SlideShare a Scribd company logo

azure track -01- identities in the cloud

Download as PPTX, PDF
ITProceed
ITProceed

by Els Putzeys More and more organizations store data in the cloud or use cloud services like Windows Azure and Office 365. For administrators that means your first task is to create and manage users in these cloud platforms. In this session we will talk about the options that are available for identity management in Windows Azure, Office 365, Windows Intune, … Windows Azure AD: Create cloud identities in Azure AD and use these across all cloud services. Directory Synchronization: Synchronize your on-premises AD users to Windows Azure AD. Federation: Allow users to sign in with their on-premises AD account when accessing cloud services. In the demo we will setup directory synchronization and federation using ADFS.

Technology
1 of 40
Identities in the Cloud Els Putzeys
Identities in the Cloud User Management in Windows Azure
Identity Options  Microsoft Online IDs  Microsoft Online IDs + Directory Synchronization  Federated IDs + Directory Synchronization
Microsoft Online IDs  Appropriate for small organizations without on-prem AD  Pros – No servers required on-premises  Cons – No SSO – 2 sets of credentials to manage with different password policies – IDs mastered in the cloud
Microsoft Online IDs + DirSync  Appropriate for medium/large organizations with on-prem AD  Pros – Users and groups mastered on-premises – Enables coexistence scenarios – Passwords can be synchronized with password sync tool  Cons – No SSO – 2 sets of credentials to maintain – DirSync server required on-premises
Federated IDs + DirSync  Appropriate for medium/large enterprises with on-prem AD  Pros – SSO – IDs mastered on-prem – Password policy controlled on-prem – Enables coexistence scenarios  Cons – Servers required on-premises
Microsoft Online IDs Windows Azure AD
Windows Azure AD  Identity and access management in the cloud  Your organization’s cloud directory – Used by • Windows Azure • Office 365 • Windows Intune  Can be integrated with on-premises AD  Integration with cloud applications – Single sign-on experience • App hosted in cloud • Users authenticate with corporate credentials
Windows Azure AD Windows PowerShell Office 365 Account Portal Windows Intune Account Portal Windows Azure AD Portal Windows Azure AD Tenant data
Windows Azure AD  Azure AD is a multi-tenant service  Authentication process – User accesses a SaaS application – User authenticates to Azure with username and password – Azure AD returns token – Token is sent to SaaS application – Application validates token and uses its content
Create Online IDs  Windows Azure AD Portal  Office 365 Portal  Windows PowerShell
DEMO
Microsoft Online IDs + DirSync Directory Synchronization
Directory Synchronization  Synchronize users from on-prem to online  User management is done on-prem  Password synchronization – Synchronize passwords from on-prem to online  Users have 1 set of credentials across on-prem and online – But 2 accounts
Directory Synchronization Customer Network Windows Azure Datacenter AD DirSync Azure AD MS Online IDs Office 365 Exchange Online SharePoint Online Lync Online
DirSync: Preparation  Synchronization computer – Windows Server 2008 R2 SP1 or Windows Server 2012 (R2) – Domain-joined – Prerequisite software:  .Net Framework 3.5 SP1 and 4.0  PowerShell  DC Requirements: – Forest functional level:  Windows Server 2003 or higher – Domain Controllers:  Windows Server 2003 SP1 or higher
DirSync: Preparation  To install DirSync, you need the following permissions: – Administrator of the DirSync Server – Administrator of the local AD environment – Administrator of the Cloud Service  DirSync setup creates service account – MSOL_AD_SYNC – Created in Users container – Read from local AD – Write to Windows Azure AD – Do not move or remove this account!
DirSync: Preparation  Initial synchronization – All AD objects copied to WAAD – Maximum 50000 objects  If more, contact support  DirSync requires SQL – SQL Express  < 50000 objects  Installed by default – Full SQL  > 50000 objects
