Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.


Transcript of Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.

Page 1: Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.

Microsoft® Official Course

Module 13

Implementing Windows Azure Active Directory

Page 2

Module Overview

Overview of Windows Azure AD

Managing Windows Azure AD Accounts

Page 3

Lesson 1: Overview of Windows Azure AD

Extending AD DS Into the Cloud

What Is Windows Azure AD?

Windows Azure AD Authentication

Multifactor Authentication for Cloud-Based Users

Multifactor Authentication for Federated Users

What Is Windows Azure AD Access Control?

Page 4

Extending AD DS Into the Cloud

•Cloud-based applications need highly available authentication

• Considerations for hosting AD DS in Windows Azure:
  • Create virtual machines to provide services
  • Requires one domain controller, one federation server, and one federation server proxy
  • Create a VPN for replication

• Benefits of hosting AD DS data in Windows Azure AD:
  • Simplified management
  • Reduced data in the cloud

Page 5

What Is Windows Azure AD?

•Windows Azure AD provides identity as a service

• You can use Windows Azure AD for:
  • Office 365
  • Windows Intune
  • Your cloud-based applications for internal users
  • Your cloud-based or on-premises applications for external users
  • Cloud-based applications from vendors

•Windows Azure AD is platform independent

Page 6

Windows Azure AD Authentication

• SSO:
  • Requires an STS
  • Authentication is performed on-premises
  • User name and password match the on-premises identity store

• Cloud-based user:
  • Authentication is performed by Windows Azure AD
  • User name and password may not match the on-premises identity store

• Web identity providers:
  • Authentication is performed by a web-based identity provider
  • User name and password match a web-based identity store

Page 7

Multifactor Authentication for Cloud-Based Users

• Multi-factor authentication increases security

• Cloud-based applications and mobile device credentials are more vulnerable

• Windows Azure Active Authentication:
  • Multi-factor authentication for cloud-based user accounts
  • Code provided by:
    • Phone call
    • Text message
    • Active Authentication app
  • The Active Authentication app is available for Windows Phone, iOS, and Android

Page 8

Multifactor Authentication for Federated Users

• Multi-factor authentication with AD FS provides:
  • Web-based applications and services only
  • Built-in smart card support
  • Access to third-party modules

• Multi-factor authentication with VPN:
  • Uses multifactor authentication
  • Provides application access only after VPN connectivity
  • Supports all application types

Page 9

What Is Windows Azure AD Access Control?

• Access Control:
  • Provides authentication services for applications
  • Simplifies application development
  • Provides a security token to web applications

• Authentication support:
  • AD FS
  • Microsoft account
  • Google
  • Yahoo!
  • Facebook
  • WS-Trust
  • OpenID

• Cross-platform support for web applications

Page 10

Lesson 2: Managing Windows Azure AD Accounts

Account Management for Small Organizations

What Is Directory Sync?

How Directory Sync Synchronization Works

Considerations for Password Sync

Directory Sync Topologies

Using Windows PowerShell to Manage Accounts

What Is Windows Azure AD Graph?

Page 11

Account Management for Small Organizations

• Manual creation of cloud-based users in a web console:
  • Is simple but not scalable
  • May be possible in a web-based console provided by an application

• The user name and password might not match an on-premises user account

Page 12

What Is Directory Sync?

• Directory Sync synchronizes user accounts from on-premises AD DS to Windows Azure AD

• Cloud-based users with Password Sync eliminate password confusion for users

• Federated users:
  • Use an STS to perform authentication
  • Eliminate password confusion for users

Page 13

How Directory Sync Synchronization Works

• Initial synchronization:
  • Creates a new account if none exists
  • Sets a source anchor attribute
  • Performs a fuzzy match by using the primary SMTP attribute

• With synchronization control:
  • Synchronized attributes cannot be controlled
  • Scope can be modified
  • Synchronization occurs every three hours
  • Default accounts and system objects are not synchronized
  • Synchronization can be disabled

• Recovering a deleted user in AD DS also recovers the user in Windows Azure AD

Page 14

Considerations for Password Sync

• Password Sync prevents user confusion due to different passwords

• Password Sync scope is:
  • Performed for all cloud-based users
  • Not performed for federated users

• In the Password Sync process:
  • Password hashes are synchronized
  • Passwords synchronize from AD DS to Windows Azure AD
  • The Password Sync agent runs every two minutes

• For password policies, consider that:
  • AD DS password policies are applied to synchronized passwords
  • Password change is prompted only for on-premises AD DS

Page 15

Directory Sync Topologies

• With one AD DS forest and multiple tenants:
  • Each identity is limited to one tenant
  • Each tenant is associated with a UPN
  • Multiple instances of Directory Sync are required
  • Directory Sync scope must be modified

• FIM-specific topologies:
  • Multiple AD DS forests to a single tenant
  • Non-AD DS directory

• Microsoft Exchange Server account and resource forests:
  • Can use Directory Sync in a resource forest
  • Can use AD FS in an account forest if required

Page 16

Using Windows PowerShell to Manage Accounts

• Windows Azure AD Module for Windows PowerShell:
  • Manages Windows Azure AD features
  • Creates and manages objects

• Requirements for installation:
  • Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012
  • Microsoft .NET Framework 3.5.1
  • Microsoft Online Services Sign-in Assistant

• Example code for connectivity:

    $mycredential = Get-Credential
    Connect-MsolService -Credential $mycredential
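The following is an added example, not code from the course slides, that extends the connectivity snippet above and ties it to the Directory Sync and Password Sync slides of this lesson: after connecting with the Windows Azure AD Module for Windows PowerShell (MSOnline), it reads the tenant's sync state, separates synchronized accounts (those carrying a source anchor in ImmutableId) from cloud-only accounts, whose passwords are governed only by the cloud policy, enforces strong passwords on the latter, and creates one cloud-only user. The tenant suffix adatum.onmicrosoft.com, the sample user, and the Get-MsolCompanyInformation property names are assumptions.

```powershell
# Added example; assumes the MSOnline module is installed and the credential
# entered has administrator rights in the tenant. Names are placeholders.
Import-Module MSOnline

# 1. Connect, as on the slide.
$mycredential = Get-Credential
Connect-MsolService -Credential $mycredential

# 2. Tenant-level sync state. A stale LastDirSyncTime means AD DS and
#    Windows Azure AD accounts have drifted (property names assumed).
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled      = $company.DirectorySynchronizationEnabled
    LastDirSync         = $company.LastDirSyncTime
    PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
    LastPasswordSync    = $company.LastPasswordSyncTime
} | Format-List

# 3. Synchronized users carry an ImmutableId (the source anchor set at initial
#    synchronization); cloud-only users do not.
$users     = Get-MsolUser -All
$synced    = @($users | Where-Object { $_.ImmutableId })
$cloudOnly = @($users | Where-Object { -not $_.ImmutableId })
"Synchronized: $($synced.Count)  Cloud-only: $($cloudOnly.Count)"

# 4. Cloud-only users are not covered by the AD DS password policy, so report
#    those without a strong-password requirement or any MFA requirement.
$cloudOnly |
    Where-Object { -not $_.StrongPasswordRequired -or
                   @($_.StrongAuthenticationRequirements).Count -eq 0 } |
    Select-Object UserPrincipalName, StrongPasswordRequired,
        @{ n = 'MfaRequired'; e = { @($_.StrongAuthenticationRequirements).Count -gt 0 } } |
    Format-Table -AutoSize

# 5. Enforce strong passwords for every cloud-only user that lacks the setting.
$cloudOnly | Where-Object { -not $_.StrongPasswordRequired } | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongPasswordRequired $true
}

# 6. Manual creation of a cloud-only user (the small-organization path on the
#    earlier slide); the generated temporary password is returned by the cmdlet
#    and must be changed at first sign-in.
New-MsolUser -UserPrincipalName 'jdoe@adatum.onmicrosoft.com' -DisplayName 'Jane Doe' `
    -FirstName 'Jane' -LastName 'Doe' -UsageLocation 'US' -ForceChangePassword $true
```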

Page 17

What Is Windows Azure AD Graph?

• Windows Azure AD Graph:
  • Provides programmatic access to Windows Azure AD
  • Is a REST API
  • Uses RBAC to control permissions
  • Uses Windows Azure AD for authentication

Page 18

Lab: Implementing Windows Azure AD

Exercise 1: Implementing Windows Azure AD for Office 365

Exercise 2: Implementing Windows Azure AD for a Cloud-Based Application

Estimated Time: 30 minutes

Page 19

Lab Scenario

A. Datum Corporation is exploring how to integrate its on-premises implementation of AD DS with cloud-based applications. The local implementation of AD DS has a single domain named Adatum.com. All users have a UPN based on this domain name that matches their email address.

Page 20

Lab Review

• There are no review questions for this lab.

Page 21

Module Review and Takeaways

• Review Questions