Azure – Set up trust between Azure AD and local AD

Tags: active-directory, azure, domain, domain-controller

We are moving some VMs and Cloud Services into Azure, but we need those services to still connect back to the AD of our partner. I'm a developer, not a sysadmin, so I'm not sure how to do this, or if it's even possible.

From my understanding we will need to do something like this:

  1. Set up Virtual Network in Azure
  2. Set up site-to-site VPN between Azure and partner's datacenter
  3. Set up Cloud Services / VMs in Azure (inside the VNet from #1)
  4. Set up a domain in Azure AD, say we call it "AzureDomain"
  5. Set up a trust between the Azure AD domain, and our partner's AD domain ("PartnerDomain").
  6. Set up Windows services / IIS AppPools in Azure Cloud Services/VMs to run under an account in our Azure AD domain, e.g., "AzureDomain\service_account"
  7. Have partner grant permissions to "AzureDomain\service_account" to access any network share / database / etc resources that it needs.

Did I miss any steps? For example, is there some kind of AD sync necessary, either AzureDomain => partner's DC, or PartnerDomain => Azure DC?

I don't care if the services in the Azure infrastructure run under an account in Azure AD, or one in the partner's AD. I just want the simplest solution possible that will allow the services in Azure to access resources in the partner's datacenter.

Best Answer

You won't be able to create a trust between Azure AD and your PartnerDomain. What you probably want to do is to use DirSync (http://technet.microsoft.com/en-us/library/jj151800.aspx) to keep the two AD instances in sync. This way, you're in effect extending your PartnerDomain onto Azure AD. It's smart to deploy at least 1-2 replica domain controllers as Azure VMs so that your cloud-based services will be able to contact the domain even if the site-to-site VPN link goes down.
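A way to verify the answer's replica-DC point from inside the Azure VNet, added here as an example (it is not code from the question or the answer). It assumes the domain is named `partnerdomain.local` and that the replica DCs in Azure are assigned to an AD site named `Azure-Site`; both names are placeholders.

```powershell
# Added example: confirm that a domain-joined Azure VM locates a DC in the
# Azure site (not only one across the VPN) and that the Azure DC replicates
# cleanly. Run on an Azure VM joined to the extended partner domain.
# Assumed names: domain "partnerdomain.local", AD site "Azure-Site".
Import-Module ActiveDirectory

$domain    = "partnerdomain.local"   # placeholder domain name
$azureSite = "Azure-Site"            # placeholder AD site holding the Azure replica DCs

# 1. Ask the DC locator for a DC in the Azure site, bypassing the cached answer.
$dc = Get-ADDomainController -Discover -DomainName $domain -SiteName $azureSite -ForceDiscover
$dcHost = [string]$dc.HostName
"Located DC: $dcHost in site $($dc.Site)"
if ($dc.Site -ne $azureSite) {
    Write-Warning "No DC answered from $azureSite; services would depend on the VPN link."
}

# 2. Check this VM's own secure channel to the domain.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel to $domain is broken; domain accounts will fail to authenticate."
}

# 3. Show replication health of the Azure DC with its on-premises partners.
Get-ADReplicationPartnerMetadata -Target $dcHost -PartnerType Both |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult

# 4. Cross-check with the built-in locator tool (same site-scoped query).
nltest /dsgetdc:$domain /site:$azureSite /force
```

Temporarily disabling the site-to-site VPN and re-running step 1 is the simplest way to confirm that the Azure DCs alone keep the services authenticating.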
