I have an Windows Azure Subscription when the administrator has a Microsoft Account.
This account has a Default active directory and I need to configure my Office365 domain to authenticate my applications with corporate accounts.
I cant remove the default directory.
Thank you
The management portal will not let you do what you are asking. It will not let you associate your Azure account with an existing Windows Azure Active Directory (WAAD) instance, and manage it through the Azure portal. You can, however, still use your Office365 instance of WAAD to as an identity provider through Azure Access Control Service (ACS). For a good starting place on using ACS for adding claims based authentication to your web application look here. For instructions on how to provision a WAAD tenant as an IdP for ACS look here.
Related
we have an Infrastructure for one customer in Azure which require many configurations like MFA with VPN and Remote Desktop (this one is the reason why I'm confused with Azure AD).
The installation should be only in Azure, that's mean there is no local AD which could be synced to it.
I've created an seperated Azure Directory for them and configured an AD DS inside it so I can join the Azure VMs to it.
My problem here is I was asked to configure MFA for remote desktop users along with the VPN connection. The requirement the MFA that I should install an local NPS with MFA Extenstion and the local AD users should be synced with Azure AD. Which in my case it's not possible to do it since there is no local Network for this customer.
This problem as I understood is because that we don't have permissions to administrate Azure AD DS Active Directory and by this we can't register the NPS with MFA Extension with it. here are some Links related to this topic:
Request to Support NPS/RADIUS for Azure AD Domain Services
Integrate Remote Desktop Gateway with Azure MFA
Integrate VPN with Azure MFA
My question here is:
1) the seperated Azure AD for this tenant is a good Idea? Is it not better to just create an Azure AD Domain Services inside our Company Azure AD and sync the required groups to it? what is the best practice for this situation?
2) In order to use the Azure MFA here, what should I do? is there any other option in Azure to implement such a scenario?
I will be glad for any help or explaination.
Do we need Azure Active directory premium to do Role-based or Group based Authorization ?
I ask this question because my Azure portal is not giving me "Users" tab as mentioned in this link.
Group-based access is a Basic/Premium feature as defined here.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
You can only assign individual users to apps after you enable User assignment required to access app. But the Users tab should definitely be available though.
In our organization, we are using Google Apps for Work for emails, calendar, document repository.
We also have some other services that we are using our google account to authenticate with SSO support. Simply google account is our SSO account that we want to use in all services we are using.
There are few exceptional services that we were not able to setup Google as identity provider. One of them is Azure Services. In azure, you can provision Azure Active Directory and create accounts in it and use that accounts to access many other Azure Services, such as Azure SQL Databases. If you are using Visual Studio Team Service, you can also configure VSTS to backed by AAD, then you can access to VSTS using AAD Account.
My question is, is there a way to configure AAD to delegate authentication on google side ?
If we can do this, then we would be able to use our Google Account to access all azure services
No, Microsoft services pretty much don't support any accounts other than Azure AD & Microsoft Account at this time.
You could set up Azure AD as the Identity Provider for your Google Apps account. I'm sure there would be some tedious steps in the process to get your users moved over but it should work. When your users attempt to login to Google Apps they would get redirected to an Azure AD sign in page and then redirected back to Google.
Some marketing material can be found here:
https://azure.microsoft.com/en-us/marketplace/partners/google/googleapps/
I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external Sharepoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any creditcard. When you have e.g. a pay-as-you-go subscription you should be able to create a ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace but I suggest you to also take a look into the identity possibilities Azure AD itself has. Azure AD has currently only support for SAML 2.0 (and a lot of other protocols but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1 so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (see one of the comments from the source mentioned below this answer)
I also would make one remark about Azure AD ACS because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this later directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.
In my company, we are using Office365 for our emails.
In addition to this, we are using Windows Azure Active Directory to secure some applications.
Now I've been asked to create some kind of link between our users in Office 365 and Windows Azure Active Directory.
The point would be to have some admin applications deployed and secured with WAAD but for which the users are the ones from Office365.
I've found lots of documentation on the web on how to sync directories but not really anything stating clearly that this is possible.
I'd like to insist on the fact that it is our own application that we'd like to secure like this.
Thanks
(Edit 2018-03-23: This answer was updated to reflect changes in the new Azure portal.)
The underlying directory for Office 365 is Azure Active Directory (Azure AD). This means that if you have an Office 365 account, you already have a directory -or "tenant"- in Azure AD.
In your case, I think what you want to do is move from securing your application with a different Azure AD tenant (under a different domain), to securing your applications with the tenant you got when you started using Office 365. The key here is to be able to get access to your Office 365 tenant from the Azure portal.
All you need to do is sign in to the Azure portal (https://portal.azure.com) with you Office 365 account (which, remember, is an Azure AD account), and head over to the "Azure Active Directory" blade. (Note: You do not need an Azure subscription in order to manage your Azure AD tenant in the Azure portal.)
Now you can go about adding and configuring apps to the Office 365 tenant so that you can use that tenant to secure your apps.
Extra: Since you've already started doing things with another Azure subscription (presumably your Microsoft Account, MSA --formerly LiveID--), you might be interested in transferring that Azure subscription to be owned by an account in your primary Azure AD tenant: https://learn.microsoft.com/en-us/azure/billing/billing-subscription-transfer
If the aim is to make the Office 365 directory available inside the Azure portal, this currently works:
In the Azure portal, under Active Directory, click the New button, then Directory, then Custom Create. In the Directory pull-down, select 'Use existing directory' and follow the instructions to sign out and sign in using your Office 365 admin user. This will make your Office 365 directory available inside your Azure portal (in addition to any other Azure directories you have access to.)
When you setup your Azure Subcription did you use the same account you used when you setup your Office 365 Subscription? If so you should be able to see an existing WAAD instance when you log into Azure that has your #*.onmicrosoft.com domain registered against it. If you don't see that you may be able to add the domain to Azure subscription assuming of you are the domain admin. See here: http://blogs.msdn.com/b/bspann/archive/2013/10/20/adding-existing-o365-directory-to-azure-msdn-subscription.aspx
For the sake of completion, I hope the OP would come back and accept the answer provided by Philippe.
I found this that was quite helpful: http://blogs.technet.com/b/ad/archive/2013/04/29/using-a-existing-windows-azure-ad-tenant-with-windows-azure.aspx