Getting Started with Azure AD and Hybrid Identities

Jason Himmelstein, SharePoint MVP

Office 365 Advisory Services Manager@sharepointlhornhttp://www.sharepointlonghorn.com

Todd Klindt, SharePoint MVP

SharePoint Principal Architect@toddklindthttp://www.toddklindt.com/blog

Who is this Todd Klindt guy?

SharePoint MVP since 2006

Speaker, writer, consultant, Aquarius, Iowa Native

Fan of all sorts of Microsoft technologies

Personal Blog

www.toddklindt.com/blog

Twitter me! @toddklindt

If you’re not already sick of him

http://www.toddklindt.com/netcast

That other guy… Jason something

• SharePoint Server MVP

• Office 365 Advisory Services Manager, Rackspace

• ITPro enthusiast, Business Intelligence geek,

& general technology fan boy

• Re-installed Texan, die-hard Spurs, Longhorns, & Jaguars fan

• Geek Blog: www.sharepointlonghorn.com

• On the Twitters: @sharepointlhorn

• GitHub: www.github.com/jasonhimmelstein

© SPintersection. All rights reserved.http://www.SPintersection.com

Agenda

History lesson

Defining Terminology

Active Directory Core Concepts & Concerns

Topology & Security

Use Cases

Homework

© SPintersection. All rights reserved.http://www.SPintersection.com

History lesson

© SPintersection. All rights reserved.http://www.SPintersection.com

History lesson

The dark days – SharePoint 2003 & 2007

© SPintersection. All rights reserved.http://www.SPintersection.com

History lesson

Age of enlightenment - SharePoint 2010

© SPintersection. All rights reserved.http://www.SPintersection.com

History lesson

Age of the Internet - SharePoint 2013

© SPintersection. All rights reserved.http://www.SPintersection.com

Defining Terminology

© SPintersection. All rights reserved.http://www.SPintersection.com

Defining Terminology

Active Directory

User Principal Name

Azure Active Directory

Identity as a Service

DirSync

ADFS

Azure AD Connect

Azure AD Connect: Your Identity Bridge

Azure AD

Connect(sync + sign on)

Active Directory

LDAP

Hybrid Identity management

Azure Active Directory ConnectConsolidated deployment assistant for your identity bridge components

Common monitoring for your identity bridge components

© SPintersection. All rights reserved.http://www.SPintersection.com

Active Directory Core Concepts & Concerns

FSMO roles, AD DNS, WINS, NETBIOS, etc

Dirty, dirty directories

2003 (Everyone group) --> 2008 (Authenticated Users group)

IsCriticalSystemObject objects not synced (like Domain Users)

UPN issues around migration

Schema extensions

© SPintersection. All rights reserved.http://www.SPintersection.com

Topology & Security

ADFS vs DirSync

Multifactor Auth

© SPintersection. All rights reserved.http://www.SPintersection.com

Same Sign On scenario

© SPintersection. All rights reserved.http://www.SPintersection.com

Single Sign On scenario

© SPintersection. All rights reserved.http://www.SPintersection.com

Highly Available Auth scenario

© SPintersection. All rights reserved.http://www.SPintersection.com

Use Cases

Old environment moving to a new Hybrid Estate

New Farm Identities

Extranet situations

© SPintersection. All rights reserved.http://www.SPintersection.com

Pre-requisites for Installing Azure AD Connect

Office 365 tenant

1 Registered Domain URL

2 Machines

1 AD Domain Controller (ADDC)

Windows 2003 or later

1 Domain member server

Windows 2008 or greater

But really, Windows 2012 R2

© SPintersection. All rights reserved.http://www.SPintersection.com

Downloads

Package downloads on member server

Azure AD Connect

http://go.microsoft.com/fwlink/?linkid=615771&clcid=0x409

PowerShell Bits Windows PowerShell cmdlets for Office 365 management and deployment

https://www.microsoft.com/en-us/download/details.aspx?id=35588

Microsoft Online Services Sign-In Assistant for IT Professionals RTW http://www.microsoft.com/en-us/download/details.aspx?id=41950

Azure AD Module for Windows PowerShell http://go.microsoft.com/fwlink/p/?linkid=236297

© SPintersection. All rights reserved.http://www.SPintersection.com

CSSA (The Cloud Search Service Application)

Introduced in the August 2015 CU for SharePoint 2013

Combines on-prem Search index and SharePoint Online Search

Not Federation

Search results are not separated

Does not require a Search index on-prem

Allows cloud services to include on-prem content

Getting Comfortable with the new hybrid Cloud Search Service in SharePoint 2013

© SPintersection. All rights reserved.http://www.SPintersection.com

What are we can do…

“It’s not over complicating things… it’s fun!”

Using PowerShell to manage Office 365

“How screw up and lose friends”

Tales of woe from the field & what not to do

“Licensing a cat”

Creating accounts, syncing them & applying licenses

© SPintersection. All rights reserved.http://www.SPintersection.com

Param(

[Parameter(Mandatory=$true)]

[ValidateNotNullOrEmpty()]

[string] $User

)

# Add the Active Directory bits and not complain

if they're already there

Import-Module ActiveDirectory -ErrorAction

SilentlyContinue

Real world example

© SPintersection. All rights reserved.http://www.SPintersection.com

# Add the Azure Active Directory module

Import-Module MSOnline

# Define AD group that is synced to AAD and is

used for ODFB audience

$syncgroupname = "CloudSync"

$syncgroup =Get-ADGroup $syncgroupname

© SPintersection. All rights reserved.http://www.SPintersection.com

# Location to AAD Connect manual sync EXE

$syncclient = "C:\Program Files\Microsoft Azure AD

Sync\Bin\DirectorySyncClientCmd.exe"

# Name of the Azure License to apply

$license = "reseller-account:ENTERPRISEPACK"

© SPintersection. All rights reserved.http://www.SPintersection.com

# Azure AD domain suffix

$aadsuffix = "rackhybrid4.com"

# First, add the user to the group

Add-ADGroupMember -Identity $syncgroupname -

Members $User

# Remind them to recompile their SharePoint

audience

Write-Host "You'll need to recompile your

SharePoint audience to reflect the group change"

© SPintersection. All rights reserved.http://www.SPintersection.com

# Sync up to Azure AD

& $syncclient

# Now tweak the user in Azure AD

# First connect

Connect-MsolService

# Get the user

$aaduser = "$user@$aadsuffix"

© SPintersection. All rights reserved.http://www.SPintersection.com

# Set the user's location. Without that the

license will fail

Set-MsolUser -UserPrincipalName $aaduser -

UsageLocation "US"

# Set the user's license

Set-MsolUserLicense -UserPrincipalName $aaduser -

AddLicenses $license

© SPintersection. All rights reserved.http://www.SPintersection.com

MIM (Microsoft Identity Management)

The next version of FIM

ILM

MIIS

What are they trying to hide?

Better cloud and Windows 10 & 2016 support

Don’t upgrade SharePoint FIM

AD Team Blog Post

© SPintersection. All rights reserved.http://www.SPintersection.com

The Hybrid Picker

Helps you configure your hybrid options

Requires August 2015 CU

Shows up in Admin Tenant Console

Plan for the SharePoint Hybrid Picker

© SPintersection. All rights reserved.http://www.SPintersection.com

Links For Clicking

The Microsoft Cloud Show episode on Azure AD dev

Q & A