azure track -01- identities in the cloud
Upcoming SlideShare
Loading in...5

azure track -01- identities in the cloud



by Els Putzeys ...

by Els Putzeys

More and more organizations store data in the cloud or use cloud services like Windows Azure and Office 365. For administrators that means your first task is to create and manage users in these cloud platforms.

In this session we will talk about the options that are available for identity management in Windows Azure, Office 365, Windows Intune, …

Windows Azure AD: Create cloud identities in Azure AD and use these across all cloud services.
Directory Synchronization: Synchronize your on-premises AD users to Windows Azure AD.
Federation: Allow users to sign in with their on-premises AD account when accessing cloud services.

In the demo we will setup directory synchronization and federation using ADFS.



Total Views
Views on SlideShare
Embed Views



1 Embed 2 2



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

azure track -01- identities in the cloud azure track -01- identities in the cloud Presentation Transcript

  • Identities in the Cloud Els Putzeys
  • Identities in the Cloud User Management in Windows Azure
  • Identity Options  Microsoft Online IDs  Microsoft Online IDs + Directory Synchronization  Federated IDs + Directory Synchronization
  • Microsoft Online IDs  Appropriate for small organizations without on-prem AD  Pros – No servers required on-premises  Cons – No SSO – 2 sets of credentials to manage with different password policies – IDs mastered in the cloud
  • Microsoft Online IDs + DirSync  Appropriate for medium/large organizations with on-prem AD  Pros – Users and groups mastered on-premises – Enables coexistence scenarios – Passwords can be synchronized with password sync tool  Cons – No SSO – 2 sets of credentials to maintain – DirSync server required on-premises
  • Federated IDs + DirSync  Appropriate for medium/large enterprises with on-prem AD  Pros – SSO – IDs mastered on-prem – Password policy controlled on-prem – Enables coexistence scenarios  Cons – Servers required on-premises
  • Microsoft Online IDs Windows Azure AD
  • Windows Azure AD  Identity and access management in the cloud  Your organization’s cloud directory – Used by • Windows Azure • Office 365 • Windows Intune  Can be integrated with on-premises AD  Integration with cloud applications – Single sign-on experience • App hosted in cloud • Users authenticate with corporate credentials
  • Windows Azure AD Windows PowerShell Office 365 Account Portal Windows Intune Account Portal Windows Azure AD Portal Windows Azure AD Tenant data
  • Windows Azure AD  Azure AD is a multi-tenant service  Authentication process – User accesses a SaaS application – User authenticates to Azure with username and password – Azure AD returns token – Token is sent to SaaS application – Application validates token and uses its content
  • Create Online IDs  Windows Azure AD Portal  Office 365 Portal  Windows PowerShell
  • DEMO
  • Microsoft Online IDs + DirSync Directory Synchronization
  • Directory Synchronization  Synchronize users from on-prem to online  User management is done on-prem  Password synchronization – Synchronize passwords from on-prem to online  Users have 1 set of credentials across on-prem and online – But 2 accounts
  • Directory Synchronization Customer Network Windows Azure Datacenter AD DirSync Azure AD MS Online IDs Office 365 Exchange Online SharePoint Online Lync Online
  • DirSync: Preparation  Synchronization computer – Windows Server 2008 R2 SP1 or Windows Server 2012 (R2) – Domain-joined – Prerequisite software:  .Net Framework 3.5 SP1 and 4.0  PowerShell  DC Requirements: – Forest functional level:  Windows Server 2003 or higher – Domain Controllers:  Windows Server 2003 SP1 or higher
  • DirSync: Preparation  To install DirSync, you need the following permissions: – Administrator of the DirSync Server – Administrator of the local AD environment – Administrator of the Cloud Service  DirSync setup creates service account – MSOL_AD_SYNC – Created in Users container – Read from local AD – Write to Windows Azure AD – Do not move or remove this account!
