1
Azure AD Domain Services Use managed domain services on Azure
Microsoft Ignite 2016, session BRK3252
Azure AD Domain Services: use managed domain services on Azure
Mahesh Unnikrishnan, Principal Program Manager
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Session objectives & takeaways
Introduce an exciting new service called Azure AD Domain Services.
Understand how it works and its benefits.
See the features available in preview today.
Explore scenarios where you can rely on Azure AD Domain Services instead of setting up domain controllers in VMs.
Explore the product roadmap.
Share your feedback to influence how the service evolves.
Key takeaway: learn how to move applications to Azure IaaS without worrying about identity needs.
3
Azure Active Directory
Microsoft's "Identity Management as a Service (IDaaS)" for organizations: millions of independent identity systems controlled by enterprise and government "tenants". Information is owned and used by the controlling organization, not by Microsoft.
Born as a cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
Every Office 365 and Microsoft Azure customer uses Azure Active Directory.
90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online and PowerBI).
More than 10 M Azure AD directories.
More than 750 M user accounts on Azure AD.
33,000 Enterprise Mobility + Security / Azure AD Premium enterprise customers.
More than 110k third-party applications used with Azure AD each month.
More than 1.3 billion authentications every day on Azure AD.
4
Identity as the core of enterprise mobility
Diagram: Microsoft Azure Active Directory at the centre, offering simple connection, single sign-on and self-service to SaaS, Azure and other public clouds, and on-premises systems, Windows Server Active Directory and other directories.
5
Options – moving applications to the cloud
Subscribe to SaaS applications
  Switch to using SaaS versions of the app, e.g. Office 365.
  Leverage Azure AD for SaaS app management: SaaS application gallery, easy provisioning, conditional access control.
Rewrite existing applications
  Rewrite apps to leverage Azure PaaS.
  Leverage Azure AD OAuth/OpenID Connect for modern authorization. Ubiquitous developer libraries.
  Graph API: modern directory API.
'Lift-and-shift' on-premises applications to IaaS
  Move existing legacy ISV or LOB applications to Azure IaaS.
  You may not have access to source code or vendor support.
6
’Lift-and-shift’ existing on-premises apps. Easy?
What about identity in the cloud?
  My apps depend on AD Domain Services: domain join, group policy, LDAP bind/authentication, Kerberos, NTLM, LDAP read/write.
  Apps can't be modified to use new authentication and authorization protocols (OAuth, SAML, OIDC, REST etc.).
  I don't have source code for the apps.
  The ISV is not interested in rewriting the app for modern paradigms.
Diagram: on-premises apps and Active Directory being lifted-and-shifted into Azure, with Azure Active Directory and an unanswered question mark where AD Domain Services would be needed in the cloud.
7
Two widely-used options today …
Connect the app to a domain controller VM in Azure.
Connect the app to an on-premises domain controller.
8
Imagine a simpler alternative
Simple: no domain controller deployment; forget about patching DCs.
Compatible: fully compatible with Windows Server AD; your apps just keep working in the cloud.
Available: highly available domain, auto-remediation, automatic backups.
Cost-effective: pay-as-you-go; no need for complicated networking (VPN/ExpressRoute).
9
Introducing ‘Azure AD Domain Services’
Diagram: Azure Active Directory feeding Azure AD Domain Services, which exposes a managed domain inside your Azure virtual network to Contoso's workloads/apps in Azure IaaS.
10
Managed domains Domain controllers are patched automatically.
Domain controllers are patched automatically.
Secure, locked-down domain, compliant with AD deployment best practices.
Fault resilience of Azure.
Automatic health detection and remediation.
Automatic backups for disaster recovery.
No need to monitor replication to DCs.
Highly available domain.
11
Your managed domain is kept in-sync
Users, groups, passwords and SIDs are synced to Azure AD and then, by automatic background sync, to your managed domain.
Users, group memberships and passwords are synced from your Azure AD tenant.
Simple to deploy:
  Cloud-only directories: no additional sync/replication software needed.
  Federated/synced directories: simply leverage your existing Azure AD Connect deployment.
Diagram: on-premises AD, Azure AD Connect sync, Azure AD tenant, and the managed domain inside the virtual network.
12
Synced tenants … Azure AD Domain Services Azure Active Directory
Diagram: on-premises Active Directory synced by Azure AD Connect to Azure Active Directory, with automatic background sync to Azure AD Domain Services; the managed domain is available in your Azure VNet to Contoso's workloads/apps in Azure IaaS.
13
Features Simple deployment
Single managed domain per Azure AD directory.
High availability with fault tolerance.
Automatic health detection and remediation.
Auto-sync from Azure AD: use the same users, groups and passwords.
On-premises SIDs are synced to SIDHistory in your managed domain.
Domain join.
Windows Integrated Authentication (Kerberos, NTLM).
LDAP bind and LDAP read.
Secure LDAP (including over the internet).
Create custom Organizational Units (OUs).
Administer DNS.
Basic Group Policy: a single built-in GPO each for the users and computers containers.
14
Demo: Azure AD Domain Services
15
Service availability: North Europe, West Europe, West US, East US, East US 2, Central US, South Central US, East Asia, Southeast Asia, Australia East, Australia Southeast.
16
Networking considerations (1) Use your managed domain in multiple classic virtual networks
17
Networking considerations (2) Use your managed domain in Resource Manager virtual networks
18
Networking considerations (3) Subnets and Network Security Groups
Deploy Azure AD Domain Services to a dedicated subnet.
Do not deploy it to the gateway subnet.
Do not apply NSGs to your AAD-DS subnet. An NSG prevents Microsoft from being able to manage and update your domain, and it also breaks synchronization with your Azure AD tenant.
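The three subnet rules above, encoded as a pre-deployment check. This is an added example, not code from the session or from Microsoft; the VNet description is a constructed dictionary in an ARM-export-like shape, and its field names are assumptions rather than a documented schema.

```python
"""Pre-deployment check for the subnet that will host Azure AD Domain Services.

Rules from the slide: dedicated subnet, never the GatewaySubnet, no NSG attached.
"""
from typing import Dict, List

# Constructed sample VNet (assumed field names, not a real Azure export).
SAMPLE_VNET = {
    "name": "contoso-vnet",
    "subnets": [
        {"name": "GatewaySubnet", "addressPrefix": "10.0.255.0/27",
         "networkSecurityGroup": None, "ipConfigurations": []},
        {"name": "aadds-subnet", "addressPrefix": "10.0.1.0/24",
         "networkSecurityGroup": None, "ipConfigurations": []},
        {"name": "app-subnet", "addressPrefix": "10.0.2.0/24",
         "networkSecurityGroup": "app-nsg",
         "ipConfigurations": ["web01-nic", "web02-nic"]},
    ],
}


def aadds_subnet_findings(vnet: Dict, subnet_name: str) -> List[str]:
    """Return the rule violations for placing AAD DS in `subnet_name`.

    An empty list means the subnet satisfies all three rules from the slide.
    """
    subnets = {s["name"]: s for s in vnet.get("subnets", [])}
    if subnet_name not in subnets:
        return [f"subnet '{subnet_name}' does not exist in VNet '{vnet['name']}'"]
    subnet = subnets[subnet_name]
    findings: List[str] = []
    # Rule 1: the gateway subnet is reserved for VPN/ExpressRoute gateways.
    if subnet_name.lower() == "gatewaysubnet":
        findings.append("AAD DS must not be deployed to the GatewaySubnet")
    # Rule 2: dedicated means no other NIC/IP configuration already lives there.
    if subnet.get("ipConfigurations"):
        findings.append("subnet is not dedicated: other resources already use it")
    # Rule 3: an NSG on this subnet blocks management of the managed DCs and breaks tenant sync.
    if subnet.get("networkSecurityGroup"):
        findings.append(
            f"NSG '{subnet['networkSecurityGroup']}' is attached; remove it from the AAD DS subnet"
        )
    return findings


if __name__ == "__main__":
    for name in ("aadds-subnet", "GatewaySubnet", "app-subnet"):
        print(name, aadds_subnet_findings(SAMPLE_VNET, name) or ["ok"])
```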
19
Deployment scenarios …
1. Secure, streamlined administration of Azure virtual machines
  Domain-join your Azure IaaS virtual machines, Windows Server and Linux.
  Use your corporate credentials to log in to VMs; no need for local administrator accounts.
  Use Group Policy (the built-in GPO for the computers container) to manage and secure domain-joined VMs.
Diagram: Contoso's workloads/apps in Azure IaaS, domain joined and managed by Group Policy from the managed domain in the virtual network.
20
Deployment scenarios …
2. Lift-and-shift applications that use LDAP bind for authentication
  Consider the following web app: an LOB application uses a web form to collect user credentials and authenticates users via LDAP bind to the directory.
  This application can be migrated and deployed in Azure VMs.
  End users sign in using their existing corporate credentials; the app is deployed in Azure, transparently to end users.
  This app pattern is often used by organizations to grant vendors or partners access to their applications.
Diagram: the application in the virtual network performing an LDAP bind against the managed domain.
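The bind-based sign-in pattern from scenario 2, written as an added example (not code from the session). It shows the two things a practitioner wants around this pattern: the bind goes to the managed domain's Secure LDAP endpoint over TLS with certificate verification, and an empty password is refused before any bind is attempted, because an LDAP server may treat a bind with a name and an empty password as an unauthenticated bind that "succeeds" (RFC 4513 section 5.1.2). The wire call is injected as `bind_fn` so the example runs offline; `contoso.com`, the hostname and the fake directory are constructed.

```python
"""LDAP-bind authentication for a lifted-and-shifted web form (added example)."""
import ssl
from typing import Callable, Dict, Optional

LDAPS_PORT = 636  # assumption: the standard Secure LDAP port

# Signature of the injected bind: (host, port, tls_context, upn, password) -> bool
BindFn = Callable[[str, int, ssl.SSLContext, str, str], bool]


def make_ldaps_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for Secure LDAP: verify the server certificate, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authenticate(bind_fn: BindFn, host: str, domain: str,
                 username: str, password: str, ca_bundle: Optional[str] = None) -> bool:
    """Authenticate a web-form login by binding as the user over LDAPS."""
    # Refuse empty passwords up front: the server could treat the bind as unauthenticated.
    if not password or not username.strip():
        return False
    # The form supplies a bare account name; the app appends its own domain suffix.
    if any(c in username for c in "@\\/"):
        return False
    upn = f"{username}@{domain}"
    return bind_fn(host, LDAPS_PORT, make_ldaps_context(ca_bundle), upn, password)


# Constructed stand-in for the managed domain so the example runs offline.
FAKE_DIRECTORY: Dict[str, str] = {"alice@contoso.com": "correct horse battery"}


def fake_bind(host: str, port: int, ctx: ssl.SSLContext, upn: str, password: str) -> bool:
    """Simulated simple bind, including the empty-password quirk the guard above defends against."""
    if port != LDAPS_PORT or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise ValueError("bind must use Secure LDAP with certificate verification")
    if password == "":
        return True  # unauthenticated bind "succeeds" on a permissive server
    return FAKE_DIRECTORY.get(upn) == password


if __name__ == "__main__":
    print(authenticate(fake_bind, "ldaps.contoso.com", "contoso.com", "alice", "correct horse battery"))
```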
21
Deployment scenarios …
3. Lift-and-shift server applications that use Windows Integrated Authentication
  Consider the following application: it uses an AD service account for its web front end to authenticate access to a backend server.
  This application can be migrated and deployed in Azure VMs.
  You can create custom OUs and provision service accounts within those OUs.
  You can assign custom password policies (e.g. password never expires) to service accounts.
  GMSAs (Group Managed Service Accounts) work as well.
Diagram: the front end in the virtual network authenticating to the backend with WIA using a service account from the managed domain.
22
Deployment scenarios …
4. VDI lift-and-shift (Remote Desktop in Azure VMs)
  Deploy domain-joined Remote Desktop VMs for VDI in the cloud.
  Use Group Policy to manage and secure the Remote Desktop VMs.
  Known issue: Remote Desktop Licensing server. AAD-DS does not support adding computer accounts to the TS licensing group. Workaround: track licensing outside of AAD-DS.
Diagram: Remote Desktop server VMs in the virtual network, domain joined to the managed domain.
23
5. HDInsight: secure Hadoop (preview)
  HDInsight Hadoop clusters can be integrated with AAD Domain Services for secure Hadoop deployments.
  This feature is currently in public preview.
  More information: BA326, Securing big data environments on Azure.
Diagram: an HDInsight cluster in an ARM virtual network, connected by a VNet-to-VNet connection to the classic virtual network hosting the managed domain (domain join, Kerberos etc.).
24
Deciding when not to ‘DIY’ your AD deployment
Feature comparison (cells that were rendered as icons on the slide are not captured here):

Feature                                          Azure AD Domain Services   'Do-it-yourself' AD in Azure VMs
Managed service                                  Yes                        No
Secured and locked-down deployment                                          Needs to be secured
DNS server                                       Yes (managed service)
Domain or Enterprise administrator privileges
Domain join
Domain authentication using NTLM and Kerberos
Custom OU structure
Schema extensions
AD domain/forest trusts
LDAP read
Secure LDAP (LDAPS)
LDAP write
Group Policy                                     Simple                     Full
Geo-dispersed deployments

More information:
25
What about client workstations?
  We do not recommend this deployment with AAD Domain Services.
  For Windows 10 devices, we recommend Azure AD Join.
  Azure AD Join is better suited for mobile clients (e.g. tablets, laptops): supports BYO devices; devices are managed using MDM (Intune); works even in the absence of a VPN/ExpressRoute connection; more resilient to VPN/ExpressRoute outages.
  More information: us/documentation/articles/active-directory-azureadjoin-overview/
Diagram: client workstations reaching the managed domain in the virtual network (domain join, Kerberos etc.) over VPN/ExpressRoute.
26
Post-GA roadmap – help us prioritize!
Azure Resource Manager (ARM) support: support for ARM-based virtual networks.
PowerShell automation: ARM template and automation support.
Support for the new Azure portal (portal.azure.com).
Resource forest deployments.
Schema extensions support.
Support for LDAP writes.
Sophisticated Group Policy support, including custom GPOs.
27
Identity and Access Management Sessions
Monday
  02:15: BRK2139 Protect your business and empower your users with cloud Identity and Access Management
Tuesday
  12:30: BRK3107 Connect your on-premises directories to Azure AD and use one identity for all your apps
  02:15: BRK3225 Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune
  04:30: BRK3109 Deliver management and security at scale to Office 365 with Azure Active Directory
Wednesday
  09:00: BRK3111 Manage productivity at scale with Azure Active Directory
  11:30: BRK2170 Learn how Unilever modernized IT with Azure Active Directory at the core
  02:15: BRK3139 Throw away your DMZ: Azure Active Directory Application Proxy deep-dive
  04:00: BRK3181 Secure your web applications with Microsoft identity
Thursday
  09:00: BRK3252 Use managed domain services on Microsoft Azure
  12:30: BRK3182 Secure your native and mobile applications with Microsoft identity and application management
  02:15: BRK3110 Respond to advanced threats before they start: identity protection at its best!
  04:00: BRK3179 Modernize your app's consumer identity management with Azure AD B2C
  04:30: BRK2067 Manage access to SaaS applications with Azure Active Directory
Friday
  09:00: BRK3074 Discover what's new in Active Directory Federation and Domain Services in Windows Server 2016
  10:45: BRK3108 Share corporate resources with your partners using Azure AD B2B collaboration
  12:30: BRK3330 Join your Windows 10 devices to Azure AD for anywhere, anytime productivity
28
In review: session objectives & takeaways
Introduce an exciting new service called Azure AD Domain Services.
Understand how it works and its benefits.
See the features available in preview today.
Explore scenarios where you can rely on Azure AD Domain Services instead of setting up domain controllers in VMs.
View the product roadmap.
Share your feedback to influence how things evolve.
Key takeaway: learn how you can move applications to Azure IaaS without worrying about identity needs.
29
Free IT Pro resources To advance your career in cloud technology
Plan your career path: Microsoft IT Pro Career Center. Cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role.
Get started with Azure: Microsoft IT Pro Cloud Essentials. $300 Azure credits and extended trials, Pluralsight 3-month subscription (10 courses), phone support incident.
Demos and how-to videos: Microsoft Mechanics. Weekly short videos and insights from Microsoft's leaders and engineers.
Connect with peers and experts: Microsoft Tech Community. Connect with a community of peers and Microsoft experts.
30
Please evaluate this session
Your feedback is important to us!
From your PC or tablet, visit MyIgnite at
From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting
32
Keep going: try Enterprise Mobility + Security for free, today.
Read the CIO's guide to Azure Active Directory.
Explore Identity + Access Management.
Learn more from the Azure AD documentation library.
Discover password best practices.
Check out the new Azure AD webinars.
Microsoft is a leader in Gartner's IDaaS MQ 2016.