Identities in the Cloud


Els Putzeys

User Management in Windows Azure

Identity Options
- Microsoft Online IDs
- Microsoft Online IDs + Directory Synchronization
- Federated IDs + Directory Synchronization

Microsoft Online IDs
Appropriate for small organizations without on-prem AD
Pros:
- No servers required on-premises
Cons:
- No SSO
- 2 sets of credentials to manage, with different password policies
- IDs mastered in the cloud

Microsoft Online IDs + DirSync
Appropriate for medium/large organizations with on-prem AD
Pros:
- Users and groups mastered on-premises
- Enables coexistence scenarios
- Passwords can be synchronized with the password sync tool
Cons:
- No SSO
- 2 sets of credentials to maintain
- DirSync server required on-premises

Federated IDs + DirSync
Appropriate for medium/large enterprises with on-prem AD
Pros:
- SSO
- IDs mastered on-prem
- Password policy controlled on-prem
- Enables coexistence scenarios
Cons:
- Servers required on-premises (DirSync server and federation servers)

Microsoft Online IDs

Windows Azure AD

Windows Azure AD
- Identity and access management in the cloud
- Your organization's cloud directory, used by:
  - Windows Azure
  - Office 365
  - Windows Intune
- Can be integrated with on-premises AD
- Integration with cloud applications: single sign-on experience
  - App hosted in the cloud
  - Users authenticate with corporate credentials

[Diagram: the tenant data in Windows Azure AD is managed through Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal]

Windows Azure AD   Azure AD is a multi-tenant service Authentication process – – User accesses a SaaS application User authenticates to Azure with username and password – – – Azure AD returns token Token is sent to SaaS application Application validates token and uses its content

Create Online IDs, using one of:
- Windows Azure AD Portal
- Office 365 Portal
- Windows PowerShell
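The PowerShell route, as an added example that is not part of the presentation: it creates a cloud-mastered Online ID with the MS Online Services Module (MSOnline) and checks the result. It assumes the module is installed, that `contoso.onmicrosoft.com` stands in for your own tenant domain, and that the user details are placeholders.

```powershell
# Added example (not from the slides): create a cloud-mastered Online ID with the
# Windows Azure AD (MSOnline) PowerShell module and verify the result.
# Assumptions: MSOnline module installed; contoso.onmicrosoft.com and the user
# details below are placeholders for your tenant's values.
Import-Module MSOnline

$cred = Get-Credential -Message 'Windows Azure AD administrator'
Connect-MsolService -Credential $cred

# Online IDs are mastered in the cloud, so the UPN suffix must be a domain the
# tenant has verified; refuse anything else up front instead of letting the
# cmdlet fail half-way.
$upn      = 'test.user@contoso.onmicrosoft.com'
$suffix   = $upn.Split('@')[1]
$verified = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
if ($verified -notcontains $suffix) {
    throw "Domain '$suffix' is not a verified domain in this tenant"
}

# No -Password given: the service generates a one-time password and returns it in
# the Password property of the result; the user must change it at first sign-in.
# (Licences are assigned with -LicenseAssignment; list SKUs with Get-MsolAccountSku.)
$user = New-MsolUser -UserPrincipalName $upn `
                     -DisplayName 'Test User' `
                     -FirstName 'Test' -LastName 'User' `
                     -UsageLocation 'BE' `
                     -ForceChangePassword $true

"Created {0}; one-time password: {1}" -f $user.UserPrincipalName, $user.Password

# A cloud-mastered account has never been touched by directory sync,
# so LastDirSyncTime is empty.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, IsLicensed, LastDirSyncTime
```

Because this account is mastered in the cloud, the tenant's password policy applies to it, which is the "2 sets of credentials with different password policies" drawback listed above.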


Microsoft Online IDs + DirSync

Directory Synchronization

Directory Synchronization     Synchronize users from on-prem to online User management is done on-prem Password synchronization – Synchronize passwords from on-prem to online Users have 1 set of credentials across on-prem and online – But 2 accounts

[Diagram: DirSync on the customer network synchronizes AD to Windows Azure AD (MS Online IDs) in the Windows Azure datacenter, which serves Office 365: Exchange Online, SharePoint Online and Lync Online]

DirSync: Preparation  Synchronization computer – Windows Server 2008 R2 SP1 or Windows Server 2012 (R2) – – Domain-joined Prerequisite software:   .Net Framework 3.5 SP1 and 4.0

PowerShell  DC Requirements: – – Forest functional level:  Windows Server 2003 or higher Domain Controllers:  Windows Server 2003 SP1 or higher

DirSync: Preparation  To install DirSync, you need the following permissions: – Administrator of the DirSync Server – – Administrator of the local AD environment Administrator of the Cloud Service  DirSync setup creates service account – – – – – MSOL_AD_SYNC Created in Users container Read from local AD Write to Windows Azure AD Do not move or remove this account!

DirSync: Preparation   Initial synchronization – All AD objects copied to WAAD – Maximum 50000 objects  If more, contact support DirSync requires SQL – – SQL Express  < 50000 objects  Installed by default Full SQL  > 50000 objects

DirSync: Preparation  UPN Requirements – Every user must have a UPN – – – UPNs must match a validated domain in the cloud  Make sure AD contains the correct UPN Suffix Check UPN in the cloud after synchronization Users must use UPN to logon to cloud services

DirSync: Installation
- Download and install the Directory Sync tool
- Installation can take up to 10 minutes

DirSync: Configure
Start the DirSync Configuration wizard:
- Specify Windows Azure AD credentials
- Specify AD credentials
- Enable hybrid deployment (if required): this gives the DirSync service account limited write permission to on-prem AD

DirSync: Password Sync   Password Synchronization – Feature of Sync Tool – – – Synchronize on-prem passwords to WAAD Users can use same password in cloud and on-prem No SSO Extract password hash from AD – – – Overwrites cloud password Initial dirsync synchronizes all passwords User changes on-prem password • Tool detects and synchronizes (within minutes)

DirSync: Password Sync   Password complexity policy – On-prem policies override cloud policies for synchronized users Password expiration policy – Cloud user password is set to “Never Expire”

DirSync: Manage
- PowerShell: %Program Files%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  - Add-PSSnapin Coexistence-Configuration
  - Cmdlets: Get-Command -PSSnapin Coexistence-Configuration

DirSync: Synchronize
- Automatically: every 3 hours
- Manually:
  - PowerShell: Start-OnlineCoexistenceSync
  - Configuration wizard: Start menu, Directory Sync Configuration
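The manual synchronization put together as one script, as an added example that is not part of the presentation: it loads the DirSync snap-in, triggers a run, and waits until the tenant reports a newer LastDirSyncTime so you know the run actually landed rather than just started. It assumes it is run on the DirSync server with the MSOnline module installed there, and `jdoe@contoso.com` is a placeholder user.

```powershell
# Added example (not from the slides): force a DirSync run and confirm in the
# tenant that it completed.
# Assumptions: run on the DirSync server; MSOnline module installed there;
# jdoe@contoso.com is a placeholder for a synchronized user.
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop
Import-Module MSOnline

Connect-MsolService -Credential (Get-Credential -Message 'Windows Azure AD administrator')

# List what the snap-in offers (the slide's Get-Command call).
Get-Command -PSSnapin Coexistence-Configuration | Select-Object -ExpandProperty Name

# Record the tenant's last completed sync before we start, then compare against it
# afterwards; comparing tenant values with tenant values avoids time-zone surprises.
$before = (Get-MsolCompanyInformation).LastDirSyncTime
"Last sync recorded by the tenant: $before"

Start-OnlineCoexistenceSync      # without this, DirSync runs automatically every 3 hours

$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 60
    $last = (Get-MsolCompanyInformation).LastDirSyncTime
} until (($last -ne $before) -or ((Get-Date) -gt $deadline))

if ($last -ne $before) {
    "Sync completed; tenant now reports LastDirSyncTime = $last"
} else {
    Write-Warning 'No new sync time reported within 15 minutes; check the Directory Sync event log on this server'
}

# Spot-check one synchronized user: it carries a LastDirSyncTime, and (as the
# password sync slide notes) its cloud password is set to never expire.
Get-MsolUser -UserPrincipalName 'jdoe@contoso.com' |
    Select-Object UserPrincipalName, LastDirSyncTime, PasswordNeverExpires
```

If the wait times out, the run was started but never completed; the tool's own event log on the DirSync server is the place to look, since the tenant only records successful runs.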


Federated IDs + DirSync

Active Directory Federation Services

Federated Identities
- Across on-prem and cloud services: a single identity and single sign-on
- User management happens on-prem
- On-prem AD is used to sign in and authenticate
- Requires the following services:
  - Directory synchronization
  - Federation Service

Identity Federation
[Diagram: a user from the identity provider's realm (Fabrikam.com, with its own DC/AD and STS) accesses a web server at the relying party (Contoso.com, with its own DC/AD). The numbered flow (steps 1 to 10) runs through home realm discovery at the relying party, authentication at the identity provider's STS, issuance of a security token (a SAML token carrying claims such as Name = Els, Email = Els, Age = 38) and acceptance of that token by the relying party under the federation trust. STS examples: AD FS, Shibboleth, Azure ACS. Identity provider examples: AD, Unix, Live ID, Google ID, Facebook.]

Identity Federation with Azure
[Diagram: the on-premises domain (Active Directory and AD FS) and the Windows Azure platform (MS Federation Gateway and Exchange Online). The user logs on to AD FS, which issues a SAML 1.1 token carrying the UPN ([email protected]) and the Source User ID (ABC123); the MS Federation Gateway validates that token and issues an auth token with the UPN and the tenant's Unique ID (254729) to Exchange Online.]

AD FS Deployment Options
- Single server configuration
- AD FS server farm and load balancer
- AD FS proxy server or UAG/TMG (for external users, ActiveSync, Outlook)
[Diagram: internal users on the internal network authenticate directly against the AD FS servers, which are backed by Active Directory; external users reach AD FS proxies in the perimeter network, which forward to the internal AD FS servers]

Federation: AD FS  Requirements: – Windows Server 2008 (R2) – 2012 (R2) – – – – ADFS 2.0 / ADFS 3.0

Public, validated domain name SSL certificate MS Online Services Module for PS – MS Online Sign-In Assistant

Federation: AD FS
Install AD FS:
- WS2012 (R2): Add roles and features
- WS2008: download and install AD FS

Federation: AD FS  Run ADFS Configuration Wizard – – – Create new Federation Service • • Federation farm Stand-alone server Select SSL Certificate • • ADFS certificate Federation service name:

Create Host record for the federation service in DNS

Federation: AD FS    Install MS Online Sign-In Assistant Install MS Online Services Module for PS Configure Trust with Microsoft Online Services – PowerShell • • Connect-MsolService –Credential $cred Convert-MsolDomainToFederated –DomainName

Federation: Test
- Create an account in local AD; the UPN must use your domain name
- Synchronize the account to Azure AD and add application licenses
- Prepare the client PC:
  - Install the Sign-In Assistant
  - Add the AD FS URL to the Intranet zone in IE
- Sign in to the client PC as the test user, browse to the service and enter the username ([email protected])
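The trust configuration and a verification of it in one script, as an added example that is not part of the presentation: it checks that the domain is verified and still managed, converts it to federated, and then compares what AD FS and the tenant each hold about the trust. It assumes it runs on the AD FS server (or that `Set-MsolADFSContext` points at it), that the Sign-In Assistant and MSOnline module are installed, and that `contoso.com`, `adfs01.contoso.local` and `jdoe@contoso.com` are placeholders.

```powershell
# Added example (not from the slides): convert a validated domain to federated
# authentication and verify the trust on both sides.
# Assumptions: run on the AD FS server with the MS Online Sign-In Assistant and
# MSOnline module installed; contoso.com, adfs01.contoso.local and
# jdoe@contoso.com are placeholders.
Import-Module MSOnline

$domain = 'contoso.com'
Connect-MsolService -Credential (Get-Credential -Message 'Windows Azure AD administrator')

# Preconditions: the domain must already be verified in the tenant and not yet
# federated; converting an unverified domain fails, and converting twice is a no-op
# at best and an overwritten trust at worst.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') {
    throw "$domain is not a verified domain in the tenant"
}
if ($d.Authentication -eq 'Federated') {
    Write-Warning "$domain is already federated; nothing to do"
} else {
    # Only needed when not running on the AD FS server itself.
    # Set-MsolADFSContext -Computer 'adfs01.contoso.local'

    # Creates the relying-party trust on AD FS and registers the federation
    # settings (issuer, sign-in endpoints, token-signing certificate) in the tenant.
    # Add -SupportMultipleDomain if more than one domain will be federated.
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: the tenant must now see the domain as federated...
(Get-MsolDomain -DomainName $domain).Authentication     # expected: Federated

# ...and the properties held by AD FS and by Microsoft Online must agree
# (two entries are returned, one per Source; the token-signing certificate
# in particular must match or sign-ins will fail after a certificate rollover).
Get-MsolFederationProperty -DomainName $domain | Format-List

# A synchronized user on this domain is now authenticated by AD FS, not by a
# cloud password; its ImmutableId is the Source User ID claim the trust relies on.
Get-MsolUser -UserPrincipalName 'jdoe@contoso.com' |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Run the same `Get-MsolFederationProperty` check again whenever the AD FS token-signing certificate is renewed; the two sources drifting apart is the usual cause of "federated sign-in suddenly fails" tickets.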


Follow TechNet Belgium @technetbelux

Belgium's biggest IT PRO conference