Extending on-premises identities to the cloud

Categories: Cloud Infrastructure
Tags: Microsoft Azure
SUR18_SurfaceHolidayFamily_Attract_001

I wrote last week about Wingtip Toys, who as a company have challenges around cloud identity. You can catch up with this blog here, Vuzion’s Will Jones blogs on Cloud Identity.

The challenge I want to talk about solving today, is how to extend their existing on-premises identities to the cloud.

As a reminder, Wingtip has 3,000 users, all in an on-premises Active Directory Domain Services (ADDS). These users are located both externally and internally, with their bespoke applications, currently hosted on-premises.

As the company branches out they want to start using cloud identity for new applications developed in Azure – mindful of the potential impact on users, especially for those using both legacy and on-premises applications.

This is where Azure AD Connect comes in

Azure AD Connect allows you to integrate on-premises identity with Azure AD. Essentially, users and groups that exist in ADDS are automatically created and updated in Azure AD, including a user’s password. There is also the ability to provide password write-back. A user can change their password in Azure AD, and it will be synced back to ADDS.

This is ideal for Wingtip Toys. However, as they have such a large external user base in their ADDS instance, synchronizing all these users into their tenant could become unmanageable and present its own challenges. 

Therefore, Wingtip Toys are going to create two tenants. One is their business tenant Wingtiptoys.com. This tenant is the identity service for everything Wingtip utilise within the Microsoft cloud, from Office 365 to Azure. The second tenant will contain all external users.

Azure AD Connect supports synchronizing to multiple Azure AD Tenants, so long as the objects themselves do not exist in more than one tenant at a time – as per this diagram from Microsoft Docs.
So, Wingtip Toys will end up with two tenants – one for their internal users, and one for their external users.

How will it help Wingtip achieve goals?

Well, Wingtip can now start developing applications that leverage Azure AD for authentication. Their new cloud applications will outsource their authentication, configured as a multitenant application, so users in both tenants can authenticate. The same identity can be used for both on-premises and new cloud applications. They can even enable self-service password reset for those external users. Users can login to both the on-premises and cloud applications with the same username/password, without recoding the old applications.

If you are wondering about outsourced identification, then I will cover this in more detail in part 3 of this series about cloud identity, when I look at integrating Azure AD identity into an application for Wingtip Toys.

Wingtip Toys is now at stage one of their Identity journey. Further challenges still to be solved include for business to business identity, automated signup and partner security policies. These will all be resolved as we continue this identity Journey.

Related Articles

FSLogix - improving the user profile experience for Windows Virtual Desktop ...

FSLogix was acquired by Microsoft in late 2018 and they now provide it to properly licensed WVD users for no additional cost.

Important notification for all CSP re-sellers

All VAR and MSPs that have CSP reseller accounts with Microsoft need to transition to Microsoft Partner Centre before 31 January 202...

How thinking holistically about Azure can instigate change within your busin...

Many partners now seek a re-engineered solution for customers, enabling them to become more efficient and save money.

Acronis Cyber Cloud 8.0 - What's new?

With Acronis Cyber Cloud 8.0, Acronis are making managing cyber protection easier, more efficient, and even more secure for all envi...