4. Self-service Single sign on
[Slide graphic: a sign-in form (Username, password) captioned "Identity as the control plane". On-premises Windows Server Active Directory is linked by a simple connection to Microsoft Azure Active Directory, which in turn fronts cloud SaaS, Azure, Office 365, public cloud and other directories.]
5. Going beyond on-premises
IDC predicts that 70 percent of organizations will embrace a cloud-first strategy by 2016, getting there at their own pace over a number of years, with many living in a hybrid environment for quite some time. That flexibility (living in both worlds, even with a cloud-first strategy) is non-negotiable.1
1 Source: IDC CIO Agenda Webinar, 2013.
6. Making hybrid identity simple!
Azure Active Directory Connect: a consolidated deployment assistant for your identity bridge components.
7. Which tools are supported?
DirSync – supported, available in the Office 365 portal. There is no announcement of deprecation yet; once that announcement occurs, at least 1 year of support remains.
Azure AD Sync – supported. Guide new deployments to Azure AD Connect.
Azure AD Connect is GA – available in the Azure AD portal. New deployments should use this!
8. Upgrade from DirSync & Azure AD Sync
DirSync (<50k objects): in-place migration of all supported custom configurations. Will not migrate unsupported configurations (such as removed attribute flows).
9. Upgrade from DirSync & Azure AD Sync
DirSync (>50k objects): side-by-side deployment. Export the DirSync configuration and import it in Azure AD Connect.
1. On the DirSync box, the wizard prompts you to export the config file.
2. On the new box, at a command prompt run AzureADConnect.exe /migrate and specify the config file.
3. Once full import and full sync complete, uninstall DirSync on the old box, then on the new box run the wizard a second time to turn off staging mode.
Azure AD Sync: in-place upgrade.
10. Making Hybrid Identity Simple
Azure AD Connect with Express Settings:
Use one tool instead of many
Get up and running quickly (4 clicks)
Start here, then scale up or add options
Custom options to address more complex scenarios
13. Custom settings allow more advanced options
Multi-forest topologies
Use a full SQL Server edition for sync
Deploy a pilot using just a few users in a group
Don’t start sync right away (‘staging mode’)
Sign on using federation
Azure AD Premium features (write back passwords, users, groups, and devices from the cloud)
Sync custom directory attributes to the cloud
14. Make sure you do first
For all scenarios (Express Settings or Custom):
Office 365 or Azure AD subscription – a free trial is OK
For custom Azure AD domains, configure your public DNS records
AD users have UPNs (check with IDFix)
Just for AD FS:
The SSL certificate is trusted on all AD FS and WAP hosts (use a certificate based on a key pair generated by a legacy Cryptographic Service Provider (CSP); certificates with a CNG private key are not supported)
Enable WinRM on all remote targets
The federation service name resolves
For write-back scenarios:
Azure AD Premium; prepare Active Directory
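A pre-flight check for the "AD users have UPNs" prerequisite, added here as an example; it is not the deck's code and not Microsoft's IDFix tool. It lists enabled accounts whose UPN is missing, uses a suffix that is not one of your verified Azure AD domains, or contains characters Azure AD rejects. The $VerifiedDomains values and the allowed-character pattern are assumptions to adjust for your tenant; the ActiveDirectory module is the standard RSAT module.

```powershell
# Added example: pre-sync UPN readiness check (not the deck's code, not IDFix).
# Requires the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

# ASSUMPTION: replace with the domains actually verified in your Azure AD tenant.
# Accounts whose UPN suffix is not in this list (for example corp.local) will not
# get a routable sign-in name in the cloud.
$VerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')

# Characters accepted before the @ (assumption based on Azure AD's published UPN
# rules: letters, digits, and . ' - _ ! # ^ ~). Adjust to your own policy.
$LocalPartPattern = '^[A-Za-z0-9.''\-_!#^~]+$'

function Get-UpnIssue {
    # Returns a description of the first problem found, or $null if the UPN is fine.
    param(
        [AllowNull()] [AllowEmptyString()] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    if ([string]::IsNullOrWhiteSpace($UserPrincipalName)) { return 'UPN is empty' }
    $parts = $UserPrincipalName.Split('@')
    if ($parts.Count -ne 2) { return 'UPN must contain exactly one @' }
    $localPart, $suffix = $parts
    if ($localPart -notmatch $LocalPartPattern) {
        return "Local part '$localPart' contains characters Azure AD rejects"
    }
    if ($localPart.StartsWith('.') -or $localPart.EndsWith('.')) {
        return 'Local part cannot start or end with a period'
    }
    # -notcontains is case-insensitive, so CONTOSO.COM and contoso.com both match.
    if ($VerifiedDomains -notcontains $suffix) {
        return "Suffix '$suffix' is not a verified Azure AD domain"
    }
    return $null
}

# Collect enabled users and report only those that need fixing before sync.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    ForEach-Object {
        $issue = Get-UpnIssue -UserPrincipalName $_.UserPrincipalName -VerifiedDomains $VerifiedDomains
        if ($issue) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                UPN            = $_.UserPrincipalName
                Issue          = $issue
            }
        }
    }

$report | Sort-Object Issue | Format-Table -AutoSize
Write-Host "$(@($report).Count) enabled account(s) need attention before you enable sync."
```

Run it on a domain-joined admin workstation before the first sync; the suffix check is the one that usually catches the most accounts, because a non-routable suffix such as .local silently becomes a tenant.onmicrosoft.com sign-in name in the cloud.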
16. Choosing Password Sync or AD FS for Sign On
Choose Password sync for the most common deployment needs.
Federation with AD FS is an option for customers that have more unique needs:
• You already have AD FS or a 3rd party federation provider
• Security policy prohibits password hashes being synced to the cloud
• You require desktop SSO from domain-joined machines on the corporate network
• You require some specific capabilities AD FS has:
1. on-premises multi-factor authentication or smart card support for sign on
2. soft account lockout or AD work hours policy
3. conditional access for both on-premises and cloud resources
17. Sign-in – password sync
Synchronizes a hash of the password hash. The actual password never leaves on-premises and is not known by Azure AD.
When enabled, on-premises password policies apply:
Password complexity policy
Password expiration policy
Protects the password against pass-the-hash attacks
Cannot be used to access any on-premises resources
Can be used as a backup for federation: if password hashes are present in Azure AD, this allows for a quick fail-over.
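To make "a hash of the password hash" concrete, here is an added illustration; it is not code from the deck or from Azure AD Connect, but is modeled on Microsoft's public description of password hash sync: the 16-byte NT hash is expanded to its hex string, re-encoded as UTF-16LE, combined with a per-user random salt and run through PBKDF2-HMAC-SHA256 for 1,000 iterations. Those parameters come from Microsoft's documentation rather than from this deck, the NT hash used below is a constructed placeholder, and the Rfc2898DeriveBytes overload with a hash algorithm name needs .NET Framework 4.7.2 or later.

```powershell
# Added illustration of "hash of the password hash" (not Azure AD Connect code).
# Modeled on Microsoft's published description of password hash sync; the exact
# parameters are assumptions taken from that documentation, not from this deck.

function ConvertTo-CloudPasswordHash {
    # Derives the value that would be sent to Azure AD from a 16-byte NT hash.
    param(
        [Parameter(Mandatory)] [byte[]] $NtHash,   # 16-byte MD4 hash held by on-prem AD
        [byte[]] $Salt,                             # per-user salt; generated if omitted
        [int] $Iterations = 1000
    )
    if ($NtHash.Length -ne 16) { throw 'An NT hash is exactly 16 bytes' }
    if (-not $Salt) {
        $Salt = New-Object byte[] 10
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Salt)
    }
    # Step 1: expand the 16 binary bytes to a 32-character hex string, then
    # re-encode that string as UTF-16LE, giving 64 bytes of PBKDF2 input.
    $hex = ($NtHash | ForEach-Object { $_.ToString('x2') }) -join ''
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)
    # Step 2: PBKDF2 with HMAC-SHA256, salted per user, 1000 rounds, 32-byte output.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $derived = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    # What the cloud stores: the derived key plus the parameters needed to recompute it.
    [pscustomobject]@{ Hash = $derived; Salt = $Salt; Iterations = $Iterations }
}

function Test-CloudPasswordHash {
    # Recomputes the derived hash from a candidate NT hash and compares in constant time.
    param(
        [Parameter(Mandatory)] [byte[]] $NtHash,
        [Parameter(Mandatory)] $StoredRecord
    )
    $candidate = (ConvertTo-CloudPasswordHash -NtHash $NtHash -Salt $StoredRecord.Salt -Iterations $StoredRecord.Iterations).Hash
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($candidate[$i] -bxor $StoredRecord.Hash[$i]) }
    return ($diff -eq 0)
}

# CONSTRUCTED sample: a placeholder 16-byte value standing in for a real NT hash.
$sampleNtHash = [byte[]](1..16)

$record = ConvertTo-CloudPasswordHash -NtHash $sampleNtHash
'Stored in cloud: ' + (($record.Hash | ForEach-Object { $_.ToString('x2') }) -join '')
'Salt           : ' + (($record.Salt | ForEach-Object { $_.ToString('x2') }) -join '')

# The stored value differs from the NT hash and only verifies when the NT hash
# itself is presented; it is useless as an NTLM credential on-premises.
Test-CloudPasswordHash -NtHash $sampleNtHash -StoredRecord $record   # matching hash
$wrong = [byte[]]$sampleNtHash.Clone(); $wrong[0] = 0xFF
Test-CloudPasswordHash -NtHash $wrong -StoredRecord $record          # altered hash
```

The design point the slide is making falls out of the code: the cloud holds a salted, iterated derivative, so someone who obtained the stored record still lacks the NT hash needed for pass-the-hash against on-premises resources, and the salt and 1,000 rounds make recovering the original hash from the stored value expensive.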
18. Common multi-forest topologies
Separate forests: each object in every forest will be represented in Azure AD.
Forests with GALSync: users and contacts should join on the mail attribute and be represented only once.
Account-Resource forests: one or many account forests with enabled accounts and one resource forest with disabled accounts. Joined on objectSID and msExchMasterAccountSID.
21. Filter users and devices based on group
Intended to make it easy to pilot and evaluate Azure AD and Office 365.
In from AD for User, Group, and Contact -> sets cloudFiltered to TRUE if NOT in the group.
When you add/remove users from the group -> they are added/removed in AAD.
Only objects which are direct members of the group will be present in Azure AD.
Remove the filter when ready to ‘go live’: 2nd pass wizard option under Customize Synchronization Options.
23. Optional Features – Write-back
Password write-back: change and set the password in Azure AD and have the password policy verified with on-premises Windows Server Active Directory.
User write-back: a user created in Azure AD is created in on-premises AD.
24. Optional Features – Write-back cont’d
Group write-back: “Groups in Office 365” will be written back to your on-premises Exchange forest (you need Exchange 2013 CU8 or later). These groups are mastered in Azure AD. Does not support security groups or distribution groups.
Device write-back: requires the Windows Server 2012 R2 AD schema; create the configuration object and container.
25. Optional Features – Directory Extensions
Bring your own AD attributes to Azure AD:
Attributes defined on users and groups
Single-valued attributes only
Integer, LargeInteger, DateTime, Binary, Boolean, String
Limit of 100 extension values written to a single object
Limit of 256 characters per string extension value
Limit of 256 bytes per binary extension value
27. Staging mode
An active sync server which is not exporting. Includes password sync and password write-back.
Moving from one server (e.g. DirSync) to another
Warm stand-by for rapid disaster recovery
Also used for FIM+Azure AD Connector to Azure AD Connect migration
28. Second Pass – Run the wizard a 2nd time
Change sync options:
Remove group filter
Enable/disable staging mode
Enable/disable write-backs
Add additional domains and forests:
Forests for sync
Domains for federation
30. Common questions
Multiple Azure AD Connect to the same tenant: sync is not supported; use the same Azure AD Connect instance for multiple (untrusted) forests. AD FS: deploying separate farms for untrusted forests is supported.
Same Azure AD Connect to multiple tenants: not officially supported for sync; previously there was a ‘side-by-side’ workaround for DirSync.
31. Licensing
Included in the Azure AD/Office 365 license:
The installation wizard
Synchronize from on-premises to Azure AD regardless of source directory
Write-back for Exchange hybrid deployment
Requires Azure AD Premium:
Write-back (password, user, group, ….)
Additional licenses required for:
SQL Server if needed
32. Export Deletion Threshold
Accidental delete prevention:
On by default
Cannot export more than 500 deletes (default)
Can be configured with Enable-ADSyncExportDeletionThreshold and Disable-ADSyncExportDeletionThreshold
Configuration stored in Azure AD
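The threshold cmdlets from this slide used in an added example (not the deck's own code): a wrapper that lowers the safety net only for a reviewed bulk deletion and restores it in a finally block, so a failed export cannot leave accidental delete prevention switched off. Get-ADSyncExportDeletionThreshold, the -DeletionThreshold parameter and the ADSync module name are from the Azure AD Connect PowerShell module as I know it rather than from the deck; Start-ADSyncSyncCycle and Get-ADSyncConnectorRunStatus assume a build with the built-in scheduler, and the reviewed delete count is a constructed value.

```powershell
# Added example (not the deck's code): handle a large, reviewed deletion without
# permanently weakening accidental delete prevention. Run on the Azure AD Connect
# server in an elevated PowerShell; the threshold cmdlets prompt for Azure AD
# administrator credentials because the setting is stored in Azure AD.
Import-Module ADSync

function Invoke-ExportWithThresholdSuspended {
    # Disables the export deletion threshold, runs the supplied export action, and
    # always re-enables the threshold afterwards, even if the export fails.
    param(
        [Parameter(Mandatory)] [scriptblock] $ExportAction,
        [int] $RestoreThreshold = 500   # the default quoted on this slide
    )
    Disable-ADSyncExportDeletionThreshold
    try {
        & $ExportAction
    }
    finally {
        # ASSUMPTION: -DeletionThreshold is the parameter that sets the limit.
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $RestoreThreshold
    }
}

# Record the current setting first so the change shows up in your change record.
# ASSUMPTION: Get-ADSyncExportDeletionThreshold is present in your build.
Get-ADSyncExportDeletionThreshold

# CONSTRUCTED value: the number of deletes you confirmed in a staging-mode preview
# (for example after moving an OU out of scope). Below the threshold nothing
# needs to change and the safety net stays on.
$ReviewedDeleteCount = 1200

if ($ReviewedDeleteCount -gt 500) {
    Invoke-ExportWithThresholdSuspended -ExportAction {
        # ASSUMPTION: builds with the built-in scheduler expose these cmdlets; on
        # older builds trigger the scheduled sync task and wait for it instead.
        Start-ADSyncSyncCycle -PolicyType Delta
        # The cycle runs asynchronously, so wait until no connector is running
        # before the finally block re-enables the threshold; otherwise the
        # export stage could still be blocked.
        Start-Sleep -Seconds 15
        while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }
    }
}
else {
    "Only $ReviewedDeleteCount deletes pending; the 500 threshold is not reached."
}
```

The wait loop matters: the threshold is evaluated when the export step runs, so re-enabling it the instant the cycle is kicked off would defeat the purpose of suspending it. Keep the reviewed count in the ticket that authorised the change, since an unexpected jump in pending deletes is exactly the signal this feature exists to catch.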
34. Azure AD Connect Health
• Monitor the AD FS service for reliable & highly available authentication
• Email notification for critical alerts
• Analyze AD FS logins for usage & capacity planning based on app, authentication, network location & failures
• Perform forensic analysis on top users with bad passwords
• Troubleshoot with easy access to critical performance counters
35. How does it work?
• Download & install the agent on all AD FS/proxy servers
• The health agent runs locally on the server & collects data and performs configuration checks
• Includes synthetic transactions
• The health agent pushes data to the health service
• Requires certain URLs in the MSFT cloud to be accessible from the AD FS or proxy servers
• The health service processes data to generate alerts, trends & reports
• The Azure portal provides a view to reports
[Slide diagram: AD FS / AD FS Proxy / WAP servers send data to Microsoft Azure AD Connect Health, where you view alerts, reports and login trends.]
37. Session Objectives And Takeaways
Session objective(s):
Understand the default configurations the wizard creates
Understand what can be done with the wizard and what requires additional config
Azure AD Connect is the (sync+authn) tool going forward for connecting on-premises directories to Azure AD / O365
38. Q & A Time...
Next Session 14:30 – 15:30:
"Azure Automation – Introduction
Jakob Gottlieb Svendsen"
40. We Need Your Feedback
SCU Europe session planner planning.systemcenteruniverse.ch
SCU Europe WP app
Watch out for a survey invitation after the conference