Cloud + Same Sign On Configuration

This is suitable for organisations where Windows 10/11 devices can be deployed and managed in the NHSmail Intune tenant with Local Active Directory User Identity enhancements. The Cloud + Same Sign On Track is recommended for organisations with:

• A reliance upon on-premises user authentication to resources
• Minimal AD Group Policy and device configuration requirements
• Applications and resources relying on user identity authentication

This track is provisioned through Intune Autopilot and has connectivity through AAD Join with the ability to access NHS.net Azure AD and NHSmail Cloud Services. In addition to the services for a ‘Cloud Only’ device mentioned previously, Same Sign On Sync allows the user to access print, storage, folders, and apps & services (without needing an on-premises AD Domain-joined device).

Benefits

ü Same Sign On to Local Organisation AD (apps and resources) for end users via on-premises AD User authentication

ü Improved device estate security via defined baselines

üCentralised Intune platform with preserved local autonomy

üSame Sign On to NHSmail Cloud apps for end users

üRemote, cloud management of all devices  or MECM ‘co-management’

 

The architecture for the cloud and Same Sign On track is illustrated in the following thumbnail. Please click to enlarge the view.

 

Cloud + Same Sign On Track Setup  

This section explains the technical steps to be implemented for the Cloud + Same Sign On Track.

A Service Request is to be raised by an organisation wanting to onboard Windows 10 & 11 devices via the Cloud + Same Sign On Track.

• Organisations are required to carry out several pre-requisite activities before raising a Service Request.
• Organisations are required to carry out several provisioning activities after raising a Service Request.

Pre-requisite Activities  

 

The following process flow outlines the pre-requisite activities to be completed by each organisation. Please click to enlarge the view

 

Local Administrators will be required to confirm that the pre-requisite activities have been completed before the Service Request can be submitted. The declaration questions are below:

• Has your organisation onboarded to NHSmail Intune?
• Is TANSync, BDS Solution or Microsoft Identity Manager (MIM) in place at your organisation?
• Is Same Sign On configured at your organisation?
• Is there a dedicated Domain Controller configured for use as part of the Cloud + Same Sign On Track and Hybrid Track setup?

The below table outlines the pre-requisite activities in more detail. Please ensure that each activity is properly assessed, and necessary actions planned. If a Service Request is raised and one or more of the pre-requisite activities is not complete, the Service Request will be closed, and the LA will be directed to re-submit once they are in place.

Pre-Requisite Activity	Detail	Owner
Configure / check custom identity solution  (i.e., TanSync / MIM / BDS)	Description There is a requirement for a custom identity solution to support user provisioning via the NHSmail Portal and API. TANSync is an Identity Management Solution provided by NHSmail which enables organisations to synchronise local people identities and contacts with the NHSmail API. Impact  If not enabled prior to the adoption of the Hybrid SyncEngine, synchronization of objects and identities to Azure AD Nhs.net will not take place. What action do I need to take? There is a dedicated team that supports Tansync configuration. LA’s are responsible to engage the support team to complete this pre-requisite. Guidance for Tansync and connector can be found in Tansync and Connectors – NHSmail Support Other synchronisation tools can be used such as MIM / BDS.	Organisation
Configure / check Same Sign On	Description Ensure the Same Sign On solution is enabled for your organisation to provide simple password management for users by ensuring the bi-directional synchronisation of passwords between NHSmail and your organisations local active directory. Impact  If the Same Sign On solution is not configured prior to the Hybrid onboarding, it will prevent the: Ability to use the same password when accessing local workstations, NHSmail services, applications using NHSmail single sign on and Azure Active Directory Application of a single Password Policy for both NHSmail and Local AD Alignment of password expiry dates between NHSmail and Local AD What action do I need to take? There is a dedicated team that supports Same Sign On configuration. LA’s are responsible to engage the support team to complete this pre-requisite. General Guidance for Same Sign On found in the Same Sign On Onboarding Guide.	Organisation
Stand up a Dedicated AD Domain Controller (DC)	Description  A specific DC is required to allow Hybrid operations. A server must be built with global catalogue and infrastructure master roles in readiness for connectivity to a secure edge/VLAN. Impact  Without the DC pre-provisioned, Hybrid Setup will be delayed due to replication and presentation issues. Once the Service Request is raised, the DC connectivity steps will be shared by the Intune Live Service Team. What action do I need to take? Each organisation is responsible for provisioning a server or VM to host the DC roles and ensure that the DC can replicate roles and directory functions within the organisations domain/forest.	Organisation

Once the pre-requisite activities have been completed, please progress to reviewing the below provisioning activities and completing the Service Request.

Provisioning Activities  

The following process flow outlines the high-level provisioning activities that must be completed. Please click to enlarge the view

 

Guidance will be provided by the Intune Live Service Team for each activity, however, please ensure your organisation has the correct technical resources available to action the following high-level activities.

Provisioning Activity	Description	Owner
Configure and validate VPN Connectivity and firewall rules	Local Administrators should configure a VPN appliance to provide a tunnel endpoint for the Cloud + Same Sign On Track to ensure that the required ports are open for key protocols.	Organisation
Configure Hybrid VLAN and DC IP	Based on the information disclosed in the Cloud + Same Sign On Track and Hybrid Track Service Request, the Local Administrator should configure an Edge or DMZ VLAN to host the Domain controller and allocate an IP for that host.	Organisation
Validate Internal Active Directory Replication with Hybrid Domain Controller	Once presented to the Edge VLAN, the Domain Controller should be validated for internal domain consistency and directory replication.	Organisation
For Hybrid User – Add Users to TANSync OU	Local Administrators will add users to a specified OU to enable Cloud + Same Sign On Track functionality.	Organisation
Add DNS Conditional Forwarder	Local Administrators will add the NHSmail DNS resolvers to existing AD DNS servers to enable DNS query forwarding.	Organisation and Intune Live Service Team
Add Forest Trust for Local Org	Local Administrators will work with NHSmail Live Service Team to enable an External Forest Trust from their AD to the Hybrid AD infrastructure.	Organisation and Intune Live Service Team
Add SyncEngine Account Delegation for Local Org AD OU’s	Local Administrators will provide an AD Delegation via the forest trust to support the LDAP functionality of the solution.	Organisation and Intune Live Service Team
Test end-to-end Functions	Local Administrators will work with the Hybrid Infrastructure provisioning teams to validate the end-to-end functions, including connectivity, devices, and users.	Organisation and Intune Live Service Team

CLICK HERE for Windows Deployment and Migration next steps!

Last Reviewed Date

19/03/2024