Leveraging Your On-Premises Directory Infrastructure To Manage Your Microsoft Azure Active Directory Identities DCIM-B301
Azure Active Directory
An identity management system spanning cloud and on-premises, providing authentication, federation, user provisioning, application access control, and data protection.
Active Directory
A combination of Windows Server AD and Azure AD to secure the hybrid enterprise.
Diagram: the hybrid enterprise. Windows Server Active Directory serves on-premises apps; Azure Active Directory serves your apps, 3rd party apps and Microsoft apps in Microsoft's cloud (e.g. Microsoft Dynamics CRM).
Diagram: levels of directory integration with Windows Azure Active Directory: no directory integration; profile data only; profile data and integrated authentication (SSO); profile and identity data with integrated federation. Axis labels: Profile, Passwords, Federation.
Synchronizing your data
Directory Sync
Enables on-premises directory data to be projected into the cloud
Only synchronizes from a single AD forest
Groups, contacts and users: ~150 properties
Provides a delta sync of changes; the sync timeframe is every 3 hours
Links the on-premises object to the cloud object using SourceAnchor, a unique on-premises ID (by default: ObjectGUID)
On-premises is the master for all objects and properties
Proactively reports errors via email: no news is good news
Directory Sync
What gets written back
Attributes ONLY get written back if Hybrid Deployment is enabled
Exchange hybrid scenario (7 attributes on users and contacts): safe senders, mail coexistence, UM

Attribute | Feature | Description
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering Coexistence | Enables on-premises filtering using cloud safe/blocked sender information
msExchArchiveStatus | Cloud Archive | Allows users to archive mail to the Office 365 service
ProxyAddresses (cloudLegDN) | Mailbox off-boarding | Enables off-boarding of mailboxes back to on-premises
cloudmsExchUCVoiceMailSettings | Voicemail Co-Existence | Enables on-premises mailbox users to have Lync in the cloud
msExchUserHoldPolicies | Litigation Hold | Enables cloud services to determine which users are under Litigation Hold
Directory Sync
Matching on-premises and cloud users
If a user object in the cloud has the sourceAnchor value, match on the sourceAnchor value
If no user object in the cloud has the sourceAnchor value, try to match based on SMTP addresses
If the SMTP address match succeeds, the sourceAnchor value is stamped on the object already in the cloud and the objects are matched
Subsequent sync runs will use sourceAnchor values
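The matching rules above, modelled in Python as an added illustration. This is not code from the Directory Sync tool; the user records, anchors and addresses are constructed sample data, and the decision to soft-match only against cloud objects that carry no sourceAnchor yet is an assumption made here, not a rule stated on the slide.

```python
"""Matching on-premises users to cloud users (added illustration, not DirSync code).

Rule 1: a cloud object carrying the same sourceAnchor is the match (exact comparison).
Rule 2: otherwise soft-match on SMTP addresses; a hit stamps the sourceAnchor onto the
        cloud object so the next run matches under rule 1 and never needs SMTP again.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OnPremUser:
    source_anchor: str                    # SourceAnchor, by default derived from objectGUID
    upn: str
    proxy_addresses: list = field(default_factory=list)   # e.g. "SMTP:alice@contoso.com"


@dataclass
class CloudUser:
    upn: str
    proxy_addresses: list = field(default_factory=list)
    source_anchor: Optional[str] = None   # None: created in the cloud, never matched yet


def smtp_addresses(addresses):
    """Lower-cased SMTP addresses with the SMTP:/smtp: prefix removed.

    Other address kinds (sip:, x500:, ...) are not SMTP addresses and are ignored.
    """
    result = set()
    for addr in addresses:
        kind, sep, value = addr.partition(":")
        if not sep:                        # bare address without a type prefix
            result.add(addr.lower())
        elif kind.lower() == "smtp":
            result.add(value.lower())
    return result


def match_user(onprem, cloud_users):
    """Return (matched CloudUser or None, name of the rule that matched)."""
    # Rule 1: hard match on sourceAnchor. Anchors are opaque strings compared exactly.
    for cloud in cloud_users:
        if cloud.source_anchor == onprem.source_anchor:
            return cloud, "sourceAnchor"
    # Rule 2: soft match on SMTP addresses. Assumption: only cloud objects without an
    # anchor are candidates, so an object already tied to another user is never re-matched.
    wanted = smtp_addresses(onprem.proxy_addresses)
    for cloud in cloud_users:
        if cloud.source_anchor is None and wanted & smtp_addresses(cloud.proxy_addresses):
            cloud.source_anchor = onprem.source_anchor   # stamp the anchor on the cloud object
            return cloud, "smtp"
    return None, "none"


def demo():
    """Two sync runs over constructed data; returns the rule used for each user per run."""
    cloud = [
        CloudUser("alice@contoso.com", ["SMTP:Alice@contoso.com"]),             # cloud-created
        CloudUser("bob@contoso.com", ["SMTP:bob@contoso.com"], source_anchor="anchor-bob"),
    ]
    onprem = [
        OnPremUser("anchor-alice", "alice@contoso.com",
                   ["SMTP:alice@contoso.com", "sip:alice@contoso.com"]),
        OnPremUser("anchor-bob", "bob@contoso.com", ["SMTP:bob@contoso.com"]),
        OnPremUser("anchor-carol", "carol@contoso.com", ["SMTP:carol@contoso.com"]),
    ]
    first_run = [match_user(u, cloud)[1] for u in onprem]
    second_run = [match_user(u, cloud)[1] for u in onprem]   # alice now hits rule 1
    return first_run, second_run
```

In the first run alice is soft-matched on SMTP and her anchor is stamped; in the second run every matched user resolves on sourceAnchor alone, and carol, who has no cloud counterpart, is left for provisioning as a new object.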
Directory Sync
Preparing for Directory Sync
Every user must have a unique UPN and unique proxy addresses
The SIP address must match a verified domain
The UPN suffix must match a verified domain
Directory Sync
Handling Duplicates
First-in-wins, i.e. the duplicated object receives errors
Domain Validation
If the UPN uses a non-registered domain, it will be replaced with: mailNickName@[domain].onmicrosoft.com
The SIP address is removed if it is not on a verified domain
A proxy address is removed if it is not on a verified domain and the user has an Exchange license
Synchronization Errors
Synchronization errors are communicated to the technical contact via email
Administrators must address these errors through on-premises changes
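The preparation, duplicate-handling and domain-validation rules from the last three slides, as one added Python pass over a set of on-premises users. This is an illustration written for this page, not Directory Sync code; the verified domain, tenant name and user records are constructed sample data, and `prepare()` simply returns the per-user error lists that the slide says are e-mailed to the technical contact.

```python
"""Pre-sync validation of on-premises users (added illustration, not DirSync code).

Rules modelled:
  - UPN on a non-registered domain -> replaced with mailNickname@<tenant>.onmicrosoft.com
  - SIP address not on a verified domain -> removed
  - Proxy address not on a verified domain -> removed, but only for Exchange-licensed users
  - Duplicate UPN or proxy address -> first-in-wins; the later object gets the error
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    mail_nickname: str
    upn: str
    sip_address: Optional[str] = None
    proxy_addresses: list = field(default_factory=list)   # "SMTP:..." or "smtp:..."
    exchange_licensed: bool = False
    errors: list = field(default_factory=list)


def domain_of(address):
    """Domain part of user@domain, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def bare(proxy):
    """'SMTP:alice@contoso.com' -> 'alice@contoso.com'."""
    return proxy.split(":", 1)[1] if ":" in proxy else proxy


def validate_domains(user, verified_domains, tenant):
    """Domain validation: fix up or drop values that are not on a verified domain."""
    if domain_of(user.upn) not in verified_domains:
        user.upn = f"{user.mail_nickname}@{tenant}.onmicrosoft.com"
    if user.sip_address and domain_of(user.sip_address) not in verified_domains:
        user.sip_address = None
    if user.exchange_licensed:
        user.proxy_addresses = [p for p in user.proxy_addresses
                                if domain_of(bare(p)) in verified_domains]
    return user


def check_duplicates(users):
    """First-in-wins: list order is arrival order, the later duplicate is flagged."""
    seen_upn = {}
    seen_proxy = {}
    for user in users:
        key = user.upn.lower()
        if key in seen_upn:
            user.errors.append(f"duplicate UPN {user.upn}, already used by {seen_upn[key]}")
        else:
            seen_upn[key] = user.mail_nickname
        for proxy in user.proxy_addresses:
            key = bare(proxy).lower()
            if key in seen_proxy and seen_proxy[key] != user.mail_nickname:
                user.errors.append(
                    f"duplicate proxy address {bare(proxy)}, already used by {seen_proxy[key]}")
            else:
                seen_proxy.setdefault(key, user.mail_nickname)
    return users


def prepare(users, verified_domains, tenant):
    """Full pre-sync pass; returns {mailNickname: [errors]} for the error e-mail."""
    for user in users:
        validate_domains(user, verified_domains, tenant)
    check_duplicates(users)
    return {u.mail_nickname: list(u.errors) for u in users}


def demo():
    """Constructed sample: one clean user, one on an unverified domain, two duplicates."""
    verified = {"contoso.com"}
    users = [
        User("alice", "alice@contoso.com", "alice@contoso.com", ["SMTP:alice@contoso.com"], True),
        User("bob", "bob@contoso.local", "bob@contoso.local",
             ["SMTP:bob@contoso.local", "smtp:bob@contoso.com"], True),
        User("carol", "Alice@contoso.com", None, ["SMTP:carol@contoso.com"]),     # duplicate UPN
        User("dave", "dave@contoso.com", None, ["smtp:alice@contoso.com"]),       # duplicate proxy
    ]
    report = prepare(users, verified, "contoso")
    return users, report
```

Bob ends up as bob@contoso.onmicrosoft.com with his SIP address and contoso.local proxy dropped, while carol and dave, who arrive after alice, are the objects that carry the duplicate errors; alice, who was first in, is untouched.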
Password Sync
What is it
A feature of the Directory Sync tool
Synchronizes the user password hash from your on-premises Active Directory to Azure Active Directory.
Doesn't require anything to be installed on all DCs
Why use it
Users can use the same credentials to log into both on-premises
No additional infrastructure required on-premises
No dependency on on-premises infrastructure for authentication
Diagram: the password hash h(x) stored in the DC (Windows Server Active Directory) is read by the Directory Sync Tool, which computes f(h(x)) and sends that value to Azure Active Directory.
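The f(h(x)) scheme in the diagram, as an added illustration in Python. Neither the DC's hash function h nor the sync tool's transform f is specified on the slide, so both are stand-ins here (SHA-256 of the UTF-16LE password for h, salted PBKDF2-HMAC-SHA256 for f, with a constructed iteration count); the point shown is the design property, not Microsoft's actual algorithm: the cloud stores and verifies against f(h(x)) and never receives the password x or the hash h(x) that the DC holds.

```python
"""Password sync as f(h(x)) (added illustration; h and f are stand-ins, not the real ones).

x       : the user's cleartext password, known to the user and set on the DC
h(x)    : the hash stored in the DC. Stand-in: SHA-256 over the UTF-16LE password.
f(h(x)) : what the Directory Sync Tool sends to Azure AD. Stand-in: salted, iterated
          PBKDF2-HMAC-SHA256 over h(x). The cloud keeps the salt and f(h(x)) only.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000   # constructed parameter for the illustration


def dc_hash(password: str) -> bytes:
    """h(x): the on-premises stored hash (stand-in)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_transform(stored_hash: bytes, salt: bytes) -> bytes:
    """f(.): the extra, salted one-way step applied by the sync tool before sending."""
    return hashlib.pbkdf2_hmac("sha256", stored_hash, salt, ITERATIONS)


def sync_to_cloud(stored_hash: bytes) -> dict:
    """What the Directory Sync Tool hands to Azure AD for one user: salt and f(h(x))."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": sync_transform(stored_hash, salt)}


def cloud_verify(record: dict, candidate_password: str) -> bool:
    """Cloud-side check: recompute f(h(candidate)) with the stored salt; compare in constant time."""
    candidate = sync_transform(dc_hash(candidate_password), record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def demo() -> dict:
    """Sync one constructed user and exercise a correct and a wrong password."""
    onprem_hash = dc_hash("Passw0rd!")           # constructed sample password
    record = sync_to_cloud(onprem_hash)
    return {
        "correct": cloud_verify(record, "Passw0rd!"),
        "wrong": cloud_verify(record, "passw0rd!"),
        "raw_hash_sent": record["hash"] == onprem_hash,   # the cloud never holds h(x) itself
    }
```

Because f is salted per user, two tenants syncing the same password never store the same value, and a leak of the cloud record does not expose h(x), which is the value the DC itself relies on.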
Password Sync
Managing password policies
Password complexity policies configured in the on-premises AD apply in the cloud, i.e. you manage them on-premises.
The cloud password is set to Never Expire
Password Write-back
What is it
Part of AAD Premium
Only via self-service password reset
How do I enable it
The admin needs to turn on the feature using the DirSync PowerShell cmdlet:
Enable-OnlinePasswordWriteBack
Security
All communication takes place over SSL
Registration of public/private key pairs for transport and encryption; you keep the private keys
Password Write-Back (Registration)
Diagram: Windows Azure Active Directory holds the public keys (one for authentication, one for password encryption); the Directory Sync Tool on Windows Server Active Directory keeps the matching private keys.
Password Write-Back (Write-back flow)
Diagram: the reset password x leaves the cloud as f(x), its public-key-encrypted form, and is recovered as x on-premises by the Directory Sync Tool holding the private key.
Azure AD Sync
What's included
Possible to reduce the set of attributes sync'd based on the services
Support for a number of multi-forest scenarios
Easier management for filtering objects via a simple UX
Support for attribute mapping rules via a simple UX
What's missing
Password sync
Password write-back
Hybrid configuration, i.e. no write-back today
What's coming
Production support, i.e. not for production today
Support for other directories, such as LDAP, SQL or CSV
http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overvie
Demo: Azure AD Sync
Federating your identities
User View
I have a single credential to log into my PC and my cloud services
I may be prompted to enter it more than once, but it is always the same credential
Some differences
Username must be in email notation, user@domain.com
Office support
Primarily WS-* for rich clients
Limited SAML support for passive (web) usage
Support coming for OAuth
ImmutableID
Used to locate the user; must be provisioned before login
The Source Anchor attribute in Directory Sync and AAD Sync
Case sensitive
SAML-P uses the NameID claim
UPN
User principal name, the common name of the user; should match what is in Azure AD
SAML-P uses the IDPEmail claim
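An added Python illustration tying the ImmutableID and UPN slides back to the SourceAnchor (by default ObjectGUID) of the Directory Sync section: deriving the ImmutableID from an objectGUID, placing it and the UPN in the NameID and IDPEmail claims, and looking the user up case-sensitively. This is not code from Microsoft or from any federation product. The objectGUID-to-ImmutableID step follows the common convention of Base64-encoding the GUID's 16 bytes in .NET `Guid.ToByteArray()` order (Python's `uuid.UUID.bytes_le`), and the assertion is a deliberately reduced skeleton that carries only the two claims named on the slides, with no signature, conditions or issuer.

```python
"""ImmutableID from objectGUID and the two SAML-P claims (added illustration).

The GUID-to-ImmutableID conversion below assumes the usual Base64(Guid.ToByteArray())
layout. The assertion builder is a reduced stand-in, not a complete SAML 2.0 assertion.
"""
import base64
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def immutable_id_from_guid(object_guid: str) -> str:
    """objectGUID text -> ImmutableID: Base64 of the GUID's little-endian 16-byte layout."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse step, useful when reading an ImmutableID back out of the cloud."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


def build_assertion(immutable_id: str, upn: str) -> str:
    """Reduced assertion: ImmutableID in Subject/NameID, UPN in the IDPEmail attribute."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = immutable_id
    statement = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name="IDPEmail")
    ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = upn
    return ET.tostring(assertion, encoding="unicode")


def extract_claims(assertion_xml: str) -> dict:
    """Relying-party view: pull NameID and IDPEmail out of the assertion."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    email = None
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attribute.get("Name") == "IDPEmail":
            email = attribute.findtext("saml:AttributeValue", namespaces=ns)
    return {"ImmutableID": name_id, "IDPEmail": email}


def locate_user(directory: dict, claims: dict):
    """Locate the provisioned user by ImmutableID. The lookup is case-sensitive:
    a Base64 string with different letter case is a different (unknown) user."""
    return directory.get(claims["ImmutableID"])


def demo():
    """Constructed objectGUID and UPN; returns the claims a relying party would see."""
    immutable_id = immutable_id_from_guid("01234567-89ab-cdef-0123-456789abcdef")
    return extract_claims(build_assertion(immutable_id, "alice@contoso.com"))
```

The user must already exist in the cloud directory under that ImmutableID (the slide's "must be provisioned before login"), which is why `locate_user` returns nothing for a user that has not yet been synchronized, and why the ImmutableID must be stored exactly as Directory Sync wrote it.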
Setting up Federation
You need to prove you own the UPN domain of your users
Verified by DNS TXT/MX records
Can't prove you own the domain, e.g. company.local? Don't panic, we have an answer
Demo: Alternate Login ID
External Accounts
Accounts from outside your organization
Other Azure AD accounts
Microsoft accounts
Hundreds of popular SaaS apps pre-integrated. Easily add custom cloud-based apps. Facilitate developers with identity management.
Diagram: SaaS apps and consumer identity providers connected to Microsoft Azure.
Microsoft Azure
http://technet.microsoft.com/en-US/evalcenter/dn205286
Azure Pack
http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
http://azure.microsoft.com/en-us/
Related content
DEV-B344 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
DCIM-B382 Cloud Identity and Access Management: Microsoft Azure Active Directory Premium
OFC-B317 Microsoft Office 365 Directory Synchronization and Federation Options
PCIT-B326 Providing SaaS Single Sign-on with Microsoft Azure Active Directory
Azure Identity and Access Management or Office 365
Resources
Learning
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
TechNet: Resources for IT Professionals: http://microsoft.com/technet
www.microsoft.com/learning
MSDN: Resources for Developers: http://microsoft.com/msdn
2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.