
We have a small business and currently don't have a need for a domain within our office. We have a basic network and a single server running Windows Server 2008 R2 with some file shares and 3rd party apps.

We use Office 365 and have a Windows Azure subscription. The two seem to be keeping the Active Directory for our organisation in sync pretty well (i.e. the data looks the same on both systems).

All of the third party apps we run on our app server support LDAP as an identity provider, but because we don't run a domain we are having to get each user to create a new login/password for these services.

Ideally we'd like to get this server to sync from Azure/Office 365 and allow users to then authenticate using their Office365 credentials.

All of the literature I have found talks about synchronising FROM on-premise to Azure, but we'd like to rather sync FROM Azure/Office 365 to our on-premise server. I guess our on-premise server becomes a federated identity provider for our Office 365 directory...

Is this possible or do we need some 3rd party LDAP provider that can federate identities from Azure or Office 365?

  • If you're running AD in Azure, you can just run requests against that DC. You may need a VPN to link your network with Azure, though. – Nathan C Nov 04 '13 at 16:56
  • @NathanC there's a difference between running a domain controller in an Azure VM instance (not what this fellow is doing) and running Azure AD w/ DirSync for your O365 tenant, which is what he's talking about. – MDMarra Nov 04 '13 at 17:25
  • @MDMarra Ah, learned something from someone else's question. :) – Nathan C Nov 04 '13 at 17:35
  • @NathanC yeah, Azure AD is something that exists in Azure and is accessible through a web interface for managing users, groups, and DirSync for use with Office 365 and Intune. It's not an actual server that you can log into interactively. It's some multitenant Microsoft AD variant with some web front-end special sauce. – MDMarra Nov 04 '13 at 17:44
  • Adrian - what did you end up doing? We are considering a similar route, curious how it ended up working out for you? – aSkywalker Jun 10 '14 at 21:43
  • @aSkywalker - We ended up integrating the third party apps using different SSO mechanisms that are exposed by Azure AD. Once you have Azure AD it can act as a federated ID provider for OAuth2, SAML etc., so you aren't limited to LDAP. – Adrian Hope-Bailie Jun 11 '14 at 22:50
  • I wonder whether one could set up a DC in a VM with DirSync and have a replica DC on-premise connected through a point-to-site connection. Would that work? – Igor Gatis Jun 16 '15 at 00:30

4 Answers


Short answer: No. However, like @Nathan-C described, you can stand up the required services using Azure IaaS (either DC+DirSync+ADFS or DC+DirSync w/ password sync) in order to achieve single sign-on between your Office 365 apps and your on-prem apps. You would need to deploy a VPN link between Azure and your local network.

Azure AD is NOT "regular" Active Directory.

Trondh
  • Thanks, I suspected this was the case. What we have managed to do is configure most of our 3rd party apps to use OAuth2 for identity provision. We then installed the auth0 service from the Azure store and set up our Azure AD as an enterprise identity provider (connection) for the auth0 service. The 3rd party apps now use auth0 as ID provider, which federates to our Azure AD. (Hope I got my terminology right, but basically the apps use OAuth2 to authenticate against auth0, which "proxies" our Azure AD.) – Adrian Hope-Bailie Nov 05 '13 at 17:35
  • Another comment on the proposed solution: We don't want to do this because we 1) like using Office 365 to manage our users and 2) don't actually want to force our users to log in to a domain, which I assume implementing a DC would involve. – Adrian Hope-Bailie Nov 05 '13 at 17:38
  • 1) is a fair point. 2) seems a bit unclear to me. If you mean implementing domain-joined workstations, there is no requirement to do this if you're implementing any of the dirsync options. – Trondh Nov 06 '13 at 15:12
  • Is it possible to install DirSync on a DC? I think I read somewhere that it's not? – Adrian Hope-Bailie Nov 06 '13 at 15:57
  • With the newest version of DirSync, you can install it onto a DC. It used to be the case that you couldn't. – Trondh Nov 06 '13 at 21:18
  • However, starting from Windows 10, client machines can domain join to Azure AD. – Kevin Tianyu Xu Oct 21 '15 at 00:12
  • @KevinTianyuXu do you have a source for that? Because that sounds great. – JP Hellemons Jun 14 '16 at 09:51
  • @JPHellemons - TechNet article [here](https://blogs.technet.microsoft.com/enterprisemobility/2015/05/28/azure-ad-join-on-windows-10-devices/) explains how to set it up. – Frederik Jul 18 '16 at 08:53
All of this information is old; I just wanted to help someone that was looking for it. Today, 10/25/2016, I have 20 or so Windows 10 laptops that connect and work with Azure AD services directly. It integrates and works perfectly with O365 and many other "cloud" services from Microsoft.


Microsoft recently started offering actual Active Directory services in Azure: https://azure.microsoft.com/en-us/services/active-directory-ds; if you only need centralized authentication, they can fully replace a local AD.

Massimo


No. Azure AD is not really AD. It has less functionality in that it has a more limited schema, and as a service it can't be used to authenticate/manage devices as you can with a real Domain Controller and AD.

The use case they support is using Azure AD to manage the logins on Windows 10 machines; and you can use Microsoft Intune for any management (that you would get with policies/management from a 'real' full AD installation)

I'll caution that even the proposed solution is not fully 'baked' yet, and if you try it, you will be an early adopter. It's somewhat incomplete functionality (for example, management is non-existent for Macs; you can't do Azure AD join for OS X), and it's a bit buggy (sometimes machines can auth and join, sometimes they silently fail).

YMMV

Dan R