Microsoft Dynamics CRM Online is part of the Microsoft Office 365 product suite, so when we provision a Dynamics CRM Online environment we automatically get an Azure AD tenant that holds all of the CRM Online users. We log in to the O365 Admin Portal (https://portal.office.com) to manage the CRM users. Dynamics CRM Online users can only be added and de-activated from the O365 Admin Portal, not from within the Dynamics CRM Online portal itself.
Azure Active Directory (Azure AD)
Azure Active Directory (Azure AD) is the directory behind Office 365 that stores user identities. Any user who wants to access an O365 resource must authenticate to Azure AD, and Dynamics CRM Online users are no exception. For this purpose, users receive Azure AD credentials that are separate from their corporate credentials; this is known as a “Cloud Identity”.
But every organisation wants to offer its users a seamless experience when accessing cloud services, and separate sets of credentials for on-premises and cloud applications undoubtedly hurt that experience. So the very first question that arises is: how do we give users a seamless experience when accessing Dynamics CRM Online?
There are two ways to achieve this –
Copy the on-premises user IDs to the cloud in the form of cloud identities. This emulates a seamless scenario in which users sign in to Dynamics CRM Online with the same user name as their corporate user name (and, with password synchronization, the same password); however, the identity provider is still Azure AD, which validates the sign-in against the synchronized copy. This model is called the Synchronized Identity or Same Sign-On model.
The other alternative is to let users sign in with their corporate credentials: Azure AD redirects the authentication to an on-premises federation service (such as AD FS) and trusts the token it issues, so the corporate directory remains the identity provider. The user objects still exist in Azure AD as synchronized copies (with a limited subset of attributes) of the associated on-premises identities, but the password never leaves the corporate network. This model is known as the Federated Identity or Single Sign-On model.
How to achieve Synchronized Identity
Azure AD comes in three editions: Free, Basic and Premium, and the Free edition is what Office 365 includes. So when we buy Dynamics CRM Online, we already have an Azure AD tenant at no extra cost. We can use the Directory Synchronization (DirSync) tool, which is built on the Microsoft Forefront Identity Manager (FIM) synchronization engine, to synchronize the user IDs from the corporate AD to Azure AD.
When to use Synchronized Identity model
The Synchronized Identity model is very easy to configure. Password synchronization is available in this model, which makes it very useful for the many customers who have an on-premises directory to synchronize with and want their users to have the same password on-premises and in the cloud. Unless one needs a specific advanced feature offered by the Federated Identity model (for example, authenticating against the corporate directory so that no password-derived material is stored in the cloud), Synchronized Identity is a good option to implement.
What tools are used for Synchronized Identity
Directory Synchronization (DirSync)
DirSync can synchronize only a single-forest environment. An Active Directory multi-forest environment cannot be synchronized using DirSync.
Azure Active Directory Connect (Azure AD Connect)
For multi-forest synchronization, Microsoft released a tool in September 2014 called Azure Active Directory Synchronization Services (Azure AD Sync). More recently it has released the Azure Active Directory Connect (Azure AD Connect) tool, a single unified wizard that streamlines and automates the overall onboarding process: directory synchronization with on-premises AD in both single-forest and multi-forest environments (including password hash synchronization, the “hash of hash” described below) and, if you want it, single sign-on.
Synchronized Identity Model Decision Matrix
The following decision matrix is suggested to summarize the considerations regarding DirSync and Azure AD Sync/Connect for the Synchronized Identity model.
General queries regarding Synchronized Identity model using DirSync
Credential synchronization to a public cloud is not permitted by our security policy!
Don’t worry: passwords themselves are never synchronized, and the password hash is double hashed (a hash of the hash) before it is stored in the cloud. The password hash held in the on-premises Active Directory database (the MD4-based NT hash) is not replicated as-is to Azure AD. The synchronization engine instead salts and re-hashes it with SHA256 before transmitting it over an encrypted channel to Azure AD, where it is encrypted again before being stored in the cloud database. As a result, even if the SHA256 hash of the original hash were stolen, it could not be replayed to authenticate to the on-premises network, because NTLM and pass-the-hash attacks need the original NT hash. Two caveats a security review will still raise: the stored value remains a deterministic function of the user’s password, so a stolen copy can be attacked offline with password guessing (strong passwords, not the double hashing, are what defeat that), and the on-premises account used for password hash synchronization must be granted directory replication rights to read the hashes in the first place, so the DirSync server must be hardened and monitored like a domain controller.
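The following script is an added example (not part of the original post, and not Microsoft’s code) that makes the “hash of hash” argument concrete. It computes the NT hash that Active Directory stores (MD4 over the UTF-16LE password, implemented in pure Python because hashlib’s MD4 is often disabled), then derives a cloud-side value from it. The derivation is an assumption: it is modelled on Microsoft’s later published description for Azure AD Connect (hash expanded to 64 bytes via its UTF-16LE hex string, a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1000 iterations); the exact byte layout DirSync used is not given on this page. The salt and the password are constructed for the example. The point it demonstrates is both halves of the claim above: the cloud value is useless for NTLM against the on-premises domain, yet it can still be guessed offline when the password is weak.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's 'md4' is frequently unavailable under OpenSSL 3."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                            # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                            # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                            # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF, (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """What Active Directory stores and what NTLM / pass-the-hash consume: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def cloud_hash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Model of the hash-of-hash sent to Azure AD.
    Assumption: modelled on Microsoft's published Azure AD Connect description, not DirSync's
    actual wire format (hex-expand to 64 bytes, per-user salt, PBKDF2-HMAC-SHA256 x1000)."""
    expanded = nt.hex().encode("utf-16-le")            # 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def verify_cloud(password: str, salt: bytes, stored: bytes) -> bool:
    """How the cloud side can check a sign-in: recompute from the submitted password and compare."""
    return hmac.compare_digest(cloud_hash(nt_hash(password), salt), stored)


def offline_guess(stored: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Caveat: an attacker holding the stored value and salt can still test guesses offline."""
    for guess in wordlist:
        if hmac.compare_digest(cloud_hash(nt_hash(guess), salt), stored):
            return guess
    return None


# Constructed for the example: a weak password and a fixed 10-byte salt
# (a real agent draws a random salt per user).
SALT = bytes.fromhex("0102030405060708090a")
WORDLIST = ["letmein", "Summer2014", "password"]

if __name__ == "__main__":
    nt = nt_hash("password")
    stored = cloud_hash(nt, SALT)
    print("NT hash (usable for pass-the-hash on-prem):", nt.hex())
    print("value stored in the cloud (different):     ", stored.hex())
    print("sign-in with correct password:", verify_cloud("password", SALT, stored))
    print("offline guess from wordlist:  ", offline_guess(stored, SALT, WORDLIST))
```

The value that leaves the network is a one-way function of the NT hash, so a leak of the cloud store does not hand out anything a domain controller would accept; but because the function is deterministic, the usual password-quality and lockout controls still matter on both sides.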
What about high availability, especially when DirSync can run on only one server?
While DirSync can run on only one server, that isn’t a strong reason to worry about high availability: if the DirSync server is offline, users can still log in to Dynamics CRM Online, because Azure AD does not need an active connection to the DirSync server to authenticate them. What stops is the flow of changes, so a password change or an account disable made on-premises will not reach the cloud until synchronization is restored; plan the restore time with that in mind. Moreover, the SQL Server database that DirSync uses can be backed up so that a replacement server can be restored quickly.
How do I achieve local AD remediation before cloud synchronization?
For cloud synchronization, DirSync has certain requirements on the attributes of objects in the on-premises Active Directory (for example, routable and unique user principal names, valid characters in mail addresses, and no duplicate proxy addresses). Aligning the attribute values with the DirSync requirements is commonly known as Active Directory remediation, which can be done with the help of the IdFix tool.
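To show what “remediation” means in practice, here is an added example (not part of the original post and not the IdFix tool itself) that runs the most common pre-sync checks over a small, constructed set of user records shaped like the output of Get-ADUser. The verified-domain list, the allowed UPN prefix characters and the length limits are assumptions modelled on the Office 365 directory synchronization attribute rules, so adjust them to your tenant; the structure (per-object checks plus tenant-wide duplicate detection across mail and SMTP proxy addresses) is what a remediation script needs regardless.

```python
import re
from collections import defaultdict

# Constructed for this example: domains verified in the Office 365 tenant.
# A UPN suffix outside this set (e.g. contoso.local) is not routable and must be fixed before sync.
VERIFIED_DOMAINS = {"contoso.com"}

# Assumptions modelled on the directory-sync attribute rules: allowed UPN prefix characters
# and maximum attribute lengths.
UPN_PREFIX_RE = re.compile(r"^[A-Za-z0-9._!#^~-]+$")
LIMITS = {"userPrincipalName": 113, "displayName": 256, "mailNickname": 64, "proxyAddress": 256}

# Constructed sample directory with one clean user and three typical problems.
USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@contoso.com", "displayName": "Jane Doe",
     "mailNickname": "jdoe", "mail": "jdoe@contoso.com", "proxyAddresses": ["SMTP:jdoe@contoso.com"]},
    {"sAMAccountName": "bsmith", "userPrincipalName": "bsmith@contoso.local", "displayName": "Bob Smith",
     "mailNickname": "bsmith", "mail": "bsmith@contoso.com",
     "proxyAddresses": ["SMTP:bsmith@contoso.com", "smtp:bob.smith@contoso.com"]},
    {"sAMAccountName": "tlee", "userPrincipalName": "t lee@contoso.com", "displayName": "Tom Lee",
     "mailNickname": "tlee", "mail": "jdoe@contoso.com",
     "proxyAddresses": ["SMTP:tlee@contoso.com", "SMTP:jdoe@contoso.com"]},
    {"sAMAccountName": "svc_old", "userPrincipalName": "", "displayName": "Old Service",
     "mailNickname": "", "mail": "", "proxyAddresses": ["not-an-address"]},
]


def check_user(user):
    """Per-object checks. Returns a list of (sAMAccountName, attribute, problem) tuples."""
    sam = user["sAMAccountName"]
    issues = []
    upn = user.get("userPrincipalName", "")
    if not upn:
        issues.append((sam, "userPrincipalName", "blank"))
    elif upn.count("@") != 1:
        issues.append((sam, "userPrincipalName", "must contain exactly one @"))
    else:
        prefix, suffix = upn.split("@")
        if not UPN_PREFIX_RE.match(prefix) or prefix.startswith(".") or prefix.endswith("."):
            issues.append((sam, "userPrincipalName", "invalid character in prefix"))
        if suffix.lower() not in VERIFIED_DOMAINS:
            issues.append((sam, "userPrincipalName", f"suffix {suffix} not a verified domain"))
        if len(upn) > LIMITS["userPrincipalName"]:
            issues.append((sam, "userPrincipalName", "too long"))
    for attr in ("displayName", "mailNickname"):
        if len(user.get(attr, "")) > LIMITS[attr]:
            issues.append((sam, attr, "too long"))
    for addr in user.get("proxyAddresses", []):
        # Each entry must look like "type:address", e.g. "SMTP:user@contoso.com".
        if ":" not in addr or "@" not in addr.split(":", 1)[1]:
            issues.append((sam, "proxyAddresses", f"malformed entry {addr!r}"))
        elif len(addr) > LIMITS["proxyAddress"]:
            issues.append((sam, "proxyAddresses", f"entry too long {addr!r}"))
    return issues


def find_duplicates(users):
    """Cross-object checks: UPNs must be unique, and mail plus SMTP proxy addresses share one
    namespace that must be unique tenant-wide. Returns [(attribute, value, [sAMAccountNames])]."""
    seen = defaultdict(set)
    for u in users:
        sam = u["sAMAccountName"]
        if u.get("userPrincipalName"):
            seen[("userPrincipalName", u["userPrincipalName"].lower())].add(sam)
        if u.get("mail"):
            seen[("smtpAddress", u["mail"].lower())].add(sam)
        for addr in u.get("proxyAddresses", []):
            kind, _, value = addr.partition(":")
            if kind.lower() == "smtp" and value:
                seen[("smtpAddress", value.lower())].add(sam)
    return [(attr, value, sorted(sams)) for (attr, value), sams in seen.items() if len(sams) > 1]


def remediation_report(users):
    """Everything that must be fixed on-premises before the first synchronization run."""
    issues = [issue for u in users for issue in check_user(u)]
    return issues, find_duplicates(users)


if __name__ == "__main__":
    issues, dups = remediation_report(USERS)
    for sam, attr, problem in issues:
        print(f"{sam:10} {attr:20} {problem}")
    for attr, value, sams in dups:
        print(f"DUPLICATE  {attr:20} {value} used by {', '.join(sams)}")
```

Run against a real export, the duplicate list is the one to fix first: a clashing SMTP address makes the sync engine reject both objects, so the affected users never reach Azure AD at all.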
Synchronized Identity is still a very useful choice for customers who want a simple solution for a same-sign-on scenario, and DirSync is a widely used tool for this purpose. However, with the introduction of Azure AD Connect, Microsoft is trying to simplify the synchronization process, and I believe Azure AD Connect will be the most popular tool soon. We will discuss the Azure AD Connect tool in detail in the next blog post.