Getting Started with Azure AD and Hybrid Identities Jason Himmelstein, SharePoint MVP Office 365 Advisory Services Manager @sharepointlhorn http://www.sharepointlonghorn.com Todd Klindt, SharePoint MVP SharePoint Principal Architect @toddklindt http://www.toddklindt.com/blog
Who is this Todd Klindt guy? SharePoint MVP since 2006 Speaker, writer, consultant, Aquarius, Iowa Native Fan of all sorts of Microsoft technologies Personal Blog www.toddklindt.com/blog Twitter me! @toddklindt If you're not already sick of him http://www.toddklindt.com/netcast
That other guy Jason something SharePoint Server MVP Office 365 Advisory Services Manager, Rackspace ITPro enthusiast, Business Intelligence geek, & general technology fan boy Re-installed Texan, die-hard Spurs, Longhorns, & Jaguars fan Geek Blog: www.sharepointlonghorn.com On the Twitters: @sharepointlhorn GitHub: www.github.com/jasonhimmelstein
Agenda History lesson Defining Terminology Active Directory Core Concepts & Concerns Topology & Security Use Cases Homework
History lesson
History lesson The dark days SharePoint 2003 & 2007
History lesson Age of enlightenment - SharePoint 2010
History lesson Age of the Internet - SharePoint 2013
Defining Terminology
Defining Terminology Active Directory DirSync User Principal Name ADFS Azure Active Directory Azure AD Connect Identity as a Service
Azure AD Connect: Your Identity Bridge Azure AD Connect (sync + sign on) LDAP Active Directory
Hybrid Identity management Azure Active Directory Connect Consolidated deployment assistant for your identity bridge components Common monitoring for your identity bridge components
Active Directory Core Concepts & Concerns FSMO roles, AD DNS, WINS, NETBIOS, etc Dirty, dirty directories 2003 (Everyone group) --> 2008 (Authenticated Users group) IsCriticalSystemObject objects not synced (like Domain Users) UPN issues around migration Schema extensions
Topology & Security ADFS vs DirSync Multifactor Auth
Same Sign On scenario
Single Sign On scenario
Highly Available Auth scenario
Use Cases Old environment moving to a new Hybrid Estate New Farm Identities Extranet situations
Pre-requisites for Installing Azure AD Connect Office 365 tenant 1 Registered Domain URL 2 Machines 1 AD Domain Controller (ADDC) Windows 2003 or later 1 Domain member server Windows 2008 or greater But really, Windows 2012 R2
Downloads Package downloads on member server Azure AD Connect http://go.microsoft.com/fwlink/?linkid=615771&clcid=0x409 PowerShell Bits Windows PowerShell cmdlets for Office 365 management and deployment https://www.microsoft.com/en-us/download/details.aspx?id=35588 Microsoft Online Services Sign-In Assistant for IT Professionals RTW http://www.microsoft.com/en-us/download/details.aspx?id=41950 Azure AD Module for Windows PowerShell http://go.microsoft.com/fwlink/p/?linkid=236297
CSSA (The Cloud Search Service Application) Introduced in the August 2015 CU for SharePoint 2013 Combines on-prem Search index and SharePoint Online Search Not Federation Search results are not separated Does not require a Search index on-prem Allows cloud services to include on-prem content Getting Comfortable with the new hybrid Cloud Search Service in SharePoint 2013
What we can do: It's not over complicating things, it's fun! Using PowerShell to manage Office 365. How to screw up and lose friends: tales of woe from the field & what not to do. Licensing a cat. Creating accounts, syncing them & applying licenses.
Real world example

Param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $User
)

# Add the Active Directory bits and not complain if they're already there
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Add the Azure Active Directory module
Import-Module MSOnline

# Define AD group that is synced to AAD and is used for the OneDrive for Business (ODFB) audience
$syncgroupname = "CloudSync"
$syncgroup = Get-ADGroup $syncgroupname

# Location of the AAD Connect manual sync EXE
$syncclient = "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"

# Name of the Azure License to apply (tenant:SKU format)
$license = "reseller-account:enterprisepack"

# Azure AD domain suffix
$aadsuffix = "rackhybrid4.com"

# First, add the user to the group
Add-ADGroupMember -Identity $syncgroupname -Members $User

# Remind them to recompile their SharePoint audience
Write-Host "You'll need to recompile your SharePoint audience to reflect the group change"

# Sync up to Azure AD
& $syncclient

# Now tweak the user in Azure AD
# First connect
Connect-MsolService

# Build the user's Azure AD UPN
$aaduser = "$User@$aadsuffix"

# Set the user's location. Without that the license will fail
Set-MsolUser -UserPrincipalName $aaduser -UsageLocation "US"

# Set the user's license
Set-MsolUserLicense -UserPrincipalName $aaduser -AddLicenses $license
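Added pre-flight example, not from the deck or its authors: before running the script above, it checks the AD Core Concepts & Concerns slide's traps (IsCriticalSystemObject objects never syncing, UPN suffix not being a verified tenant domain) and that the license SKU actually has a free seat. It assumes the same ActiveDirectory and MSOnline cmdlets and the same inputs ($User, the CloudSync group, the license SKU) as the script; the function name Test-HybridUserReady is mine.

```powershell
# Pre-flight checks for the sync-and-license script (added example, assumed helper name)
function Test-HybridUserReady {
    Param(
        [Parameter(Mandatory=$true)][string] $User,
        [Parameter(Mandatory=$true)][string] $SyncGroupName,
        [Parameter(Mandatory=$true)][string] $License
    )
    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    Import-Module MSOnline
    Connect-MsolService
    $ok = $true

    # 1. The user must exist and must not be a critical system object (those never sync)
    $adUser = Get-ADUser -Identity $User -Properties userPrincipalName, isCriticalSystemObject -ErrorAction Stop
    if ($adUser.isCriticalSystemObject) {
        Write-Warning "$User is flagged IsCriticalSystemObject and will not be synced by Azure AD Connect"
        $ok = $false
    }

    # 2. Same check for the sync group (Domain Users is the classic trap)
    $adGroup = Get-ADGroup -Identity $SyncGroupName -Properties isCriticalSystemObject -ErrorAction Stop
    if ($adGroup.isCriticalSystemObject) {
        Write-Warning "$SyncGroupName is a critical system object; its members won't sync as an audience"
        $ok = $false
    }

    # 3. The UPN suffix must be a verified domain in the tenant, otherwise the user
    #    lands in Azure AD as user@tenant.onmicrosoft.com and the license step fails
    $suffix = ($adUser.UserPrincipalName -split '@')[-1]
    $verified = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | Select-Object -ExpandProperty Name
    if (-not $adUser.UserPrincipalName -or $verified -notcontains $suffix) {
        Write-Warning "UPN suffix '$suffix' is not a verified tenant domain (verified: $($verified -join ', '))"
        $ok = $false
    }

    # 4. Don't try to assign a license that doesn't exist or has no free seats
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $License }
    if (-not $sku) {
        Write-Warning "License SKU '$License' not found in this tenant"
        $ok = $false
    } elseif ($sku.ConsumedUnits -ge $sku.ActiveUnits) {
        Write-Warning "License SKU '$License' has no free seats ($($sku.ConsumedUnits)/$($sku.ActiveUnits) used)"
        $ok = $false
    }
    return $ok
}

# Usage with the deck's values; stop before touching AD or Azure AD if anything is wrong
if (-not (Test-HybridUserReady -User $User -SyncGroupName 'CloudSync' -License 'reseller-account:enterprisepack')) {
    throw "Pre-flight failed; fix the warnings above before syncing"
}
```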
MIM (Microsoft Identity Management) The next version of FIM, ILM, MIIS What are they trying to hide? Better cloud and Windows 10 & 2016 support Don't upgrade SharePoint FIM AD Team Blog Post
The Hybrid Picker Helps you configure your hybrid options Requires August 2015 CU Shows up in Admin Tenant Console Plan for the SharePoint Hybrid Picker
Links For Clicking The Microsoft Cloud Show episode on Azure AD dev
Q & A