Tag Archives: DirSync

Step-by-Step Guide to setup windows azure active directory – Part 02

This is the part 2 of the series of articles which will explain the setup and configuration of windows azure active directory. If you still not ready it you can find it here.

Step-by-Step Guide to setup windows azure active directory – Part 01

In part 01 we install a WAAD instance and add a domain. In this post let’s see how we can configure integration with local domain infrastructure.

WAAD can integrate with Local AD on 3 way.

1)    DirSync with Password Sync – Using this sync local users can log in to the windows azure service using same user name and password. But this is only sync the password. This is not providing SSO.
2)    DirSync with SSO – This is the most seamless integration method. To setup SSO it needs to have security token service installed and configured in local AD infrastructure such as active directory federation services (AD FS)
3)    Multi-Forest DirSync with SSO – This is very similar to the above option but this is works with multiple forest infrastructure. It’s quite complex but still seamless method for authentication.

In this demo I am going to use DirSync with SSO option. I will be using AD FS as the STS. This provides SSO experience for users to log in to local resources as well as cloud services.

IC704949

The detail check list for this process available on here it includes detail description about all the steps.

Here I list few major points which you should consider.

1)    The domain name you going to integrate should be a public domain name. Which means if you using domain name such as contoso.local you should add complete UPN suffix such as contoso.com. you can find a post I wrote about changing UPN on http://www.rebeladmin.com/2015/01/how-to-configure-multiple-user-principal-name-upn-suffixes/
2)    AD must be running with windows server 2003 R2 or greater.
3)    Based on the STS model you will need use the WAAD module for windows PowerShell to establish federation trust between azure AD and local AD.

AD FS

In demo I am using active directory federation service (AD FS) as the STS. I am not going to demonstrate how it can be set up in here. But if you not aware how to setup AD FS you can follow up the series of articles I wrote about AD FS. It can be found on http://www.rebeladmin.com/?s=Active+Directory+Federation+Services+%28AD+FS%29+

UPN Suffix

Before the integration process I add UPN suffix with public domain name to use for SSO. I also match it with the domain I added in Azure AD instance.

adsync1

adsync2

Install Azure AD PowerShell module for AD FS

To install the Azure AD PowerShell module for AD FS, log in to server as domain admin or enterprise admin. First install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from http://go.microsoft.com/fwlink/?LinkID=286152. Then download the module from http://go.microsoft.com/fwlink/p/?linkid=236297

Once download completes, double click on the installation file. Click next to continue.

adsync3

In next window accept the terms and click next.

adsync4

In next window select the installation path and click next.

adsync5

Then click install, to start the installation process.

adsync6

Setup Trust Relationship between AD FS and Azure AD

Load the PowerShell module we installed on above step.

adsync7

Run $msolcred = get-credential command. Once it prompt for the login, type the cloud administrator logins ( Global Admin user under the WaaD instance.

adsync8

Then run connect-msolservice -credential $msolcred and it will connect you to the Azure AD.

adsync9

If you are executing this commands from different server than AD FS server you need to run Set-MsolAdfscontext -Computer <AD FS primary server> . You need to replace <AD FS primary server> with AD FS server FQDN.

Then run New-MsolFederatedDomain –DomainName <domain> and <domain> need to replace with domain name which will use for SSO.

adsync10

Then you will get error similar to following. As it says we need to create proper DNS entry on our public DNS zone. I go ahead and created it as error says.
Then I can add domain using same command successfully. (Please note it take time to propagate dns changes once you do it in public dns)

adsync11

Now we have create the trust between Azure AD and local AD. Next step is to do the sync.

DirSync in Action

Go to https://go.microsoft.com/fwLink/?LinkID=278924&clcid=0x409 and download the DirSync Tool.

Once download finishes, double click on it. Then click next to continue.

adsync12

In next window accept the terms and click next.

adsync13

In next window can specify the installation path. Once done click on next to continue.

adsync14

Then it will start to do the installation.

adsync15

Once it finish select the option to “start the configuration wizard now” and click finish.

adsync16

Then it will start the configuration wizard. Click next to continue

adsync17

Then it ask for the Azure Ad credential. Provide the cloud administrator account info and click next.

adsync18

If you not set the directory sync to activate state in azure you will get error. You must activate it before continue.

adsync19

In next window it ask for local AD enterprise admin credentials. Once done click next to continue.

adsync20

In next window it asks if need to enable hybrid deployment. In here we giving permissions to azure AD to write changes to local AD. If you wish to allow, select the option and click next.

adsync21

Then it ask about password sync. It is required feature so I enable it and click next.

adsync22

Then it starting the configuration.

