One of the most common questions driven by the push to the cloud is: how do I get my on premise accounts working with the cloud services I am using now?
From the perspective of Microsoft Dynamics CRM (though not only there), SMBs typically have an on premise infrastructure with a local Active Directory setup. For those that have not yet embraced Office 365 but want to take advantage of Microsoft Dynamics CRM, this process might seem a little daunting. Yet it need not be.
Directory integration is the way to tackle scenarios where an on premise directory service needs to integrate with Microsoft Azure Active Directory, aka Microsoft Azure AD. Some of the benefits touted by Microsoft for this hybrid deployment scenario are:
- Simplified administration
- Streamlined sign-in experience
- Unified administration experience for both user and device identities
- Unified application administration
- Leverage single sign-on to cloud based solutions
Specific scenarios are supported for a hybrid identity infrastructure. Choosing one of the supported scenarios depends on the type of service you want to offer your users. The following table provided by Microsoft at https://msdn.microsoft.com/en-us/library/azure/jj573649.aspx describes the difference between two common deployment scenarios. But let’s first have a look at the available options.
Directory sync (directory synchronization, DirSync) is the configuration that allows management of directory objects from your on premise Active Directory. The changes are synchronized up to your tenant.
The downside to this approach is that users will have separate user IDs and passwords between the on premise and cloud services. Not ideal, other than for the unified administration experience.
DirSync with Password Sync
As the next step up from plain vanilla directory sync, DirSync with password sync allows users to use the same username and password across all services, cloud based and on premise. This already makes life easier for users by removing the need to memorize another username and password. It also leverages the same unified administration experience, making it easy enough for administrators to deal with account changes.
DirSync with Single Sign-On
Taking the previous scenario a step further, with DirSync with single sign-on users not only use the same account and password, but also get seamless authentication with cloud services when locally logged in with those credentials. This means no authentication prompts at all when accessing both local and cloud resources with your Active Directory account credentials.
The setup in this scenario is a little more complex, requiring the organization to have not only the typical on premise Active Directory, but also to provide a security token service hosted on premise. Typically this is ADFS (Active Directory Federation Services).
From a Dynamics CRM perspective, you will require this setup anyway if you intend to deploy your on premise hosted Dynamics CRM in an IFD (Internet Facing Deployment) scenario.
Multi-forest DirSync with Single Sign-On
Extending the previous scenario, this one requires a similar setup but offers synchronization across multiple forests. The Active Directory structure is typically composed of a few logical components, including Organizational Units (OUs), domains, domain trees and forests. For details on the structure and components of Active Directory you can have a quick look at the following link, but it is advisable to talk to an AD expert for deployment/configuration.
With all this information in mind, when embarking on the journey to extend your services to the cloud, consider what type of Hybrid Identity Infrastructure you need to implement. Err on the side of caution, and go with the minimum required scenario.
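To tell which of the scenarios above a tenant actually sits in, and to catch password sync that has silently stalled (which leaves cloud passwords drifting away from on premise ones), here is an added check that is not from the original post. It assumes the MSOnline PowerShell module and an existing Connect-MsolService session; the function name and the 3-hour staleness threshold are my own choices.

```powershell
# Added example, not part of the original post. Assumes the MSOnline module
# is installed and Connect-MsolService has already been run with an account
# that can read tenant and domain settings.

function Get-HybridIdentityScenario {
    [CmdletBinding()]
    param(
        # Flag password sync as stale when the last sync is older than this.
        [int]$MaxPasswordSyncAgeHours = 3
    )

    $company = Get-MsolCompanyInformation
    $domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }

    # A federated domain means an on premise STS (typically ADFS) issues the
    # tokens, i.e. the "DirSync with Single Sign-On" scenario for that domain.
    $federated = @($domains | Where-Object { $_.Authentication -eq 'Federated' })

    if (-not $company.DirectorySynchronizationEnabled) {
        $scenario = 'Cloud-only (no directory sync)'
    }
    elseif ($federated.Count -gt 0) {
        $scenario = 'DirSync with Single Sign-On (federated)'
    }
    elseif ($company.PasswordSynchronizationEnabled) {
        $scenario = 'DirSync with Password Sync'
    }
    else {
        $scenario = 'DirSync only (separate cloud passwords)'
    }

    # Defender check: if password sync stopped, on premise disables and
    # resets no longer reach the cloud accounts.
    $passwordSyncStale = $false
    if ($company.PasswordSynchronizationEnabled -and $company.LastPasswordSyncTime) {
        $age = (Get-Date).ToUniversalTime() - $company.LastPasswordSyncTime
        $passwordSyncStale = $age.TotalHours -gt $MaxPasswordSyncAgeHours
    }

    [pscustomobject]@{
        Scenario             = $scenario
        DirSyncEnabled       = $company.DirectorySynchronizationEnabled
        LastDirSyncTime      = $company.LastDirSyncTime
        PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $company.LastPasswordSyncTime
        PasswordSyncStale    = $passwordSyncStale
        FederatedDomains     = ($federated | ForEach-Object { $_.Name }) -join ', '
    }
}

Get-HybridIdentityScenario | Format-List
```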
Azure AD Connect is the newest kid on the block among hybrid integration tools. For an introduction to the tool, as well as a link to a comparison of the other tools, see the following knowledge base (KB) article in the official documentation:
NOTE: This has been an awareness overview; always involve your AD administrator or an AD expert when making any changes to your Active Directory infrastructure.