http://www.itproguy.com
Session Objectives And Takeaways
Diagram: Local authentication. A Windows Azure Datacenter (West US) is joined by a VPN tunnel to the Contoso CORP site in Las Vegas, NV. Components shown: AD, SharePoint, Cloud Service, Virtual Network, RDS.
Diagram: Disaster Recovery. The same Windows Azure Datacenter (West US) and Contoso CORP site (Las Vegas, NV) joined by a VPN tunnel. Components shown: AD, SharePoint, Cloud Service, Virtual Network, Website.
Personal Services vs. Organizational Services
Personal Services: Live ID / Microsoft Account. Examples: alice@outlook.com, alice@live.com
Organizational Services: Org ID / Organizational Account / OnMicrosoft Account (Azure AD Account). Examples: alice@contoso.com, alice@contoso.onmicrosoft.com
Why Windows Azure AD? Diagram: Office 365, Dynamics CRM Online, Windows Intune and a CORP app hosted on Windows Azure all authenticate against Windows Azure AD, which is linked to the on-premises AD.
Integration options: 1. Cloud Only / No Integration; 2. Directory Synchronization; 3. Directory and Federated SSO.
Diagram (option 1, Cloud Only / No Integration): Windows Azure Active Directory (Admin Portal / PowerShell / Graph, authentication platform IdP, provisioning platform, directory store) serves Office 365, Dynamics CRM Online and Windows Intune. The Contoso customer premises keep their own AD and CORP app with no link to the cloud; Joe@contoso.msonline.com in the cloud and Joe@contoso.com on-premises are separate identities.
Diagram (option 2, Directory Synchronization): Directory Sync (DirSync) on the customer premises provisions users from the on-premises AD into the Windows Azure AD directory store; authentication still happens against the cloud authentication platform (IdP).
Directory Synchronization Options

DirSync
• Suitable for organizations using Active Directory (AD)
• Supports Exchange co-existence scenarios
• Coupled with AD FS, provides the best option for federation and synchronization
• Does not require any additional software licenses
• Multi-forest available through MCS + Partners

Office 365 Connector for Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
• Suitable for all organizations; most robust for sync
• More features: password reset, compliance, access, policy and group management

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Not a highly recommended option compared to DirSync or the FIM Connector
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires extensive scripting experience
• The PowerShell option can be used where the customer/partner already has wrappers around PowerShell scripts (e.g. self-service provisioning)
• As this is a custom solution, Microsoft support may not be able to help if there are issues
Diagram (option 3, Directory and Federated SSO): Active Directory Federation Server 2.0 on the customer premises acts as the IdP, with a trust to the Windows Azure Active Directory authentication platform; Directory Sync (DirSync) still provisions the on-premises AD into the directory store, which serves Office 365, Dynamics CRM Online, Windows Intune and the CORP app.
Federation options

AD FS
• Works with AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on; secure token-based authentication; support for web and rich clients
• Microsoft supported
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support

Third-party STS
• Works with AD and non-AD
• Recommended where customers may use existing non-AD FS identity systems with AD or non-AD
• Third-party supported
• Verified through the ‘works with Office 365’ program
• Works with AD and other directories on-premises
• Works for Office 365 hybrid scenarios

Shibboleth
• Works with AD and non-AD
• Suitable for educational organizations
• Recommended where customers may use existing non-AD FS identity systems
• Microsoft supported for integration only; no Shibboleth deployment support
• Single sign-on; secure token-based authentication; support for web clients and Outlook only
1. No Integration
Appropriate for
• Smaller orgs without AD on-premise
Pros
• No servers required on-premise
• Same domain name for users possible
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage, with differing password policies
• IDs mastered in the cloud

2. Directory Only
Pros
• Users and groups mastered on-premise
• Enables co-existence
• Single server deployment
Cons
• No 2FA until Spring 2013
• 2 sets of credentials to manage, with differing password policies, OR manual / 3rd-party password sync, OR use FIM
• No SSO

3. Directory and SSO
Pros
• SSO with corporate credentials
• IDs mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables hybrid scenarios
• Location isolation
• Ideal for multiple forests
Cons
• Additional servers required for AD FS
AD FS server sizing (source: http://technet.microsoft.com/en-us/library/jj151794.aspx)

Users           Dedicated federation servers     Federation server proxies   NLB servers   Comments
<1,000          0                                0                           1             Deploy AD FS on two DCs
1,000–15,000    2                                2                           2             Install NLB on proxies
15,000–60,000   2 + 1 for every 15,000 users     2+                          2+            Install NLB on proxies or use a dedicated NLB implementation
[In Windows Azure]
    New-MsolDomain -Name $SelectedSuffix -Authentication Federated
    $Domain = Get-MsolDomain -DomainName $SelectedSuffix
    if ($Domain.Status -eq 'Verified') {
        Write-Host ' '
        Write-Host 'Domain is verified. If it is a subdomain of an existing domain, this is automatic.'
        Write-Host ' '
    } else {
        Write-Host ' '
        Write-Host -NoNewline 'Domain verification code: '
        # Get-QSMsolDNSVerificationText is the presenter's helper that prints the TXT record to publish in DNS
        Get-QSMsolDNSVerificationText -Domain $SelectedSuffix
        Write-Host ' '
    }
[In Windows Azure on Server 1]
    Set-MsolDirSyncEnabled -EnableDirSync $true
[On Server 1]
    Install-WindowsFeature ADFS-Federation
[On Server 1]
    Install-AdfsFarm -CertificateThumbprint $CertificateThumbprint `
        -FederationServiceName $script:ADFSSubjectName `
        -ServiceAccountCredential $script:ADFSCredentials `
        -OverwriteConfiguration
    # Run the AD FS proxy configuration wizard unattended; the helper ConvertFrom-QSSecureStringToPlaintext
    # is the presenter's own, used because the wizard only accepts a plaintext password argument
    Start-Process -FilePath "$env:SystemRoot\ADFS\FSPConfigWizard.exe" -Wait -ArgumentList @(
        '/Hostname', $script:ADFSSubjectName,
        '/Username', $script:ADFSAccountName,
        '/Password', (ConvertFrom-QSSecureStringToPlaintext -SecureString $script:ADFSAccountPassword)
    )
[In Windows Azure on Server 1]
    New-MsolFederatedDomain -DomainName $Domain
[On Server 1]
    Write-QSTitle 'Download, install, and configure the DirSync tool'
    $DirSyncFilename = $script:CurrentExecutingPath + 'DirSync.exe'
    # Require-QSDownloadableFile is the presenter's helper: returns $false if the download fails
    if (-not (Require-QSDownloadableFile -FileName $DirSyncFilename -URL 'http://g.microsoftonline.com/0BX10en/571')) {
        Write-QSError 'DirSync download failed.'
        return
    }
    Write-Host 'Running DirSync installer...'
    Start-Process -FilePath $DirSyncFilename -ArgumentList @('/quiet') -Wait
Reference: http://support.microsoft.com/kb/2681562
[On Server 1]
    Write-Host 'Requesting synchronization credentials...'
    $TargetCredentials = Get-Credential -Message 'Permanent Synchronization Credentials'
    Write-Host 'Requesting local credentials...'
    $SourceCredentials = Get-Credential -Message 'Local Active Directory Administrator'
    Write-Host 'Requesting online coexistence configuration information...'
    $Configuration = Get-CoexistenceConfiguration -TargetCredentials $script:MsolCredential
    Write-Host 'Configuring local coexistence configuration information...'
    Set-CoexistenceConfiguration -SourceCredentials $SourceCredentials -TargetCredentials $TargetCredentials
    Write-Host 'Requesting an immediate synchronization...'
    Start-OnlineCoexistenceSync
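Once the steps above have run, the result should be checked before users depend on it. The following script is an added example and is not part of the deck's script; it assumes the MSOnline module is loaded, Connect-MsolService has already been run on Server 1, and $SelectedSuffix and $script:ADFSSubjectName are set as in the steps above (adfssrv is the AD FS 2.0 Windows service name).

```powershell
# Added example, not part of the deck's script: verify the outcome of the seven steps.
# Assumes: MSOnline module loaded, Connect-MsolService already run, $SelectedSuffix and
# $script:ADFSSubjectName set as in the steps above, and execution on Server 1 (AD FS).
$DomainName = $SelectedSuffix
$problems = @()

# 1. The domain must be verified and federated; a Managed domain means cloud passwords.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    $problems += "Domain $DomainName is not verified (status: $($domain.Status))."
}
if ($domain.Authentication -ne 'Federated') {
    $problems += "Domain $DomainName is $($domain.Authentication), not Federated."
}

# 2. The cloud-side trust must point at the intended AD FS service name.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if ($fed.PassiveLogOnUri -notlike "https://$($script:ADFSSubjectName)/*") {
    $problems += "PassiveLogOnUri is $($fed.PassiveLogOnUri); expected host $($script:ADFSSubjectName)."
}

# 3. The token-signing certificate Azure AD trusts must not be close to expiry;
#    an expired certificate breaks every federated sign-in.
$certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Token-signing certificate $($cert.Thumbprint) expires $($cert.NotAfter)."
}

# 4. DirSync must be enabled in the tenant and must have completed at least once.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    $problems += 'Directory synchronization is not enabled in Windows Azure AD.'
} elseif (-not $company.LastDirSyncTime) {
    $problems += 'DirSync is enabled but no synchronization has completed yet.'
}

# 5. The local AD FS 2.0 service (adfssrv) must be running on this server.
$adfs = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if (-not $adfs -or $adfs.Status -ne 'Running') {
    $problems += 'AD FS service (adfssrv) is not running on this server.'
}

if ($problems.Count -eq 0) {
    Write-Host "All federation and DirSync checks passed for $DomainName."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```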
Document Step #   PS Script Step #   Component of Configuration                              Actual Time Taken
1                 1-2                Initial Software Installation (pre-requisites)*, ***    1 min 12 sec
1                 3                  Office 365 Readiness Tool                               5 min 48 sec
2                 4-5                Add Domain Name in Windows Azure AD                     27 sec
3                 6                  Activate DirSync Support                                10 sec
4                 7-14               Install and Configure On-Premise AD FS Server 1**       2 min 53 sec
5                 15-22              Install and Configure AD FS Proxy Server 2*, ****       6 min 12 sec
6                 23-24              Configure Windows Azure AD Federation Support           41 sec
7                 25-27              Install and Configure DirSync                           3 min 26 sec
Total: ~20 minutes
Diagram: a Windows Azure subscription linked by VPN.
http://aka.ms/AD2AAD
http://technet.microsoft.com/en-us/library/jj713614.aspx
http://aka.ms/github