Azure Active Directory and itopia WorkAnywhere
Written by Fegeins Louis
Updated over 4 months ago

Overview

Microsoft Azure Active Directory (AAD or Azure AD) is a cloud identity platform that serves to provide integration between on-premises Active Directory domains, Microsoft Azure, and third-party cloud solutions.

This article discusses the integration options available for itopia WorkAnywhere (formerly Cloud Automation Stack [CAS]) and Microsoft Azure AD.

Understanding Azure Active Directory

Despite its name and somewhat similar role, Azure Active Directory (AAD) is a separate and distinct solution from Microsoft Active Directory Domain Services (AD DS, or simply AD). The table below provides some key information and differences between the products.

Microsoft Active Directory:

  • Is deployed on-premises (or in a datacenter or cloud provider)

  • Relies on domain controller servers to store domain data, process user logins, and effectively "host" the domain

  • Requires manual design, deployment, and configuration

  • Is intended primarily for use on a private local area network

  • Provides a security realm (domain) for Windows workstations and servers, allowing users to log in to Windows (via LDAP, NTLM, and Kerberos) using the same domain account across multiple computers

  • Supports the use of group policy objects (GPOs) to define and enforce configuration settings for computers and users

Azure Active Directory:

  • Is provided as a cloud service by Microsoft

  • Does not require domain controller servers; all services are hosted by Microsoft in the Azure cloud

  • Does not require manual design, deployment, or configuration

  • Is intended for use directly across the public Internet

  • Provides a security realm (domain) for other cloud services, allowing users to log in to third-party services (via SAML, OAuth, or other web protocols) using a single identity stored in Azure AD

  • Provides multiple tools to enforce configuration settings for computers and users

In general, Active Directory is intended to perform user authentication on a private network, and Azure AD is intended to perform user authentication across the public internet. Although their functionality may appear similar, their underlying structures are fundamentally different, and Azure AD is designed to work in tandem with AD DS rather than to serve as a replacement for it.

WorkAnywhere and Azure AD

itopia WorkAnywhere deployments rely on Microsoft Active Directory to provide user authentication and authorization, enforcement of group policy objects (GPOs), and the prerequisite directory for Microsoft Remote Desktop Services (RDS). Session Hosts and other infrastructure servers must be joined to an on-premises AD domain; Azure AD alone, without an on-premises AD domain, cannot fulfill these functions.

As such, WorkAnywhere does not currently provide integration with Azure AD for user authentication; users must log in to the Cloud VDI Portal and/or their Cloud Desktops using their Active Directory identities. However, itopia does support synchronizing your on-premises Active Directory domain with an Azure AD directory for use by other third-party solutions. Depending on the Active Directory model you choose for your WorkAnywhere deployment, you can deploy Microsoft Azure AD Connect into your domain and establish synchronization of your users, groups, and other objects with an Azure AD instance.

Additionally, certain management features in Azure AD can be used in conjunction with WorkAnywhere. Password writeback allows your users to perform self-service password resets in the Azure AD portal; their new passwords are then synchronized down to the corresponding on-premises Active Directory user object. When password writeback is enabled in Azure AD Connect, WorkAnywhere will recognize password changes originating in Azure AD, and users can access their Cloud Desktops using the new password.

Similarly, group writeback will synchronize changes to group membership from Azure AD to the corresponding on-premises AD group. When you enable group writeback in Azure AD Connect and configure auto-import in WorkAnywhere, you can manage group membership (and Collection Pool assignment) in Azure AD, and WorkAnywhere will automatically detect those changes.
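As an added check (not itopia's or Microsoft's own code), the following PowerShell, run on the Azure AD Connect server, confirms the conditions the password-writeback and group-writeback scenarios above depend on: the sync scheduler is enabled, the server is not in staging mode (a staging server never exports to either directory), and both writeback features are turned on. The ADSync cmdlets are Microsoft's; the "* - AAD" connector-name pattern and the Enabled property on the password-reset configuration are assumptions to verify against your own server.

```powershell
# Added example: verify the Azure AD Connect settings that WorkAnywhere's
# password and group writeback integration relies on. Run as an administrator
# on the Azure AD Connect server (the ADSync module ships with it).
Import-Module ADSync -ErrorAction Stop

# Scheduler state: writeback never reaches on-premises AD if the sync cycle is
# disabled or the server is a staging-mode standby.
$scheduler = Get-ADSyncScheduler

# Tenant-level feature flags (UnifiedGroupWriteback = original group writeback,
# GroupWritebackV2 = the newer implementation; either satisfies this article).
$features = Get-ADSyncAADCompanyFeature

# Password writeback is configured per Azure AD connector. Assumption: the
# connector name ends in " - AAD" (the default naming Azure AD Connect uses).
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1
if (-not $aadConnector) { throw 'No Azure AD connector found in this ADSync installation.' }
# Assumption: the returned object exposes an Enabled boolean.
$pwdReset = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

$checks = [ordered]@{
    'Sync cycle enabled'         = [bool]$scheduler.SyncCycleEnabled
    'Server not in staging mode' = -not [bool]$scheduler.StagingModeEnabled
    'Password writeback enabled' = [bool]$pwdReset.Enabled
    'Group writeback enabled'    = ([bool]$features.UnifiedGroupWriteback -or [bool]$features.GroupWritebackV2)
}

$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    $state = if ($check.Value) { 'OK  ' } else { 'FAIL'; $failed++ }
    Write-Output ('[{0}] {1}' -f $state, $check.Key)
}
if ($failed -gt 0) {
    Write-Warning "$failed writeback prerequisite(s) not met; changes made in Azure AD will not reach WorkAnywhere."
}
```

A FAIL on the staging-mode or sync-cycle line explains the common case where password resets succeed in the Azure AD portal but users still cannot log in to their Cloud Desktops with the new password.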

[Image: Active_Directory_Diagrams.png]

What to Sync to Azure AD

In most cases, you will want to sync user and group accounts to Azure AD from your on-premises AD domain. Depending on the Active Directory model you choose for your WorkAnywhere deployment, you may need to deploy Azure AD Connect into a different domain to allow synchronization of user and group objects into Azure AD:

New AD Domain or New Google Managed Domain

  • Deploy Azure AD Connect in: the new AD domain or Google Managed domain

Existing AD Domain or Extended AD Domain

  • Deploy Azure AD Connect in: the existing AD domain

New AD Domain or New Google Managed Domain with AD Trust

  • Deploy Azure AD Connect in: the existing AD domain (i.e. the "trusted" or "accounts" domain)

  • Considerations: this option does not support Azure AD joined devices, as the Cloud Desktop computer accounts reside in a separate AD forest and are therefore not synced with Azure AD

Additional Resources

Use the following links to learn more about Azure AD and connecting your on-premises AD instance to it. You can also contact itopia support or your account executive to learn more about Azure AD and WorkAnywhere.
