Integration with Active Directory

%3CLINGO-SUB%20id%3D%22lingo-sub-2588940%22%20slang%3D%22en-US%22%3EIntegration%20with%20Active%20Directory%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2588940%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20a%20client%20ask%20me%20this%20question%20and%20I%20couldn't%20answer%20it%20(or%20find%20out%20how%20to%20do%20it%20on%20google).%3C%2FP%3E%3CP%3EHere's%20the%20scenario%3A%3CBR%20%2F%3E1.%20Client%20has%20his%20own%20local%20domain%20(*.local)%20that%20is%20NOT%20exposed%20to%20the%20internet%3CBR%20%2F%3E2.%20Users%20bring%20their%20own%20laptops.%20They%20can%20log%20in%20to%20their%20laptops%20via%20their%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Foutlook.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eoutlook.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Epin%20(when%20the%20setup%20the%20laptop).%3CBR%20%2F%3E3.%20These%20users%20do%20get%20authenticated%20to%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Foutlook.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eoutlook.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Edomain%20(or%20however%20that%20works).%3C%2FP%3E%3CP%3EWhat%20he%20wants%20to%20do%20is%20setup%20share%20and%20folder%20permissions%20based%20on%20those%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Foutlook.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eoutlook.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eid's.%3C%2FP%3E%3CP%3EMy%20first%20thought%20was%20some%20kind%20of%20Federated%20services%20between%20his%20local%20AD%20and%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Foutlook.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eoutlook.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E(one%20way%2C%20from%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Foutlook.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eoutlook.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eto%20his%20local%20AD).%20Struck%20out%20on%20finding%20anything%20there.%3C%2FP%3E%3CP%3ESecond%20thought%20was%20created%20AD%20uid%2Fpwd%20and%20%22SSO'ing%22%20them%20with%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Foutlook.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eoutlook.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EID.%20Couldn't%20figure%20that%20one%20out%20either.%3C%2FP%3E%3CP%3EAnyone%20got%20any%20ideas%3F%20Is%20it%20even%20possible%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2588940%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2589594%22%20slang%3D%22en-US%22%3ERe%3A%20Integration%20with%20Active%20Directory%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2589594%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1113160%22%20target%3D%22_blank%22%3E%40Michael185%3C%2FA%3E%26nbsp%3BUsually%20you'd%20set%20up%20Azure%20AD%20Connect%20or%20Azure%20AD%20Cloud%20Sync%20to%20enable%20hybrid%20identities.%20This%20would%20synchronize%20the%20users%20in%20the%20local%20Active%20Directory%20into%20Azure%20AD%2C%20which%20is%20used%20to%20power%20services%20like%20Exchange%20Online.%20You%20could%20do%20all%20kinds%20of%20fancy%20stuff%2C%20but%20in%20your%20case%2C%20if%20the%20idea%20is%20just%20to%20keep%20the%20users%20identity%20the%20same%2C%20above%20should%20work.%20Within%20the%20local%20domain%20the%20AD%20user%20can%20be%20used%20for%20sharing%20permissions%2C%20and%20the%20same%20username%20can%20be%20used%20to%20sign%20into%20eg.%20Exchange%20Online%2Fmail.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20more%20information%20on%20various%20topics%20related%20to%20hybrid%20identity%2C%20please%20have%20a%20look%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2596319%22%20slang%3D%22en-US%22%3ERe%3A%20Integration%20with%20Active%20Directory%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2596319%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20need%20to%20have%20the%20*.local%20domain%20run%20in%20%3CA%20href%3D%22https%3A%2F%2Fbit.ly%2F3xehegA%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EHybrid%20mode%3C%2FA%3E%20with%20outlook.com%20(Azure%2FOffice365).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20way%20to%20achieve%20that%20would%20be%20to%20use%20Hybrid%20Azure%20Active%20Directory%20join.%3C%2FP%3E%3CP%3EHowever%2C%20In%20order%20to%20configure%20Hybrid%20Azure%20Active%20Directory%20join%2C%20it%20is%20a%20necessary%20to%20meet%20the%20following%20requirements%3A%3C%2FP%3E%3CUL%3E%3CLI%3EAzure%20AD%20Connect%3C%2FLI%3E%3CLI%3EAccess%20to%20Credentials%20of%20Global%20Administrator%20for%20your%20Azure%20AD%20Tenant%3C%2FLI%3E%3CLI%3EEnterprise%20Administrator%20credentials%20for%20each%20of%20the%20forests%3C%2FLI%3E%3C%2FUL%3E%3CP%3EIn%20below%20documentation%2C%20it%20is%20important%20to%20note%20that%20configurations%20are%20based%20utilizing%20Wizard%20in%20Azure%20AD%20Connect.%20Moreover%2C%20in%20order%20to%20use%20Hybrid%20Azure%20AD%20join%2C%20it%20is%20required%20that%20the%20devices%20on%20which%20it%20is%20being%20employed%20would%20have%20access%20to%20the%20following%20Microsoft%20Resources%20to%20organization%E2%80%99s%20network.%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fenterpriseregistration.windows.net%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fenterpriseregistration.windows.net%3C%2FA%3E%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%3C%2FA%3E%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdevice.login.microsoftonline.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdevice.login.microsoftonline.com%3C%2FA%3E%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fautologon.microsoftazuread-sso.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fautologon.microsoftazuread-sso.com%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20order%20to%20further%20view%20the%20documentation%2C%20you%20can%20visit%20on%20Microsoft%E2%80%99s%20documentation%20link%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-managed-domains%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-managed-domains%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

I had a client ask me this question and I couldn't answer it (or find out how to do it on google).

Here's the scenario:
1. Client has his own local domain (*.local) that is NOT exposed to the internet
2. Users bring their own laptops. They can log in to their laptops via their outlook.com pin (when the setup the laptop).
3. These users do get authenticated to the outlook.com domain (or however that works).

What he wants to do is setup share and folder permissions based on those outlook.com id's.

My first thought was some kind of Federated services between his local AD and outlook.com (one way, from outlook.com to his local AD). Struck out on finding anything there.

Second thought was created AD uid/pwd and "SSO'ing" them with outlook.com ID. Couldn't figure that one out either.

Anyone got any ideas? Is it even possible?

2 Replies

@Michael185 Usually you'd set up Azure AD Connect or Azure AD Cloud Sync to enable hybrid identities. This would synchronize the users in the local Active Directory into Azure AD, which is used to power services like Exchange Online. You could do all kinds of fancy stuff, but in your case, if the idea is just to keep the users identity the same, above should work. Within the local domain the AD user can be used for sharing permissions, and the same username can be used to sign into eg. Exchange Online/mail.

 

For more information on various topics related to hybrid identity, please have a look here.

You need to have the *.local domain run in Hybrid mode with outlook.com (Azure/Office365).

 

One way to achieve that would be to use Hybrid Azure Active Directory join.

However, In order to configure Hybrid Azure Active Directory join, it is a necessary to meet the following requirements:

  • Azure AD Connect
  • Access to Credentials of Global Administrator for your Azure AD Tenant
  • Enterprise Administrator credentials for each of the forests

In below documentation, it is important to note that configurations are based utilizing Wizard in Azure AD Connect. Moreover, in order to use Hybrid Azure AD join, it is required that the devices on which it is being employed would have access to the following Microsoft Resources to organization’s network.:

 

In order to further view the documentation, you can visit on Microsoft’s documentation link:

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains