It has been a while since I last blogged about anything. Well, you know how it is: work, life, family, and so on. The habit of writing about your project experience is the last thing on your mind when you go through all of the above day after day, for weeks, months, and, in my case, an entire year. However, I have been working on Microsoft's cloud-based identity management solution, Azure Active Directory Premium, and have been tasked with implementing it in my company. It is quite intriguing and fascinating, which is leading me to open up my dusty notebook and write some more about my experience implementing this innovative solution.
In case you don't know what Azure AD Premium is: it is a part of the Microsoft Enterprise Mobility Suite (EMS). The Azure AD Premium feature set was developed to support four scenarios: your directory in the cloud, centrally managed identities and access, monitoring and protecting access to cloud applications, and empowering end users. Let's get into the weeds of what this solution will deliver for us.
OVERVIEW:
Like many other companies out there, we are also exploring the possibilities of getting into the cloud. We host the majority of our environment on premises, but it doesn't hurt to explore some features of the Office 365 cloud, and where better to start than by implementing Azure AD Premium. The three key objectives we are trying to accomplish with this are:
- Self-Service Password Reset Portal
- Multi-factor Authentication (MFA)
- Single Sign On (SSO)
Now, no one is talking about moving everything to the cloud; instead, we are building a foundation to move to the cloud in the future, and there is indeed an IF and a WHEN. Overall, it will be a hybrid Azure AD Premium build-out and will serve both on-premises and cloud accounts, access, authentication, and applications.
ARCHITECTURE:
From an architecture standpoint, it is VERY important to understand what the business driver is here. Start by speaking with the stakeholders and obtaining their perspective on how they would utilize this solution. This will help you determine the final architecture of the solution before you present it back to the stakeholders and upper management. In our case, we will be presenting a hybrid model where on premises and cloud coexist with one another. The architecture would be similar to this:


IMPLEMENTATION:
Since I will not be covering a lot of operational steps, such as getting the right licenses in place or identifying pilot users, I will only mention some of these steps during the implementation stage, because proper licenses are needed to implement anything related to the Premium environment. Here are some of the key stages of implementation:
- Upgrade your existing DirSync (Directory Sync) to Azure AD Connect. Make sure password writeback is enabled during the upgrade process, since the Self-Service Password Reset portal depends on it to write new passwords back to on-premises AD
- Have your licenses in order in the Office 365 portal. In our case, we purchased EMS (Enterprise Mobility Suite), which provides us with Azure AD Premium, MFA, and Rights Management Services for future Exchange Online mailboxes
- Have the designated administrator be a member of the Global Admin role in the Office 365 portal
- Access the Azure AD portal at https://manage.windowsazure.com with your global admin account
- Customize the Azure AD Premium application login page. See the link below for great instructions from MS on how to do it
- https://azure.microsoft.com/en-us/documentation/articles/active-directory-add-company-branding/
- One point I would make is that if you have ADFS in your environment and you are federating your primary domain, such as companyxyz.com, with ADFS, then you will need to customize your ADFS login page to match the Azure AD Premium customization
- Build the Self-Service Password Reset portal
- Follow this post by Microsoft to get this step accomplished. It isn't just turning on the feature; a lot of decision making needs to happen before this feature and its subsets are enabled
- https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords/
- Configure Multi-Factor Authentication
- MFA is designed to provide an added layer of security for the applications that are moving to the cloud for Single Sign On. You can utilize MFA to require a second factor of authentication. To see the available authentication methods, please read this article
- https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
- Azure Single Sign On
- From my perspective, the thing I'm most excited about is the implementation of a Single Sign On solution through cloud services
- Our plan is to migrate our SSO capabilities for various applications from the on-premises ADFS farm to Azure SSO
- There is a lot of technical planning that goes into it, but from my experience architecting application moves to the Azure cloud, the first thing you want to confirm is whether your application supports SAML 2.0
- There are two types of initiation when it comes to SAML 2.0: SP-initiated and IDP-initiated
- In IDP-initiated SSO (unsolicited Web SSO), the federation process is initiated by the IDP sending an unsolicited SAML Response to the SP
- In SP-initiated SSO, the SP generates an AuthnRequest that is sent to the IDP as the first step in the federation process, and the IDP then responds with a SAML Response
- https://azure.microsoft.com/en-us/documentation/videos/overview-of-single-sign-on/
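To make the difference between the two SAML 2.0 flows above concrete, here is an added example (not code from the original post or from Microsoft) of what the SP side should check when a SAML Response arrives: a Response with no InResponseTo attribute is IDP-initiated (unsolicited), while one that carries InResponseTo must match an AuthnRequest the SP actually issued, and only once. The entity IDs are hypothetical, the Response is a constructed, unsigned stand-in, and XML signature validation is left out of scope.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical entity IDs, not taken from the original post.
SP_ENTITY_ID = "https://app.companyxyz.com/sp"
IDP_ENTITY_ID = "https://idp.example.invalid/saml2"


def build_authn_request(outstanding: set) -> str:
    """SP-initiated step 1: the SP mints an AuthnRequest and records its ID."""
    req_id = "_" + secrets.token_hex(16)
    outstanding.add(req_id)
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{req_id}" Version="2.0" Destination="{IDP_ENTITY_ID}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def make_response(in_response_to=None) -> str:
    """Constructed, unsigned stand-in for the IDP's Response (no signature)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0"{irt}>'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer></samlp:Response>')


def classify_response(response_xml: str, outstanding: set) -> str:
    """Return 'sp-initiated' or 'idp-initiated'; raise on an unknown or reused ID."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated"  # unsolicited: the IDP started the flow
    if in_response_to not in outstanding:
        raise ValueError("InResponseTo does not match an outstanding request")
    outstanding.discard(in_response_to)  # one-time use blocks replay
    return "sp-initiated"


def demo() -> tuple:
    outstanding = set()
    req_id = ET.fromstring(build_authn_request(outstanding)).get("ID")
    sp = classify_response(make_response(req_id), outstanding)
    idp = classify_response(make_response(), outstanding)
    try:  # a second Response for the same request ID must be refused
        classify_response(make_response(req_id), outstanding)
        replay_refused = False
    except ValueError:
        replay_refused = True
    return sp, idp, replay_refused
```

In a real SP the outstanding-request set would be per-session and time-limited, and signature and Audience checks would run before this classification.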
CONCLUSION:
In closing, if your company is planning an Azure AD Premium implementation with all of the capabilities I mentioned above, you will really like the results, and the best part is that there is so much more you can integrate with it and explore, as Microsoft is always releasing the latest and greatest updates to improve its platform.