Can I use Office365 or Azure AD as master record for Active Directory?


Solution 1

Short answer: No. However, as @Nathan-C described, you can stand up the required services using Azure IaaS (either DC+DirSync+ADFS or DC+DirSync with password sync) in order to achieve single sign-on between your Office365 apps and your on-prem apps. You would need to deploy a VPN link between Azure and your local network.

Azure AD is NOT "regular" Active Directory.

Solution 2

Microsoft recently started offering actual Active Directory services in Azure: https://azure.microsoft.com/en-us/services/active-directory-ds; if you only need centralized authentication, they can fully replace a local AD.

Solution 3

All of this information is old; I just wanted to help someone that was looking for it. Today, 10/25/2016, I have 20 or so Windows 10 laptops that connect to and work with Azure AD services directly. It integrates and works perfectly with O365 and many other "cloud" services from Microsoft.

Author: Adrian Hope-Bailie

Updated on September 18, 2022

Comments

  • Adrian Hope-Bailie (almost 2 years ago)

    We have a small business and currently don't have a need for a domain within our office. We have a basic network and a single server running Windows Server 2008 R2 with some file shares and 3rd party apps.

    We use Office 365 and have a Windows Azure subscription. The two seem to be keeping the Active Directory for our organisation in sync pretty well (i.e. the data looks the same on both systems).

    All of the third party apps we run on our app server support LDAP as an identity provider, but because we don't run a domain we are having to get each user to create a new login/password for these services.

    Ideally we'd like to get this server to sync from Azure/Office 365 and allow users to then authenticate using their Office365 credentials.

    All of the literature I have found talks about synchronising FROM on-premise to Azure, but we'd like to rather sync FROM Azure/Office 365 to our on-premise server. I guess our on-premise server becomes a federated identity provider for our Office 365 directory...

    Is this possible, or do we need some 3rd party LDAP provider that can federate identities from Azure or Office 365?

    • Nathan C (over 10 years ago)
      If you're running AD in Azure, you can just run requests against that DC. You may need a VPN to link your network with Azure, though.
    • Nathan C (over 10 years ago)
      @MDMarra Ah, learned something from someone else's question. :)
    • MDMarra (over 10 years ago)
      @NathanC yeah, Azure AD is something that exists in Azure and is accessible through a web interface for managing users, groups, and DirSync for use with Office 365 and Intune. It's not an actual server that you can log into interactively. It's some multitenant Microsoft AD variant with some web front-end special sauce.
    • aSkywalker (about 10 years ago)
      Adrian - what did you end up doing? We are considering a similar route; curious how it ended up working out for you?
    • Adrian Hope-Bailie (about 10 years ago)
      @aSkywalker - We ended up integrating the third party apps using different SSO mechanisms that are exposed by Azure AD. Once you have Azure AD it can act as a federated ID provider for OAuth2, SAML etc., so you aren't limited to LDAP.
    • Igor Gatis (about 9 years ago)
      I wonder whether one could set up a DC in a VM with DirSync and have a replica DC on-premise connected through a point-to-site connection. Would that work?
  • Adrian Hope-Bailie (over 10 years ago)
    Thanks, I suspected this was the case. What we have managed to do is configure most of our 3rd party apps to use OAuth2 for identity provision. We then installed the auth0 service from the Azure store and set up our Azure AD as an enterprise identity provider (connection) for the auth0 service. The 3rd party apps now use auth0 as ID provider, which federates to our Azure AD. (Hope I got my terminology right, but basically the apps use OAuth2 to authenticate against auth0, which "proxies" our Azure AD.)
  • Adrian Hope-Bailie (over 10 years ago)
    Another comment on the proposed solution: We don't want to do this because we 1) like using Office 365 to manage our users, and 2) don't actually want to force our users to log in to a domain, which I assume implementing a DC would involve.
  • user596502 (over 10 years ago)
    1) is a fair point. 2) seems a bit unclear to me. If you mean implementing domain-joined workstations, there is no requirement to do this if you're implementing any of the DirSync options.
  • Adrian Hope-Bailie (over 10 years ago)
    Is it possible to install DirSync on a DC? I think I read somewhere that it's not?
  • user596502 (over 10 years ago)
    With the newest version of DirSync, you can install it onto a DC. It used to be the case that you couldn't.
  • Kevin Tianyu Xu (over 8 years ago)
    However, starting from Windows 10, client machines can domain-join to Azure AD.
  • JP Hellemons (about 8 years ago)
    @KevinTianyuXu do you have a source for that? Because that sounds great.
  • Frederik (almost 8 years ago)
    @JPHellemons - The TechNet article here explains how to set it up.
  • user228546 (over 6 years ago)
    So your servers are able to join the Azure domain without a local AD / DC?
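The thread ends with Azure AD acting as an OAuth2 federated identity provider for third-party apps, alongside the note that it is a multitenant service. The check an app on that path needs is shown here in Python as an added example (not code from the question or any answer): it pins a verified Azure AD token's claims to one tenant and one audience, since a token from any other tenant carries an equally valid Microsoft signature. The tenant id, audience and claim values are constructed placeholders; signature verification against the tenant's published signing keys is assumed to have been done already by a JWT library.

```python
import time

# Issuer forms Azure AD uses for a tenant's tokens (v1.0 and v2.0 endpoints).
AAD_ISSUER_FORMATS = (
    "https://sts.windows.net/{tid}/",
    "https://login.microsoftonline.com/{tid}/v2.0",
)


def validate_aad_claims(claims, expected_tenant, expected_audience, now=None, skew=120):
    """Return (ok, reason) for the claims of a signature-verified Azure AD token.

    Signature checking is assumed to have happened already (e.g. in a JWT
    library); this only enforces the claims a single-tenant app must pin.
    """
    now = time.time() if now is None else now

    # Tenant pinning: Azure AD is multitenant, so a syntactically and
    # cryptographically valid token can come from any tenant on earth.
    tid = claims.get("tid")
    if tid != expected_tenant:
        return False, "tenant mismatch"

    # The issuer must be one of the known Azure AD issuer forms for that tenant.
    if claims.get("iss") not in {f.format(tid=tid) for f in AAD_ISSUER_FORMATS}:
        return False, "issuer mismatch"

    # Audience: a token minted for another app in the same tenant is not ours.
    aud = claims.get("aud")
    aud_ok = expected_audience in aud if isinstance(aud, list) else aud == expected_audience
    if not aud_ok:
        return False, "audience mismatch"

    # Lifetime, with a small clock-skew allowance.
    try:
        exp = float(claims["exp"])
        nbf = float(claims.get("nbf", 0))
    except (KeyError, TypeError, ValueError):
        return False, "missing or malformed exp/nbf"
    if now > exp + skew:
        return False, "token expired"
    if now < nbf - skew:
        return False, "token not yet valid"
    return True, "ok"


# Constructed sample claims (placeholder tenant id and audience, not real values).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_AUDIENCE = "api://example-third-party-app"
SAMPLE_CLAIMS = {
    "tid": SAMPLE_TENANT,
    "iss": "https://login.microsoftonline.com/" + SAMPLE_TENANT + "/v2.0",
    "aud": SAMPLE_AUDIENCE,
    "nbf": 1000,
    "exp": 2000,
}
```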