Amit Vasu's presentation to a Toronto audience, which included a discussion of Azure Active Directory, the sign-in model for O365, directory synchronization tools, system requirements, and setting up the development environment.
5. June 5, 2015
Provides a robust set of capabilities to manage users and groups
Comes in three editions: Free, Basic, Premium
World’s largest cloud directory
Identity and Access Management for the Cloud
6.
Enable single sign-on to thousands of cloud applications from Windows, Mac, Android and iOS devices.
Works with third-party identity providers
Simplify user access to any cloud app
7.
Provides Multi-Factor Authentication
Security monitoring and alerts
Machine learning based reports
Protect sensitive data and applications
12. Directory Synchronization - Overview
13.
Synchronizes users, passwords, security groups, distribution lists, contacts, and conference rooms.
Enables a unified Global Address List with Exchange Online
Supports multiple sync scenarios, i.e. DirSync, DirSync/Password, DirSync/SSO
Identity and Access Management for the Cloud
14. Synchronization interval
Default every 3 hours.
Can be modified by updating Microsoft.Online.DirSync.Scheduler.exe.Config
Find the key <add key="SyncTimeInterval" value="3:0:0" /> and replace the value with your desired time.
Restart the Windows Azure Active Directory Sync Service
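One way to script the interval change from the slide, as an added example that is not part of the presentation: it validates the new value, backs up the config, edits the SyncTimeInterval key as XML and restarts the service. The config path is assumed to be the default DirSync install location, the key is assumed to sit in the standard .NET appSettings section, and the service display name is the one the slide gives.

```powershell
# Added example (not from the presentation): change the DirSync scheduler interval
# described on the slide and restart the sync service so the new value takes effect.
# Assumptions: the default config path below is the usual DirSync install location
# (adjust if needed), the key lives in the standard .NET <appSettings> section,
# and the session is elevated on the DirSync server.
param(
    [string]$ConfigPath = 'C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config',
    [string]$NewInterval = '1:0:0'   # h:m:s, same format as the slide's default 3:0:0
)

# Validate the requested value before touching the config file.
$parsed = [TimeSpan]::Zero
if (-not [TimeSpan]::TryParse($NewInterval, [ref]$parsed)) {
    throw "Interval '$NewInterval' is not a valid h:m:s TimeSpan"
}

# Keep a timestamped backup so the change can be rolled back.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

# Edit <add key="SyncTimeInterval" value="3:0:0" /> as XML rather than with a regex,
# so the rest of the file is left exactly as it was.
[xml]$config = Get-Content -Path $ConfigPath -Raw
$setting = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
if (-not $setting) { throw "SyncTimeInterval key not found in $ConfigPath" }
Write-Host "SyncTimeInterval: $($setting.value) -> $NewInterval"
$setting.value = $NewInterval
$config.Save($ConfigPath)

# The scheduler only reads its config at start-up, so restart the service
# (display name taken from the slide).
$svc = Get-Service -DisplayName 'Windows Azure Active Directory Sync Service' -ErrorAction Stop
Restart-Service -InputObject $svc -Force
Write-Host "Restarted '$($svc.DisplayName)'; status: $((Get-Service -Name $svc.Name).Status)"
```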
15. Directory Quota Limit
Up to 50k objects with no verified domain
Increased to 300k objects with first verified domain
Each tenant is only granted one increase
Unlimited if you have an Azure Active Directory Basic or Premium subscription
16. Password Sync
Must be running version 6382.0000 or greater of the Directory Sync tool in order to enable the Password Sync feature
Does not mean it is SSO, as there is no token sharing
Passwords are synchronized every two minutes
The synchronization of a password has no impact on currently logged on users.
17. Source of Authority
Location which is the original source of Active Directory objects
Azure AD requires a single source of authority for every object.
By default, Azure AD directory objects are mastered in the cloud.
18. Changing Source of Authority
Three scenarios where the source of authority may change for an object:
Activate
Deactivate
Reactivate*
19. Directory Synchronization - Tools
20. Directory Sync
Most commonly known product is the Directory Sync tool (DirSync).
Download link from the Office 365 portal.
Relies on Forefront Identity Manager (FIM) for synchronization.
21. Azure Active Directory Synchronization (AAD Sync)
Successor to DirSync and eventually will replace DirSync.
Supports multi-forest synchronization.
Advanced provisioning, mapping and filtering rules for objects and attributes.
22. Azure Active Directory Connect
At some point in the future AADConnect will be the single choice.
Will also assist you to set up AD FS.
AADConnect will simplify the deployment and configuration of your end-to-end identity setup.
COMPARE FEATURES: https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx
24. Directory Synchronization Computer - OS
64-bit edition of Windows Server 2008 Standard, Enterprise, or Datacenter edition with SP1 or later
Windows Server 2008 R2 Standard, Enterprise, or Datacenter edition with SP1 or later
Windows Server 2012 Standard or Datacenter
Windows Server 2012 R2 Standard or Datacenter
25. Directory Synchronization Computer
It must be joined to Active Directory.
It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1.
It must run Windows PowerShell.
It must be located in an access-controlled environment.
26. Directory Synchronization – Domain Controller
Windows Server 2003 forest functional mode or higher
32-bit or 64-bit Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1)
32-bit or 64-bit edition of Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, or Windows Server 2008 Datacenter or Windows Server 2008 R2 Datacenter.
Windows Server 2012 Standard or Datacenter.
27. Permissions
You must have administrator permissions for the following:
The computer running the Directory Sync tool.
Your company’s local Active Directory.
Your company’s Microsoft cloud service administrator account.
28. Directory Synchronization on Domain Controller
DirSync can be installed on a Domain Controller
Requires version 6553.0002 or newer
Steps to install DirSync on a DC are exactly the same.
Just because you can does not mean you should.
Follow the best practice and install DirSync on a separate server.
30. Setting up Development Environment
31.
Sign up for Azure free one month trial: http://azure.microsoft.com/en-us/pricing/free-trial/
Create Domain Controller in Azure using the following HOL: http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/
Sign up for Office 365 trial (30 day): https://portal.office.com/partner/partnersignup.aspx?type=Trial&id=3dd59a14-63ab-4c89-acce-c065ac672e46&msppid=2971477
32.
• May 14th and 15th – 8am to 6pm PST (Pacific)
• Steve Guggenheimer Keynote at 8am on May 14th
• OPEN TO EVERYONE!
• 5 TRACKS
• IT Pro | Developer | Consumer | LATAM Track (Spanish) | Brazil Track (Portuguese)
• REGISTER HERE: http://mvp.microsoft.com/en-us/virtualconference.aspx
• MVP Home Page > Events > 2015 Microsoft MVP Virtual Conference
Azure AD directories let you centrally control access to applications and resources, easily add existing resources (cloud services or on-premises applications), and integrate applications you are developing. Because it is a comprehensive service, Azure AD provides different benefits to people in different roles within an organization.
If you are a business decision maker, use Azure AD to achieve the promise of cloud applications and a mobile workforce with confidence that your governance requirements are being met.
If you are a service provider, use Azure AD to easily address your identity and access needs, connecting your services to your customers’ existing identity solutions while also reaching Microsoft Azure and Office 365 customers. Azure AD can also address all of your back-office access needs, so whether in-house or outsourced, you can be confident the right people have the right access.
If you are an IT professional, use Azure AD to increase your control and visibility of operations at "cloud speed." With Azure AD, you will know what people are using and empower them through self-service offerings.
In this model a user is created and managed in Office 365 and stored in Azure Active Directory, and the password is verified by Azure Active Directory. Azure Active Directory is the cloud directory that is used by Office 365. There is no equivalent user account on-premises, and there is nothing that needs to be configured to use this other than to create users in the Office 365 admin center.
Cloud Identity to Synchronized Identity. This transition is simply part of deploying the DirSync tool. You may have already created users in the cloud before doing this. If you switch from the Cloud Identity model to the Synchronized Identity model, DirSync and Azure Active Directory will try to match up any existing users. There are two ways that this user matching can happen. The first one occurs when the users in the cloud have previously been synchronized from an Active Directory source. In this case they will have a unique ImmutableId attribute and that will be the same when synchronization is turned on again. Users with the same ImmutableId will be matched and we refer to this as a “hard match.”
The second way occurs when the users in the cloud do not have the ImmutableId attribute set. In this case we attempt a “soft match,” which looks at the email attributes of the user to find ones that are the same. If we find multiple users that match by email address, then you will get a sync error. If you want to be sure that users will match using soft-match capabilities, make sure their PrimarySMTP addresses are the same both in Office 365 and in the on-premises Active Directory. If all of your users are entered in the cloud but not in your Active Directory, you can use PowerShell to extract them and then you can import them into Active Directory so that soft match will work.
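The hard-match and soft-match rules described above, as an added stand-alone simulation that is not part of the presentation or of DirSync itself: cloud users carrying the same ImmutableId are hard-matched, the remainder are soft-matched on primary SMTP address, and an address shared by more than one cloud user is reported as the sync error the notes mention. The user records are constructed sample data and the function name is this example's own.

```powershell
# Added example (not from the presentation): simulates how existing cloud users are
# matched to on-premises users when moving from Cloud Identity to Synchronized Identity.
function Match-DirectoryUsers {
    param([object[]]$OnPremUsers, [object[]]$CloudUsers)

    foreach ($onPrem in $OnPremUsers) {
        # Hard match: a cloud user that was synced before carries the same ImmutableId.
        $hard = @($CloudUsers | Where-Object { $_.ImmutableId -and $_.ImmutableId -eq $onPrem.ImmutableId })
        if ($hard.Count -eq 1) {
            [pscustomobject]@{ OnPrem = $onPrem.Name; Cloud = $hard[0].Name; Result = 'HardMatch' }
            continue
        }
        # Soft match: fall back to the primary SMTP address (-eq is case-insensitive).
        $soft = @($CloudUsers | Where-Object { -not $_.ImmutableId -and $_.PrimarySmtp -eq $onPrem.PrimarySmtp })
        switch ($soft.Count) {
            0 { [pscustomobject]@{ OnPrem = $onPrem.Name; Cloud = $null; Result = 'NewCloudUser' } }
            1 { [pscustomobject]@{ OnPrem = $onPrem.Name; Cloud = $soft[0].Name; Result = 'SoftMatch' } }
            default {
                # More than one cloud user shares the address: the sync error the notes describe.
                [pscustomobject]@{ OnPrem = $onPrem.Name; Cloud = ($soft.Name -join ','); Result = 'SyncError:AmbiguousSmtp' }
            }
        }
    }
}

# Constructed sample data (placeholder ImmutableIds, not real accounts).
$onPrem = @(
    [pscustomobject]@{ Name = 'alice'; ImmutableId = 'AAAA=='; PrimarySmtp = 'alice@contoso.example' }
    [pscustomobject]@{ Name = 'bob';   ImmutableId = 'BBBB=='; PrimarySmtp = 'bob@contoso.example' }
    [pscustomobject]@{ Name = 'carol'; ImmutableId = 'CCCC=='; PrimarySmtp = 'carol@contoso.example' }
    [pscustomobject]@{ Name = 'dave';  ImmutableId = 'DDDD=='; PrimarySmtp = 'dave@contoso.example' }
)
$cloud = @(
    [pscustomobject]@{ Name = 'alice';  ImmutableId = 'AAAA=='; PrimarySmtp = 'alice.old@contoso.example' } # hard match
    [pscustomobject]@{ Name = 'bob';    ImmutableId = $null;    PrimarySmtp = 'Bob@contoso.example' }       # soft match
    [pscustomobject]@{ Name = 'carol1'; ImmutableId = $null;    PrimarySmtp = 'carol@contoso.example' }     # ambiguous
    [pscustomobject]@{ Name = 'carol2'; ImmutableId = $null;    PrimarySmtp = 'carol@contoso.example' }     # ambiguous
)
Match-DirectoryUsers -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
```

Running this against your own exports (ImmutableId and PrimarySMTP for both directories) before enabling DirSync shows which on-premises users would create duplicates or trip the ambiguous-address error.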
In this model the user identity is managed in an on-premises server and the accounts and password hashes are synchronized to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in the password is verified by Azure Active Directory. This model uses the Microsoft Azure Active Directory Sync Tool (DirSync).
Synchronized Identity to Federated Identity. This transition is required if you deploy a federated identity provider, because synchronized identity is a prerequisite for federated identity. The user identities are the same in both synchronized identity and federated identity. Because of this, changing from the Synchronized Identity model to the Federated Identity model requires only the implementation of the federation services on-premises and enabling of federation in the Office 365 admin center. Switching from Synchronized Identity to Federated Identity is done on a per-domain basis. The operation both defines the identity provider that will be in charge of the user credential validation (often a password) and builds the federation trust between Azure Active Directory and the on-premises identity provider. When you switch to federated identity you may also disable password hash sync, although if you keep this enabled, it can provide a useful backup, as described in the next paragraph.
This model requires a synchronized identity but with one change to that model: the user password is verified by the on-premises identity provider. This means that the password hash does not need to be synchronized to Azure Active Directory. This model uses Active Directory Federation Services (AD FS) or a third-party identity provider.
Federated Identity to Synchronized Identity. You can convert a domain from the Federated Identity model to the Synchronized Identity model with the PowerShell command Convert-MsolDomainToStandard. Since the password sync option in DirSync is a recent addition, some customers will make this transition to take advantage of that and simplify their infrastructure. This transition can also be a useful backup in case there is a failure with the federated identity provider, because any failure with the federated identity provider—including the physical server, the power supply, or your Internet connectivity—will block users from being able to sign in.
Synchronization is on a per-user basis and in chronological order.
In an Azure AD environment, source of authority refers to the location that is the original source of Active Directory objects.
Azure AD requires a single source of authority for every object. By default, Azure AD directory objects are mastered in the cloud.
Once Directory Synchronization has been activated, the source of authority is transferred from the cloud to the on-premises Active Directory (after the first sync cycle has been completed).
All subsequent changes to the cloud objects (with the exception of licensing) are mastered from the on-premises Active Directory, and the corresponding cloud objects are read-only.
Administrators cannot edit cloud objects if the source of authority is on-premises.
Activate: When you activate directory synchronization and then synchronize directories, the source of authority for any cloud object that is matched to an on-premises object is transferred from the cloud to your on-premises Active Directory.
NOTE: Activating directory synchronization is a requirement for an Exchange hybrid deployment, an Active Directory Federation Services 2.0 (AD FS 2.0)/single sign-on (SSO), and the staged Exchange migration scenarios.
Deactivate: When you deactivate directory synchronization, the source of authority is transferred from the on-premises Active Directory to the cloud.
*Reactivate: When you reactivate directory synchronization, the source of authority is transferred from the cloud back to your on-premises Active Directory (where it previously resided).
For Directory Sync, the most commonly-known product is the Directory Sync tool (DirSync).
This tool is the one offered from the Office 365 portal when you are setting up synchronization.
DirSync relies on Forefront Identity Manager (FIM) for Synchronization.
Azure AD Sync will replace DirSync and be included for all AAD, Office 365 and other Microsoft cloud service customers.
Provides both a simplified deployment experience and an advanced synchronization server.
Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:
It must be joined to Active Directory.
It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1
If you are running Windows Server 2008 or higher, the .NET Framework will already be installed
It must run Windows PowerShell
For Windows Server 2003, you need to download Windows PowerShell.
For Windows Server 2008 or higher, you need to enable Windows PowerShell.
It must be located in an access-controlled environment.
Active Directory forest
Windows Server 2003 forest functional mode or higher
Domain controller
32-bit or 64-bit Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1)
32-bit or 64-bit edition of the Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, or Windows Server 2008 Datacenter or Windows Server 2008 R2 Datacenter.
Windows Server 2012 Standard or Datacenter.
To run the Directory Sync tool, you must have administrator permissions for the following:
The computer running the Directory Sync tool.
Your company’s local Active Directory.
Your company’s Microsoft cloud service administrator account.
To install the Directory Sync tool, you need enterprise admin rights during only the installation process. When you’ve installed the tool, a non-privileged Active Directory account will be required. This non-privileged account is created automatically when the Directory Sync tool is being installed.
DirSync can be installed on a Domain Controller.
Requires version 6553.0002 or newer.
Steps to install DirSync on a DC are exactly the same.
The administrator installing the tool will need to log off and log on again after the Installation Wizard is complete and before the Configuration Wizard is run.