
DCIM-B301
Leveraging Your On-Premises Directory Infrastructure to Manage Your Microsoft Azure Active Directory Identities
Aanchal Saxena
Ross Adams

Azure Active Directory
- An identity management system spanning cloud and on-premises, providing authentication, federation, user provisioning, application access control, and data protection
- Combination of Windows Server AD and Azure AD to secure the hybrid enterprise
[Diagram: Windows Server Active Directory with On-Premises Apps, and Azure Active Directory with Microsoft's Cloud (Microsoft Apps, Microsoft Dynamics CRM), Your Apps and 3rd party apps]

Relationship to Windows Server AD
- On-premises and cloud Active Directory managed as one
- Directory information synchronized to the cloud, made available to cloud apps via role-based access control
- Federated authentication enables single sign-on to cloud applications
[Diagram: Windows Server Active Directory linked to Windows Azure Active Directory by Sync and Federation; Your Apps, 3rd party apps, Microsoft's Cloud and Microsoft Apps on the cloud side]

Directory Integration options
[Diagram: Windows Server Active Directory linked to Windows Azure Active Directory by Profile, Passwords and Federation flows; On-Premises Apps and Your Apps on-premises, 3rd party apps, Microsoft's Cloud, Microsoft Dynamics CRM and Microsoft Apps in the cloud]
Integration levels:
- No directory integration
- Profile data only
- Profile and identity data
- Profile data and integrated authentication (SSO)
- Profile and identity data with integrated authentication (SSO)

Which sync option is right for you?
- Cloud Only: no on-premises infrastructure
- Profile data (groups, users and contacts): Active Directory on-premises; LDAP-compliant directory, CSV, SQL **; cloud passwords are good enough
- Identity data, aka Password Sync: single AD forest on-premises; Same Sign-On is good enough, no room for additional infrastructure
- Integrated Authentication, aka SSO: STS infrastructure already exists; can't sync passwords (multi-forest, smart cards); SSO required, audit or network isolation

What to do when you can't Sync
- Support coming for syncing LDAP, CSV and SQL sources
- Still can't sync: scriptable options
  - PowerShell Azure AD Module
  - Directory Graph
- Some limitations here, such as setting certain properties, e.g. email addresses

Synchronizing your data

Directory Sync
- Enables on-premises directory data to be projected into the cloud
- Only synchronizes from a single AD forest
- Groups, contacts and users: ~150 properties
- Provides a delta sync of changes; the sync timeframe is every 3 hours
- Links the on-prem object to the cloud object using sourceAnchor, a unique on-prem ID (by default: objectGUID)
- On-prem is master for all objects and properties
- Proactively reports errors via email: no news is good news
- Provides for rich integration experiences: Office hybrid scenarios require two-way sync for some properties

Directory Sync
What gets written back
- ONLY gets written back if Hybrid Deployment is enabled
- Exchange hybrid scenario (7 attributes on users and contacts): safe senders, mail coexistence, UM

Attribute -> Feature
- SafeSendersHash, BlockedSendersHash, SafeRecipientHash -> Filtering Coexistence: enables on-premises filtering using cloud safe/blocked sender info
- msExchArchiveStatus -> Cloud Archive: allows users to archive mail to the Office 365 service
- ProxyAddresses (cloudLegDN) -> Mailbox off-boarding: enables off-boarding of mailboxes back to on-premises
- cloudmsExchUCVoiceMailSettings -> Voicemail Co-Existence: enables on-premises mailbox users to have Lync in the cloud
- msExchUserHoldPolicies -> Litigation Hold: enables cloud services to determine which users are under Litigation Hold

In future: users, groups and devices

Directory Sync
Matching on-premises and cloud users
- If a user object in the cloud has the sourceAnchor value, match on the sourceAnchor value
- If no user object in the cloud has the sourceAnchor value, try to match based on SMTP addresses
- If the SMTP address match succeeds, the sourceAnchor value is stamped on the object already in the cloud and the objects are matched
- Subsequent sync runs will use sourceAnchor values
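The matching order above (hard match on sourceAnchor first, SMTP soft match second, provisioning last) as an added Python model; this is example code written for this page, not the sync tool's own logic. It assumes the sourceAnchor is the base64 form of the objectGUID's raw bytes, and it treats more than one SMTP candidate as an error to report rather than a match, which the slide does not spell out. All user names, GUIDs and addresses are constructed.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OnPremUser:
    object_guid: uuid.UUID
    upn: str
    proxy_addresses: List[str]  # "SMTP:" marks the primary address, "smtp:" a secondary one


@dataclass
class CloudUser:
    upn: str
    proxy_addresses: List[str]
    source_anchor: Optional[str] = None  # None for users created directly in the cloud


def anchor_for(guid: str) -> str:
    """sourceAnchor for an objectGUID: base64 of the GUID's 16 raw bytes
    (assumption: the ImmutableID convention used by the sync tools)."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def smtp_addresses(proxy_addresses: List[str]) -> set:
    """Case-insensitive set of SMTP addresses, primary and secondary alike."""
    return {a.split(":", 1)[1].lower() for a in proxy_addresses if a.lower().startswith("smtp:")}


def match_user(onprem: OnPremUser, cloud_users: List[CloudUser]) -> Tuple[str, Optional[CloudUser]]:
    anchor = anchor_for(str(onprem.object_guid))
    for cu in cloud_users:                           # 1. hard match on sourceAnchor
        if cu.source_anchor == anchor:
            return "hard", cu
    mine = smtp_addresses(onprem.proxy_addresses)    # 2. soft match on SMTP addresses
    candidates = [cu for cu in cloud_users
                  if cu.source_anchor is None and smtp_addresses(cu.proxy_addresses) & mine]
    if len(candidates) > 1:
        # Not covered by the slide: refuse to guess and surface it as a sync error.
        return "ambiguous", None
    if candidates:
        cu = candidates[0]
        cu.source_anchor = anchor                    # stamp the anchor; later runs hard-match
        return "soft", cu
    new = CloudUser(onprem.upn, list(onprem.proxy_addresses), anchor)   # 3. provision
    cloud_users.append(new)
    return "new", new


def demo() -> List[str]:
    """Three sync passes over constructed data; returns the kind of match for each."""
    cloud = [CloudUser("alice@contoso.onmicrosoft.com", ["SMTP:alice@contoso.com"])]
    alice = OnPremUser(uuid.UUID("12345678-1234-5678-1234-567812345678"), "alice@contoso.com",
                       ["SMTP:Alice@Contoso.com", "smtp:alice@contoso.onmicrosoft.com"])
    bob = OnPremUser(uuid.UUID("87654321-4321-8765-4321-876543218765"), "bob@contoso.com",
                     ["SMTP:bob@contoso.com"])
    return [match_user(alice, cloud)[0],   # first run: soft match, anchor stamped
            match_user(alice, cloud)[0],   # second run: hard match on the anchor
            match_user(bob, cloud)[0]]     # nothing in the cloud: new object provisioned


if __name__ == "__main__":
    print(demo())
```

The second pass for alice no longer touches SMTP addresses at all: once the anchor is stamped, a later change of e-mail address on either side cannot re-match her to a different cloud object.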

Directory Sync
Preparing for Directory Sync
- Every user must have a unique UPN and proxy addresses
- SIP address must match a verified domain
- UPN suffix must match a verified domain
- UPN character restrictions:
  - Only certain characters allowed: letters, numbers and . - _ ! # ^ ~
  - No dot before the @ symbol

Directory Sync
Handling duplicates
- First-in wins, i.e. the duplicated object receives errors

Domain validation
- If the UPN uses a non-registered domain, it will be replaced with: mailNickName@[domain].onmicrosoft.com
- SIP address removed if not against a verified domain
- Proxy address removed if not against a verified domain and the user has an Exchange license

Synchronization errors
- Synchronization errors are communicated to the technical contact via email
- Administrators must address these errors through on-premises changes
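A pre-flight check that applies the preparation, duplicate and domain-validation rules above to a batch of on-prem objects, as an added Python example (not the sync tool's code). The verified domain list, tenant name and the three sample users are constructed; the order of the list stands in for the order in which objects are processed, which is what makes "first-in wins" deterministic.

```python
import re
from typing import Dict, List

VERIFIED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}   # constructed tenant
TENANT_DOMAIN = "contoso.onmicrosoft.com"

# UPN prefix rule from the slide: letters, numbers and . - _ ! # ^ ~ ,
# and the character right before the @ may not be a dot.
UPN_PREFIX = re.compile(r"^[A-Za-z0-9.\-_!#^~]*[A-Za-z0-9\-_!#^~]$")

SAMPLE_USERS = [   # constructed on-prem objects, in processing order
    {"upn": "alice@contoso.com", "mailNickName": "alice", "sip": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com"], "exchangeLicense": True},
    {"upn": "bob.@contoso.local", "mailNickName": "bob", "sip": "bob@contoso.local",
     "proxyAddresses": ["SMTP:bob@contoso.com", "smtp:bob@contoso.local"], "exchangeLicense": True},
    {"upn": "Alice@contoso.com", "mailNickName": "alice2", "sip": None,
     "proxyAddresses": ["SMTP:alice2@contoso.com"], "exchangeLicense": False},
]


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def validate_user(user: Dict, seen_upns: set, seen_proxies: set) -> Dict:
    """Return the object as it would land in the cloud, the errors that would be
    emailed to the technical contact, and whether the object is rejected outright."""
    out, errors, rejected = dict(user), [], False
    prefix, _, suffix = user["upn"].rpartition("@")
    if not UPN_PREFIX.match(prefix):
        errors.append(f"UPN prefix '{prefix}' has a disallowed character or ends with a dot")
    if suffix.lower() not in VERIFIED_DOMAINS:              # domain validation
        out["upn"] = f"{user['mailNickName']}@{TENANT_DOMAIN}"
        errors.append(f"UPN suffix '{suffix}' is not verified; UPN replaced by {out['upn']}")
    if out["upn"].lower() in seen_upns:                      # first-in wins
        errors.append(f"duplicate UPN {out['upn']}: earlier object kept, this one rejected")
        rejected = True
    else:
        seen_upns.add(out["upn"].lower())
    if user.get("sip") and _domain(user["sip"]) not in VERIFIED_DOMAINS:
        out["sip"] = None
        errors.append(f"SIP address {user['sip']} removed: domain not verified")
    kept = []
    for addr in user.get("proxyAddresses", []):
        if _domain(addr) not in VERIFIED_DOMAINS and user["exchangeLicense"]:
            errors.append(f"proxy address {addr} removed: domain not verified")
            continue
        if addr.lower() in seen_proxies:
            errors.append(f"duplicate proxy address {addr}: earlier object kept, this one rejected")
            rejected = True
            continue
        seen_proxies.add(addr.lower())
        kept.append(addr)
    out["proxyAddresses"] = kept
    return {"object": out, "errors": errors, "rejected": rejected}


def sync_report(users: List[Dict] = SAMPLE_USERS) -> List[Dict]:
    """Validate a batch in order, sharing the duplicate-tracking sets across objects."""
    seen_upns, seen_proxies = set(), set()
    return [validate_user(u, seen_upns, seen_proxies) for u in users]


if __name__ == "__main__":
    for r in sync_report():
        print(r["object"]["upn"], "rejected" if r["rejected"] else "ok", r["errors"])
```

Running a check like this against an export before the first sync turns the "errors by email, fix on-premises" loop into something you can clear in one pass: bob's .local suffix and trailing dot show up as four distinct errors, and the second alice object is flagged as the loser of the duplicate.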

Password Sync
What is it
- Feature of the Directory Sync tool
- Synchronizes the user password hash from your on-premises Active Directory to Azure Active Directory
- Doesn't require anything to be installed on all DCs

Why use it
- Users can use the same credentials to log in both on-premises and in the cloud
- No additional infrastructure required on-premises
- No dependency on on-premises infrastructure for authentication

How Password Sync works
- DirSync polls one of your Domain Controllers to get the user password hash h(x)
- It then re-hashes the password hash with SHA-256: f(h(x))
- The re-hash of the password hash is sent to the cloud via SSL
[Diagram: Windows Server Active Directory (password hash h(x) stored in the DC) -> Directory Sync Tool computes f(h(x)) -> Azure Active Directory stores f(h(x))]

Password Sync: How secure is it?
- We never see your plain text password. Ever.
- What we send is a hash of your password
- We re-hash the password hash using multiple iterations of SHA-256
- The password hash cannot be used to access your resources
- All transport is done using SSL
- We only send passwords for synced users
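The f(h(x)) chain from the two slides above, worked through in Python as an added example (not the DirSync implementation). h(x) is the NT hash a DC stores, MD4 over the UTF-16LE password, implemented here in pure Python because many OpenSSL builds disable MD4; f is modelled as iterated, salted SHA-256, and the salt and iteration count are constructed for the example since the slides only say "multiple iterations of SHA256". The point it makes is the one the slide makes: the value that leaves the network is neither the password nor the hash the DC holds, and the cloud can still verify a sign-in by recomputing the same chain.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python so the example runs without the legacy OpenSSL provider)."""
    mask = 0xFFFFFFFF
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & mask
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    # Pad to 56 mod 64, then append the bit length as a 64-bit little-endian integer.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + x[k] + k_add) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c       # rotate registers: the next step updates the old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """h(x): the NT hash stored on the DC, MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def cloud_rehash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """f(h(x)): multiple iterations of SHA-256 over the NT hash.
    Salt and iteration count are constructed for this example."""
    digest = nt
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def dirsync_export(hash_from_dc: bytes, salt: bytes) -> bytes:
    """What DirSync sends over SSL. It reads h(x) from the DC and never sees x itself."""
    return cloud_rehash(hash_from_dc, salt)


def cloud_verify(presented_password: str, salt: bytes, stored: bytes) -> bool:
    """Cloud sign-in: run the presented password through the same chain and compare in constant time."""
    return hmac.compare_digest(cloud_rehash(nt_hash(presented_password), salt), stored)


def demo() -> dict:
    salt = b"constructed-per-user-salt"
    on_dc = nt_hash("password")            # h(x) for a constructed password
    sent = dirsync_export(on_dc, salt)     # the only value that leaves the network
    return {
        "nt_hash_leaves_network": sent == on_dc,           # False: only f(h(x)) is sent
        "correct_password": cloud_verify("password", salt, sent),
        "wrong_password": cloud_verify("Password", salt, sent),
    }


if __name__ == "__main__":
    print(demo())
```

Because f is one-way, a copy of the stored cloud value does not yield h(x), and h(x) is what on-premises Kerberos and NTLM authentication actually consume; that is the substance of the "cannot use the password hash to access your resources" bullet.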

Password Sync
Managing password policies
- Password complexity policies configured in the on-premises AD apply in the cloud, i.e. you manage them on-premises
- Cloud password is set to Never Expire

Managing user password resets
- Users cannot change their password in the cloud
- Users can only change their passwords on-premises
- Admins can reset users' passwords in the cloud

Password Write-back
What is it
- Part of AAD Premium
- Only via Self-Service Password Reset

How do I enable it
- Admin needs to turn on the feature using the DirSync PowerShell cmdlet: Enable-OnlinePasswordWriteBack

When does it write back
- Cloud authenticated (managed) user and password sync is enabled
- On-premises SSO authenticated (federated) user

Security
- All communication takes place over SSL
- Registration of public/private key pairs for transport and encryption; you keep the private keys

Password Write-Back (Registration)
- Admin turns on the feature using Enable-OnlinePasswordWriteBack
- Two private/public key pairs are generated: one for authentication, one for password encryption
[Diagram: Directory Sync Tool, next to Windows Server Active Directory, keeps the private keys and registers the public keys with Windows Azure Active Directory]

Password Write-Back (Write-back flow)
- User resets password x using SSPR
- We encrypt the password using your tenant-specific key that only you know how to decrypt: f(x)
- DirSync is listening for password resets. It gets the user identity and the encrypted password
- It decrypts the password (g(f(x)) = x) and sends it to your on-prem Active Directory. If the password matches the on-prem password requirements, then the user password is updated
- Only after receiving success for the on-prem write-back do we encrypt the password and store it in the cloud
[Diagram: Windows Azure Active Directory sends f(x) -> Directory Sync Tool applies g to recover x -> Windows Server Active Directory: reset password = x]

Azure AD Sync
What's included
- Possible to reduce the set of attributes synced based on the services
- Support for a number of multi-forest scenarios
- Easier management for filtering objects via a simple UX
- Support for attribute mapping rules via a simple UX

What's missing
- Password sync
- Password write-back
- Hybrid configuration, i.e. no write-back today

What's coming
- Production support, i.e. not for production today
- Support for other directories, such as LDAP, SQL or CSV
http://social.technet.microsoft.com/wiki/contents/articles/24061.aadsync-scenario-overvie

Multi-Forest sync with AAD Sync
Multi-forest scenarios
- Disparate forests
- Full mesh forests, i.e. GAL sync
- Account and resource forest models

Complex multi-forest
- Azure Active Directory Connector is still the tool of choice

Demo
Azure AD Sync

Federating your identities

What does SSO mean
Admin view
- Single credential to manage on-premises
- Single place to manage policies
- The IdP is you

User view
- I have a single credential to log into my PC and my cloud services
- I may be prompted to enter it more than once, but it is always the same credential

Some differences
- Username must be in email notation, user@domain.com

Azure Active Directory and Federation
Support for a variety of protocols and STSs
- WS-Federation, WS-Trust, WS-MetadataExchange
- SAML-P
- OpenID Connect
- OAuth 2.0
- Support for third-party STSs, same as the "works with Office 365" program

Office support
- Primarily WS-* for rich clients
- Limited SAML support for passive (web) usage
- Support coming for OAuth

Core Integration details
Three things to remember
IssuerID
- Must be unique per top-level domain
- Used to locate the domain to validate the token

ImmutableID
- Used to locate the user; must be provisioned before login
- Source Anchor attribute in Directory Sync and AAD Sync
- Case sensitive
- SAML-P uses the NameID claim

UPN
- User principal name, the common name of the user; should match what is in Azure AD
- SAML-P uses the IDPEmail claim

Setting up Federation
- Need to prove you own the UPN domain of users
- Verified by DNS TXT/MX records
- Can't prove you own the domain, e.g. company.local? Don't panic, we have an answer

Configuring the trust
- AD FS: use New-MsolFederatedDomain, which configures the cloud and AD FS for you
- Not using AD FS: use New-MsolDomain, Confirm-MsolDomain

Converting a domain to federation
- AD FS: Convert-MsolDomainToFederated, which configures the cloud and AD FS for you
- Not using AD FS: use Set-MsolDomainAuthentication

Federation need to know
- Conversion is a big switch: all users must use federated credentials to log on
- Ensure you have a cloud-based admin to revert in the event of a problem
- All authentication is dependent on your infrastructure
  - Ensure you have the right redundancy, network and server
  - Azure may be an option but requires a DC too
- Consider password sync as a backup plan
  - Enables users to use cloud-based accounts with the same password if your STS is unavailable
  - NOTE: it can take up to 2 hrs for the change from federated to managed to take effect

What if I use a .local UPN
Can you change it?
- Often the easiest answer, but it can be difficult: smart cards, legacy applications etc.

I can't change it? Now what?
- Get Windows Server 2012 R2 with the latest update
- New support for Alternate Login ID
  - Allows you to specify an alternate single-valued UPN-like attribute as the login identifier, e.g. mail
  - Does mean additional lookups for authentication
  - Support for cross-forest lookup
http://technet.microsoft.com/en-us/library/dn659436.aspx for more information

Using Alternate Login ID
- Make sure you have an admin outside the domain to be updated
- Set up a standard trust via Azure AD PowerShell
- Modify the claim rule as highlighted: the attribute queried for the UPN claim changes from userPrincipalName to mail

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN",
                   "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};mail,objectGUID;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
          param = c.Value);

Demo
Alternate Login ID
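Both halves of the federated login, the AD FS claim issuance from the Alternate Login ID rule above and the three checks from "Core Integration details" (IssuerID, ImmutableID, UPN), as one added Python model; this is example code for this page, not AD FS or Azure AD internals. It assumes the ImmutableID is the base64 form of the objectGUID's raw bytes, uses Python's `(?P<name>...)` syntax for the rule's `(?<name>...)` groups, and constructs the on-prem record, the issuer URI and the tenant state.

```python
import base64
import re
import uuid
from typing import Dict, Tuple

WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"

# Constructed on-prem forest: the UPN suffix is .local and cannot be verified,
# so the trust issues 'mail' as the Alternate Login ID.
ON_PREM_AD = {
    "alice": {"userPrincipalName": "alice@contoso.local", "mail": "alice@contoso.com",
              "objectGUID": uuid.UUID(bytes_le=bytes(range(16)))},
}


def immutable_id(guid: uuid.UUID) -> str:
    """ImmutableID / sourceAnchor: base64 of the objectGUID's raw bytes (assumed convention)."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def issue_claims(windows_account_name: str) -> Dict[str, str]:
    """AD FS side: the slide's claim rule with mail in place of userPrincipalName."""
    # regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}") -> sAMAccountName
    sam = re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", windows_account_name)
    rec = ON_PREM_AD[sam]
    # query "samAccountName={0};mail,objectGUID;{1}": attributes map to the claim types in order
    return {UPN_CLAIM: rec["mail"], IMMUTABLE_ID_CLAIM: immutable_id(rec["objectGUID"])}


# Constructed cloud tenant: federated domains keyed by IssuerID, users keyed by ImmutableID.
FEDERATED_DOMAINS: Dict[str, str] = {}
CLOUD_USERS = {immutable_id(ON_PREM_AD["alice"]["objectGUID"]): "alice@contoso.com"}


def register_federated_domain(issuer_id: str, domain: str) -> None:
    """IssuerID must be unique: refuse to bind one issuer to a second domain."""
    if issuer_id in FEDERATED_DOMAINS and FEDERATED_DOMAINS[issuer_id] != domain:
        raise ValueError(f"IssuerID {issuer_id} already bound to {FEDERATED_DOMAINS[issuer_id]}")
    FEDERATED_DOMAINS[issuer_id] = domain


def validate_token(issuer_id: str, claims: Dict[str, str]) -> Tuple[bool, str]:
    """Cloud side: the three checks the slide lists, in order."""
    domain = FEDERATED_DOMAINS.get(issuer_id)           # 1. IssuerID locates the domain
    if domain is None:
        return False, "unknown IssuerID"
    user = CLOUD_USERS.get(claims.get(IMMUTABLE_ID_CLAIM, ""))   # 2. exact, case-sensitive
    if user is None:
        return False, "ImmutableID not provisioned; the user must be synced before login"
    upn = claims.get(UPN_CLAIM, "")                     # 3. UPN must match the cloud user
    if upn.rpartition("@")[2].lower() != domain:
        return False, "UPN suffix is not the issuer's federated domain"
    if upn.lower() != user.lower():
        return False, "UPN does not match the provisioned user"
    return True, user


register_federated_domain("http://contoso.com/adfs/services/trust", "contoso.com")

if __name__ == "__main__":
    token = issue_claims("CONTOSO\\alice")
    print(token, validate_token("http://contoso.com/adfs/services/trust", token))
```

The suffix check in step 3 is what keeps one federated domain's STS from minting tokens for users of another domain in the tenant, and the case-sensitive lookup in step 2 is why a sourceAnchor that is re-encoded anywhere in the pipeline fails login rather than silently matching.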

I have Azure AD, now what
Azure Active Authentication
- Cloud-based 2FA, powered by the market-leading PhoneFactor platform
- Authenticating millions of logins and transactions each month
- Support for controls based on locations, i.e. IP whitelist

Integrated control and access to SaaS applications
- Use your directory data to control access, by group or user

Build cloud-based applications while maintaining control of authentication
- Use the data in the cloud for your apps, for example group memberships, custom attributes etc.

External Accounts
Accounts from outside your organization
- Other Azure AD accounts
- Microsoft accounts
- Used today in SharePoint and Azure Management
- Can be used in your LOB apps
- Managed as you would any user in your tenant

Many applications, one identity repository
- Connect and sync Windows Server Active Directory with Windows Azure
- Pre-integrated with hundreds of popular SaaS apps
- Easily add custom cloud-based apps; facilitate developers with identity management
[Diagram: Windows Server Active Directory, SaaS apps, LOB & custom apps and consumer identity providers all connected through one identity repository]
Identities and applications in one place.

For More Information
- Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
- System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
- Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
- Microsoft Azure: http://azure.microsoft.com/en-us/

Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD

Related content
- DEV-B344 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
- DCIM-B382 Cloud Identity and Access Management: Microsoft Azure Active Directory Premium
- OFC-B317 Microsoft Office 365 Directory Synchronization and Federation Options
- PCIT-B326 Providing SaaS Single Sign-on with Microsoft Azure Active Directory
- Azure Identity and Access Management or Office 365

Resources
- Learning, Sessions on Demand: http://channel9.msdn.com/Events/TechEd
- TechNet, Resources for IT Professionals: http://microsoft.com/technet
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- msdn, Resources for Developers: http://microsoft.com/msdn


2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.