Maintaining Business Continuity for Office 365 Using Azure
Organisations buying into Office 365 do so on the basis that it is a robust, 24/7, always-available service, which may well be an improvement on the on-premises solutions it replaces. However, identity integration and authentication services still have to be implemented to support login to Office 365, and it may be difficult for some companies to provide the same 24/7 capability for those elements from their own on-premises data centres.
In these situations, building a resilient identity and authentication infrastructure in Azure may be an attractive option.
With many organisations moving to cloud applications such as Office 365 and Intune, there is a requirement to implement an infrastructure to synchronise on-premises Active Directory identities to Azure Active Directory and enable an authentication service. At its simplest, this could be a one server deployment of Azure AD Connect enabled with Password Sync but, for many organisations, Active Directory Federation Services (ADFS) is a required solution to provide true single sign-on and other benefits such as login control and auditing. Since the cloud services are available 24/7, there is a related requirement to enable the identity services to also be available 24/7.
To support this requirement, ADFS would be implemented in a high availability (HA) configuration, because for a federated domain the loss of this service means that users cannot log in at all. Additionally, because the service must be reachable externally so that mobile users can log in, a further role, Web Application Proxy (WAP), is also installed in a high availability configuration to provide secure publishing without exposing the ADFS servers themselves to the Internet. So, with a single AD Connect server (which has no active/active HA capability; at most a manually activated standby), two ADFS and two WAP servers, there are a minimum of five servers to install.
Of course, this can be implemented in an on-premises data centre but, aside from the fact that it is counter-intuitive to migrate services to the cloud and then implement another five servers on-premises, many organisations don’t offer fully supported, 24/7 data centres. In this situation, these organisations can choose to build these services in the Microsoft Azure platform.
Cloud Identity Services in Azure
Microsoft Azure is a collection of highly resilient, cloud-integrated services offering everything from virtual machines through to big data, media services, developer services and many other functions. The cloud identity infrastructure can be built entirely on Azure virtual machines, which carry a 99.95% availability SLA when two or more instances of a role are deployed in an availability set; a single VM does not attract that guarantee, which is one more reason the ADFS and WAP roles are deployed as pairs.
The core requirement to support this solution is an Azure subscription with a connection back to the on-premises data centre. This can simply be created using a standard VPN or, more strategically, with an ExpressRoute connection.
With this platform in place, the identity infrastructure can be deployed. This will be the AD Connect server, two ADFS servers and two WAP servers, with the latter two configured into a DMZ-style, separated network.
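The DMZ-style separation described above is enforced in Azure with network security groups (NSGs) on the two subnets. The following Az PowerShell script is an added example (it is not Silversands' code and is not taken from the article) showing the minimum rule set: the Internet may reach the WAP subnet only on TCP 443, the WAP subnet may reach only the ADFS farm and only on TCP 443, and everything else from the DMZ into the internal range is denied. The resource group, region, address ranges, subnet and NSG names, and the internal load balancer front-end address for the ADFS farm are all assumptions made for the example.

```powershell
# Added example: lock down the DMZ (WAP) subnet relative to the internal (DC/ADFS/AD Connect) subnet.
# All names, ranges and the ADFS load-balancer address below are assumptions, not values from the article.
$rg       = 'rg-identity'
$location = 'uksouth'
$internal = '10.10.1.0/24'   # domain controllers, ADFS farm, AD Connect
$dmz      = '10.10.2.0/24'   # WAP servers only
$adfsVip  = '10.10.1.10'     # front-end of an internal load balancer in front of the two ADFS servers (assumed)

# DMZ NSG. Azure's default rules allow VirtualNetwork->VirtualNetwork traffic at priority 65000,
# so the explicit Deny at 200 is what actually stops a compromised WAP host reaching the DCs.
# Add a second outbound Allow for TCP 49443 if client certificate authentication is enabled on the ADFS farm.
$dmzRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Internet-HTTPS-In' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix $dmz -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-WAP-to-ADFS-HTTPS-Out' -Priority 100 -Direction Outbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $dmz -SourcePortRange * `
        -DestinationAddressPrefix $adfsVip -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Deny-DMZ-to-Internal-Out' -Priority 200 -Direction Outbound `
        -Access Deny -Protocol * -SourceAddressPrefix $dmz -SourcePortRange * `
        -DestinationAddressPrefix $internal -DestinationPortRange *
)
$dmzNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-dmz' -SecurityRules $dmzRules

# Internal NSG. The only thing the DMZ may initiate inbound is TLS to the ADFS front-end; the on-premises
# range arriving over the VPN/ExpressRoute gateway is covered by the VirtualNetwork default rule, and
# the default DenyAllInBound rule keeps the Internet out of this subnet entirely.
$intRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-DMZ-HTTPS-In' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $dmz -SourcePortRange * `
        -DestinationAddressPrefix $adfsVip -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Deny-DMZ-Other-In' -Priority 110 -Direction Inbound `
        -Access Deny -Protocol * -SourceAddressPrefix $dmz -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)
$intNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-internal' -SecurityRules $intRules

# Virtual network with the two identity subnets plus the GatewaySubnet the VPN/ExpressRoute gateway requires.
$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'snet-internal' -AddressPrefix $internal -NetworkSecurityGroup $intNsg
    New-AzVirtualNetworkSubnetConfig -Name 'snet-dmz'      -AddressPrefix $dmz      -NetworkSecurityGroup $dmzNsg
    New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
)
New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name 'vnet-identity' `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnets
```

Because the WAP servers are not domain-joined, they need no LDAP, Kerberos or DNS path into the internal subnet; the example assumes they resolve the federation service name through a hosts file or an external resolver, so the deny rule at priority 200 can cover the whole internal range. Review the effective rules with Get-AzEffectiveNetworkSecurityGroup against a WAP NIC after deployment to confirm the default VirtualNetwork allow has really been overridden.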
Yet, whilst this configuration will support cloud authentication, it is not a standalone solution: the ADFS servers must validate every user against a domain controller, and AD Connect must read from one, so it still requires the VPN to be up for authentication requests to complete. Therefore, the final element that needs to be included is at least two domain controllers for any domain that hosts user accounts. With these in place, and an Active Directory site defined for the Azure address space so that the ADFS and AD Connect servers locate the Azure-hosted domain controllers rather than the on-premises ones, the connection back to the data centre is no longer critical to authentication, since every request can be completed within the Azure-based services.
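The "correctly designed site configuration" that makes the Azure domain controllers self-sufficient comes down to a site, a subnet-to-site mapping and a site link. The script below is an added example (not from the article or from Silversands) that creates them with the ActiveDirectory module and then checks, from an Azure-hosted server, which domain controller the DC locator actually returns. The domain name, site names, Azure address space and replication interval are assumptions for the example.

```powershell
# Added example: map the Azure address space to its own AD site so Azure-hosted servers use the Azure DCs.
# Domain, site names, address space and schedule below are assumptions, not values from the article.
Import-Module ActiveDirectory

$domain      = 'contoso.com'
$azureSite   = 'Azure-UKSouth'
$onPremSite  = 'Default-First-Site-Name'   # replace with the real on-premises site name
$azureSubnet = '10.10.0.0/16'              # whole Azure virtual network, matching the VNet address space

# The DC locator matches a client's IP against subnet objects to choose a site; without this mapping
# an Azure ADFS server is treated as site-less and may happily bind to a DC across the VPN.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
    New-ADReplicationSite -Name $azureSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureSubnet'")) {
    New-ADReplicationSubnet -Name $azureSubnet -Site $azureSite
}

# A dedicated site link so replication over the VPN/ExpressRoute is scheduled explicitly
# rather than inheriting whatever DEFAULTIPSITELINK happens to contain.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'OnPrem-Azure'")) {
    New-ADReplicationSiteLink -Name 'OnPrem-Azure' -SitesIncluded $onPremSite, $azureSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Verification, run on an Azure-hosted ADFS or AD Connect server once the Azure DCs are promoted.
# Both calls should name a DC in $azureSite; /force bypasses the locator cache so the new mapping is honoured.
Get-ADDomainController -Discover -DomainName $domain -SiteName $azureSite | Select-Object HostName, Site
nltest /dsgetdc:$domain /force
```

If the verification still returns an on-premises domain controller, the usual causes are a subnet object that does not cover the VNet address range, or the Azure DCs not yet advertising (check they pass dcdiag and that their NTDS Settings sit under the new site). Only once this holds can the VPN genuinely be lost without affecting sign-in.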
If you are an organisation using FIM or other solutions for identity management, then there could be a consideration as to whether this should also be deployed in the Azure platform. Equally, your availability requirements may be even more stringent and deployment in a single Azure data centre might not be appropriate. In this case it would be quite possible to deploy a more complex architecture across two Azure data centres.
For many organisations, Office 365 and cloud in general represents the future of application delivery but there is a requirement to consider how to support the associated authentication services appropriately and ensure they do not become a productivity blocker in the event of some systems or connectivity failure in the on-premises data centre.
Using Azure as the platform for these services can provide the capability to ensure business continuity for Office 365 or other ADFS-integrated cloud services, such as ServiceNow, regardless of the status of the on-premises systems. If the users can get an Internet connection, they will still be able to authenticate to the cloud.
If you would like more information on how Silversands can help you to build an Azure identity services platform, or any other aspect of Azure or Office 365, please contact us at firstname.lastname@example.org or call 01202 360000.
About the partner
Silversands is an experienced Microsoft Systems Integrator, specialising in designing and enablement of hybrid solutions. Our customers say they use our services because of our level of technical excellence, coupled with an ability to address the real business issues in an agile way.