You're reading from Mastering Identity and Access Management with Microsoft Azure

Product type: Book
Published in: Sep 2016
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781785889448
Edition: 1st Edition

Author: Jochen Nickel

Jochen Nickel is a Cloud, Identity and Access Management Solution Architect with a clear focus and in-depth technical knowledge of Identity and Access Management. He is currently working for inovit GmbH in Switzerland leading and executing projects in the field of Identity and Access Management including Data Classification and Information protection. Jochen is focused on Microsoft Technologies, especially in the Enterprise Mobility + Security Suite, Office 365 and Azure. He is an established speaker at many technology conferences like Azure Bootcamps, TrustInTech Meetups or the Experts Live Switzerland and Europe.

Chapter 13. Delivering Multi-Forest Hybrid Architectures

Today, it is common for organizations to run several Active Directory forests, whether for historical reasons, to implement a resource and account forest scenario, or to separate services from user accounts. Given these environments, there is a clear need to discuss the different options available for synchronizing identities to the AAD and using them with Office 365. In this chapter, we will discuss the three most commonly used scenarios in the field and the synchronization and authentication options you can use to design a suitable and flexible IAM solution. Additionally, we will cover the alternate login ID options and the Azure Active Directory Authentication Library (ADAL), for use with the new modern authentication scenarios in Office 365 and the Office suite installed on your computer. A solution without monitoring would be dangerous, so we will also take a deep dive into the AAD Connect Health functionality...

Enabling identity synchronization in multi-forest environments


In this section, we will describe the required information for designing the synchronization in multi-forest environments with the Azure AD Connect tool. This section is divided into the following topics:

  • UPN suffix decisions (recap)

  • Supporting the separate technologies scenario

  • Handling a full mesh scenario with optional GAL synchronization

  • Providing synchronization for an account and resource forest scenario

  • Understanding AAD Connect Rule Precedence logic

First, we will start with a short recap of UPN suffixes and how Azure AD Connect handles the different UPN states and configurations.

UPN suffix decisions (recap)

As we have already mentioned, the UserPrincipalName (UPN) is one of the most relevant user attributes in the connection between a local Active Directory and the Azure Active Directory (AAD). AAD Connect follows the rules shown in the following figure:

As you can see in the previous figure, AAD Connect uses...
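The most common UPN pitfall in a multi-forest synchronization is a UPN suffix that is not a verified domain in the tenant: Azure AD Connect then provisions the user with the default <tenant>.onmicrosoft.com suffix instead. The following added example (not code from the book) reports such users across several forests before synchronization is enabled; it assumes the ActiveDirectory and MSOnline modules are installed and the domain controller names are placeholders.

```powershell
# Added example (not from the book): find on-premises users whose UPN suffix
# is not a verified Azure AD domain, per forest. Server names are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

Connect-MsolService

# Only verified domains survive synchronization as UPN suffixes unchanged.
$verifiedSuffixes = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name

# One domain controller per forest to query (placeholders).
$forests = @('dc01.corp.contoso.local', 'dc01.resource.fabrikam.com')

$findings = foreach ($server in $forests) {
    Get-ADUser -Server $server -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        ForEach-Object {
            if (-not $_.UserPrincipalName) {
                # Users without a UPN fall back to the default suffix as well.
                [pscustomobject]@{ Forest = $server; Sam = $_.SamAccountName
                                   Upn = ''; Issue = 'UPN not set' }
                return
            }
            $suffix = ($_.UserPrincipalName -split '@')[-1]
            if ($verifiedSuffixes -notcontains $suffix) {
                [pscustomobject]@{ Forest = $server; Sam = $_.SamAccountName
                                   Upn = $_.UserPrincipalName
                                   Issue = "Suffix '$suffix' is not a verified AAD domain" }
            }
        }
}

# Typical hits: .local suffixes in an account forest, or suffixes that were
# never added to the tenant. Fix these before enabling synchronization.
$findings | Sort-Object Forest, Sam | Format-Table -AutoSize
```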

Guidance through federation in multi-forest environments


Authenticating users in multi-forest environments is just a bit more complex than in a typical single-forest deployment. You should already be familiar with the basics of the different authentication protocols and AD FS from the previous chapters. Configuring the integration with Office 365 is a straightforward process: the Convert-MsolDomainToFederated command creates everything needed in your AD FS configuration. With the SupportMultipleDomain switch, you specify that you are federating more than one domain, as in a multi-forest scenario.
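The following added example (not code from the book) walks through federating one verified domain per forest with a single AD FS farm using the cmdlet and switch named above, and then checks that each domain received its own IssuerUri, which is what SupportMultipleDomain provides. It assumes the MSOnline module, and the AD FS server and domain names are placeholders.

```powershell
# Added example (not from the book): federate several domains with one AD FS
# farm and verify per-domain issuers. Server and domain names are placeholders.
Import-Module MSOnline

Connect-MsolService
# Point the MSOnline cmdlets at the primary AD FS server of the farm.
Set-MsolAdfsContext -Computer 'adfs01.corp.contoso.com'

$domains = @('contoso.com', 'fabrikam.com')   # one verified suffix per forest

foreach ($domain in $domains) {
    $state = Get-MsolDomain -DomainName $domain
    if ($state.Status -ne 'Verified') {
        Write-Warning "$domain is not verified in Azure AD; skipping"
        continue
    }
    if ($state.Authentication -eq 'Federated') {
        Write-Host "$domain is already federated"
        continue
    }
    # SupportMultipleDomain is required as soon as more than one domain is
    # federated with the same farm: AD FS then issues a distinct issuer per
    # UPN suffix instead of the single farm-wide identifier.
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
}

# Verification: every federated domain must carry a distinct IssuerUri,
# otherwise Azure AD cannot map an incoming token to the right domain trust.
$settings = foreach ($domain in $domains) {
    Get-MsolDomainFederationSettings -DomainName $domain |
        Select-Object @{ n = 'Domain'; e = { $domain } }, IssuerUri, PassiveLogOnUri
}
$settings | Format-Table -AutoSize

$duplicates = $settings | Group-Object IssuerUri | Where-Object Count -gt 1
if ($duplicates) {
    Write-Error "Duplicate IssuerUri found: $($duplicates.Name -join ', ')"
}
```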

Next, we will start with the supported and possible scenarios in the case of using multiple forests and Office 365. We will focus on the AD FS server deployment. Furthermore, you can always attach an AD FS proxy/WAP to these scenarios.

This section will cover the following scenarios:

  • Typical single-forest deployment

  • Two or more Active Directory forests running separate AD FS instances

  • Running one AD FS instance...

Using alternate login ID and ADAL


In special scenarios, you need to work with the alternate login ID concept. In this case, you use an attribute other than the UPN, for example, the e-mail address. Be aware that this approach is usually the last option (in our opinion). Normally, we always try to work out our solutions using the UPN.

This section will cover the following topics:

  • Disassociation of AAD UPN from AD DS UPN and trade-offs

  • What does modern authentication mean?

  • How does Outlook authentication work today?

  • How authentication happens with Word and SharePoint Online

Disassociation of AAD UPN from AD DS UPN and trade-offs

If you choose the alternate login ID, your AAD instance will still require a username in the UPN format, such as jnick@inovit.ch. To provide this solution, you need to customize your AAD Connect (or other synchronization solution) and your federation options. The following figure gives you an idea of the solution design and the different authentication flows:

...

Comparing AD FS against Azure B2B/B2C


In this section, we will provide you with some helpful information to differentiate between AD FS and the Azure B2B and B2C functionality. We used to have many discussions before the two services, Azure B2B and B2C, became available in preview. This section is divided into two areas:

  • Comparing AD FS versus Azure B2B

  • Comparing AD FS versus Azure B2C

Comparing AD FS versus Azure B2B

We will start with the main differences between AD FS and the Azure B2B scenario. With Azure B2B comes the capability to invite users from partner organizations to access applications on your own AAD instance. With AD FS, you could provide the same functionality with claims provider trusts to any partner organization based on AD FS.

However, you will hit the following differences:

  • With AD FS, you are very flexible and can run any customized scenario

  • However, the following requirements need to be fulfilled:

    • Partner requires Federation Service

    • Certificate handling

    • Administrative...

Designing ADFS 4.0 identity and attribute stores


In the previous chapters, we discussed different solution patterns with ADFS, including the relying party trusts and the claims rule language. On top of these features, we will focus on several capabilities that will soon be available with the new Windows Server 2016. Many of these scenarios were already available in Windows Server 2012 R2, so you only need to upgrade if you want to use these extended solutions. The section is separated into two main areas:

  • Using a custom attribute store to populate claims

  • Using a new identity store as claims provider

First, we will start with the custom attribute stores.

Using a custom attribute store to populate claims

Basically, attribute stores are data sources that can be used to populate claims. For business reasons, you can provide additional information in claims that are not stored in Active Directory. With ADFS, you can use the following additional attribute stores, which are shown in the following figure...

Summary


Working through this chapter, you should have gathered the knowledge to design a multi-forest identity synchronization and federation environment, including the AAD Connect Health service for monitoring. Additionally, you should have discovered the most relevant concepts of the new AAD Authentication Library (ADAL) and be able to describe a practical example, such as the usage of Word and SharePoint Online. Finally, you should be able, and feel comfortable, to design a complex hybrid IAM platform with multiple forests. You should also be able to compare AD FS and Azure B2B/B2C functionality for your own design needs. Last but not least, we provided ideas on using additional identity and attribute stores with the new Windows Server 2016 ADFS 4.0 capabilities, which will help you support external user scenarios with a rich set of claims and authentication options.

In the following chapter, we will install and configure the enhanced identity infrastructure. In particular...