DirSync: Preparation  UPN Requirements – Every user must have a UPN – UPNs must match a validated domain in the cloud  Make sure AD contains the correct UPN Suffix – Check UPN in the cloud after synchronization – Users must use UPN to logon to cloud services
DirSync: Installation  Download and install the Directory Sync tool – Installation can take up to 10 minutes
DirSync: Configure  Start DirSync Configuration wizard – Specify Windows Azure AD Credentials – Specify AD Credentials – Enable hybrid deployment (if required)  Gives dirsync service account limited Write permission to on-prem AD
DirSync: Password Sync  Password Synchronization – Feature of Sync Tool – Synchronize on-prem passwords to WAAD – Users can use same password in cloud and on-prem – No SSO  Extract password hash from AD – Overwrites cloud password – Initial dirsync synchronizes all passwords – User changes on-prem password • Tool detects and synchronizes (within minutes)
DirSync: Password Sync  Password complexity policy – On-prem policies override cloud policies for synchronized users  Password expiration policy – Cloud user password is set to “Never Expire”
DirSync: Manage • PowerShell – %Program Files%Windows Azure Active Directory SyncDirSyncConfigShell.psc1 – Add-PSSnapin Coexistence-Configuration • Cmdlets: – Get-Command –Pssnapin Coexistence-Configuration
DirSync: Synchronize  Automatically – Every 3 hours  Manually – PowerShell • Start-OnlineCoexistenceSync – Configuration Wizard • Start menu – Directory Sync Configuration
DEMO
Federated IDs + Dirsync Active Directory Federation Services
Federated Identities  Across on-prem and cloud services – Single identity – Single sign-on  User management happens on-prem  On-prem AD used to: – Sign in – Authenticate  Requires the following services – Directory synchronization – Federation Service
Identity Federation AD Contoso. com AD Fabrikam .com DC DCWeb Server Relying Party Identity Provider Federation Trust STSSTS Shibboleth AD FS Azure ACS AD Unix Live ID Google ID Facebook SAML Token Claims: Name = Els Email = Els @Fabrikam.com Age = 38 Security Token https://web.contoso.com 1 2 3 4 Home realm discovery 5 7 6 ST 8 ST ST 9 ST 10
Identity Federation with Azure Active Directory AD FS MS Federation Gateway Exchange Online Auth Token UPN:user@contoso.com Unique ID: 254729 Logon (SAML 1.1) Token UPN:user@contoso.com Source User ID: ABC123 Windows Azure PlatformOn-Premises Domain
AD FS Deployment Options  Single server configuration  AD FS server farm and load-balancer  AD FS proxy server or UAG/TMG (External Users, Active Sync, Outlook) Internal User AD FS Server AD FS Server Active Directory External User AD FS Proxy AD FS Proxy Perimeter NetworkInternal Network
Federation: AD FS  Requirements: – Windows Server 2008 (R2) – 2012 (R2) – ADFS 2.0 / ADFS 3.0 – Public, validated domain name – SSL certificate – MS Online Services Module for PS – MS Online Sign-In Assistant
Federation: AD FS • Install ADFS – WS2012 (R2): Add roles and features – WS2008: Download and install ADFS
Federation: AD FS  Run ADFS Configuration Wizard – Create new Federation Service • Federation farm • Stand-alone server – Select SSL Certificate • ADFS certificate • Federation service name: adfs.fabrikam.com – Create Host record for the federation service in DNS
Federation: AD FS  Install MS Online Sign-In Assistant  Install MS Online Services Module for PS  Configure Trust with Microsoft Online Services – PowerShell • Connect-MsolService –Credential $cred • Convert-MsolDomainToFederated –DomainName fabrikam.com
Federation: Test • Create account in local AD – UPN must be your domain name (fabrikam.com) • Synchronize account to Azure AD – Add application licenses • Prepare Client pc – Install Sign-In Assistant – Add ADFS url to Intranet zone in IE • Sign in to client pc as test user – Browse to https://portal.microsoftonline.com – Enter username (user@fabrikam.com)
DEMO
And take home the Lumia 1320 Present your feedback form when you exit the last session & go for the drink Give Me Feedback
Follow Technet Belgium @technetbelux Subscribe to the TechNet newsletter aka.ms/benews Be the first to know
Belgiums’ biggest IT PRO Conference

