1. Partner Practice Enablement - Overview
This session introduces Microsoft Azure Active Directory and then progress into some key features of the service such as
configuring access to SaaS applications, supporting multi-factor authentication and then compare and contrast premium
features of the service. The module will also cover running Windows Server AD workloads in Azure Virtual Machines.
Audience: IT Professionals and Architects
Module 1 – Introduction to Microsoft Azure
Module 2 – Microsoft Azure Virtual Machines
Module 3 – Microsoft Azure Networking
Module 4 – Microsoft Azure Active Directory
Module 5 - Cloud Services and Websites
Module 6 - SQL Server and SharePoint
Module 7 - Management and Monitoring
2. CEO & Co-Founder of Opsgility, Experts in
Instructor-Led Microsoft Azure Training.
Prior to starting Opsgility Michael was a
Principal Cloud Architect with a leading
Solution Integrator and a fifteen year
Microsoft veteran. While at Microsoft
Michael's roles included being a Senior
Program Manager on the Microsoft Azure
Runtime team and a Senior Technical
Evangelist for Microsoft Azure Infrastructure
Services.
Michael was the original developer of the
Microsoft Azure PowerShell Cmdlets and is a
globally recognized speaker for conferences
such as TechEd and BUILD.
About the Instructor
Michael Washam
Microsoft Azure Trainer
http://www.opsgility.com
Twitter: @MWashamTX
michael@Opsgility.com
4. Agenda
Microsoft Azure Active Directory Introduction
Application Access
Azure AD Application Proxy
Multi-Factor Authentication (MFA)
Company Branding
Directory Integration
Running Windows Server AD / AD FS on Azure VM’s
6. Microsoft Azure Active Directory
What is it?
A multi-tenant service that provides enterprise-level identity and access management for the cloud.
Built to support global scale, reliability and availability.
Backed by a 99.99% SLA for Azure AD Premium or Basic
What can I do with it?
Manage users and access to cloud resources.
Extend your on premise Active Directory to the cloud.
Provide single-sign-on (SSO) across your cloud applications.
Reduce risks by enabling multi-factor authentication.
Support development’s need to build secure directory integrated applications for the enterprise.
6
13. Application Access Overview
Software-as-a-Service (SaaS) Applications
Organizations increasingly rely on SaaS applications to support business activities.
Microsoft Azure AD enables easy integration to many of today’s popular SaaS applications, such as
Salesforce, Box, Google Apps, DocuSign, DropBox. etc.
Tenets of Integrating SaaS Apps w/Microsoft Azure AD
Single Sign-On (SSO) enables users to access their applications using their organizational ID.
Account synchronization enables user provisioning/de-provisioning into application based on changes
in Windows Server AD and/or Microsoft Azure AD.
Centralized application access management.
Unified monitoring and reporting.
13
14. Support for Single Sign-On
Federation-based Single Sign-On
Users are automatically signed in to applications using their credentials from Microsoft Azure AD.
Password-based Single Sign-On
Users are automatically signed in to applications using their credentials from the 3rd party application.
15. Access Panel
http://myapps.microsoft.com
This is where users can discover the applications they have access to.
Features of the Access Panel
Users can change the password associated with their organizational account.
Users can edit multi-factor authentication-related contact and preference settings.
Users can view details about their account.
16. Access Panel for iOS 7
Provides SSO to Apps integrated
with your Azure Active Directory
Supports iPad and iPhone devices
Full parity with the web-based
Application Access Panel
Install “My Apps – Azure Active
Directory” from the Apple App Store
17. Public-Facing Application Gallery
Discover Available SaaS
Applications Without Signing
into the Azure Management
Portal
http://azure.microsoft.com/en-us/gallery/active-directory/
21. Cloud App Discovery
Visibility
Gain visibility into which cloud applications are being used within an organization.
Assess Risk and Remediate
See usage graphs based on users, requests, volume of data exchanged.
Identify top cloud applications being used in the organization.
Proceed with application integration (if appropriate).
Get Started
By General Availability (GA), will be integrated into the Azure Management Portal. Until then, sign up at
https://appdiscovery.azure.com/.
Install Agent on machines in the organization.
25. Azure AD Application Proxy
Reverse-Proxy as a Service
Builds on the Web Application Proxy capabilities in Windows Server 2012
R2.
Supports browser-based applications - http(s).
Cloud Connector Pattern
Simpler On-Premises Deployment
Connectors can be redundant for HA
Stateless Architecture (as compared to WAP with AD FS)
PREVIEW
26. Azure AD Application Proxy
On-Premises Network
Expense App
Benefits App
Connector
Connector
Microsoft
Azure
Azure AD Application
Proxy Service
Request/Response
Queue
How it works
https://benefits-contoso.cwap.net
PREVIEW
28. Multi-Factor Authentication (MFA)
What is it?
