In this E-book, we are going to talk about how Azure Active Directory can be used to extend on-premise user identities to the Cloud so that users can continue to use and connect to corporate resources while on the move.
Extending an on-premise Windows Server Active Directory (AD) infrastructure into the Cloud is an important topic to consider when planning the migration or implementation of cloud-based applications.
In current modern working environments, users expect to be able to work from any location using a variety of devices like mobile phones, tablets, and laptops. These devices can be used to connect to corporate services and data located on-premise or in the cloud.
The explosion of devices is eroding the standards-based approach to corporate IT and bringing challenges to IT professionals. Users need to be productive while being able to access corporate services in a compliant and secure way. Corporate services need to know and trust the identity of the connecting user in order to allow or deny access to them.
Identity for Microsoft Cloud Services
Microsoft offers two types of “clouds”:
- “Public Cloud” for end-users, containing your personal Microsoft account that gives access to services like Xbox Live, Outlook.com and OneDrive.
- “Enterprise Cloud”, containing your Microsoft Azure Active Directory account that gives you access to enterprise services like Office 365, Microsoft Dynamics, Intune, amongst others. The “Enterprise Cloud” can also be configured to expose services using your corporate domain name (e.g., your corporate email address).
Microsoft supports different types of identity models:
- Cloud Identity – This is used by companies that do not have on-premise servers. Typically used by small businesses that only require cloud-based services like Office 365.
- Synchronised Identity – This is the most commonly used model and is used by companies that have a mixture of Cloud and on-premise services. This model allows the user to use the same identity (username and password) to connect to both on-premise and cloud services. This is accomplished by keeping a copy of the user identity in the Cloud that is held in sync with the on-premise identity.
- Federated Identity – This model allows users to connect to corporate services using identities provided by a wide range of external identity providers (e.g., social providers like Facebook, LinkedIn, etc.).
You will need to look into your company’s specific requirements to determine which model is best for your needs. If your requirements change, you will be able to switch to a different model: you are not locked to your original choice, but changing models may require substantial work.
The Microsoft Azure Infrastructure
Microsoft Azure provides a worldwide infrastructure that allows users to connect from anywhere in the world in a fast and reliable way. This infrastructure is made of 54 regions worldwide connected by more than 100,000 miles of fibre and subsea cables and containing over 130 edge sites that allow connections directly to the fibre network.
Some of the options to extend your corporate services to the Cloud are:
- Hybrid Cloud – Use Azure virtual networks to extend your Datacenter into the Cloud and create hybrid applications (you can find more on hybrid apps here: https://docs.microsoft.com/en-us/hybrid/app-solutions/overview-patterns-solution-examples).
- Identity Management – Extend your identity to the Cloud and connect to a variety of services like Office 365, Azure, and third-party SaaS (Software as a Service) services.
The Hybrid Cloud
Some of the benefits of adopting a Hybrid Cloud approach are:
- Global Scale and Reach – As discussed before, Azure has over 54 regions worldwide; this means that you will always be able to find a datacentre relatively close to you and your customers.
- Time savings – There has been a reported 97% improvement in setting up and configuring development and test environments and ongoing maintenance.
- Business Continuity – Ensure constant app availability across all the regions by having applications, services, and data available.
Extend Your Infrastructure
Own the base, rent the rest! Extend your Datacenter by building capacity on-demand.
With Windows Azure, you can literally create a virtual “datacenter” in the Cloud. You can do this by leveraging a feature called Virtual Network (VNET), which allows you to create a logically isolated section of Azure and treat it like your own network. You can customise the network configuration for a VNET, create subnets, assign private IP addresses, and bring your own DNS server if you wish.
Within a virtual network, you can create a public-facing subnet for your webservers that provide public-facing access to the Internet and place your backend systems, such as databases or application servers, in a private-facing subnet with no Internet access.
You can connect your Datacenter to these Azure VNETs using a VPN. This way, you will be treating the virtual network in Azure, almost as if it were an extension of your on-premise Datacenter. You can domain join your VMs with an AD running on-premises or an AD running inside of the virtual network. You can have hybrid multi-tier apps with perhaps the presentation and logic tiers running in Azure, and the database tier running on-premises for compliance reasons.
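As an added illustration (not code from the e-book or from Microsoft's own documentation), the Az PowerShell script below builds the two-subnet layout just described: a web subnet that admits only HTTPS from the Internet, and a backend subnet whose network security group drops every outbound packet to the Internet while still allowing traffic inside the VNET and over the VPN. The resource group, region, address ranges and on-premise DNS server address are assumed values.

```powershell
# Added example, not from the e-book. Requires the Az module and an authenticated session.
$rg       = 'hybrid-rg'      # assumed resource group name
$location = 'westeurope'     # assumed region
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Web tier NSG: only HTTPS from the Internet is admitted; everything else inbound from the
# Internet falls through to the default DenyAllInBound rule.
$webIn = New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443
$webNsg = New-AzNetworkSecurityGroup -Name 'web-nsg' -ResourceGroupName $rg `
    -Location $location -SecurityRules $webIn

# Backend tier NSG: only the web subnet may reach SQL, and nothing may leave for the Internet.
# The built-in AllowVnetOutBound rule (priority 65000) still permits traffic inside the VNET
# and to on-premise ranges reachable through the VPN gateway, so the tier is not cut off.
$dbIn = New-AzNetworkSecurityRuleConfig -Name 'allow-sql-from-web' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 1433
$noInternet = New-AzNetworkSecurityRuleConfig -Name 'deny-internet-out' -Priority 100 `
    -Direction Outbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
$backendNsg = New-AzNetworkSecurityGroup -Name 'backend-nsg' -ResourceGroupName $rg `
    -Location $location -SecurityRules $dbIn, $noInternet

# Two subnets, each bound to its NSG.
$webSubnet     = New-AzVirtualNetworkSubnetConfig -Name 'web' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $webNsg
$backendSubnet = New-AzVirtualNetworkSubnetConfig -Name 'backend' `
    -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $backendNsg

# -DnsServer points the VNET at the on-premise domain controller (assumed address) so that
# domain-joined VMs can resolve the AD domain once the VPN is in place.
New-AzVirtualNetwork -Name 'hybrid-vnet' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $webSubnet, $backendSubnet -DnsServer '192.168.1.10'
```

Because NSG rules are evaluated by priority and the first match wins, the single deny rule at priority 100 is enough to block Internet egress from the backend; any later exception (for example Windows Update through a proxy) needs a lower-numbered allow rule in front of it.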
Windows Azure provides first-party tested Windows Server images for quickly deploying standard services like SharePoint, SQL, Active Directory, and also a variety of third-party applications. This makes it easier to implement these services in the Cloud.
Here are some use cases for extending your infrastructure to Azure:
- Hybrid apps and hybrid IT: When apps live both in the Cloud and on-premises and need to synch with an on-premises directory, simply bring DirSync into Virtual Machines.
- Specific AD capabilities in the Cloud: When applications in need of on-premises optimised AD capabilities are moving to cloud and Windows Azure Active Directory is not an option, bring your AD into Virtual Machines. Same AD, same skill sets and the same trustworthy capabilities.
- Identity sync with Office 365: When you need to sync identity with Office 365 and want to minimise your on-premises identity infrastructure, rely on running AD in Virtual Machines. Even when you have an on-premises identity infrastructure syncing with Office 365, simply build your high availability copy in Virtual Machines and keep working when internet connectivity is down.
- When you need to accommodate variable and increasing needs of .NET and Windows Server apps: spin up trustworthy infrastructure with no code changes required, use Windows Azure building blocks – such as Service Bus or Media Services and many more from partners in Windows Azure Store – to boost your existing app.
- When you want to participate in software as a service business model, as an app vendor, and host all or part of an existing .NET or Windows Server app in the Cloud with no changes, build your offer on scalable, trustworthy Windows Azure infrastructure.
As you think about using the public Cloud, some issues must be taken into consideration. These issues present challenges to IT departments but also create opportunities for SMBs.
If, like most organisations, you have your existing servers and IT infrastructure in either on-premise Datacenters or third-party colocation facilities, you also must have IT staff (in-house or from a third-party partner) to maintain it. When considering using the public cloud, you need to think about how you are going to integrate it with your current infrastructure to avoid throwing away your investment so far. This means that you may have to consider running applications with parts running on-premises and parts running off-premises.
You may also be running a variety of OSs, databases, middleware and toolsets from multiple IT vendors. In this case, you will want to make sure the Cloud you choose can handle your complex needs. Leveraging existing IT investments can be an essential and attractive decision in this situation.
If you have a mixture of on-premise services (e.g. LOB applications) and Cloud services (e.g. Office 365) you will want to make sure that your users can connect to all of them using a unique identity. This is where Azure AD can be a powerful service to create a seamless environment for your end-users.
Lastly, you can use the public Cloud to provide an environment for storage, backup and disaster recovery. Important company information, as well as the IT infrastructure, can be replicated, copied, or stored to provide business continuity when it is needed the most.
For users to have the best experience connecting to the corporate services in a secure way you need to:
- Unify your environment – Deliver a unified application and device management on-premise and in the Cloud.
- Enable Users – Allow users to work on the devices of their choice and provide consistent access to corporate resources using a unique identity.
- Protect your data – Help protect corporate information and manage risk.
Users are more productive having a single sign-on to access all of their resources. It’s also much easier and more secure for organisations to deal with a unique identity for each user instead of multiple identities. A single identity means a user will only have one set of credentials to remember, which minimises the “human nature” pitfalls of having to manage multiple passwords and usernames (e.g. password reminders on post-it notes).
Having the on-premise user identity replicated in Azure Active Directory gives users access to corporate resources on-premise and in the Cloud in a unified way. Users get access to services like Office 365, Intune and SaaS applications via their Azure Active Directory identity, and to on-premise resources (LOB Apps, Web Apps, file storage, etc.) using their on-premise identity provider (e.g. Active Directory, LDAP, etc.). Because these two identities are synchronised, the credentials the user presents to Cloud and on-premise resources are the same.
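As an added example (not part of the e-book), the PowerShell below checks that an on-premise user really is backed by a synchronised object in Azure AD rather than by a cloud-only account that merely shares the same sign-in name. Azure AD Connect anchors each cloud object to its source by storing the on-premise objectGUID, Base64-encoded, as the immutable ID, so recomputing that value and comparing it is a direct test of the link. The user name is an assumed value; the Microsoft Graph cmdlets need the Microsoft.Graph module, and the ADSync cmdlets at the end only exist on the Azure AD Connect server.

```powershell
# Added example, not from the e-book. The sAMAccountName is an assumed value.
$sam = 'jdoe'

# On-premise side: fetch the user and derive the anchor that Azure AD Connect writes.
Import-Module ActiveDirectory
$onPrem = Get-ADUser -Identity $sam -Properties objectGUID, userPrincipalName
$expectedAnchor = [Convert]::ToBase64String($onPrem.ObjectGUID.ToByteArray())

# Cloud side: read the synchronised object's anchor and sync status through Microsoft Graph.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
$cloud = Get-MgUser -UserId $onPrem.UserPrincipalName `
    -Property UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

if ($cloud.OnPremisesSyncEnabled -and $cloud.OnPremisesImmutableId -eq $expectedAnchor) {
    "$sam is synchronised; last sync $($cloud.OnPremisesLastSyncDateTime)"
} else {
    # Either a cloud-only account exists with the same UPN, or the anchor points at a
    # different on-premise object: in both cases the two identities are not linked.
    "$sam is NOT linked to the on-premise account (cloud anchor: $($cloud.OnPremisesImmutableId))"
}

# On the Azure AD Connect server: confirm the scheduler is running and trigger a delta sync,
# so a change made on-premise (e.g. a disabled account) reaches the Cloud without waiting
# for the next scheduled cycle.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta
```

The anchor comparison matters for joiners-movers-leavers handling: if an account is disabled on-premise, the Cloud copy only follows once the sync cycle has run, which is why the last step checks the scheduler rather than assuming the change has propagated.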
Which Identity Model to Choose
As we have seen before, there are three main models that you can choose from: Cloud, Sync and Federated. Which one to choose will depend on your organisation’s specific requirements.
- Cloud – With this model, the user identities are stored and managed in the Cloud. This usually is the most attractive solution to small businesses that do not have any on-premise infrastructure.
- Sync – This is the most commonly used model. It allows organisations to bridge their existing on-premise identity services into the Cloud and provide a seamless experience to end-users. This is accomplished by having a synchronised copy of the on-premise user identity in the Cloud.
- Federated – This model allows you to keep your on-premise identity infrastructure but also allows you to “Trust” identities from third-party identity providers like social providers (Facebook, LinkedIn, etc.) or other organisations (called B2B federated identity).
The diagram above should help you decide which route to take.
If you do not have an on-premise Active Directory (AD), you should take the cloud identities route, which will give you an identity managed by Azure AD that will allow you to connect to cloud services like Office 365, SaaS integrations, etc.
If you already have an on-premise AD, then you should take the Hybrid identities route, which will allow your users to access both on-premise and cloud services in a unified way using a single set of credentials.
Directory Integration Options
Two of the options to expand your services to the Cloud are:
- Integration with Azure Active Directory using the Azure AD Connect tool – with this approach, your users will have a copy of their on-premise identity in Azure Active Directory. This copy is kept in sync with the on-premise version using the “Azure AD Connect Tool”.
- Extend on-premises Active Directory, DNS and Line of Business (LOB) applications to Microsoft Azure using a VPN – This option allows you to take advantage of the Azure Infrastructure as a Service platform and move some of your on-premise services to the Cloud. The first step to implement this option is to extend the Active Directory Domain Services to Azure. Doing this will allow you to:
  - Support Cloud-based solutions that require NTLM or Kerberos authentication or domain-joined virtual machines.
  - Add additional cloud services and/or applications at any time in the future.
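As an added example, not from the e-book, here is how the first step of the second option (extending AD DS into Azure) can be scripted with PowerShell on an Azure VM that is already domain-joined over the VPN. It installs the AD DS role, gives the Azure address range its own AD site so that Azure VMs perform Kerberos and NTLM authentication against the local domain controller instead of crossing the VPN, and then promotes the VM as a replica domain controller. The domain name, site names, address range and data-disk paths are assumed values.

```powershell
# Added example, not from the e-book. Run in an elevated session on an Azure VM that is
# already joined to the on-premise domain, using domain admin credentials.
$domain     = 'corp.example.com'        # assumed on-premise AD domain
$azureSite  = 'Azure-WestEurope'        # assumed AD site name for the Azure VNET
$azureRange = '10.0.0.0/16'             # assumed VNET address space
$onPremSite = 'Default-First-Site-Name' # assumed name of the existing on-premise site

# 1. Install the AD DS role together with the ActiveDirectory PowerShell module.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ActiveDirectory

# 2. Give the Azure VNET its own site and subnet. Without this, Azure VMs may pick an
#    on-premise DC for authentication and send every logon across the VPN.
New-ADReplicationSite -Name $azureSite
New-ADReplicationSubnet -Name $azureRange -Site $azureSite
New-ADReplicationSiteLink -Name "$onPremSite-$azureSite" `
    -SitesIncluded $onPremSite, $azureSite -Cost 100 -ReplicationFrequencyInMinutes 15

# 3. Promote the VM as an additional (replica) domain controller for the existing domain.
#    The AD database and SYSVOL go on a separate data disk (F:, assumed) rather than the
#    OS disk, as recommended for domain controllers running in Azure.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
Install-ADDSDomainController -DomainName $domain -SiteName $azureSite -InstallDns `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -Message "Domain admin for $domain") -Force

# 4. After the reboot, confirm that the new DC replicates with the on-premise site.
repadmin /replsummary
```

The site and subnet objects are the part most often forgotten: they are what makes the DC in Azure the preferred authentication target for the VNET, and they keep the DC-to-DC replication schedule (here every 15 minutes) separate from client traffic on the VPN link.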