Azure AD Connect
Get your Hybrid Identity in four steps!
Ronny de Jong, Consultant & MVP | Inovativ, @ronnydejong
Agenda
• Making Hybrid Identity Simple
• More topologies, more scenarios
• Walk through Express & Custom Setup
• Monitor your Hybrid Identity
Making Hybrid Identity Simple? - Today

[Diagram: "Identity as the control plane". Labels: Self-service; Single sign on; username and password; Simple connection; Cloud: SaaS, Azure, Office 365, Public cloud, Other Directories; On-premises: Windows Server Active Directory; Microsoft Azure Active Directory]
Going beyond on-premises

IDC predicts that 70 percent of organizations will embrace a cloud-first strategy by 2016, getting there on their own pace over a number of years, with many living in a hybrid environment for quite some time. That flexibility—living in both worlds—even with a cloud-first strategy, is nonnegotiable.[1]

[1] Source: IDC CIO Agenda Webinar, 2013.
Making hybrid identity simple!
Azure Active Directory Connect: consolidated deployment assistant for your identity bridge components

Which tools are supported?
• DirSync – supported, available in the Office 365 portal
  • There is no announcement of deprecation yet.
  • Once that announcement occurs, at least 1 year of support remains.
• Azure AD Sync – supported.
  • Guide new deployments to Azure AD Connect.
• Azure AD Connect is GA – available in the Azure AD Portal. New deployments should use this!

Upgrade from DirSync & Azure AD Sync
• DirSync (<50k objects)
  • In-place migration of all supported custom configurations.
  • Will not migrate unsupported configurations (such as removed attribute flows).

Upgrade from DirSync & Azure AD Sync cont’d
• DirSync (>50k objects)
  • Side-by-side deployment. Export the DirSync configuration and import it in Azure AD Connect.
  • On the DirSync box, the wizard prompts you to export a config file.
  • On the new box, at a command prompt run AzureADConnect.exe /migrate and specify the config file.
  • Once the full import and full sync complete, uninstall DirSync on the old box; on the new box run the wizard a second time to turn off staging mode.
• Azure AD Sync
  • In-place upgrade.
Making Hybrid Identity Simple
Azure AD Connect with Express Settings
• Use one tool instead of many
• Get up and running quickly (4 clicks)
• Start here, then scale up or add options
• Custom options to address more complex scenarios

Demo: Express Setup
More topologies, more scenarios

Custom settings allow more advanced options
• Multi-forest topologies
• Use a full SQL Server edition for sync
• Deploy a pilot using just a few users in a group
• Don’t start sync right away (‘staging mode’)
• Sign on using federation
• Azure AD Premium features (write back passwords, users, groups, and devices from the cloud)
• Sync custom directory attributes to the cloud

Make sure you do first
• For all scenarios (Express Settings or Custom)
  • Office 365 or Azure AD subscription – a free trial is OK
  • For custom Azure AD domains, configure your public DNS records
  • AD users have UPNs (IDFix)
• Just for AD FS
  • The SSL certificate is trusted on all AD FS and WAP hosts (use a certificate based on a key pair generated by a legacy Cryptographic Service Provider (CSP); certificates with a CNG private key are not supported).
  • Enable WinRM on all remote targets
  • The federation service name resolves
• For write-back scenarios
  • Azure AD Premium; prepare Active Directory

Choosing Password Sync or AD FS for Sign On
• Choose Password sync for the most common deployment needs
• Federation with AD FS is an option for customers that have more unique needs:
  • You already have AD FS or a 3rd party federation provider
  • Security policy prohibits password hashes being sync’d to the cloud
  • You require desktop SSO from domain-joined machines on the corporate network
  • You require some specific capabilities AD FS has:
    1. on-premises multi-factor authentication or smart card support for sign on
    2. soft account lockout or AD work hours policy
    3. conditional access for both on-premises and cloud resources

Sign-in – password sync
• Synchronizes a hash of the password hash
  • The actual password never leaves on-premises and is not known by Azure AD
• When enabled, on-premises password policies apply
  • Password complexity policy
  • Password expiration policy
• Protects the password against pass-the-hash attacks
  • The synchronized value cannot be used to access any on-premises resources
• Can be used as a backup for federation
  • If password hashes are present in Azure AD, allows for a quick fail-over
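The "hash of the password hash" on this slide, modelled in Python as an added example that is not Azure AD Connect's own code: it shows why the synced value is neither the on-premises NT hash nor a credential for on-premises resources, while the cloud side can still verify a sign-in. Assumptions: the NT hash is MD4 over the UTF-16LE password (standard); the hex expansion, 10-byte per-user salt, PBKDF2-HMAC-SHA256 and 1000 iterations follow Microsoft's public description of password hash sync, and the exact byte layout is simplified.

```python
"""Model of password hash sync (PHS): on-premises AD stores the NT hash (MD4 over
the UTF-16LE password), the value NTLM pass-the-hash abuses.  PHS never sends that
value; it sends PBKDF2-HMAC-SHA256(expanded NT hash, per-user salt, 1000 rounds),
which lets Azure AD verify a cloud sign-in but is useless against on-premises AD.
Parameters follow Microsoft's public PHS description (assumption; not from the deck)."""
import hashlib
import hmac
import os
import struct
from typing import Any, Dict, Optional

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on most modern builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _MASK

    msg = bytearray(data) + b"\x80"                      # 1 bit, then zero padding
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, message-word order, shift amounts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored in on-premises AD: MD4 of the UTF-16LE password."""
    return _md4(password.encode("utf-16-le"))


def phs_protect(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Hash of the hash: expand the 16-byte NT hash to its 32-char hex form in
    UTF-16LE (64 bytes), then PBKDF2-HMAC-SHA256 with the per-user salt."""
    expanded = nt.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_record(password: str, salt: Optional[bytes] = None, iterations: int = 1000) -> Dict[str, Any]:
    """What the sync agent transmits for one user: protected hash, salt and iteration
    count.  The clear-text password and the raw NT hash never leave this function."""
    salt = os.urandom(10) if salt is None else salt
    return {"hash": phs_protect(nt_hash(password), salt, iterations),
            "salt": salt, "iterations": iterations}


def cloud_verify(record: Dict[str, Any], candidate: str) -> bool:
    """Cloud-side sign-in check: run the candidate through the same pipeline and
    compare in constant time.  Nothing here can reproduce the NT hash from the record."""
    recomputed = phs_protect(nt_hash(candidate), record["salt"], record["iterations"])
    return hmac.compare_digest(recomputed, record["hash"])


if __name__ == "__main__":
    rec = sync_record("password")                        # constructed sample credential
    print("NT hash (never synced):", nt_hash("password").hex())
    print("synced value          :", rec["hash"].hex())
    print("cloud sign-in ok      :", cloud_verify(rec, "password"))
```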
Common multi-forest topologies
• Separate forests: each object in every forest will be represented in Azure AD.
• Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
• Account-Resource forests: one or many Account forests with enabled accounts and one Resource forest with disabled accounts. Joined on objectSID and msExchMasterAccountSID.

Filter users and devices based on group
• Intended to make it easy to pilot and evaluate Azure AD and Office 365
• In from AD for User, Group, and Contact -> sets cloudFiltered to TRUE if NOT in the group
• When you add/remove users from the group -> they are added/removed in AAD
• Only objects which are direct members of the group will be present in Azure AD
• Remove the filter when ready to ‘go live’
  • 2nd pass Wizard option under Customize Synchronization Options

Optional Features – Write-back
• Password write-back
  • Change and set a password in Azure AD and have the password policy verified with on-premises Windows Server Active Directory.
• User write-back
  • A user created in Azure AD is created in on-premises AD.

Optional Features – Write-back cont’d
• Group write-back
  • “Groups in Office 365” will be written back to your on-premises Exchange forest (you need Exchange 2013 CU8 or later)
  • These groups are mastered in Azure AD
  • Does not support security groups or distribution groups
• Device write-back
  • Requires the Windows Server 2012 R2 AD schema; create the configuration object and container

Optional Features – Directory Extensions
• Bring your own AD attributes to Azure AD
  • Attributes defined on users and groups
  • Single-valued attributes only
  • Integer, LargeInteger, DateTime, Binary, Boolean, String
• Limit of 100 extension values written to a single object
• Limit of 256 characters per string extension value
• Limit of 256 bytes per binary extension value

Staging mode
• An active sync server which is not exporting
  • Includes password sync and password write-back
• Moving from one server (e.g. DirSync) to another
• Warm stand-by for rapid disaster recovery
• Also used for FIM + Azure AD Connector to Azure AD Connect migration

Second Pass – Run the wizard a 2nd time
• Change sync options
  • Remove the group filter
  • Enable/disable staging mode
  • Enable/disable write-backs
• Add additional domains and forests
  • Forests for sync
  • Domains for federation

Demo: Custom Setup – Enable Federation

Common questions
• Multiple Azure AD Connect to the same tenant
  • Sync: not supported – use the same Azure AD Connect instance for multiple (untrusted) forests.
  • AD FS: deploy separate farms for untrusted forests, supported
• Same Azure AD Connect to multiple tenants
  • Not officially supported for sync – previously there was a ‘side-by-side’ workaround for DirSync

Licensing
• Included in the Azure AD/Office 365 license:
  • The installation wizard
  • Synchronize from on-premises to Azure AD regardless of source directory
  • Write-back for Exchange hybrid deployment
• Requires Azure AD Premium:
  • Write-back (password, user, group, …)
• Additional licenses required for:
  • SQL Server if needed

Export Deletion Threshold
• Accidental delete prevention
  • On by default
  • Cannot export more than 500 deletes (default)
• Can be configured with:
  • Enable-ADSyncExportDeletionThreshold
  • Disable-ADSyncExportDeletionThreshold
• Configuration stored in Azure AD
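An added example (not Azure AD Connect's own code) that models, in Python, the multi-forest join rules, the group-based pilot filter and the export deletion threshold from the slides above, with a constructed account forest and resource forest as input. Assumptions: source objects are plain dicts, the pilot group is given as the set of its direct-member DNs, and the threshold is modelled as a simple count of pending deletes.

```python
"""Model of three sync-engine decisions from the slides: join rules per multi-forest
topology, cloudFiltered for a pilot group (direct members only) and the export
deletion threshold that refuses a mass delete.  Not Azure AD Connect's own code."""
from typing import Any, Dict, List, Optional, Set

Obj = Dict[str, Any]


def join_key(o: Obj, topology: str) -> str:
    """Metaverse join key for one source object under the chosen topology."""
    if topology == "galsync" and o.get("objectClass") in ("user", "contact") and o.get("mail"):
        return "mail:" + str(o["mail"]).lower()          # users and contacts join on mail
    if topology == "account-resource":
        if o.get("enabled") and o.get("objectSID"):
            return "sid:" + o["objectSID"]               # enabled account in an account forest
        if not o.get("enabled") and o.get("msExchMasterAccountSID"):
            return "sid:" + o["msExchMasterAccountSID"]  # disabled account in the resource forest
    # 'separate forests', or no usable join attribute: one Azure AD object per source object
    return "dn:" + o["forest"] + "/" + o["dn"]


def build_metaverse(objects: List[Obj], topology: str) -> Dict[str, List[Obj]]:
    """Group source objects into metaverse entries; each entry becomes one Azure AD object."""
    mv: Dict[str, List[Obj]] = {}
    for o in objects:
        mv.setdefault(join_key(o, topology), []).append(o)
    return mv


def cloud_filtered(mv: Dict[str, List[Obj]], pilot_members: Optional[Set[str]]) -> Dict[str, bool]:
    """cloudFiltered = TRUE unless a joined source object is a DIRECT member of the pilot
    group (nested membership is not expanded).  None means the filter was removed."""
    if pilot_members is None:
        return {key: False for key in mv}
    return {key: not any(s["dn"] in pilot_members for s in sources) for key, sources in mv.items()}


def plan_export(filtered: Dict[str, bool], cloud: Set[str], threshold: Optional[int] = 500) -> Dict[str, Any]:
    """Adds = wanted but not in the cloud; deletes = in the cloud but no longer wanted.
    The export is refused when deletes exceed the threshold (None = threshold disabled)."""
    wanted = {key for key, flag in filtered.items() if not flag}
    adds, deletes = sorted(wanted - cloud), sorted(cloud - wanted)
    blocked = threshold is not None and len(deletes) > threshold
    return {"adds": adds, "deletes": deletes, "exported": not blocked,
            "reason": f"{len(deletes)} deletes exceed threshold {threshold}" if blocked else ""}


# Constructed sample: an account forest plus a resource forest holding disabled mailbox accounts.
SAMPLE_OBJECTS: List[Obj] = [
    {"forest": "corp.example", "dn": "CN=alice,OU=Users,DC=corp", "objectClass": "user",
     "enabled": True, "objectSID": "S-1-5-21-1-1001", "mail": "alice@example.com"},
    {"forest": "corp.example", "dn": "CN=bob,OU=Users,DC=corp", "objectClass": "user",
     "enabled": True, "objectSID": "S-1-5-21-1-1002", "mail": "bob@example.com"},
    {"forest": "exch.example", "dn": "CN=alice,OU=Mailboxes,DC=exch", "objectClass": "user",
     "enabled": False, "objectSID": "S-1-5-21-2-2001", "msExchMasterAccountSID": "S-1-5-21-1-1001",
     "mail": "alice@example.com"},
]
PILOT_GROUP_DIRECT_MEMBERS = {"CN=alice,OU=Users,DC=corp"}   # bob is only in a nested group


def run_pilot(objects: List[Obj], pilot: Optional[Set[str]], cloud: Set[str],
              threshold: Optional[int] = 500) -> Dict[str, Any]:
    """One inbound -> filter -> export cycle for the account-resource topology."""
    mv = build_metaverse(objects, "account-resource")
    return plan_export(cloud_filtered(mv, pilot), cloud, threshold)


if __name__ == "__main__":
    first = run_pilot(SAMPLE_OBJECTS, PILOT_GROUP_DIRECT_MEMBERS, set())
    print("pilot export  :", first)                    # only alice, as one joined object
    live = run_pilot(SAMPLE_OBJECTS, None, set(first["adds"]))
    print("go-live export:", live)                     # bob is added once the filter is removed
    wiped = run_pilot([], None, set(first["adds"]) | set(live["adds"]), threshold=0)
    print("empty inbound :", wiped["reason"])          # the threshold refuses the mass delete
```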
Monitor Your Hybrid Identity!

Azure AD Connect Health
• Monitor the AD FS service for reliable & highly available authentication
• Email notification for critical alerts
• Analyze AD FS logins for usage & capacity planning based on app, authentication, network location & failures
• Perform forensic analysis on top users with bad passwords
• Troubleshoot with easy access to critical performance counters

How does it work?
• Download & install the agent on all AD FS/proxy servers
• The health agent runs locally on the server & collects data and performs configuration checks
• Includes synthetic transactions
• The health agent pushes data to the health service
• Requires certain URLs in the MSFT cloud to be accessible from the AD FS or proxy servers
• The health service processes data to generate alerts, trends & reports
• The Azure portal provides a view of the reports

[Diagram: AD FS / AD FS Proxy / WAP servers -> Microsoft Azure AD Connect Health -> View Alerts, Reports and Login trends]

Demo: Azure AD Connect Health

Session Objectives And Takeaways
• Session Objective(s):
  • Understand the default configurations the wizard creates
  • Understand what can be done with the wizard and what requires additional config
• Azure AD Connect is the (sync+authn) tool going forward for connecting on-premises directories to Azure AD / O365
Q & A Time...

Next Session 14:30 – 15:30: "Azure Automation – Introduction", Jakob Gottlieb Svendsen

Thanks To All Our Sponsors

We Need Your Feedback
• SCU Europe session planner: planning.systemcenteruniverse.ch
• SCU Europe WP app
• Watch out for a survey invitation after the conference

More Related Content

What's hot

Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active DirectoryKrunal Trivedi
 
Certifications for Azure Developers
Certifications for Azure DevelopersCertifications for Azure Developers
Certifications for Azure DevelopersKrunal Trivedi
 
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-OnEWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-OnPeter Selch Dahl
 
Azure Active Directory
Azure Active DirectoryAzure Active Directory
Azure Active DirectorySovelto
 
Introduction to Azure IaaS
Introduction to Azure IaaSIntroduction to Azure IaaS
Introduction to Azure IaaSRobert Crane
 
Identity and o365 on Azure
Identity and o365 on AzureIdentity and o365 on Azure
Identity and o365 on AzureMostafa
 
Azure active directory
Azure active directoryAzure active directory
Azure active directoryRaju Kumar
 
Azure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage OverviewAzure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage OverviewAzure Riyadh User Group
 
Microsoft Azure ad in 10 slides
Microsoft Azure ad in 10 slidesMicrosoft Azure ad in 10 slides
Microsoft Azure ad in 10 slidesAndre Debilloez
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Kris Wagner
 
Introduction to Microsoft Azure
Introduction to Microsoft AzureIntroduction to Microsoft Azure
Introduction to Microsoft AzureKasun Kodagoda
 
Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...
Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...
Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...Nordic Infrastructure Conference
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft CloudEuropean Collaboration Summit
 
Azure AD and Office 365 - Deja Vu All Over Again
Azure AD and Office 365 - Deja Vu All Over AgainAzure AD and Office 365 - Deja Vu All Over Again
Azure AD and Office 365 - Deja Vu All Over AgainSean Deuby
 
Innovation morning agenda+azure arc
Innovation morning agenda+azure arcInnovation morning agenda+azure arc
Innovation morning agenda+azure arcClaudia Angelelli
 
O365Con18 - Running SharePoint on Azure Tips - Jared Shockley
O365Con18 -  Running SharePoint on Azure Tips - Jared ShockleyO365Con18 -  Running SharePoint on Azure Tips - Jared Shockley
O365Con18 - Running SharePoint on Azure Tips - Jared ShockleyNCCOMMS
 

What's hot (20)

Azure AD Connect
Azure AD ConnectAzure AD Connect
Azure AD Connect
 
ADFS + IAM
ADFS + IAMADFS + IAM
ADFS + IAM
 
Understanding Azure AD
Understanding Azure ADUnderstanding Azure AD
Understanding Azure AD
 
Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active Directory
 
Certifications for Azure Developers
Certifications for Azure DevelopersCertifications for Azure Developers
Certifications for Azure Developers
 
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-OnEWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
 
Azure Active Directory
Azure Active DirectoryAzure Active Directory
Azure Active Directory
 
Introduction to Azure IaaS
Introduction to Azure IaaSIntroduction to Azure IaaS
Introduction to Azure IaaS
 
Identity and o365 on Azure
Identity and o365 on AzureIdentity and o365 on Azure
Identity and o365 on Azure
 
Azure active directory
Azure active directoryAzure active directory
Azure active directory
 
Azure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage OverviewAzure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage Overview
 
Microsoft Azure ad in 10 slides
Microsoft Azure ad in 10 slidesMicrosoft Azure ad in 10 slides
Microsoft Azure ad in 10 slides
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365
 
Introduction to Microsoft Azure
Introduction to Microsoft AzureIntroduction to Microsoft Azure
Introduction to Microsoft Azure
 
Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...
Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...
Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with ...
 
AAD with MVC App
AAD with MVC AppAAD with MVC App
AAD with MVC App
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
 
Azure AD and Office 365 - Deja Vu All Over Again
Azure AD and Office 365 - Deja Vu All Over AgainAzure AD and Office 365 - Deja Vu All Over Again
Azure AD and Office 365 - Deja Vu All Over Again
 
Innovation morning agenda+azure arc
Innovation morning agenda+azure arcInnovation morning agenda+azure arc
Innovation morning agenda+azure arc
 
O365Con18 - Running SharePoint on Azure Tips - Jared Shockley
O365Con18 -  Running SharePoint on Azure Tips - Jared ShockleyO365Con18 -  Running SharePoint on Azure Tips - Jared Shockley
O365Con18 - Running SharePoint on Azure Tips - Jared Shockley
 

Viewers also liked

Premier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure ADPremier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure ADuberbaum
 
3. godina question tags
3. godina   question tags3. godina   question tags
3. godina question tagsShah Khan
 
Office 365 – SharePoint 2013 onprem hybrid
Office 365 – SharePoint 2013 onprem hybridOffice 365 – SharePoint 2013 onprem hybrid
Office 365 – SharePoint 2013 onprem hybridArild Aarnes
 
Webinar Azure - Dia 04
Webinar Azure - Dia 04Webinar Azure - Dia 04
Webinar Azure - Dia 04Alvaro Rezende
 
Microsoft Azure webcast - MSP Egypt
Microsoft Azure webcast -  MSP EgyptMicrosoft Azure webcast -  MSP Egypt
Microsoft Azure webcast - MSP EgyptAhmed M. Abo Tameem
 
Azure AD Connect - Office365 Day
Azure AD Connect - Office365 DayAzure AD Connect - Office365 Day
Azure AD Connect - Office365 DayAlvaro Rezende
 
Office 365 in a hybrid world
Office 365 in a hybrid worldOffice 365 in a hybrid world
Office 365 in a hybrid worldatwork
 
Subsistemas de la seguridad social
Subsistemas de la seguridad socialSubsistemas de la seguridad social
Subsistemas de la seguridad socialMariaJose Diaz
 
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...Scott Hoag
 
WSO2 Identity Server
WSO2 Identity Server WSO2 Identity Server
WSO2 Identity Server WSO2
 
Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.
Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.
Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.Pedro Roberto Casanova
 

Viewers also liked (17)

Azure AD with Office 365 and Beyond!
Azure AD with Office 365 and Beyond!Azure AD with Office 365 and Beyond!
Azure AD with Office 365 and Beyond!
 
Premier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure ADPremier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure AD
 
MiA+BEST_ Brugge_mobility
MiA+BEST_ Brugge_mobilityMiA+BEST_ Brugge_mobility
MiA+BEST_ Brugge_mobility
 
Resume 2016
Resume 2016Resume 2016
Resume 2016
 
3. godina question tags
3. godina   question tags3. godina   question tags
3. godina question tags
 
Office 365 – SharePoint 2013 onprem hybrid
Office 365 – SharePoint 2013 onprem hybridOffice 365 – SharePoint 2013 onprem hybrid
Office 365 – SharePoint 2013 onprem hybrid
 
Io sy.stemppt
Io sy.stempptIo sy.stemppt
Io sy.stemppt
 
Webinar Azure - Dia 04
Webinar Azure - Dia 04Webinar Azure - Dia 04
Webinar Azure - Dia 04
 
Microsoft Azure webcast - MSP Egypt
Microsoft Azure webcast -  MSP EgyptMicrosoft Azure webcast -  MSP Egypt
Microsoft Azure webcast - MSP Egypt
 
4share step5
4share step54share step5
4share step5
 
Azure AD Connect - Office365 Day
Azure AD Connect - Office365 DayAzure AD Connect - Office365 Day
Azure AD Connect - Office365 Day
 
Office 365 in a hybrid world
Office 365 in a hybrid worldOffice 365 in a hybrid world
Office 365 in a hybrid world
 
Subsistemas de la seguridad social
Subsistemas de la seguridad socialSubsistemas de la seguridad social
Subsistemas de la seguridad social
 
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
March Sydney Office 365 Meetup - Office 365 and Hybrid Solutions... what work...
 
WSO2 Identity Server
WSO2 Identity Server WSO2 Identity Server
WSO2 Identity Server
 
Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.
Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.
Resolución 311/16 CFE, Comunicación conjunta 1/17 y Documento Apoyo 1/17.
 
Office 365: Do’s and Don’ts, Lessons learned from the field
Office 365: Do’s and Don’ts, Lessons learned from the fieldOffice 365: Do’s and Don’ts, Lessons learned from the field
Office 365: Do’s and Don’ts, Lessons learned from the field
 

Similar to Get your Hybrid Identity in 4 steps with Azure AD Connect

CoLabora - Identity in a World of Cloud - June 2015
CoLabora - Identity in a World of Cloud - June 2015CoLabora - Identity in a World of Cloud - June 2015
CoLabora - Identity in a World of Cloud - June 2015CoLaboraDK
 
Office 365 Identity Management - SMBNation 2015
Office 365 Identity Management - SMBNation 2015Office 365 Identity Management - SMBNation 2015
Office 365 Identity Management - SMBNation 2015Robert Crane
 
SPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep DiveSPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep DiveMichael Noel
 
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018Michael Noel
 
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 MelbourneAzure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 MelbourneMichael Noel
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure  Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Jethro Seghers
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure  Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Jethro Seghers
 
Azure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKAzure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKPeter Selch Dahl
 
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018Max Fritz
 
O365Con18 - Azure AD Connect Inside and Out - Sander Berkouwer
O365Con18 - Azure AD Connect Inside and Out - Sander BerkouwerO365Con18 - Azure AD Connect Inside and Out - Sander Berkouwer
O365Con18 - Azure AD Connect Inside and Out - Sander BerkouwerNCCOMMS
 
Análisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la informaciónAnálisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la informaciónPlain Concepts
 
O365-AzureAD Identity management
O365-AzureAD Identity managementO365-AzureAD Identity management
O365-AzureAD Identity managementDavid Pechon
 
Understanding Cloud Identities - SMBNation 2015
Understanding Cloud Identities - SMBNation 2015Understanding Cloud Identities - SMBNation 2015
Understanding Cloud Identities - SMBNation 2015Robert Crane
 
Cloud Identity and Access Management
Cloud Identity and Access ManagementCloud Identity and Access Management
Cloud Identity and Access ManagementJarek Sokolnicki
 
Identity Management for Office 365 and Microsoft Azure
Identity Management for Office 365 and Microsoft AzureIdentity Management for Office 365 and Microsoft Azure
Identity Management for Office 365 and Microsoft AzureSparkhound Inc.
 
Azure Day 1.pptx
Azure Day 1.pptxAzure Day 1.pptx
Azure Day 1.pptxmasbulosoke
 
Understanding Azure AD Webinar Presentation
Understanding Azure AD Webinar PresentationUnderstanding Azure AD Webinar Presentation
Understanding Azure AD Webinar PresentationNew Horizons Ireland
 
20160400 Technet- Hybrid identity and access management with Azure AD Premium
20160400 Technet- Hybrid identity and access management with Azure AD Premium20160400 Technet- Hybrid identity and access management with Azure AD Premium
20160400 Technet- Hybrid identity and access management with Azure AD PremiumRobin Vermeirsch
 

Similar to Get your Hybrid Identity in 4 steps with Azure AD Connect (20)

CoLabora - Identity in a World of Cloud - June 2015
CoLabora - Identity in a World of Cloud - June 2015CoLabora - Identity in a World of Cloud - June 2015
CoLabora - Identity in a World of Cloud - June 2015
 
Office 365 Identity Management - SMBNation 2015
Office 365 Identity Management - SMBNation 2015Office 365 Identity Management - SMBNation 2015
Office 365 Identity Management - SMBNation 2015
 
SPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep DiveSPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
 
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
 
[Noel] Azure AD Connect Technical Deep Dive
[Noel] Azure AD Connect Technical Deep Dive[Noel] Azure AD Connect Technical Deep Dive
[Noel] Azure AD Connect Technical Deep Dive
 
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 MelbourneAzure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure  Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure  Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure
 
Securing your Azure Identity Infrastructure
Securing your Azure Identity InfrastructureSecuring your Azure Identity Infrastructure
Securing your Azure Identity Infrastructure
 
Azure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKAzure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDK
 
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018Hitchhiker's Guide to Azure AD - SPS St Louis 2018
Hitchhiker's Guide to Azure AD - SPS St Louis 2018
 
O365Con18 - Azure AD Connect Inside and Out - Sander Berkouwer
O365Con18 - Azure AD Connect Inside and Out - Sander BerkouwerO365Con18 - Azure AD Connect Inside and Out - Sander Berkouwer
O365Con18 - Azure AD Connect Inside and Out - Sander Berkouwer
 
Análisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la informaciónAnálisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la información
 
O365-AzureAD Identity management
O365-AzureAD Identity managementO365-AzureAD Identity management
O365-AzureAD Identity management
 
Understanding Cloud Identities - SMBNation 2015
Understanding Cloud Identities - SMBNation 2015Understanding Cloud Identities - SMBNation 2015
Understanding Cloud Identities - SMBNation 2015
 
Cloud Identity and Access Management
Cloud Identity and Access ManagementCloud Identity and Access Management
Cloud Identity and Access Management
 
Identity Management for Office 365 and Microsoft Azure
Identity Management for Office 365 and Microsoft AzureIdentity Management for Office 365 and Microsoft Azure
Identity Management for Office 365 and Microsoft Azure
 
Azure Day 1.pptx
Azure Day 1.pptxAzure Day 1.pptx
Azure Day 1.pptx
 
Understanding Azure AD Webinar Presentation
Understanding Azure AD Webinar PresentationUnderstanding Azure AD Webinar Presentation
Understanding Azure AD Webinar Presentation
 
20160400 Technet- Hybrid identity and access management with Azure AD Premium
20160400 Technet- Hybrid identity and access management with Azure AD Premium20160400 Technet- Hybrid identity and access management with Azure AD Premium
20160400 Technet- Hybrid identity and access management with Azure AD Premium
 

Get your Hybrid Identity in 4 steps with Azure AD Connect

  • 1. Azure AD Connect Get your Hybrid Identity in four steps! Ronny de Jong Consultant & MVP | Inovativ @ronnydejong
  • 2. Agenda  Making Hybrid Identity Simple  More topologies, more scenarios  Walk through Express & Custom Setup  Monitor your Hybrid Identity
  • 3. Making Hybrid Identity Simple? - Today
  • 4. Self-service Single sign on ••••••••••• Username Identity as the control plane Simple connection Cloud SaaS Azure Office 365Public cloud Other Directories Windows Server Active Directory On-premises Microsoft Azure Active Directory
  • 5. Going beyond on-premises IDC predicts that 70 percent of organizations will embrace a cloud-first strategy by 2016, getting there on their own pace over a number of years, with many living in a hybrid environment for quite some time. That flexibility— living in both worlds—even with a cloud-first strategy, is nonnegotiable.1 1 Source: IDC CIO Agenda Webinar, 2013.
  • 6. Making hybrid identity simple! Azure Active Directory Connect Consolidated deployment assistant for your identity bridge components
  • 7.  DirSync – supported, available in Office 365 portal  There is no announcement of deprecation yet.  Once that announcement occurs, at least 1 year of support remains.  Azure AD Sync – supported.  Guide new deployments to Azure AD Connect.  Azure AD Connect is GA – available in Azure AD Portal. New deployments should use this! Which tools are supported?
  • 8.  DirSync (<50k objects)  In-place migration of all supported custom configurations.  Will not migrate unsupported configurations (such as removed attribute flows). Upgrade from DirSync & Azure AD Sync
  • 9.  DirSync (>50k objects)  Side-by-side deployment. Export DirSync configuration and import in Azure AD Connect.  On DirSync box, wizard prompts you to export config file.  On new box, @ cmd prompt run AzureADConnect.exe /migrate, specify config file.  Once full import and full sync complete, uninstall dirsync on old box, on new box run wizard second time to turn off staging mode  Azure AD Sync  In-place upgrade. Upgrade from DirSync & Azure AD Sync
  • 10. Making Hybrid Identity Simple Azure AD Connect with Express Settings  Use one tool instead of many  Get up and running quickly (4 clicks)  Start here, then scale up or add options  Custom options to address more complex scenarios
  • 13.  Multi forest topologies  Use a full SQL Server edition for sync  Deploy a pilot using just a few users in a group  Don’t start sync right away (‘staging mode’)  Sign on using federation  Azure AD Premium features (write back passwords, users, groups, and devices from the cloud)  Sync custom directory attributes to the cloud Custom settings allow more advanced options
  • 14.  For all scenarios (Express Settings or Custom)  Office 365 or Azure AD subscription – free trial is OK  For custom Azure AD domains, configure your public DNS records  AD users have UPNs (IDFix)  Just for AD FS  SSL certificate is trusted on all ADFS+WAP host (Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider (CSP). Certificates with the CNG private key are not supported).  Enable WinRM on all remote targets  Federation service name resolves  For write-back scenarios  AAD Premium, prepare Active Directory Make sure you do first
  • 15.
  • 16.  Choose Password sync for the most common deployment needs  Federation with ADFS is an option for customers that have more unique needs Choosing Password Sync or AD FS for Sign On • You already have AD FS or a 3rd party federation provider • Security policy prohibits password hashes being sync’d to the cloud • You require desktop SSO from domain joined machines on the corporate network • You require some specific capabilities AD FS has 1. on premises multi-factor authentication or smart card support for sign on 2. soft account lockout or AD work hours policy 3. conditional access for both on premises and cloud resources
  • 17. Sign-in – password sync
     Synchronizes a hash of the password hash
       The actual password never leaves on-premises and is not known by Azure AD
     When enabled, on-premises password policies apply
       Password complexity policy
       Password expiration policy
     Protects password against pass the hash attacks
       Cannot be used to access any on-premises resources
     Can be used as a backup for federation
       If password hashes are present in Azure AD, allows for a quick fail-over
  • 18. Common multi-forest topologies
     Separate forests: Each object in every forest will be represented in Azure AD.
     Forests with GALSync: Users and Contacts should join on mail attribute and be represented only once.
     Account-Resource forests: One or many Account forests with enabled accounts and one Resource forest with disabled accounts. Joined on objectSID and msExchMasterAccountSID.
  • 21. Filter users and devices based on group
     Intended to make it easy to pilot and evaluate Azure AD and Office 365
     In from AD for User, Group, and Contact -> sets cloudFiltered to TRUE if NOT in group
     When you add/remove users from group -> they are added/removed in AAD
     Only objects which are direct members of the group will be present in Azure AD
     Remove the filter when ready to ‘go live’
     2nd pass Wizard option under Customize Synchronization Options
  • 23. Optional Features – Write-back
     Password write-back
       Change and set password in Azure AD and have the password policy verified with on-premises Windows Server Active Directory.
     User write-back
       A user created in Azure AD is created in on-premises AD.
  • 24. Optional Features – Write-back cont’d
     Group write-back
       “Groups in Office 365” will be written back to your on-premises Exchange forest (you need Exchange 2013 CU8 or later)
       These groups are mastered in Azure AD
       Does not support security groups or distribution groups
     Device write-back
       Requires Windows Server 2012 R2 AD schema; create configuration object and container
  • 25. Optional Features – Directory Extensions
     Bring your own AD attributes to Azure AD
       Attributes defined on users and groups
       Single-valued attributes only
       Integer, LargeInteger, DateTime, Binary, Boolean, String
     Limit of 100 extension values written to a single object
     Limit of 256 characters per string extension value
     Limit of 256 bytes per binary extension value
  • 27. Staging mode
     An active sync server which is not exporting
     Includes password sync and password write-back
     Moving from one server (e.g. DirSync) to another
     Warm stand-by for rapid disaster recovery
     Also used for FIM+Azure AD Connector to Azure AD Connect migration
  • 28. Second Pass – Run the wizard a 2nd time
     Change sync options
       Remove group filter
       Enable/disable staging mode
       Enable/disable write-backs
     Add additional domains and forests
       Forests for sync
       Domains for federation
  • 30. Common questions
     Multiple Azure AD Connect to same tenant
       Sync: not supported – use same Azure AD Connect instance for multiple (untrusted) forests.
       AD FS: deploy separate farms for untrusted forests, supported
     Same Azure AD Connect to multiple tenants
       Not officially supported for sync – previously there was a ‘side-by-side’ workaround for DirSync
  • 31. Licensing
     Included in Azure AD/Office 365 license:
       The installation wizard
       Synchronize from on-premises to Azure AD regardless of source directory
       Write-back for Exchange hybrid deployment
     Requires Azure AD Premium:
       Write-back (password, user, group, ….)
     Additional licenses required for:
       SQL Server if needed
  • 32. Export Deletion Threshold
     Accidental delete prevention
       On by default
       Cannot export more than 500 deletes (default)
     Can be configured with:
       Enable-ADSyncExportDeletionThreshold
       Disable-ADSyncExportDeletionThreshold
     Configuration stored in Azure AD
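An added example (not from the deck) of handling the threshold safely when a planned change really does delete more than 500 objects: lift it for that one sync cycle only and restore it afterwards. It uses the ADSync module installed with Azure AD Connect and assumes a build with the built-in scheduler (Get-ADSyncScheduler); $PlannedDeletes is a placeholder for the number of deletes you expect.

```powershell
# Added example (not part of the deck): never leave accidental delete prevention off.
# Assumptions: ADSync module from an Azure AD Connect build with the built-in scheduler;
# Enable-/Disable-ADSyncExportDeletionThreshold prompt for Azure AD global admin credentials.
Import-Module ADSync

function Wait-ADSyncCycle {
    # The sync cycle runs asynchronously; poll until the scheduler reports it finished
    # so the threshold is not re-enabled before the export has actually happened.
    do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

function Invoke-ExportWithPlannedDeletes {
    param([int]$PlannedDeletes, [int]$DefaultThreshold = 500)

    if ($PlannedDeletes -le $DefaultThreshold) {
        # Below the threshold: the normal delta cycle exports the deletes unhindered.
        Start-ADSyncSyncCycle -PolicyType Delta
        Wait-ADSyncCycle
        return
    }

    # Above it: the threshold would stop the export. Lift it for this cycle only.
    Write-Warning "Lifting export deletion threshold for $PlannedDeletes planned deletes."
    Disable-ADSyncExportDeletionThreshold
    try {
        Start-ADSyncSyncCycle -PolicyType Delta
        Wait-ADSyncCycle
    } finally {
        # Restore the guard even if the cycle failed; the value is stored in Azure AD,
        # so it applies to every Azure AD Connect server of the tenant.
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DefaultThreshold
    }
}

# Review the current setting before and after a planned bulk change.
Get-ADSyncExportDeletionThreshold
# Invoke-ExportWithPlannedDeletes -PlannedDeletes 1200   # placeholder count
```

Before lifting the threshold, confirm the pending deletes are the ones you expect (for example by reviewing the pending export in Synchronization Service Manager); an unexpected count is exactly the situation the default is there to catch.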
  • 33. Monitor Your Hybrid Identity!
  • 34. Azure AD Connect Health
      • Monitor ADFS service for reliable & highly available authentication
      • Email notification for critical alerts
      • Analyze ADFS logins for usage & capacity planning based on app, authentication, network location & failures
      • Perform forensic analysis on top users with bad passwords
      • Troubleshoot with easy access to critical performance counters
  • 35. How does it work?
      • Download & install agent on all ADFS/proxy servers
      • Health agent runs locally on the server & collects data and performs configuration checks
        • Includes synthetic transactions
      • Health agent pushes data to the health service
        • Requires certain URLs in MSFT cloud to be accessible from the ADFS or proxy servers
      • Health service processes data to generate alerts, trends & reports
      • Azure portal provides view to reports
     (Diagram: ADFS/ADFS Proxy/WAP Servers -> Microsoft Azure AD Connect Health -> View Alerts, Reports and Login trends)
  • 37. Session Objectives And Takeaways
     Session Objective(s):
       Understand the default configurations the wizard creates
       Understand what can be done with the wizard and what requires additional config
     Azure AD Connect is the (sync+authn) tool going forward for connecting on-premises directories to Azure AD / O365
  • 38. Q & A Time...
     Next Session 14:30 – 15:30: "Azure Automation – Introduction" – Jakob Gottlieb Svendsen
  • 39. Thanks To All Our Sponsors
  • 40. We Need Your Feedback
     SCU Europe session planner: planning.systemcenteruniverse.ch
     SCU Europe WP app
     Watch out for a survey invitation after the conference