Recommended

Office 365: Do’s and Don’ts, Lessons learned from the field
Office 365: Do’s and Don’ts, Lessons learned from the fieldOffice 365: Do’s and Don’ts, Lessons learned from the field
Office 365: Do’s and Don’ts, Lessons learned from the field
Microsoft TechNet - Belgium and Luxembourg
 
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
ITPROCEED_WorkplaceMobility_Windows 10 in the enterpriseITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
ITProceed
 
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITProceed
 
The Internet of your things by Jan Tielens
The Internet of your things by Jan TielensThe Internet of your things by Jan Tielens
The Internet of your things by Jan Tielens
ITProceed
 
Optimal Azure Database Development by Karel Coenye
Optimal Azure Database Development by Karel Coenye Optimal Azure Database Development by Karel Coenye
Optimal Azure Database Development by Karel Coenye
ITProceed
 
Azure SQL DB V12 at your service by Pieter Vanhove
Azure SQL DB V12 at your service by Pieter VanhoveAzure SQL DB V12 at your service by Pieter Vanhove
Azure SQL DB V12 at your service by Pieter Vanhove
ITProceed
 
Azure stream analytics by Nico Jacobs
Azure stream analytics by Nico JacobsAzure stream analytics by Nico Jacobs
Azure stream analytics by Nico Jacobs
ITProceed
 
ITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteApp
ITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteAppITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteApp
ITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteApp
ITProceed
 

Recommended

Office 365: Do’s and Don’ts, Lessons learned from the field
Office 365: Do’s and Don’ts, Lessons learned from the fieldOffice 365: Do’s and Don’ts, Lessons learned from the field
Office 365: Do’s and Don’ts, Lessons learned from the field
Microsoft TechNet - Belgium and Luxembourg
 
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
ITPROCEED_WorkplaceMobility_Windows 10 in the enterpriseITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
ITProceed
 
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITProceed
 
The Internet of your things by Jan Tielens
The Internet of your things by Jan TielensThe Internet of your things by Jan Tielens
The Internet of your things by Jan Tielens
ITProceed
 
Optimal Azure Database Development by Karel Coenye
Optimal Azure Database Development by Karel Coenye Optimal Azure Database Development by Karel Coenye
Optimal Azure Database Development by Karel Coenye
ITProceed
 
Azure SQL DB V12 at your service by Pieter Vanhove
Azure SQL DB V12 at your service by Pieter VanhoveAzure SQL DB V12 at your service by Pieter Vanhove
Azure SQL DB V12 at your service by Pieter Vanhove
ITProceed
 
Azure stream analytics by Nico Jacobs
Azure stream analytics by Nico JacobsAzure stream analytics by Nico Jacobs
Azure stream analytics by Nico Jacobs
ITProceed
 
ITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteApp
ITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteAppITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteApp
ITPROCEED_WorkplaceMobility_Delivering applications with Azure RemoteApp
ITProceed
 
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITProceed
 
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITProceed
 
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITProceed
 
ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...
ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...
ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...
ITProceed
 
Office Track: Information Protection and Control in Exchange Online/On Premis...
Office Track: Information Protection and Control in Exchange Online/On Premis...Office Track: Information Protection and Control in Exchange Online/On Premis...
Office Track: Information Protection and Control in Exchange Online/On Premis...
ITProceed
 
Office Track: Exchange 2013 in the real world - Michael Van Horenbeeck
Office Track: Exchange 2013 in the real world - Michael Van HorenbeeckOffice Track: Exchange 2013 in the real world - Michael Van Horenbeeck
Office Track: Exchange 2013 in the real world - Michael Van Horenbeeck
ITProceed
 
Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...
Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...
Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...
ITProceed
 
Office Track: Lync & Skype Federation v2 Deep Dive - Johan Delimon
Office Track: Lync & Skype Federation v2 Deep Dive - Johan DelimonOffice Track: Lync & Skype Federation v2 Deep Dive - Johan Delimon
Office Track: Lync & Skype Federation v2 Deep Dive - Johan Delimon
ITProceed
 
Office Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim Borgers
Office Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim BorgersOffice Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim Borgers
Office Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim Borgers
ITProceed
 
Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
Office Track: SharePoint Apps for the IT Pro - Thomas VochtenOffice Track: SharePoint Apps for the IT Pro - Thomas Vochten
Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
ITProceed
 
SQL Track: Restoring databases with powershell
SQL Track: Restoring databases with powershellSQL Track: Restoring databases with powershell
SQL Track: Restoring databases with powershell
ITProceed
 
SQL Track: Get more out of your data visualizations
SQL Track: Get more out of your data visualizationsSQL Track: Get more out of your data visualizations
SQL Track: Get more out of your data visualizations
ITProceed
 
SQL Track: SQL Server unleashed meet SQL Server's extreme sides
SQL Track: SQL Server unleashed meet SQL Server's extreme sidesSQL Track: SQL Server unleashed meet SQL Server's extreme sides
SQL Track: SQL Server unleashed meet SQL Server's extreme sides
ITProceed
 
SQL Track: In Memory OLTP in SQL Server
SQL Track: In Memory OLTP in SQL ServerSQL Track: In Memory OLTP in SQL Server
SQL Track: In Memory OLTP in SQL Server
ITProceed
 
