What’s new in Azure Active Directory Domain Services 6/26/2018 11:17 AM BRK3295: What’s new in Azure Active Directory Domain Services Mahesh Unnikrishnan Principal Program Manager Identity division © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

What is Azure AD Domain Services? What’s new? How can I use it?

What is Azure AD Domain Services?

Options – moving applications to the cloud Azure Subscribe to SaaS applications Switch to using SaaS versions of the app ex. Office 365 Leverage Azure AD for SaaS app management SaaS application gallery Easy provisioning, conditional access control Rewrite existing applications Rewrite apps to leverage Azure PaaS Leverage Azure AD OAuth/OpenID Connect for modern authz. Ubiquitous developer libraries. Graph API – modern directory API ‘Lift-and-shift’ on-premises applications to IaaS Move existing legacy ISV/LOB apps to Azure May not have access to source code or vendor support.

’Lift-and-shift’ existing on-premises apps. Easy? What about identity in the cloud? Apps depend on Active Directory Domain Services 1 Apps can’t be modified to use new authn, authz (OAuth, SAML, OpenID Connect, REST etc.) I don’t have source code for apps. ISV not interested in rewriting app. Azure Active Directory On-premise apps ? Lift-and-shift Lift-and-shift Active Directory 1 AD Domain Services Domain join Group policy LDAP bind/authentication Kerberos, NTLM LDAP read/write

How many organizations handle this today TechReady 23 6/26/2018 11:17 AM How many organizations handle this today Connect app to DC VM in Azure Connect app to on-premises DC © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Imagine a simpler alternative No DC deployment Forget about patching DCs Compatible Fully compatible with Windows Server AD Your apps just keep working in the cloud Available Highly available domain Auto-remediation Automatic backups Cost-effective Pay-as-you-go No need for complicated networking (VPN/ExpressRoute)

Introducing ‘Azure AD Domain Services’ … Azure Active Directory Azure AD Domain Services Contoso’s workloads/apps in Azure IaaS Virtual network Managed domain available in Contoso’s VNet.

Managed domains Domain controllers are patched automatically. Secure locked down domain – compliant with AD deployment best-practices. Fault resilience of Azure. Automatic health detection & remediation. Automatic backups for disaster recovery. No need to monitor replication to DCs. Highly available domain.

Your managed domain is kept in-sync Sync users, groups, passwords, SIDs to Azure AD … Virtual network Azure AD Connect Sync Azure AD tenant On-premises AD Managed domain Automatic background sync to your managed domain Users, group memberships and passwords are synced from your Azure AD tenant. Simple to deploy Cloud-only directories – no additional sync/replication software needed! Federated/synced directories – simply leverage your existing Azure AD Connect deployment.

The big picture … … Azure AD Domain Services Azure Active Directory Automatic background sync to your managed domain Managed domain available in your Azure VNet. … Azure AD Domain Services Azure Active Directory Virtual network Contoso’s workloads/apps in Azure IaaS Azure AD Connect Active Directory

Features Simple deployment Single managed domain per Azure AD directory High availability with fault tolerance Automatic health detection & remediation Auto-sync from Azure AD – use same users, groups & passwords On-premises SIDs are synced to SIDHistory in your managed domain Domain join Windows Integrated Authentication (Kerberos, NTLM) LDAP bind and LDAP read Secure LDAP (including over internet) Create custom Organizational Units (OUs) Administer DNS Group Policy.

Pricing Tier/Number of directory objects1 Price Less than 25,000 $0.15/hr 25,001 to 100,000 $0.40/hr 100,001 to 500,000 $1.60/hr Greater than 500,000 Contact us More information - https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/.

Decisions!!! Azure AD Join Azure AD Domain Services Authentication OAuth/OpenID Connect Kerberos, NTLM Management Mobile Device Management (MDM) software like Intune Group Policy Networking considerations Works over the internet Requires machines to be on the same virtual network as the managed domain. Can use virtual network peering or site-to-site VPNs to extend connectivity. Great for … Windows 10 devices Server virtual machines deployed in Azure

What’s new?

