

Can I use Office365 or Azure AD as master record for Active Directory?

We have a small business and currently don't have a need for a domain within our office. We have a basic network and a single server running Windows Server 2008 R2 with some file shares and 3rd party apps.

We use Office 365 and have a Windows Azure subscription. The two seem to be keeping the Active Directory for our organisation in sync pretty well. (i.e. The data looks the same on both systems)

All of the third party apps we run on our app server support LDAP as an identity provider but because we don't run a domain we are having to get each user to create a new login/password for these services.

Ideally we'd like to get this server to sync from Azure/Office 365 and allow users to then authenticate using their Office365 credentials.

All of the literature I have found talks about synchronising FROM on-premise to Azure but we'd like to rather sync FROM Azure/Office 365 to our on premise server. I guess our on-premise server becomes a federated identity provider for our Office 365 directory...

Is this possible or do we need some 3rd party LDAP provider that can federate identities from Azure or Office 365?
asked Apr 16, 2015 by Adrian Hope-Bailie  

@NathanC there's a difference between running a domain controller in an Azure VM instance (not what this fellow is doing) and running Azure AD w/ DirSync for your O365 tenant, which is what he's talking about.

@MDMarra Ah, learned something from someone else's question. :)

@NathanC yeah Azure AD is something that exists in Azure and is accessible through a web interface for managing users, groups, and DirSync for use with Office 365 and Intune. It's not an actual server that you can log into interactively. It's some multitenant Microsoft AD variant with some web front-end special sauce.

Adrian - what did you end up doing? We are considering a similar route, curious how it ended up working out for you?

@aSkywalker - We ended up integrating the third party apps using different SSO mechanisms that are exposed by Azure AD. Once you have Azure AD it can act as a federated ID provider for OAuth2, SAML etc so you aren't limited to LDAP

1 Answer

Short answer: No. However, like @Nathan-C described, you can stand up the required services using Azure IaaS (either DC+DirSync+ADFS or DC+DirSync w/pwd sync) in order to achieve single sign-on between your Office365 apps and your on-prem apps. You would need to deploy a VPN link between Azure and your local network.

Azure AD is NOT "regular" Active Directory.
answered Apr 16, 2015 by Trondh  

Thanks, I suspected this was the case. What we have managed to do is configure most of our 3rd party apps to use OAuth2 for identity provision. We then installed the auth0 service from the Azure store and set up our Azure AD as an enterprise identity provider (connection) for the auth0 service. The 3rd party apps now use auth0 as ID provider which federates to our Azure AD. (hope I got my terminology right but basically the apps use OAuth2 to authenticate against auth0 which "proxies" our Azure AD)

Another comment on the proposed solution: We don't want to do this because we 1) like using Office 365 to manage our users 2) don't actually want to force our users to login to a domain which I assume implementing a DC would involve

1) is a fair point. 2) seems a bit unclear to me. If you mean implementing domain-joined workstations, there is no requirement to do this if you're implementing any of the dirsync options.

Is it possible to install DirSync on a DC? I think I read somewhere that it's not?

With the newest version of DirSync, you can install it onto a DC. It used to be the case that you couldn't.