Before I am going to describe my questions, I would like to tell you that I am a web developer and not a security/Active Directory or Azure specialist, so please be gentle :-)
I work for a large international financial services company. We have a global IT department that provides member firms with services that we use (Active Directory 2012).
In my member firm, we are currently considering migrating custom build websites to Azure. All the custom build websites are implemented with Kerberos and Single Sign-On using Active Directory. Some of these websites read & write information in Active Directory.
The challenge that we are facing is how we can migrate these websites to Azure whilst using the enterprise's Active Directory. I searched for detailed information about solutions available but haven't found anything that answered my questions. My questions:
What solutions are there for connecting Azure with an enterprise's Active Directory?
What are the advantages and disadvantages for these solutions?
What are the requirements for these solutions?
Perhaps there is a book/blog/whitepaper that answers my questions?
AFAIK you cannot use directly the corp AD from Azure. You must use Azure Active Directory. However, there are solution to keep the corp AD and the Azure AD in sync. For example read Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect, which shows how to use Azure AD Connect to link the Azure AD with your corp AD. It will basically mirror one corporate AD forest with an Azure AD account, and keep it up to date by periodic re-sync. The net effect is that you develop your cloud apps to authenticate and authorize based on the Azure AD, but the Azure AD will mirror the corp AD. There will be a delay in propagating changes to Azure AD, eg. an employee added to the "domain\sales" group will not be allowed to access the "Sales" app for some hours until the Azure AD sync catches up with the corp AD change.
Related
Looking for ideal solution in Azure AD to automatically sync users between two Azure AD Tenants
The scenario i'm looking for is as follows
Corporate and our business project has separate Azure AD Tenants
Want to leverage Corp Azure AD to sync internal users directly to my projects Azure AD to avoid onboarding all new ppl into the company
When some internal employee leaves, sync off-boarding as well so that if Corp removes someone from Azure AD, it gets removed from my Projects AD as well
What are the best options for me ?
Azure B2B sync using external identities
Azure Lighthouse
Others ?
Can users be automatically synced without them requiring to click some activation/invitation link in emails ? Can this be fully automated without "invite link emails " etc ?
Looking for some assistance
AADConnect(AzureAD connect) can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants.
These tenants can be in different Azure environments.
You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to.
Note: One AADConnect server can synchronize to not more than one Azure AD tenant.
Reference:sync ad objects to multiple azure ad tenants
Also see use-scim-to-provision-users-and-groups
In our organization, we are using Google Apps for Work for emails, calendar, document repository.
We also have some other services that we are using our google account to authenticate with SSO support. Simply google account is our SSO account that we want to use in all services we are using.
There are few exceptional services that we were not able to setup Google as identity provider. One of them is Azure Services. In azure, you can provision Azure Active Directory and create accounts in it and use that accounts to access many other Azure Services, such as Azure SQL Databases. If you are using Visual Studio Team Service, you can also configure VSTS to backed by AAD, then you can access to VSTS using AAD Account.
My question is, is there a way to configure AAD to delegate authentication on google side ?
If we can do this, then we would be able to use our Google Account to access all azure services
No, Microsoft services pretty much don't support any accounts other than Azure AD & Microsoft Account at this time.
You could set up Azure AD as the Identity Provider for your Google Apps account. I'm sure there would be some tedious steps in the process to get your users moved over but it should work. When your users attempt to login to Google Apps they would get redirected to an Azure AD sign in page and then redirected back to Google.
Some marketing material can be found here:
https://azure.microsoft.com/en-us/marketplace/partners/google/googleapps/
What am I missing here? I'm thinking of moving my data center to Azure. I've created a corporate virtual network that has my ADs, my certificates, basically the family jewels of the company that I'm trying to build in the cloud. I've plugged up every obvious security hole that I can think of except one: the login to the Azure Portal is just a simple user id/password. If someone picked off my Microsoft Live user id, all they need is a password cracker. And a disgruntled or dismissed employee could easily cause havoc. Is there some way to lock down the portal? Does anyone in the security business think these Azure web sites are secure?
You can use Azure AD to properly secure the portal authentication. Azure AD is designed to securely authenticate applications in the cloud and it is supported by the majority of Microsoft solutions like Azure Portal. It will provide features like MFA, access control, self-service password reset, etc.
Although Microsoft Accounts also support some of these features, you can't force your users to specific policies, that's why Azure AD is important for enterprise level security.
Once you create a directory for your company through Azure Portal and synchronize your AD objects with Azure AD using the AAD Connect tool you will be able to login to Azure Portal using your corporate credentials and force users to use Multi-factor authentication or even apply other policies.
Azure Active Directory features and capabilities
Azure Active Directory Hybrid Identity Design Considerations
Integrating your on-premises identities with Azure Active Directory
Assume there exists and O365 instance where user identities are managed in the cloud - see the Cloud Identity section here: https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
Assume there also exists a separate Azure subscription that maintains it's own Active Directory, as well as an assortment of other resources such as SQL Databases, VMs, Virtual Networks, etc...
Can the two (the O365 instance and the Azure AD) use the same domain? Given it seems like Office 365 uses an Azure AD under the covers, my question is really just asking if two Azure Active Directories can use the same domain. Unfortunately, I can't find much online with regards to answers for this and I can't yet test it.
If you had two Active Directory tenants using the same example.com domain, and you logged into the portal with bob#example.com How would the portal know which tenant was responsible for bob?
An Azure Active Directory tenant much be authorative over the domains that are associated with it.
What you can do is associate the Office 365 Active Directory with an Azure subscription (or as many Azure Subscriptions as you have) and then you will have SSO across all of your subscriptions and Office 365.
This is probably the simplest guide on how to achieve that - it is for RemoteApp, but the underlying concept is the same.
Two Azure Active Directories cannot have same domain.
Technically O365 instance with a tenant name (.onmicrosoft.com) is an Azure AD. Office 365 is just a SaaS application attached to every Azure AD. Basically for Office 365, Identity Management backend is Azure AD. Basically if we have a domain abc.com added/verified in tenant A , it means that we can create users in tenant A with user#abc.com. If we were able to add the same domain in tenant B, which is not possible practically but if we consider theoretically, there would be a user user#abc.com in tenant B too! Hence its impossible to have same domain with two Azure AD.
If you have a domain abc.com under a tenant - contoso.onmicrosoft.com (does not matter whether its in Office 365). If we want to view this directory in azure portal (classic) and if you know the global administrator of this directory, we can add it to the Azure Classic portal (use custom directory) option (comes up for live account service admin).
https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/#manage-the-directory-for-your-office-365-subscription-in-azure
Also, Office 365 subscription gives you benefit of free "Access to Azure Active
Directory" subscription to all office 365 Global administrators. This is given to effectively manage the users in office 365 via Azure AD as well (SSPR, MFA settings- which is not available via O365 portal).
https://support.office.com/en-us/article/Register-your-free-Azure-Active-Directory-subscription-d104fb44-1c42-4541-89a6-1f67be22e4ad
I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external Sharepoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any creditcard. When you have e.g. a pay-as-you-go subscription you should be able to create a ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace but I suggest you to also take a look into the identity possibilities Azure AD itself has. Azure AD has currently only support for SAML 2.0 (and a lot of other protocols but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1 so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (see one of the comments from the source mentioned below this answer)
I also would make one remark about Azure AD ACS because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this later directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.