[Diagram: Windows Azure Datacenter – West US (AD, SharePoint, Cloud Service, Virtual Network, RDS) connected to the Contoso CORP SITE – Las Vegas, NV. Source: http://www.itproguy.com]
[Diagram variant: the same Azure / Contoso topology with a Website tier added.]

Account types

Personal services: Live ID / Microsoft Account.
Organizational services: OrgID / Organizational Account, that is an OnMicrosoft account (Azure AD account).

Three identity integration models for Office 365 with Windows Azure Active Directory

1. Cloud only / no integration
2. Directory synchronization
3. Directory synchronization and federated single sign-on (SSO)

[Diagram, repeated for each model: Windows Azure Active Directory (authentication platform / IdP, provisioning platform, directory store, Admin Portal / PowerShell / Graph API) serving Office 365, Dynamics CRM Online and Windows Intune. Contoso customer premises hold AD and a CORP app; model 2 adds Directory Sync (DirSync); model 3 adds an Active Directory Federation Server 2.0 IdP with a trust to Windows Azure AD.]

Directory synchronization options

DirSync
• Suitable for organizations using Active Directory (AD)
• Supports Exchange co-existence scenarios
• Coupled with AD FS, the best option for federation plus synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS and partners

FIM connector (Forefront Identity Manager)
• Suitable for large organizations with certain AD and non-AD scenarios, including complex multi-forest AD
• Non-AD synchronization through Microsoft Premier deployment support
• Suitable for all organizations; the most robust option for sync, with more features: password reset, compliance, access, policy and group management
• Requires Forefront Identity Manager and additional software licenses

PowerShell and Graph API
• Suitable for small and medium size organizations with AD or non-AD directories
• Not a highly recommended option compared to DirSync or the FIM connector
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience; the PowerShell option fits where the customer or partner already has wrappers around PowerShell scripts (e.g. self-service provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues

Federation options

AD FS 2.0
• Works with AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on; secure token based authentication; support for web and rich clients
• Microsoft supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support

Third-party identity providers
• Works with AD and non-AD, and with other directories on-premises
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
• Single sign-on; secure token based authentication; support for web and rich clients
• Third-party supported; verified through the 'Works with Office 365' program
• Works for Office 365 hybrid scenarios
• Requires on-premises servers and support

Shibboleth
• Works with AD and non-AD
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Single sign-on; secure token based authentication; support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers, licenses and support

Comparing the three models

1. Cloud only / no integration
Appropriate for • Smaller organizations without AD on-premises
Pros • No servers required on-premises • Same domain name for users possible
Cons • No SSO • No 2FA • Two sets of credentials to manage, with differing password policies • IDs mastered in the cloud

2. Directory synchronization
Pros • Users and groups mastered on-premises • Enables co-existence • Single server deployment
Cons • No 2FA until Spring 2013 • Two sets of credentials to manage with differing password policies, or manual / third-party password sync, or use FIM • No SSO

3. Directory synchronization and federated SSO
Pros • SSO with corporate credentials • IDs mastered on-premises • Password policy controlled on-premises • 2FA solutions possible • Enables hybrid scenarios • Location isolation • Ideal for multiple forests
Cons • Additional servers required for AD FS

AD FS capacity planning (http://technet.microsoft.com/en-us/library/jj151794.aspx)

Users            Dedicated federation servers    Federation server proxies   NLB servers   Comments
< 1,000          0                               0                           1             Deploy AD FS on two DCs
1,000–15,000     2                               2                           2             Install NLB on proxies
15,000–60,000    2, plus 1 for every 15,000      2+                          2+            Install NLB on proxies or use a dedicated NLB implementation

Scripted deployment, step by step (PowerShell). The tag before each step says where it runs: on Server1 (the AD FS federation server), on Server2 (the AD FS proxy), or against Windows Azure AD from Server1 via the MSOnline module.

[In Windows Azure, from Server1] Add the domain and check whether it is verified:

    New-MsolDomain -Name $SelectedSuffix -Authentication Federated
    $Domain = Get-MsolDomain -DomainName $SelectedSuffix
    if ($Domain.Status -eq 'Verified') {
        Write-Host ' '
        Write-Host 'Domain is verified. If it is a subdomain of an existing domain, this is automatic.'
        Write-Host ' '
    } else {
        Write-Host ' '
        Write-Host -NoNewline 'Domain verification code: '
        # Get-QSMsolDNSVerificationText is a helper from the accompanying script, not an MSOnline cmdlet
        Get-QSMsolDNSVerificationText -Domain $SelectedSuffix
        Write-Host ' '
    }

[In Windows Azure, from Server1] Activate directory synchronization support:

    Set-MsolDirSyncEnabled -EnableDirSync $true

[On Server1] Install the AD FS role and create the farm:

    Install-WindowsFeature ADFS-Federation
    Install-AdfsFarm -CertificateThumbprint $Certificate.Thumbprint `
        -FederationServiceName $script:ADFSSubjectName `
        -ServiceAccountCredential $script:ADFSCredentials `
        -OverwriteConfiguration

[On Server2, the AD FS proxy] Configure the federation server proxy:

    # The proxy wizard takes the service account password as a plain-text argument, so it is
    # visible in the process command line while the wizard runs; run this only on the proxy
    # itself and keep it out of transcripts and logs.
    Start-Process -FilePath "$env:SystemRoot\ADFS\FSPConfigWizard.exe" -Wait -ArgumentList @(
        '/Hostname', $script:ADFSSubjectName,
        '/Username', $script:ADFSAccountName,
        '/Password', (ConvertFrom-QSSecureStringToPlaintext -SecureString $script:ADFSAccountPassword)
    )

[In Windows Azure, from Server1] Federate the domain with the new AD FS farm:

    # Same suffix that was registered with New-MsolDomain above
    New-MsolFederatedDomain -DomainName $SelectedSuffix

[On Server1] Download, install and configure the DirSync tool (see http://support.microsoft.com/kb/2681562):

    Write-QSTitle 'Download, install, and configure the DirSync tool'
    $DirSyncFilename = $script:CurrentExecutingPath + '\DirSync.exe'
    # The download URL is plain HTTP; check the installer's Authenticode signature before running it.
    if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
        Write-QSError 'DirSync download failed.'
        return
    }
    Write-Host 'Running DirSync installer...'
    Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait

    Write-Host 'Requesting synchronization credentials...'
    $TargetCredentials = Get-Credential -Message 'Permanent Synchronization Credentials'
    Write-Host 'Requesting local credentials...'
    $SourceCredentials = Get-Credential -Message 'Local Active Directory Administrator'
    Write-Host 'Requesting online coexistence configuration information...'
    $Configuration = Get-CoexistenceConfiguration -TargetCredentials $script:MsolCredential
    Write-Host 'Configuring local coexistence configuration information...'
    Set-CoexistenceConfiguration -SourceCredentials $SourceCredentials -TargetCredentials $TargetCredentials
    Write-Host 'Requesting an immediate synchronization...'
    Start-OnlineCoexistenceSync

Measured timings for the scripted deployment

Document step   Script steps   Component of configuration                                    Actual time taken
1               1-2            Initial software installation (pre-requisites) *, ***         1 min 12 sec
1               3              Office 365 Readiness Tool                                     5 min 48 sec
2               4-5            Add domain name in Windows Azure AD                           27 sec
3               6              Activate DirSync support                                      10 sec
4               7-14           Install and configure on-premises AD FS, Server1 **           2 min 53 sec
5               15-22          Install and configure AD FS proxy, Server2 *, ***, ****       6 min 12 sec
6               23-24          Configure Windows Azure AD federation support                 41 sec
7               25-27          Install and configure DirSync                                 3 min 26 sec

Resources
• Windows Azure subscription
• http://aka.ms/AD2AAD
• http://technet.microsoft.com/en-us/library/jj713614.aspx
• http://aka.ms/github
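The deployment script above ends as soon as each cmdlet returns; it never confirms that the DirSync installer it fetched over HTTP is genuine, that the federation trust Azure AD recorded actually matches the AD FS farm, or that a synchronization has completed. The following checks are an added example and are not part of the original slides or their script. They assume Connect-MsolService has already been run, that the ADFS module is present on Server1, and that 'contoso.com', 'sts.contoso.com', the expected signer subject and the three-hour sync interval are placeholders to replace with your own values.

```powershell
# Added example: post-deployment verification for the AD FS + DirSync walkthrough.
# Not part of the original script. Assumes Connect-MsolService has been run (MSOnline
# module) and that this runs on the federation server, where the ADFS module exists.
Import-Module MSOnline
Import-Module ADFS

function Test-InstallerSignature {
    # DirSync.exe was fetched over plain HTTP. Refuse to execute it unless its
    # Authenticode signature is valid and the signer subject is the one we expect.
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed subject fragment; pin the exact DN observed on a known-good copy.
        [string] $ExpectedSignerSubject = 'O=Microsoft Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run '$Path': signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSignerSubject*") {
        throw "Refusing to run '$Path': unexpected signer '$($sig.SignerCertificate.Subject)'"
    }
    return $sig.SignerCertificate.Thumbprint
}

function Test-FederationTrust {
    # After New-MsolFederatedDomain, Azure AD must hold the token-signing certificate
    # AD FS really uses, accept tokens only from AD FS's issuer identifier, and send
    # users to this farm's HTTPS endpoints. Any mismatch breaks sign-in, or means
    # tokens signed by some other key would be trusted for the domain.
    param(
        [Parameter(Mandatory)] [string] $DomainName,            # placeholder: 'contoso.com'
        [Parameter(Mandatory)] [string] $FederationServiceName  # placeholder: 'sts.contoso.com'
    )
    $cloud = Get-MsolDomainFederationSettings -DomainName $DomainName
    $cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cloudCert.Import([Convert]::FromBase64String($cloud.SigningCertificate))
    $adfsCert = (Get-AdfsCertificate -CertificateType Token-Signing |
                 Where-Object { $_.IsPrimary }).Certificate
    $adfsIssuer = (Get-AdfsProperties).Identifier.OriginalString

    $problems = @()
    if ($cloudCert.Thumbprint -ne $adfsCert.Thumbprint) {
        $problems += "Signing certificate mismatch: cloud $($cloudCert.Thumbprint), AD FS $($adfsCert.Thumbprint). Run Update-MsolFederatedDomain."
    }
    if ($cloud.IssuerUri -ne $adfsIssuer) {
        $problems += "IssuerUri mismatch: cloud '$($cloud.IssuerUri)', AD FS '$adfsIssuer'."
    }
    foreach ($uri in @($cloud.ActiveLogOnUri, $cloud.PassiveLogOnUri, $cloud.MetadataExchangeUri)) {
        if ([string]::IsNullOrEmpty($uri)) { continue }
        $endpoint = [Uri] $uri
        if ($endpoint.Scheme -ne 'https' -or $endpoint.Host -ne $FederationServiceName) {
            $problems += "Endpoint '$uri' is not HTTPS on $FederationServiceName."
        }
    }
    return $problems   # an empty array means the trust is consistent with the farm
}

function Test-DirSyncStatus {
    # Confirms Set-MsolDirSyncEnabled took effect and that a sync finished recently.
    param([int] $MaxAgeHours = 3)   # assumption: DirSync's default schedule was every 3 hours
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) { return 'Directory synchronization is not enabled' }
    if (-not $info.LastDirSyncTime) { return 'Enabled, but no synchronization has completed yet' }
    $age = [DateTime]::UtcNow - $info.LastDirSyncTime
    if ($age.TotalHours -gt $MaxAgeHours) { return "Stale: last sync $([int]$age.TotalHours) h ago" }
    return 'OK'
}

# Usage with placeholder values:
Test-InstallerSignature -Path (Join-Path $PSScriptRoot 'DirSync.exe')
Test-FederationTrust -DomainName 'contoso.com' -FederationServiceName 'sts.contoso.com'
Test-DirSyncStatus
```

Run Test-InstallerSignature before the Start-Process that launches DirSync.exe, and Test-FederationTrust right after New-MsolFederatedDomain and again whenever the AD FS token-signing certificate rolls over, since Azure AD only learns about a new signing key when Update-MsolFederatedDomain is run.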