
We are moving some VMs and Cloud Services into Azure, but we need those services to still connect back to the AD of our partner. I'm a developer, not a sysadmin, so I'm not sure how to do this, or if it's even possible.

From my understanding we will need to do something like this:

  1. Set up Virtual Network in Azure
  2. Set up site-to-site VPN between Azure and partner's datacenter
  3. Set up Cloud Services / VMs in Azure (inside the VNet from #1)
  4. Set up a domain in Azure AD, say we call it "AzureDomain"
  5. Set up a trust between the Azure AD domain, and our partner's AD domain ("PartnerDomain").
  6. Set up Windows services / IIS AppPools in Azure Cloud Services/VMs to run under an account in our Azure AD domain, e.g., "AzureDomain\service_account"
  7. Have partner grant permissions to "AzureDomain\service_account" to access any network share / database / etc resources that it needs.

Did I miss any steps? For example, is there some kind of AD sync necessary, either AzureDomain => partner's DC, or PartnerDomain => Azure DC?

I don't care if the services in the Azure infrastructure run under an account in Azure AD, or one in the partner's AD. I just want the simplest solution possible that will allow the services in Azure to access resources in the partner's datacenter.

Giscard Biamby
  • I'm finding that Azure AD is more for SSO than it is for allowing services to access DBs / fileshares / etc. I might have some workarounds though. For fileshare, mapping a drive and specifying the domain credentials may work, and for DB, use SQL Server logins. Certain things will still be hard, like authentication for SSIS, or anything with SQL Agent jobs. – Giscard Biamby Jul 02 '13 at 14:42

1 Answer


You won't be able to create a trust between Azure AD and your PartnerDomain. What you probably want to do is to use DirSync (http://technet.microsoft.com/en-us/library/jj151800.aspx) to keep the two AD instances in sync. This way, you're in effect extending your PartnerDomain onto Azure AD. It's smart to deploy at least 1-2 replica domain controllers as Azure VMs so that your cloud-based services will be able to contact the domain even if the site-to-site VPN link goes down.

Trondh
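As an added example, not from the question or the answer: the network side of steps 1 and 2 in the question, combined with the answer's advice to keep replica domain controllers in Azure, expressed with the current Az PowerShell module (the thread predates it, so the cmdlets are not what either poster used). Every resource name, address range and IP below is a constructed placeholder; the two security-relevant choices are a CSPRNG-generated pre-shared key and an explicit IPsec/IKE policy instead of negotiated defaults.

```powershell
# Added example: VNet + site-to-site VPN to the partner datacenter, with the VNet's DNS
# pointed at the planned replica DCs (the answer's point). Az PowerShell module assumed;
# every name, address range and IP below is a constructed placeholder.
$rg   = 'rg-partner-link'
$loc  = 'westeurope'
$vnetCidr     = '10.1.0.0/16'               # Azure side
$appCidr      = '10.1.1.0/24'               # Cloud VMs and replica DCs live here
$gwCidr       = '10.1.255.0/27'             # the gateway subnet must be named GatewaySubnet
$partnerCidrs = @('192.168.0.0/16')         # PartnerDomain address space (assumed)
$partnerVpnIp = '203.0.113.10'              # partner VPN device public IP (documentation range)
$replicaDcs   = @('10.1.1.4', '10.1.1.5')   # static IPs reserved for the replica DCs

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Step 1: virtual network. DNS points at the Azure replica DCs so domain lookups and
# authentication keep working for the cloud VMs even when the VPN link is down.
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwCidr
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix $appCidr
$vnet = New-AzVirtualNetwork -Name 'vnet-azure' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix $vnetCidr -Subnet $gwSubnet, $appSubnet -DnsServer $replicaDcs

# Step 2a: Azure VPN gateway (route-based, required for IKEv2 with a custom IPsec policy).
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
    -Sku Standard -AllocationMethod Static
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gw-ipconf' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-azure' -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 2b: local network gateway = the partner's VPN device plus the prefixes behind it.
# This list doubles as the route table, so keep it to what the services actually need.
$lng = New-AzLocalNetworkGateway -Name 'lng-partner' -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress $partnerVpnIp -AddressPrefix $partnerCidrs

# Step 2c: pre-shared key from a CSPRNG, never typed by hand. Hand the same value to the
# partner out of band and keep it in a vault, not in this script.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)   # 44 printable ASCII characters

# Explicit IPsec/IKE policy so the tunnel cannot fall back to weaker negotiated defaults.
# The partner device must be configured with the same parameters.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name 'cn-azure-partner' -ResourceGroupName $rg `
    -Location $loc -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -IpsecPolicies $ipsec -RoutingWeight 10 | Out-Null

# Check: reports 'Connected' once the partner side is up with the same PSK and policy.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-azure-partner' -ResourceGroupName $rg).ConnectionStatus
```

Once the tunnel is connected, the replica DCs are deployed into `snet-app` with the static addresses reserved above and promoted over the VPN; from then on the Azure VMs resolve and authenticate against the local replicas, which is what lets them keep working through a link outage. Nothing here covers the DirSync step from the answer, which is an identity-synchronisation configuration rather than a network one.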