Azure - Active Directory
I decided to have a look at connecting an on premise AD with Azure's and see how I get on. There are three different methods currently, the third only appeared in Preview after my Azure Infrastructure Training last October 2016, so they move fast!
Azure AD
There are three integration modes available:
- Identity Synchronisation with password hash sync - Auth against Azure AD
- Identity Synchronisation with Pass-through authentication - Auth against On Premise AD
- Identity Synchronisation with Federation Services - Auth against On Premise AD
The first gives you Same sign-on, the second & third Single Sign-on. The second option is in preview but no longer requires Federation Services.
Note: AADSync & DirSync are on the way out on April 13th 2017!
You use the same tool to set any of this up - Azure AD Connect
(Make sure you get the latest version!)
Now Azure AD is like Active directory lite in some respects. It's not fully fledged like the on premise version, don't expect you can open Users & Computers or Site & Services. See AD Domain Services for that level of AD control.
You need a validated Domain so I'm going to reuse my "xxxxxxxx.onmicrosoft.com" I created before as it's already verified. I'm going to let the tail way the dog a bit here and create a new on premise AD with the same domain name and see how that goes.
I've used Server 2012 R2 for the two VMs. The first is my on premise DC with some test accounts, the second will remain in a workgroup and not be doman joined. I'll install AD Connect here and see how I get on. To avoid the need to register a real DNS domain, I'm using contoso.com as my "on Premise" AD. My real lab.local isn't going to fly here. You need to add this Domain prior to connecting everything up:
It should be possible in both Portals but I was directed to the Classic one at one point so I did it there. It's viewable in both anyway. It says unverified but when you click on this in Classic it invites you to run AD Connect in your Domain and get a move on please!
So, installing Azure AD Connect on my Lab workgroup server vm presents an issue - the Express settings are not available (its not domain joined):
Now, I'd like to see what the Express options do for me but for now I'll click Customize. I've left the defaults blank and this then installs the Synchronisation Service before presenting you with the User sign-in method options:
Now I get the options as follows:
So, the second option and the Enable SSO box are the new Preview items currently.
I'll cancel and try the express option to see what that provides to compare these more advanced ones later. I'll spin up another VM and Domain Join it so I can return here later.
So, at this point I setup a new AD account in Azure AD and granted it Enterprise rights. My default account was rejected here. Log into Azure using this account once to set the password - you only get a temp password otherwise and the AD Connect will not like that! You should now have two accounts with lovely coloured circles as shown. EP is the account I'll enter into the AD Connect wizard (Mr. Elesto Plast to you...!!). MR is my original Azure account.
So, running the AD Connector Wizard in Express Mode you need to supply connection credentials to Azure and AD as expected. The azure ones come first:
Then there's the AD ones:
It says not validated still here but I'll have a look at that later. There's a option to tick a box below to continue unvalidated.
Then away it goes and sets up the Sync:
And if it's successful this is what you should see:
The tool installs a few new Programs as shown:
You can launch the Azure AD Connect program again to make changes but it pauses Syncing:
You can do a few things from there:
And there are new services running on the server also:So here is my on premise AD with three test accounts:
And here is Azure AD:
All sync'd up. Now the only problem is the unverified Domain so the accounts above have reverted to the @xxxxxxxx.onmicrosoft.com domain. Bit of a problem for seamless logging on.....
I'm not going to pay for a DNS Domain to test this out so this may be as far as I can take this currently.
Oh, one last thing - uninstalling - just select Azure AD Connect and you'll get this dialog to remove everything:
So, that's the Express Mode approach. Just one last thing. After you set this up, how do you use it? I understand from the client's point of view getting SSO is ideal, but when you deploy IAAS or PAAS in Azure how do you tie them to Azure AD on the cloud side?
If you deploy an IAAS server you'll see no mention of Azure AD during the build options. You could join it to something afterwards but Azure AD doesn't support computer accounts or group policy. You can "join" windows 10 to Azure AD but it's a very light touch "join". Azure AD really seems geared towards PAAS and any SAML 2.0 Application:
So, what do you do with all those IAAS VMs? Well, you could extend your on premise AD into Azure on a pair of VMs. If you're planning on moving a substantial percentage of your environment up there however, maybe you should rethink how you consume AD and the way your apps are written to take advantage of Azure AD going forward?
PAAS doesn't ask about Azure AD when you're deploying a SQL Database for instance. It would be the front end application where you would do the integration. The users aren't interested in the back end anyway and as an Azure Admin there's nothing in Azure AD to help / hinder your build here. Different from on premise where AD Group Policies can cripple Windows Clustering and Sharepoint installs when they prevent services from running etc. Grrrr...!
You should consider the following tasks and how you will manage them on Premise & in Azure during the interim state which could take years:
- Compliance
- Management
- AntiVirus
- Backups
- Patching
- Software deployment
- Security Auditing
- Upgrades (OS)
That's a brief look into Azure AD using the Express option. I hope it gives you a brief look at the possibilities and differences between it and the on premise one you're more familiar with. Pity about the DNS verification issue but otherwise it works more or less fine. Hope you found this useful and if I get some of the other Azure AD Connect options configured and working I'll work up a new post.