New Azure portal UI experience Intuitive wizard-based experience. Create virtual networks & manage delegated administration group membership inline.

New Azure portal UI experience … is now Generally Available (GA)

Problem: You can enable Azure AD Domain Services in only classic Azure virtual networks. Workaround: Setup virtual network peering between classic & resource manager virtual networks.

We now support Resource Manager virtual networks

Support for Resource Manager virtual networks … is now Generally Available (GA)

6/26/2018 11:17 AM Demo © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

A few things to note … The Azure classic portal experience for AAD Domain Services is retired New managed domains cannot be created using the classic portal We have migrated all existing managed domains to the new Azure portal Modifications of existing managed domains from the classic portal are blocked. Classic virtual network support is ending soon (for new domains) Creation of new managed domains in classic networks will be blocked soon. Existing managed domains in classic networks continue to be supported We will deliver an experience to migrate an existing managed domain from classic to resource manager virtual network – later this year.

6/26/2018 11:17 AM How can I use it? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Manage Azure IaaS virtual machines ‘Lift-and-shift’ LDAP applications ‘Lift-and-shift’ Kerberos applications ‘Lift-and-shift’ SharePoint server Domain-joined HDInsight clusters Remote desktop deployments

Manage your Azure IaaS virtual machines Domain-join your Azure IaaS virtual machines – Windows Server and Linux Use your corporate credentials to log-in to VMs No need for local administrator accounts Use Group Policy (built-in GPO for computers container) to manage & secure domain joined VMs. Domain join/ GP … Virtual network Contoso’s workloads/apps in Azure IaaS

We’ve enhanced Group Policy on managed domains Members of ‘AAD DC Administrators’ group can create their own GPOs You can now target GPs to specific Organizational Units Eg. Separate policies for web servers vs backend servers. More information - https://docs.microsoft.com/en- us/azure/active-directory-domain-services/active- directory-ds-admin-guide-administer-group-policy

‘Lift-and-shift’ LDAP applications Manage Azure IaaS virtual machines ‘Lift-and-shift’ LDAP applications ‘Lift-and-shift’ Kerberos applications ‘Lift-and-shift’ SharePoint server Domain-joined HDInsight clusters Remote desktop deployments

Move server applications to Azure Apps using LDAP bind for authentication An LOB application uses a web-form to collect user credentials and authenticates users via LDAP bind to the directory. Migrate & deploy the app in domain-joined Azure VMs. End-users sign in using their existing corporate credentials. This app pattern is often used by organizations to grant access to vendors or partners to their applications. LDAP bind … Virtual network

LDAP over SSL (LDAPS) Move apps that connect to AD over LDAP/LDAPS to Azure. Access your managed domain over LDAPS: From app servers within the virtual network Over the internet (optional) Use LDAPS certificates issued by: Public certification authority Self-signed certificates More information: https://docs.microsoft.com/en- us/azure/active-directory-domain-services/active-directory-ds- admin-guide-configure-secure-ldap LDAPS over the internet LDAPS … Virtual network

‘Lift-and-shift’ Kerberos applications Manage Azure IaaS virtual machines ‘Lift-and-shift’ LDAP applications ‘Lift-and-shift’ Kerberos applications ‘Lift-and-shift’ SharePoint server Domain-joined HDInsight clusters Remote desktop deployments

Move server applications to Azure Windows integrated authentication apps A server application uses an AD service account for its web front- end to authenticate access to a backend server. Migrate & deploy the app in domain-joined Azure VMs. Create custom OUs & provision service accounts. Assign custom password policies (eg. password-never- expires) to service accounts. GMSAs (Group Managed Service Accounts) work as well. Windows Integrated Authentication service acct … Virtual network

Move server applications to Azure Kerberos Constrained Delegation (KCD) apps Front-end Backend Active Directory Kerberos Constrained Delegation Access in context of user

