4/20/2019 11:04 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Active Directory * + Windows Azure [FTW] 4/20/2019 11:04 PM Active Directory * + Windows Azure [FTW] David Tesar Technical Evangelist, Microsoft http://www.itproguy.com WS-B331 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session Objectives And Takeaways Tech Ready 15 4/20/2019 Session Objectives And Takeaways Session Objective(s): Essentials of running AD in Windows Azure Understand Identity Sync options of AD to Windows Azure AD Learn how to go from just AD to Federation/SSO/DirSync with Windows Azure AD in < 1 hr Running AD on Windows Azure IaaS is straightforward You probably want Windows Azure AD & Federation AD to Windows Azure AD federation can be quick to enable Session NON Objectives: Deep Dive or Quickstart on Multi-Forest scenarios & Non-AD sources © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda Why AD on Windows Azure IaaS? Why Windows Azure AD? + Identity Sync Options Federation Architecture Details Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

Why AD on Windows Azure AD IaaS?

Local authentication in Windows Azure Datacenter – West US Contoso CORP SITE – Las Vegas, NV AD SharePoint RDS VPN Tunnel Cloud Service Virtual Network AD Website

Contoso CORP SITE – Las Vegas, NV Disaster Recovery Windows Azure Datacenter – West US Contoso CORP SITE – Las Vegas, NV AD SharePoint Website VPN Tunnel Cloud Service Virtual Network AD Website

New DC on Windows Azure IaaS Microsoft Management Summit 2013 4/20/2019 11:04 PM New DC on Windows Azure IaaS Demo © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Why Windows Azure AD? + Identity Options

Identities for Microsoft Cloud Services Personal Services Organizational Services User OrgID Organizational Account OnMicrosoft Account (Azure AD Account) Examples: alice@contoso.com alice@contoso.onmicrosoft.com Live ID Microsoft Account Examples: alice@outlook.com alice@live.com User

Microsoft Management Summit 2013 4/20/2019 11:04 PM Why Windows Azure AD? Azure AD Office 365 Windows Azure MP CORP App CRM Online Windows InTune Office 365 Azure AD AD © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Cloud-Only / No Integration Directory Synchronization Directory and Federated SSO Office 365 Windows Azure Active Directory Joe@contoso.msonline.com Authentication platform Dynamics CRM Online Contoso customer premises Admin Portal/ PowerShell/GRAPH IdP CORP App IdP AD Directory Store Provisioning platform Windows Intune Joe@contoso.com

Directory Synchronization No Integration Directory Synchronization Directory and Single sign-on (SSO) Office 365 Windows Azure Active Directory Authentication platform Dynamics CRM Online Contoso customer premises Admin Portal/ PowerShell/GRAPH IdP CORP App IdP Directory Store AD Directory Sync (DirSync) Provisioning platform Windows Intune

Directory Synchronization Options DirSync Office 365 Connector PowerShell & Graph API Suitable for Organizations using Active Directory (AD) Supports Exchange Co-existence scenarios Coupled with AD FS, provides best option for federation and synchronization Does not require any additional software licenses Multi-forest available through MCS+Partners Suitable for large organizations with certain AD and Non-AD scenarios Complex multi-forest AD scenarios Non-AD synchronization through Microsoft premier deployment support Requires Forefront Identity Manager and additional software licenses Suitable for small/medium size organizations with AD or Non- AD Not a highly recommended option compared to DirSync or FIM Connector Performance limitations apply with PowerShell and Graph API provisioning PowerShell requires extensive scripting experience PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning) As this is a custom solution, Microsoft support may not be able to help if there are issues Forefront Identity Manager (FIM) Suitable for all organizations. Most Robust for Sync. More features: Password Reset, Compliance, Access, Policy, and Group Management

Directory and Federated SSO No Integration Directory Synchronization Directory and Federated SSO CORP App Windows Azure Active Directory Authentication platform Dynamics CRM Online Contoso customer premises Trust Active Directory Federation Server 2.0 Admin Portal/ PowerShell/GRAPH IdP Office 365 IdP Directory Store AD Directory Sync (DirSync) Provisioning platform Windows Intune

