All posts by Vijay Krishnan

High availability federated authentication for Office 365 in Azure? Drootoo can help.

From your current on-premise IT infrastructure, you have decided to take baby steps and move to the cloud for taking advantage of the various benefits it affords in terms of expenditure treatment, optimal use of resources, lesser cost of operations, operational flexibility and a lot more. Email management with Exchange or other mail servers and their integration with the existing active directory, productivity applications, messaging and other communication applications has always needed more resources than felt necessary. Many organizations have hence made the leap to the cloud with Office 365 or Google Suite. Hence, the question as to how such domain users can be enabled to access Office on the cloud.
                From a web application perspective, it needs the users to be authenticated in order to access their data. When it is an enterprise web application, integration with the in-house identity management solution is called for. In Windows environments, this is the Active Directory. In Office 365, “choosing if identity management is configured between your on-premises organization and Office 365 is an early decision that is one of the foundations of your cloud infrastructure”. Please note that once the choice is made, reverting to another choice takes a lot of work in this regard. The various options including the scenarios they are suitable for is documented at https://docs.microsoft.com/en-us/office365/enterprise/about-office-365-identity
                Unless this is a trial of Office 365 or where there is No Active Directory or where there is a Very Complex On-Premises Active Directory that one doesn’t want to work with, the choice for large enterprises is to integrate Office 365 by using federated authentication. For a more detailed decision tree, please review the document at https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

 

It is always a good practice to test the desired implementation, and see for yourself the effort involved, whether it works with your environment, and how it all comes together. https://docs.microsoft.com/en-us/office365/enterprise/federated-identity-for-your-office-365-dev-test-environment has the steps to create the required test environment, along with configuration for the participating servers and O365 portal settings. Once testing is completed successfully, deployment options can be considered based on the usage of O365 services. In organizations with heavy usage of productivity and communication applications, ensuring high availability for that is a given. https://docs.microsoft.com/en-us/office365/enterprise/deploy-high-availability-federated-authentication-for-office-365-in-azure has the steps to deploy a high availability federated authentication for Office 365 in Azure.

 

The steps involve virtual machines in a single cross-premises Azure virtual network (VNet). Further, highly available Cross-Premises and VNet-to-VNet connectivity needs to be established. Towards this, one would expect the VPN gateway to handle that, however this is to be noted – “Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections. The switch over will cause a brief interruption” – https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

 

For establishing a dual-redundancy: active-active VPN gateways for both Azure and on-premises networks, you create and setup the Azure VPN gateway in an active-active configuration, and create (at least) two local network gateways and two connections for your (at least) two on-premises VPN devices with the result being a full mesh connectivity of (at least) 4 IPsec tunnels between your Azure virtual network and your on-premises network. The same active-active configuration can also be applied to Azure VNet-to-VNet connections by creating active-active VPN gateways for both virtual networks, and connecting them together to form the same full mesh connectivity of (at least) 4 tunnels between the two VNets.

 

How Drootoo makes this a Snap!?

With Drootoo core services, Provision Cloud Resources is a single, simplified section from where the required cloud resources on Azure can be created for this purpose of integrating on-premises and O365 for user authentication and identity management. Compute options can be used to create the desired VM instances, among the regions exposed by the cloud provider. Our Network options enable creation of Virtual Network, Gateway and VPN connections required to complete the task.

One also wonders whether this collection of configured options can be made available in a cloud resource template like that of AWS CloudFormation. Our new innovation, Drootoo Blueprint, is a  provider agnostic way to provision a collection of resources on the cloud. In this case, a single Drootoo Blueprint can be created with the required resources by the Active Directory and Network experts in an organization. It can be reviewed by the technology management chain of command. Once satisfied with the desired configuration, the Drootoo Blueprint can be Launched to provision the collection of resources on a single/ multiple/ mix of cloud service providers. The Drootoo Blueprint is available for reuse, along with options for version control.

Our future vision is to enable solution providers, system integrators and other organizations to create, share and reuse Drootoo Blueprints, thereby enabling organizations with limited technical resources to simply select and deploy the required cloud resource solutions for their businesses.