Kerberos constrained delegation 6/26/2018 11:17 AM Kerberos constrained delegation This will not work on an AAD-DS managed domain! Traditional KCD configuration will not work because you do not have ‘Domain Administrator’ privileges on a managed domain © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Solution – Use Resource-based KCD Configure resource-based KCD for apps that require constrained delegation Was introduced in Windows Server 2012 More secure – enables resource administrator to control who has delegated access to the resource. Does not require domain admin privileges. Set up using PowerShell cmdlets $ImpersonatingAccount = Get-ADComputer -Identity contoso100- webapp.contoso100.com Set-ADComputer contoso100-api.contoso100.com - PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount More information - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active- directory-ds-enable-kcd

Modernize legacy apps with Azure AD Application Proxy … IWA capable app App proxy connectors Azure AD Azure AD Application Proxy Service AAD-DS Managed domain KCD User authn with MFA. Access in context of user Lift-and-shift IWA apps/websites to Azure IaaS VMs joined to AAD-DS domain. Deploy App Proxy connectors on Azure IaaS VMs joined to AAD-DS domain. Modernize app by delivering MFA & conditional access control. Use resource-based KCD to enable connectors to authenticate users.

‘Lift-and-shift’ SharePoint server Manage Azure IaaS virtual machines ‘Lift-and-shift’ LDAP applications ‘Lift-and-shift’ Kerberos applications ‘Lift-and-shift’ SharePoint server Domain-joined HDInsight clusters Remote desktop deployments

Lift-and-shift SharePoint Server to Azure Deployment blocker: Unable to configure SharePoint User Profile Sync on AAD-DS managed domains Solution: New built-in security group called ‘AAD DC Service Accounts’. You can add service account used for SharePoint Profile sync to this group. Members of this security group are delegated the following privileges: 'Replicate Directory Changes' on the root DSE 'Replicate Directory Changes' on the Configuration naming context. This security group is also a member of the built-in group ‘Pre-Windows 2000 Compatible Access’.

Domain-joined HDInsight clusters Manage Azure IaaS virtual machines ‘Lift-and-shift’ LDAP applications ‘Lift-and-shift’ Kerberos applications ‘Lift-and-shift’ SharePoint server Domain-joined HDInsight clusters Remote desktop deployments

Domain-joined HDInsight cluster 6/26/2018 11:17 AM Domain-joined HDInsight cluster Preview HD Insights Hadoop clusters can be integrated with AAD Domain Services for secure Hadoop deployments. Feature currently in public preview More information: BRK3108 – Enterprise security and monitoring for big data solutions on Azure HDInsight AADDS subnet domain join, Kerberos etc. … HD Insights subnet … Resource Manager virtual network © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Remote desktop deployments Manage Azure IaaS virtual machines ‘Lift-and-shift’ LDAP applications ‘Lift-and-shift’ Kerberos applications ‘Lift-and-shift’ SharePoint server Domain-joined HDInsight clusters Remote desktop deployments

Windows Server Remote desktop deployments 6/26/2018 11:17 AM Windows Server Remote desktop deployments Deploy domain joined Remote Desktop VMs for VDI in the cloud. Use group policy to manage/secure Remote Desktop VMs. Known issue: Remote Desktop Licensing server Doesn’t block deployments, licensing warnings. Workaround : track licensing outside of AAD-DS Fix coming soon – currently in testing! More information: BRK2169 – Learn about our vision and upcoming innovations for Microsoft Remote Desktop Services BRK3021 - Learn about modern infrastructure roles in RDS © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Citrix XenApp and XenDesktop 6/26/2018 11:17 AM Citrix XenApp and XenDesktop Domain join Citrix machines (XenApp and XenDesktop workers and supporting infrastructure machines) More information: https://support.citrix.com/article/CTX224111 domain join … Citrix machines … Virtual network © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6/26/2018 11:17 AM Roadmap © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Deciding when not to ‘DIY’ your AD deployment Feature Azure AD Domain Services 'Do-it-yourself' AD in Azure VMs Managed service Yes No Secured & locked-down deployment Needs to be secured DNS server Yes (managed service) Domain or Enterprise administrator privileges Domain join Domain authentication using NTLM and Kerberos Custom OU structure Schema extensions AD domain/forest trusts LDAP read Secure LDAP (LDAPS) LDAP write Group Policy Geo-dispersed deployments More information: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-comparison

