Building ADFS Infrastructure On Azure

This document provides guidance on building an Active Directory Federation Services (ADFS) infrastructure on Microsoft Azure. It discusses design options for an ADFS setup, including having 2 ADFS servers, 2 web application proxy servers, 2 domain controllers, and 1 Azure Active Directory Connect server. It also covers planning considerations for ADFS, Azure subscriptions, naming standards, deployment tools like Azure Resource Manager templates and PowerShell, load balancers, security, additional virtual machine configuration, and the overall deployment process.

Building ADFS Infrastructure on Azure

Kaido Järvemets
http://blog.coretech.dk/author/kaj/
Coretech A/S, Senior Consultant
Kaidja
MVP
10 years experience
Family, traveling, ConfigMgr, PowerShell

Trevor Sullivan
Art of Shell, Founder
https://artofshell.com
trevor@artofshell.com
pcgeek86
MVP, Docker Captain
12 years experience
Beer, motorcycles, nature, guns, code


Session Focus

This session focuses on the Azure IaaS components that are related to ADFS.

It is focused on the Azure Resource Manager (ARM) API, not the classic Service Management interface.

Session Focus
• Deployment methodology
• Deployment tools
Azure Legacy
A quick note …
Avoid Service Management
The Azure Service Management API is outdated, less flexible, and not as well supported.
Microsoft is investing heavily into the Azure Resource Manager (ARM) API and Portal.
Azure Information - two portals
Old Management Portal / New Management Portal (Ibiza)
Azure Portal Features
Resource Search
Custom Dashboards
Resource Groups (securable management containers)
Design Options
Design Options - 1
Design Options - 2
ADFS Setup
• 2 x ADFS Servers
• 2 x WAP Servers
• 2 x Domain Controllers
  • At least 2
• 1 x Azure AD Connect
  • Directory Synchronization
Planning for ADFS

http://bit.ly/CTADFSDesign
Subscriptions
Your account for Microsoft Azure
Azure Subscriptions
• Pay-as-you-go
• Prepaid subscriptions
• Buy from a Microsoft Reseller
• Azure Enterprise Agreement
Azure Enterprise Agreement
• Azure Enterprise Agreement
  • Address - https://ea.azure.com
• Requires planning
• Free 1 hour onboarding call
  • http://aka.ms/AzureEntSupport
ARM Architecture

Azure Subscription
  Resource Group (Network)
  Resource Group (Windows)
  Resource Group (Linux)
Demo
Azure Enterprise Agreement
Portal
Demo
Azure Portal
Resources
Infrastructure resources in Azure
Resources
• Azure Subscriptions
• Naming Standards
• Azure cmdlets or ARM templates
• VPN
• Load Balancers
• Security
• Domain Controllers
Naming Standards
Naming Standards
• Make sure that you have a good naming standard before building services on Azure
  • Resource Groups
  • Resources
  • Virtual Networks
  • Network Interfaces
  • Virtual Machines
  • Public IP addresses
• Add tags to every resource, if possible
  • Billing, Test, Production, Department
Naming Standards
Demo
Naming Standards
Deployment
How should I deploy to Azure?
Declarative Provisioning
ARM Templates – Deploy many resources at once
• Deploy with Portal (“Deploy to Azure” button)
• Deploy with PowerShell
• Deploy with xPlat CLI
• Deploy with ARM REST API
Imperative Provisioning
Deploy one resource at a time
• Deploy with Portal
• Deploy with ARM PowerShell
• Deploy with xPlat CLI
• Deploy with ARM REST API
Which technique should I use?

Declarative and imperative provisioning will both cost development time.

Declarative provisioning provides a modular approach to resource management.
Azure cmdlets or ARM templates
• Do not build services manually on Azure
  • Waste of time and money
  • Dev, Test and Production
  • Automatic provisioning and de-provisioning
• Azure PowerShell Module
  • Much easier
• Azure Resource Manager Templates
  • Visual Studio with Azure SDK
  • Requires more knowledge
Demo
Azure PowerShell Module and
ARM Templates
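The following is an added example, not from the deck, showing how the naming standard, resource tags and a validated ARM template deployment fit together in Azure PowerShell. It uses the current Az module; the session predates it and would have used the AzureRM cmdlets of the time. The naming pattern, tag values, template file names and region are assumptions.

```powershell
# Added example (not from the deck): naming standard, tags and a validated ARM template
# deployment using the Az PowerShell module. Naming pattern, tag values, template paths
# and region are assumptions.

# Naming standard: <env>-<workload>-<role>-<type>, e.g. prd-adfs-core-rg
$Environment = 'prd'
$Workload    = 'adfs'
$Location    = 'westeurope'

function New-StandardName {
    param(
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][string]$Type
    )
    # Lower-case, hyphen-separated, no spaces: valid for RG, VNet, NIC, VM and PIP names
    return ('{0}-{1}-{2}-{3}' -f $Environment, $Workload, $Role, $Type).ToLower()
}

# Tags applied to every resource: billing, lifecycle and ownership (constructed sample values)
$Tags = @{
    Department  = 'IT'
    Environment = 'Production'
    CostCenter  = 'CC-1234'
    Workload    = 'ADFS'
}

$ResourceGroupName = New-StandardName -Role 'core' -Type 'rg'

# Connect-AzAccount   # interactive login, omitted here
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Tag $Tags -Force | Out-Null

# Declarative provisioning: validate the template before anything is created
$TemplateFile  = '.\adfs-infrastructure.json'             # assumed template path
$ParameterFile = '.\adfs-infrastructure.parameters.json'  # assumed parameter file

$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile -TemplateParameterFile $ParameterFile

if ($validation) {
    # Test-AzResourceGroupDeployment returns nothing on success and error objects on failure
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed; fix the template before deploying.'
}

# Incremental mode adds or updates what the template declares and leaves other resources alone
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -Name ('{0}-{1:yyyyMMdd-HHmm}' -f $Workload, (Get-Date)) `
    -TemplateFile $TemplateFile -TemplateParameterFile $ParameterFile `
    -Mode Incremental -Verbose

$deployment | Select-Object DeploymentName, ProvisioningState, Timestamp

# Confirm that every resource in the group carries tags (the template should set them too)
Get-AzResource -ResourceGroupName $ResourceGroupName |
    Where-Object { -not $_.Tags -or $_.Tags.Count -eq 0 } |
    ForEach-Object { Write-Warning "Untagged resource: $($_.Name)" }
```

Running the validation step first costs nothing and catches parameter and schema errors before the deployment consumes time and money; the tag check at the end is what makes the billing and department tags from the naming-standards slide enforceable rather than aspirational.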
Connectivity
VPN
• Two options to connect your datacenter with Microsoft Azure
  • Azure Site to Site
  • Express Route
• You can do both at the same time, if needed
Load Balancers
• Native Azure Load Balancer
• HA Proxy
  • Marketplace
• Kemp LoadMaster
  • Marketplace
ADFS Load Balancer Health Checks

http://bit.ly/CTADFSPROBE
Log analytics for Azure Load Balancer

http://bit.ly/CTAZURELOADSTAT
Demo
Building Load Balancers
KEMP
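As an added example that is not part of the deck, this builds the native Azure Load Balancer option in front of two ADFS servers with the Az module, using the HTTP health probe that ADFS exposes on port 80 at /adfs/probe. Resource names, subnet, private IP addresses and NIC names are assumptions.

```powershell
# Added example (not from the deck): internal Azure Load Balancer for two ADFS servers with the
# ADFS HTTP health probe. Names, subnet, IP addresses and NIC names are assumptions.
$ResourceGroupName = 'prd-adfs-core-rg'
$Location          = 'westeurope'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name 'prd-adfs-core-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'adfs-subnet'

# Frontend: a static private IP in the ADFS subnet; the federation service name resolves to it internally
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'adfs-frontend' `
    -PrivateIpAddress '10.0.1.10' -SubnetId $subnet.Id

$backendPool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'adfs-backend'

# ADFS answers unauthenticated probe requests on http://<server>/adfs/probe with HTTP 200 when
# the federation service is up. A TCP probe on 443 would only prove the port is open, and an
# HTTP probe on 443 fails because that port expects TLS, so the probe goes to port 80.
$probe = New-AzLoadBalancerProbeConfig -Name 'adfs-probe' -Protocol Http -Port 80 `
    -RequestPath '/adfs/probe' -IntervalInSeconds 5 -ProbeCount 2

# Pass 443 through as TCP: the load balancer never terminates TLS, so the ADFS service
# certificate and any client certificate authentication keep working end to end.
# SourceIP distribution keeps a client on the same node for the life of its session.
$rule443 = New-AzLoadBalancerRuleConfig -Name 'adfs-https' -Protocol Tcp `
    -FrontendPort 443 -BackendPort 443 `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backendPool -Probe $probe `
    -LoadDistribution SourceIP -IdleTimeoutInMinutes 30

$lb = New-AzLoadBalancer -ResourceGroupName $ResourceGroupName -Name 'prd-adfs-core-lb' `
    -Location $Location -Sku Standard `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backendPool `
    -Probe $probe -LoadBalancingRule $rule443

# Put each ADFS server NIC into the backend pool
foreach ($nicName in 'prd-adfs-01-nic', 'prd-adfs-02-nic') {
    $nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $nicName
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    $nic | Set-AzNetworkInterface | Out-Null
}

# Run from a machine inside the VNet: each node must answer the probe with HTTP 200.
# If a node fails here it will be taken out of rotation by the load balancer as well.
foreach ($ip in '10.0.1.11', '10.0.1.12') {
    try {
        $r = Invoke-WebRequest -Uri "http://$ip/adfs/probe" -UseBasicParsing -TimeoutSec 5
        "$ip -> HTTP $($r.StatusCode)"
    } catch {
        "$ip -> probe failed: $($_.Exception.Message)"
    }
}
```

The same probe configuration applies to a load balancer in front of the WAP servers, which expose the same /adfs/probe endpoint on port 80; the KEMP and HAProxy options from the slide use the same URL in their health check definitions.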
Security
Security
• RBAC & Policy
  • Who has access to what?
  • Administration model
• Network Security Groups
  • Per subnet
  • Per network interface
• Barracuda
  • Marketplace
Demo
Azure RBAC and Security
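The following added example (not from the deck) shows the per-subnet Network Security Group model from the slide for the WAP and ADFS subnets, plus a resource-group-scoped role assignment as one way to answer "who has access to what". It uses the Az module; subnet ranges, names, the jump host address and the Azure AD group object ID are assumptions or placeholders.

```powershell
# Added example (not from the deck): one NSG per subnet and a resource-group-scoped RBAC
# assignment with the Az module. Subnet ranges, names, jump host and group ID are assumptions.
$ResourceGroupName = 'prd-adfs-core-rg'
$Location          = 'westeurope'
$VnetName          = 'prd-adfs-core-vnet'
$WapSubnet         = '10.0.0.0/24'   # WAP servers, reachable from the internet
$AdfsSubnet        = '10.0.1.0/24'   # ADFS servers, internal only
$JumpHost          = '10.0.3.5/32'   # the one management host allowed to RDP

function New-SubnetNsg {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object[]]$Rules
    )
    New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location `
        -Name $Name -SecurityRules $Rules -Force
}

# Rules shared by both subnets. The load balancer probe on port 80 must be allowed explicitly:
# the explicit deny at priority 4000 is evaluated before the default AllowAzureLoadBalancerInBound
# rule at 65001 and would otherwise mark every node unhealthy. RDP is limited to the jump host.
$probeRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-LB-Probe' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix AzureLoadBalancer `
    -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 80
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-JumpHost' -Priority 120 `
    -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix $JumpHost `
    -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389
$denyRule = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Other-Inbound' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' -SourceAddressPrefix '*' `
    -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'

# WAP subnet: HTTPS from the internet, nothing else
$wapHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Internet' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix Internet `
    -SourcePortRange '*' -DestinationAddressPrefix $WapSubnet -DestinationPortRange 443
$wapNsg = New-SubnetNsg -Name 'prd-adfs-wap-nsg' -Rules @($wapHttps, $probeRule, $rdpRule, $denyRule)

# ADFS subnet: HTTPS only from inside the virtual network (the WAP servers and clients arriving
# over the VPN); the ADFS servers are never reachable from the internet directly
$adfsHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-VNet' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix VirtualNetwork `
    -SourcePortRange '*' -DestinationAddressPrefix $AdfsSubnet -DestinationPortRange 443
$adfsNsg = New-SubnetNsg -Name 'prd-adfs-adfs-nsg' -Rules @($adfsHttps, $probeRule, $rdpRule, $denyRule)

# Attach each NSG to its subnet (per-subnet model; per-NIC is the alternative the slide lists)
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'wap-subnet' `
    -AddressPrefix $WapSubnet -NetworkSecurityGroup $wapNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'adfs-subnet' `
    -AddressPrefix $AdfsSubnet -NetworkSecurityGroup $adfsNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# RBAC: scope the administration model to the resource group, not the subscription.
# The ADFS operations group gets Virtual Machine Contributor; nobody needs Owner day to day.
$AdfsOpsGroupObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder AAD group object ID
New-AzRoleAssignment -ObjectId $AdfsOpsGroupObjectId `
    -RoleDefinitionName 'Virtual Machine Contributor' -ResourceGroupName $ResourceGroupName

# Who has access to what? List every assignment visible at the resource group scope.
Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize
```

The explicit deny at priority 4000 is what turns the NSG from "allow everything in the virtual network" (the default rule set) into an allow-list; every later service you add to these subnets then needs a deliberate rule, which is the point of the administration model the slide asks you to define.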
Additional Configuration
• Do not deallocate Domain Controllers on Azure
  • Shutdown the DC inside the VM
• Add one additional data disk for database, logs and Sysvol
  • No disk caching
• Separate AD Site for Azure DCs
• Add VMs to Availability Set
Demo
Additional VM configuration
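As an added example that is not from the deck, this provisions the two domain controllers the design calls for with the Az module: both in one availability set, each with a separate data disk for the AD database, logs and SYSVOL with host caching set to None, followed by a check that reports any DC that drifts from those rules or has been deallocated. VM names, size, image, disk size and the NIC names are assumptions.

```powershell
# Added example (not from the deck): two DCs in an availability set, each with an uncached data
# disk for NTDS, logs and SYSVOL, plus a drift check. Names, size, image and NICs are assumptions.
$ResourceGroupName = 'prd-adfs-core-rg'
$Location          = 'westeurope'
$AdminCred         = Get-Credential -Message 'Local administrator for the new DCs'

# Availability set: two fault domains so one rack or power failure never takes both DCs down
$avSet = New-AzAvailabilitySet -ResourceGroupName $ResourceGroupName -Name 'prd-adfs-dc-avset' `
    -Location $Location -Sku Aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 5

foreach ($i in 1, 2) {
    $vmName = 'prd-adfs-dc-{0:d2}' -f $i
    $nic    = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name "$vmName-nic"

    $vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3' -AvailabilitySetId $avSet.Id
    $vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $AdminCred `
        -ProvisionVMAgent -EnableAutoUpdate
    $vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2016-Datacenter' -Version 'latest'
    $vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
    $vm = Set-AzVMOSDisk -VM $vm -Name "$vmName-os" -CreateOption FromImage -StorageAccountType Premium_LRS

    # Dedicated data disk for NTDS.dit, logs and SYSVOL. Caching None, because AD relies on its
    # writes reaching the disk when it flushes them; the OS disk (read/write cached) and the
    # temporary disk are not safe places for the database.
    $vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-ntds" -Lun 0 -Caching None -CreateOption Empty `
        -DiskSizeInGB 64 -StorageAccountType Premium_LRS

    New-AzVM -ResourceGroupName $ResourceGroupName -Location $Location -VM $vm | Out-Null
}

# Reports every DC in the group against the slide's rules: in an availability set, has a data
# disk, data disk caching off, and not deallocated. Stop-AzVM without -StayProvisioned (and the
# portal Stop button) deallocates; shut a DC down from inside the guest instead.
function Test-DcConfiguration {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName | Where-Object Name -like '*-dc-*') {
        $power = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status).Statuses |
            Where-Object Code -like 'PowerState/*' |
            Select-Object -ExpandProperty DisplayStatus

        [pscustomobject]@{
            VM                 = $vm.Name
            InAvailabilitySet  = [bool]$vm.AvailabilitySetReference
            HasDataDisk        = $vm.StorageProfile.DataDisks.Count -gt 0
            DataDiskCachingOff = -not ($vm.StorageProfile.DataDisks | Where-Object Caching -ne 'None')
            PowerState         = $power
            Deallocated        = $power -eq 'VM deallocated'
        }
    }
}

Test-DcConfiguration -ResourceGroupName $ResourceGroupName | Format-Table -AutoSize
```

Run Test-DcConfiguration on a schedule, or from the monitoring step of the process slide, so that a DC someone stopped from the portal or a disk whose caching was changed shows up as a row with a False or Deallocated value instead of as a replication problem later. The separate AD site for the Azure DCs is configured inside Active Directory, not in Azure, and is left out here.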
Process

Plan
  Plan naming conventions
  Resource Group Architecture
  RBAC rules
Build
  Create Resource Groups
  Build ARM Templates
Deploy
  Create Resource Groups
  Build ARM Templates
Monitor
  Configure Azure Alerts
  Set up Application Insights
Key takeaways
• Make sure that you have a good naming standard
• Define your administration model
• Automate, Automate, Automate
• Use Azure Enterprise Agreement
• Evaluate your options for Load Balancers
  • Azure native, KEMP, HAProxy
• Evaluate your options for Firewall rules
  • Azure native NSG or Barracuda
And Then …