WVD Mixed AD Environment AAD and Local AD - azure-active-directory

Most of my customers have a split AD environment: they log into their machines via their local AD (e.g. user1#domain1.net) and access O365 with user1#fire.domain2.gov, so the UPNs do not match. The Azure tenant and Azure AD exist on the O365 UPN.
The only workaround we have found is to add the UPN fire.domain2.gov to the local AD object or add the O365 account to the local domain. Are there any other workarounds that might work, and has anyone else run into this?

I'm told Alternate Login ID will not work. No, AltID is used with ADFS. There is no ADFS in LA County anymore (Dan Jorenby)
We are trying to set up a deployment for a government entity in LA County where they already have a local AD and AAD accounts for Office 365, but no sync is set up between them. Do you have any suggestion on how they can bind them together to be able to use them in WVD?

In order to access your on-premises and Azure resources with a single identity, you need to sync your user objects from on-premises Active Directory to Azure Active Directory via Azure AD Connect.
You need to create a custom domain in Azure in order to sync your user objects from on-premises to Azure.
Ex: you can configure a custom domain for fire.domain2.gov in Azure. You can add the same domain name on-premises by adding an additional UPN suffix in Active Directory Domains and Trusts.
For detailed information, check the Article.
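The suffix change described above, as an added example that is not part of the original answer: it registers the Azure AD-verified domain as an additional UPN suffix at the forest level (the same effect as the Active Directory Domains and Trusts console) and rewrites the UPNs of users in scope so they match the Office 365 UPN before Azure AD Connect is run. The suffixes come from the question; the OU path, the RSAT ActiveDirectory module and Enterprise Admin rights are assumptions.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and Enterprise Admin rights. domain1.net and fire.domain2.gov are the
# suffixes named in the question; the OU path is a hypothetical scope.
Import-Module ActiveDirectory

$OldSuffix  = 'domain1.net'                 # current on-prem UPN suffix
$NewSuffix  = 'fire.domain2.gov'            # custom domain verified in Azure AD
$SearchBase = 'OU=Fire,DC=domain1,DC=net'   # hypothetical OU; limits the blast radius

# 1. Add the suffix at the forest level so it becomes selectable on user objects.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Rewrite the UPN suffix for users in scope. -WhatIf previews the change;
#    remove it once the list looks right. Azure AD Connect soft-matches on the
#    UPN (or primary SMTP address), so the new UPN must equal the O365 UPN.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName
foreach ($u in $users) {
    $newUpn = $u.UserPrincipalName -replace "@$([regex]::Escape($OldSuffix))$", "@$NewSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# 3. Check: after the real run, nothing in scope should still carry the old suffix.
$remaining = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase)
"Users still on $OldSuffix : $($remaining.Count)"
```

Run the sync only after the count reports zero; a partial rename leaves some users matched by UPN and others by SMTP address, which is hard to untangle later.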


Identity authentication over smb for Azure file share

I have mounted an Azure file share on an Azure VM using access keys; the VM is not domain-joined to the Azure Active Directory instance. Please let me know if the below scenarios will work out:
If I apply ACLs on the folders and sub-folders, will the ACLs be enforced in the mounted drive on the VM?
Will Azure RBAC apply if someone tries to upload a file from the VM?
Note: The Azure VM is on a VNet which has access to Azure Active Directory.
Any information/answer/suggestion on the above questions would be greatly appreciated.
ACLs can exist for domain or non-domain accounts. A machine that is not domain-joined obviously cannot set domain ACLs. So in that case local-server ACLs are all you can hope to get.
If another server mounts the share, and there is not another local user account + SID mapping, then there is no way these ACLs have any meaning on the second machine. But they will be enforced.
So that one will work, albeit questionable in terms of usefulness.
RBAC is really a management plane construct, meant to govern who can manage which Azure resource --> not who can access which data planes. Now in the case of AD / AAD DS support for Azure file shares, the team has decided to "stretch" the meaning of RBAC to govern share-level ACLs via Kerberos (where normal RBAC is OAuth only!)
Enough of the backend: What this basically means is that there can be no support for local server accounts.
These accounts only exist on a local server, not in AAD and certainly not DIRSYNC'ed from on-prem AD into AAD. So that means RBAC cannot work for local accounts, only for domain accounts.
I'm unclear what your scenario is.
A user coming into the server with some sort of local user credential?
Then creating/copying a file into an Azure file share mounted on that VM? --> That can work because there is no RBAC and, since this is all happening through that single server that has that local user account, ACLs for these local accounts work natively.
A user coming into the server with a domain cred? --> Will not work as the server isn't domain-joined.
A user coming in with a local-server account and then using the Azure file share not via SMB mount but by going to the Azure file share directly: Cannot work because it's not a domain account and non-domain accounts cannot work against Azure file shares. You'd use the storage access key to mount the file share to the VM, then you have access and leave authentication to the server with the set of local accounts.
Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:
Select or create an Azure AD tenant.
You can use a new or existing tenant for Azure AD authentication over SMB. The tenant and the file share that you want to access must be associated with the same subscription.
To create a new Azure AD tenant, you can Add an Azure AD tenant and an Azure AD subscription. If you have an existing Azure AD tenant but want to create a new tenant for use with Azure file shares, see Create an Azure Active Directory tenant.
Enable Azure AD Domain Services on the Azure AD tenant.
To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant. If you aren't the administrator of the Azure AD tenant, contact the administrator and follow the step-by-step guidance to Enable Azure Active Directory Domain Services using the Azure portal.
It typically takes about 15 minutes for an Azure AD DS deployment to complete. Verify that the health status of Azure AD DS shows Running, with password hash synchronization enabled, before proceeding to the next step.
Domain-join an Azure VM with Azure AD DS.
To access a file share by using Azure AD credentials from a VM, your VM must be domain-joined to Azure AD DS. For more information about how to domain-join a VM, see Join a Windows Server virtual machine to a managed domain.
Note: Azure AD DS authentication over SMB with Azure file shares is supported only on Azure VMs running OS versions above Windows 7 or Windows Server 2008 R2.
Select or create an Azure file share.
Select a new or existing file share that's associated with the same subscription as your Azure AD tenant. For information about creating a new file share, see Create a file share in Azure Files. For optimal performance, we recommend that your file share be in the same region as the VM from which you plan to access the share.
Verify Azure Files connectivity by mounting Azure file shares using your storage account key.
To verify that your VM and file share are properly configured, try mounting the file share using your storage account key. For more information, see Mount an Azure file share and access the share in Windows.
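The final prerequisite, checked from the VM as an added example that is not part of the original answer: it confirms SMB (TCP 445) reachability to the storage endpoint, which is the most common cause of a failed mount, and then mounts the share with the storage account key. The storage account and share names are placeholders; the key is prompted for rather than hard-coded because it grants full access to every share in the account.

```powershell
# Added example, not from the original answer. Storage account and share names
# below are placeholders; replace them with your own. The account key is read
# interactively so it never lands in a script or shell history.
$StorageAccount = 'mystorageacct'          # placeholder
$ShareName      = 'myshare'                # placeholder
$Endpoint       = "$StorageAccount.file.core.windows.net"
$StorageKey     = Read-Host -AsSecureString 'Storage account key'

# 1. TCP 445 must be open end to end; NSGs, on-prem firewalls and most ISPs
#    block it, and the error from a failed mount does not say so.
$conn = Test-NetConnection -ComputerName $Endpoint -Port 445
if (-not $conn.TcpTestSucceeded) {
    throw "TCP 445 to $Endpoint is blocked; fix the NSG / route before going further."
}

# 2. Persist the credential so the mapping survives a reboot. The identity is
#    AZURE\<account>, not a domain user, which is why no per-user ACLs apply here.
$plainKey = [Net.NetworkCredential]::new('', $StorageKey).Password
cmdkey /add:$Endpoint /user:"AZURE\$StorageAccount" /pass:$plainKey | Out-Null
Remove-Variable plainKey

# 3. Mount the share; a successful drive listing proves VM and share are configured.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$Endpoint\$ShareName" -Persist | Out-Null
Get-PSDrive -Name Z | Select-Object Name, Root, Used, Free
```

Once this key-based mount works, the same path can be remounted without the key after the VM is joined to Azure AD DS, which is how you confirm the identity-based step itself rather than a network problem.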

Can we update properties of a user whose source of authority is Windows Server AD in Azure Active Directory?

Users in Azure Active Directory have a source of authority option. It contains either Azure Active Directory or Windows Server AD. So for users whose source of authority is Windows Server AD, their fields are not updating. Please clear my doubt.
No, you cannot update attributes in Azure AD for on-premises users synced using Azure AD Connect. You need to edit the attributes in the local AD.

Azure AD Directory Services Domain Name Guideline

When configuring Azure AD Domain Services, we would like to use the name "xxx.com". "xxx.com" is not publicly owned by us and we cannot acquire it.
Does anyone foresee any issues with us using this name when configuring the DNS domain name for AD Domain Services, or should we only specify a domain name for which we can control public DNS records?
Also should the domain we specify match one of the custom domains that we have added to custom domain list in Azure AD?
I suppose the "xxx.com" you mentioned is the initial domain name in the form of domainname.onmicrosoft.com, which is also the primary domain name. The initial domain name cannot be changed or deleted, but you can add your custom domain name to Azure AD as well.
You can select any custom domain name which can be verified in Azure AD. The domain you specify should match one of the custom domains that you have added to the custom domain list in Azure AD. Also, if you want to add a third-level domain name such as domainname.contoso.com to your directory, you should first add and verify the second-level domain, such as contoso.com. The subdomain will be automatically verified by Azure AD.
If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select the I plan to configure this domain for single sign-on with my local Active Directory checkbox when you run the Azure AD Connect tool to synchronize your directories. You also need to register the same domain name you select for federating with your on-premises directory in the Azure AD Domain step in the wizard.
Reference: Add a custom domain name to Azure Active Directory

How to migrate existing OU - Structure to new Azure AD

How do I migrate an existing OU structure from the old AD to the new Azure AD?
I have been trying to configure the Azure AD Connect synchronization tool for this but without success. Not sure what configuration it is supposed to have.
Anyone know? Thanks.
Do you mean the "old AD" is on-premises AD? In some ways, Windows Azure AD is an extension of the on-premises Active Directory, but not all features are available in Azure AD. Azure AD does have a domain name, and it does contain users and groups. It contains Service Principals, like on-premises AD, that represent applications. But there is no tree of domains, no trusts between domains or forests. Indeed there are no forests, no Group Policy, no OUs.
If you want to create OUs, please try Azure AD Domain Services, which supports creating custom Organizational Units and Group Policy in a limited way.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-features/

Sync Office 365 (AAD) with NEW on premise Active Directory

My small company (about 100 users) is currently using Office 365. There has previously not been any domain controller. I am building an on-premises domain controller and want to sync it with Azure Active Directory (Office 365). I used the sync service with a small subset of users, to no avail.
My main question: Can you sync FROM an Azure Active Directory to a new on-premises Active Directory? My understanding is that it's the opposite: the on-premises Active Directory is the "master", if you will. Is there a way to set it up the opposite way? As in, Office 365 being the "master" or "seed" for an on-premises AD?
At present, Azure AD Connect supports Password writeback, Group writeback and Device writeback.
You can refer to the optional features of Azure AD Connect here.
At this point in time, synchronizing users FROM Azure AD to on-premises AD is NOT possible.
As Fei Xue pointed out, there are certain things (such as user passwords, groups and devices) that can be synchronized back to on-prem AD, but not users.
Depending on what you are trying to achieve, Azure Active Directory DS might be worth exploring, as it allows you to create a VNet in Azure which has AD-like support (LDAP, Active Directory domain join, NTLM, and Kerberos authentication).
More info on Azure AD DS: https://azure.microsoft.com/en-us/services/active-directory-ds/