Once its completed, click next. Then it gives option to start the sync now. Click finish to start the sync.

adsync23

Once sync is done we can see azure AD updated with user accounts etc.

adsync24

Also Directory integration page shows when was the last sync happens etc.

adsync25

This ends the long article which were explaining the DirSync configuration with SSO.

If you have any question feel free to contact me on rebeladm@live.com

Image Source : https://msdn.microsoft.com/en-us/library/azure/dn441213.aspx

Windows Azure Active Directory (WAAD)

4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da

In previous article I explain the difficulties had on “cloud” to extend organization’s identity management. Therefor most of the applications, services on cloud used to have their own identity stores.

With Windows Azure AD, it allows to extend the local infrastructure identity management to the cloud seamlessly to allow users to get self-service capabilities and single-sign-on access. So end users no need to worry about the way they can access organization’s resources, services etc. or where it’s located (on-premises or cloud).

In before when deal with identity management in hybrid cloud setup, most of time you need to “replicate” the setup on cloud and on-premises in order to get them work with proper access control. But Azure AD allows to “sync” with existing system and allows to control access management in central location.

Windows Azure Active Directory provides centralized identify management for office365, windows intune, over 1000 SaaS applications. Not only that it provides techniques, tools to integrate your own cloud-based application or services. It also allows to “sync” with in-house active directory environment using “DirSync” and AD FS (Active Directory Federation Services) features.

Currently there is 3 versions of Windows Azure Active Directory.

Free – Free edition allow you to sync with in-house active directory environments, get SSO with Azure services and thousands of Saas applications.

Basic – This version gets all the features of free version plus group-based access management, self-service password reset, windows azure active directory application proxy to publish on-premises web applications in to cloud. It also includes enterprise level SLA which guarantee 99.9% uptime. 

Premium – This version includes all the features of free and basic versions plus self-service group management, security reports and alerts, multi-factor authentication and Microsoft identity manager (MIM).

You can get more info from following nice video.

Major benefits of WAAD

1.    Centralized identify management – You can manage logins for AD or WAAD from any remote location and from any device.
2.    Advanced Access Control – you can set rules to control the access to cloud application and resources based on users, devices, locations etc.
3.    Single-Sign-On (SSO) – Provides SSO for cloud, on-premises resources and applications. It also supports for thousands of SaaS applications available in market.
4.    Application Proxy – we can allow external user access to applications published via in-built AD application proxy. Its access can control via rules and policies according to company requirements.
5.    Advanced Reporting – It provides daily usage reports, access reports. It also allow to use custom reporting based on azure Ad reporting API.

This is the end of the post and in next post lets see how to setup WAAD. If you have any question about the post, feel free to contact me on rebeladm@live.com

Image source: http://files.channel9.msdn.com/thumbnail/4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da.png

Active Directory in Hybrid Cloud

Cloud”, the most common term now in IT, its everywhere . Companies which provides IT services bringing their products and services in to the cloud rapidly. “Hosting services” was the first industry affect with it and now its spread to even small companies, individual professionals. With introduce of everyday products like Microsoft office365 every one start to understand the benefits of the “cloud”. Some organizations are use their own private cloud while some are completely move in to public cloud services.

One of the main concern people had about cloud was how they can bring there infrastructure services, resources, applications without impact to productivity. For example most organizations uses Single-Sign-On (SSO) to reduce the complexity of the authentication and authorization process. After we move organization’s resources, products, services to cloud if SSO do not work it still preventing full benefits of the cloud in end user prospective. The same time it will make impact on productivity directly. This access control and authentication concerns are more applying in to “Hybrid Cloud” systems. In Hybrid cloud some resources, services, application will run on-premises and some will be run from public cloud or private cloud setup in data center. This is the most commonly used cloud model in industry.

One of the solution used to address this is federation services. But issue is not every application or products uses same standards, protocols for identity management. As we know most of available products supports integration with AD services. Even Microsoft gives relevant tools, techniques to succeed with SSO on application development. So if you have working infrastructure system with all company requirement, how you convince management to move in to cloud system which will needs to deal with identity and access issues?

Well, Microsoft has found the solution for this. “Microsoft cloud – Azure” and windows server 2012 allows to extend the active directory in to the cloud. It allows to use claim based authorization. We can use windows azure AD as the identity store for the hybrid cloud and easily integrate other systems such as web portals, email system, crm, non-Microsoft apps. Also it can sync with the on-premises windows server active directory using “DirSync (Windows Azure Active Directory Sync Agent)” with AD FS (Active Directory Federation Services).

clip_image001_1E3725C4

In next posts let’s see how we can configure Azure AD and how it works with integration. If you have any question about post feel free to contact me on rebeladm@live.com

Image Source: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-98-54-metablogapi/clip_5F00_image001_5F00_1E3725C4.png