Design Decision: User Migration Considerations

Most end-users are connecting from outside of the Azure cloud when accessing cloud resources using their own devices or devices from your enterprise. The user and device characteristics influence greatly the design and architecture of the cloud environment and the recommended migration paths. How you manage your environment today imposes certain requirements if that management system is moving into Azure.

Users are managed primarily through the directory services. If you are using a cloud-only deployment of users, you would start by creating an Azure AD tenant. Then you link that tenant to Azure AD and create the users and groups directly within Azure AD. If you have an existing deployment, you can use Azure AD Connect to synchronize your AD users and groups to Azure AD automatically.

Usually, installing and configuring Azure AD Connect to synchronize with Azure AD is a bit of a time-consuming process. The time spent setting up Azure AD Connect is worth it because users are able to access resources easier. Implementing Azure AD is recommended as the best long-term cloud strategy for authentication.

Here are the questions you need to answer regarding User Management:

Which identity provider do I need for Citrix Cloud?

  • Citrix cloud supports the folloing identity providers natively:
    • On-premises Active Directory
    • Azure Active Directory
    • Citrix identity provider
    • Over 20 third-party federated providers such as Okta or Ping
  • Select the identity provider that makes the most sense for your Citrix Cloud deployment. Do not forget to consider all existing applications and their requirements to integrate with cloud services

  • Determine if using a federation established with an on-premises deployment is a requirement for user identities. Examples of potential federations include Kerberos-based SSO, SAML, or MFA with smart cards or hardware tokens like RSA SecurID.

How do I move my existing on-premises AD users and groups to Azure AD?

  • Review available Microsoft documentation to determine what design works best for your business requirements

  • Verify that the licensing model for your Azure AD supports the features and number of users for your environment.

  • Microsoft recommends installing a domain controller in Azure to synchronize with your on-premises domain controllers over Azure ExpressRoute or VPN. Having a domain controller in Azure improves the Azure AD Connect synchronization performance.

  • Install and configure Azure AD Connect and allow it to synchronize your users and group memberships over to Azure AD

  • A single Azure AD Connect server is limited to a single forest for synchronization. Using Azure AD Connect is more complicated when multiple AD domains within the same forest are involved in the synchronization process.

  • Depending on the hybrid identity required, different options may be enabled:
    • Password hash synchronization (PHS)
    • Pass-through authentication (PTA)
    • Multifactor Authentication (cloud-based only)
    • Single sign-on with Federated Services (smart cards, password expiry notifications, on-premises MFA)
  • If not all the users must be synchronized to Azure AD, Azure AD Connect supports filtering at the domain, organizational unit, attribute, or group level.

  • Filter the AD scope to only include objects that need to be in Azure AD

  • Large directories take a considerable time to import. Currently, Azure AD throttles write operations to 84,000 per hour so you need to allow adequate time for a full sync to occur.

  • Monitor and configure alerts using the Azure AD Connect Health portal in Azure

Azure Active Directory Hybrid Identity Design Considerations

Azure AD Connect sync: Understand and customize synchronization

Connect Azure Active Directory to Citrix Cloud

What is hybrid identity with Azure Active Directory?

Design Decision: User Migration Considerations

In this article