Agenda AD to Windows Azure AD Sync Options Federation Architecture

Presentation transcript:

Agenda (presented by Sachin Shetty)
  1. AD to Windows Azure AD sync options
  2. Federation architecture
  3. AD to AAD quick start

AD to AAD Sync Options

Identities for Microsoft Cloud Services

Two distinct identity systems serve Microsoft cloud services:

  Organizational Account (OrgID; also called the OnMicrosoft or Azure AD account)
    Used for organizational services such as Office 365, CRM Online and Intune
    Examples: Sachin@contoso.com, sachin@contoso.onmicrosoft.com

  Microsoft Account (formerly Live ID)
    Used for personal services such as SkyDrive, Xbox Live and Outlook.com
    Examples: Sachin@outlook.com, sachin@live.com

For reasons such as privacy and use rights there is no direct connection or federation between the two identity systems. A user can use both identities on the same device independently, and at times simultaneously, but the two identities are never integrated with each other.

Cloud-Only / No Integration

[Diagram: Windows Azure Active Directory (directory store, authentication platform, provisioning platform) serves Office 365, Dynamics CRM Online and Windows Intune and is administered through the Admin Portal, PowerShell or the Graph API. Cloud identities such as Joe@contoso.msonline.com are mastered in the cloud IdP. On the Contoso customer premises, AD remains the IdP for the corporate app with identities such as shetty@contoso.com; the two directories have no link.]

Directory Synchronization

[Diagram: the same picture as Cloud-Only, except that the Directory Sync tool (DirSync) on the customer premises pushes AD objects into the Windows Azure Active Directory directory store through the provisioning platform. Authentication still happens against the cloud IdP; AD stays the IdP for the corporate app.]

Directory Synchronization Options

DirSync
  - Suitable for organizations using Active Directory (AD)
  - Supports Exchange co-existence scenarios
  - Coupled with AD FS, provides the best option for federation and synchronization
  - Does not require any additional software licenses
  - Multi-forest available through MCS and partners

Forefront Identity Manager (FIM) with the Office 365 Connector
  - Suitable for all organizations, and in particular for large organizations with certain AD and non-AD scenarios
  - Handles complex multi-forest AD scenarios
  - Non-AD synchronization through Microsoft Premier deployment support
  - Supports Exchange co-existence scenarios
  - Requires Forefront Identity Manager and additional software licenses

PowerShell and Graph API
  - Suitable for small and medium size organizations with AD or non-AD
  - Not a highly recommended option compared with DirSync or the FIM connector
  - Performance limitations apply to PowerShell and Graph API provisioning; for large numbers of users DirSync and FIM are the recommended options
  - PowerShell requires extensive scripting experience
  - Usable where the customer or partner already has wrappers around PowerShell scripts (e.g. self-service provisioning)
  - As this is a custom solution, Microsoft support may not be able to help if there are issues
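The PowerShell option is the only one of the three with no product behind it, so the following is an added example, not from the deck or from Microsoft, of the kind of provisioning wrapper the slide refers to. It reads enabled users from an on-premises OU with the ActiveDirectory module, skips any whose UPN suffix is not a verified domain in the tenant, and creates the missing cloud accounts with New-MsolUser. The OU path, usage location and licence SKU are assumptions.

```powershell
# Added example (not from the deck): the 'PowerShell' provisioning option, i.e. a
# script that mirrors enabled AD users into Windows Azure AD as cloud identities.
# Assumptions: the OU path, usage location and licence SKU below; the account used
# with Connect-MsolService must be allowed to create users in the tenant.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$SearchBase    = 'OU=Staff,DC=contoso,DC=com'   # assumption
$UsageLocation = 'US'                           # assumption; required before a licence can be assigned
$LicenseSku    = 'contoso:ENTERPRISEPACK'       # assumption; list real values with Get-MsolAccountSku

function Get-CloudUser([string]$Upn) {
    # Get-MsolUser raises an error for an unknown UPN; treat that as 'not found'.
    try { return Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop } catch { return $null }
}

function Sync-UsersToCloud {
    # Only a verified tenant domain can be a cloud UPN suffix, so anything else is
    # skipped instead of silently landing under the default onmicrosoft.com domain.
    $verified = @(Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object { $_.Name })
    $created  = @()

    $adUsers = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties UserPrincipalName, GivenName, Surname, DisplayName
    foreach ($u in $adUsers) {
        $upn = $u.UserPrincipalName
        if (-not $upn) { Write-Warning "$($u.SamAccountName): no UPN set, skipped"; continue }
        $suffix = $upn.Split('@')[-1]
        if ($verified -notcontains $suffix) {
            Write-Warning "${upn}: suffix '$suffix' is not a verified tenant domain, skipped"
            continue
        }
        if (Get-CloudUser $upn) { continue }   # idempotent: re-running the script is safe

        # A cloud-only account has its own password (the '2 sets of credentials' drawback);
        # let the service generate it and force a change at first sign-in.
        $display = if ($u.DisplayName) { $u.DisplayName } else { $u.Name }
        $params = @{
            UserPrincipalName   = $upn
            DisplayName         = $display
            FirstName           = $u.GivenName
            LastName            = $u.Surname
            UsageLocation       = $UsageLocation
            LicenseAssignment   = $LicenseSku
            ForceChangePassword = $true
        }
        $created += New-MsolUser @params
    }
    return $created
}

$newUsers = Sync-UsersToCloud
Write-Host "Created $($newUsers.Count) cloud users"
```

Because the cloud password is generated independently of AD, this wrapper gives exactly the "two sets of credentials with differing password policies" situation the next slides list as a drawback; it is the reason the deck steers larger deployments to DirSync or FIM.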

Directory and Federated SSO

[Diagram: adds to the synchronization picture a trust between Windows Azure Active Directory and an on-premises Active Directory Federation Server 2.0. DirSync still provisions the accounts; authentication for Office 365, Dynamics CRM Online and Windows Intune is redirected to the on-premises IdP (AD FS backed by AD), so the corporate app and the cloud services share one IdP.]

Federation options

AD FS (works only with on-premises AD)
  - Suitable for medium and large enterprises, including educational organizations
  - Recommended option for Active Directory (AD) based customers; the most recommended option overall, as it is supported end to end by Microsoft and offers the best customer experience
  - Offers the advantage of evolving with Microsoft's identity strategy
  - Single sign-on with secure token-based authentication
  - Supports all web and rich client scenarios
  - Microsoft supported
  - Requires on-premises servers, licenses and support

Third-party STS (works with AD and non-AD stores)
  - Suitable for medium and large enterprises, including educational organizations
  - Recommended where customers use existing non-AD FS identity systems, with AD or non-AD stores; a good option for customers that already run third-party identity systems in their infrastructure
  - Single sign-on with secure token-based authentication
  - Support for web and rich clients
  - Third-party supported; verified through the 'Works with Office 365' program (discussed in the next slide)
  - Requires on-premises servers, licenses and support

Shibboleth (works with AD and non-AD stores)
  - Suitable for educational organizations
  - Recommended where customers use existing non-AD FS identity systems
  - Single sign-on with secure token-based authentication
  - Works only for web clients and Outlook: Lync, certain Office Pro Plus scenarios and ActiveSync on mobile will not work
  - Microsoft supported for the integration only; no Shibboleth deployment support
  - Requires on-premises servers and support
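Whichever STS is chosen, the tenant accepts any token signed by the certificate registered for the federated domain, so that certificate is the trust anchor for every user in the domain. A check worth running after setup and after each certificate rollover is that the signers the tenant trusts are exactly the token-signing certificates the AD FS farm owns. The following is an added example, not from the deck, written against the MSOnline and ADFS modules; the domain name is a placeholder and the script must run on an AD FS server.

```powershell
# Added example (not from the deck): confirm that the federation trust a tenant holds
# for a domain matches the local AD FS farm's token-signing certificates.
# Assumptions: run on an AD FS server with the MSOnline module; 'contoso.com' is a placeholder.
Import-Module MSOnline
Import-Module ADFS

function Get-CertificateThumbprint([string]$Base64Der) {
    # Windows Azure AD hands back the signing certificates as base64 DER blobs.
    if ([string]::IsNullOrEmpty($Base64Der)) { return $null }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[Convert]::FromBase64String($Base64Der))
    return $cert.Thumbprint
}

function Test-FederationTrust([string]$DomainName) {
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName

    # Signers the tenant will accept for this domain (current and, during rollover, next).
    $tenantThumbs = @(@($fed.SigningCertificate, $fed.NextSigningCertificate) |
        ForEach-Object { Get-CertificateThumbprint $_ } | Where-Object { $_ })

    # Certificates the farm actually signs with (primary plus any secondary).
    $farmThumbs = @(Get-AdfsCertificate -CertificateType Token-Signing |
        ForEach-Object { $_.Certificate.Thumbprint })

    $unknown = @($tenantThumbs | Where-Object { $farmThumbs -notcontains $_ })
    $missing = @($farmThumbs   | Where-Object { $tenantThumbs -notcontains $_ })

    [pscustomobject]@{
        Domain         = $DomainName
        IssuerUri      = $fed.IssuerUri
        PassiveLogOnUri = $fed.PassiveLogOnUri
        TenantSigners  = $tenantThumbs
        FarmSigners    = $farmThumbs
        # A signer the tenant trusts that the farm does not own needs investigating.
        UnknownSigners = $unknown
        # A farm certificate the tenant does not know yet: rollover not pushed with Update-MsolFederatedDomain.
        StaleInTenant  = $missing
        Ok             = ($unknown.Count -eq 0 -and $missing.Count -eq 0)
    }
}

Connect-MsolService
Test-FederationTrust -DomainName 'contoso.com' | Format-List
```

Also compare IssuerUri and PassiveLogOnUri with the values the farm reports (Get-AdfsProperties); an endpoint pointing anywhere but your own federation service redirects every sign-in for the domain to that host.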

Identity Options Comparison

1. No Integration
  Appropriate for: smaller organizations without AD on-premises
  Pros: no servers required on-premises; same domain name for users possible
  Cons: no SSO; no 2FA; two sets of credentials to manage with differing password policies; IDs mastered in the cloud

2. Directory Only (synchronization)
  Pros: users and groups mastered on-premises; enables co-existence; single-server deployment
  Cons: no 2FA until Spring 2013; two sets of credentials with differing password policies, unless passwords are synchronized manually, by a third-party tool or with FIM; no SSO

3. Directory and SSO (synchronization plus federation)
  Pros: SSO with the corporate credential; IDs mastered on-premises; password policy controlled on-premises; 2FA solutions possible; enables hybrid scenarios; location isolation; ideal for multiple forests
  Cons: additional servers required for AD FS

Accounts in Windows Azure AD Demo

Federation Architecture

Federated Architecture

[Diagram: on CorpNet, Active Directory and Server1 running AD FS plus DirSync; in the perimeter, Server2 running the AD FS Proxy facing the Internet; Windows Azure AD in the cloud, trusting the AD FS farm and receiving objects from DirSync.]

AD FS Scalability Planning

  Users            Dedicated federation servers       Federation server proxies   Comments
  < 1,000          none dedicated                     1                           Deploy AD FS on two DCs
  1,000–15,000     2                                                              Install NLB on proxies
  15,000–60,000    2, plus 1 for every 15,000 users   2+                          Install NLB on proxies or use a dedicated NLB implementation

Source: http://technet.microsoft.com/en-us/library/jj151794.aspx

Federated Architecture on Windows Azure!

[Diagram: a Windows Azure subscription hosts a VM with AD FS and AD, the AD FS Proxy and DirSync; a VPN links the subscription to CorpNet, where the on-premises Active Directory lives; the proxy faces the Internet and Windows Azure AD trusts the farm.]

Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

Quickstart Guide Architecture

[Diagram: two Windows Server 2012 machines. Server1 runs AD FS and DirSync alongside Active Directory; Server2 runs the AD FS Proxy; both integrate with Windows Azure AD.]

AD to AAD Quickstart Steps
  1. Add domain to Windows Azure AD [Windows Azure, from Server1]
  2. Activate DirSync [Windows Azure, from Server1]
  3. Install AD FS server role [Server1]
  4. Configure AD FS server [Server1]
  5. Install AD FS Proxy (optional) [Server2]
  6. Configure AD FS Proxy (optional) [Server2]
  7. Configure inbound SSL access [Server2]
  8. Configure AD federation support [Server1]
  9. Install and configure DirSync [Server1]

Demo Pre-requisites & Initial Setup Install and Configure a new AD FS farm

PS – Activate DirSync + Add AD FS Role

  # Step 2. Activate DirSync [in Windows Azure, run from Server1]
  # Needs the MSOnline module and an administrator Organizational Account for the tenant.
  Import-Module MSOnline
  Connect-MsolService
  Set-MsolDirSyncEnabled -EnableDirSync $true

  # Step 3. Add the AD FS role [on Server1]
  Install-WindowsFeature ADFS-Federation

Configure AD FS Role [on Server1]

  # $Certificate, $script:ADFSSubjectName and $script:ADFSCredentials are set earlier in the quick-start script.
  Install-AdfsFarm -CertificateThumbprint $Certificate.Thumbprint `
      -FederationServiceName $script:ADFSSubjectName `
      -ServiceAccountCredential $script:ADFSCredentials `
      -OverwriteConfiguration

Note: the Windows Server 2008 R2 path (FSPConfigWizard.exe) is commented out in the script:

  # Start-Process -FilePath ("$env:SystemRoot\ADFS\FSPConfigWizard.exe") -Wait -ArgumentList @(
  #     '/Hostname', $script:ADFSSubjectName,
  #     '/Username', $script:ADFSAccountName,
  #     '/Password', (ConvertFrom-QSSecureStringToPlaintext -SecureString $script:ADFSAccountPassword))

The 2008 R2 wizard takes the service account password in plaintext on the command line, where it is visible in process listings and command-line auditing; Install-AdfsFarm takes a PSCredential instead, which is one more reason to prefer the Windows Server 2012 path.

What we've built so far

[Diagram: inside the Windows Azure subscription, a VM with AD and AD FS; a VPN to Active Directory on CorpNet; Windows Azure AD with DirSync activated but not yet synced, and the domain name added but not yet verified.]

Configure Inbound SSL Access

[Diagram: the AD FS + AD VM in the Windows Azure subscription is reachable from the Internet through the cloud service mycloudservice.cloudapp.net at 157.56.167.107 for the domain Christianboarders.com; the VPN still links the subscription to Active Directory on CorpNet, and Windows Azure AD reaches the federation endpoint over the Internet.]

Install DirSync on WS 2012 [on Server1] (TechReady 16)

  # Write-QSTitle, Write-QSError and Require-QSDownloadableFile are helpers defined in the quick-start script (not shown).
  Write-QSTitle 'Download, install, and configure the DirSync tool'
  $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
  if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
      Write-QSError 'DirSync download failed.'
      return
  }
  # The download URL is plain HTTP, so verify the installer's Authenticode signature before running it.
  $sig = Get-AuthenticodeSignature -FilePath $DirSyncFilename
  if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
      Write-QSError "DirSync installer signature check failed ($($sig.Status))."
      return
  }
  Write-Host 'Running DirSync installer...'
  Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

Note: SQL 2008 R2 Express is not officially supported on WS 2012. SP1 is supported, but see http://support.microsoft.com/kb/2681562.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

Configure DirSync [on Server1]

  # Run inside the DirSync configuration shell (DirSyncConfigShell.psc1) so the Coexistence cmdlets are loaded.
  # $script:MsolCredential is set earlier in the quick-start script.
  Write-Host 'Requesting synchronization credentials...'
  # Cloud account DirSync will use permanently: use a dedicated account, not an administrator's.
  $TargetCredentials = Get-Credential -Message 'Permanent Synchronization Credentials'
  Write-Host 'Requesting local credentials...'
  $SourceCredentials = Get-Credential -Message 'Local Active Directory Administrator'
  Write-Host 'Requesting online coexistence configuration information...'
  $Configuration = Get-CoexistenceConfiguration -TargetCredentials $script:MsolCredential
  Write-Host 'Configuring local coexistence configuration information...'
  Set-CoexistenceConfiguration -SourceCredentials $SourceCredentials -TargetCredentials $TargetCredentials
  Write-Host 'Requesting an immediate synchronization...'
  Start-OnlineCoexistenceSync
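Steps 1 and 8 of the quick start (add and verify the domain, then configure federation support) have no code on the slides. The following is an added example, not from the deck or from Microsoft's quick-start script, that covers them with the MSOnline module: it adds the domain to the tenant, prints the TXT record to publish, polls DNS until the record is visible, confirms the domain, and then converts it to federated against the AD FS farm on Server1. The domain name and AD FS server name are placeholders.

```powershell
# Added example (not from the deck): quick-start steps 1 and 8 with the MSOnline module.
# Assumptions: the domain 'contoso.com', the AD FS server 'server1.contoso.com', and a
# tenant global administrator account for Connect-MsolService. Run from Server1.
Import-Module MSOnline
Connect-MsolService

function Get-TenantDomain([string]$DomainName) {
    # Get-MsolDomain errors for an unknown domain; treat that as 'not present'.
    try { return Get-MsolDomain -DomainName $DomainName -ErrorAction Stop } catch { return $null }
}

function Add-VerifiedDomain([string]$DomainName, [int]$MaxAttempts = 20) {
    # Step 1: add the domain (idempotent) and obtain the DNS TXT proof of ownership.
    if (-not (Get-TenantDomain $DomainName)) { New-MsolDomain -Name $DomainName | Out-Null }
    $dns = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
    Write-Host "Publish a TXT record at '$DomainName' with the value: $($dns.Text)"

    # Poll public DNS until the record is visible, then ask the service to confirm it.
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $txt = Resolve-DnsName -Name $DomainName -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings }
        if ($txt -contains $dns.Text) {
            Confirm-MsolDomain -DomainName $DomainName
            break
        }
        Write-Host "TXT record not visible yet (attempt $i of $MaxAttempts); waiting 30 s"
        Start-Sleep -Seconds 30
    }
    return (Get-TenantDomain $DomainName)
}

function Enable-DomainFederation([string]$DomainName, [string]$AdfsServer) {
    # Step 8: the conversion reads the farm's endpoints, issuer and token-signing
    # certificate from AD FS and writes them into the tenant as the federation trust.
    $domain = Get-TenantDomain $DomainName
    if (-not $domain -or $domain.Status -ne 'Verified') { throw "$DomainName is not verified; cannot federate" }
    if ($domain.Authentication -eq 'Federated') {
        Write-Host "$DomainName is already federated"
    } else {
        Set-MsolADFSContext -Computer $AdfsServer
        Convert-MsolDomainToFederated -DomainName $DomainName
    }
    # Shows the trust as seen from AD FS and from the tenant side by side;
    # a mismatch means a stale certificate or endpoint.
    Get-MsolFederationProperty -DomainName $DomainName
}

$domainState = Add-VerifiedDomain -DomainName 'contoso.com'
if ($domainState.Status -eq 'Verified') {
    Enable-DomainFederation -DomainName 'contoso.com' -AdfsServer 'server1.contoso.com'
} else {
    Write-Warning 'Domain still unverified; publish the TXT record and re-run.'
}
```

The verified-domain check matters because the conversion changes how every user with that UPN suffix signs in; converting the wrong domain, or converting before the farm's public endpoint (step 7) works, locks those users out until the domain is converted back with Convert-MsolDomainToStandard.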

Final Configuration

[Diagram: the Windows Azure subscription now holds AD FS + AD, the AD FS Proxy and DirSync, with the VPN to Active Directory on CorpNet; Windows Azure AD shows DirSync activated and synced, and the domain name added and verified.]

Actual Times Taken

  Document step   Script steps   Component of configuration                                Time taken
  1               1-2            Initial software installation (pre-requisites) *, ***     1 min 12 sec
                  3              Office 365 Readiness Tool                                 5 min 48 sec
  2               4-5            Add domain name in Windows Azure AD                       27 sec
                  6              Activate DirSync support                                  10 sec
  4               7-14           Install and configure on-premises AD FS Server1 **        2 min 53 sec
  5               15-22          Install and configure AD FS Proxy Server2 *, ***, ****    6 min 12 sec
                  23-24          Configure Windows Azure AD federation support             41 sec
  7               25-27          Install and configure DirSync                             3 min 26 sec

  *    Includes auto-install of .NET Framework tools
  **   Includes use of a self-signed certificate and auto-install of RSAT-DNS tools
  ***  Includes install of the Sign-in Assistant and the PowerShell module for MS Online
  **** Used a single-core VM, versus the AD FS server VM with 6 cores

Thank you