Federation options AD FS Third-party STS Shibboleth Works with AD Third-party STS Works with AD & Non-AD Shibboleth Works with AD & Non-AD Suitable for medium, large enterprises including educational organizations Recommended option for Active Directory (AD) based customers Single sign-on Secure token based authentication Support for web and rich clients Microsoft supported Works for Office 365 Hybrid Scenarios Requires on-premises servers, licenses & support Suitable for medium, large enterprises including educational organizations Recommended where customers may use existing non-AD FS Identity systems with AD or Non-AD Single sign-on Secure token based authentication Support for web and rich clients Third-party supported Requires on-premises servers, licenses & support Verified through ‘works with Office 365’ program Works for Office 365 Hybrid Scenarios Suitable for educational organizations Recommended where customers may use existing non-AD FS Identity systems Single sign-on Secure token based authentication Support for web clients and outlook only Microsoft supported for integration only, no shibboleth deployment support Requires on-premises servers & support Works with AD and other directories on-premises

Identity Options Comparison 1. No Integration 2. Directory Only 3. Directory and SSO Appropriate for Smaller orgs without AD on-premise Pros No servers required on-premise Same Domain name for users possible Cons No SSO No 2FA 2 sets of credentials to manage with differing password policies IDs mastered in the cloud Pros Users and groups mastered on-premise Enables co-existence Single server deployment Cons No 2FA until Spring 2013 2 sets of credentials to manage with differing password policies OR Manual / 3rd Party password Sync OR use FIM No SSO Pros SSO with corporate cred IDs mastered on-premise Password policy controlled on-premise 2FA solutions possible Enables hybrid scenarios Location isolation Ideal for multiple forests Cons Additional Servers required for AD FS

Accounts in Windows Azure AD Demo

Federation Architecture

Federated Architecture Active Directory Windows Azure AD AD FS + DirSync AD FS Proxy [Server1] [Server2] Internet CorpNet

AD FS Scalability Planning Users Dedicated Federation Servers Federation server proxies NLB servers Comments <1,000 1 Deploy AD FS on two DCs 1,000–15,000 2 Install NLB on proxies 15,000–60,000 2+1 for every 15,000 users 2+ Install NLB on proxies or use dedicated NLB implementation http://technet.microsoft.com/en-us/library/jj151794.aspx

Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

Quickstart Guide Architecture Windows Server 2012 Windows Server 2012 Active Directory Windows Azure AD AD FS + DirSync AD FS Proxy [Server1] [Server2] Internet CorpNet

AD to AAD Quickstart Steps Add Domain to Windows Azure AD [Windows Azure from Server1] Activate DirSync [Windows Azure from Server1] Install AD FS Server Role [Server1] Configure AD FS Server [Server1] Install AD FS Proxy (optional) [Server2] Configure AD FS Proxy (optional) [Server2] Configure Inbound SSL Access [Server2] Configure AD Federation Support [Server1] Install & Configure DirSync [Server1]

Demo 0) Install Pre-requisite Tools [Server1] Add Domain to Windows Azure AD [Windows Azure from Server1] Activate DirSync [Windows Azure from Server1] Add AD FS Role [Server1]

PS – Add Federated Domain [In Windows Azure] New-MsolDomain -Name $SelectedSuffix -Authentication Federated $Domain = Get-MsolDomain -DomainName $SelectedSuffix if ($Domain.Status -eq 'Verified') { Write-Host ' ' Write-Host 'Domain is verified. If it is a subdomain of an existing domain, this is automatic.' } else { Write-Host -NoNewline 'Domain verification code: ' Get-QSMsolDNSVerificationText -Domain $SelectedSuffix

PS – Activate DirSync + Add AD FS Role 2. Activating DirSync [In Windows Azure on Server1] Set-MsolDirSyncEnabled -EnableDirSync $true 3. Add AD FS Role [on Server1] Install-WindowsFeature ADFS-Federation

Demo AD FS prerequisite steps (service acct, cert) Configure AD FS Role [Server1]

Configure AD FS Role -FederationServiceName $script:ADFSSubjectName ` [On Server1] Install-AdfsFarm -CertificateThumbprint $Certificate.Thumbprint ` -FederationServiceName $script:ADFSSubjectName ` -ServiceAccountCredential $script:ADFSCredentials ` -OverwriteConfiguration Note: WS 2008 R2 code #commented out in script Start-Process -FilePath ("$env:SystemRoot\ADFS\FSPConfigWizard.exe") -Wait -ArgumentList @( ` '/Hostname', $script:ADFSSubjectName, ` '/Username', $script:ADFSAccountName, ` '/Password', (ConvertFrom-QSSecureStringToPlaintext -SecureString $script:ADFSAccountPassword)

What we’ve built so far Active Directory Windows Azure AD AD FS AD FS Proxy DirSync – Activated, not synced Domain Name – Added, not verified [Server1] [Server2] Internet CorpNet