SQL Track: Hybrid cloud with sql server 2014
SQL Track: Hybrid cloud with sql server 2014SQL Track: Hybrid cloud with sql server 2014
SQL Track: Hybrid cloud with sql server 2014
ITProceed
 
SQL: Enough business intelligence time for administration intelligence
SQL: Enough business intelligence time for administration intelligenceSQL: Enough business intelligence time for administration intelligence
SQL: Enough business intelligence time for administration intelligence
ITProceed
 
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
ITProceed
 
Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...
Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...
Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...
ITProceed
 
Sysctr Track: SMA, the hybrid provisioning engine for public clouds
Sysctr Track: SMA, the hybrid provisioning engine for public cloudsSysctr Track: SMA, the hybrid provisioning engine for public clouds
Sysctr Track: SMA, the hybrid provisioning engine for public clouds
ITProceed
 
Sysctr Track: Unified Device Management: It’s all about the experience
Sysctr Track: Unified Device Management: It’s all about the experienceSysctr Track: Unified Device Management: It’s all about the experience
Sysctr Track: Unified Device Management: It’s all about the experience
ITProceed
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

More Related Content

More from ITProceed

ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITProceed
 
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITProceed
 
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITProceed
 
SQL Track: SQL Server unleashed meet SQL Server's extreme sides
SQL Track: SQL Server unleashed meet SQL Server's extreme sidesSQL Track: SQL Server unleashed meet SQL Server's extreme sides
SQL Track: SQL Server unleashed meet SQL Server's extreme sides
ITProceed
 
Sysctr Track: Unified Device Management: It’s all about the experience
Sysctr Track: Unified Device Management: It’s all about the experienceSysctr Track: Unified Device Management: It’s all about the experience
Sysctr Track: Unified Device Management: It’s all about the experience
ITProceed
 

More from ITProceed (20)

ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
ITPROCEED_TransformTheDatacenter_Automate yourself service management like a ...
 
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
ITPROCEED_WorkplaceMobility_Creating a seamless experience with ue v and wind...
 
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...
 
ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...
ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...
ITPROCEED2015_WorkplaceMobility_Configuration Manager 2012’s latest Service P...
 
Office Track: Information Protection and Control in Exchange Online/On Premis...
Office Track: Information Protection and Control in Exchange Online/On Premis...Office Track: Information Protection and Control in Exchange Online/On Premis...
Office Track: Information Protection and Control in Exchange Online/On Premis...
 
Office Track: Exchange 2013 in the real world - Michael Van Horenbeeck
Office Track: Exchange 2013 in the real world - Michael Van HorenbeeckOffice Track: Exchange 2013 in the real world - Michael Van Horenbeeck
Office Track: Exchange 2013 in the real world - Michael Van Horenbeeck
 
Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...
Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...
Office Track: SharePoint Online Migration - Asses, Prepare, Migrate & Support...
 
Office Track: Lync & Skype Federation v2 Deep Dive - Johan Delimon
Office Track: Lync & Skype Federation v2 Deep Dive - Johan DelimonOffice Track: Lync & Skype Federation v2 Deep Dive - Johan Delimon
Office Track: Lync & Skype Federation v2 Deep Dive - Johan Delimon
 
Office Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim Borgers
Office Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim BorgersOffice Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim Borgers
Office Track: Lync in a VDI Infrastructure - Ruben Nauwelaers & Wim Borgers
 
Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
Office Track: SharePoint Apps for the IT Pro - Thomas VochtenOffice Track: SharePoint Apps for the IT Pro - Thomas Vochten
Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
 
SQL Track: Restoring databases with powershell
SQL Track: Restoring databases with powershellSQL Track: Restoring databases with powershell
SQL Track: Restoring databases with powershell
 
SQL Track: Get more out of your data visualizations
SQL Track: Get more out of your data visualizationsSQL Track: Get more out of your data visualizations
SQL Track: Get more out of your data visualizations
 
SQL Track: SQL Server unleashed meet SQL Server's extreme sides
SQL Track: SQL Server unleashed meet SQL Server's extreme sidesSQL Track: SQL Server unleashed meet SQL Server's extreme sides
SQL Track: SQL Server unleashed meet SQL Server's extreme sides
 
SQL Track: In Memory OLTP in SQL Server
SQL Track: In Memory OLTP in SQL ServerSQL Track: In Memory OLTP in SQL Server
SQL Track: In Memory OLTP in SQL Server
 
SQL Track: Hybrid cloud with sql server 2014
SQL Track: Hybrid cloud with sql server 2014SQL Track: Hybrid cloud with sql server 2014
SQL Track: Hybrid cloud with sql server 2014
 
SQL: Enough business intelligence time for administration intelligence
SQL: Enough business intelligence time for administration intelligenceSQL: Enough business intelligence time for administration intelligence
SQL: Enough business intelligence time for administration intelligence
 
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
 
Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...
Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...
Sysctr Track: Can SCOM monitor other stuff than Windows thingies Euhm yes it ...
 
