Microsoft Azure Active Directory (AAD or Azure AD) is a cloud identity platform that serves to provide integration between on-premises Active Directory domains, Microsoft Azure, and third-party cloud solutions.
This article discusses the integration options available for itopia WorkAnywhere (formerly Cloud Automation Stack [CAS]) and Microsoft Azure AD.
Understanding Azure Active Directory
Despite its name and somewhat similar role, Azure Active Directory (AAD) is a separate and distinct solution from Microsoft Active Directory Domain Services (AD DS, or simply AD). The table below provides some key information and differences between the products.
| Microsoft Active Directory | Azure Active Directory |
| --- | --- |
In general, Active Directory is intended to perform user authentication on a private network, and Azure AD is intended to perform user authentication across the public internet. Although their functionality may appear similar, their underlying structures are fundamentally different, and Azure AD is designed to work in tandem with AD DS rather than to serve as a replacement for it.
WorkAnywhere and Azure AD
itopia WorkAnywhere deployments rely on Microsoft Active Directory to provide user authentication and authorization and Group Policy Object (GPO) enforcement, and as a prerequisite for Microsoft Remote Desktop Services (RDS). Session Hosts and other infrastructure servers must be joined to an on-premises AD domain; Azure AD without an on-premises AD domain cannot fulfill these functions properly.
As such, WorkAnywhere does not currently provide integration with Azure AD for user authentication; users must log in to the Cloud VDI Portal and/or their Cloud Desktops using their Active Directory identities. However, itopia does support synchronizing your on-premises Active Directory domain with an Azure AD directory for use by other third-party solutions. Depending on the Active Directory model you choose for your WorkAnywhere deployment, you can deploy Microsoft Azure AD Connect into your domain and establish synchronization of your users, groups, and other objects with an Azure AD instance.
Additionally, certain management features in Azure AD can be used in conjunction with WorkAnywhere. Password writeback allows your users to perform self-service password resets in the Azure AD portal; their new passwords are then synchronized down to their corresponding on-premises Active Directory user objects. When password writeback is enabled in Azure AD Connect, WorkAnywhere will recognize password changes originating in Azure AD, and users can access their Cloud Desktops using the new password.
Similarly, group writeback will synchronize changes to group membership from Azure AD to the corresponding on-premises AD group. When you enable group writeback in Azure AD Connect and configure auto-import in WorkAnywhere, you can manage group membership (and Collection Pool assignment) in Azure AD, and WorkAnywhere will automatically detect those changes.
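To confirm that password writeback is actually active and to see how a cloud-originated reset appears on-premises (as event 4724 on the domain controller, with the Azure AD Connect AD DS connector account as the subject), the following PowerShell check is an added example, not itopia's code or part of this article. It assumes it runs on the Azure AD Connect server with the ADSync and ActiveDirectory modules available, that the Azure AD connector name ends in " - AAD", and that $ConnectorAccount is replaced with the AD DS connector account configured in your Azure AD Connect installation (the value here is a placeholder).

```powershell
# Added example: verify password writeback and trace a cloud-originated reset on-premises.
# Assumes: run on the Azure AD Connect server (ADSync module) with the RSAT ActiveDirectory
# module installed, and a domain controller reachable for Security log queries.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,        # user who reset their password in the Azure AD portal
    [string] $ConnectorAccount = 'MSOL_PLACEHOLDER',         # AD DS connector account used by Azure AD Connect (placeholder)
    [string] $DomainController = (Get-ADDomain).PDCEmulator,
    [int]    $LookbackHours = 24
)

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Is password writeback enabled on the Azure AD connector?
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aadConnector) { throw 'No Azure AD connector found in Azure AD Connect.' }
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name | Format-List

# 2. Did the on-premises password timestamp move after the cloud reset?
$user = Get-ADUser -Identity $SamAccountName -Server $DomainController -Properties PasswordLastSet
"On-prem PasswordLastSet for {0}: {1}" -f $user.SamAccountName, $user.PasswordLastSet

# 3. A writeback reset is logged on the DC as event 4724 (password reset) whose Subject is the
#    Azure AD Connect AD DS connector account rather than a helpdesk user or the user themselves.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4724; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $SamAccountName) {
        $origin = if ($data['SubjectUserName'] -eq $ConnectorAccount) { 'Azure AD (writeback)' } else { 'on-premises' }
        "{0}  reset of {1} by {2}  -> origin: {3}" -f $e.TimeCreated, $data['TargetUserName'], $data['SubjectUserName'], $origin
    }
}
```

Resets attributed to the connector account came through writeback; any other subject resetting the same user's password in the same window is an on-premises action worth reconciling with your helpdesk records.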
What to Sync to Azure AD
In most cases, you will want to sync user and group accounts to Azure AD from your on-premises AD domain. Depending on the Active Directory model you choose for your WorkAnywhere deployment, you may need to deploy Azure AD Connect into a different domain to allow synchronization of user and group objects into Azure AD:
| | New AD Domain or New Google Managed Domain | Existing AD Domain or Extended AD Domain | New AD Domain or New Google Managed Domain with AD Trust |
| --- | --- | --- | --- |
| Deploy Azure AD Connect in: | The new AD domain or Google Managed domain | The existing AD domain | The existing AD domain (i.e. the "trusted" or "accounts" domain) |
| Considerations: | | | This option does not support Azure AD joined devices, as the Cloud Desktop computer accounts reside in a separate AD forest and are therefore not synced with Azure AD |
Use the following links to learn more about Azure AD and connecting your on-premises AD instance. You can also contact itopia support or your account executive to learn more about Azure AD and WorkAnywhere.