Local AD, Azure AD, & Google Suite User Management Brainstorm 2018
Slides and Questions: https://goo.gl/fT4FU2
Agenda
- Background information
- Challenges
- Previous Workflow
- Current Tools
- Effectiveness
- Future Goals
About Me
- Technology Coordinator since 2013
- Previously taught MS and HS math and computer courses
- Previously worked as a DBA and MES Programmer
Contact Info:
- Email: Brady.Woudstra@scwarriors.org
- Twitter: @BradyWoudstra
Sioux Center Community School District
- 1400 students
- Historically a Microsoft school
- Google Apps in 2010
- Exchange Online in 2014
- 1:1 Chromebooks grades 4-8
- 1:1 Windows PCs grades 9-12
- VDI for Windows next year
- Chromebooks 1-8, 10-12
- Adding about 50-60 students per year for the last 5 years
Previous Workflow
- Create local user in AD (@sioux-center.k12.ia.us UPN)
- Create user in Google Suite (@scwarriors.org)
- Confirm proper OU
- Wait for DirSync to occur
- Assign license manually to the user in O365
- Update rosters on a variety of applications
Each step required logging into a different system:
- Local DC
- Google Admin Console
- Office 365 Portal
- Other Applications
Even beginning-of-the-year scripting or importing took significant time.
Current Workflow
- Create local user in AD
- Add AD user to license groups (optional if copying an existing user)
- Confirm account in SIS (Infinite Campus)
- Wait for Google Cloud Directory Sync
- Update password
There is one place to create the login (local AD); after that we only reset the password. Normally we copy an existing user so the license groups (and other groups) are pre-populated. Infinite Campus auto-creates the user and then we just need to change the authentication method to LDAP. Office secretaries populate the student email field, which is what Clever needs.
Tools
- Azure AD Connect - https://www.microsoft.com/en-us/download/details.aspx?id=47594
- Google Cloud Directory Sync - https://support.google.com/a/answer/6120989?hl=en
- Google Suite Password Sync - https://support.google.com/a/answer/2611859?hl=en
- Azure Group Based Licensing - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-whatis-azure-portal
- Clever - https://clever.com/
- PowerShell
- LDAP(S) and SAML
Clever: we use it for rostering and some SSO in our elementary. A lot of our MS and HS teachers just use Google OAuth features.
PowerShell: I found some PS scripts that adjusted local AD and AAD instances and tweaked them to accomplish what I needed. My first run-in with PS was when I accidentally deleted all the student accounts in AD from the Exchange Management Console (not knowing at that time how interconnected they were). I then used PS to re-create the bunch.
Summary of Project
Goal: Create a single sign-on experience across multiple platforms
- Remove Gmail from Google Suite
- Assign @scwarriors.org as the UPN and proxyAddress in AD
- Update usernames to first.last from frstlst (squishy name)
- Update MX records
- Connect SIS with Clever
We spent quite a bit of time determining whether to use Gmail or Exchange Online. Our Google domain was @scwarriors.org and our AD forest was @sioux-center.k12.ia.us, so we had to update a lot of details. Updating UPNs after a license is assigned does not update the AAD UPN; you need to run a PowerShell command (set userprincipalname). We did NOT use this solution, but it may work for some institutions: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-google-apps-tutorial
PowerShell for AD and AAD Updates
- UpdateEmailProxyAddresses.ps1
(Show Scripts)
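As an added example of the UPN and proxyAddresses rewrite the project describes (this is not the presenter's UpdateEmailProxyAddresses.ps1), the script below moves every user in one OU from the old @sioux-center.k12.ia.us UPN to a first.last@scwarriors.org UPN, rebuilds proxyAddresses with the old address kept as a secondary alias, refuses to create duplicate UPNs, and logs each change; it supports -WhatIf so the changes can be audited first. The OU path, the log path and the MSOnline cmdlet named in the closing comment are assumptions.

```powershell
# Added example, not the district's script. Assumed: the student OU path below and
# that the "set userprincipalname" step on the slides is Set-MsolUserPrincipalName.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Students,DC=sioux-center,DC=k12,DC=ia,DC=us',  # assumed OU
    [string]$OldSuffix  = 'sioux-center.k12.ia.us',
    [string]$NewSuffix  = 'scwarriors.org',
    [string]$LogPath    = '.\upn-update-log.csv'                           # assumed path
)
Import-Module ActiveDirectory

$users = Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties proxyAddresses, mail

foreach ($u in $users) {
    # Build first.last from the name attributes instead of the "squishy" frstlst login.
    $local = ('{0}.{1}' -f $u.GivenName, $u.Surname).ToLower() -replace '[^a-z0-9.]', ''
    if ($local -eq '.') { Write-Warning "Skipping $($u.SamAccountName): missing name attributes"; continue }
    $newUpn = "$local@$NewSuffix"

    # Refuse to create a duplicate UPN rather than silently colliding with another account.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" |
             Where-Object DistinguishedName -ne $u.DistinguishedName
    if ($clash) { Write-Warning "Skipping $($u.SamAccountName): $newUpn already in use"; continue }

    # Primary SMTP uses the uppercase prefix; the old address stays as a lowercase
    # secondary alias so mail sent to it still arrives after the cut-over.
    $proxies = @("SMTP:$newUpn", "smtp:$($u.UserPrincipalName)")

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "UPN -> $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -EmailAddress $newUpn `
                   -Replace @{ proxyAddresses = $proxies }
        # Keep an audit trail of every identity change made by the script.
        [pscustomobject]@{ Sam = $u.SamAccountName; OldUpn = $u.UserPrincipalName
                           NewUpn = $newUpn; When = Get-Date } |
            Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}
# As the slides note, an already-licensed user keeps the old UPN in Azure AD after sync.
# Assumed fix (MSOnline module), run once per affected user after the sync cycle:
#   Set-MsolUserPrincipalName -UserPrincipalName $old -NewUserPrincipalName $new
```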
Azure AD Connect
- Started with DirSync and updated as the tool improved
DEMO
Azure AD Group Licensing
- Group licensing is fairly new. This has saved me a ridiculous amount of time.
- We still have a lot of users who are assigned licensing from multiple sources.
DEMO
Google Cloud Directory Sync & Password Sync
- Was formerly called Google Apps Directory Sync and Google Apps Password Sync
- The names changed but the functionality hasn't
DEMO
Effectiveness
- Everything works pretty seamlessly
- Simple communication to staff about usernames and passwords
- Lots of OAuth sites for Google
- Lots of control with Microsoft and some OAuth
- Ability to enable SAML from either instance
- Thought about using Azure AD to provision accounts in G Suite, but this created a double logon (although it technically worked)
Shortcomings
- Password resets for staff: GCDS/GSPS wait and password reset
- Confusion for staff on Google Suite and Office 365
- Infinite Campus account creations are not LDAP/SAML
We thought about AAD Premium, but if we migrate to Gmail this isn't necessary. Although now, with Microsoft 365, we may be able to do just that. Staff have no idea that these things are connected, so they have a hard time grasping what username and password to use on things, and for the most part they can just use the same one. A few tools we use allow for either Google or O365 logins, and staff aren't sure which to use.
Future Goals
- Auto-create AD accounts & password reset
- Auto-email required staff (grade teams, etc.)
- Migrate all LDAP to SAML authentication
A possible workflow would be to have secretaries enter the student into a text doc or spreadsheet, which PowerShell then pulls from and creates the user, puts them in the right OU, and then another PS script resets the password. It could then email the tech staff the info and we can update our spreadsheet. Or have it auto-create a CSV based on an export from IC to an SMB/FTP drive.
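As an added example of the CSV-driven workflow sketched above (not the district's code), the script below reads a secretary-maintained or IC-exported CSV, creates each missing AD account in a per-grade OU, adds it to the license group, and sets a random initial password that must be changed at first logon; the password is emitted to the pipeline for an out-of-band handoff rather than written back to the shared file. The CSV columns, file path, OU layout and group name are assumptions.

```powershell
# Added example, not the district's script. Assumed CSV columns: StudentId,FirstName,LastName,Grade
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath      = '\\fileserver\newstudents\new-students.csv',        # assumed IC export
    [string]$Domain       = 'scwarriors.org',
    [string]$OuRoot       = 'OU=Students,DC=sioux-center,DC=k12,DC=ia,DC=us',   # assumed OU
    [string]$LicenseGroup = 'Lic-Students-O365'                                 # assumed group
)
Import-Module ActiveDirectory

function New-InitialPassword {
    # 18 bytes from a CSPRNG, base64 encoded: not guessable, and rotated at first logon anyway.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

foreach ($row in Import-Csv -Path $CsvPath) {
    if (-not ($row.FirstName -and $row.LastName -and $row.Grade)) {
        Write-Warning "Skipping row with StudentId '$($row.StudentId)': missing name or grade"; continue
    }
    $local = ('{0}.{1}' -f $row.FirstName, $row.LastName).ToLower() -replace '[^a-z0-9.]', ''
    $sam   = $local.Substring(0, [Math]::Min(20, $local.Length))   # sAMAccountName is capped at 20 chars
    $upn   = "$local@$Domain"
    $ou    = "OU=Grade$($row.Grade),$OuRoot"

    # Idempotent: rerunning on the same export must not create duplicates or reset anyone.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam' -or UserPrincipalName -eq '$upn'") {
        Write-Warning "Skipping $upn (StudentId $($row.StudentId)): account already exists"; continue
    }

    $pw = New-InitialPassword
    if ($PSCmdlet.ShouldProcess($upn, "Create in $ou")) {
        New-ADUser -Name "$($row.FirstName) $($row.LastName)" -GivenName $row.FirstName -Surname $row.LastName `
            -SamAccountName $sam -UserPrincipalName $upn -EmailAddress $upn -EmployeeID $row.StudentId `
            -Path $ou -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true
        Add-ADGroupMember -Identity $LicenseGroup -Members $sam   # picks up group-based licensing
        # Hand the one-time password to tech staff out of band; deliberately not written to the CSV.
        [pscustomobject]@{ StudentId = $row.StudentId; Upn = $upn; OU = $ou; InitialPassword = $pw }
    }
}
```

Run it first with -WhatIf to review which accounts and OUs it would touch before creating anything.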
Questions?
Slide Link: goo.gl/fT4FU2