Management set the task of implementing the operations of creating, editing and moving users in the local Active Directory from an asp.net application hosted in Azure. Is it possible to do this, and if so, by what means? Is it possible to do it without Azure Active Directory? Will LDAP work in the cloud? Do I need to configure something in the local AD?
- I think there should be no problems. In the application you simply specify the LDAP path and work with it. Have you tried connecting to your LDAP from within the application? - Ella Svetlaya
- @EllaSvetlaya it connects from the local machine, but not from the cloud; access is not allowed. I just have a suspicion that Azure AD was made precisely so that cloud services can no longer connect to AD in any other way. - Sergey Tambovtsev
- It depends on how you connect; it should work. - Ella Svetlaya
1 answer
Yes, you can. Azure AD is not needed for this at all. In AD, too, you do not have to configure anything. You can use the usual .NET libraries to access LDAP (or Active Directory). There are many good and safe ways:
- The first is through a virtual network and VPN.
- The second is asynchronous, passive communication with LDAP through a Queue and a service (you don't even have to open ports in the network).
- The third is a simple web service that is hosted in the corporate network and that the UI accesses. I mean, all the main business logic should be in it.
- It is possible that you can arrange communication through Azure Hybrid Connection (BizTalk Services), but I'm not sure whether this will work with LDAP.
I will describe the easiest way (from my point of view):
- Create an Azure Virtual Network with a range of addresses that do not intersect with the addresses of your corporate network (optionally, you can choose your DNS Server to access the machines by their name, rather than the ip)
- Create a Local Network with the address range of your corporate network and specify your Public IP
- Create a VPN Gateway in the virtual network (static routing is usually enough); there is an example and a video about it.
- Connect to your Gateway from the corporate network to the VPN Gateway in Azure
- Create a new App Service (Azure Website) in Azure, at a minimum on the Standard tariff plan
- Integrate your App into a virtual network
- Develop your application locally
- Deploy your App Service App
- Voila, you can safely access your Directory Service on your network from your App.
UPDATE:
On the way to work, I had the thought that a Standard-tier Azure Website (App Service) is probably too expensive. A better fit for this is an Azure Web Role at the A0 level. It is several times cheaper, and it can also be configured to use a virtual network.
PS. As touched on in one of the answers, the possibility of implementing this with Azure AD is excluded, because Azure AD and plain AD are not exactly the same thing. Even with sync, you do not get direct access to AD; you get some kind of copy of its attributes in Azure AD. There are no Organizational Units (OUs) in Azure AD. Accordingly, there will be nowhere to move users from and nowhere to move them to. The maximum you can do is configure the change and reverse synchronization of some AD attributes. Here is a list of attributes that are synchronized in AAD. "Writeback" (synchronization in the opposite direction) is supported only for some of them. In addition, Writeback at this time (March 2016) is still in the preview phase.
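Once the App Service sits in the VPN-connected virtual network, the create and move operations from the question look like this with System.DirectoryServices. This is an added example, not code from the answer; the domain controller name, OU paths, UPN suffix and the credentials passed in are assumed placeholders, and the account used should be a dedicated service account delegated only the rights it needs on those OUs.

```csharp
// Added example: create a user in a staging OU and move it to a target OU
// over the VPN-connected virtual network. All names below are placeholders.
using System;
using System.DirectoryServices;

public static class AdUserOps
{
    const string Dc        = "dc01.corp.example";                  // placeholder DC
    const string StagingOu = "OU=Staging,DC=corp,DC=example";      // placeholder OU
    const string TargetOu  = "OU=Sales,DC=corp,DC=example";        // placeholder OU
    const string UpnSuffix = "corp.example";                       // placeholder suffix

    // Kerberos/NTLM bind with signing and sealing, so the bind and the
    // attribute writes are integrity-protected and encrypted on the wire.
    const AuthenticationTypes Auth =
        AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;

    static DirectoryEntry Open(string dn, string user, string password) =>
        new DirectoryEntry($"LDAP://{Dc}/{dn}", user, password, Auth);

    // Creates the object disabled; returns its distinguished name.
    public static string CreateUser(string sam, string displayName, string user, string password)
    {
        using var ou = Open(StagingOu, user, password);
        using var u  = ou.Children.Add($"CN={displayName}", "user");
        u.Properties["sAMAccountName"].Value     = sam;
        u.Properties["displayName"].Value        = displayName;
        u.Properties["userPrincipalName"].Value  = $"{sam}@{UpnSuffix}";
        u.CommitChanges();

        // A freshly created user gets userAccountControl 0x222, which includes
        // PASSWD_NOTREQD (0x20). Clear it so the domain password policy applies;
        // 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE keeps the account disabled
        // until a password is set through a separate, audited step.
        u.Properties["userAccountControl"].Value = 0x202;
        u.CommitChanges();

        return $"CN={displayName},{StagingOu}";
    }

    // Moves the object between OUs; this is the step that has no equivalent
    // in Azure AD, which has no OUs.
    public static void MoveUser(string userDn, string user, string password)
    {
        using var u      = Open(userDn, user, password);
        using var target = Open(TargetOu, user, password);
        u.MoveTo(target);
    }
}
```

Name resolution for the DC from the App Service depends on the DNS server chosen when the virtual network was created; with the default Azure DNS the host name above will not resolve and the IP address must be used instead.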
- Exactly, I ruled out AAD for the same reason: moving between units is impossible. We will try your option, thanks for the detailed instructions! :) - Sergey Tambovtsev
- now convinced =) - rdorn
- @sergeitambovtsev: look, I have a small update in the post. You will need it. - Walter Nuss