
How to Integrate AWS Directory Service with Office365 - AWS Online Tech Talks

Learning Objectives:
- How to deploy Microsoft Azure AD Connect and AD Federation Services with AWS Directory Service for Microsoft AD
- How to authenticate user access to Office365 using AWS Directory Service for Microsoft AD
- How to design and deploy AWS Directory Service for Microsoft AD

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ron Cully, AWS Directory Service, October 27, 2017. How to Integrate AWS Directory Service with Office 365
  2. What We Will Cover
     • What AWS Directory Service for Microsoft Active Directory is (AWS Microsoft AD)
     • Models for authenticating Office 365 with Active Directory (AD) credentials
     • AWS Microsoft AD deployment models when using Office 365
     • Step-by-step set-up: use Azure AD Connect and Active Directory Federation Service with AWS Microsoft AD
  3. What AWS Microsoft AD Is: AWS-managed, actual Microsoft Active Directory on Windows 2012 R2 domain controllers (DCs)
     • ~3-click setup from the Directory Service console, or scripted through the API
     • 2 DCs, each in a separate Availability Zone (AZ)
     • Scale out with additional DCs
     • Dynamic DNS
     • Compliance audited: Healthcare Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI)
     [Diagram: two Availability Zones, each with a private subnet (10.0.2.0/24) holding an EC2 app server and an EC2 IIS server that authenticate (Auth/LDAP) against an AWS Managed Microsoft AD DC]
  4. AWS Microsoft AD: Shared Responsibilities
     • Customer administers: configure password policies; configure trusts (resource forest deployment); configure Certificate Authorities (for LDAPS); configure federation; administer users, groups, GPOs and other AD content; administer via Active Directory Users and Computers (ADUC) and other standard AD tools; add domain controllers as needed
     • Amazon operates: multi-AZ deployment, patching, monitoring, DC recovery, snapshot and restore
     [Diagram: same two-AZ layout as slide 3]
  5. AWS Microsoft AD: Two Editions
     • Storage capacity: Enterprise Edition 17 GB; Standard Edition 1 GB
     • Performance optimized for: Enterprise Edition 100,000+ employees; Standard Edition up to ~5,000 employees
     • Enterprise Edition = Standard Edition plus enterprise features (currently the same features)
     • Priced per DC per hour (2 DC minimum); 30-day limited free trial
  6. Authenticating Office 365 Using Active Directory
     Model 1: Synchronized usernames and passwords
     • Azure AD Connect synchronizes users and passwords to Azure AD
     • Office 365 users log in to Azure AD with the same username and password
     • Issue: requires domain admin privileges in AD; not possible with AWS Microsoft AD
     Model 2: Synchronized usernames with pass-through authentication to AD
     • Azure AD Connect synchronizes usernames to Azure AD
     • Office 365 users log in to AD with their AD credentials
     • Issue: unsupportable by AWS while in preview
     Model 3: Synchronized usernames with Active Directory Federation Service (AD FS) authentication
     • Azure AD Connect synchronizes usernames to Azure AD
     • Office 365 users log in to AD using federated authentication through AD FS
     • Works with AWS Microsoft AD and also supports other SAML-based cloud applications
  8. AWS Microsoft AD as a resource directory
     [Diagram: the AWS Microsoft AD directory enables, authenticates and authorizes AWS apps and services (Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, AWS Management Console, Amazon Chime, Amazon Connect) and manages, authenticates and authorizes AD-aware workloads on Amazon EC2 Windows and Linux instances (.NET application server, SharePoint Server, SQL Server, Remote Desktop Licensing Manager, Enterprise Certificate Authority / Certificate Services). User credentials remain in on-premises Microsoft Active Directory in the corporate data center, linked over VPN or Direct Connect. An AD FS server and an Azure AD Connect server synchronize users to Azure AD, which SAML-authenticates SaaS applications.]
  9. AWS Microsoft AD as a primary directory
     [Diagram: same AWS apps, services and AD-aware workloads as slide 8, but the user credentials live in the AWS Microsoft AD directory itself. An AD FS server and an Azure AD Connect server on Amazon EC2 federate (AD FS) and synchronize (ADSync) users to Azure AD for SAML authentication of SaaS applications; an on-premises Active Directory over VPN or Direct Connect is optional.]
  10. Set Up Environment (Prerequisites)
     1. Create the AWS Microsoft AD directory
     2. Join an EC2 Windows server to the AWS Microsoft AD domain (admin instance, "management")
     3. Install AD Administration tools on EC2*
     4. Join an EC2 Windows server to the AWS Microsoft AD domain (AD FS instance, "adfsserver", Windows Server 2016)*
     5. Join an EC2 Windows server to the AWS Microsoft AD domain (Azure AD Connect instance, "adsync")*
     6. Create the AD FS service account (ADFSSVC) in AWS Microsoft AD using AD Users and Computers
     7. Set up the Office 365 account
     8. Set up the Azure AD domain
     *Can be the same instance
  11. Prerequisites You Must Create
     • Virtual Private Cloud (VPC)
     • Two subnets in different AZs (10.0.2.0/24 and 10.0.3.0/24 in the diagram)
     • Optional on-premises link: Virtual Private Network (VPN) or Amazon Direct Connect to the on-premises data center
     http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
  12. During Creation AWS Creates
     • One AWS Security Group
     • 2 DCs with Dynamic DNS (one AWS Managed Microsoft AD DC per AZ)
     • Elastic Network Interfaces in your subnets
     http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
  13. Best Practice After Creation You Create
     • DHCP Option Set
     • AWS Security Group
     • IAM Role/Policy for EC2 (AmazonEC2RoleforSSM)
     • Key-pair (PEM) file
     • EC2 Windows instance (install AD Administration Tools)
     http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
  14. AWS/Customer Permissions Model
     • AWS is the domain administrator (domain "administrator")
     • AWS creates an OU for the customer (OU "admin") and delegates "admin" permissions within it to the customer
  15. Enable Office 365
     1. Create the AD FS required container in AWS Microsoft AD
     [Diagram: domain awsexample.com with EC2 instances management (AD Administration Tools), adfsserver (AD FS Server, Windows Server 2016) and adsync (Azure AD Connect), plus Azure AD and Office 365]
  16. Create the AD FS Container: generate and save a globally unique identifier (GUID) to use. Work from the AD Admin Tools instance (subnet 10.0.2.0/24), logged in as <yourdomain>\admin against the AWS Managed Microsoft AD DC.
  17. Create the AD FS Container (continued): create a parent container named ADFS and a child container with the name of your GUID
  18. Verify Your Containers
  19. Enable Office 365
     1. Create the AD FS required container in AWS Microsoft AD
     2. Install AD FS on EC2 Windows Server 2016 (requires AD FS 2016)
  20. Install AD FS: Add the AD FS Feature (on the AD FS Server in 10.0.2.0/24, logged in as <yourdomain>\admin)
  21. Install AD FS: Install SSL Certificate. Use Microsoft Enterprise Certificate Authority (see https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/) and import using Microsoft Management Console (MMC)
  22. Install AD FS: Add Certificate MMC
  23. Install AD FS: Import Certificate for AD FS
  24. Install AD FS: Get the Cert Thumbprint
  25. Install AD FS: Set $adminConfig (uses the GUID of the AD FS container)
  26. Install AD FS: Get ADFSSVC User Creds
  27. Install AD FS: Get Your OU Admin Creds
  28. Install AD FS: Install AD FS Server
  29. Install AD FS: Publish DNS A Record. Obtain your AD FS EC2 instance public IP address (AWS EC2 dashboard), then log in to your DNS hosting provider to add the record:
     Hostname: sts.awsexample.com
     Record Type: A
     IP Address: 34.215.72.57
  30. Install AD FS: Enable AD FS Sign-in Page
  31. Enable Office 365
     1. Create the AD FS required container in AWS Microsoft AD
     2. Install AD FS on EC2 Windows Server 2016 (requires AD FS 2016)
     3. Connect Office 365 to authenticate to AD FS
  32. Integrate AD FS with Azure AD: from your AD FS instance, as admin, connect to Azure AD using Windows PowerShell
     https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0
  33. Integrate AD FS with Azure AD (continued)
     Set the context to the AD FS server using the internal FQDN:
       Set-MsolADFSContext -Computer adfsserver.awsexample.com
     Convert Azure AD to use adfsserver for federated authentication to your AD domain:
       Convert-MsolDomainToFederated -DomainName awsexample.com
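The container creation, AD FS installation and Azure AD federation steps of slides 16 to 33 as one PowerShell sequence. This is an added example, not the deck's or AWS's own script; it assumes the domain awsexample.com, a delegated customer OU named OU=awsexample (AWS Microsoft AD names this OU after the directory's NetBIOS name, so confirm yours), the AD FS host adfsserver published as sts.awsexample.com, and the ADFSSVC service account. The DKMContainerDn key in Install-AdfsFarm's AdminConfiguration hashtable is Microsoft's supported way to install AD FS with delegated (non domain admin) permissions, which is why the GUID-named container is needed.

```powershell
# Added example: run on the AD FS EC2 instance as the AWS Microsoft AD delegated admin.
# Assumed values (not from the deck): OU=awsexample, sts.awsexample.com, ADFSSVC.
$domainFqdn = 'awsexample.com'
$domainDn   = 'DC=awsexample,DC=com'
$customerOu = "OU=awsexample,$domainDn"   # assumption: check with Get-ADOrganizationalUnit -Filter *

# Step 1 (slides 16-18): parent container "ADFS" and a child container named with a fresh GUID.
# AWS Microsoft AD does not grant write access to the default AD FS DKM location under
# CN=Program Data, so AD FS is pointed at this delegated container instead.
$guid         = [guid]::NewGuid().Guid
$adfsParent   = New-ADObject -Name 'ADFS' -Type container -Path $customerOu -PassThru
$dkmContainer = New-ADObject -Name $guid  -Type container -Path $adfsParent.DistinguishedName -PassThru

# Verify both containers exist before installing AD FS (slide 18).
Get-ADObject -Identity $dkmContainer.DistinguishedName | Select-Object Name, DistinguishedName

# Step 2 (slides 24-28): thumbprint of the SSL certificate imported from the enterprise CA,
# the ADFSSVC service account credential, and the OU admin credential used for the install.
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.Subject -like "*sts.$domainFqdn*" } |
               Select-Object -First 1).Thumbprint
$svcCred    = Get-Credential -Message 'AD FS service account, e.g. awsexample\ADFSSVC'
$adminCred  = Get-Credential -Message 'AWS Microsoft AD delegated admin, e.g. awsexample\admin'

# $adminConfig tells AD FS to keep its DKM keys in the GUID container (slide 25).
$adminConfig = @{ 'DKMContainerDn' = $dkmContainer.DistinguishedName }

Install-AdfsFarm -CertificateThumbprint   $thumbprint `
                 -FederationServiceName   "sts.$domainFqdn" `
                 -ServiceAccountCredential $svcCred `
                 -Credential              $adminCred `
                 -AdminConfiguration      $adminConfig

# Step 3 (slides 32-33): federate the Azure AD domain with this AD FS farm (MSOnline module).
Connect-MsolService                                   # prompts for the Office 365 global admin
Set-MsolADFSContext -Computer "adfsserver.$domainFqdn"
Convert-MsolDomainToFederated -DomainName $domainFqdn

# Check: issuer URI and passive log-on URL should now reference sts.awsexample.com.
Get-MsolDomainFederationSettings -DomainName $domainFqdn | Select-Object IssuerUri, PassiveLogOnUri
```

The final Get-MsolDomainFederationSettings check should be repeated whenever the AD FS certificate is rotated, since a stale token-signing certificate in Azure AD is the usual cause of federated log-ins suddenly failing.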
  34. Enable Office 365
     1. Create the AD FS required container in AWS Microsoft AD
     2. Install AD FS on EC2 Windows Server 2016 (requires AD FS 2016)
     3. Connect Office 365 to authenticate to AD FS
     4. Install Azure AD Connect on EC2 Windows and configure it to synchronize usernames only to Azure AD
  35. Synchronize Users to Azure AD (Azure AD Connect instance in 10.0.2.0/24 against the AWS Managed Microsoft AD DC)
     • Download the Azure AD Connect MSI and install with Custom settings
     • On the Connect Directories page choose Active Directory as the directory type and choose your Microsoft AD forest as the Forest
     • Enter your AWS Microsoft AD admin credentials
  36. Select User Container to Synchronize
  37. Enable Office 365
     1. Create the AD FS required container in AWS Microsoft AD
     2. Install AD FS on EC2 Windows Server 2016 (requires AD FS 2016)
     3. Connect Office 365 to authenticate to AD FS
     4. Install Azure AD Connect on EC2 Windows and configure it to synchronize usernames only to Azure AD
     5. Log in to Office 365 with AWS Microsoft AD user credentials
  38. Assign Office 365 License and Log In
     • https://portal.office.com/adminportal/home#/homepage (use the global administrator account)
     • https://portal.office.com (use AD credentials for a licensed user)
  39. References: Documentation and Blog Posts
     • How to Enable Your Users to Access Office 365 with DS for Microsoft Active Directory Credentials: https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
     • How to set up AWS Microsoft AD and join an EC2 instance for administration: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
     • How to Enable LDAPS for Your Microsoft AD Directory (setting up a Microsoft enterprise Certificate Authority): https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/
     • AWS Directory Service: https://aws.amazon.com/directoryservice/
     • AWS Directory Service Documentation: https://aws.amazon.com/documentation/directory-service/
  40. Thank you!
