Learning Objectives: - How to deploy Microsoft Azure AD Connect and AD Federation Services with AWS Directory Service for Microsoft AD - How to authenticate user access to Office365 using AWS Directory Service for Microsoft AD - How to design and deploy AWS Directory Service for Microsoft AD

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ron Cully, AWS Directory Service
October 27, 2017
How to Integrate AWS
Directory Service with
Office 365

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We Will Cover
What AWS Directory Service for Microsoft Active Directory Is
(AWS Microsoft AD)
Models for authenticating Office 365 with
Active Directory (AD) credentials
AWS Microsoft AD deployment models when using Office 365
Step-by-step set-up:
Use Azure AD Connect and Active Directory Federation Service
with AWS Microsoft AD

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What AWS Microsoft AD Is
AWS Managed, Actual Microsoft Active Directory
Windows 2012 R2 domain controllers (DC)
• ~3-click setup from Directory Service console
or script through API
• 2 DCs each in separate Availability Zones (AZs)
• Scale-out with additional DCs
• Dynamic DNS
• Compliance audited
• Healthcare Insurance Portability
and Accountability Act (HIPAA)
• Payment Card Industry (PCI)
Auth/
LDAP
Availability Zone
Private Subnet
10.0.2.0/24
EC2
App
Server
EC2
IIS
Server
AWS Managed
Services
D
C
AWS Managed
Microsoft AD
AD
Auth/
LDAP
Availability Zone
Private Subnet
10.0.2.0/24
EC2
App
Server
EC2
IIS
Server
AWS Managed
Services
D
C
AWS Managed
Microsoft AD
AD

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Microsoft AD: Shared Responsibilities
Customer - Administers
• Configure password policies
• Configure trusts (resource forest deployment)
• Configure Certificate Authorities (for LDAPS)
• Configure federation
• Administer users, groups, GPOs, other AD content
• Administration via Active Directory Users and
Computers (ADUC) and other standard AD tools
• Add domain controllers as needed
Amazon - Operates
• Multi-AZ deployment, patch, monitor,
DC recovery, snapshot, restore
Auth/
LDAP
Availability Zone
Private Subnet
10.0.2.0/24
EC2
App
Server
EC2
IIS
Server
AWS Managed
Services
D
C
AWS Managed
Microsoft AD
AD
Auth/
LDAP
Availability Zone
Private Subnet
10.0.2.0/24
EC2
App
Server
EC2
IIS
Server
AWS Managed
Services
D
C
AWS Managed
Microsoft AD
AD

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Microsoft AD: Two Editions
Enterprise
Edition
Standard
Edition
Storage Capacity 17GB 1GB
Performance
Optimized
100,000+
employees
Up to ~5,000
employees
Enterprise Edition = Standard Edition plus enterprise features
Currently same features
Priced per DC per hour (2 DC minimum)
30-day limited free trial

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Authentic ating Offic e 365 U s ing Ac tive D ir ec tor y
Model 1: Synchronized usernames and passwords
• Azure AD Connect synchronizes users and passwords to Azure AD
• Office 365 users log in to Azure AD with same username and password
• Issue: Requires domain admin privileges in AD; not possible with AWS Microsoft AD
Model 2: Synchronized usernames with pass-through authentication to AD
• Azure AD Connect synchronizes usernames to Azure AD
• Office 365 users log in to AD with their AD credentials
• Issue: Unsupportable by AWS while in preview
Model 3: Synchronized usernames with Active Directory Federation Service (AD FS) authentication
• Azure AD Connect synchronizes usernames to Azure AD
• Office 365 users log in to AD using federated authentication through AD FS
• Works with AWS Microsoft AD and also supports other SAML-based cloud applications

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Authentic ating Offic e 365 U s ing Ac tive D ir ec tor y
Model 1: Synchronized usernames and passwords
• Azure AD Connect synchronizes users and passwords to Azure AD
• Office 365 users log in to Azure AD with same username and password
• Issue: Requires domain admin privileges in AD; not possible with AWS Microsoft AD
Model 2: Synchronized usernames with pass-through authentication to AD
• Azure AD Connect synchronizes usernames to Azure AD
• Office 365 users log in to AD with their AD credentials
Model 3: Synchronized usernames with Active Directory Federation Service (AD FS) authentication
• Azure AD Connect synchronizes usernames to Azure AD
• Office 365 users log in to AD using federated authentication through AD FS
• Works with AWS Microsoft AD and also supports other SAML-based cloud applications

