I have recently been involved with a project where we wanted to host an application in Microsoft Azure, have users log in to it with their local Windows credentials, and have their permissions kept in sync with Active Directory. To achieve this we identified that we could use Microsoft Azure Active Directory (online) synced with the local Active Directory on our network.
Here’s how we achieved the synchronisation between the two directories (NOTE: we already had an Azure subscription and a working Windows network running Windows Server 2008 R2):
- Add a new Active Directory Service in the Azure Management Portal (New -> App Services -> Active Directory -> Directory)
- Add a new domain (go to Domains and select Add)
- Enter the domain name ([domainname]) e.g. mycompany.com, and select “I plan to configure this domain for single sign-on with my local Active Directory”
- Click Add
- Install ADFS 2.0 on your Active Directory server – download: ADFS 2.0 RTW (this may be a farm or a standalone setup; it doesn’t matter, but a farm with only one server is no more complicated to set up and avoids restrictions later, since a standalone installation cannot be expanded into a farm)
- Install Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 – download: Update Rollup 2 for ADFS 2.0
- Install Microsoft Online Services Sign-In Assistant for IT Professionals RTW – download: Microsoft Online Services Sign-In Assistant for IT Professionals RTW (this is apparently needed, but I noticed it conflicts with the Windows Azure Active Directory Sync installation on Windows Server 2008 R2)
- Install Azure Active Directory Module for Windows PowerShell (64-bit version) – download: Azure Active Directory Module for Windows PowerShell
- Run PowerShell and enter the following commands:
- run $msolcred = Get-Credential
- Enter Azure credentials – this must be a cloud-only, non-federated login (once the domain is federated, accounts from it can only sign in through AD FS, so the account you manage the federation with must not depend on it) and probably comes in the format [[email protected]] – you may need to create this user in Azure with Global Administrator permissions
- run Connect-MsolService -Credential $msolcred
- run Get-MsolDomain – you should see [domainname] in the list with a Status of Unverified
- run Get-MsolDomainVerificationDns -DomainName [domainname] -Mode DnsTxtRecord
- Note the Label, Text and Ttl values it returns
- Go to your public DNS provider’s control panel and create a TXT record on your public domain name using the noted values:
- Sub-domain (record name): [label]
- Content (record text): [text]
- TTL: [Ttl]
- Go back to PowerShell and enter the following commands:
- run New-MsolFederatedDomain -DomainName [domainname] (run this on the AD FS server; it looks up the TXT record to prove you own the domain and then converts the domain to federated, so wait until the record has propagated publicly, otherwise the command fails)
- run Get-MsolDomain – [domainname] should now have a Status of Verified
- Refresh the Azure Management Portal and view the domains – again [domainname] should show a Status of Verified
- Download and install Windows Azure Active Directory Sync Setup – download: Microsoft Azure Active Directory Sync Services (this may require uninstalling Microsoft Online Services Sign-In Assistant for IT Professionals RTW)
- At the end of the installation untick “Start Configuration Wizard now” and complete the installation (this is required on domain controllers, otherwise you will get the error “A constraint violation occurred”) – you may also need to reboot at this point if you get any issues; then launch the Configuration Wizard manually
- Enter the details of the Azure Active Directory admin user used previously (this probably comes in the format [[email protected]]) and continue – note I received the following error at this point, which required a reboot: “Configuration Error: Unable to establish a connection to the authentication service. Contact Technical Support”
- Enter the details of a domain administrator, or a user with access to read (and write, if you enable the hybrid deployment option in the next step) your Active Directory, and continue
- Tick “Enable Hybrid Deployment” if you want Azure to write back to your local Active Directory, and continue
- Tick “Enable Password Sync” if you want users to use the same password online as on your network, and continue (this synchronises a hash of the password hash to Azure, not the password itself)
- At this point I had a failure: if this happens, try clicking Retry, which worked for me
- Tick “Synchronize your directories now” and continue
- Your system should now be syncing between Azure Active Directory and your local Active Directory – it may take a few hours to complete; you can verify by checking Event Viewer (under Application events) and by looking at the user list in Azure Active Directory
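The PowerShell part of the procedure above, as an added example that is not code from the original post: it runs the same MSOnline cmdlets but checks that the TXT record is publicly resolvable before calling New-MsolFederatedDomain (the step that fails if DNS has not propagated), confirms the resulting domain status, and afterwards counts the users that DirSync has written to Azure. It assumes the Azure Active Directory Module for Windows PowerShell (MSOnline) is installed, that it runs on the AD FS server, PowerShell 2.0 or later, and that nslookup.exe is available; mycompany.com is a placeholder domain.

```powershell
# Added example, not from the original post. Assumptions: MSOnline module installed,
# run on the AD FS server (New-MsolFederatedDomain needs the AD FS context),
# PowerShell 2.0+ (Server 2008 R2 has no Resolve-DnsName, so nslookup.exe is used),
# and "mycompany.com" is a placeholder for the public domain being federated.
param(
    [string]$DomainName = "mycompany.com"
)

Import-Module MSOnline -ErrorAction Stop

# 1. Sign in as a cloud-only (non-federated) Global Administrator. An account in the
#    domain being federated would, after federation, only be able to sign in through
#    the AD FS you are still configuring.
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# 2. The domain should already exist (added in the portal) with Status Unverified.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
Write-Host ("{0}: Status={1} Authentication={2}" -f $domain.Name, $domain.Status, $domain.Authentication)

if ($domain.Status -ne "Verified") {
    # 3. Ask Azure for the TXT record that proves ownership of the domain.
    $record = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
    Write-Host ("Publish TXT record: name={0} text={1} ttl={2}" -f $record.Label, $record.Text, $record.Ttl)

    # 4. Do not call New-MsolFederatedDomain until the record is publicly resolvable;
    #    it fails if the TXT record has not propagated yet. Poll for up to 30 minutes.
    $attempt = 0
    do {
        $attempt++
        $lookup = & nslookup.exe -type=TXT $record.Label 2>&1 | Out-String
        $published = $lookup -match [regex]::Escape($record.Text)
        if (-not $published) {
            Write-Host ("TXT record not visible yet (attempt {0}); waiting 60s" -f $attempt)
            Start-Sleep -Seconds 60
        }
    } until ($published -or $attempt -ge 30)

    if (-not $published) {
        throw "TXT record for $DomainName not visible after $attempt attempts; fix DNS and re-run."
    }

    # 5. Verify the domain and convert it to federated (single sign-on via AD FS).
    New-MsolFederatedDomain -DomainName $DomainName

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne "Verified") {
        throw "Expected $DomainName to be Verified but it is $($domain.Status)"
    }
    Write-Host ("{0} is now {1} ({2})" -f $domain.Name, $domain.Status, $domain.Authentication)
}
else {
    Write-Host "$DomainName is already verified; nothing to do."
}

# 6. Once DirSync has been installed and has run (later steps in the post), the same
#    session shows whether objects have arrived: users synced from on-premises AD carry
#    a LastDirSyncTime, cloud-only users do not.
$synced = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -ne $null }
Write-Host ("Users synced from on-premises AD: {0}" -f @($synced).Count)
```

The nslookup check uses whatever resolver the server is configured with; if that is an internal DNS server hosting a split-horizon copy of the zone, the record may appear there before it is visible on the internet, so a failure from New-MsolFederatedDomain after the check passes usually means the public zone is what still needs to propagate.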
The whole process was not overly complicated, and anyone with basic admin skills should be able to complete it. However, I did note that the Microsoft instructions were quite convoluted and clearly intended for a highly complex setup. As noted in step 5, I installed a farm with only one server, which means I can expand it in future as my setup requires. Additionally I did not need to set up network load balancing or additional certificates, all of which are out of scope for this post.
If you’re having a go at this good luck, I hope this guide is helpful.
One reply on “How to integrate Microsoft Azure Active Directory with your local Active Directory”
Good job Steve!