Do you know how powerful Azure Active Directory (AAD) is? Do you know it’s not just an Azure or an Office 365 thing? I find that when I talk to people about Azure or when someone else is talking about it, topics like Azure Site Recovery (ASR), VMs in the cloud, or Azure Backup are in the conversation. But very few people talk about AAD, what I think is Microsoft’s killer hybrid service.
Connecting Azure AD
I heard a phrase around Ignite 2015 that I hadn’t before: Legacy AD (LAD); apparently that’s what Microsoft now call the AD that you have been running on servers since Windows Server 2000 (W2000). This is because Microsoft is investing in Azure AD, and expecting you to connect your LAD to AAD. At the lowest level, this makes your users (and, depending on which method you pick, a hash of their passwords) available in the cloud. There are two methods:
- Federation: Using ADFS, you federate LAD with AAD. A sync tool still copies the user objects into AAD so that they can be licensed and granted access, but the password hashes stay on-premises: whenever there is a sign-in request, AAD redirects the user to your ADFS servers, which authenticate against LAD and hand back a token – no connection to ADFS = no sign-in. This is a true single sign-on solution; a domain-joined PC on the corporate network gets into Office 365 without being prompted again.
- Synchronisation: Microsoft has shipped many tools for this over the years, but Azure AD Connect (AADConnect) is now the one to use. User accounts are synchronised from LAD to AAD, along with a salted hash of each password hash (neither the cleartext password nor the raw NT hash leaves your network), so both directories can authenticate the user. The solution is more tolerant of failure than federation, because sign-in continues when the link to on-premises is down, but you get less control at sign-in time (for example, AD logon hours are not enforced by AAD). Microsoft calls this same sign-on rather than single sign-on: the username and password are the same everywhere, but the user is still prompted for them in the cloud.
Note that I’ve talked about users so far. We can now register devices in AAD (e.g. Windows 10) and via write-back, send these details back to LAD.
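The two sign-in models above look identical to an end user, so it is worth being able to prove which one a tenant is actually using, how fresh the sync is, and whether device write-back has really landed anything in LAD. The following PowerShell is an added example, not code from the original post. It assumes the MSOnline module (Connect-MsolService) and the ActiveDirectory RSAT module are installed, that you hold a Global Admin account in the tenant, and that the machine is joined to the on-premises domain so Get-ADDomain works; the three-hour staleness threshold is an assumption based on the 30-minute default sync cycle.

```powershell
#Requires -Modules MSOnline, ActiveDirectory
# Added example, not from the original post. Assumes MSOnline + ActiveDirectory modules,
# a tenant Global Admin account, and a machine joined to the on-premises (LAD) domain.

function Get-HybridSignInPosture {
    <#
      Reports, per verified domain, whether AAD is federated (ADFS answers every sign-in,
      so an ADFS outage is an AAD outage) or managed (password hash sync / same sign-on),
      plus how stale the last directory and password sync cycles are.
    #>
    [CmdletBinding()]
    param(
        # AADConnect syncs every 30 minutes by default (assumption: 3h of silence = broken sync).
        [int]$MaxSyncAgeHours = 3
    )

    $company = Get-MsolCompanyInformation      # tenant-wide sync status, timestamps are UTC
    $nowUtc  = [datetime]::UtcNow

    $domains = foreach ($d in (Get-MsolDomain | Where-Object Status -eq 'Verified')) {
        $sts = $null
        if ($d.Authentication -eq 'Federated') {
            # The STS endpoint AAD redirects browsers to; if this host is unreachable, nobody signs in.
            $sts = (Get-MsolDomainFederationSettings -DomainName $d.Name).PassiveLogOnUri
        }
        [pscustomobject]@{
            Domain        = $d.Name
            SignInModel   = if ($d.Authentication -eq 'Federated') { 'Federation (SSO, depends on ADFS)' }
                            else { 'Managed (password hash sync or cloud-only, same sign-on)' }
            FederationSts = $sts
        }
    }

    $dirSyncAge = if ($company.LastDirSyncTime) { $nowUtc - $company.LastDirSyncTime } else { $null }

    [pscustomobject]@{
        Tenant              = $company.DisplayName
        DirSyncEnabled      = $company.DirectorySynchronizationEnabled
        DirSyncServer       = $company.DirSyncClientMachineName      # the box running AADConnect/DirSync
        LastDirSyncUtc      = $company.LastDirSyncTime
        DirSyncStale        = [bool]$company.DirectorySynchronizationEnabled -and
                              (($null -eq $dirSyncAge) -or ($dirSyncAge.TotalHours -gt $MaxSyncAgeHours))
        PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
        LastPasswordSyncUtc = $company.LastPasswordSyncTime
        Domains             = $domains
    }
}

function Get-WrittenBackDevices {
    <#
      Device write-back creates msDS-Device objects under CN=RegisteredDevices at the domain root.
      Anything listed here is a device that AAD knows about and LAD can now see (for example, for
      device claims in ADFS). A missing container means write-back was never enabled in AADConnect.
    #>
    $domainDn   = (Get-ADDomain).DistinguishedName
    $searchBase = "CN=RegisteredDevices,$domainDn"

    if (-not (Get-ADObject -Identity $searchBase -ErrorAction SilentlyContinue)) {
        Write-Warning "$searchBase does not exist: device write-back is not enabled or has not run yet."
        return
    }

    Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' -SearchBase $searchBase `
                 -Properties displayName, whenCreated, 'msDS-DeviceOSType', 'msDS-DeviceOSVersion' |
        Select-Object displayName, 'msDS-DeviceOSType', 'msDS-DeviceOSVersion', whenCreated, DistinguishedName
}

# Usage
Connect-MsolService                          # prompts for tenant admin credentials
$posture = Get-HybridSignInPosture
$posture | Select-Object -ExcludeProperty Domains | Format-List
$posture.Domains | Format-Table -AutoSize
Get-WrittenBackDevices | Format-Table -AutoSize
```

The check that matters most is the combination of SignInModel and DirSyncStale: a federated domain with a stale sync still signs users in (ADFS is doing the work) but stops picking up new or disabled accounts, while a managed domain with a stale password sync keeps accepting the old password long after it was changed on-premises.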
You Might Have Already Connected
You might not know this, but AAD is what provides user services for Office 365 (and other MSFT SaaS products). If you’ve deployed Office 365 with DirSync (or another sync tool) or ADFS then you have already accomplished the above. With a few mouse clicks in the O365 admin portal, you can make your domain appear in the Azure management portal.
AAD – Single Security Database for Microsoft SaaS
Microsoft uses AAD for all of their business cloud services:
- Office 365
- Azure Rights Management Services
- And more
This makes it really easy for a business to enable a user to avail of new services once you have configured AAD: you configure the domain, and then you can bring O365 or any of the other Microsoft online business services to those users in seconds.
Single Sign-On With Third-Party SaaS
Microsoft isn’t stupid; they know that you use third-party cloud services, such as Salesforce. And you know what? Microsoft wants to make that easier for you by enabling single sign-on. So not only can users use their single username/password combination to sign into their PC and access their servers, but now the same credentials can work with Microsoft cloud services and third-party services. This brings “shadow IT” under the control of IT. You can use the free Cloud App Discovery to scan a network, find what online services are being used by the business, and rein these services under control using AAD.
There is an upsell here. Microsoft sells AAD Premium (included in the EMS Suite) to enable SSO with more than 10 cloud services. This upgrade also brings in things like self-service password reset.
The Future is Now
Because AAD is a cloud service, it can be developed and improved at cloud pace, which is weeks, not years. Feedback and innovation are driving rapid change. You can register devices, including Windows 10 PCs, with AAD. That’s pretty cool:
- Mobile workers can register with AAD
- It makes BYOD and remote working easier
- Cloud-centric SMEs might not need an on-premises DC anymore
If LAD is how we control policy on user devices, and we’re replacing LAD with AAD, how do we configure machines? The answer is Microsoft Intune. Intune can configure policy on managed devices. We’re told (I haven’t verified this for myself yet) that:
- A customer has configured AAD
- The customer has licensed for Intune with that domain
- A user registers their device in the AAD domain
- That device is automatically enrolled for management by Intune – and getting policy from Intune
How I’ve Done It
At work, we deployed the following solution to get AAD configured:
- We have 2 on-premises DCs, required for our Hyper-V cluster
- There is an Azure subscription and an O365 E3 subscription
- We deployed 2 Basic A-series VMs in an availability set in Azure on a VNET
- There is a site-to-site VPN connection between the on-prem network and the VNET
- The Azure VMs are joined to the domain and promoted to be DCs
- AADConnect is installed on one of the in-Azure VMs to connect with AAD (O365)
- We configured the domain in Azure AD via the O365 Admin Portal
And from there, we’ve opened up all of the power of Azure AD … albeit requiring additional licensing for the Premium edition
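For anyone repeating the in-Azure DC part of that design, the following PowerShell is an added example and not the author’s own deployment scripts. It assumes a domain called contoso.local, an AD site called Azure-NorthEurope, a VNET address space of 10.10.0.0/16 and a data disk mounted as F: on each Azure VM; all four are hypothetical placeholders, and the on-premises site name is assumed to be the default. It is run on each Azure VM after the VM has been joined to the domain across the site-to-site VPN, and it adds the one step the list above leaves implicit: giving the VNET its own AD site and subnet so that clients in Azure (including the AADConnect server) authenticate against the local DCs rather than across the VPN.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's scripts. Placeholder values are marked HYPOTHETICAL.
$DomainName = 'contoso.local'             # HYPOTHETICAL: the LAD forest root domain
$SiteName   = 'Azure-NorthEurope'         # HYPOTHETICAL: AD site for the Azure VNET
$VnetPrefix = '10.10.0.0/16'              # HYPOTHETICAL: the VNET address space
$OnPremSite = 'Default-First-Site-Name'   # assumed name of the existing on-premises site

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$DomainAdmin = Get-Credential -Message "Domain Admin for $DomainName"

# 1. Site, subnet and site link for the VNET (idempotent: only created the first time through).
#    Without the subnet, Azure-side machines pick any DC in the forest and send Kerberos and
#    LDAP traffic across the VPN; with it, replication over the VPN is scheduled inter-site traffic.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'" -Credential $DomainAdmin)) {
    New-ADReplicationSite     -Name $SiteName -Credential $DomainAdmin
    New-ADReplicationSubnet   -Name $VnetPrefix -Site $SiteName -Credential $DomainAdmin
    New-ADReplicationSiteLink -Name "$OnPremSite-$SiteName" `
                              -SitesIncluded $OnPremSite, $SiteName `
                              -Cost 100 -ReplicationFrequencyInMinutes 15 `
                              -Credential $DomainAdmin
}

# 2. Promote this VM into the Azure site. The AD database, logs and SYSVOL go on the data disk:
#    Microsoft's guidance for AD DS in Azure VMs is a data disk with host caching set to None, so
#    that writes the DC believes are durable actually are.
Install-ADDSDomainController `
    -DomainName $DomainName `
    -SiteName $SiteName `
    -InstallDns `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -Credential $DomainAdmin `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
    -Force
# The server reboots here.

# 3. After the reboot: confirm the DC landed in the Azure site and is replicating with on-prem.
Get-ADDomainController -Filter "Site -eq '$SiteName'" |
    Select-Object Name, IPv4Address, Site
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

A LastReplicationResult of 0 against each on-premises partner is the sign that the VPN, the site link and the promotion all worked; only once that is true is it worth installing AADConnect on one of these VMs.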