Mixed Office365 and Exchange enviornment?
-
@Dashrender As Scott says its risk and complexity. If your connection to ADFS goes (ISP failure, maintenance works etc) your users lose connectivity to 365 services. To have failover you are relying on low TTL DNS change/propagation or an expensive failover DNS solution.
Plus the cost of Windows licensing for proxy and ADFS devices, resources on the VM host or physical hardware. Then the cost of the same at your failover site
Removing it was one of my happier days...
-
All that makes me wonder if/when we can have AD in the cloud, either fully or hybrid, and be safe.
-
@Dashrender said:
All that makes me wonder if/when we can have AD in the cloud, either fully or hybrid, and be safe.
That's been available for a while. But the federation limitations remain. There is both traditional AD in the cloud (NTG runs that way) and Azure's cloud AD service. It is that cloud service that is being discussed binding to.
-
@Dashrender said:
What's so bad about ADFS?
When you enable ADFS, Office 365 passes authentication requests to your infrastructure. It isn't a sync or cache. If your infrastructure is down, your clients can't authenticate. Sure, you can set up a multi-site cluster for ADFS to mitigate that issue, but the effort doesn't match the reward in most cases. Using DirSync, you can sync users and passwords from your AD environment with 365, so that users can login with the same username and password, though it isn't true SSO.
-
@scottalanmiller said:
@Dashrender said:
All that makes me wonder if/when we can have AD in the cloud, either fully or hybrid, and be safe.
That's been available for a while. But the federation limitations remain. There is both traditional AD in the cloud (NTG runs that way) and Azure's cloud AD service. It is that cloud service that is being discussed binding to.
What about doing something crazy like setting up an RODC in Azure or AWS, and put ADFS on that? or skip ADFS altogether and use something like Pertino for logons.
the purchase of my question is more: What is a good way to have a distributed AD authentication scheme for a spread out network of mobile users? or if not mobile, in a setup where you don't want to pay for an onsite server (though if you're small enough, an on site small HP would be much cheaper in the long run, of course, not as protected as one in the Azure or AWS network)
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
All that makes me wonder if/when we can have AD in the cloud, either fully or hybrid, and be safe.
That's been available for a while. But the federation limitations remain. There is both traditional AD in the cloud (NTG runs that way) and Azure's cloud AD service. It is that cloud service that is being discussed binding to.
What about doing something crazy like setting up an RODC in Azure or AWS, and put ADFS on that? or skip ADFS altogether and use something like Pertino for logons.
the purchase of my question is more: What is a good way to have a distributed AD authentication scheme for a spread out network of mobile users? or if not mobile, in a setup where you don't want to pay for an onsite server (though if you're small enough, an on site small HP would be much cheaper in the long run, of course, not as protected as one in the Azure or AWS network)
Pertino can't help you extend to Office 365, not can a hosted AD somewhere. None of those solutions do anything but deploy more of what you already have. Office 365 needs a federated Azure instance and none of those address that, they are all just normal, every day AD.
-
@Dashrender said:
the purchase of my question is more: What is a good way to have a distributed AD authentication scheme for a spread out network of mobile users?
For that, unrelated to Office 365, we use Pertino and it works pretty well and gets better all of the time.
-
With all that in mind, would it better the just not worry about the logon syncing between your inhouse AD and O365, treat them as two separate things with two different logons?
-
@Dashrender said:
With all that in mind, would it better the just not worry about the logon syncing between your inhouse AD and O365, treat them as two separate things with two different logons?
No, just use DirSync instead of ADFS. All of the benefits, none of the risk.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
All that makes me wonder if/when we can have AD in the cloud, either fully or hybrid, and be safe.
That's been available for a while. But the federation limitations remain. There is both traditional AD in the cloud (NTG runs that way) and Azure's cloud AD service. It is that cloud service that is being discussed binding to.
What about doing something crazy like setting up an RODC in Azure or AWS, and put ADFS on that? or skip ADFS altogether and use something like Pertino for logons.
If you're considering this from a DR perspective, a regular DC in a hosted environment would make sense. That way, if your on-premise infrastructure is unavailable, you can carry on as usual. I use AWS for my geographically distributed AD in my test lab, I have a DC on each side of the country.
the purchase of my question is more: What is a good way to have a distributed AD authentication scheme for a spread out network of mobile users? or if not mobile, in a setup where you don't want to pay for an onsite server (though if you're small enough, an on site small HP would be much cheaper in the long run, of course, not as protected as one in the Azure or AWS network)
What are you currently using for VPN?
Azure AD at this point isn't the full AD that you're familiar with. It's a platform to connect applications to. If you want to use Azure and use it for full AD, you'll need to spin up a Windows Server instance on Azure and set it up as a DC.