{"id":18424,"date":"2015-06-29T09:26:44","date_gmt":"2015-06-29T08:26:44","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=18424"},"modified":"2015-08-14T10:44:24","modified_gmt":"2015-08-14T09:44:24","slug":"azures-biggest-secret-azure-active-directory","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=18424","title":{"rendered":"Azure&rsquo;s Biggest &#8220;Secret&#8221; &#8211; Azure Active Directory"},"content":{"rendered":"<p>Do you know how powerful Azure Active Directory (AAD) is? Do you know it\u2019s not just an Azure or an Office 365 thing? I find that when I talk to people about Azure or when someone else is talking about it, topics like Azure Site Recovery (ASR), VMs in the cloud, or Azure Backup are in the conversation. But very few people talk about AAD, which I think is Microsoft\u2019s killer hybrid service.<\/p>\n<p><a href=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/image5.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; float: none; padding-top: 0px; padding-left: 0px; margin-left: auto; display: block; padding-right: 0px; margin-right: auto; border: 0px;\" title=\"image\" src=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/image_thumb5.png\" alt=\"image\" width=\"600\" height=\"342\" border=\"0\" \/><\/a><\/p>\n
<h2>Connecting Azure AD<\/h2>\n<p>I heard a phrase around Ignite 2015 that I hadn\u2019t heard before: Legacy AD (LAD); apparently that\u2019s what Microsoft now calls the AD that you have been running on servers since Windows Server 2000 (W2000). This is because Microsoft is investing in Azure AD, and expecting you to connect your LAD to AAD. At the lowest level, this makes your users (and, depending on the option you choose, a hash of their passwords) available in the cloud:<\/p>\n<ul>\n<li><strong>Federation<\/strong>: Using ADFS, you can connect AAD with LAD. AAD still needs a copy of the user objects (synchronised by AAD Connect) so that licences can be assigned, but it doesn\u2019t store or check passwords in this design. Instead, credentials stay in LAD, and AAD redirects every sign-in to ADFS, which authenticates the user against LAD \u2013 no connection to ADFS = no sign-in. This is a single sign-on (SSO) solution. Note that AAD trusts whatever ADFS signs with its token-signing certificate, so the ADFS farm and that certificate become part of your cloud security boundary.<\/li>\n<li><strong>Synchronisation<\/strong>: Microsoft has had many tools for this over the years; the current one is Azure AD Connect (AADConnect). User accounts are synchronised from LAD to AAD and, with password hash synchronisation, a hash of each user\u2019s password hash (never the password itself) is synchronised too, so the account can be authenticated in both locations. The solution is more tolerant of failure than federation, because a cloud sign-in doesn\u2019t depend on anything on-premises being reachable, but not as scalable. This is known as same sign-on.<\/li>\n<\/ul>\n<p>Note that I\u2019ve talked about users so far. We can now register devices in AAD (e.g. Windows 10) and, via device write-back, send these details back to LAD.<\/p>\n
<h2>You Might Have Already Connected<\/h2>\n<p>You might not know this, but AAD is what provides user services for Office 365 (and other MSFT SaaS products). If you\u2019ve deployed Office 365 with DirSync (or another sync tool) or ADFS then you have already accomplished the above. With a few mouse clicks in the O365 admin portal, you can make your domain appear in the Azure management portal.<\/p>\n<h2>AAD \u2013 Single Security Database for Microsoft SaaS<\/h2>\n<p>Microsoft uses AAD for all of their business cloud services:<\/p>\n<ul>\n<li>Office 365<\/li>\n<li>Azure<\/li>\n<li>Intune<\/li>\n<li>CRM<\/li>\n<li>Azure Rights Management Services<\/li>\n<li>And more<\/li>\n<\/ul>\n<p>This makes it really easy for a business to enable a user to avail of new services once you have configured AAD: you configure the domain, and then you can bring O365 or any of the other Microsoft online business services to those users in seconds. The flip side is that AAD is now the single point of control (and the single target) for every one of those services, so its admin accounts deserve the same care as your LAD domain admins.<\/p>\n
<h2>Single Sign-On With Third-Party SaaS<\/h2>\n<p>Microsoft isn\u2019t stupid; they know that you use third-party cloud services, such as Salesforce. And you know what? Microsoft wants to make that easier for you by enabling single sign-on. So not only can users use their single username\/password combination to sign into their PC and access their servers, but now the same credentials can work with Microsoft cloud services and third-party services. This brings \u201cshadow IT\u201d under the control of IT. You can use the free Cloud App Discovery to scan a network, find what online services are being used by the business, and rein these services in under AAD.<\/p>\n<p>There is an upsell here. Microsoft sells AAD Premium (included in the EMS Suite) to enable SSO with more than 10 cloud services per user. This upgrade also brings in things like self-service password reset.<\/p>\n
<h2>The Future is Now<\/h2>\n<p>Because AAD is a cloud service, it can be developed and improved at cloud pace: weeks, not years. Feedback and innovation are driving rapid change. You can register devices, including Windows 10 PCs, with AAD. That\u2019s pretty cool:<\/p>\n<ul>\n<li>Mobile workers can register with AAD<\/li>\n<li>It makes BYOD and remote working easier<\/li>\n<li>Cloud-centric SMEs might not need an on-premises DC anymore<\/li>\n<\/ul>\n<h2>Replacing GPO<\/h2>\n<p>If LAD is how we control policy on user devices, and we\u2019re replacing LAD with AAD, how do we configure machines? The answer is Microsoft Intune. Intune can configure policy on managed devices. We\u2019re told (I haven\u2019t verified this for myself yet) that:<\/p>\n<ul>\n<li>A customer has configured AAD<\/li>\n<li>The customer has licensed Intune for that domain<\/li>\n<li>A user registers their device in the AAD domain<\/li>\n<li>That device is automatically enrolled for management by Intune \u2013 and gets policy from Intune<\/li>\n<\/ul>\n
<h2>How I\u2019ve Done It<\/h2>\n<p>At work, we deployed the following solution to get AAD configured:<\/p>\n<ul>\n<li>We have 2 on-premises DCs, required for our Hyper-V cluster<\/li>\n<li>There is an Azure subscription and an O365 E3 subscription<\/li>\n<li>We deployed 2 Basic A-series VMs in an availability set in Azure on a VNET<\/li>\n<li>There is a site-to-site VPN connection between the on-prem network and the VNET<\/li>\n<li>The Azure VMs are joined to the domain and promoted to be DCs<\/li>\n<li>AADConnect is installed on one of the in-Azure VMs to connect with AAD (O365)<\/li>\n<li>The domain is configured in Azure AD via the O365 admin portal<\/li>\n<\/ul>\n<p>And from there, we\u2019ve opened up all of the power of Azure AD \u2026 albeit requiring additional licensing for the Premium edition <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-style: none;\" src=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/wlEmoticon-smile.png\" alt=\"Smile\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Do you know how powerful Azure Active Directory (AAD) is? Do you know it\u2019s not just an Azure or an Office 365 thing? I find that when I talk to people about Azure or when someone else is talking about it, topics like Azure Site Recovery (ASR), VMs in the cloud, or Azure Backup are &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=18424\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Azure&rsquo;s Biggest &#8220;Secret&#8221; &#8211; Azure Active Directory&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":18426,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[169,170],"class_list":["post-18424","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-active-directory","tag-azure"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/Azure-Active-Directory-Users.png","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/18424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=18424"}],"version-history":[{"count":5,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/18424\/revisions"}],"predecessor-version":[{"id":18466,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/18424\/revisions\/18466"}],"wp:featuredmedia":[{"embeddable":true,
"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/18426"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=18424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=18424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=18424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
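The post's "Connecting Azure AD", "You Might Have Already Connected" and "How I've Done It" sections describe federation versus synchronisation and a DirSync/AAD Connect deployment, but not how to check which of those a tenant is actually running. The script below is an added example (not code from the original post or from Microsoft) that audits that from the cloud side with the MSOnline PowerShell module of the post's era: it reports each verified domain as Federated (ADFS) or Managed, pulls the ADFS issuer and token-signing certificate AAD trusts for federated domains, checks whether directory and password hash sync are enabled and when they last ran, and classifies a user as synchronised or cloud-only. Assumptions: the MSOnline module is installed and the signed-in account can read tenant configuration; the 3-hour staleness threshold and the `someone@example.com` UPN are placeholders. Microsoft has since deprecated MSOnline in favour of Microsoft Graph PowerShell, so treat the cmdlet names as period-specific.

```powershell
# Added example, not from the original post. Audits how an Office 365 / Azure
# tenant is connected to on-premises AD ("LAD") using the MSOnline module.
# Assumes MSOnline is installed and the account used can read tenant settings.
Import-Module MSOnline
Connect-MsolService   # interactive prompt for tenant admin credentials

# Assumed threshold: if directory sync is on but the last sync is older than
# this, the AADConnect server (the in-Azure DC in the post) is likely down
# or its scheduler is stopped.
$MaxSyncAge = New-TimeSpan -Hours 3

function Get-DomainSignInMode {
    # One row per verified domain. Managed = AAD checks the password (hash)
    # itself; Federated = every sign-in is redirected to ADFS, so no ADFS
    # reachability means no sign-in.
    Get-MsolDomain -Status Verified | ForEach-Object {
        $row = [ordered]@{
            Domain                     = $_.Name
            Authentication             = $_.Authentication
            IsDefault                  = $_.IsDefault
            IssuerUri                  = $null
            PassiveLogOnUri            = $null
            TokenSigningCertThumbprint = $null
            TokenSigningCertExpires    = $null
        }
        if ($_.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $_.Name
            # SigningCertificate is the base64 DER of the ADFS token-signing
            # certificate AAD trusts; anyone holding its private key can mint
            # cloud sign-ins for this domain, so record thumbprint and expiry.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($fed.SigningCertificate))
            $row.IssuerUri                  = $fed.IssuerUri
            $row.PassiveLogOnUri            = $fed.PassiveLogOnUri
            $row.TokenSigningCertThumbprint = $cert.Thumbprint
            $row.TokenSigningCertExpires    = $cert.NotAfter
        }
        [pscustomobject]$row
    }
}

function Test-DirectorySyncHealth {
    # Tenant-wide sync state: this is what "already connected" looks like.
    $company  = Get-MsolCompanyInformation
    $lastSync = $company.LastDirSyncTime          # reported in UTC
    $stale    = $false
    if ($company.DirectorySynchronizationEnabled) {
        $stale = ($null -eq $lastSync) -or
                 (((Get-Date).ToUniversalTime() - $lastSync) -gt $MaxSyncAge)
    }
    [pscustomobject]@{
        DirSyncEnabled          = $company.DirectorySynchronizationEnabled
        PasswordHashSyncEnabled = $company.PasswordSynchronizationEnabled
        LastDirSyncTime         = $lastSync
        LastPasswordSyncTime    = $company.LastPasswordSyncTime
        SyncIsStale             = $stale
    }
}

function Get-UserIdentitySource {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # A synchronised user carries an ImmutableId (the base64 objectGUID from
    # LAD); a cloud-only account has none and is unaffected by a LAD outage.
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $source = if ($u.ImmutableId) { 'Synchronised from LAD' } else { 'Cloud-only' }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Source            = $source
        ImmutableId       = $u.ImmutableId
        LastDirSyncTime   = $u.LastDirSyncTime
    }
}

Get-DomainSignInMode | Format-Table -AutoSize
Test-DirectorySyncHealth
# Placeholder UPN (assumed); replace with a real user in your tenant.
Get-UserIdentitySource -UserPrincipalName 'someone@example.com'
```

Run it from a Windows PowerShell session that can reach the tenant; a `Federated` domain whose `TokenSigningCertExpires` is near, or whose `IssuerUri` is not your own ADFS farm, is the first thing to look at, and `SyncIsStale = True` on a synchronised tenant means password and account changes in LAD are no longer reaching the cloud.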