ITH Publication - October 24, 2020, 1:03 am


AWS Active Directory with Azure AD/Office365 - challenges and pitfalls

Many business systems hosted on AWS run on Windows EC2 servers that are managed through AWS Managed Microsoft AD. The Office 365 suite of email and productivity applications is, in turn, one of the key platforms in today's technology landscape. If you manage both systems for a business, as an IT service administrator, owner or manager you have probably been asked whether users can have a single password for the two. That is the problem we are going to solve today, and I am going to share our experience of integrating AWS Managed Active Directory with Azure AD/Office 365 login.
Let's add one more item to the mix: if your end users have Azure AD joined Windows 10 laptops, how does the change affect their logins?
We will take you through some of the challenges you might come across when implementing the change, and how to overcome them so that the rollout is as smooth as possible for your users.

The diagram below is an excerpt from the detailed AWS reference article on the integration, which broadly defines the process as follows:

  1. Add two containers to AWS Microsoft AD for use by AD FS.
  2. Install AD FS.
  3. Integrate AD FS with Azure AD.
  4. Synchronize users from AWS Microsoft AD to Azure AD with Azure AD Connect.
  5. Sign in to Office 365 by using your Microsoft AD identities.

[Diagram: integration architecture from the AWS reference article]


The migration process is well explained by AWS, and you should be able to follow the steps. In this article we keep our focus on the challenges and pitfalls that come up along the way. As much as you would want to, these kinds of changes are hard to test in a UAT environment, especially for small and medium enterprises.

Below are some of the challenges and pitfalls that we came across during the implementation phase and want to flag here:

1. Create a separate Onmicrosoft domain account on Office 365, otherwise you will get the errors shown below.

[Screenshot: Office 365 errors]

2. Do not try to set up the AD FS component on Windows Server 2012/R2. Always use Windows Server 2016.

3. Where the guide says to use the Microsoft AD administrator credentials of the Admin user and save them in the script variable $localAdminCred by running the following Windows PowerShell command, it is referring to the AWS admin account (Domain\admin):
C:\> $localAdminCred = (Get-Credential)

4. While setting up Active Directory Federation Services (AD FS), if the AD FS service refuses to start with error 1297, this article will be helpful in resolving the error.


5. If you see errors like the ones below in the browser when trying to log in to portal.office.com or SharePoint Online, the issue is with Azure AD Connect. Make sure that Azure AD Connect is configured correctly.

[Screenshots: browser sign-in errors]

6. On Azure AD joined Windows 10 machines, logon credentials are cached for 10 logons by default. The normal behaviour is that an expired password keeps working for Windows logon until the user enters the new password, and after the new password has been entered the old password will continue to work as well.


If you want the password change to take immediate effect, make sure that the property shown below is set to a value of '0' on users' Windows 10 computers.

However, I would always recommend discussing this with your desktop management team or a Windows build/security expert to decide how best to handle this situation. The right choice depends on your company's working style and policies, since with no cached logons a user can only sign in while the device can reach the identity provider.

We manage this on a client by client basis depending on their requirements.

[Screenshot: the Windows property to set to 0]

7. Add your STS site to the Intranet zone. After this you will never have to sign in to the STS site again once you have logged in to your computer with your Azure AD login.

8. Make sure that modern authentication is enabled on users' laptops to ensure that authentication works without any issues.

9. You can add Chrome or other user agents that support WIA to the AD FS configuration. This enables seamless logon to applications protected by AD FS without having to enter credentials manually.
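One way to do this, as an added example that is not from the original article or from the AWS/Microsoft documentation: it runs in an elevated PowerShell session on the primary AD FS server, and the token it adds ('Mozilla/5.0') is Microsoft's usual choice for Chrome and is assumed to suit your environment.

```powershell
# Added example (not from the original article): add Chrome to the list of
# user agents AD FS challenges with Windows Integrated Authentication (pitfall 9).
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

# AD FS matches each entry as a substring of the browser's User-Agent header.
# Chrome's UA starts with "Mozilla/5.0 (...)", which is the token Microsoft's
# guidance uses. Assumption: this token is right for your environment; it also
# matches Firefox and Safari, which then fall back to a credential prompt
# unless they are configured for WIA themselves.
$agentToAdd = 'Mozilla/5.0'

$current = @((Get-AdfsProperties).WIASupportedUserAgents)
Write-Output "Current WIA user agents: $($current -join ', ')"

if ($current -contains $agentToAdd) {
    Write-Output "'$agentToAdd' is already present; nothing to change."
} else {
    # Keep the existing entries (MSIE, Trident, Edge, ...) and append ours.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $agentToAdd)

    # AD FS reads this list at start-up, so the service must be restarted.
    Restart-Service -Name adfssrv
}

# Verify the change took effect before relying on it.
$updated = @((Get-AdfsProperties).WIASupportedUserAgents)
if ($updated -notcontains $agentToAdd) {
    throw "WIASupportedUserAgents does not contain '$agentToAdd' after the update."
}
Write-Output "Updated WIA user agents: $($updated -join ', ')"
```

On a multi-server farm, run it on the primary server only and restart the adfssrv service on each secondary node as well so they pick up the new list.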

These were some of the challenges we faced while integrating AWS AD with Azure AD. After solving them, we were able to use a single password, with AD FS SSO, for Office 365 email/apps and for apps hosted on Windows EC2 instances in AWS.

