Monthly Archives: November 2013

How to Manage Azure with On-Premise Active Directory

When you sign up for a Windows Azure account, by default it creates an instance of Active Directory that resides only in Windows Azure, called Windows Azure Active Directory (WAAD). This is the same infrastructure that underlies Office 365. This blog post describes how to change Azure to use your existing Office 365 WAAD instance. You can then take advantage of your existing DirSync and ADFS servers to sign in to the Azure Management Portal rather than using a Microsoft Account (formerly Windows Live ID).

This is ideal for large enterprise customers who desire to have all authentication performed from Active Directory, so that if administrators leave the organization, they have one place to disable the account rather than multiple places.

For a quick 10 minute video overview of how this works, I recommend watching "What is Windows Azure Active Directory".

The first step is to sign into the Windows Azure Management Portal:

https://manage.windowsazure.com

Then click on Active Directory from the left navigation menu, and then click Add.


You then choose ‘Use existing directory’


Then check the box ‘I am ready to be signed out now’


You will then be directed to a login page to sign in with your Office 365 organization ID (which should authenticate you with ADFS if you have that enabled).

If you are managing your Windows Azure Subscription with a Microsoft Account (Formerly Windows Live ID) rather than an Organizational ID, then you will be prompted for confirmation that you are okay granting your Microsoft Account (Formerly Windows Live ID) with Organizational Admin rights over your Office 365 directory.

The next step is to click on the Settings icon on the left navigation pane in the Azure Management Portal.


Then click on the subscription whose directory you want to change to the new Office 365 WAAD directory.


You can then change the directory


Note: The behavior of this screen is a little different than what you may expect. For example, in the drop-down box I was expecting to see a list of all my directories and then I could select the one I wanted. Instead, it assumes you don’t want to select your existing directory and so that option won’t be listed.

Adding an Administrator

Adding an administrator is the same as before but now you have the option of selecting the Organizational ID as an option.


That’s it – you can now sign in using ADFS to manage Azure.

Configuring Windows Azure Active Directory for 3rd Party Single Sign-On

You can add 3rd party applications like Yammer, Twitter, Skype, etc. to be enabled for Single Sign-On using WAAD integrated with your on-premises Active Directory. Users can access these applications through the new Azure Access Panel.

Windows Azure AD supports two different modes for signing onto 3rd party applications:

  • Federation using standard protocols
  • Password-based single sign-on

Federation-based single sign-on

Configuring Federation-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Windows Azure AD using the user account information from Windows Azure AD. In this scenario, when you have already been logged into Windows Azure AD, and you want to access resources that are controlled by a third-party SaaS application, federation eliminates the need for a user to be re-authenticated. Federated SSO is available for end user browsers which support JavaScript and CSS.

In this release of WAAD, the following applications support Federation-based SSO:

  • Box
  • Citrix GoToMeeting
  • Google Apps
  • Salesforce
  • Workday
  • Office 365 Exchange Online and SharePoint Online

Password-based single sign-on

Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Windows Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Windows Azure AD collects and securely stores the user account information and the related password.

Password-based SSO relies on a browser extension to securely retrieve the application and user specific information from Windows Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Windows Azure AD support this feature.

For password-based SSO, the end user's browser can be:

  • IE 8, IE9 and IE10 on Windows 7 or later
  • Chrome on Windows 7 or later, or on MacOS X or later

Testing out Yammer with Password-based single sign-on

To try it out, I am going to add Yammer to the Active Directory applications. In this release of WAAD, Yammer only supports ‘Password-based single sign-on’ and not Federation-based SSO.


Note: If you already have ADFS on-premise, that is the recommended SSO integration for Yammer, as that is a better end-user experience than Password-based SSO. For information on configuring Yammer with your on-premise ADFS, see the Yammer SSO Implementation guide here: http://success.yammer.com/wp-content/uploads/2012/06/SSO-Implementation-Guide.pdf 


The first step is to add Yammer to my Applications. So within Azure, click on the Active Directory icon from the left navigation pane

Then click on the Directory that you just added.

Then click on the Applications tab

Then click Add

Select ‘Add an application for my organization to use’

Click on the Social Category and select Yammer

After adding Yammer, the next step is to choose which users will be assigned this application for SSO on their Access Panel.

As of this writing I am not aware of any PowerShell cmdlets for automating the assignment of users to applications. I checked the WAAD PowerShell reference, which is where I would have expected to find those commands. Please email me at Joe.Stocker AT CatapultSystems.com if you are aware of cmdlets to manage this and I will update this post. Thanks!

http://technet.microsoft.com/en-us/library/jj151815.aspx#BKMK_sso 


After highlighting one or more users, click the Assign button at the bottom of the screen.

You will be prompted with an option of entering their Yammer credentials on their behalf. Otherwise the user will have the option of entering their password themselves later.

Note: The Access Panel is a web-based portal that allows an end user with an organizational account in Windows Azure Active Directory to view and launch cloud-based applications to which they have been granted access by the Windows Azure AD administrator. For more information about the Access Panel see http://technet.microsoft.com/en-us/library/dn308586.aspx

During the preview period for Access Panel, the following URL must be distributed to all users who will be signing into applications integrated with Windows Azure AD.

https://account.activedirectory.windowsazure.com/applications

For example, for my user account, I have access to Exchange Online, SharePoint Online and Yammer. Therefore I see all three applications on my Access Panel.

I can then click on the settings icon in the bottom-right of Yammer to configure my current Yammer username and password.

When clicking Update Credentials I am then prompted to install some software.

This will prompt the user to download ‘Access Panel Extension.msi’ (1.53MB)

You are then brought to a post-installation screen that reminds you to enable the add-on when prompted.

In my case, running Internet Explorer 11 on Windows 8.1, I had to manually enable the Add-on.

Now when I go back to step 1 to store my Yammer credentials, it allows me to do so.

Now when I click on the Yammer Icon, I am brought right into Yammer with no prompts.


Note: If a user’s credentials change in a Password-based single sign-on application like Yammer, the user must update their credentials in the lower-right of the application tile, and select “update credentials” to re-enter the username and password for that application.

The RMS Sharing Application (Preview) in 3 steps

Update: the RMS Sharing Application is now generally available (as of November 19th)! It was still in preview when this was written, but you could already evaluate it; it was expected to be released in Q4 2013. It allows you to share any file on any computer or mobile device.

This blog article walks you through the easy steps to get started with RMS Application Sharing.

Step 1 – Browse to https://portal.aadrm.com

After signing in with your existing Office 365 tenant username and password, you can then select the setup program to download based on the device type you want to install this application on.

For this blog, I clicked on the Windows icon.

This downloads a 50 MB zip file named “Microsoft Rights Management sharing application x64.zip”
Simply unzip and run setup.exe, and step through a 1 step setup program to configure RMS Application Sharing.

You must restart your computer after the installation before you can begin protecting content.

The installation installs four components into Programs and Features.

After a restart, you can now right-click on any file on your computer and either protect it in-place, or you can immediately share it with anyone [with a business email account].  Currently you can only share files with a business email account. Consumer email accounts should be available soon.
http://technet.microsoft.com/en-us/dn467883

For example, you can right-click on a PDF file and select 'Share Protected' from the Windows Explorer context menu.

This brings up the common API for Application Sharing that will be consistent on any computer or mobile device since it all connects through the same SDK.

It then creates an email message with the file name appended with a .pfile extension.

If you send a file that is not able to be opened with an application that is RMS aware, then the notification that the recipient receives is that they are essentially under the honor system. For example, Adobe Reader doesn’t have the ability to manage the rights that the sender of the file is requesting.

So it seems that the potential of the new RMS capability is limited by the applications vendors that embrace and adopt the new RMS SDK. Right now that would be Microsoft Office 2010, 2013 and Foxit PDF Reader. The Foxit RMS Plug-in to the Foxit Enterprise Reader requires a paid license to integrate Foxit Enterprise Reader with AD RMS.
http://officepreview.microsoft.com/en-us/sharepoint-help/sharepoint-compatible-pdf-readers-that-support-microsoft-information-rights-management-services-HA102925502.aspx

Reference:

  • The new Microsoft RMS is live in preview: http://blogs.technet.com/b/rms/archive/2013/08/29/the-new-microsoft-rms-is-live-in-preview.aspx
  • Microsoft Information Protection Viewer User's Guide: http://go.microsoft.com/fwlink/?LinkId=302325
  • Microsoft Information Protection Viewer Administrator's Guide: http://go.microsoft.com/fwlink/?LinkId=302329
  • Foxit Reader RMS plug-in: http://www.foxitsoftware.com/landingpage/2012/07/Reader-Ads-RMS/?action=success&language=en-us

Enable AADRM in Exchange Online in 2 easy steps

On November 5th, 2013 Microsoft announced the general availability of a hosted version (SaaS) of Rights Management, called Windows Azure AD Rights Management (AADRM).

Azure RMS is now included in the Office 365 E3, E4, A3 and A4 plans, or you can purchase Azure RMS as a standalone subscription.

To license a user for AADRM, just assign an Office 365 license as you would an Exchange Online license.

I have previously written about the new AADRM in August, and I just finished a post about enabling it for SharePoint Online.

In this post, I will show you how simple it is to enable AADRM for your Exchange Online tenant. It is assumed that IRM has been activated in your tenant, if not, follow the first step in the post referenced above for SharePoint Online.

1. Connect to your Exchange Online account by using Windows PowerShell. View the reference links below if you need help with this step. Better yet, stop here if you are not sure how to do this step.

2. Run the following commands to enable Rights Management within Exchange Online (prerequisite: the Azure RMS Admin Tool).


That’s it! IRM is now enabled for Exchange Online!


Recommendation

As a best practice, it is a good idea to run a get command before you run a set command, so that you can validate that the set command made the change you wanted and so that you have a reference in case you need to roll back. Here are the results of the Get-IRMConfiguration command I ran prior to running the set command.

Before RMS is enabled, the Outlook Web App interface does not allow a user to protect content within OWA.

After RMS is enabled through the PowerShell command above, the user who has been granted the RMS license through the Office 365 portal will now see the following within Outlook Web App. Note: this can take several hours before it appears.
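As an added example (not the post's own command listing, which is not reproduced here), this is the get-before-set sequence a tenant admin would typically run with the Exchange Online IRM cmdlets, saving the "before" state so the change can be verified and rolled back. The 2013-era remote PowerShell connection is assumed, the key-sharing URL and sender address are placeholders, and IRM is assumed to be already activated in the tenant as the post requires.

```powershell
# Added example: enable Azure RMS (AADRM) for Exchange Online with a saved "before" state.
# Assumes Exchange Online remote PowerShell and that IRM is already activated in the tenant.

# Step 1: connect to Exchange Online (prompts for a tenant admin credential).
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# Recommendation from the post: run the "get" before the "set" and keep the output
# as a rollback reference.
$before = Get-IRMConfiguration
$before | Export-Clixml -Path "$env:TEMP\IRMConfiguration-before.xml"
$before | Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation, LicensingLocation

# Step 2: point Exchange Online at the Azure RMS key-sharing location for your region
# (placeholder URL; take the region-specific value from Microsoft's AADRM documentation),
# import the RMS Online trusted publishing domain, then enable internal licensing.
$keySharingLocation = 'https://<region-specific-aadrm-endpoint>/TenantManagement/ServicePartner.svc'
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocation
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verify: show only the properties that changed relative to the saved state, then
# exercise the configuration for a licensed mailbox (placeholder sender address).
$after = Get-IRMConfiguration
Compare-Object -ReferenceObject $before -DifferenceObject $after `
    -Property InternalLicensingEnabled, RMSOnlineKeySharingLocation
Test-IRMConfiguration -Sender 'user@contoso.example'

# Rollback, if needed: restore the licensing setting captured before the change.
# $saved = Import-Clixml -Path "$env:TEMP\IRMConfiguration-before.xml"
# Set-IRMConfiguration -InternalLicensingEnabled $saved.InternalLicensingEnabled

Remove-PSSession $session
```

Test-IRMConfiguration reports whether the mailbox can obtain RMS licenses, which is the check to run before expecting the protect options to show up in Outlook Web App.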


Reference

http://blogs.technet.com/b/rms/archive/2013/11/11/office-365-information-protection-using-azure-rights-management.aspx