
Enable Office 365 with AWS Managed Microsoft AD without user password synchronization

In this post, we explain how to use AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) to enable your users to access Microsoft Office 365 without synchronizing passwords, using Azure Active Directory (Azure AD) Pass-through Authentication (PTA). This makes it simpler to configure Microsoft Office 365 with AWS Managed Microsoft AD. Azure AD PTA reduces administration overhead by eliminating the need to deploy and manage complex federation or password synchronization infrastructure. It also helps you meet your organization's security standards, because you can continue to use and manage stronger password policies in AWS Managed Microsoft AD, without passwords being synchronized to or stored in Azure AD.

Previously, AWS showed you how to access Office 365 with credentials that you manage in AWS Managed Microsoft AD, by deploying Azure AD Connect and Active Directory Federation Services for Windows Server 2016 (AD FS 2016) with AWS Managed Microsoft AD. While AWS continues to support this model, this post focuses on a newer, supported design that produces the same result without deploying a federation or password synchronization implementation. In the new model, when users sign in to Office 365, Azure AD PTA validates their passwords directly against AWS Managed Microsoft AD.

We explain how to use Azure AD Connect to synchronize users from AWS Managed Microsoft AD into Azure AD. We then show you how to enable Azure AD Connect Pass-through Authentication to authenticate users directly against your AWS Managed Microsoft AD directory. We do this in four steps:

  1. Delegate permissions to your Active Directory Domain Services (AD DS) Connector account.
  2. Configure the AWS security group rules for the Azure AD Connect server.
  3. Install and configure Azure AD Connect Pass-through Authentication with AWS Managed Microsoft AD.
  4. Use an AWS Managed Microsoft AD user account to sign in to Office 365.

Prerequisites

The instructions in this post assume that you know how to create Amazon Elastic Compute Cloud (Amazon EC2) for Windows Server instances and how to use Remote Desktop Protocol (RDP) to sign in to them. They also assume that you have completed the following tasks:

  1. Created an AWS Managed Microsoft AD directory.
  2. Joined an Amazon EC2 for Windows Server instance to the AWS Managed Microsoft AD domain to use as your Azure AD Connect server. We show you how to install Azure AD Connect on this instance later. Azure AD Connect supports Windows Server 2012 R2 or later; for this post, we use Windows Server 2019. Although out of scope for this post, because the Azure AD Connect server requires only outbound traffic, you should run it in a private subnet with outbound traffic routed through a NAT gateway or NAT instance in a public subnet; see VPC with public and private subnets.
  3. Joined an Amazon EC2 for Windows Server instance to the AWS Managed Microsoft AD domain to use as your management server instance (Management).
  4. Installed Active Directory Management Tools on your Management instance.
  5. Using Active Directory Users and Computers on your Management instance, created a standard user named AADConnectSvc in your AWS Managed Microsoft AD directory. The AADConnectSvc standard user is used as your AD DS Connector account. You will use the AD DS Connector account (AADConnectSvc) in Azure AD Connect later.
  6. Created an active Office 365 subscription.
  7. Added and verified your domain in Office 365.

Solution overview

You can use Azure AD Pass-through Authentication with AWS Managed Microsoft AD to:

  • Synchronize users from AWS Managed Microsoft AD to Azure AD.
  • Assign a license to, and use, an AWS Managed Microsoft AD identity to sign in to Office 365.

Figure 1 shows how the Azure AD Connect server orchestrates the synchronization of AD identities from AWS Managed Microsoft AD to Azure AD. It also shows how Azure AD Connect Pass-through Authentication validates users' credentials when a user signs in to Office 365.

Figure 1: Architecture diagram of AD synchronization and pass-through authentication between AWS Managed Microsoft AD and Office 365

  1. You delegate AD permissions to the AD DS Connector account using the Management instance.
  2. You install and configure Azure AD Connect Pass-through Authentication with AWS Managed Microsoft AD.
  3. AWS Managed Microsoft AD identities are synchronized to Azure AD by the Azure AD Connect server.
  4. A user signs in to Office 365.
  5. Azure AD communicates with the Azure AD Connect server to validate the user's credentials.
  6. The Azure AD Connect server validates the user's credentials against AWS Managed Microsoft AD.
  7. The user is signed in to Office 365 with AWS Managed Microsoft AD credentials.

Note: This blog post uses a single Microsoft Windows Server running the Azure AD Connect Pass-through Authentication agent. For high availability, you can install additional authentication agents on other Microsoft Windows Servers; see Ensure high availability.

Step 1: Delegate permissions to your Active Directory Domain Services (AD DS) Connector account

In this step, you delegate basic read AD permissions to your AD DS Connector account (AADConnectSvc). Azure AD Connect uses the AD DS Connector account (AADConnectSvc) to connect to and read AD objects in your AWS Managed Microsoft AD directory. To delegate the permissions, download and use the ADSyncConfig PowerShell module included in the Azure AD Connect installation.

Perform the following steps after signing in to the Management instance using the admin user account for the AWS Managed Microsoft AD directory:

A. Download the ADSyncConfig PowerShell module from the Azure AD Connect installation

  1. Download and start the Azure AD Connect installation on the Management instance.
  2. On the Welcome page of the Microsoft Azure Active Directory Connect wizard, close the installation by selecting the X. At this point, the Azure AD Connect installation has downloaded the ADSyncConfig PowerShell module to the Management instance.
  3. Confirm that the ADSyncConfig PowerShell module has been downloaded and is in the following location:
    C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1
    

B. Configure permissions for your AD DS Connector account

  1. Import the ADSyncConfig PowerShell module using the following Windows PowerShell command.
    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
    
  2. Add basic read permissions to your AWS Managed Microsoft AD directory for the AD DS Connector account (AADConnectSvc) by running the following Windows PowerShell command. Be sure to replace the placeholders in angle brackets with the names from your own AWS Managed Microsoft AD directory.
    Set-ADSyncBasicReadPermissions -ADConnectorAccountName AADConnectSvc -ADConnectorAccountDomain "<domain.com>" -ADobjectDN "OU=Users,OU=<NetBIOS name>,DC=<domain>,DC=<com>" -SkipAdminSdHolders -Confirm:$false
    
  3. Next, add permissions to your AD DS Connector account (AADConnectSvc) by running the following Windows PowerShell command. These permissions allow Azure AD Connect to manage the source anchor (mS-DS-ConsistencyGuid) for AWS Managed Microsoft AD identities synchronized to Azure AD. Be sure to replace the placeholders in angle brackets with the names from your own AWS Managed Microsoft AD directory.

    Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName AADConnectSvc -ADConnectorAccountDomain "<domain.com>" -ADobjectDN "OU=Users,OU=<NetBIOS name>,DC=<domain>,DC=<com>" -SkipAdminSdHolders -Confirm:$false
    
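Before moving on, it is worth confirming that the two delegation commands actually produced the expected ACEs on the Users OU. The following is an added PowerShell example, not part of the original post; the OU distinguished name in angle brackets is an assumption you replace with your own values, and it runs on the Management instance where the AD management tools are installed.

```powershell
# Added example (not from the original post): verify the ACEs that the two
# Set-ADSync*Permissions commands left for AADConnectSvc on the Users OU.
# The OU path in angle brackets is an assumption; replace it with your own values.
Import-Module ActiveDirectory

$ConnectorAccount = 'AADConnectSvc'
$UsersOuDn        = 'OU=Users,OU=<NetBIOS name>,DC=<domain>,DC=<com>'

# Resolve the schemaIDGUID of mS-DS-ConsistencyGuid so the source-anchor ACE
# granted by Set-ADSyncMsDsConsistencyGuidPermissions can be recognised.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID
$consistencyGuid = [guid]$attr.schemaIDGUID

# The AD: PSDrive ships with the ActiveDirectory module; Get-Acl returns the OU's DACL.
$acl  = Get-Acl -Path "AD:\$UsersOuDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference -like "*\$ConnectorAccount" }

if (-not $aces) {
    Write-Warning "No ACEs for $ConnectorAccount on $UsersOuDn. Re-run the Set-ADSync*Permissions commands."
    return
}

# Basic read: an Allow ACE whose rights include ReadProperty (GenericRead contains it).
$hasRead = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}
# Source anchor: an Allow ACE with WriteProperty scoped to the mS-DS-ConsistencyGuid attribute.
$hasAnchorWrite = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $consistencyGuid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}

[pscustomobject]@{
    Account              = $ConnectorAccount
    ReadDelegated        = [bool]$hasRead
    ConsistencyGuidWrite = [bool]$hasAnchorWrite
    AceCount             = @($aces).Count
}
```

If either flag is False, the corresponding delegation command did not apply to the OU you intend to synchronize (for example because the OU distinguished name did not match), and Azure AD Connect will fail to read users or to write the source anchor later.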

Step 2: Configure the AWS security group rules for your Azure AD Connect server

In this step, you configure the AWS security group rules so that your Azure AD Connect server can communicate with Azure AD. To do this, add outbound rules to the security group of your Azure AD Connect server to allow outbound traffic on HTTPS (port 443) and HTTP (port 80).

Follow these steps to configure the AWS security group rules:

  1. In the navigation pane of the Amazon EC2 console, choose Security Groups.
  2. In the list, choose the security group for the Azure AD Connect server, and then choose Actions, Edit outbound rules.
  3. Choose Add Rule. Choose HTTPS for Type and Anywhere for Destination. Choose Save rules.
  4. Next, choose Add Rule. Choose HTTP for Type and Anywhere for Destination. Choose Save rules.

Step 3: Install and configure Azure AD Connect Pass-through Authentication with AWS Managed Microsoft AD

Follow these steps to install Azure AD Connect Pass-through Authentication on the Azure AD Connect server. The Azure AD Connect server synchronizes your users from AWS Managed Microsoft AD to Azure AD and handles password validation against your AWS Managed Microsoft AD directory.

Perform the following steps after signing in to the Azure AD Connect server using the admin user account for the AWS Managed Microsoft AD directory:

  1. Download and start the Azure AD Connect installation on the Azure AD Connect server.
  2. On the Welcome page of the Microsoft Azure Active Directory Connect wizard, accept the license terms and privacy notice, and then select Continue.
  3. On the Express Settings page, at the bottom of the page, select Customize.
  4. On the Install required components page, select Install.
  5. On the User sign-in page, select Pass-through authentication, and then select Next.
  6. On the Connect to Azure AD page, enter your Office 365 global administrator account credentials, and select Next.
  7. On the Connect your directories page, for DIRECTORY TYPE, select Active Directory, and for FOREST, select your AWS Managed Microsoft AD forest, and then select Add Directory.

    Figure 2: Select a directory to add

  8. In the AD forest account screen, select Use existing AD account, enter your AD DS Connector account (AADConnectSvc) credentials, and select OK.

    Figure 3: Add an AD forest account

  9. Now that you’ve added your AWS Managed Microsoft AD directory, on the Connect your directories screen, select Next.
  10. On the Azure AD sign-in configuration page, select userPrincipalName in the USER PRINCIPAL NAME field, and select Next.

    Figure 4: Choose the USER PRINCIPAL NAME

    Note: If the UPN suffix in AWS Managed Microsoft AD doesn't match your Azure AD domain, you can add a new UPN suffix to AWS Managed Microsoft AD. After adding the new UPN suffix to AWS Managed Microsoft AD, you can update your users' UPNs to use it. The UPN attribute format combines the user's logon name and the UPN suffix. The UPN suffix is your AWS Managed Microsoft AD domain name.

    In the following example, from the Account tab of the user properties in the Active Directory Users and Computers tool, the user's UPN is awsuser@awsexample.com. The UPN is formed by combining the User logon name, awsuser, and the UPN suffix, @awsexample.com.

    Figure 5: Example user properties

  11. On the Domain and OU filtering page, select Sync selected OUs and domains, select the Users OU under your NetBIOS OU, and then select Next.

    Note: AWS Managed Microsoft AD stores your users and computers under a separate OU named after your domain's NetBIOS name.

    Figure 6: Domain and OU filtering

  12. On the Uniquely identifying your users page, select Next.
  13. On the Filter users and devices page, select Next.
  14. On the Optional features page, select Next.
  15. On the Ready to configure page, select Start the synchronization process when configuration completes, and select Install.
  16. Select Exit. Your Azure AD Connect installation is complete.

Note: By default, the Azure AD Connect sync scheduler runs every 30 minutes to synchronize your AWS Managed Microsoft AD identities to Azure AD. You can change this schedule using PowerShell. For more information, read Azure AD Connect sync: Scheduler.

Tip: If you need to synchronize a change immediately, you can manually start a sync cycle outside the scheduled sync cycle from the Azure AD Connect sync server. Open a Windows PowerShell session as an administrator and run the following Windows PowerShell commands:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
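The UPN note in Step 3 says you can re-point users' UPNs at a suffix that matches your verified Office 365 domain, and the tip above shows how to push a change without waiting for the scheduler. The following PowerShell is an added example that ties the two together; it is not part of the original post. The OU distinguished name is an assumption, `awsexample.com` is the suffix from the post's Figure 5, and the `-Apply` switch is a convention of this example.

```powershell
# Added example (not from the original post): report users under the synchronized
# Users OU whose UPN suffix does not match the domain verified in Office 365, and
# optionally rewrite them. Run on a domain-joined host with the AD module installed.
Import-Module ActiveDirectory

function Update-UpnSuffix {
    param(
        [Parameter(Mandatory)] [string]$UsersOuDn,       # the OU scoped in Step 3, item 11
        [Parameter(Mandatory)] [string]$VerifiedSuffix,  # must already exist as a UPN suffix in AD
        [switch]$Apply                                   # without -Apply the function only reports
    )
    # Only users below the OU that Azure AD Connect synchronizes are considered.
    $users = Get-ADUser -SearchBase $UsersOuDn -Filter * -Properties userPrincipalName
    foreach ($u in $users) {
        $current = $u.UserPrincipalName
        $desired = '{0}@{1}' -f $u.SamAccountName, $VerifiedSuffix
        # Skip users whose suffix already matches (case-insensitive compare).
        if ($current -and $current.Split('@')[-1] -ieq $VerifiedSuffix) { continue }
        [pscustomobject]@{ User = $u.SamAccountName; CurrentUpn = $current; DesiredUpn = $desired }
        if ($Apply) {
            # UPNs must be unique in the forest; Set-ADUser throws if $desired is already taken,
            # which is the right outcome: a duplicate UPN would also be rejected by Azure AD Connect.
            Set-ADUser -Identity $u -UserPrincipalName $desired
        }
    }
}

# 1. Report only. Placeholder OU path is an assumption; replace with your own values.
Update-UpnSuffix -UsersOuDn 'OU=Users,OU=<NetBIOS name>,DC=<domain>,DC=<com>' -VerifiedSuffix 'awsexample.com'

# 2. When the report looks right, apply the change:
# Update-UpnSuffix -UsersOuDn 'OU=Users,OU=<NetBIOS name>,DC=<domain>,DC=<com>' -VerifiedSuffix 'awsexample.com' -Apply

# 3. On the Azure AD Connect server, push the change to Azure AD now rather than at the next cycle:
# Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta
```

Because Azure AD Connect was configured to match on userPrincipalName (Step 3, item 10), a UPN that does not end in a verified Office 365 domain is the most common reason a synchronized user cannot sign in, so the report-only run is worth keeping as a routine check.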

Step 4: Use an AWS Managed Microsoft AD user account to sign in to Office 365

The following steps explain how to assign a license to an AWS Managed Microsoft AD user account, and then use that account to sign in to Office 365 with its UPN.

  1. Use a browser to access the Office 365 admin center using your global administrator account.
  2. Assign a license to a user you created in your AWS Managed Microsoft AD directory.
  3. Sign in with the AWS Managed Microsoft AD user account at https://portal.office.com.

You've successfully configured Azure AD Pass-through Authentication and used it to sign in to Office 365 with your AWS Managed Microsoft AD user account!

Note: You can configure Azure AD smart lockout to complement your AWS Managed Microsoft AD password policies.

Summary

In this post, we showed you how to use Azure AD Connect to synchronize user names from your Active Directory in AWS into Azure AD so that Office 365 can use those identities. You enabled Azure AD Pass-through Authentication to authenticate the identities against your AWS Managed Microsoft AD directory without passwords being synchronized to or stored in Azure AD or Office 365.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Directory Service forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Darryn Hendricks

Darryn is a Senior Cloud Support Engineer for AWS Single Sign-On (SSO) based in Seattle. He is passionate about cloud computing, identities, automation, and helping customers leverage these key building blocks when moving to the cloud. Outside of work, he loves spending time with his wife and daughter.

Author

Rogier van Geest

Rogier is a Senior Specialized Solution Architect for Microsoft Workloads on AWS who loves to help customers move the needle on their migrations into the AWS Cloud. In his free time, Rogier is a foodie who enjoys preparing a new meal every day.