AD for a small office - active-directory

For a small office with 5 to 8 PCs I want to setup a central windows login like with a windows domain/AD.
There is a NAS for shared folders in place to store data.
I want to grant permissions on the NAS per user based on two groups – so a very simple setup.
What would be the easiest / simple way to setup?
Windows Server? A linux server with SMB? Azure AD DS? Or anything else?
Thanks for your ideas

If your NAS supports it, Azure AD (not Azure AD DS).
If your NAS doesn't support it, go all the way with Office 365 and store files in the cloud with local sync and use softlinks.

Related

Azure Active Directory Integrated Authentication with SQL

I'm quite new to the Azure AD. So I will be grateful for any hint.
I need to enable members of a given domain (of a given Active Directory) to log in to Azure SQL Server using Azure Active Directory - Integrated Authentication.
So far I've logged into Windows and connected it to Azure Active Directory in Windows Settings.
Looking through the documentation, I understand that I need to select one of the authentication methods proposed by Microsoft within Azure Active Directory. The easiest seems to be Password hash synchronization. So I would like to pick this one (but if others are simpler I am open to changing that choice).
What is the easiest way to synchronise this? Can I avoid having to create a Windows Server VM and install Azure AD Connect there?
The current configuration of AD Connect on Azure Portal looks as follows:
To mention it again, the only service I care about is logging in via Azure Active Directory
I apologise if the whole question has been wrongly structured, but it is simply based on what I have found on the forums and in the documentation.
Thanks in advance for any tips
[for example: https://youtu.be/PyeAC85Gm7w?t=565, https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#using-an-azure-ad-identity-to-connect-using-ssms-or-ssdt, https://techcommunity.microsoft.com/t5/azure-sql-blog/azure-ad-pass-through-and-password-hash-authentication-support/ba-p/1269735]
You don't need Azure AD Connect or password hash sync unless you have an on-premises Windows Server AD that you want to sync to Azure AD. I should note that AD is not the same as Azure AD. You don't need Windows Server AD with Azure SQL, just Azure AD. To grant a certain security group access to the server, you can run CREATE USER [group-name-here] FROM EXTERNAL PROVIDER; in the Azure SQL DB. Then you can use standard SQL stuff to grant that "user" access to the DB/tables.
Users should then use Azure Active Directory - Universal with MFA as the authentication method in SQL Server Management Studio.

Directory Sync AD Connect multiple Domains

I've recently been asked to look at a sync issue with Azure AD, however the guy who set it up has left and we have no idea where it's configured from (AD Connect server) and what it is actually synchronising.
We also want to start synchronising our PP domain to the same Azure AD tenant. Is that possible without knowing what is being synced already, and how would I resolve any conflicts? So confused!
Hope someone can help
Thanks in advance
Yes, absolutely it is possible to sync multiple domains. The easiest way to know what is synced is by opening the Azure AD Connect "Synchronization Service" app elevated as administrator. If you click the Connectors tab you will see what domains / forests are configured to sync. I would use the wizard to configure more forests / domains.
Here are the supported topologies: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant
Note that there can only be one Azure AD Connect syncing to a tenant at any given time; you cannot use multiple AAD Connect servers for that purpose.

Connecting to SQL Server using Windows authentication by multiple users through Client-Server App

Need help with connecting to SQL Server using Windows authentication by different users logging in to the clients using their domain account. We have thousands of users, and is there an easy way to use a specific AD service account even though users log in to these client machines using their Windows account? I see some examples of that online if using IIS. But we need this to work with a client-server app. Please help if there is a workaround. Thanks!
Typically you would either provision SQL Logins for the AD Groups containing the users, or (less secure) use a SQL Login with username and password embedded in the application configuration.
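The two group-based approaches mentioned in the answers above (CREATE USER ... FROM EXTERNAL PROVIDER for an Azure AD group in Azure SQL, and SQL logins for on-premises AD groups) as a worked T-SQL example. This is an added illustration, not code from either answer; the group names SQL-Readers-Group and CONTOSO\SQL-App-Users, the database name AppDb and the schema are placeholders. The Azure section is run in the target Azure SQL database while connected as the server's Azure AD admin; the on-premises section is run on a SQL Server instance joined to the domain.

```sql
-- ---------------------------------------------------------------
-- Azure SQL Database: map an Azure AD security group to a database
-- user and grant it only what it needs (least privilege).
-- Run this while connected to the target database as the Azure AD admin.
-- Group name is a placeholder.
-- ---------------------------------------------------------------
CREATE USER [SQL-Readers-Group] FROM EXTERNAL PROVIDER;

-- Read-only access through a fixed database role ...
ALTER ROLE db_datareader ADD MEMBER [SQL-Readers-Group];

-- ... or, narrower still, SELECT on one schema only (placeholder schema).
GRANT SELECT ON SCHEMA::reporting TO [SQL-Readers-Group];

-- Verify the mapping: the external-provider user shows up as E (external group).
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = 'SQL-Readers-Group';

-- ---------------------------------------------------------------
-- On-premises SQL Server: a Windows login for an AD group, so that
-- domain users connect with Integrated Security (no password in the
-- client app's config file) and membership is managed in AD.
-- Domain, group and database names are placeholders.
-- ---------------------------------------------------------------
USE master;
CREATE LOGIN [CONTOSO\SQL-App-Users] FROM WINDOWS;

USE AppDb;
CREATE USER [CONTOSO\SQL-App-Users] FOR LOGIN [CONTOSO\SQL-App-Users];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\SQL-App-Users];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\SQL-App-Users];

-- Audit check: list every role each group-based principal holds in this DB.
SELECT dp.name AS principal_name,
       dp.type_desc,
       r.name  AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name IN ('SQL-Readers-Group', 'CONTOSO\SQL-App-Users')
ORDER BY dp.name, r.name;
```

With the on-premises login in place, the client application's connection string uses Integrated Security=SSPI (Windows authentication) and carries no secret, which is why this is preferable to embedding a SQL login's password in configuration. Azure SQL Database does not support the USE statement, so the Azure section must be run while already connected to the intended database.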

Sync Office 365 (AAD) with NEW on premise Active Directory

My small company (about 100 users) is currently using Office 365. There has previously not been any domain controller. I am building an on-premises domain controller and want to sync it with Azure Active Directory (Office 365). I used the sync service, with a small subset of users, to no avail.
My main question: Can you sync FROM an Azure Active Directory to a new on premise Active Directory? My understanding is that it's the opposite - the on premise Active Directory is the "master" if you will. Is there a way to set it up the opposite? As in, Office 365 being the "master" or "seed" for an on premise?
At present, Azure AD Connect supports Password writeback, Group writeback and Device writeback.
You can refer to the optional features of Azure AD Connect here.
At this point in time, synchronizing users FROM Azure AD to on-premises AD is NOT possible.
As Fei Xue pointed out, there are certain things (such as user passwords, groups and devices) that can be synchronized back to on-prem AD, but not users.
Depending on what you are trying to achieve, Azure Active Directory DS might be worth exploring as it allows you to create a VNet in Azure which has AD-like support (LDAP, Active Directory domain join, NTLM, and Kerberos authentication).
More info on Azure AD DS: https://azure.microsoft.com/en-us/services/active-directory-ds/

Using Active Directory with Microsoft Azure

I'm researching whether or not it makes sense for my company to use Azure for some outward-facing applications. We need it to integrate with Active Directory so that it knows who they are without having to log in to the site, kind of a single sign-on. Has anyone done anything like this, or know what tools I'd need to use to do it?
To elaborate a little, currently all of our intranet apps use Windows Authentication with AD groups to determine who has what access and what level of access they have to the apps. So, once they log onto their machines, they don't have to log in again to access any of our home-grown apps. We're looking at using the Cloud but we want to keep the same login paradigm if at all possible. Ideas?
Thanks,
Jeremy
You can federate AD to Azure - you will need at least 1 server (on premise) running Windows Server 2008 R2 to get the ADFS bits (code name was Geneva). Then on the Azure side, you use the Azure App Fabric authentication. See MSDN.
An observation on Pat's answer:
"Then on the Azure side, you use the Azure App Fabric authentication. See MSDN"
That is not necessarily correct. In the simplest form, which looks like what Jeremy needs, the web site on Windows Azure would simply trust the local ADFS server on-premises. To do this you would use WIF (Windows Identity Foundation).
This scenario is extensively described in multiple documents. Check Here
A scenario in which you would use Windows Azure AppFabric (the latest CTP) is one in which the app would trust multiple identities simultaneously, and AppFabric would act as an "Identity Hub".