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Microsoft AD as a resource directory
Amazon
WorkSpaces
RDS for SQL
Server
Amazon
WorkDocs
Amazon
WorkMail
Amazon
QuickSight
AWS Management
Console
Amazon
Chime
Amazon
Connect
AWS Apps & Services
AWS Microsoft
AD Directory
Enable, Authenticate, &
Authorize
Manage,
Authenticate, & Authorize
Manage, Authenticate,
& Authorize
.NET
Applications
Server
SharePoint
Server
AD-aware Workloads
SQL ServerRemote
Desktop
Licensing
Manager
.NET SharePoint
SQL
Server
RD
Licensing
Enterprise
Certificate
Authority
Certificate
Services
On-Premises
Microsoft Active
Directory
On-Premises User
Credentials
Corporate Data
Center
SaaS Applications
Azure AD
SAML
Authenticate
Synchronize
Users
VPN
Direct
Connect
or
AD FS
Server
Azure AD
Connect
Server
Amazon
EC2
Amazon
Windows EC2
Instances
Amazon
Linux EC2
Instances

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Manage,
Authenticate, & Authorize
AWS Microsoft AD as a primary directory
Amazon
WorkSpaces
AWS Microsoft
AD Directory
RDS for SQL
Server
Amazon
WorkDocs
Amazon
WorkMail
Amazon
QuickSight
AWS Management
Console
Amazon
Chime
Amazon
Connect
AWS Apps & Services
.NET
Applications
Server
SharePoint
Server
AD-aware Workloads
SQL ServerRemote
Desktop
Licensing
Manager
.NET SharePoint
SQL
Server
RD
Licensing
SaaS Applications
Azure AD
Enable, Authenticate, &
Authorize
SAML
Authenticate
Synchronize
Users
Manage, Authenticate,
& Authorize
Enterprise
Certificate
Authority
Certificate
Services
Amazon
Windows EC2
Instances
Amazon
Linux EC2
Instances
Amazon
EC2
AD FS
Server
Azure AD
Connect
Server
Federate
ADSync
AD FS
On-Premises
Microsoft Active
Directory
On-Premises User
Credentials
Corporate Data
CenterVPN
Direct
Connect
or
AD FS
Server
Azure AD
Connect
Server

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1. Create AWS Microsoft AD directory
2. Join EC2 Windows server to AWS Microsoft AD
domain (admin instance)
3. Install AD Administration tools on EC2*
4. Join EC2 Windows server to AWS Microsoft AD
domain (AD FS instance)*
5. Join EC2 Windows server to AWS Microsoft AD
domain (Azure AD Connect instance)*
6. Create AD FS service account in AWS Microsoft
AD using AD Users and Computers
7. Set up Office 365 account
8. Set up Azure AD domain
Set Up Environment (Prerequisites)
AWS Microsoft AD
AD
1
adfsserver
EC2
AD FS Server
(Windows Server 2016)
4
adsync
EC2
Azure AD
Connect
5
Install AD
Admin
Tools
3
management
2
EC2
AD Administration
Tools
ADFSSVC
6
Office 365
7
Azure
AD
8
*Can be the same instance

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Prerequisites You Must Create
• Virtual Private Cloud (VPC)
• Two subnets in different AZs
• Optional on-premises link
• Virtual Private Network (VPN)
• Amazon Direct Connect
Availability Zone
10.0.2.0/24
Availability Zone
10.0.3.0/24
Optional
VPN
Direct
Connect
OrOr
On-premises
Data Center
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• One AWS
Security Group
During Creation AWS Creates
• 2 DCs with
Dynamic DNS
• Elastic Network
Interface in your
subnets
Availability Zone
10.0.2.0/24
Availability Zone
10.0.3.0/24
Optional
VPN
Direct
Connect
OrOr
On-premises
Data Center
AWS Managed
Microsoft AD
DC
AWS Managed
Microsoft AD
DC
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• Key-pair (PEM) file
• EC2 Windows
(Install AD Administration Tools)
Best Practice After Creation You Create
• DHCP Option Sets
• AWS Security Group
• IAM Role/Policy for EC2
(AmazonEC2RoleforSSM)
Availability Zone
10.0.2.0/24
Availability Zone
10.0.3.0/24
Optional
VPN
Direct
Connect
OrOr
On-premises
Data Center
AWS Managed
Microsoft AD
DC
AWS Managed
Microsoft AD
DC
DHCP
Option
Set
AD Admin
Tools
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS/Customer Permissions Model
88-856-43-585 88-856-43-585
Domain
“administrator”
OU
“admin”
Customer
AWS is domain
administrator
AWS creates OU
for customer &
delegates “admin”
permissions

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1. Create the AD FS required container in AWS
Microsoft AD
Enable Office 365
Office 365
EC2
Azure AD
Connect
EC2
AWS Microsoft AD
AD
Azure
AD
1
AD FS
Container
EC2
AD Administration
Tools
awsexample.com
management adfsserver adsync
AD FS Server
(Windows Server 2016)

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Create the AD FS Container
Generate and save a global unique identifier (GUID) to use
AD Admin
Tools
10.0.2.0/24
AWS Managed
Microsoft AD
DC
Username: <yourdomain>admin

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Create the AD FS Container (continued)
Create a parent container named ADFS and a child container with the name of your GUID