  • DirSync: Preparation  Initial synchronization – All AD objects copied to WAAD – Maximum 50000 objects  If more, contact support  DirSync requires SQL – SQL Express  < 50000 objects  Installed by default – Full SQL  > 50000 objects
  • DirSync: Preparation  UPN Requirements – Every user must have a UPN – UPNs must match a validated domain in the cloud  Make sure AD contains the correct UPN Suffix – Check UPN in the cloud after synchronization – Users must use UPN to logon to cloud services
  • DirSync: Installation  Download and install the Directory Sync tool – Installation can take up to 10 minutes
  • DirSync: Configure  Start DirSync Configuration wizard – Specify Windows Azure AD Credentials – Specify AD Credentials – Enable hybrid deployment (if required)  Gives dirsync service account limited Write permission to on-prem AD
  • DirSync: Password Sync  Password Synchronization – Feature of Sync Tool – Synchronize on-prem passwords to WAAD – Users can use same password in cloud and on-prem – No SSO  Extract password hash from AD – Overwrites cloud password – Initial dirsync synchronizes all passwords – User changes on-prem password • Tool detects and synchronizes (within minutes)
  • DirSync: Password Sync  Password complexity policy – On-prem policies override cloud policies for synchronized users  Password expiration policy – Cloud user password is set to “Never Expire”
  • DirSync: Manage • PowerShell – %Program Files%Windows Azure Active Directory SyncDirSyncConfigShell.psc1 – Add-PSSnapin Coexistence-Configuration • Cmdlets: – Get-Command –Pssnapin Coexistence-Configuration
  • DirSync: Synchronize  Automatically – Every 3 hours  Manually – PowerShell • Start-OnlineCoexistenceSync – Configuration Wizard • Start menu – Directory Sync Configuration
  • DEMO
  • Federated IDs + Dirsync Active Directory Federation Services
  • Federated Identities  Across on-prem and cloud services – Single identity – Single sign-on  User management happens on-prem  On-prem AD used to: – Sign in – Authenticate  Requires the following services – Directory synchronization – Federation Service
  • Identity Federation AD Contoso. com AD Fabrikam .com DC DCWeb Server Relying Party Identity Provider Federation Trust STSSTS Shibboleth AD FS Azure ACS AD Unix Live ID Google ID Facebook SAML Token Claims: Name = Els Email = Els Age = 38 Security Token 1 2 3 4 Home realm discovery 5 7 6 ST 8 ST ST 9 ST 10
  • Identity Federation with Azure Active Directory AD FS MS Federation Gateway Exchange Online Auth Token Unique ID: 254729 Logon (SAML 1.1) Token Source User ID: ABC123 Windows Azure PlatformOn-Premises Domain
  • AD FS Deployment Options  Single server configuration  AD FS server farm and load-balancer  AD FS proxy server or UAG/TMG (External Users, Active Sync, Outlook) Internal User AD FS Server AD FS Server Active Directory External User AD FS Proxy AD FS Proxy Perimeter NetworkInternal Network
  • Federation: AD FS  Requirements: – Windows Server 2008 (R2) – 2012 (R2) – ADFS 2.0 / ADFS 3.0 – Public, validated domain name – SSL certificate – MS Online Services Module for PS – MS Online Sign-In Assistant
  • Federation: AD FS • Install ADFS – WS2012 (R2): Add roles and features – WS2008: Download and install ADFS
  • Federation: AD FS  Run ADFS Configuration Wizard – Create new Federation Service • Federation farm • Stand-alone server – Select SSL Certificate • ADFS certificate • Federation service name: – Create Host record for the federation service in DNS
  • Federation: AD FS  Install MS Online Sign-In Assistant  Install MS Online Services Module for PS  Configure Trust with Microsoft Online Services – PowerShell • Connect-MsolService –Credential $cred • Convert-MsolDomainToFederated –DomainName
  • Federation: Test • Create account in local AD – UPN must be your domain name ( • Synchronize account to Azure AD – Add application licenses • Prepare Client pc – Install Sign-In Assistant – Add ADFS url to Intranet zone in IE • Sign in to client pc as test user – Browse to – Enter username (
  • DEMO
  • And take home the Lumia 1320 Present your feedback form when you exit the last session & go for the drink Give Me Feedback
  • Follow Technet Belgium @technetbelux Subscribe to the TechNet newsletter Be the first to know
  • Belgiums’ biggest IT PRO Conference