Identities in the Cloud

Els Putzeys

Identities in the Cloud: User Management in Windows Azure
Identity Options
• Microsoft Online IDs
• Microsoft Online IDs + Directory Synchronization
• Federated IDs + Directory Synchronization
Microsoft Online IDs

• Appropriate for small organizations without on-prem AD
• Pros
  – No servers required on-premises
• Cons
  – No SSO
  – 2 sets of credentials to manage with different password policies
  – IDs mastered in the cloud
Microsoft Online IDs + DirSync

• Appropriate for medium/large organizations with on-prem AD
• Pros
  – Users and groups mastered on-premises
  – Enables coexistence scenarios
  – Passwords can be synchronized with the password sync tool
• Cons
  – No SSO
  – 2 sets of credentials to maintain
  – DirSync server required on-premises
Federated IDs + DirSync

• Appropriate for medium/large enterprises with on-prem AD
• Pros
  – SSO
  – IDs mastered on-prem
  – Password policy controlled on-prem
  – Enables coexistence scenarios
• Cons
  – Servers required on-premises
Microsoft Online IDs

Windows Azure AD
• Identity and access management in the cloud
• Your organization’s cloud directory
  – Used by
    • Windows Azure
    • Office 365
    • Windows Intune
• Can be integrated with on-premises AD
• Integration with cloud applications
  – Single sign-on experience
    • App hosted in cloud
    • Users authenticate with corporate credentials
Windows Azure AD
[Diagram: the tenant data held in Windows Azure AD is managed through Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal]
Windows Azure AD
• Azure AD is a multi-tenant service
• Authentication process
  – User accesses a SaaS application
  – User authenticates to Azure with username and password
  – Azure AD returns token
  – Token is sent to SaaS application
  – Application validates token and uses its content
Create Online IDs
• Windows Azure AD Portal
• Office 365 Portal
• Windows PowerShell
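The PowerShell route, as an added example that is not part of the deck: it bulk-creates Microsoft Online IDs with the MSOnline module, refusing any UPN whose suffix is not a validated domain in the tenant. It assumes fabrikam.com is validated in the tenant, that a license SKU with free seats exists, and uses constructed sample user rows.

```powershell
# Added example (not from the deck): bulk-create Microsoft Online IDs with the MSOnline
# module. Assumes fabrikam.com is a validated domain in the tenant and that a license SKU
# with free seats exists; the user rows below are constructed sample data.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Administrator of the cloud service')

# Constructed sample input; in practice this would come from Import-Csv.
$newUsers = @(
    [pscustomobject]@{ Upn = 'els@fabrikam.com'; First = 'Els'; Last = 'Putzeys'; Country = 'BE' }
    [pscustomobject]@{ Upn = 'jan@contoso.com';  First = 'Jan'; Last = 'Peeters'; Country = 'BE' }
)

# Only suffixes that are validated in the tenant can be used for cloud IDs.
$verified = (Get-MsolDomain -Status Verified).Name
# First SKU that still has seats; for a real run pick the SKU explicitly.
$sku = Get-MsolAccountSku | Where-Object { $_.ActiveUnits -gt $_.ConsumedUnits } | Select-Object -First 1

foreach ($u in $newUsers) {
    $suffix = $u.Upn.Split('@')[1]
    if ($verified -notcontains $suffix) {
        Write-Warning "$($u.Upn): suffix '$suffix' is not a validated domain, skipping"
        continue
    }
    if (Get-MsolUser -UserPrincipalName $u.Upn -ErrorAction SilentlyContinue) {
        Write-Warning "$($u.Upn) already exists, skipping"
        continue
    }
    # Without -Password the service generates a temporary password and returns it;
    # -ForceChangePassword makes the user choose their own at first sign-in.
    $created = New-MsolUser -UserPrincipalName $u.Upn -DisplayName "$($u.First) $($u.Last)" `
        -FirstName $u.First -LastName $u.Last -UsageLocation $u.Country `
        -LicenseAssignment $sku.AccountSkuId -ForceChangePassword $true
    # Hand the temporary password to the user out of band; do not write it to a log.
    [pscustomobject]@{ Upn = $created.UserPrincipalName; TempPassword = $created.Password }
}
```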
DEMO
Microsoft Online IDs + DirSync

Directory Synchronization
• Synchronize users from on-prem to online
• User management is done on-prem
• Password synchronization
  – Synchronize passwords from on-prem to online
• Users have 1 set of credentials across on-prem and online
  – But 2 accounts
Directory Synchronization
[Diagram: on the Customer Network, the DirSync server reads the on-prem AD; in the Windows Azure Datacenter, Azure AD holds the MS Online IDs used by Office 365 (Exchange Online, SharePoint Online, Lync Online)]
DirSync: Preparation
• Synchronization computer
  – Windows Server 2008 R2 SP1 or Windows Server 2012 (R2)
  – Domain-joined
  – Prerequisite software:
    • .NET Framework 3.5 SP1 and 4.0
    • PowerShell
• DC requirements:
  – Forest functional level:
    • Windows Server 2003 or higher
  – Domain controllers:
    • Windows Server 2003 SP1 or higher
DirSync: Preparation
• To install DirSync, you need the following permissions:
  – Administrator of the DirSync server
  – Administrator of the local AD environment
  – Administrator of the cloud service
• DirSync setup creates a service account
  – MSOL_AD_SYNC
  – Created in the Users container
  – Reads from local AD
  – Writes to Windows Azure AD
  – Do not move or remove this account!
DirSync: Preparation
• Initial synchronization
  – All AD objects copied to WAAD
  – Maximum 50000 objects
    • If more, contact support
• DirSync requires SQL
  – SQL Express
    • < 50000 objects
    • Installed by default
  – Full SQL
    • > 50000 objects
DirSync: Preparation
• UPN requirements
  – Every user must have a UPN
  – UPNs must match a validated domain in the cloud
    • Make sure AD contains the correct UPN suffix
  – Check the UPN in the cloud after synchronization
  – Users must use their UPN to log on to cloud services
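A pre-synchronization check for the UPN requirements above, added here as an example (not the deck's own script): it lists every enabled AD user whose UPN is missing or whose suffix is not a validated cloud domain, and flags on-prem UPN suffixes the tenant does not know. It assumes the ActiveDirectory and MSOnline modules are installed on the machine you run it from.

```powershell
# Added example (not from the deck): find on-prem users that will not sync cleanly
# because their UPN is missing or its suffix is not a validated domain in the cloud.
# Assumes the ActiveDirectory and MSOnline PowerShell modules are available.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Administrator of the cloud service')

# Suffixes the cloud tenant accepts.
$cloudDomains = (Get-MsolDomain -Status Verified).Name
# Suffixes that exist on-prem: forest UPN suffixes plus each domain's DNS name.
$forest     = Get-ADForest
$adSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)

$problems = foreach ($user in Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName) {
    $upn = $user.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ Sam = $user.SamAccountName; Upn = $null; Issue = 'No UPN set' }
        continue
    }
    $suffix = $upn.Split('@')[1]
    if ($cloudDomains -notcontains $suffix) {
        [pscustomobject]@{ Sam = $user.SamAccountName; Upn = $upn; Issue = "Suffix '$suffix' not validated in the cloud" }
    }
}

# A forest suffix the cloud does not know (typically a .local name) is the usual root
# cause: add the public domain as an alternative UPN suffix and re-stamp the users.
$adSuffixes | Where-Object { $cloudDomains -notcontains $_ } |
    ForEach-Object { Write-Warning "On-prem UPN suffix '$_' has no validated cloud domain" }

$problems | Format-Table -AutoSize
'{0} user(s) need a UPN fix before synchronization' -f @($problems).Count
```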
DirSync: Installation
• Download and install the Directory Sync tool
  – Installation can take up to 10 minutes
DirSync: Configure
• Start the DirSync Configuration wizard
  – Specify Windows Azure AD credentials
  – Specify AD credentials
  – Enable hybrid deployment (if required)
    • Gives the DirSync service account limited write permission to on-prem AD
DirSync: Password Sync
• Password synchronization
  – Feature of the Sync Tool
  – Synchronizes on-prem passwords to WAAD
  – Users can use the same password in the cloud and on-prem
  – No SSO
• Extracts the password hash from AD
  – Overwrites the cloud password
  – Initial DirSync synchronizes all passwords
  – User changes on-prem password
    • Tool detects and synchronizes (within minutes)
DirSync: Password Sync
• Password complexity policy
  – On-prem policies override cloud policies for synchronized users
• Password expiration policy
  – Cloud user password is set to “Never Expire”
DirSync: Manage
• PowerShell
  – %Program Files%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  – Add-PSSnapin Coexistence-Configuration
• Cmdlets:
  – Get-Command -PSSnapin Coexistence-Configuration
DirSync: Synchronize
• Automatically
  – Every 3 hours
• Manually
  – PowerShell
    • Start-OnlineCoexistenceSync
  – Configuration Wizard
    • Start menu – Directory Sync Configuration
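Kicking off a manual sync and then verifying the outcome from the cloud side, covering both the Password Sync slides and the Synchronize slide above, as an added example (not from the deck): it checks tenant-level sync state, then a sample synchronized user for the properties password sync should produce. It assumes it runs on the DirSync computer with the default snap-in, and that els@fabrikam.com is a constructed sample user.

```powershell
# Added example (not from the deck): trigger a DirSync run and verify the result from the
# cloud side. Assumes this runs on the DirSync computer (Coexistence-Configuration snap-in
# present) and that els@fabrikam.com is a synchronized user (constructed sample name).
Add-PSSnapin Coexistence-Configuration
Start-OnlineCoexistenceSync

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Administrator of the cloud service')

# Tenant-level state: is DirSync enabled, is password sync on, when did it last run?
$company = Get-MsolCompanyInformation
$company | Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled, LastDirSyncTime

# The tool runs every 3 hours; an older timestamp means the scheduled runs are failing.
if ($company.LastDirSyncTime -lt (Get-Date).AddHours(-3)) {
    Write-Warning "Last sync was at $($company.LastDirSyncTime); the scheduled 3-hour cycle may be failing"
}

# Per-user checks for a sample account: it must be synced (LastDirSyncTime set), be anchored
# to its AD object (ImmutableId), and have the cloud password set to never expire, since the
# on-prem expiration policy governs synchronized users.
$u = Get-MsolUser -UserPrincipalName 'els@fabrikam.com'
$checks = [ordered]@{
    'Synchronized from on-prem'    = [bool]$u.LastDirSyncTime
    'Anchored to AD (ImmutableId)' = [bool]$u.ImmutableId
    'Cloud password never expires' = [bool]$u.PasswordNeverExpires
    'License assigned'             = [bool]$u.IsLicensed
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}

# Accounts still mastered in the cloud (never synced) keep a separate password and policy;
# list them so they can be matched to on-prem objects before coexistence starts.
Get-MsolUser -All | Where-Object { -not $_.LastDirSyncTime } | Select-Object UserPrincipalName
```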
DEMO
Federated IDs + DirSync

Active Directory Federation Services

Federated Identities
• Across on-prem and cloud services
  – Single identity
  – Single sign-on
• User management happens on-prem
• On-prem AD used to:
  – Sign in
  – Authenticate
• Requires the following services
  – Directory synchronization
  – Federation Service
Identity Federation
[Diagram, numbered steps 1–10: a user from the Identity Provider side (Fabrikam.com, with its own DC/AD and STS) accesses a Relying Party web server at https://web.contoso.com (Contoso.com, with its own DC/AD and STS). The two STSs are linked by a Federation Trust, home realm discovery routes the user to the right STS, and the Security Token (ST) exchanged is a SAML token carrying claims such as Name = Els, Email = Els@Fabrikam.com, Age = 38. Identity providers shown: AD FS (AD), Shibboleth (Unix), Azure ACS (Live ID, Google ID, Facebook)]
Identity Federation with Azure
[Diagram: in the On-Premises Domain, AD FS backed by Active Directory issues a Logon (SAML 1.1) Token with UPN: user@contoso.com and Source User ID: ABC123; on the Windows Azure Platform, the MS Federation Gateway exchanges it for an Auth Token with UPN: user@contoso.com and Unique ID: 254729, which is presented to Exchange Online]
AD FS Deployment Options
• Single server configuration
• AD FS server farm and load-balancer
• AD FS proxy server or UAG/TMG (external users, ActiveSync, Outlook)
[Diagram: AD FS Servers on the Internal Network, next to Active Directory, serve Internal Users; AD FS Proxies on the Perimeter Network serve External Users]
Federation: AD FS
• Requirements:
  – Windows Server 2008 (R2) – 2012 (R2)
  – ADFS 2.0 / ADFS 3.0
  – Public, validated domain name
  – SSL certificate
  – MS Online Services Module for PS
  – MS Online Sign-In Assistant
Federation: AD FS
• Install ADFS
  – WS2012 (R2): Add roles and features
  – WS2008: Download and install ADFS
Federation: AD FS
• Run the ADFS Configuration Wizard
  – Create new Federation Service
    • Federation farm
    • Stand-alone server
  – Select SSL certificate
    • ADFS certificate
    • Federation service name: adfs.fabrikam.com
  – Create a host record for the federation service in DNS
Federation: AD FS
• Install MS Online Sign-In Assistant
• Install MS Online Services Module for PS
• Configure trust with Microsoft Online Services
  – PowerShell
    • Connect-MsolService -Credential $cred
    • Convert-MsolDomainToFederated -DomainName fabrikam.com
Federation: Test
• Create account in local AD
  – UPN must be your domain name (fabrikam.com)
• Synchronize account to Azure AD
  – Add application licenses
• Prepare client PC
  – Install Sign-In Assistant
  – Add ADFS URL to Intranet zone in IE
• Sign in to client PC as test user
  – Browse to https://portal.microsoftonline.com
  – Enter username (user@fabrikam.com)
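Converting the domain and checking the trust before the client sign-in test, covering the "Configure trust" slide and the test steps above, as an added example (not the deck's own script): it federates fabrikam.com only if it is validated and still managed, then compares what the cloud and AD FS each publish for the domain, and confirms the test account was synced and licensed. It assumes it runs on the AD FS server adfs.fabrikam.com with the Sign-In Assistant and MSOnline module installed, and that user@fabrikam.com is the test account from the slides.

```powershell
# Added example (not from the deck): federate fabrikam.com from the AD FS server and verify
# the trust before testing sign-in. Assumes the MS Online Services Module and Sign-In Assistant
# are installed here and that adfs.fabrikam.com is this federation server (names from the deck).
Import-Module MSOnline
$cred = Get-Credential -Message 'Administrator of the cloud service'
Connect-MsolService -Credential $cred

# Tell the module which federation server's certificate and endpoints to publish to the cloud.
Set-MsolADFSContext -Computer 'adfs.fabrikam.com'

$domain = Get-MsolDomain -DomainName 'fabrikam.com'
if ($domain.Status -ne 'Verified') { throw 'fabrikam.com must be a validated domain before federating it' }

if ($domain.Authentication -eq 'Federated') {
    'fabrikam.com is already federated'
} else {
    Convert-MsolDomainToFederated -DomainName 'fabrikam.com'
}

# What the cloud now believes about the federation endpoints and signing certificate.
Get-MsolDomainFederationSettings -DomainName 'fabrikam.com' |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, NextSigningCertificate

# Side-by-side view of the AD FS side and the Microsoft Online side; a mismatch
# (for example after a certificate rollover) means the test sign-in fails with a token error.
Get-MsolFederationProperty -DomainName 'fabrikam.com' |
    Select-Object Source, FederationServiceDisplayName, FederationServiceIdentifier, TokenSigningCertificate

# The test account must already be synchronized and licensed, otherwise the portal sign-in
# succeeds at AD FS but the user lands on a service with nothing provisioned.
$test = Get-MsolUser -UserPrincipalName 'user@fabrikam.com'
if (-not $test.LastDirSyncTime) { Write-Warning 'Test user has not been synchronized from on-prem AD yet' }
if (-not $test.IsLicensed)      { Write-Warning 'Test user has no application license assigned' }
```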
DEMO
Follow Technet Belgium
@technetbelux