Features we’re considering … Cloud solution provider support Support for a single managed domain to span multiple virtual networks. Managed Resource forests Schema extensions Support for LDAP writes Questions/Feedback about the service? Contact the product team – aaddsfb@microsoft.com

Identity @ Ignite | Monday 6/26/2018 11:17 AM Identity @ Ignite | Monday BRK3020 What's new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications OCCC Valencia W415 CD Monday 4:00–5:15 Sam Devasahayam Identity @ Ignite | Tuesday BRK2019 Productivity and protection for your employees, partners, and customers with Azure Active Directory OCCC West Hall F2 Tue 9:00–10:15 Alex Simons Nasos Kladakis THR2072 Migrate your apps from legacy APIs to Microsoft Graph OCCC South – Expo Theater #6 Tue 11:35-11:55 Jeff Sakowicz, Dan Kershaw BRK2017 Saying goodbye to passwords OCCC West Hall F3-4 Tue 12:45-1:30 Manini Roy THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory OCCC West Building Theater - Level 2 Tue 2:10–2:30 Jeff Sakowicz BRK1051 Locking down access to the Azure Cloud using SSO, Roles Based Access Control, and Conditional Access OCCC W308 Tue 2:15–3:30 Stuart Kwan © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Identity @ Ignite | Wednesday 6/26/2018 11:17 AM Identity @ Ignite | Wednesday BRK3388 Build applications to secure and manage your enterprise using Microsoft Graph OCCC S210 Wed 09:00-09:45 Jeff Sakowicz, Dan Kershaw BRK3225 Office development: Authentication demystified OCCC W315 Wed 10:45–12:00 Vittorio Bertocci BRK3146 The power of common identity across any cloud OCCC W240 Wed 12:45-1:30 Sam Devasahayam THR2126 Azure Active Directory: Your options explained from AD sync to pass through authentication & more OCCC West – Microsoft Ignite Studio Wed 1:35-1:55 Alex Simons Simon May   BRK3352 Windows devices in Azure Active Directory: Why should I care? OCCC Valencia W415 AB Wed 2:15–3:30 Jairo Cadena THR2007 How to get Office 365 to the next level with Azure Active Directory Premium OCCC South – Expo Theater Wed 3:15-4:00 Brjann Brekkan BRK3295 What’s new in Azure Active Directory Domain Services Hyatt Regency Windermere Z Wed 4:00–5:15 Mahesh Unnikrishnan BRK3016 Shut the door to cybercrime with Azure Active Directory risk-based identity protection OCCC Valencia W415 CD Alex Weinert Nitika Gupta © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Identity @ Ignite | Thursday 6/26/2018 11:17 AM Identity @ Ignite | Thursday BRK2018 Share corporate resources with your partners using Azure Active Directory B2B collaboration OCCC W230 Thu 9:00–10:15 Mary Lynch Sarat Subramaniam Laith Al Shamri BRK3207 The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile+web apps OCCC S310 Thu 10:45-12:00 Vittorio Bertocci BRK3012 Secure access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility + Security OCCC W311 Caleb Baker Chris Green BRK3013 Ensure users have the right access with Azure Active Directory OCCC Valencia W415 AB Thu 12:30–1:45 Joseph Dadzie Mark Wahl BRK3015 Deep-dive: Azure Active Directory Authentication and Single-Sign-On OCCC West Hall E1 Thu 2:15-3:30 John Craddock BRK3014 Azure Active Directory best practices from around the world Thu 4:00–5:15 Tarek Dawoud Mark Morowczynski Identity @ Ignite | Friday BRK2276 Modernize your customer identity management with Azure Active Directory B2C OCCC W314 Friday 9:00-9:45 Saeed Akhter © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Please evaluate this session Tech Ready 15 6/26/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6/26/2018 11:17 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.