Wednesday, 16 September 2015

Azure Active Directory: Tomorrow’s Identity Management, Today

   By Debra Littlejohn Shinder

Identity and access management form the backbone of your network security plan, and now with the integration of on-premises and cloud-based services in a hybrid environment, organizations need a solution that will simplify user access to cloud apps and allow them to get to the resources they need no matter what type or brand of computing device they’re using. 

Microsoft’s answer to this is Azure Active Directory, which will not only enable your users to access your SaaS applications and Office 365 but also lets you publish your on-premises web apps so that they can be accessed from computers, tablets or smart phones running Windows, Android, iOS or OS X. 

Your on-premises Active Directory and other directory services can be synchronized automatically with Azure AD. You can sync users, groups and contacts to the cloud and Azure AD supports both directory sync with password synchronization and directory sync with single sign-on:


  • Directory sync with password sync: users can sign into Azure AD with the same username and password they use for accessing the company network.
  • Directory sync with single sign-on: users can use their company AD credentials to access both cloud and on-premises resources seamlessly. You can even have single sign-on across multiple AD forests using Active Directory Federation Services (AD FS).


All of this convenience doesn’t come at the cost of security. Users can enjoy all the benefits of single sign-on and administrators can breathe easy knowing that the access channels are secured. 

You have the option of enabling Azure multi-factor authentication to provide more protection for your sensitive and confidential data and applications, and security monitoring will keep you apprised of what’s going on with both your cloud apps and your on-premises apps. 

The earlier Active Directory integration tools, Azure Active Directory Sync and the Azure Active Directory Synchronization Tool (DirSync), have been replaced by Azure Active Directory Connect, which encompasses their functionality and can be downloaded from the Microsoft Azure web site. This tool lets you easily connect your on-premises directories with your Azure AD via a wizard-based interface that will deploy and configure all of the necessary components for you.


Credit: Microsoft Azure Directory


Azure AD Connect has three parts: Sync Services, AD FS and the health monitoring service (Azure AD Connect Health). AD FS is optional; it’s used to create a hybrid solution with your on-premises AD FS deployment. In order to install Azure AD Connect, you’ll need to have Enterprise Administrator credentials, along with a subscription to Azure and Azure AD Premium (or the trial version). You’ll also need an Azure AD Global Admin account and your AD domain controller needs to be running Windows Server 2008 or above. 

The installation wizard will help you to select the type of synchronization that’s best for your organization (password sync or single sign-on), then it will install the software components that are needed in order to deploy the type of synchronization you chose. After the components are installed, it will verify the integration of the on-premises and cloud directories to ensure that everything is working. 

By default, Azure AD Connect installs an instance of SQL Server 2012 Express, creates the appropriate groups and assigns the necessary permissions to them. However, if you want, you can use a SQL server that you already have. You’ll need to specify its name in the options configuration section of the wizard. You also might want to create an account for the sync services to use instead of using the default account, so that you can choose your own password. When you use the default, Azure AD Connect generates a password automatically and you don’t know what it is. Usually you won’t need to, but there are some advanced tasks that do require you to know and enter the password. 

The quickest and easiest way to integrate your on-premises and cloud directories is to use the Express installation option. It is for single-forest configurations and uses the password hash sync type, so users can log on to the cloud with the same password they use for the corporate network. It’s a quick and simple process with just six steps. If you want more options, you’ll want to go with the Custom installation, which lets you choose Federation with AD FS or password sync, lets you add more directories to sync, and gives you far more flexibility and control over identities and features such as Azure AD app and attribute filtering, password and user writeback, and more. Writeback means that password changes made in Azure AD and users created in Azure AD will be written back to the on-premises directory.
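Once the wizard has finished, an administrator will want to confirm that the deployment described above is actually syncing. The following script is an added example, not part of the article or Microsoft's own tooling; it uses the ADSync module that ships with Azure AD Connect (1.1 or later, where the built-in scheduler cmdlets exist) and the MSOnline module, and the connector name "contoso.com" is a placeholder you must replace with your own AD DS connector name.

```powershell
# Added example: post-installation health check for an Azure AD Connect deployment
# that uses password hash sync. Run in an elevated PowerShell session on the
# Azure AD Connect server. Assumes the ADSync module (installed with Azure AD
# Connect 1.1+) and the MSOnline module (Install-Module MSOnline) are present.

Import-Module ADSync
Import-Module MSOnline

# Placeholder: the name of your on-premises AD DS connector (usually the forest name).
$OnPremConnectorName = "contoso.com"

# 1. List the connectors. A basic deployment shows one AD DS and one Azure AD connector.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# 2. Check the built-in scheduler: is the sync cycle enabled, how often does it run,
#    and is the server accidentally left in staging mode (which exports nothing)?
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    Write-Warning "Sync cycle is disabled; no changes are flowing to Azure AD."
}
if ($sched.StagingModeEnabled) {
    Write-Warning "Server is in staging mode; it imports but does not export."
}
$sched | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
    NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, StagingModeEnabled

# 3. Confirm password hash sync is enabled on the AD DS connector, otherwise users
#    cannot sign in to the cloud with their on-premises password.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnectorName
if (-not $phs.Enabled) {
    Write-Warning "Password hash sync is off for connector $OnPremConnectorName."
}

# 4. Cloud-side view of the same facts, and how stale the last sync is.
Connect-MsolService   # prompts for an Azure AD Global Admin credential
$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
    PasswordSynchronizationEnabled, LastPasswordSyncTime

if ($info.LastDirSyncTime -and ((Get-Date) - $info.LastDirSyncTime).TotalHours -gt 3) {
    Write-Warning "Last directory sync was over 3 hours ago; investigate the sync service."
}

# 5. Optionally run a delta sync now rather than waiting for the next scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta
```

The warnings are the conditions an operator most often misses after a fresh install: a disabled scheduler, staging mode left on, or password hash sync silently off on the on-premises connector.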

Azure Active Directory brings your on-premises and cloud assets together to maximize the benefits of both. You can find much more good information about Azure at www.cloudcomputingadmin.com.



Author Profile

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.

She is also a tech editor, developmental editor and contributor to over 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and WindowSecurity.com, and her work has appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine.