This is suitable for organisations where Windows 10/11 devices can be deployed and managed in the NHSmail Intune tenant with Local Active Directory User Identity enhancements. The Cloud + SSO Track is recommended to organisations with:
- A reliance upon on-premises resources
- Minimal AD Group Policy and device configuration requirements
- Applications and resources relying on user identity authentication
This track is provisioned through Intune Autopilot and has connectivity through AAD Join with the ability to access NHS.net Azure AD and NHSmail Cloud Services. In addition to the services for a ‘Cloud Only’ device mentioned previously, SSO Sync allows the user to access print, storage, folders, and apps & services (without needing an on-premises AD Domain-joined device).
- SSO to Local Organisation AD (apps and resources) for end users via on-premises AD User authentication
- Improved device estate security via defined baselines
- Centralised Intune platform with preserved local autonomy
- SSO to NHSmail Cloud apps for end users
- Remote, cloud management of all devices or MECM ‘co-management’
The architecture for the Cloud + SSO Track is illustrated in the accompanying diagram.
Cloud + SSO Track Setup
This section explains the technical steps to be implemented for the Cloud + SSO Track.
A Service Request is to be raised by an organisation wanting to onboard Windows 10 & 11 devices via the Cloud + SSO Track.
- Organisations are required to carry out several pre-requisite activities before they raise the Service Request.
- Organisations are required to carry out several provisioning activities after they raise the Service Request.
The accompanying process flow outlines the pre-requisite activities to be completed by each organisation.
Local Administrators will be required to confirm that the pre-requisite activities have been completed before the Service Request can be submitted. The declaration questions are below:
- Has your organisation onboarded to NHSmail Intune?
- Is TANSync, BDS Solution or Microsoft Identity Manager (MIM) in place at your organisation?
- Is Same Sign On configured at your organisation?
- Is there a dedicated Domain Controller configured for use as part of the Cloud + SSO Track and Hybrid Track setup?
- Which setup are you planning to implement?
The table below outlines the pre-requisite activities in more detail. Please ensure that each activity is properly assessed and the necessary actions planned. If a Service Request is raised and one or more of the pre-requisite activities is not complete, the Service Request will be closed, and the LA will be directed to re-submit once they are in place.
| Activity | Description | What action do I need to take? |
|---|---|---|
| Configure / check custom identity solution (i.e., TANSync / MIM / BDS) | There is a requirement for a custom identity solution to support user provisioning via the NHSmail Portal and API. TANSync is an Identity Management Solution provided by NHSmail which enables organisations to synchronise local people identities and contacts with the NHSmail API. If not enabled prior to the adoption of the Hybrid SyncEngine, synchronisation of objects and identities to Azure AD NHS.net will not take place. | There is a dedicated team that supports TANSync configuration. LAs are responsible for engaging the support team to complete this pre-requisite. Guidance for TANSync and connectors can be found in Tansync and Connectors – NHSmail Support. Other synchronisation tools such as MIM / BDS can be used. |
| Configure / check Same Sign On | Ensure the Same Sign On solution is enabled for your organisation to provide simple password management for users by ensuring the bi-directional synchronisation of passwords between NHSmail and your organisation's local Active Directory. If the Same Sign On solution is not configured prior to the Hybrid onboarding, it will prevent the: | There is a dedicated team that supports Same Sign On configuration. LAs are responsible for engaging the support team to complete this pre-requisite. General guidance for SSO can be found in the Same Sign On Onboarding Guide. |
| Stand up a Dedicated AD Domain Controller (DC) | A specific DC is required to allow Hybrid operations. A server must be built with the Global Catalogue and Infrastructure Master roles in readiness for connectivity to a secure edge/VLAN. Without the DC pre-provisioned, Hybrid Setup will be delayed due to replication and presentation issues. Once the Service Request is raised, the DC connectivity steps will be shared by the Intune Live Service Team. | Each organisation is responsible for provisioning a server or VM to host the DC roles and ensuring that the DC can replicate roles and directory functions within the organisation's domain/forest. |
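The dedicated DC pre-requisite is easy to get partly right (a DC that exists but is not a Global Catalog, or that replicates intermittently). The following PowerShell script is an added example, not NHSmail's own tooling, that checks the three properties the pre-requisite names: Global Catalog, Infrastructure Master and healthy replication with every inbound partner. It needs the ActiveDirectory RSAT module on a domain-joined admin workstation; the DC hostname and the 24-hour staleness threshold are placeholders to replace with your own values.

```powershell
# Added example (not NHSmail's own tooling): verifies that the dedicated Hybrid DC
# is a Global Catalog, holds the Infrastructure Master role, answers on LDAP, and
# is replicating cleanly with all of its inbound partners.
# $DcName is an assumed placeholder; substitute the hostname of your dedicated DC.
param(
    [string]$DcName = 'HYBRID-DC01.corp.example.nhs.uk'   # placeholder, not a real host
)

Import-Module ActiveDirectory -ErrorAction Stop

$dc = Get-ADDomainController -Identity $DcName -ErrorAction Stop

# Inbound replication metadata for the default partition. A non-zero failure count
# or a stale LastReplicationSuccess is the kind of replication issue the guidance
# says will delay Hybrid setup.
$partners   = Get-ADReplicationPartnerMetadata -Target $DcName -ErrorAction Stop
$staleHours = 24   # assumed threshold; tune to your replication topology
$replHealthy = @($partners | Where-Object {
        $_.ConsecutiveReplicationFailures -gt 0 -or
        $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$staleHours)
    }).Count -eq 0

$checks = [ordered]@{
    'Is a Global Catalog'                   = [bool]$dc.IsGlobalCatalog
    'Holds Infrastructure Master role'      = ($dc.OperationMasterRoles -contains 'InfrastructureMaster')
    'Reachable on LDAP (TCP 389)'           = (Test-NetConnection -ComputerName $DcName -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    'Replication healthy with all partners' = $replHealthy
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    '{0,-40} {1}' -f $check.Key, $status
}

# Per-partner detail so a FAIL on replication can be traced to a specific partner.
$partners |
    Select-Object Partner, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult |
    Format-Table -AutoSize

# Non-zero exit code makes the script usable as a gate before raising the Service Request.
if (@($checks.Values) -contains $false) { exit 1 } else { exit 0 }
```

`Get-ADReplicationPartnerMetadata` reports only the default partition unless `-Partition` is given; pass `-Partition *` if you also want the Configuration and Schema partitions checked before the DC is presented to the edge VLAN.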
Once the pre-requisite activities have been completed, please progress to reviewing the provisioning activities below and completing the Service Request.
Guidance will be provided by the Intune Live Service Team for each activity; however, please ensure your organisation has the correct technical resources available to action the following high-level activities.
| Activity | Description | Responsibility |
|---|---|---|
| Configure and validate VPN Connectivity and firewall rules | Local Administrators should configure a VPN appliance to provide a tunnel endpoint for the Cloud + Same Sign On Track to ensure that the required ports are open for key protocols. | Organisation |
| Configure Hybrid VLAN and DC IP | Based on the information disclosed in the Cloud + SSO Track and Hybrid Track Service Request, the Local Administrator should configure an Edge or DMZ VLAN to host the Domain Controller and allocate an IP for that host. | Organisation |
| Validate Internal Active Directory Replication with Hybrid Domain Controller | Once presented to the Edge VLAN, the Domain Controller should be validated for internal domain consistency and directory replication. | Organisation |
| For Hybrid User – Add Users to TANSync OU | Local Administrators will add users to a specified OU to enable Cloud + Same Sign On Track functionality. | Organisation |
| Add DNS Conditional Forwarder | Local Administrators will add the NHSmail DNS resolvers to existing AD DNS servers to enable DNS query forwarding. | Organisation and Intune Live Service Team |
| Add Forest Trust for Local Org | Local Administrators will work with the NHSmail Live Service Team to enable an External Forest Trust from their AD to the Hybrid AD infrastructure. | Organisation and Intune Live Service Team |
| Add SyncEngine Account Delegation for Local Org AD OUs | Local Administrators will provide an AD Delegation via the forest trust to support the LDAP functionality of the solution. | Organisation and Intune Live Service Team |
| Test end-to-end Functions | Local Administrators will work with the Hybrid Infrastructure provisioning teams to validate the end-to-end functions, including connectivity, devices, and users. | Organisation and Intune Live Service Team |
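The provisioning activities above are a single procedure, and the final "test end-to-end functions" step is where a Local Administrator usually wants something repeatable. The following PowerShell script is an added example, not NHSmail's or the Intune Live Service Team's own tooling. Run from the dedicated Hybrid DC, it tests TCP reachability across the VPN for the ports commonly needed by an AD forest trust and LDAP (the port list is an assumption; confirm the real list with the Intune Live Service Team), creates the DNS conditional forwarder if it is missing and reads it back, lists the forest trust as configured, and counts the users present in the TANSync OU. Every address, zone name and OU path is a placeholder to be replaced with the values supplied in the Service Request response.

```powershell
# Added example (not NHSmail's own tooling). Validates the Cloud + SSO Track
# provisioning steps from the dedicated Hybrid DC. Requires the DnsServer,
# DnsClient and ActiveDirectory modules (present on a DC with RSAT installed).
# All values below are assumed placeholders.
$RemoteDc         = '10.0.0.10'                                   # placeholder: NHSmail Hybrid DC reached via the VPN
$NhsmailZone      = 'hybrid.example.nhs.uk'                       # placeholder: zone to forward to the NHSmail resolvers
$NhsmailResolvers = @('10.0.0.53', '10.0.0.54')                   # placeholder: NHSmail DNS resolver IPs
$TanSyncOu        = 'OU=TANSync,DC=corp,DC=example,DC=nhs,DC=uk'  # placeholder: OU that TANSync users are moved into

Import-Module DnsServer, ActiveDirectory -ErrorAction Stop

# 1. VPN / firewall: TCP handshake to the ports an AD forest trust and LDAP
#    delegation normally rely on. This list is an assumption, not NHSmail's.
$ports = [ordered]@{
    'DNS' = 53; 'Kerberos' = 88; 'RPC endpoint mapper' = 135
    'LDAP' = 389; 'SMB' = 445; 'LDAPS' = 636; 'Global Catalog' = 3268; 'Global Catalog SSL' = 3269
}
$portResults = foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $RemoteDc -Port $p.Value -WarningAction SilentlyContinue
    [pscustomobject]@{ Protocol = $p.Key; Port = $p.Value; Open = $r.TcpTestSucceeded }
}
'--- Port reachability to {0} ---' -f $RemoteDc
$portResults | Format-Table -AutoSize
$closed = @($portResults | Where-Object { -not $_.Open })

# 2. DNS conditional forwarder: create only if absent, then read it back and
#    confirm the zone actually resolves through it.
if (-not (Get-DnsServerZone -Name $NhsmailZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $NhsmailZone -MasterServers $NhsmailResolvers -ReplicationScope 'Forest'
}
'--- Conditional forwarder ---'
Get-DnsServerZone -Name $NhsmailZone | Select-Object ZoneName, ZoneType, MasterServers | Format-List
$soa = Resolve-DnsName -Name $NhsmailZone -Type SOA -ErrorAction SilentlyContinue

# 3. Forest trust: list what is configured so Direction, transitivity and
#    selective authentication can be reviewed against what was agreed.
'--- Forest trusts ---'
$trusts = Get-ADTrust -Filter * -ErrorAction SilentlyContinue
$trusts | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustType | Format-Table -AutoSize

# 4. TANSync OU population.
$ouUsers = @(Get-ADUser -SearchBase $TanSyncOu -Filter * -ErrorAction SilentlyContinue)
'--- {0} users in {1} ---' -f $ouUsers.Count, $TanSyncOu

# Summary for the end-to-end test record.
[pscustomobject]@{
    PortsClosed        = $closed.Count
    ForwarderResolves  = [bool]$soa
    ForestTrustsFound  = @($trusts).Count
    TanSyncOuUsers     = $ouUsers.Count
} | Format-List
```

When reviewing the trust output, the properties worth recording alongside the Service Request are `Direction` and `SelectiveAuthentication`: a one-way trust limited to the direction the solution needs, with selective authentication enabled, narrows which principals from the other forest can authenticate to resources in yours, which is the least-privilege shape to aim for once the LDAP delegation in the next activity is in place.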