Recording Brief EMS Partner Bootcamp Variables Values Module Title

Presentation transcript:

Recording Brief
EMS Partner Bootcamp, TechReady 18, 10/5/2017

Variables / Values
Module Title: Azure Active Directory I
Chunk Title: Integration between On-premises AD and Azure AD
Content Slides: 12
Lab Slide: Yes
Demo Slide:
Estimated Delivery Time: 29 minutes

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Integration between On-premises AD and Azure AD
Module: Azure Active Directory I
EMS Partner Bootcamp

Integrate an Azure AD with existing directories

Synchronization (Active Directory to Microsoft Azure Active Directory): Identity Sync with password hash sync
- User attributes are synchronized, including the password hash.
- Authentication can be completed against either Azure or Windows Server Active Directory.
- *Write-back of attributes to support cloud-first and co-existence.

Federation (Active Directory to Microsoft Azure Active Directory): Identity Sync with AD FS
- User attributes are synchronized.
- Authentication is passed back through federation and completed against Windows Server Active Directory.
- AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.

Notes:
- Implement DirSync, O365 integration
- Watch the Channel 9 Session on this…
- ?Can we move AD FS into IaaS? If so, what are the recommendations?

Azure AD Connect – directory synchronization
Microsoft Ignite 2015
https://msdn.microsoft.com/en-us/library/azure/jj151831.aspx#BKMK_ObjectLimits

- Review Object Limits 50K/300K
- Review requirements for the directory synchronization computer
- Review requirements for the domain controllers
- Ensure you have administrator permissions
- Review performance considerations
- Review hardware recommendations
- Review your Windows Azure AD authentication requirements
- Review User experience with Help/Support team

Notes:
- Object limits: count of all users, groups and contacts. 50K by default, 300K with a verified domain. This also dictates whether you need full SQL 2008/2012 or can get by with SQL Express.
- Directory sync computer: 64-bit WS 2008/2012; .NET 3.5 + SP1 or .NET 4.5.1; PowerShell; domain joined.
- Domain controller: forest must be at functional level WS2003 or greater. DC must be WS 2008 or 2012.
- Must have admin rights on the local machine and on the domain, and be Tenant Admin in Azure AD.
- Performance: how long will the first sync take? It depends upon the objects, so anticipate time for the first full sync.
- HW requirements: CPU, memory, hard disk. Review the table matrix; it depends upon the number of objects.
- Authn requirements: UPN. If you have a non-routable domain such as .local or .intranet, then consider using alternative login IDs.
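The checklist above can be turned into a pre-flight script run on the intended sync server. This is an added example, not part of the presentation; it assumes the RSAT ActiveDirectory PowerShell module is installed, and the limits and suffixes are the ones quoted on the slide.

```powershell
# Added example: pre-flight checks for the directory synchronization prerequisites.
# Assumes the RSAT ActiveDirectory module and an account that can read the directory.
Import-Module ActiveDirectory

# Values taken from the slide: 50K objects by default, 300K with a verified domain.
$DefaultLimit  = 50000
$VerifiedLimit = 300000
# Non-routable suffixes named on the slide; extend this list for your environment.
$NonRoutable = @('.local', '.intranet')

# 1. Object limits: users, groups and contacts are counted together.
#    objectCategory=person matches both users and contacts.
$ldap = '(|(objectCategory=person)(objectCategory=group))'
$objectCount = (Get-ADObject -LDAPFilter $ldap -ResultPageSize 1000 | Measure-Object).Count

# 2. Forest functional level must be Windows Server 2003 or greater.
$forest   = Get-ADForest
$tooOld   = @('Windows2000Forest', 'Windows2003InterimForest')
$forestOk = $tooOld -notcontains [string]$forest.ForestMode

# 3. Sync computer: 64-bit OS and domain joined.
$is64Bit      = [Environment]::Is64BitOperatingSystem
$domainJoined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain

# 4. UPN suffixes: the slide suggests alternative login IDs for non-routable domains.
$badUpn = Get-ADUser -Filter 'UserPrincipalName -like "*"' | Where-Object {
    $upn = $_.UserPrincipalName.ToLower()
    $NonRoutable | Where-Object { $upn.EndsWith($_) }
}

# Summary object, followed by the accounts that need attention.
[pscustomobject]@{
    ObjectCount         = $objectCount
    OverDefaultLimit    = $objectCount -gt $DefaultLimit
    OverVerifiedLimit   = $objectCount -gt $VerifiedLimit
    ForestMode          = $forest.ForestMode
    ForestLevelOk       = $forestOk
    Is64BitOS           = $is64Bit
    DomainJoined        = $domainJoined
    NonRoutableUpnUsers = @($badUpn).Count
}
$badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
```

The script only reads from the directory, so it can be run before any synchronization tool is installed.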

Deprecated Synchronization tools
https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

Azure AD Directory Synchronization (DirSync)
- Supports a single AD DS forest
- Supported customization limited to filtering, synchronization frequency
- Supports password hash synchronization
- See Install the Azure AD Sync Service

Azure Active Directory Sync Services (AAD Sync)
- Significant changes to the core synchronization engine
- Built on declarative synchronization rules, manageable without the FIM Portal
- All connectors built on the ECMA 2 architecture
- Supports multiple AD DS forests, LDAP directories
- Support for multi-forest password hash synchronization
- Support Password Write-back
- In-place upgrade

Notes:
Currently there are two tools used to implement directory synchronization:
- Azure Active Directory Synchronization tool (DirSync)
- Azure Active Directory Synchronization Services (AAD Sync)

Which tool you use also depends on the scenario you are implementing and the synchronization features that your scenario requires. AAD Sync should be the tool you look to first because this is the tool Microsoft is making investments in going forward.

Configuring directory synchronization with password sync is the simplest of the supported directory synchronization scenarios. It does not provide a true single sign-on experience for users, but it does enable users to sign in using the same username and password that they use in their on-premises environment. For many organizations, this is sufficient to meet their authentication requirements for cloud applications if Active Directory Federation Services (AD FS) is not already configured on-premises.

Configuring directory synchronization with single sign-on results in a better user experience than the password-sync scenario discussed in the previous section because it provides true single sign-on for the users. In this scenario, if a user is already authenticated in their on-premises environment, the user will not be prompted to re-authenticate when accessing cloud applications protected by Azure Active Directory. This is the most significant difference for users, as compared to the password sync scenario described earlier. In that scenario, the user would be prompted to sign in when accessing cloud applications even if the user was already authenticated in their on-premises environment.

Azure AD Connect
- Tool to connect on-premises AD with AAD
- Installs Synchronization (=AADSync) functionality
- Configuration wizard to configure Synchronization scenarios
- ADFS-based SSO from on-premises to AAD
- Intended to be used as appliance, without programming/scripting
- Supports write-back: Passwords, Users, Groups, Devices
- Config changes mainly through the config wizard
- Upgrade to AAD Connect: https://msdn.microsoft.com/en-us/library/azure/dn783462.aspx

Demo: AAD Connect
- Deploy AAD Connect -> AAD Sync
- Show standard, default configuration
- Show Password Hash Sync configuration
- Show variations from default, for piloting, multiple forest

Synchronization tools

Microsoft Identity Manager (MIM) aka FIM
- When you really need to jailbreak your AAD Sync solution
- Azure AD connector is available for download
- Until AAD Sync gets more connectors, required for multi-forest and LDAP scenarios, which means a lot of customers have this deployed
- Still will be used for very complex scenarios
- Recommendation: keep this isolated from enterprise IdM solutions based on MIM
- Does not support password hash synchronization
- Does not support password write back

Other
- PowerShell, other IdM (identity management) products

Lab 3 and 6: Install AAD Connect Directory Sync and ADFS

Azure AD Premium
- Cloud App Discovery
- Customized Logon
- Self Service features
- Self Service Password Reset
- Self Service Group Management
- Access to SaaS Applications
- Application Integration
- SaaS applications
- LOB Application
- Application Proxy

Cloud App Discovery https://appdiscovery.azure.com/

Company Branded Logon https://technet.microsoft.com/en-us/library/dn532270.aspx

Company Branded Logon Desktop Mobile https://technet.microsoft.com/en-us/library/dn532270.aspx

Keep Me Signed In -> Show/Hide