Azure AD Domain Services: Use managed domain services on Azure

Presentation transcript:

Azure AD Domain Services: Use managed domain services on Azure
Microsoft Ignite 2016, session BRK3252
Mahesh Unnikrishnan, Principal Program Manager
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session objectives & takeaways
- Introduce an exciting new service called Azure AD Domain Services.
- Understand how it works & its benefits.
- See the features available in preview today.
- Explore scenarios where you can rely on Azure AD Domain Services instead of setting up domain controllers in VMs.
- Explore the product roadmap.
- Share your feedback to influence how the service evolves.
Key takeaway: learn how to move applications to Azure IaaS without worrying about identity needs.

Azure Active Directory
- 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI).
- >10 M Azure AD directories; more than 750 M user accounts on Azure AD.
- Microsoft "Identity Management as a Service (IDaaS)" for organizations: millions of independent identity systems controlled by enterprise and government "tenants". Information is owned and used by the controlling organization, not by Microsoft.
- Born as a cloud directory for Office 365; extended to manage across many clouds; evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
- 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers.
- >110k third-party applications used with Azure AD each month.
- >1.3 billion authentications every day on Azure AD.
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory.

Identity as the core of enterprise mobility
(Diagram: Microsoft Azure Active Directory at the centre, with a simple connection to Windows Server Active Directory, other directories and on-premises resources on one side and SaaS, Azure and public cloud on the other; labels: self-service, single sign-on.)

Options: moving applications to the cloud
1. Subscribe to SaaS applications
- Switch to using SaaS versions of the app, e.g. Office 365.
- Leverage Azure AD for SaaS app management: SaaS application gallery, easy provisioning, conditional access control.
2. Rewrite existing applications
- Rewrite apps to leverage Azure PaaS.
- Leverage Azure AD OAuth/OpenID Connect for modern authz; ubiquitous developer libraries.
- Graph API: modern directory API.
3. 'Lift-and-shift' on-premises applications to IaaS
- Move existing legacy ISV or LOB applications to Azure IaaS.
- May not have access to source code or vendor support.

'Lift-and-shift' existing on-premises apps. Easy? What about identity in the cloud?
- My apps depend on AD Domain Services: domain join, group policy, LDAP bind/authentication, Kerberos, NTLM, LDAP read/write.
- Apps can't be modified to use new authn/authz (OAuth, SAML, OIDC, REST etc.).
- I don't have source code for apps; the ISV is not interested in rewriting the app for modern paradigms.
(Diagram: on-premises apps and Active Directory being lifted and shifted to Azure, with a question mark over how they connect to Azure Active Directory.)

Two widely-used options today
- Connect the app to a DC VM in Azure.
- Connect the app to an on-premises DC.

Imagine a simpler alternative
- No domain controller deployment: forget about patching DCs.
- Compatible: fully compatible with Windows Server AD; your apps just keep working in the cloud.
- Available: highly available domain, auto-remediation, automatic backups.
- Cost-effective: pay-as-you-go; no need for complicated networking (VPN/ExpressRoute).

Introducing 'Azure AD Domain Services'
(Diagram: Azure Active Directory feeds Azure AD Domain Services, which provides a managed domain available in your Azure VNet alongside Contoso's workloads/apps in Azure IaaS.)

Managed domains
- Domain controllers are patched automatically.
- Secure, locked-down domain, compliant with AD deployment best practices.
- Fault resilience of Azure; highly available domain.
- Automatic health detection & remediation.
- Automatic backups for disaster recovery.
- No need to monitor replication to DCs.

Your managed domain is kept in sync
(Diagram: on-premises AD syncs users, groups, passwords and SIDs to the Azure AD tenant via Azure AD Connect; the tenant performs an automatic background sync to the managed domain in your virtual network.)
- Users, group memberships and passwords are synced from your Azure AD tenant.
- Simple to deploy: cloud-only directories need no additional sync/replication software; federated/synced directories simply leverage your existing Azure AD Connect deployment.

Synced tenants
(Diagram: on-premises Active Directory syncs to Azure Active Directory through Azure AD Connect; Azure AD Domain Services performs an automatic background sync to the managed domain, which is available in your Azure VNet alongside Contoso's workloads/apps in Azure IaaS.)

Features
- Simple deployment: single managed domain per Azure AD directory.
- High availability with fault tolerance; automatic health detection & remediation.
- Auto-sync from Azure AD: use the same users, groups & passwords. On-premises SIDs are synced to SIDHistory in your managed domain.
- Domain join.
- Windows Integrated Authentication (Kerberos, NTLM).
- LDAP bind and LDAP read.
- Secure LDAP (including over the internet).
- Create custom Organizational Units (OUs).
- Administer DNS.
- Basic Group Policy: a single built-in GPO each for the users & computers containers.

Demo: Azure AD Domain Services

Service availability
North Europe, West Europe, West US, East US, East US2, Central US, South Central US, East Asia, Southeast Asia, Australia East, Australia Southeast
https://azure.microsoft.com/en-us/regions/#services

Networking considerations (1) Use your managed domain in multiple classic virtual networks

Networking considerations (2) Use your managed domain in Resource Manager virtual networks

Networking considerations (3): subnets and Network Security Groups
- Deploy Azure AD Domain Services to a dedicated subnet.
- Do not deploy to the Gateway subnet.
- Do not apply NSGs to your AAD-DS subnet. This prevents Microsoft from being able to manage & update your domain, and it also breaks synchronization with your Azure AD tenant.

Deployment scenario 1: secure, streamlined administration of Azure virtual machines
- Domain-join your Azure IaaS virtual machines, Windows Server and Linux.
- Use your corporate credentials to log in to VMs; no need for local administrator accounts.
- Use Group Policy (built-in GPO for the computers container) to manage & secure domain-joined VMs.
(Diagram: Contoso's workloads/apps in Azure IaaS, domain join / GP against the managed domain in the virtual network.)

Deployment scenario 2: lift-and-shift applications that use LDAP bind for authentication
Consider the following web app: an LOB application uses a web form to collect user credentials and authenticates users via LDAP bind to the directory.
- This application can be migrated & deployed in Azure VMs.
- End users sign in using their existing corporate credentials.
- The app is deployed in Azure, transparently to end users.
- This app pattern is often used by organizations to grant vendors or partners access to their applications.
(Diagram: the app in the virtual network performs an LDAP bind against the managed domain.)
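The LDAP-bind sign-in pattern above, together with the "Secure LDAP (including over the internet)" feature listed earlier, as an added example that is not code from the presentation or from the Azure AD Domain Services product. It assumes a placeholder managed domain contoso.example with a secure LDAP endpoint ldaps.contoso.example:636; the actual bind is performed by an injected `bind` callable so the logic runs offline, and the in-memory FAKE_DIRECTORY standing in for the domain is constructed for the example. The point it makes beyond the slide: a lifted-and-shifted LDAP app should escape anything it puts into a filter (RFC 4515), refuse empty passwords (an empty-password simple bind is an anonymous bind on many directories), and, if the LDAPS endpoint is reachable from the internet, verify the server certificate and host name and pin a TLS floor.

```python
"""LDAP-bind authentication for a lifted-and-shifted web app (added example)."""
import re
import ssl
from typing import Callable

# Placeholders, not values from the presentation.
LDAPS_HOST = "ldaps.contoso.example"
LDAPS_PORT = 636
USER_SUFFIX = "@contoso.example"   # UPN suffix appended to the form username

# RFC 4515 escapes for characters that would otherwise change a filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a value destined for an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def valid_username(username: str) -> bool:
    """Allow-list the form field before it reaches the directory at all."""
    return bool(_USERNAME_RE.match(username))


def build_user_filter(username: str) -> str:
    """Filter used after a successful bind to look up the user's DN or groups.
    Unescaped concatenation here would let input such as '*)(' rewrite the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def ldaps_context() -> ssl.SSLContext:
    """TLS settings for an LDAPS endpoint, especially one exposed to the internet:
    certificate verified against the system trust store, host name checked,
    nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authenticate(username: str, password: str, bind: Callable[[str, str], bool]) -> bool:
    """Authenticate a web-form user by simple bind.

    `bind(upn, password)` performs the real bind over LDAPS and returns True on
    success. An empty password is rejected before binding because many
    directories treat an empty-password simple bind as an anonymous bind that
    "succeeds" without proving anything about the user.
    """
    if not valid_username(username) or not password:
        return False
    return bind(username + USER_SUFFIX, password)


# Constructed stand-in for the managed domain so the example runs offline.
FAKE_DIRECTORY = {"alice@contoso.example": "correct horse battery staple"}


def fake_bind(upn: str, password: str) -> bool:
    """Offline replacement for an LDAPS simple bind (assumption, not a real client)."""
    return FAKE_DIRECTORY.get(upn) == password


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", fake_bind))  # True
    print(authenticate("alice", "", fake_bind))                              # False
    print(authenticate("alice)(x", "anything", fake_bind))                   # False
    print(build_user_filter("*)(uid=*"))
```

In production the `bind` callable wraps an LDAP client (for example python-ldap or ldap3) connected to LDAPS_HOST:LDAPS_PORT with `ldaps_context()`; keep the filter escaping even though the bind itself only needs the UPN, because the same application usually searches for the user's DN or group memberships right after binding.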

Deployment scenario 3: lift-and-shift server applications that use Windows Integrated Authentication
Consider the following application: its web front end uses an AD service account to authenticate access to a backend server.
- This application can be migrated & deployed in Azure VMs.
- You can create custom OUs & provision service accounts within those OUs.
- You can assign custom password policies (e.g. password never expires) to service accounts.
- GMSAs (Group Managed Service Accounts) work as well.
(Diagram: the service account in the virtual network uses WIA against the managed domain.)

Deployment scenario 4: VDI lift-and-shift (Remote Desktop in Azure VMs)
- Deploy domain-joined Remote Desktop VMs for VDI in the cloud.
- Use Group Policy to manage/secure Remote Desktop VMs.
- Known issue: Remote Desktop Licensing server. AAD-DS does not support adding computer accounts to the TS licensing group. Workaround: track licensing outside of the AAD-DS domain.
(Diagram: Remote Desktop server VMs in the virtual network, domain-joined to the managed domain.)

Deployment scenario 5: HDInsight secure Hadoop (preview)
- HDInsight Hadoop clusters can be integrated with AAD Domain Services for secure Hadoop deployments (domain join, Kerberos etc.).
- Feature currently in public preview.
- More information: BA326, Securing big data environments on Azure.
(Diagram: the HDInsight cluster in an ARM virtual network reaches the managed domain in a classic virtual network over a VNet-to-VNet connection.)

Deciding when not to 'DIY' your AD deployment

Feature                                        | Azure AD Domain Services | 'Do-it-yourself' AD in Azure VMs
-----------------------------------------------+--------------------------+---------------------------------
Managed service                                | Yes                      | No
Secured & locked-down deployment               | Yes                      | Needs to be secured
DNS server                                     | Yes (managed service)    | Yes (needs to be configured)
Domain or Enterprise administrator privileges  | No                       | Yes
Domain join                                    | Yes                      | Yes
Domain authentication using NTLM and Kerberos  | Yes                      | Yes
Custom OU structure                            | Yes                      | Yes
Schema extensions                              | No                       | Yes
AD domain/forest trusts                        | No                       | Yes
LDAP read                                      | Yes                      | Yes
Secure LDAP (LDAPS)                            | Yes                      | Yes
LDAP write                                     | No                       | Yes
Group Policy                                   | Simple                   | Full
Geo-dispersed deployments                      | No                       | Yes

More information: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-comparison

What about client workstations?
- We do not recommend this deployment (domain join, Kerberos etc. over VPN/ExpressRoute into the virtual network) with AAD Domain Services.
- For Windows 10 devices, we recommend Azure AD Join.
- Azure AD Join is better suited for mobile clients (e.g. tablets, laptops) and supports BYO devices.
- Devices are managed using MDM (Intune).
- Works even in the absence of a VPN/ExpressRoute connection, and is more resilient to VPN/ExpressRoute outages.
More information: https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-overview/

Post-GA roadmap: help us prioritize!
- Azure Resource Manager (ARM) support: support for ARM-based virtual networks.
- PowerShell automation; ARM template & automation support.
- Support for the new Azure portal (portal.azure.com).
- Resource forest deployments.
- Schema extensions support.
- Support for LDAP writes.
- Sophisticated Group Policy support, including custom GPOs.

Identity and Access Management sessions
Monday
- 02:15 BRK2139 Protect your business and empower your users with cloud Identity and Access Management
Tuesday
- 12:30 BRK3107 Connect your on-premises directories to Azure AD and use one identity for all your apps
- 02:15 BRK3225 Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune
- 04:30 BRK3109 Deliver management and security at scale to Office 365 with Azure Active Directory
Wednesday
- 09:00 BRK3111 Manage productivity at scale with Azure Active Directory
- 11:30 BRK2170 Learn how Unilever modernized IT with Azure Active Directory at the core
- 02:15 BRK3139 Throw away your DMZ: Azure Active Directory Application Proxy deep-dive
- 04:00 BRK3181 Secure your web applications with Microsoft identity
Thursday
- 09:00 BRK3252 Use managed domain services on Microsoft Azure
- 12:30 BRK3182 Secure your native and mobile applications with Microsoft identity and application management
- 02:15 BRK3110 Respond to advanced threats before they start: identity protection at its best!
- 04:00 BRK3179 Modernize your app's consumer identity management with Azure AD B2C
- 04:30 BRK2067 Manage access to SaaS applications with Azure Active Directory
Friday
- 09:00 BRK3074 Discover what's new in Active Directory Federation and Domain Services in Windows Server 2016
- 10:45 BRK3108 Share corporate resources with your partners using Azure AD B2B collaboration
- 12:30 BRK3330 Join your Windows 10 devices to Azure AD for anywhere, anytime productivity

In review: session objectives & takeaways
- Introduce an exciting new service called Azure AD Domain Services.
- Understand how it works & its benefits.
- See the features available in preview today.
- Explore scenarios where you can rely on Azure AD Domain Services instead of setting up domain controllers in VMs.
- View the product roadmap.
- Share your feedback to influence how things evolve.
Key takeaway: learn how you can move applications to Azure IaaS without worrying about identity needs.

Free IT Pro resources: to advance your career in cloud technology
- Plan your career path: Microsoft IT Pro Career Center, www.microsoft.com/itprocareercenter (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role).
- Get started with Azure: Microsoft IT Pro Cloud Essentials, www.microsoft.com/itprocloudessentials ($300 Azure credits and extended trials, Pluralsight 3 month subscription (10 courses), phone support incident).
- Demos and how-to videos: Microsoft Mechanics, www.microsoft.com/mechanics (weekly short videos and insights from Microsoft's leaders and engineers).
- Connect with peers and experts: Microsoft Tech Community, https://techcommunity.microsoft.com (connect with a community of peers and Microsoft experts).

Please evaluate this session
Your feedback is important to us! From your PC or tablet visit MyIgnite at http://myignite.microsoft.com; from your phone download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp

Keep going…
- Try Enterprise Mobility + Security for free, today: www.microsoft.com/en-us/cloud-platform/enterprise-mobility-trial
- Read the CIO's guide to Azure Active Directory: https://info.microsoft.com/CIOsGuideToAzureAD.html?ls=Website
- Explore Identity + Access Management: www.microsoft.com/identity
- Learn more from the Azure AD documentation library: https://docs.microsoft.com/en-us/active-directory/
- Discover password best practices: https://info.microsoft.com/MicrosoftPasswordGuidance.html?ls=Website
- Check out the new Azure AD webinars: https://info.microsoft.com/AADP-Webinar-CLE_AADP-Main-Landing-Page.html?ls=Media
- Microsoft is a leader in Gartner's IDaaS MQ 2016: https://info.microsoft.com/EMS-IDaaS-MQ-2016.html?ls=Website