Search This Blog

Sunday, March 23, 2014

Setup Identity Access Infrastructure Using Windows Azure Active Directory

 

We are going to explore on Window Azure Active Directory. Some people tend to misunderstand the concept of on-premise active directory vs Azure Active Directory and always assume both is the same and work exactly like Active Directory in Azure VM.

How Windows Azure Active Directory is different?

image

It’s allow centrally manage users’ access to Windows Azure and other Microsoft online services like Microsoft Office 365 and other non Microsoft Saas application.

We can provisioning and de-provisioning of user accounts stored in cloud directory to the SaaS application that your organization uses.

To get started, you need to have Windows Azure or Office365 subscription.

Where do we get user account?

a. Manual create from Windows Azure Management Portal

b. Existing Office365 directory

c. Sync from on-premise Active Directory

Tool to use - Active Directory Sync Tool. It will provide one way sync user account and password.

To download this tool, click here.

image

image

Once synced, you can verify directory synchronization from Windows Azure Management Portal.(Active Directory | Users)

  • Highlighted in yellow – is an account create an user account from Azure Management Portal
  • Meanwhile the rest of the account – is the result of sync from on premise Active Directory

image

You can verify access to Windows Azure Active Directory Portal by using the following URL:- http://activedirectory.windowsazure.com/ 

image

Login as Global Administrator will provide full access to manage Windows Azure Active Directory.

image

Login with “User Role” - only able to view own details and change their own profile.

image

Future:-

Application Access

Next step is configure Application Access through Windows Azure Active Directory. For our lab example, we are using Box (www.box.com)

1. Click Add, select BOX as an application that your organization use. Make sure you have a BOX subscription either Business (allow for 1 SSO Integration) or Enterprise (allow an Unlimited SSO).

2. Once the application is added, simply follow the steps in the management portal to complete the connection

image

Step 1:- Configure Single Sign on- For our testing purpose, I’m selecting “Password Sign Sign On”. If you select Windows Azure AD Single Sign On, do remember to send the metadata file to Box support team in order to enable SSO.

image

Step 2:- Enable user provisioning to Box once a user is assign to the BOX. Here you are require to enter your BOX subscription credential to allow authorization to use Windows Azure SSO on BOX.

image

Step 3:- Granted user which you would like to give access to Box.

image

Finally, perform testing an application access by login to Application Access Panel:-

http://myapps.microsoft.com.

Only user which has granted access will be able to see their application listed in the portal.

image

Here are list of applications that you can test

a) Dropbox for Business

b) Google App for Business

c) Skydrive

d) Office365 for Exchange Online

e) Office365 for Sharepoint Online

For more complete list of app support Windows Azure Active Directory, please check out here. There are total of 1021 app which support integration with Active Directory and Single Sign On.