azure track -01- identities in the cloud
by Els Putzeys

More and more organizations store data in the cloud or use cloud services like Windows Azure and Office 365. For administrators, that means the first task is to create and manage users on these cloud platforms.

In this session we will talk about the options that are available for identity management in Windows Azure, Office 365, Windows Intune, …

Windows Azure AD: Create cloud identities in Azure AD and use these across all cloud services.
Directory Synchronization: Synchronize your on-premises AD users to Windows Azure AD.
Federation: Allow users to sign in with their on-premises AD account when accessing cloud services.

In the demo we will set up directory synchronization and federation using ADFS.

Transcript of "azure track -01- identities in the cloud"

  1. Identities in the Cloud. Els Putzeys
  2. Identities in the Cloud: User Management in Windows Azure
  3. Identity Options
     • Microsoft Online IDs
     • Microsoft Online IDs + Directory Synchronization
     • Federated IDs + Directory Synchronization
  4. Microsoft Online IDs
     • Appropriate for small organizations without on-prem AD
     • Pros
       – No servers required on-premises
     • Cons
       – No SSO
       – 2 sets of credentials to manage with different password policies
       – IDs mastered in the cloud
  5. Microsoft Online IDs + DirSync
     • Appropriate for medium/large organizations with on-prem AD
     • Pros
       – Users and groups mastered on-premises
       – Enables coexistence scenarios
       – Passwords can be synchronized with password sync tool
     • Cons
       – No SSO
       – 2 sets of credentials to maintain
       – DirSync server required on-premises
  6. Federated IDs + DirSync
     • Appropriate for medium/large enterprises with on-prem AD
     • Pros
       – SSO
       – IDs mastered on-prem
       – Password policy controlled on-prem
       – Enables coexistence scenarios
     • Cons
       – Servers required on-premises
  7. Microsoft Online IDs: Windows Azure AD
  8. Windows Azure AD
     • Identity and access management in the cloud
     • Your organization’s cloud directory
       – Used by
         • Windows Azure
         • Office 365
         • Windows Intune
     • Can be integrated with on-premises AD
     • Integration with cloud applications
       – Single sign-on experience
         • App hosted in cloud
         • Users authenticate with corporate credentials
  9. Windows Azure AD [diagram: Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal all manage the Windows Azure AD tenant data]
  10. Windows Azure AD
     • Azure AD is a multi-tenant service
     • Authentication process
       – User accesses a SaaS application
       – User authenticates to Azure with username and password
       – Azure AD returns token
       – Token is sent to SaaS application
       – Application validates token and uses its content
  11. Create Online IDs
     • Windows Azure AD Portal
     • Office 365 Portal
     • Windows PowerShell
  12. DEMO
  13. Microsoft Online IDs + DirSync: Directory Synchronization
  14. Directory Synchronization
     • Synchronize users from on-prem to online
     • User management is done on-prem
     • Password synchronization
       – Synchronize passwords from on-prem to online
     • Users have 1 set of credentials across on-prem and online
       – But 2 accounts
  15. Directory Synchronization [diagram: Customer Network (AD, DirSync) synchronizes to the Windows Azure Datacenter (Azure AD, MS Online IDs) used by Office 365: Exchange Online, SharePoint Online, Lync Online]
  16. DirSync: Preparation
     • Synchronization computer
       – Windows Server 2008 R2 SP1 or Windows Server 2012 (R2)
       – Domain-joined
       – Prerequisite software:
         • .Net Framework 3.5 SP1 and 4.0
         • PowerShell
     • DC Requirements:
       – Forest functional level: Windows Server 2003 or higher
       – Domain Controllers: Windows Server 2003 SP1 or higher
  17. DirSync: Preparation
     • To install DirSync, you need the following permissions:
       – Administrator of the DirSync Server
       – Administrator of the local AD environment
       – Administrator of the Cloud Service
     • DirSync setup creates service account
       – MSOL_AD_SYNC
       – Created in Users container
       – Read from local AD
       – Write to Windows Azure AD
       – Do not move or remove this account!
  18. DirSync: Preparation
     • Initial synchronization
       – All AD objects copied to WAAD
       – Maximum 50000 objects
         • If more, contact support
     • DirSync requires SQL
       – SQL Express
         • < 50000 objects
         • Installed by default
       – Full SQL
         • > 50000 objects
  19. DirSync: Preparation
     • UPN Requirements
       – Every user must have a UPN
       – UPNs must match a validated domain in the cloud
     • Make sure AD contains the correct UPN Suffix
       – Check UPN in the cloud after synchronization
       – Users must use UPN to logon to cloud services
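A pre-sync readiness check for the UPN requirements on slide 19, added here as an example and not part of the deck. It assumes the ActiveDirectory module (RSAT) on the sync server; the list of verified domains is a constructed sample, and the commented Get-MsolDomain call is how to obtain the real one from the tenant.

```powershell
# Added example: find on-prem users that DirSync would not map to a
# verified cloud domain. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Domains verified in the cloud tenant. Constructed sample value; after
# Connect-MsolService the real list is:
#   $verifiedDomains = (Get-MsolDomain -Status Verified).Name
$verifiedDomains = @('fabrikam.com')

# Enabled users are the ones that will sign in; disabled accounts are
# synchronized too and can be checked the same way by dropping the filter.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName

$findings = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        [pscustomobject]@{ Sam = $u.SamAccountName; UPN = ''; Issue = 'No UPN set' }
        continue
    }
    $suffix = ($upn -split '@')[-1]
    if ($verifiedDomains -notcontains $suffix) {
        [pscustomobject]@{
            Sam   = $u.SamAccountName
            UPN   = $upn
            Issue = "Suffix '$suffix' is not a verified cloud domain"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Remediation once the suffix exists in AD Domains and Trusts (uncomment to apply):
    # $findings | ForEach-Object { Set-ADUser $_.Sam -UserPrincipalName "$($_.Sam)@fabrikam.com" }
} else {
    'All enabled users have a UPN with a verified suffix.'
}
```

Run it before the initial synchronization; users listed here would otherwise land in the cloud with the tenant's default onmicrosoft.com suffix and be unable to sign in with the UPN they expect.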
  20. DirSync: Installation
     • Download and install the Directory Sync tool
       – Installation can take up to 10 minutes
  21. DirSync: Configure
     • Start DirSync Configuration wizard
       – Specify Windows Azure AD Credentials
       – Specify AD Credentials
       – Enable hybrid deployment (if required)
         • Gives dirsync service account limited Write permission to on-prem AD
  22. DirSync: Password Sync
     • Password Synchronization
       – Feature of Sync Tool
       – Synchronize on-prem passwords to WAAD
       – Users can use same password in cloud and on-prem
       – No SSO
     • Extract password hash from AD
       – Overwrites cloud password
       – Initial dirsync synchronizes all passwords
       – User changes on-prem password
         • Tool detects and synchronizes (within minutes)
  23. DirSync: Password Sync
     • Password complexity policy
       – On-prem policies override cloud policies for synchronized users
     • Password expiration policy
       – Cloud user password is set to “Never Expire”
  24. DirSync: Manage
     • PowerShell
       – %Program Files%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
       – Add-PSSnapin Coexistence-Configuration
     • Cmdlets:
       – Get-Command -PSSnapin Coexistence-Configuration
  25. DirSync: Synchronize
     • Automatically
       – Every 3 hours
     • Manually
       – PowerShell
         • Start-OnlineCoexistenceSync
       – Configuration Wizard
         • Start menu – Directory Sync Configuration
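Forcing a sync cycle (slide 25) and confirming from the tenant side that it and password sync (slide 22) actually ran, added as an example that is not part of the deck. It assumes it runs on the DirSync server with the MSOnline module installed and a credential with administrator rights in the cloud service; the ten-minute timeout is an assumption.

```powershell
# Added example: trigger DirSync manually and verify the run in Azure AD.
# The Coexistence-Configuration snap-in is the same one the deck's
# DirSyncConfigShell.psc1 console loads.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Azure AD admin')

# Record the tenant's last sync timestamps before the run so a new one can be detected.
$before = Get-MsolCompanyInformation

Add-PSSnapin Coexistence-Configuration
Start-OnlineCoexistenceSync        # starts the run; it does not block until completion

# Poll until the tenant reports a newer LastDirSyncTime, or give up after 10 minutes
# (assumed limit; a 50000-object initial sync takes longer than an incremental one).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $now = Get-MsolCompanyInformation
} until ($now.LastDirSyncTime -gt $before.LastDirSyncTime -or (Get-Date) -gt $deadline)

[pscustomobject]@{
    DirSyncEnabled       = $now.DirectorySynchronizationEnabled
    LastDirSyncTime      = $now.LastDirSyncTime
    LastPasswordSyncTime = $now.LastPasswordSyncTime   # only populated when password sync is on
    Completed            = ($now.LastDirSyncTime -gt $before.LastDirSyncTime)
}
```

A LastPasswordSyncTime that stays empty after a completed run is the first thing to check when users report that the cloud password still does not match the on-prem one.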
  26. DEMO
  27. Federated IDs + Dirsync: Active Directory Federation Services
  28. Federated Identities
     • Across on-prem and cloud services
       – Single identity
       – Single sign-on
     • User management happens on-prem
     • On-prem AD used to:
       – Sign in
       – Authenticate
     • Requires the following services
       – Directory synchronization
       – Federation Service
  29. Identity Federation [diagram: Contoso.com (relying party: DC, web server https://web.contoso.com, STS) and Fabrikam.com (identity provider: DC, STS) joined by a federation trust; a numbered flow 1–10 shows home realm discovery and the security token (ST) being passed between the STSs, the user and the web server; example SAML token claims: Name = Els, Email = Els@Fabrikam.com, Age = 38; STS examples: Shibboleth, AD FS, Azure ACS; identity stores: AD, Unix, Live ID, Google ID, Facebook]
  30. Identity Federation with Azure [diagram: On-Premises Domain (Active Directory, AD FS) and Windows Azure Platform (MS Federation Gateway, Exchange Online); AD FS issues a logon (SAML 1.1) token with UPN user@contoso.com and Source User ID ABC123; the MS Federation Gateway issues an auth token with UPN user@contoso.com and Unique ID 254729]
  31. AD FS Deployment Options
     • Single server configuration
     • AD FS server farm and load-balancer
     • AD FS proxy server or UAG/TMG (External Users, Active Sync, Outlook)
     [diagram: internal users reach the AD FS servers on the internal network; external users reach AD FS proxies in the perimeter network, which forward to the AD FS servers and Active Directory]
  32. Federation: AD FS
     • Requirements:
       – Windows Server 2008 (R2) – 2012 (R2)
       – ADFS 2.0 / ADFS 3.0
       – Public, validated domain name
       – SSL certificate
       – MS Online Services Module for PS
       – MS Online Sign-In Assistant
  33. Federation: AD FS
     • Install ADFS
       – WS2012 (R2): Add roles and features
       – WS2008: Download and install ADFS
  34. Federation: AD FS
     • Run ADFS Configuration Wizard
       – Create new Federation Service
         • Federation farm
         • Stand-alone server
       – Select SSL Certificate
         • ADFS certificate
         • Federation service name: adfs.fabrikam.com
       – Create Host record for the federation service in DNS
  35. Federation: AD FS
     • Install MS Online Sign-In Assistant
     • Install MS Online Services Module for PS
     • Configure Trust with Microsoft Online Services
       – PowerShell
         • Connect-MsolService -Credential $cred
         • Convert-MsolDomainToFederated -DomainName fabrikam.com
  36. Federation: Test
     • Create account in local AD
       – UPN must be your domain name (fabrikam.com)
     • Synchronize account to Azure AD
       – Add application licenses
     • Prepare Client pc
       – Install Sign-In Assistant
       – Add ADFS url to Intranet zone in IE
     • Sign in to client pc as test user
       – Browse to https://portal.microsoftonline.com
       – Enter username (user@fabrikam.com)
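The trust configuration from slide 35 and the licensing step from slide 36 carried through with the checks a practitioner would want before handing the test user to a client, added as an example that is not part of the deck. It assumes the MSOnline module and Sign-In Assistant are installed, that AD FS answers as adfs.fabrikam.com, and a constructed test UPN; the usage location and the choice of the first available SKU are assumptions to replace.

```powershell
# Added example: federate fabrikam.com, verify the tenant sees it as Federated,
# then license the synchronized test user. Assumes the MSOnline module.
Import-Module MSOnline
$cred = Get-Credential -Message 'Azure AD admin'
Connect-MsolService -Credential $cred

# Needed when this runs somewhere other than the AD FS server itself.
Set-MsolAdfscontext -Computer 'adfs.fabrikam.com'

$domain = 'fabrikam.com'
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') {
    throw "$domain must be a verified domain in the tenant before it can be federated."
}
if ($d.Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $domain
}

# The tenant should now report Federated and publish the AD FS endpoints;
# Source shows both the AD FS side and the Office 365 side of the trust.
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
Get-MsolFederationProperty -DomainName $domain |
    Select-Object Source, FederationServiceDisplayName, ActiveLogOnUri, PassiveLogOnUri

# Test user from slide 36: must already have been synchronized by DirSync.
# A usage location is required before a license can be assigned.
$upn = 'testuser@fabrikam.com'                                   # constructed sample
$sku = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId  # assumption: first SKU
Set-MsolUser -UserPrincipalName $upn -UsageLocation 'BE'
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku
# ImmutableId is set for synchronized users; an empty one means the account was
# created in the cloud and AD FS will not be able to sign it in.
Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, IsLicensed, ImmutableId
```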
  37. DEMO
  38. And take home the Lumia 1320. Present your feedback form when you exit the last session & go for the drink. Give Me Feedback
  39. Follow Technet Belgium @technetbelux. Subscribe to the TechNet newsletter aka.ms/benews. Be the first to know
  40. Belgium’s biggest IT PRO Conference