Dynamic Environment Manager Integration with OneDrive for Business

Overview

The adoption of cloud storage has been quick. Users expect to access their documents from anywhere and continue working on them, no matter what device or location they are using. They also expect to have the same user experience on any device. When they choose their favorite holiday picture as wallpaper or configure their personal email signature, those personal settings should follow the user to any device, just as their documents do.

An integration between VMware Dynamic Environment Manager (DEM) and OneDrive for Business has been developed. It is now possible to store DEM personal profile settings on OneDrive, making the DEM profile cloud-native and available on any device.

Use case: any Horizon VDI Windows desktop, physical Windows PC, or DAAS Windows desktop

One of the trends we see with customers is the move to cloud. Specifically, Office 365 has already been adopted by many of our customers. This paved the way for moving personal data and documents to the cloud, by leveraging OneDrive for Business. And because this has almost become the standard, we get regular customer requests asking if it is possible to leverage OneDrive to store the DEM user profiles. This brings a couple of benefits because you can access the DEM profile from any location, which allows easy roaming from on-prem to cloud or between public clouds. Another benefit is that customers can get rid of SMB shares and expensive VPN clients.


Figure: Logical overview of the Dynamic Environment Manager infrastructure, showing how OneDrive for Business can replace the SMB file share for the user profiles

The DEM user profile can now follow the user to any Windows PC, whether that is running on-premises or in any cloud. This allows for fast disaster recovery and easy scale-out scenarios, even across multiple cloud vendors.

Purpose

With the release of DEM 2111, support for OneDrive for Business has been added. This operational tutorial will show you how to configure the complete authentication flow to enable the DEM agent to store DEM user profiles on OneDrive for Business. Videos are also included to demonstrate the steps.

Audience

This operational tutorial is intended for IT administrators and product evaluators who are familiar with VMware Dynamic Environment Manager and VMware Workspace ONE Access. Familiarity with (Azure) Active Directory, identity management, and Office 365 is assumed. Knowledge of other technologies, such as VMware Horizon, is also helpful.

Configuring Dynamic Environment Manager to Store User Profiles on OneDrive

This exercise helps you to configure Dynamic Environment Manager to store user profiles on OneDrive for Business. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the steps in this exercise, you must have a Workspace ONE Access tenant and install and configure Dynamic Environment Manager, except for the Profile Archive share and the agent installation and configuration. The steps are covered in this operational tutorial.

In addition to the previous requirements, you must also have a working Azure AD and Office 365 environment.

  • The current integration requires an on-premises Active Directory federation with Azure AD and silent authentication to OneDrive for Business. Federation can be done with ADFS or with a third-party identity provider like Workspace ONE Access.
  • To generate the OneDrive access token for the logged-in user, on-premises Active Directory must synchronize the directory with Azure AD using AADConnect.
  • The Azure AD tenant administrator needs to provision the “DEM Azure AD Multi-Tenant App” (one-time action).

The required authentication flow that must be configured is shown in the next Figure.


Figure: Authentication flow required for DEM to store user profiles on OneDrive

For this guide, Workspace ONE Access will be used for federation, to show that this can be done with VMware technology and because ADFS is already documented extensively on the Internet.

On-premises AD Directory Sync with Azure AD using AADConnect Tool

The first step is to synchronize the on-premises AD directory with Azure AD using the AADConnect tool so that Azure AD has the on-prem AD user details. Both federation and the AD directory sync are required so that the DEM agent can connect to the correct user's OneDrive account.

Custom installation of Azure Active Directory Connect has background information on the steps needed to configure the Azure AD Connect app to synchronize user accounts.

Perform the following steps:

  1. Download the Microsoft Azure Active Directory Connect installer, start the installation and select Customize.
  2. Select Password Hash Synchronization as the sign-on method and enable the single sign-on option.
  3. Authenticate to Azure AD with an account that has the correct permissions.
  4. Connect to the on-prem AD and select to use an existing service account or let the installer create a new account.
  5. Select the on-premises attribute userPrincipalName to use as the Azure AD username.
  6. From a security standpoint, it is a best practice to only synchronize the OU that contains the user accounts that are required in Azure AD.
  7. Select the mS-DS-ConsistencyGuid attribute to uniquely identify users in Azure AD.
  8. Enable Password writeback as an optional feature to keep passwords in sync.
  9. Provide the credentials for an on-premises Domain Administrator account to enable single sign-on and complete the installation.

The following video demonstrates this procedure:


On-premises AD Federation with Azure AD


For single sign-on, Workspace ONE Access is the identity provider and allows Office 365 to trust the Workspace ONE Access service for authentication to Office 365 apps. To use single sign-on to access these Office 365 applications, the Office 365 domain must be changed from ‘managed’ to ‘federated’. This means that the on-premises Active Directory will be federated with Azure AD to support silent authentication to OneDrive for Business.

Perform the following steps:

  1. Log in to the Workspace ONE Access admin console and get the SAML-signing certificate by navigating to Resources > Settings > SAML Metadata and copy the certificate to the clipboard.
  2. Paste the certificate into Notepad and remove any spaces and the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
  3. Confirm that the MSOnline PowerShell module is installed. Open an elevated PowerShell prompt and run the command Connect-MsolService to authenticate and connect to Azure AD.
  4. Run the following command to enable the federation:
    Set-MsolDomainAuthentication -Authentication Federated -DomainName domainxxx.com -IssuerUri tenantxxx.vmwareidentity.com -FederationBrandName Domainxxx -PassiveLogOnUri https://tenantxxx.vmwareidentity.com:443/SAAS/API/1.0/POST/sso -ActiveLogOnUri https://tenantxxx.vmwareidentity.com:443/SAAS/auth/wsfed/active/logon -LogOffUri https://login.microsoftonline.com/logout.srf -MetadataExchangeUri https://tenantxxx.vmwareidentity.com:443/SAAS/auth/wsfed/services/mex -SigningCertificate {paste the trimmed down certificate from Notepad here}
  5. Use the Get-MsolDomain command to check that the domain now reports Federated authentication.
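The federation steps above, as an added PowerShell example that is not part of the original tutorial: it trims the PEM armour from the exported Workspace ONE Access signing certificate, validates it, runs the same Set-MsolDomainAuthentication call, and then verifies the result. The domain name, tenant hostname and certificate file path are placeholders and must be replaced.

```powershell
# Added example (not from the original tutorial). Placeholder values below
# must be replaced with the customer's own domain, Access tenant and file path.
$DomainName   = 'domainxxx.com'                   # placeholder: domain to federate
$AccessTenant = 'tenantxxx.vmwareidentity.com'    # placeholder: Workspace ONE Access tenant
$CertPath     = 'C:\Temp\ws1access-signing.cer'   # placeholder: PEM text copied from SAML Metadata

# Strip the BEGIN/END lines and all whitespace; the cmdlet expects only the base64 body.
$SigningCert = (Get-Content -Path $CertPath -Raw) `
    -replace '-----BEGIN CERTIFICATE-----', '' `
    -replace '-----END CERTIFICATE-----', '' `
    -replace '\s', ''

# Fail early if the trimmed value is not a parseable X.509 certificate, before touching the tenant.
$null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($SigningCert))

Import-Module MSOnline
Connect-MsolService

# Endpoint URLs follow the pattern shown in the tutorial; ${...} avoids the "$var:" scope parsing trap.
$Base = "https://${AccessTenant}:443/SAAS"
Set-MsolDomainAuthentication -DomainName $DomainName `
    -Authentication Federated `
    -IssuerUri $AccessTenant `
    -FederationBrandName ($DomainName.Split('.')[0]) `
    -PassiveLogOnUri "$Base/API/1.0/POST/sso" `
    -ActiveLogOnUri "$Base/auth/wsfed/active/logon" `
    -LogOffUri 'https://login.microsoftonline.com/logout.srf' `
    -MetadataExchangeUri "$Base/auth/wsfed/services/mex" `
    -SigningCertificate $SigningCert

# Verify: Authentication must read 'Federated' and the stored certificate must match what was sent.
Get-MsolDomain -DomainName $DomainName | Select-Object Name, Authentication, Status
$Fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if ($Fed.SigningCertificate -ne $SigningCert) {
    Write-Warning "Signing certificate stored in Azure AD does not match the trimmed certificate."
}
```

Changing a domain from managed to federated affects every user in that domain, so run this in a test tenant or maintenance window first.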

After the federation has been established, the DEM permissions need to be set. A DEM user must not be able to access another user's OneDrive root folder. In the case of OneDrive, access to another user's OneDrive root is restricted by the delegated permission on the Azure AD App.

This Azure AD multi-tenant App is hosted in the VMware tenant, and the customer must provision the app to the customer tenant and consent to it. The app has the delegated File.ReadWrite permission, which means it acts with the effective file access permissions of the logged-in user only.

The app provisioning to the customer tenant is a one-time activity and this needs tenant administrator credentials. Perform the following steps:

  1. The first step is to get your Azure AD Tenant ID. This ID can be found in the Azure Admin Portal at the Azure Active Directory > Overview page.
  2. Go to this URL to provision the Dynamic Environment Manager Azure AD app https://login.microsoftonline.com/{customer tenant-id}/adminconsent?client_id=c504654f-97ac-4e31-ba2c-d8cb284bb948 and replace {customer tenant-id} with the ID found in step 1.
  3. Authenticate with an administrator account of the Azure tenant and click Accept to install the app.
  4. Verify if the DEM app was installed successfully by checking the installed Enterprise Applications in the Azure portal.

The following video demonstrates this procedure:

For more information, see Workspace ONE Access integration with Office 365.

Configure Workspace ONE Access

Now, the Workspace ONE Access tenant can be configured to support seamless single-sign-on. This requires a couple of changes on the Workspace ONE Access side:

  1. Install the Workspace ONE Access Connector.
  2. Add the Active Directory as an identity directory for Workspace ONE Access.
  3. Add the Kerberos connector as an Authentication Method.
  4. Add the Office365 with Provisioning app to Workspace ONE Access.
  5. Change the Access Policy to use the Kerberos authentication when needed.

The Kerberos Auth service requires inbound connectivity while the other services do not. This means that the VDI desktops running DEM need a line of sight to this connector hosted on an internal server.

Alternatively, the Kerberos service (port 443) can be published publicly, but this is not recommended from a security standpoint. To support desktops from the Internet, a better option is to use the VMware Tunnel VPN to allow TCP port 443 to the Kerberos service. The Tunnel would need to be connected pre-logon, which can be achieved with the custom config: <StartTunnelPreLogon>true</StartTunnelPreLogon>. Without it, the OneDrive profile will not download at logon.

Perform the following steps:

  1. The Workspace ONE Access Connector needs to be installed and connected. Installing Workspace ONE Access Connector describes the required steps in detail.
  2. After the connector is installed, the Active Directory can be added using the Workspace ONE Access admin console. Navigate to Integrations > Directories, click Add Directory, and select Active Directory.
    1. See Integrating Active Directory with Workspace ONE Access for the required steps.
  3. Because the Kerberos Authentication will only be used by internal computers, let’s define a Network Range that identifies those internal computers. Navigate to Resources > Policies and click Network Ranges. Add a network range that contains the internal IP addresses of the computers and name it.
  4. Now, Kerberos authentication can be added to Workspace ONE Access. First, the Kerberos Connector Authentication Method must be added. In the Access Admin Console, navigate to Integrations > Connector Authentication Methods, click New, and select Kerberos.
    1. If you have multiple Kerberos Auth services installed behind a load balancer, make sure to set the Enable Redirect slider to Yes.
  5. Now the Kerberos Identity Provider can be added to Access. Navigate to Integrations > Identity Providers, click Add Identity Provider and select Create Workspace IDP.
    1. Under Network, select the internal IP range defined.
    2. IdP hostname should contain the FQDN of the (load-balanced) Kerberos Auth Service.
    3. For details, see Configuring Kerberos Authentication in Workspace ONE Access.
  6. To allow Office 365 and OneDrive for Business to use the newly created federation, an app needs to be added to Workspace ONE Access to enable single sign-on. In the Access Admin Console, go to Resources and click New to add a new SaaS Application. Search for 365 and select the Office365 with Provisioning app from the list.
    Follow the installation wizard and under Application Parameters add the tenant and issuer values. The tenant should contain the federated domain name, and issuer should contain the URL of the Workspace ONE Access tenant. Click Next and assign the application to an existing or new Access Policy. Click Save & Assign to assign the application to your Office365 users.
  7. To enable computers to use the Kerberos Authentication, the Workspace ONE Access Policies must be changed. In the Access Admin Console, navigate to Resources > Policies and either edit the default_access_policy_set or create a new policy.

The following video demonstrates this procedure:

For more information about the Kerberos Authentication service, watch this video by expert Peter Bjork: https://youtu.be/RalPRWBHOww

Configure DEM Agent

As the last step, the DEM agent must be installed and configured. The DEM agent must be version 2111 or newer to support the integration with OneDrive.

In this example, the DEM agent will be configured in NoAD mode, but the same functionality is available when the DEM agent gets configured through a GPO.

For non-ADFS deployments (like Workspace ONE Access), the customer must specify the domain name. This allows the DEM agent to pass the domain name to Azure AD as a domain hint so that the login to OneDrive can be seamless.

This tutorial assumes DEM is already installed and configured in NoAD mode.

Perform the following steps:

  1. Make the following changes to the NoAD.xml file:
    1. Add the line OneDriveEnabled="1" to enable the integration
    2. Enter a log directory location inside the user profile. For example OneDriveLogDirectory="%LOCALAPPDATA%\OneDriveLog"
    3. For non-ADFS federation, the Integrated Windows Authentication (IWA) needs to be disabled. To enable using Interactive Authentication instead, add the line IsIWA="0"
    4. For non-ADFS federation, it’s mandatory to configure the Domain Hint so that the login to OneDrive can be seamless. Add the line DomainHint="your-domain.tld"
  2. Install the DEM agent on Horizon VDI desktops.
  3. Add the URL for the Kerberos Connector to the Local Intranet Zone, to enable seamless authentication. The GPO setting to configure this can be found in:
    1. User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List
    2. For details, see Configuring your Browser for Kerberos Authentication in Workspace ONE Access.
  4. Finally, log in to a virtual desktop to test.

The following video demonstrates this procedure:

For more information, see Configuring OneDrive for Business Integration.

Best Practices

Configuring time synchronization on all Workspace ONE Access service and connector instances is required for a Workspace ONE Access deployment to function correctly. Set up time synchronization using an NTP server.

Make sure the authentication to OneDrive is seamless. This can be tested by browsing to https://portal.office.com or to the URL of the Workspace ONE Access portal. Authentication should happen without any additional clicks or prompts for usernames and passwords.

Notes:

  1. MFA and Azure AD conditional access are not supported.
  2. Add the Kerberos Connector URL to the IE Intranet zone to make sure that the Kerberos Connector gets trusted, and authentication happens seamlessly.
  3. Change these two checkboxes in the Workspace ONE Access setup to enable seamless login:
    1. Disable Show the System Domain on the login page
    2. Enable Hide “Change to a different domain” link on the login page

Summary and Additional Resources

Now that DEM is configured to store user profiles in OneDrive for Business cloud, users can roam to any Windows desktop and maintain their personal experience. This offers a great user experience and makes migration to Windows 11 or a DAAS solution easy and painless for both the IT department and the users.

Additional Resources

For more information about Dynamic Environment Manager or Workspace ONE Access you can explore the following resources:

Changelog

The following updates were made to this guide:

Date          Description of Changes
2022/07/11    • Initial publication

About the Author

Pim van de Vis is a Senior Solutions Architect at VMware. Pim has years of experience with different IT infrastructures and focuses on VMware End-User Computing (EUC) products Workspace ONE and Horizon. In his current role as Subject Matter Expert, he works a lot with Workspace ONE UEM, helping customers with the transition to Windows 10 Modern Management.

You can reach Pim on Twitter: @pimvandevis

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com
