Hosting a website in Azure that is secured with on-premise domain credentials has never been easier. In this post, I’ll walk you through how to setup Azure Active Directory and Azure AD Synchronization (AAD Sync). In a future post, I’ll show you how to use your extended Azure Active Directory to authenticate users to an MVC application using ASP.NET Identity. Now, on to configuring Azure AD and Azure AD Synchronization.
Configure Azure Active Directory for your AD Domain name
The first step is to configure an Azure Active Directory domain to
Go to the Azure Management Portal and select “New” –> “Active Directory” –> “Directory” –> “Custom Create”.
My local AD domain is named brosteins.com, so I named my Azure AD directory “Brosteins” with a FQDN of brosteins.onmicrosoft.com.
After the domain is crated in Azure Active Directory, go to the “Domains” tab and select “Add a Custom Domain”. My local AD domain is brosteins.com, so I entered this as the domain name. I did not select the option indicating that I will be configuring single sign-on (SSO). SSO requires ADFS (Active Directory Federated Services) and I do not want to configure ADFS at this time. At some point in the future, I may configure ADFS. At that time, I can reconfigure my Azure AD.
After pressing “Add”, I went to the second page of the wizard. This page gives you information that needs to go into your domain’s public DNS record. There is a link with instructions on how to add this DNS record to popular domain registrars. I entered the information into my domain registrar’s DNS page and waited approximately 30 seconds. I pressed the “Verify” button and my domain name was verified successfully.
After verifying your domain, go to the “Directory Integration” tab and switch the Directory Sync status from “Deactivated” to “Activated”. When you press the “Save” button, Azure will confirm that you want to enable directory synchronization, noting that once sync is configured, your local directory settings will overwrite any users in the cloud.
After confirming this change, Azure will work to enable your active directory for synchronization. This may take a few minutes. Mine took approx. 10 seconds. Once complete, your directory will indicate it have been activated.
Install and Configure Azure Active Directory Sync Services (AAD Sync) on a Domain-joined Computer
In September of 2014, Azure AAD Sync went GA, replacing DirSync. I downloaded the new AAD Sync tool from Microsoft here: http://www.microsoft.com/en-us/download/details.aspx?id=44225.
The initial install of AAD Sync takes approximately 30 seconds. After the initial install, a configuration wizard automatically launches. To complete the install, select an installation directory and agree to the terms. As part of the installation a SQL Express LocalDB will be installed to track the synchronization between your local AD and Azure AD.
After the installation, the configuration wizard prompts you for credentials to you Azure AD. This account must be a Global Administrator in your Azure AD. I recommend creating an account solely used for synchronization purposes.
I created an account named ADSync@brosteins.onmicrosoft.com and gave it the Global Administrator permission.
Once the account has been created, you will be assigned a temporary password. In order to use this account, you must sign into the account once and change the password. I logged into https://account.activedirectory.windowsazure.com with the new account, which prompted me to change the password. After changing the password, you can use this account in the AAD Sync configuration wizard.
In the next step of the configuration wizard, enter an AD forest to synchronize (I used brosteins.com) and enter a username and password. I also created a separate service account to be used solely for this purpose. Be sure to click the “Add Forest” button.
The next step of the wizard is used to ensure users across all forests are uniquely identified. Because I’m only syncing one forest, I left all fields as default and pressed “Next”.
The next step allows you to configure additional synchronization features. You can read more about these features at: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_OptionalFeatures. I want to use Azure AD for authorization against the brosteins.com domain, so I checked the box for “Password synchronization”.
The final step of the configuration wizard summarizes all of my selections.
After continuing, the wizard will configure your synchronization. The configuration took approximately 30 seconds for me. Once finished, you will be prompted to synchronize now. I chose to synchronize the directory now.
Verify the Initial Synchronization
In this step, we will go back to the Azure Management Portal to ensure the synchronization occurred. Navigate back to your Azure AD and go to the “Directory Integration” and “Users” pages. You should see a recent sync message on the Directory Integration page, and new user accounts on the Users page.