Share via


Manage identities for single-forest hybrid environments using cloud authentication

 

How can this guide help you?

Corporate users want to be able to use applications that reside in the cloud from anywhere and any device, but they cannot because they do not have a way to authenticate.

This guide provides a prescriptive, tested design about how to integrate an on-premises directory with a cloud directory so that users can easily access applications that reside in the cloud from anywhere and any device. This access is accomplished using cloud authentication. For an example of using on-premises authentication, see Manage identities for single-forest hybrid environments using on-premises authentication.

Cloud Authentication Problem

In this solution guide:

  • Scenario, problem statement, and goals

  • What is the recommended planning and design approach for this solution?

  • Why are we recommending this design?

  • What are the high-level steps to implement this solution?

Scenario, problem statement, and goals

This section describes the scenario, problem statement, and organizational goals that are useful as examples for this guide.

Scenario

Your organization is a medium-sized corporation. Your organization’s sales staff works all over. When they make a sale, they are required to access a computer that is joined to the corporate network, either from a hub location or via VPN, and enter that sale in a custom application that runs on the corporate network.

Because these sales are not always recorded in real time, it has made inventories difficult to manage. This has led to back orders and delays. Also, the sales staff has been complaining that they often do not have the ability to access the corporate network when they are at a customer’s place of business, and they would like to be able to enter the information via their tablets or smartphones.

Your organization’s developers have recently developed a new customer relations management application that will make it easier for field sales agents to submit orders from any device that has Internet access.

Your organization has decided to host this application in the cloud. This will allow the sales force to quickly enter a sale from their tablet or smartphone at the time of the sale without having to connect to the corporate network first. Your organization anticipates that this will greatly improve inventory management.

Problem statement

Your organization has determined that the new application will be hosted in Microsoft Azure. However, your organization currently does not have an authentication provider that will be able to authenticate the sales staff to the new application that will be hosted in Azure.

The overall problem you want to solve is:

As a system architect or IT administrator, how can you provide users with a common identity when accessing resources that are on-premises and cloud-based? How can you manage these identities and keep the information synchronized across several environments without using excessive IT resources?

Providing access to this application will require the ability to authenticate the sales personnel with an authentication provider. Your organization wants to restrict access to the CRM application to the sales staff because they are currently the only employees who will need to access it.

Your organization has looked at the options and agrees to allow cloud authentication against an instance of Azure AD. Your organization has determined this will be less expensive and easier to set up because currently they do not have any instances of Active Directory Federation Services (AD FS) on-premises. Also, because they have sales staff all over the world, the cloud authentication will provide a better experience, especially in areas of lower bandwidth. Your organization is concerned with the resources required to manage these identities—there is only one Active Directory administrator, and the administrator needs to be able to get this solution up and running quickly.

Your organization’s developers have added the code to make this happen. It is now up to the Active Directory administrator to get his instance of Azure AD set up. The Active Directory administrator needs to be able to leverage the on-premises Active Directory to populate its instance of Azure AD. The Active Directory administrator must be able to do this quickly. He does not have time to clean up his current Active Directory environment or to recreate every user account in Azure. Also, your organization wants the sales staff to be able to use the same password they use when logging on to the corporate network. Your organization does not want the sales staff to have to remember multiple passwords.

Organizational goals

Your organization’s goals for its hybrid identity solution are:

  • Ability to manage identities in the on-premises directory and in the cloud.

  • Ability to quickly set up synchronization with the on-premises single-forest directory.

  • Ability to provide a cloud authentication provider.

  • Ability to quickly set up synchronization with its on-premises directory.

  • Ability to control who and what gets synchronized to the cloud.

  • Ability to provide a secure sign-in experience no different than the one it has today.

  • Ability to quickly get on-premises identity systems cleaned up and well managed so that they can be the source for the cloud.

This section describes the solution design that addresses the problem described in the previous section and provides high-level planning considerations for this design.

By using Azure AD, your organization is able to integrate the on-premises instance of Active Directory with the Azure AD instance. This instance will then be used to provide cloud authentication, as the following diagram shows.

Cloud Authentication Solution

The following table lists the elements that are part of this solution design and describes the reasons for each design choice.

