AD to Windows Azure AD: Sync Options, Federation Architecture, AD to AAD Quick Start
By Sachin Shetty

Agenda
• AD to Windows Azure AD sync options
• Federation architecture
• AD to AAD quick start

Account types
Personal services: Live ID / Microsoft Account
  Examples: Sachin@outlook.com, sachin@live.com
Organizational services: OrgID / Organizational Account / OnMicrosoft Account (Azure AD account)
  Examples: Sachin@contoso.com, sachin@contoso.onmicrosoft.com

Integration options
1. Cloud only / no integration
2. Directory synchronization
3. Directory synchronization and federated single sign-on (SSO)

1. No integration
[Diagram: Windows Azure Active Directory (admin portal / PowerShell / Graph, authentication platform with its own IdP, provisioning platform, directory store) serving Office 365, Dynamics CRM Online and Windows Intune; Contoso customer premises with its own AD, IdP and corporate app. Cloud identities such as Joe@contoso.msonline.com are unrelated to on-premises identities such as shetty@contoso.com.]

2. Directory synchronization
[Diagram: as above, with Directory Sync (DirSync) on the customer premises provisioning objects from the on-premises AD into the Windows Azure AD directory store; authentication still happens against the cloud IdP.]

Directory synchronization options

DirSync
• Suitable for organizations using Active Directory (AD)
• Supports Exchange co-existence scenarios
• Coupled with AD FS, provides the best option for federation and synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS + partners

FIM connector (Forefront Identity Manager)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
• Supports Exchange co-existence scenarios

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD scenarios
• Suitable for all organizations
• Not a highly recommended option compared to DirSync or the FIM connector
• Performance limitations apply to PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience
• The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues

3. Directory synchronization and federated SSO
[Diagram: as above, plus Active Directory Federation Server 2.0 on the customer premises acting as the on-premises IdP with a federation trust to Windows Azure AD; DirSync still provisions the directory store, but authentication is redirected to the on-premises IdP.]

Federation options

AD FS
• Works with AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• Requires on-premises servers, licenses & support

Third-party identity providers
• Works with AD & non-AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• Requires on-premises servers, licenses & support

Shibboleth
• Works with AD & non-AD (AD and other directories on-premises)
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support

Options compared

1. Cloud only
Appropriate for
• Smaller orgs without AD on-premises
Pros
• No servers required on-premises
• Same domain name for users possible
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage, with differing password policies
• IDs mastered in the cloud

2. Directory synchronization
Pros
• Users and groups mastered on-premises
• Enables co-existence
• Single server deployment
Cons
• No 2FA until Spring 2013
• 2 sets of
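The "PowerShell & Graph API" option above is the one with no packaged tool behind it, so it is worth seeing what a minimal, safe version of it looks like. The block below is an added example written for this page, not code from the deck or from Microsoft: it bulk-creates cloud-mastered users with the MSOnline module, skips accounts that already exist so a re-run never overwrites anything, supports -WhatIf, and returns the service-generated initial password to the caller rather than printing it. The MSOnline module, a tenant-administrator credential, contoso.com, the SKU id and the sample rows are all assumptions or placeholders.

```powershell
# Added example (not from the deck): cloud-mastered provisioning through the
# MSOnline module, i.e. the "PowerShell & Graph API" option.
# Assumptions: MSOnline module installed; contoso.com, the SKU id and the
# sample rows below are placeholders, not real accounts.
Import-Module MSOnline

function Connect-Tenant {
    param([System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Tenant administrator'))
    Connect-MsolService -Credential $Credential
}

function Import-CloudUsers {
    # Creates one cloud account per row. Existing UPNs are reported and skipped so that
    # re-running the script cannot overwrite attributes that are mastered elsewhere.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Objects with UserPrincipalName, DisplayName, FirstName, LastName, UsageLocation
        [Parameter(Mandatory = $true)][object[]]$Rows,
        # e.g. 'contoso:ENTERPRISEPACK'; list the real ids with Get-MsolAccountSku
        [Parameter(Mandatory = $true)][string]$AccountSkuId
    )
    foreach ($row in $Rows) {
        $upn = $row.UserPrincipalName.Trim().ToLowerInvariant()
        if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ UPN = $upn; Status = 'Exists'; InitialPassword = $null }
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($upn, 'New-MsolUser')) { continue }
        try {
            # No -Password is passed: the service generates a random one and returns it in
            # .Password. -ForceChangePassword makes it single-use; deliver it out of band.
            $u = New-MsolUser -UserPrincipalName $upn -DisplayName $row.DisplayName `
                              -FirstName $row.FirstName -LastName $row.LastName `
                              -UsageLocation $row.UsageLocation -LicenseAssignment $AccountSkuId `
                              -ForceChangePassword $true -ErrorAction Stop
            [pscustomobject]@{ UPN = $upn; Status = 'Created'; InitialPassword = $u.Password }
        }
        catch {
            # One bad row must not abort the batch; record the reason and carry on.
            [pscustomobject]@{ UPN = $upn; Status = "Failed: $($_.Exception.Message)"; InitialPassword = $null }
        }
    }
}

# Constructed sample input (placeholder users in a placeholder domain).
$sampleCsv = @'
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
alice@contoso.com,Alice Adams,Alice,Adams,US
bob@contoso.com,Bob Baker,Bob,Baker,GB
'@

Connect-Tenant
$sku = 'contoso:ENTERPRISEPACK'   # placeholder; pick the real id from Get-MsolAccountSku
# Remove -WhatIf to actually create the accounts.
Import-CloudUsers -Rows (ConvertFrom-Csv $sampleCsv) -AccountSkuId $sku -WhatIf | Format-Table -AutoSize
```

Each New-MsolUser call is a separate round trip to the service, which is the performance limitation the slide refers to; the script is also exactly the kind of custom wrapper for which Microsoft support cannot help. The MSOnline module itself has since been deprecated in favour of the Microsoft Graph PowerShell SDK, so treat the cmdlet names as period-specific.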
credentials to manage with differing password policies, or manual / 3rd-party password sync, or use FIM
• No SSO

3. Directory synchronization and federated SSO
Pros
• SSO with corporate credentials
• IDs mastered on-premises
• Password policy controlled on-premises
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
• Ideal for multiple forests
Cons
• Additional servers required for AD FS

Federated architecture
[Diagram: Active Directory and AD FS + DirSync (Server1) on CorpNet; AD FS Proxy (Server2) facing the Internet; Windows Azure AD in the cloud; Internet users reach AD FS through the proxy.]

AD FS sizing guidance (http://technet.microsoft.com/en-us/library/jj151794.aspx)

Users            Dedicated federation servers    Federation server proxies   NLB servers   Comments
< 1,000          0                               0                           1             Deploy AD FS on two DCs
1,000–15,000     2                               2                           2             Install NLB on proxies
15,000–60,000    2 + 1 for every 15,000 users    2+                          2+            Install NLB on proxies or use a dedicated NLB implementation

Federated architecture on Windows Azure
[Diagram: the same topology hosted in a Windows Azure subscription: Active Directory with AD FS + AD on CorpNet, AD FS Proxy facing the Internet, DirSync feeding Windows Azure AD.]

Quick Start Guide for Integrating a Single-Forest On-Premises Active Directory with Windows Azure AD

Quickstart guide architecture
• Server1: Windows Server 2012, Active Directory, AD FS + DirSync
• Server2: Windows Server 2012, AD FS Proxy
• Windows Azure AD, configured from Server1
[Diagram: each quickstart step is tagged with where it runs: on Server1, on Server2, or against Windows Azure from Server1.]

What we've built so far
[Diagram: Windows Azure subscription with AD + AD FS on CorpNet, reachable from the Internet, alongside Windows Azure AD.]
• DirSync: activated, not synced
• Domain name: added, not verified

Configure inbound SSL access
[Diagram: the cloud service endpoint (157.56.167.107 / mycloudservice.cloudapp.net) exposed from the Windows Azure subscription to the Internet so the AD FS proxy is reachable.]

[On Server1]
    # Write-QSTitle, Require-QSDownloadableFile and Write-QSError are helper functions
    # defined elsewhere in the quickstart script.
    Write-QSTitle 'Download, install, and configure the DirSync tool'
    $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
    # Fetch DirSync.exe next to the running script (plain HTTP, no check of the file before
    # it is run); abort this step if the download fails.
    if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571'))
    {
        Write-QSError 'DirSync download failed.'
        return
    }
    Write-Host 'Running DirSync installer...'
    # Silent install; -Wait blocks until the installer process exits.
    Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

See http://support.microsoft.com/kb/2681562.

Final configuration
[Diagram: Windows Azure subscription with Active Directory, AD FS + AD and DirSync on CorpNet, AD FS Proxy facing the Internet, Windows Azure AD.]
• DirSync: activated + synced
• Domain name: added + verified

Time taken per step

Document step   PS script step   Component of configuration                             Actual time taken
1               1-2              Initial software installation (pre-requisites)*,***    1 min 12 sec
1               3                Office 365 Readiness Tool                              5 min 48 sec
2               4-5              Add domain name in Windows Azure AD                    27 sec
3               6                Activate DirSync support                               10 sec
4               7-14             Install and configure on-premises AD FS Server1**      2 min 53 sec
5               15-22            Install and configure AD FS Proxy Server2*,***,****    6 min 12 sec
6               23-24            Configure Windows Azure AD federation support          41 sec
7               25-27            Install and configure DirSync                          3 min 26 sec

Thank you
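The Server1 snippet above downloads the installer over plain http:// through a redirector and runs whatever arrives with /quiet, without checking who signed it. The function below is an added example written for this page, not part of the quickstart script or any Microsoft tool: it is a drop-in for that download-and-run step that requires TLS, validates the Authenticode signature and signer, optionally pins a SHA-256 hash, and surfaces the installer's exit code. The quickstart's Write-QS*/Require-QS* helpers are not reused; the URL, signer subject string and hash are placeholders and assumptions.

```powershell
# Added example (not the quickstart's own code): download-and-run that refuses to execute
# an installer it cannot authenticate. URL, signer subject and hash are placeholders.
function Install-VerifiedPackage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$Destination,
        # Substring matched against the Authenticode signer's subject (assumed value).
        [string]$ExpectedSignerSubject = 'CN=Microsoft Corporation',
        # Optional exact pin, e.g. the hash published on the vendor's download page.
        [string]$ExpectedSha256,
        [string[]]$ArgumentList = @('/quiet')
    )

    # 1. Transport: a plain-http download can be replaced on the wire; insist on TLS.
    if ($Url -notmatch '^https://') { throw "Refusing non-TLS installer URL: $Url" }
    Invoke-WebRequest -Uri $Url -OutFile $Destination -ErrorAction Stop

    # 2. Publisher: the Authenticode chain must validate and the signer must be the expected one.
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid') { throw "Authenticode check failed ($($sig.Status)) for $Destination" }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSignerSubject*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. Content: optional exact pin. Hashed through .NET so it also works on PowerShell 3.0
    #    (Windows Server 2012, as in the deck), which has no Get-FileHash.
    if ($ExpectedSha256) {
        $stream = [System.IO.File]::OpenRead($Destination)
        try {
            $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
            $actual = ([System.BitConverter]::ToString($digest)) -replace '-', ''
        }
        finally { $stream.Dispose() }
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) { throw "SHA-256 mismatch: got $actual" }
    }

    # 4. Run silently, wait, and fail loudly on a non-zero exit code instead of continuing.
    if ($PSCmdlet.ShouldProcess($Destination, "Run installer $($ArgumentList -join ' ')")) {
        $proc = Start-Process -FilePath $Destination -ArgumentList $ArgumentList -Wait -PassThru
        if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }
        return $proc.ExitCode
    }
}

# Usage (placeholder URL; substitute the vendor's current HTTPS download link):
# Install-VerifiedPackage -Url 'https://example.invalid/DirSync.exe' -Destination "$env:TEMP\DirSync.exe" -WhatIf
```

The signature check is the part that matters most on a box that will hold the AD FS token-signing key and a DirSync service account: an installer that runs as administrator on Server1 is a direct path to the whole federation. Pin the hash only when you have a trustworthy source for it; the signer check alone already rejects a tampered or unsigned binary.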
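The quickstart table lists the tenant-side steps (add the domain, activate DirSync support, configure federation support) by number but shows no commands for them. The block below is an added example written for this page, not the quickstart's own script: it carries those steps through with the MSOnline module, including the checks that correspond to the "added, not verified" and "activated, not synced" states on the status slides. It assumes the MSOnline module is installed, that Connect-MsolService has already been run as a tenant administrator, and that contoso.com and adfs.contoso.com are placeholders for the real domain and Server1.

```powershell
# Added example (not the quickstart's own code): the Windows Azure AD side of quickstart
# steps 2, 3 and 6. Assumptions: MSOnline module installed, already connected as a tenant
# administrator; 'contoso.com' and 'adfs.contoso.com' are placeholders.
Import-Module MSOnline

function Add-TenantDomain {
    # Step 2: register the domain and print the TXT record that must be published in
    # public DNS before it can be verified ("Domain name: added, not verified").
    param([Parameter(Mandatory = $true)][string]$DomainName)
    if (-not (Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue)) {
        New-MsolDomain -Name $DomainName -Authentication Managed | Out-Null
    }
    $txt = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
    Write-Host "Publish TXT record for $($txt.Label): $($txt.Text)"
    return $txt
}

function Confirm-TenantDomain {
    # Step 2, second half: verification proves control of the DNS zone, which is what later
    # entitles the tenant to route every user in that domain to the on-premises AD FS.
    param([Parameter(Mandatory = $true)][string]$DomainName)
    Confirm-MsolDomain -DomainName $DomainName
    (Get-MsolDomain -DomainName $DomainName).Status        # 'Verified' on success
}

function Enable-TenantDirSync {
    # Step 3 ("DirSync: activated"): the DirSync configuration wizard fails until the tenant
    # reports DirectorySynchronizationEnabled = True, so return that flag for the caller to poll.
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
}

function Convert-TenantDomainToFederated {
    # Step 6: creates the trust (relying party on AD FS, federation settings in Azure AD).
    # Needs an AD FS context: run on Server1 or point at it with Set-MsolADFSContext.
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [string]$AdfsServer          # e.g. 'adfs.contoso.com' (placeholder)
    )
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified; verify it first." }
    if ($domain.Authentication -eq 'Federated') {
        Write-Host "$DomainName is already federated; showing current settings."
    }
    else {
        if ($AdfsServer) { Set-MsolADFSContext -Computer $AdfsServer }
        # From this moment every user in the domain signs in through AD FS, so the proxy
        # (Server2) and inbound SSL access must already be working.
        Convert-MsolDomainToFederated -DomainName $DomainName
    }
    # Returns the settings held by AD FS and by Azure AD so they can be compared; they must
    # agree, in particular on the token-signing certificate. After a certificate rollover
    # run Update-MsolFederatedDomain, otherwise Azure AD keeps trusting the old key.
    Get-MsolFederationProperty -DomainName $DomainName
}

# Usage on Server1 (placeholders):
# Add-TenantDomain -DomainName 'contoso.com'        # then publish the TXT record in public DNS
# Confirm-TenantDomain -DomainName 'contoso.com'
# Enable-TenantDirSync
# Convert-TenantDomainToFederated -DomainName 'contoso.com' -AdfsServer 'adfs.contoso.com'
```

The ordering is deliberate: the domain must be verified before Convert-MsolDomainToFederated will accept it, and the initial onmicrosoft.com domain can never be federated. Converting is a tenant-wide change for everyone in that domain, so it belongs in a change window rather than in an unattended script.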