I'm looking to setup AD for our company. We have developed a cloud based app that needs robust permissions abilities, which AD easily can handle. The app is bases out of Heroku which runs on AWS. I really need AD to manage logins and organizational hierarchy.
I'd like to use a cloud based service to act as the primary Domain controller and in the future, setup on-premise servers to provide local authentication to manage file/print and computer services. This is a secondary need to the authentication needs for our app.
Does anyone know if this architecture is possible? That is, a AD's DC in Azure with replicated services to other on-premise servers, at a later time? This seems to be the reverse of most setups in Azure. I'm ok with using other cloud services than Azure. It just seems they have the most documentation for cloud AD setups.
Any thoughts or help would be greatly appreciated.
Thanks,
AT
Although I wouldn't go for Cloud to be my primary DC, here are some guidelines which might help you:
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
Install a new Active Directory forest in Windows Azure
In order to fully validate your scenario, how do you think to join the Heroku computers to your domain controller? Because joining the server where your application runs will make the total sense of what you are trying to achieve.
If you just want to provide LDAP access from your application to the primary DC, and your app is not part of the Domain, then it makes no sense to install AD in Azure.
If you plan to just query the AD for organizational structure, I highly suggest that you take a look at the Windows Azure Active Directory and its Graph API. this is what you need, in the case you will not join any computers to the domain, because Windows Azure Active Directory is not a Domain Controller.
UPDATE
Please update your question with better description of simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it. - I am afraid I can't really understand the application architecture and user login flow here.
Related
I have created an Xamarin Android App with an Azure App Service back end. When I looked at securing the connection, I don't really care about individual users, but I want to make sure that only someone running my app can access the database. Is there a way to authenticate the app itself rather than individual users? What is the best practice in this scenario?
If you don't care about user, there are a few approaches and the security level may vary. If you want to simplify integration and deployment among Azure services, you should consider using Azure AD as an identity and access management in your entirely system. That said, your back-end and Xamarin app are authorized and authenticated via Azure AD. You need to register your native app in Azure AD which you can refer here https://learn.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-native-client
Another approach is to use certificate-based authorization against Azure Active Directory, which is more controlled and security rather than client secret. In this case, persons installing your app must also install certificate before sending request to Azure App Service and retrieve database from Azure SQL Database. The level of authorization is free of choice, but the first gateway is always Azure AD.
I have a web application deployed on Azure with the Azure Active Directory security enabled (the express setting). So, when I try to access the application, I need to be a part of the AD to have access.
I would like to add more features to the application, like displaying the current user logged in, implement a logout, managing permissions etc... I believe I can achieve all of things with Azure Graph API.
However, to do this, I will need to test some stuff locally. Is there any way to simulate Azure AD locally? It is "switched on" on Azure and everything works great there, but ain't got nothing to simulate this on my local machine.
There is no "local" or "offline" version of Azure AD available.
Your options at this time are:
Test using an actual Azure AD tenant. You can create your own test tenant to allow you to make changes as necessary, postponing the need to work with the admin of your corporate Azure AD until you're ready to go to production.
Create your own Mock STS that implements the OpenID Connect protocol and use that during development/testing. The risk here is that you'll have to make sure that this Mock STS behaves just like Azure AD does or close enough for your purposes.
As a side note, you can create a feedback entry asking for a feature on this in the Azure AD Feedback Forum
I am a developer working on a think client application. One of our customers wants us to provide hosting for the application and I have set up azure remote app for this. The customer is asking if it will work with single sign on.
From what I can see it can work if I have access to their directory. For example if I could join their domain or change my default directory to be their directory it should work. Is this good practice though? From what I see the only way to do this is give their administrators access to my subscription.
Is there another way?
Azure Remote App offers two deployment options
- RemoteApp cloud deployment enables user logon with Microsoft account or corporate credentials federated with Azure Active Directory
- RemoteApp hybrid deployment enables full access to on-premises network, and user logon with corporate credentials federated with Azure Active Directory
So in both cases, you may have single sign on for your customer application, provided his current identity provider (for example On premise Active Directory) is federated with Azure Active Directory
Hope this helps
Best regards
Stéphane
Is it sensible to set up Active Directory in Azure, purely for managing identities in the virtual environment? (update: identities as in log on to the vm not our software). We don't currently have an on-site AD installation. Should we be looking at integrating our on-site systems with this AD controller too?
Are there any alternatives to just installing it in a VM following the MSDN instructions here? (mainly in terms of scope for making bad decisions during initial configuration as someone with no real sysadmin or AD experience!)
There is a preview currently running which sounds like a better fit for your purposes. Whether you integrate with your on-prem AD is your call of course. To do so you can use ADFS to ACS to link through from your Azure app.
http://www.windowsazure.com/en-us/home/features/identity/
Is it possible to use an Azure virtual machine as an Active Directory server with ADFS 2.0 and integrate it with ACS ?
Regards ,
James Roeiter
Having AD server (with RMS also) in cloud is an ask which I have heard time to time from Azure users and it sure is a great addition to have it running in Windows Azure or any cloud. Various organization's IT is asking the same as well however As of now with current Windows Azure it is not possible.
A few might suggest that using Windows Azure VM Role however, I would say that there are concern over that as well do to persistence and other issues so I would say it is not possible with Windows Azure VM Role as well and there are other issues related with Active Directory product as well to run in Cloud scenarios.
If I answer it directly, I would say as of now it is not supported and suggested scenario to have AD on Windows Azure and will not work due to various reasons.
You can now install AD on Azure in a persistent state. Its still preview but I have just got an standalone AD on a separate network on Azure. I haven't finished wiring up ADFS and ACS but given a little time to get my head around it and I will be there.
Why would you like to put your AD server in Azure? If it just for testing - you can. However the current state of Windows Azure only allows you to have a VM Role, which is Stateless. That means, you may prepare your VM with the AD, all configured for ACS and fill up with users. However you can't rely on any changes to be persisted (including password changed, user edits). VM Role is stateless, which means you will lose your changes once the role is recycled or rebooted, or healed.
So the final answer for the current Windows Azure offering would be - don't do that now, unless you want to just play around and see if it works.
** EDIT **
I am not an AD expert, what I managed to do and have an "in-house-virtualized" lab is to have ADFS on VM integrated with ACS. Another VM running Windows 7, which is domain joined to my AD. Then a web deployed application which leverage ACS with ADFS integration. Everything works fine.
As for storing AD data on external persistent storage - I don't know if it is possible, and how to configure that (already told you I am not AD expert). But if you know how to configure the storage for AD, and if you can store it in an SQL Azure, it is worth to give it a try.
And, finally, as Sandrino mentioned read the provided link to ZDNet's blog post, which has information you might find helpful.