Key Considerations in Architecting Active

Directory Federation

Alexander YimWSHFC

NCSHA, Nashville on Sept 28th, 2015

Running your AD in Cloud for your domain:

• Current status of Office365

• Need for SSO (Single Sign On)

• Microsoft Azure server vs. AWS (Amazon Web Services)

• ADFS (AD Federation Service) running on Azure server

• Preparations for the ADFS Migration

• MessageOps script for SSO

• Other options: Using F5’s BIG-IP APM solution for ADFS

• Other concerns..

SSO (Single Sign On)

• Cloud AD server running outside the FireWall

• Issues with Microsoft’s earlier version of ADFS

• Major improvement in recent years

• Renamed: from DirSync to Azure AD Sync Tool

• Has M/S ever been hacked? Do we know?

• Any time, Any where, on Any devices

Microsoft Azure Server for SaaS

• Office365

• Dynamic SQL

• SharePoint

• vs. AWS (Amazon Web Services)

• Virtualization vs. SaaS (Software as a Service)

Preparations for Azure ADFS Migration

• Identify and Resolve errors in the on-premise AD

• Use IdFix DirSync Error Remediation Tool

• Change UPN (User Principal Name) to match Email Addresses in Office365: e.g. jeffsmith > jeff.smith@abc.com

• Fix the List of Errors: .local, etc

• Microsoft added ADFS running on Azure in Admin of O365

• One chance to make the right decision

Vendor script for Password Sync

• Tiny script by MessageOps using PowerShell

• Works great until it breaks ..

Kg$2Ebi%*9

Other options:

• F5 Networks’ BIG5-IP APM appliance (Access Policy Management)

• Able to change passwords outside the F/W

• Email a temp password

• Two-Factor or Multi-Factor Authentication using SMS, iPhone, etc.

F5 APM solution:

Thank you!