Handling identities in a hybrid cloud is rarely easy. Configuring ADFS with Office 365 and Azure should not be difficult in itself, and using the cloud is not rocket science. Things can get very complicated, however, depending on the server infrastructure a company already has in place when it decides to move to the cloud.
A very common scenario is a resource forest and an account forest in the same organization. Typically the resource forest hosts services such as Exchange or SharePoint, while the account forest holds the user accounts that people log in with. Many larger organizations adopted this layout years ago, and now they want to move some workloads to the cloud. The big question for identity folks is how directory synchronization and identity federation should be implemented in a resource/account forest scenario.
The problem is that users in the account forest don't have the service-specific AD attributes populated (the Exchange attributes, for instance), while in the resource forest we have linked mailboxes attached to disabled user accounts whose msExchMasterAccountSid points back at the real user in the account forest. The picture below illustrates the layout:
Assuming the two-way transitive trust between the resource forest and the account forest is already in place (it is a prerequisite for this kind of deployment), configuring ADFS should not cause any problem from the authentication perspective. We could run DirSync or Azure AD Sync in the account forest and configure ADFS in either the resource forest or the account forest. The only requirement is that the ADFS service account can authenticate and look up users that reside in the other forest, which means the trust must be healthy, the users' UPN suffix must be routed over it, and the service account must be able to read the user objects across it.
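The following PowerShell script is an added example, not code from the original post, that checks those prerequisites from the resource forest side before ADFS is installed there. The forest names (res.corp, acct.corp), the federated UPN suffix (contoso.com) and the test user (jdoe) are assumptions; run it in a session started as the ADFS service account so that the cross-forest lookup is done with exactly the identity ADFS will use.

```powershell
# Added example, not code from the original post. Checks the prerequisites for ADFS in the
# resource forest authenticating users that live in the account forest. Assumed names:
# resource forest "res.corp", account forest "acct.corp", federated UPN suffix "contoso.com",
# test user "jdoe". Run it as the ADFS service account (e.g. via runas) so that step 4 uses
# the same identity ADFS will use for its cross-forest lookups.
Import-Module ActiveDirectory

$resourceForest  = 'res.corp'
$accountForest   = 'acct.corp'
$federatedSuffix = 'contoso.com'
$testUser        = 'jdoe'

function Test-CrossForestAdfsPrereqs {
    $problems = @()

    # 1. The trust must be a two-way forest trust as seen from the resource forest.
    $trust = Get-ADTrust -Server $resourceForest -Filter "Name -eq '$accountForest'"
    if (-not $trust) {
        return @("No trust to $accountForest is defined in $resourceForest")
    }
    if ($trust.Direction -ne 'BiDirectional') { $problems += "Trust direction is $($trust.Direction), expected BiDirectional" }
    if (-not $trust.ForestTransitive)          { $problems += 'Trust is not forest-transitive' }

    # 2. The secure channel over the trust must be healthy, otherwise logons fail.
    $null = nltest /sc_verify:$accountForest
    if ($LASTEXITCODE -ne 0) { $problems += "nltest /sc_verify:$accountForest failed" }

    # 3. The federated UPN suffix must be routed across the trust so Kerberos can locate the
    #    account forest for user@contoso.com. netdom lists the routed name suffixes; this is a
    #    presence check only, so also eyeball the routing status it prints.
    $suffixes = netdom trust $resourceForest /domain:$accountForest /NameSuffixes:$accountForest
    if (-not ($suffixes -match [regex]::Escape($federatedSuffix))) {
        $problems += "UPN suffix $federatedSuffix is not routed over the trust to $accountForest"
    }

    # 4. The identity this runs under must be able to read the user object across the trust;
    #    ADFS reads the attributes it issues as claims (UPN, objectGUID for ImmutableID) this way.
    try {
        $u = Get-ADUser -Identity $testUser -Server $accountForest -Properties userPrincipalName, objectGUID
        if (-not $u.Enabled) { $problems += "$testUser is disabled in $accountForest" }
        if ($u.UserPrincipalName -notlike "*@$federatedSuffix") {
            $problems += "$testUser has UPN $($u.UserPrincipalName), not in federated suffix $federatedSuffix"
        }
    } catch {
        $problems += "Cannot read $testUser in $accountForest as $env:USERDOMAIN\$env:USERNAME : $($_.Exception.Message)"
    }

    return $problems
}

$result = @(Test-CrossForestAdfsPrereqs)
if ($result.Count -eq 0) { 'All cross-forest ADFS prerequisites look good' } else { $result }
```

If step 4 fails only when run as the service account but succeeds as a domain admin, the problem is permissions on the account-forest user objects, not the trust itself.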
However, if we want to run an Exchange hybrid in such a scenario, things get more difficult. Regarding the synchronization: if we run it against the resource forest, all synced users will be disabled accounts and won't be able to log in to Office 365. If we run the synchronization against the account forest, the user accounts will have no Exchange attributes to synchronize. If we run Azure AD Sync against both forests, we will most probably get object-mismatch errors in the synchronization engine, because the two objects that represent the same person are not joined (newer Azure AD Connect builds can join them on ObjectSID and msExchMasterAccountSid, but that still requires the rest of this plan).
An acceptable plan in this scenario is to extend the AD schema of the account forest with the Exchange attributes, run directory synchronization against the account forest, and set up ADFS in the resource forest. The trick is that when we run the directory synchronization wizard we have to select the option for an Exchange hybrid deployment. This allows certain Exchange attributes needed for hybrid functionality to be written back from Exchange Online into the corresponding on-premises AD attributes, so the synchronization service account needs write permission on those attributes in the account forest. If DNS, firewalls and proxies are configured correctly, basic Exchange hybrid functionality will work smoothly. The hybrid CAS should, obviously, also be placed in the resource forest.
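Before pointing directory synchronization at the account forest, it is worth verifying that the schema extension has actually landed and that every linked mailbox in the resource forest has a matching, enabled account-forest user carrying the Exchange attributes the hybrid depends on. The script below is an added example, not code from the original post; the forest names (res.corp, acct.corp), the output file name and the attribute list are assumptions, and it needs read access to both forests across the trust.

```powershell
# Added example, not code from the original post. Assumed forest names: resource forest
# "res.corp" (Exchange, linked mailboxes on disabled users) and account forest "acct.corp"
# (enabled logon accounts). The attribute list and the CSV path are assumptions too.
Import-Module ActiveDirectory

$resourceForest = 'res.corp'
$accountForest  = 'acct.corp'

# Exchange attributes that synchronization and the hybrid need to see on the account-forest user.
$hybridAttrs = @('mail', 'proxyAddresses', 'legacyExchangeDN', 'msExchMailboxGuid', 'targetAddress')

# These attributes only exist in the account forest once its schema has been extended.
$schemaNC = (Get-ADRootDSE -Server $accountForest).schemaNamingContext
if (-not (Get-ADObject -Server $accountForest -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msExchMailboxGuid)')) {
    throw "The schema of $accountForest has not been extended with the Exchange attributes"
}

# Normalize a single- or multi-valued attribute into a comparable string. msExchMailboxGuid is
# stored as an octet string, so it is rendered as a GUID; proxyAddresses keeps its SMTP:/smtp: case.
function Normalize($v) {
    if ($null -eq $v) { return '' }
    if ($v -is [byte[]]) { return [guid]::new([byte[]]$v).ToString() }
    return (@($v) | ForEach-Object { "$_" } | Sort-Object) -join ';'
}

# Linked mailboxes: disabled resource-forest users (userAccountControl bit 2 = ACCOUNTDISABLE)
# whose msExchMasterAccountSid points at the real account in the account forest.
$linkedFilter = '(&(objectCategory=person)(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$linked = Get-ADUser -Server $resourceForest -LDAPFilter $linkedFilter -Properties (@('msExchMasterAccountSid') + $hybridAttrs)

$report = foreach ($mbx in $linked) {
    $raw = $mbx.msExchMasterAccountSid
    $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { $raw }

    # Shared and resource mailboxes carry SELF (S-1-5-10) here; they are not linked to a person.
    if ($sid.Value -eq 'S-1-5-10') { continue }

    $acct = $null
    try {
        $acct = Get-ADUser -Identity $sid.Value -Server $accountForest -Properties $hybridAttrs
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # orphaned linked mailbox: the master account no longer exists
    }

    $missing = @(); $different = @()
    if ($acct) {
        foreach ($a in $hybridAttrs) {
            $src = Normalize $mbx.$a
            $dst = Normalize $acct.$a
            if ($src -ne '' -and $dst -eq '')  { $missing += $a }
            elseif ($src -ne $dst)             { $different += $a }
        }
    }

    [pscustomobject]@{
        Mailbox        = $mbx.SamAccountName
        MasterSid      = $sid.Value
        AccountUser    = if ($acct) { $acct.UserPrincipalName } else { '<not found>' }
        AccountEnabled = if ($acct) { $acct.Enabled } else { $false }
        Missing        = $missing -join ','
        Different      = $different -join ','
        ReadyForSync   = [bool]$acct -and $acct.Enabled -and $missing.Count -eq 0 -and $different.Count -eq 0
    }
}

# Anything not ready either never reaches Azure AD or shows up there without its mailbox
# attributes, so fix these entries before enabling synchronization.
$report | Where-Object { -not $_.ReadyForSync } | Format-Table -AutoSize
$report | Export-Csv -Path .\linked-mailbox-sync-readiness.csv -NoTypeInformation
```

The comparison is deliberately strict (proxyAddresses must match exactly, including the primary SMTP: entry), so review the Different column rather than blindly copying attributes from one forest to the other.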
Even in these circumstances we will have limitations when the mailbox is on premises and the archive is in Exchange Online. When we try to connect Outlook and access the online archive we will most probably get an "access denied" error, and the Outlook ETL traces will confirm it.
If we really want to benefit from all Exchange hybrid features, including on-premises mailboxes with online archives, the recommended way is to consolidate the resource forest and the account forest into a single forest. This is a very painful process, since we would have to migrate the AD data with tools like ADMT and also migrate the Exchange infrastructure. The end result, on the other hand, is rewarding, because we get all Exchange hybrid features, including online archiving. Once the two forests are consolidated, we run DirSync against the new forest, set up ADFS in the new forest, and place the Exchange hybrid CAS there as well.
As I said, things aren't easy in resource/account forest environments when we want to move to the cloud, but if we have a clear idea of what will work and which limitations we will face, we can plan accordingly.
I am open to any questions or other ideas.
Dan Patrascu-Baba, 20/10/2017