
I'm trying to configure a new Dynamics CRM 2016 on-premises installation with claims-based authentication for SharePoint Online (Office 365) and Internet-facing access.

We currently have a Windows 2012 R2 Essentials domain controller synchronizing with Office 365. I'm aware we should not change passwords on any online services but instead use the local account so it syncs up the new password.

At the time we wanted to be as lean as possible in terms of setup in the office, so Essentials was the obvious choice, but I now think it's a bit too essential when you want to add on other services! Is that correct?

I've seen this article, http://blog.kloud.com.au/2014/06/06/claims-based-federation-service-using-microsoft-azure/, that explains how to leverage ACS for the CRM's claims federation, which would sort the CRM login.

But I am slightly concerned about rolling this out without having single sign-on configured across the directory, e.g. syncing the password down from Azure to the on-prem AD, and apparently that's not possible with this setup; see https://social.technet.microsoft.com/Forums/windowsserver/en-US/97cdba31-afda-49a0-bd71-cdd408b22fe6/windows-server-2012-r2-essentials-and-azure-active-directory-sync-tool?forum=winserveressentials

Before I commit to using ACS (available in Azure Premium only), I want to ensure we'll also be able to roll out single sign-on across the directory as it is, or whether we need to migrate to a new DC (not on Essentials) and use AAD Connect instead. See https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/, which includes ADFS and thus would not need ACS.

Am I just mixing concepts? Is my concern unfounded?

Has anyone been able to do this kind of setup before?

Any help on this would be greatly appreciated.

Pedro Costa
  • What are the single sign on requirements? Just windows and azure AD apps or any on prem app? – Jim B Dec 18 '15 at 19:20
  • Mostly it's password sync down that I'm looking for, single sign-on at least to the CRM that is on-prem. – Pedro Costa Dec 19 '15 at 13:07
  • If this is a new (green field) install, why not use Dynamics CRM online? I should think that would sort out a lot of these questions. I totally understand that you don't have as much flexibility with the Online platforms. – blaughw Dec 22 '15 at 17:32
  • Licensing: we have Action Pack and the online version is not available, only on-prem. – Pedro Costa Dec 24 '15 at 11:58

1 Answer


Take this with a grain of salt as I don't have a lot of exposure directly with the Essentials server.

The simplest setup for just the password management is to use Azure AD Sync (installed on a separate server, not the Essentials one) with Azure AD Premium. This supports two-way password hash sync. CRM doesn't even factor into the equation here for that to work. You can disable management for the Essentials server and then use this option, but you lose the fancy dashboard and management tools.

I would also do this after hours; I don't know the details of how it breaks the connection or what effect that will have on users. Once you start up Azure AD Sync it should be able to match up the existing users. You can also try this before disabling the Essentials server (just don't enable password sync).

Depending on your browser and how CRM is configured you may have what looks like SSO (if creds are passed directly) because the passwords are shared, but it's not really SSO of course. You can keep this setup and publish CRM through an application proxy service, also available in Azure at this point, to route all authentication through Azure AD.

For SSO Setup

You are heading down the correct path. You can trial this setup today without changing your Essentials server sync setup. The only thing you will be lacking is password writeback support.

To get password writeback you need to disable sync on your Essentials server and use the Azure AD Connect tool. You also need the Azure AD Premium subscription, and then you can enable password writeback.

Jesus Shelby
  • Hi Jesus, I have not implemented this yet, but it will be the next step after I finally sort the network setup. I hope you don't mind me pointing to this other question I now have: http://serverfault.com/questions/775484/small-business-network-vlans-and-hyper-v-configuration Thank you. – Pedro Costa May 08 '16 at 13:19
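The answer above boils down to three things to verify once the Essentials sync has been switched off and Azure AD Connect is in place: password hash sync is on and recent, the tenant actually has directory sync enabled, and password writeback is enabled on the Azure AD connector (which is the part that needs Azure AD Premium). The script below is an added example, not code from the question or the answer. It is run in an elevated PowerShell session on the Azure AD Connect server and assumes the ADSync module that ships with Azure AD Connect plus the MSOnline module (Install-Module MSOnline). The connector name pattern `* - AAD` relies on Azure AD Connect's default naming ("tenant.onmicrosoft.com - AAD"); if yours was renamed, pick it from the Get-ADSyncConnector output instead. The Set-ADSyncAADPasswordResetConfiguration line is commented out so the script is read-only until you deliberately turn writeback on.

```powershell
# Added example (not from the original post or answer): check the state of
# password hash sync and password writeback on an Azure AD Connect server.
# Assumes: ADSync module (installed with Azure AD Connect), MSOnline module,
# and the default "<tenant>.onmicrosoft.com - AAD" connector naming.

Import-Module ADSync
Import-Module MSOnline

# 1. Tenant side: is directory sync on, and when did passwords last sync?
#    LastPasswordSyncTime should be within the last few hours; a stale value
#    means the hash sync is not actually flowing even if the feature is on.
Connect-MsolService
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# 2. Sync-engine side: optional features configured in the wizard.
#    PasswordHashSync should read True for the "shared password" setup.
Get-ADSyncAADCompanyFeature

# 3. Password writeback is configured per Azure AD connector, so find it first.
#    The name filter assumes the default connector naming (assumption).
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
if (-not $aadConnector) {
    throw "No Azure AD connector found; list connectors with Get-ADSyncConnector and adjust the filter."
}
"Azure AD connector: $($aadConnector.Name)"

# Current writeback state. Enabled is False until the tenant has Azure AD
# Premium and writeback has been turned on (this is what the Essentials
# built-in integration cannot give you, per the answer).
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# 4. Only after Essentials sync is disabled and the tenant is on AAD Premium:
# Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true

# 5. Force a delta sync and confirm the scheduler is healthy.
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
```

Two things worth checking in the output before trusting the "it looks like SSO because the passwords are shared" behaviour the answer describes: PasswordSynchronizationEnabled on the tenant and PasswordHashSync in the connector features must both be True, and SyncCycleEnabled must be True, otherwise a user who changes their on-prem password will silently keep the old one in Office 365 and the CRM federation will start failing for that user.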