click Run As Administrator • Enter “set-executionpolicy unrestricted” and hit enter • Open Explorer and go to C:scripts • Right-click and edit “createusers.ps1” (should open in ISE) Mike Nelson 2014
- 61. The Lab • Change domain name to your domain name (You can also do these steps manually via the MMC if you wish) • Save the file and run it. A new OU called O365Users should be created in your AD • With ISE still open, open the “createusers.ps1” file. Change the domain name to your domain name. • Save the file and run it. Users should now appear in that O365Users OU. • Close ISE Mike Nelson 2014
- 62. The Lab • Open a browser on your local machine and create your MS Live ID account • Go to fasttrack.office.com and sign up for a Enterprise demo. Pick a domain name. Highly recommended to pick a variant of “contoso.com” (ex. contoso611.com) • Once signup is complete, login to Office365 with new credentials • Create Azure account using same credentials Mike Nelson 2014
- 63. The Lab • Back in the VM, in Explorer, double click the C:Deployment ToolsLdfixLdfix.exe • Query your domain • Fix any issues • Install DirSync • Configure DirSync • Sync objects Mike Nelson 2014
Editor's Notes
- #4: Topics- Azure Active Directory & Office 365 - Discuss the basics and architecture of Azure, Azure AD, and Office 365 Discuss how to initiate a subscription, and administrate the environments via the portal and PowerShell for the duration of the session Integration, Synchronization & Migration Single SignOn and Same SignOn DirSync, ADFS, AADConnect, AADSync On-Premise to/from Off-Premise architecture How sync works How to modify sync How to migrate “In cloud” users to “Synched with Active Directory” Administration & troubleshooting Tools & Tips Cleaning up your AD Azure Portal Office 365 Admin Center PowerShell Troubleshooting sync Troubleshooting Tools
- #8: A client side hypervisor is required for the lab. The server image is supplied for the lab.
- #9: A client side hypervisor is required for the lab. The server image is supplied for the lab.
- #15: Microsoft has cloud services they need to authenticate users to which needs to be able to be independent of any on-premise AD for cloud-only scenarios or customers without AD. Microsoft took their knowledge of AD and enhanced this service to fit best for a cloud environment and this is called Windows Azure AD. [click] The challenge is many customers already have an on-premise AD which they would like users to be able to seamlessly authenticate. There are a number of methods to synchronize these two, but it is outside of the scope of this presentation. [click] Windows Azure AD must be used to authenticate to many of Microsoft’s cloud services, regardless of whether or not you synchronize with your on-premise AD [click] The topic of this presentation today covers running the Active Directory role on a VM inside of Windows Azure IaaS. This is NOT the same thing as Windows Azure AD.
- #26: Credit: TechEd 2014
- #28: Directory Sync – Enables on-premises directory data to be projected into the cloud Only synchronizes from single AD forest Groups, contacts and users ~ 150 properties Provides for a delta sync of changes - Sync timeframe is every 3 hours Links on-prem object to cloud object using ‘SourceAnchor’ – unique on-prem ID (By default: ObjectGUID) On-prem master for all objects and properties Proactively reports errors via email: “No news is good news” Provides for rich integration experiences Office Hybrid scenarios, requires two way sync for some properties Hybrid is only way data gets written back (Exchange data now – passwords soon)
- #29: Multiple iterations of SHA256 encryption on hash
- #38: http://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx
- #48: USN Bubbles
- #59: Tasks to be done for prep and execution of Demo Lab
- #60: Tasks to be done for prep and execution of Demo Lab
- #61: Tasks to be done for prep and execution of Demo Lab
- #62: Tasks to be done for prep and execution of Demo Lab
- #63: Tasks to be done for prep and execution of Demo Lab
- #64: Tasks to be done for prep and execution of Demo Lab