Azure Active directory and adding PCs - azure

I have an Office365 account with about 10 users. Do I need to set up a domain controller server (or VM) to add these machines to, or can I simply use Azure and a cloud-based version (a bit like JumpCloud, https://jumpcloud.com)?

No need to set up a domain controller to manage your Office365 accounts.
With a combination of JumpCloud and an SSO solution such as Bitium (one of JumpCloud's partners), you gain centralized management of your Office365 user accounts from one cloud-based location, and use those same accounts for the rest of your organization, whether on your desktops, servers, WiFi, or any LDAP client apps.

Related

Active Directory on VM vs Azure AD Domain Services

We have a couple of VMs in Azure, and want to use one of them as an RDS session host for user workstations. This requires us to buy CALs and setup the appropriate RDS services.
No problem there, but it also requires the VM to be joined to an Active Directory domain, which we don't have.
Azure offers AD Domain Services, but at USD$100 per month, it seems pricey, for not much return.
Since Active Directory is a standard Windows service, is there anything stopping us from simply installing this role on one of our existing VMs and running our own domain controller?
If not, why would anyone be paying monthly for Azure AD DS?
Any advantages to either approach? We're a small enterprise, and will not be using AD for managing resources, only for identity management.

How do I restrict remote AAD (Work/School) connected personal machines with Group Policy enforced from the AADDS VM?

This client's company is fully remote and is looking for a cloud group policy solution.
Is there anyway to use AADDS to accomplish this task?
Thanks,
To manage machines/computers with Group Policy, the machine must be joined to a domain (an on-premises domain controller or Azure AD DS). Once the machine is joined to the domain you can apply group policies.
If you are looking to use an Azure AD DS managed instance, it gives the ability to join computers to a domain without any need to manage or deploy a domain controller. Users can sign in by using their existing corporate credentials.
If you want to manage Group Policy with an AD DS managed instance, you need to create an additional VM with a server OS and install the required server roles to perform additional operations.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
Or else you can use Azure AD registered devices. The goal of Azure AD registered devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios.
You can find more information here about device management in Azure AD.

Can we use Windows Active Directory to authenticate Linux/Unix servers and manage users/groups from AD itself

We have tried the sssd utility, which does LDAP auth to Windows AD; however, we have to manage individual servers for user/group permissions, and there is no central management with sssd.
Also, we are trying to use FreeIPA, but it seems like it's another directory service and we would need to create another domain and then establish a trust between the Windows domain and the IPA domain; however, we don't want to choose that route.
Is there a way to just integrate FreeIPA with Windows AD without creating a FreeIPA domain?
No, there is no such way. FreeIPA is not a tool; it is a fully functioning identity management system, similar to Active Directory but for POSIX environments. You aren't deploying it on a single machine as a separate application.
There are plenty of other tools that utilise an existing Active Directory deployment to store their own information and handle Linux machines, but most of them are commercially available.
However, I wonder why you are claiming there is no central management with SSSD for direct AD integration. SSSD with id_provider = ad supports group policies in AD, so you can apply those rules centrally. Technically you can also store sudo rules in AD LDAP, though it wouldn't be easily manageable compared to FreeIPA.
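As an added illustration (not part of the answer above), a minimal sssd.conf for the direct AD integration the answer describes, where logon access is decided by AD Group Policy and sudo rules are read from AD LDAP; the domain name, realm and home directory layout are assumed values:

```ini
[sssd]
config_file_version = 2
services = nss, pam, sudo
# assumed AD domain name
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
# access decisions come from the AD GPO logon rights (e.g. "Allow log on through Remote Desktop Services")
access_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
# deny logon when GPO evaluation denies it; "permissive" only logs the decision
ad_gpo_access_control = enforcing
# treat the "ssh" PAM service as a remote-interactive logon in addition to the built-in defaults
ad_gpo_map_remote_interactive = +ssh
# sudo rules stored in AD using the sudoers LDAP schema, as mentioned in the answer
sudo_provider = ad
cache_credentials = true
use_fully_qualified_names = false
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
```

After a `systemctl restart sssd`, `sssctl domain-status corp.example.com` confirms the domain is online, and the GPO access decision for each logon is recorded in the domain log under /var/log/sssd/.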

Making an Azure-hosted website part of the company intranet (single sign-on)

We are considering deploying some of our intranet web applications to Azure. The web applications are built using ASP.NET MVC. Source code is available; it is fully under our control. All our company machines are Windows 7 or up, part of a Windows domain, sitting behind a proxy server. Users are registered in AD. What authentication technology would you recommend for a secure and convenient login experience? We prefer to save the employees from creating, remembering and typing in yet another username/password. Single sign-on is wonderful for the users. Can we achieve something similar? Up to what extent do we have to compromise on the convenience?
Reasons to move to Azure: Azure does not have the bureaucratic deployment obstacles that our intranet has. Furthermore, deploying webapps to Azure is just soooo easy and wonderful.
Azure Active Directory extends on-premises AD into the cloud, enabling users to use their organizational account not only to sign in to their domain-joined devices and company resources, but also to all of the web and SaaS applications (Office 365) needed for their job.
It supports federated single sign-on for applications that support SAML 2.0, WS-Federation and OpenID Connect; password-based sign-on for apps with an HTML sign-on page; and existing SSO using AD FS.

Remote workers login via Azure Active Directory

I have a very small office with 2 Windows 8 machines, and people work remotely. Because we use Office 365 and Azure, we're already set up with Azure Active Directory (AD). When users VPN in to the office they can use their AD account. However, I wonder if it is possible to allow the on-premises Win 8 machines to log in using their AD account? We have no on-premises servers (excluding a NAS).
No - Windows Azure AD currently does not support domain-joined machines and machine/user authentication. It is different in this way from Windows Server Active Directory.
Windows Azure AD is currently centered around user authentication for web-based applications.