Solution design element

Why is it included in this solution?

Azure Active Directory Sync tool

Is used to synchronize on-premises directory objects with Azure AD. For an overview of this technology, see Directory synchronization roadmap.

Password Sync

A feature of the Azure Active Directory Sync tool that synchronizes user passwords from your on-premises Active Directory to Azure AD. For an overview of this technology, see Implement Password Synchronization.

IdFix DirSync Error Remediation Tool

Provides customers the ability to identify and remediate the majority of object synchronization errors in their Active Directory forests. For an overview of this technology, see IdFix DirSync Error Remediation Tool.

Password Sync is a feature of the Azure Active Directory Sync tool that synchronizes user passwords from your on-premises Active Directory to Azure AD. This feature enables your users to log in to their Azure AD services (such as Office 365, Intune, and CRM Online) using the same password they use to log in to your on-premises network. This will provide your users with the ability to have a secure sign-on that is the same as if they were signing in to the corporate network.

The IdFix DirSync Error Remediation Tool can be used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration. This will allow you to quickly identify any issues that may occur with synchronization before you start synchronizing. Using this information, you can make changes to your environment so that you can avoid these errors.

Why are we recommending this design?

This design is recommended because it addresses the design goals of your organization. That is, there are two ways to provide authentication to Azure based resources: through cloud authentication or via on-premises authentication using a security token serviceSTS.

Your organization’s first design goal is to have the ability to quickly set up synchronization with its on-premises instance of Active Directory. This design represents the quickest way to synchronize your on-premises Active Directory with Azure AD.

Second, your organization wanted the ability to provide a secure sign-in experience no different than the one it has today. By using this design, users will sign in with the same user name and password they use today and the experience will be no different.

What are the high-level steps to implement this solution?

You can use the steps in this section to implement the solution. Make sure to verify the correct deployment of each step before proceeding to the next step.

  1. Prepare for directory synchronization.

    Verify system requirements, create the right permissions, and allow for performance considerations. For more information, see Prepare for directory synchronization. After you complete this step, verify you have a completed worksheet showing your selected solution design options.

  2. Activate directory synchronization.

    Activate directory synchronization for your company. For more information, see Activate directory synchronization. After you complete this step, verify you have the features configured.

  3. Set up your directory synchronization computer.

    Install the Windows Azure AD Synchronization Tool. If you’ve already done so, learn how to upgrade, uninstall, or move it to another computer. For more information, see Set up your directory sync computer. After you complete this step, verify you have the features configured.

  4. Synchronize your directories.

    Perform an initial sync and verify that the data synchronized successfully. You will also learn how to configure the Azure AD Synchronization Tool to set up recurring synchronization and how to force directory synchronization. For more information, see Use the Configuration Wizard to sync your directories. After you complete this step, verify you have the features configured.

  5. Activate synced users.

    Activate the users in the Office 365 portal before they can use the services to which you have subscribed. This involves assigning them a license to use Office 365. You can do this individually or in bulk. For more information, see Activate synced users. After you complete this step, verify you have the features configured. Note that this is an optional step and is required only if you are using Office 365.

  6. Verify the solution.

    After the users have been synchronized, test logging in to https://myapps.microsoft.com. If you have Office 365 applications, you will see them here. A regular user can log in here without needing an Azure subscription.

See also

Content type

References

Product evaluation/Getting started

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using DirSync with Password Sync

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment with Federation (SSO)

Planning and design

AD FS Design Guide in Windows Server 2012

Directory integration

Deployment

Windows Server 2012 R2 AD FS Deployment Guide

Directory synchronization roadmap

Single sign-on roadmap

Operations

AD FS Operations

Support

Troubleshoot directory synchronization

Forefront Identity Manager Forum

Windows Azure Forums

Reference

Checklist: Use AD FS to implement and manage single sign-on

Determine which directory integration scenario to use

Community resources

Cloud Identity

Related solutions

Manage mobile devices and PCs by migrating to Configuration Manager with Windows Intune

Related technologies

Azure

Forefront Identity Manager 2010 R2

Active Directory Federation Services