Sysctr Track: SMA, the hybrid provisioning engine for public clouds
Sysctr Track: SMA, the hybrid provisioning engine for public cloudsSysctr Track: SMA, the hybrid provisioning engine for public clouds
Sysctr Track: SMA, the hybrid provisioning engine for public clouds
 
Sysctr Track: Unified Device Management: It’s all about the experience
Sysctr Track: Unified Device Management: It’s all about the experienceSysctr Track: Unified Device Management: It’s all about the experience
Sysctr Track: Unified Device Management: It’s all about the experience
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

azure track -01- identities in the cloud

  • 1. Identities in the Cloud Els Putzeys
  • 2. Identities in the Cloud User Management in Windows Azure
  • 3. Identity Options  Microsoft Online IDs  Microsoft Online IDs + Directory Synchronization  Federated IDs + Directory Synchronization
  • 4. Microsoft Online IDs  Appropriate for small organizations without on-prem AD  Pros – No servers required on-premises  Cons – No SSO – 2 sets of credentials to manage with different password policies – IDs mastered in the cloud
  • 5. Microsoft Online IDs + DirSync  Appropriate for medium/large organizations with on-prem AD  Pros – Users and groups mastered on-premises – Enables coexistence scenarios – Passwords can be synchronized with password sync tool  Cons – No SSO – 2 sets of credentials to maintain – DirSync server required on-premises
  • 6. Federated IDs + DirSync  Appropriate for medium/large enterprises with on-prem AD  Pros – SSO – IDs mastered on-prem – Password policy controlled on-prem – Enables coexistence scenarios  Cons – Servers required on-premises
  • 8. Windows Azure AD  Identity and access management in the cloud  Your organization’s cloud directory – Used by • Windows Azure • Office 365 • Windows Intune  Can be integrated with on-premises AD  Integration with cloud applications – Single sign-on experience • App hosted in cloud • Users authenticate with corporate credentials
  • 9. Windows Azure AD Windows PowerShell Office 365 Account Portal Windows Intune Account Portal Windows Azure AD Portal Windows Azure AD Tenant data
  • 10. Windows Azure AD  Azure AD is a multi-tenant service  Authentication process – User accesses a SaaS application – User authenticates to Azure with username and password – Azure AD returns token – Token is sent to SaaS application – Application validates token and uses its content
  • 11. Create Online IDs  Windows Azure AD Portal  Office 365 Portal  Windows PowerShell
  • 12. DEMO
  • 13. Microsoft Online IDs + DirSync Directory Synchronization
  • 14. Directory Synchronization  Synchronize users from on-prem to online  User management is done on-prem  Password synchronization – Synchronize passwords from on-prem to online  Users have 1 set of credentials across on-prem and online – But 2 accounts
  • 15. Directory Synchronization Customer Network Windows Azure Datacenter AD DirSync Azure AD MS Online IDs Office 365 Exchange Online SharePoint Online Lync Online
  • 16. DirSync: Preparation  Synchronization computer – Windows Server 2008 R2 SP1 or Windows Server 2012 (R2) – Domain-joined – Prerequisite software:  .Net Framework 3.5 SP1 and 4.0  PowerShell  DC Requirements: – Forest functional level:  Windows Server 2003 or higher – Domain Controllers:  Windows Server 2003 SP1 or higher
  • 17. DirSync: Preparation  To install DirSync, you need the following permissions: – Administrator of the DirSync Server – Administrator of the local AD environment – Administrator of the Cloud Service  DirSync setup creates service account – MSOL_AD_SYNC – Created in Users container – Read from local AD – Write to Windows Azure AD – Do not move or remove this account!
  • 18. DirSync: Preparation  Initial synchronization – All AD objects copied to WAAD – Maximum 50000 objects  If more, contact support  DirSync requires SQL – SQL Express  < 50000 objects  Installed by default – Full SQL  > 50000 objects
  • 19. DirSync: Preparation  UPN Requirements – Every user must have a UPN – UPNs must match a validated domain in the cloud  Make sure AD contains the correct UPN Suffix – Check UPN in the cloud after synchronization – Users must use UPN to logon to cloud services