Configure Inbound SSL Access Active Directory Windows Azure AD AD FS AD FS Proxy 157.56.167.107 Internet CorpNet

AD to AAD Quickstart Steps Add Domain to Windows Azure AD [Windows Azure from Server1] Activate DirSync [Windows Azure from Server1] Install AD FS Server Role [Server1] Configure AD FS Server [Server1] Install AD FS Proxy (optional) [Server2] Configure AD FS Proxy (optional) [Server2] Configure Inbound SSL Access [Server2] Configure AD Federation Support [Server1] Install & Configure DirSync [Server1]

Verify Federated Domain [In Windows Azure on Server1] New-MsolFederatedDomain -DomainName $Domain

TechReady 16 4/20/2019 Install DirSync on WS 2012 [On Server1] Write-QSTitle 'Download, install, and configure the DirSync tool' $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe' if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) { Write-QSError 'DirSync download failed.' return } Write-Host 'Running DirSync installer...' Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait Note: SQL 2008 R2 Express not officially supported on WS 2012. SP1 is supported, but http://support.microsoft.com/kb/2681562 © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Configure DirSync [On Server1] Write-Host 'Requesting synchronization credentials...' $TargetCredentials = Get-Credential -Message 'Permanent Synchronization Credentials' Write-Host 'Requesting local credentials...' $SourceCredentials = Get-Credential -Message 'Local Active Directory Administrator' Write-Host 'Requesting online coexistence configuration information...' $Configuration = Get-CoexistenceConfiguration -TargetCredentials $script:MsolCredential Write-Host 'Configuring local coexistence configuration information...' Set-CoexistenceConfiguration -SourceCredentials $SourceCredentials -TargetCredentials $TargetCredentials Write-Host 'Requesting an immediate synchronization...' Start-OnlineCoexistenceSync

Final Configuration Active Directory Windows Azure AD AD FS + DirSync AD FS Proxy DirSync – Activated + synced Domain Name – Added + verified [Server1] [Server2] Internet CorpNet

Actual Times Taken *Includes auto-install of .Net Framework tools Document Step # PS Script Step # Component of Configuration Actual Time Taken 1 1-2 Initial Software Installation (pre-requisites)*,*** 1 min 12 sec 3 Office 365 Readiness Tool 5 min 48 sec 2 4-5 Add Domain Name in Windows Azure AD 27 sec 6 Activate DirSync Support 10 sec 4 7-14 Install and Configure On-Premise AD FS Server1** 2 min 53 sec 5 15-22 Install and Configure AD FS Proxy Server2*, ***, **** 6 min 12 sec 23-24 Configure Windows Azure AD Federation Support 41 sec 7 25-27 Install and Configure DirSync 3 min 26 sec *Includes auto-install of .Net Framework tools **Includes using self-signed certificate & auto-install of RSAT-DNS tools *** Includes install of Sign-in Assistant & PS Module for MS Online **** Used single-core VM for comparison vs AD FS server VM with 6 cores

Total Time Taken ~20 Minutes

Federated Architecture on Windows Azure! Windows Azure Subscription VPN Active Directory Windows Azure AD AD FS + AD AD FS Proxy DirSync CorpNet Internet

AD+ AD FS + DirSync on IaaS Demo AD+ AD FS + DirSync on IaaS

In Review: Objectives And Takeaways Tech Ready 15 4/20/2019 In Review: Objectives And Takeaways Session Objective(s): Essentials of running AD in Windows Azure Understand Identity Sync options of AD to Windows Azure AD Learn how to go from just AD to Federation/SSO/DirSync with Windows Azure AD in < 1 hr Running AD on Windows Azure IaaS is straightforward You probably want Windows Azure AD & Federation AD to Windows Azure AD federation can be quick to enable Session NON Objectives: Deep Dive or Quickstart on Multi-Forest scenarios & Non-AD sources © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources The Quickstart guide + PS Script! http://aka.ms/AD2AAD Tech Ready 15 4/20/2019 Resources The Quickstart guide + PS Script! http://aka.ms/AD2AAD Running AD on Windows Azure IaaS http://technet.microsoft.com/en-us/library/jj713614.aspx Windows Azure Training Kit http://aka.ms/github HOL-DeployingActiveDirectory HOL-DeployingActiveDirectoryPS PRESENTATION-DeployingActiveDirectory © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

We want to hear from you! Evaluation Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

Access MMS Online to view session recordings after the event. Resources Access MMS Online to view session recordings after the event. http://channel9.msdn.com/Events

4/20/2019 11:04 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.