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Verify Your Containers

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1. Create the AD FS required container in AWS
Microsoft AD
2. Install AD FS on EC2 Windows Server 2016
(Requires AD FS 2016)
Enable Office 365
Office 365
EC2
Azure AD
Connect
EC2
AWS Microsoft AD
AD1
Azure
AD
2
Install
AD FS
AD FS
Container
EC2
AD Administration
Tools
awsexample.com
management adfsserver adsync
AD FS Server
(Windows Server 2016)

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Add the AD FS Feature
AD FS
Server
10.0.2.0/24
AWS Managed
Microsoft AD
DC
Username: <yourdomain>admin

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Install SSL Certificate
Use Microsoft Enterprise Certificate Authority
https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/
Import using Microsoft Management Console (MMC)

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Add Certificate MMC

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Import Certificate for AD FS

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Get the Cert Thumbprint

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Set $adminConfig
AD FS
Server
10.0.2.0/24
AWS Managed
Microsoft AD
DC
GUID of AD FS Container

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Get ADFSSVC User Creds

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Get Your OU Admin Creds

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Install AD FS Server

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Publish DNS A Record
Obtain your AD FS EC2 instance public IP address (AWS EC2 dashboard)
Log in to your DNS hosting provider to add the record
Hostname: sts.awsexample.com
Record Type: A
IP Address: 34.215.72.57

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Install AD FS: Enable AD FS Sign-in Page

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
adsync
1. Create the AD FS required container in AWS
Microsoft AD
2. Install AD FS on EC2 Windows Server 2016
(Requires AD FS 2016)
3. Connect Office 365 to authenticate to AD FS
Enable Office 365
Office 365
EC2
Azure AD
Connect
EC2
AWS Microsoft AD
AD1
2
Azure
AD
Install
AD FS
AD FS
Container
3
EC2
AD Administration
Tools
awsexample.com
management adfsserver
AD FS Server
(Windows Server 2016)

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Integrate AD FS with Azure AD
From your AD FS instance, as admin, connect to Azure AD using Windows PowerShell
https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Integrate AD FS with Azure AD ( c o n t i n u e d )
Set context to the AD FS server using the internal FQDN
Set-MsolADFSContext -computer adfsserver.awsexample.com
Convert Azure AD to use adfsserver for federated authentication to your AD domain
Convert-MsolDomainToFederated –domain awsexample.com

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
adsync
1. Create the AD FS required container in AWS
Microsoft AD
2. Install AD FS on EC2 Windows Server 2016
(Requires AD FS 2016)
3. Connect Office 365 to authenticate to AD FS
4. Install Azure AD Connect on EC2 Windows and
configure to synchronize usernames only to Azure
AD
Enable Office 365
Office 365
EC2
Azure AD
Connect
EC2
AWS Microsoft AD
AD1
2
Azure
AD
Install
Azure AD
Connect
Install
AD FS
AD FS
Container
3 4
EC2
AD Administration
Tools
awsexample.com
management adfsserver
AD FS Server
(Windows Server 2016)

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Azure AD
Connect
10.0.2.0/24
AWS Managed
Microsoft AD
DC
Synchronize Users to Azure AD
Download Azure AD Connect MSI and install with Custom settings
On the Connect Directories page choose
Active Directory as the directory type, choose
your Microsoft AD Forest as your Forest
Enter your AWS Microsoft AD admin credentials

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Select User Container to Synchronize

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
adsync
1. Create the AD FS required container in AWS
Microsoft AD
2. Install AD FS on EC2 Windows Server 2016
(Requires AD FS 2016)
3. Connect Office 365 to authenticate to AD FS
4. Install Azure AD Connect on EC2 Windows and
configure to synchronize usernames only to Azure
AD
5. Log in to Office 365 with AWS Microsoft AD user
credentials
Enable Office 365
Office 365
EC2
Azure AD
Connect
EC2
AWS Microsoft AD
AD1
2
4
Azure
AD
Install
Azure AD
Connect
Install
AD FS
AD FS
Container
3
5
EC2
AD Administration
Tools
awsexample.com
management adfsserver
AD FS Server
(Windows Server 2016)

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Assign Office 365 License and Log In
https://portal.office.com/adminportal/home#/homepage
Use global administrator account
https://portal.office.com
Use AD credentials for a licensed user

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
References
Documentation and Blog Posts
• How to Enable Your Users to Access Office 365 with DS for Microsoft Active Directory Credentials
https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-
microsoft-active-directory-credentials/
• How to set up AWS Microsoft AD and join an EC2 instance for administration
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html/
• How to Enable LDAPS for Your Microsoft AD Directory
(setting up Microsoft enterprise Certificate Authority)
https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/
• AWS Directory Service
https://aws.amazon.com/directoryservice/
• AWS Directory Service Documentation
https://aws.amazon.com/documentation/directory-service/

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!