  • 20. DirSync: Installation  Download and install the Directory Sync tool – Installation can take up to 10 minutes
  • 21. DirSync: Configure  Start DirSync Configuration wizard – Specify Windows Azure AD Credentials – Specify AD Credentials – Enable hybrid deployment (if required)  Gives dirsync service account limited Write permission to on-prem AD
  • 22. DirSync: Password Sync  Password Synchronization – Feature of Sync Tool – Synchronize on-prem passwords to WAAD – Users can use same password in cloud and on-prem – No SSO  Extract password hash from AD – Overwrites cloud password – Initial dirsync synchronizes all passwords – User changes on-prem password • Tool detects and synchronizes (within minutes)
  • 23. DirSync: Password Sync  Password complexity policy – On-prem policies override cloud policies for synchronized users  Password expiration policy – Cloud user password is set to “Never Expire”
  • 24. DirSync: Manage • PowerShell – %Program Files%Windows Azure Active Directory SyncDirSyncConfigShell.psc1 – Add-PSSnapin Coexistence-Configuration • Cmdlets: – Get-Command –Pssnapin Coexistence-Configuration
  • 25. DirSync: Synchronize  Automatically – Every 3 hours  Manually – PowerShell • Start-OnlineCoexistenceSync – Configuration Wizard • Start menu – Directory Sync Configuration
  • 26. DEMO
  • 27. Federated IDs + Dirsync Active Directory Federation Services
  • 28. Federated Identities  Across on-prem and cloud services – Single identity – Single sign-on  User management happens on-prem  On-prem AD used to: – Sign in – Authenticate  Requires the following services – Directory synchronization – Federation Service
  • 29. Identity Federation AD Contoso. com AD Fabrikam .com DC DCWeb Server Relying Party Identity Provider Federation Trust STSSTS Shibboleth AD FS Azure ACS AD Unix Live ID Google ID Facebook SAML Token Claims: Name = Els Email = Els @Fabrikam.com Age = 38 Security Token https://web.contoso.com 1 2 3 4 Home realm discovery 5 7 6 ST 8 ST ST 9 ST 10
  • 30. Identity Federation with Azure Active Directory AD FS MS Federation Gateway Exchange Online Auth Token UPN:user@contoso.com Unique ID: 254729 Logon (SAML 1.1) Token UPN:user@contoso.com Source User ID: ABC123 Windows Azure PlatformOn-Premises Domain
  • 31. AD FS Deployment Options  Single server configuration  AD FS server farm and load-balancer  AD FS proxy server or UAG/TMG (External Users, Active Sync, Outlook) Internal User AD FS Server AD FS Server Active Directory External User AD FS Proxy AD FS Proxy Perimeter NetworkInternal Network
  • 32. Federation: AD FS  Requirements: – Windows Server 2008 (R2) – 2012 (R2) – ADFS 2.0 / ADFS 3.0 – Public, validated domain name – SSL certificate – MS Online Services Module for PS – MS Online Sign-In Assistant
  • 33. Federation: AD FS • Install ADFS – WS2012 (R2): Add roles and features – WS2008: Download and install ADFS
  • 34. Federation: AD FS  Run ADFS Configuration Wizard – Create new Federation Service • Federation farm • Stand-alone server – Select SSL Certificate • ADFS certificate • Federation service name: adfs.fabrikam.com – Create Host record for the federation service in DNS
  • 35. Federation: AD FS  Install MS Online Sign-In Assistant  Install MS Online Services Module for PS  Configure Trust with Microsoft Online Services – PowerShell • Connect-MsolService –Credential $cred • Convert-MsolDomainToFederated –DomainName fabrikam.com
  • 36. Federation: Test • Create account in local AD – UPN must be your domain name (fabrikam.com) • Synchronize account to Azure AD – Add application licenses • Prepare Client pc – Install Sign-In Assistant – Add ADFS url to Intranet zone in IE • Sign in to client pc as test user – Browse to https://portal.microsoftonline.com – Enter username (user@fabrikam.com)
  • 37. DEMO
  • 38. And take home the Lumia 1320 Present your feedback form when you exit the last session & go for the drink Give Me Feedback
  • 39. Follow Technet Belgium @technetbelux Subscribe to the TechNet newsletter aka.ms/benews Be the first to know
  • 40. Belgiums’ biggest IT PRO Conference