A method of authentication requiring the use of more than one
verification method to authenticate a user.
• Mobile Application
• Automated Phone Call
• Text Message
How it works?
Requiring any two or more verification methods
• Something you know (typically a password)
• Something you have (a trusted device that is not easily duplicated,
like a phone)
28
1. Login using username and password
2. Microsoft Azure MFA Challenge
3. Response to challenge from device
31. Azure AD Company Branding
Requirements
Azure Active Directory Premium or Basic (both require an EA)
Pages that can be custom branded
Sign-in page
Access Panel page
Components that can be changed
Banner Logo
Large Illustration (left of Sign-in page)
Background Color
Sign-in page text
33. Directory Sync
Synchronizes Users, Groups,
and Contacts to Windows
Azure AD.
Users will have a different
password in Windows Azure AD
than they have for the on-
premise AD.
34. Directory Sync w/Password Sync
An extension of ‘Directory Sync’
that also synchronizes a “hash”
of the user’s password.
Enables users to sign-in to
cloud applications using their
same on-premise password.
35. Directory Sync w/Single Sign-On
Users won’t be challenged to
enter username/password when
accessing cloud applications.
Authentication occurs in the
on-premise directory.
Requires an on-premises STS,
such as ADFS.
36. Writeback Capability (“DirSync”)
Self-Services Password Reset with Writeback
Writeback capability enables password resets to be persisted
back to on-premises Server AD
A feature of the Azure Active Directory “DirSync” Tool
Only available in Azure AD Premium
38. Synchronization with DirSync
DirSync Intervals
Directory Sync runs on 3 hour intervals.
Password Sync runs on 2 minute intervals.
Password Writeback’s occur instantly.
DirSync On-Demand
Start-OnlineCoexistenceSync (PowerShell)
39. Monitoring DirSync
Directory Synchronization logs events in the Windows
Application Event Log.
Event Source: “Directory Synchronization”
Synchronization Service Manager for a UI Experience
C:Program FilesWindows Azure Active Directory SyncSYNCBUSSynchronization
ServiceUIShellmiisclient.exe
Create Security Group “MIISAdmins” on the DirSync Server and add the logged in user to the group.
Reference: http://support.microsoft.com/kb/2791422
40. Azure Active Directory Sync (“AAD Sync”)
Azure Active Directory Sync (“AAD Sync”)
New “One Sync” Tool, replaces DirSync
General availability and available for download
Features
Onboard Multi-Forest Server AD Deployments to Azure AD
Advanced provisioning, mapping and filtering rules
Map multiple on-premises Exchange organizations to a single
Azure AD tenant
44. Why Server AD in a Azure VM?
Business Drivers
Support for pre-requisites for existing applications, such as SharePoint.
High Availability Solutions for SQL Server Databases using Always-On Availability Groups.
Disaster Recovery solution for branch offices and a limited set of VM’s.
Dev/Test Workloads.
45. Azure VM Considerations
From an Existing Physical Machine
P2V a physical machine and move to Windows Azure
Move the DC’s VHD file to Windows Azure
Create the VM from the VHD
Starting with a new Virtual Machine
Build a new Virtual Machine and replicate directory to Windows Azure
46. Azure VM Considerations (continued…)
Attach data disk (caching turned off)
Don’t use D: ( temporary physical disk)
Put logs and account DB on attached disk to avoid
data loss
47. Azure VM Considerations (continued…)
IP Addressing
Microsoft Azure VM’s require use of a DHCP leased IP address.
The lease is an infinite ‘dynamic’ lease, but not the same as ‘static assigned’ address that you would
expect to use in and on-premises environment.
The leased IP address is routable for the duration of the lease, which is determined by the life time of
the service (or VM).
Set a Static IP in the Virtual Network using the Set-AzureStaticVNetIP cmdlet.
48. Azure VM Considerations (continued…)
Deploy DNS on the Domain Controller
The Windows Azure DNS does not cover the AD DNS records needed.
Register the DNS server in the Virtual Network.
50. Running AD FS on Azure VM’s
ADFS Best Practices call for Load balancing the AD FS
Proxy and STS endpoints for high availability.
If running this workload in Azure, use the Azure
Internal Load Balancer.
• Requires Regional Virtual Network
53. Running ADFS On-Premises
Deploy AD FS Proxy Servers in Azure.
Establish a site-to-site VPN or Express Route between
the on-premises network and the Azure Virtual
Network.
Ideal for Production Environments.
55. Summary
Microsoft Azure Active Directory Introduction
Application Access
Azure AD Application Proxy
Multi-Factor Authentication (MFA)
Company Branding
Directory Integration
Running Windows Server AD / AD FS on Azure VM’s