5. Overview of Azure AD
Azure Apps
subscription 1
subscription 2
Azure AD is Microsoft’s multi-tenant, cloud based directory
and identity management service. Azure AD combines core
directory services, advanced identity governance, and
application access management.
7. Understanding the identity models
Azure / Azure / Azure /
Seamless Single Sign-OnPass-through authentication
8. Cloud identity
Pros:
Very Simple
No Servers on-premises
Single place for user management
No configuration on-premises
Cons:
Doesn’t support Win7 computer join
Doesn’t support computer management via GPO
Azure /
Azure /
9. Synchronized identity
Pros:
Simple
No big changes on-prem AD
On-prem is the user “master copy”
Users use the same password for on-premfor and
Azure resources (“Same SignOn”)
Cons:
Might need a new server or VM
2 places for user management*
Need to make sure the replication is always working
Azure AD
Connect
Azure /
13. Federated identity
Pros:
Full single sign-on
Audit all logons locally
On-prem AD does the authentication
Passwords don’t need to be synched
Better option for advanced scenarios
Immediate account disable and password changes
Supports sign-in restrictions by network location, client
or work hours.
Cons:
More Complex
Needs more servers
Needs Active Directory Federation Services (AD FS)
On-prem DCs, AD FS servers and internet link must be
highly available
Require a public certificate and solid domain name
Azure D
Connect
14. Federated identity - Authentication
The security token
contains claims about the
user, such as user name,
group membership, User
Principal Name (UPN), email
address, manager details,
phone number, and other
attribute values.
Azure Active Directory
Office 365
Azure Apps
Azure AD
Connect
Federation with Azure AD or O365
enables users to authenticate using
on-premises credentials and access
all resources in cloud.
19. Understanding the identity models
Azure / Azure / Azure /
Note:
Use the simplest identity model that meets your needs.
Is possible to switch between the models when needed
22. Introduction to Azure Active Directory
• Azure Active Directory (free)
• Azure Active Directory Basic
• Azure Active Directory Premium P1
• Azure Active Directory Premium P2
• Deploy Active Directory domain controllers on Azure
virtual machines
• Azure Active Directory Domain Services
23. Overview of Azure AD
• Microsoft-managed
• Multitenant by design
• Employs internet-friendly protocols
• Supports users, groups, applications, and devices
• Includes built-in MFA (Multi-factor Authentication) support
• No organizational units
• No support for GPOs
• No support for LDAP
• etc
24. Managing Azure AD users, groups, and devices
• Azure AD users:
• Cloud identities
• Directory-synchronized identities
• Management interfaces:
• Azure portal
• Windows PowerShell
• Office 365 admin Center
26. Azure AD free
• Is FREE
• Supports Single Sign On
• Supports on-prem AD replication with AD Connect
• Maximum 500,000 objects
• Managed by web interface or PowerShell
• Supports Windows 10 device registration
• Self-Service Password Change for cloud users
• Supports 'per user' or 'per authentication’ Multi-Factor
Authentication
• No SLA is provided for the Free tier of Azure Active Directory.
27. Azure AD Basic
• Self-Service Password Reset for cloud users,
• Company Branding (Logon Pages/Access Panel customization)
• SLA of 99.9 percent uptime
• No Object Limit
28. Azure AD Premium P1
• Self-service group and app management
• Automatic password rollover for group accounts
• Self-service password reset and account unlock with write-back
• Conditional Access based on device state (Allow access from managed
devices)
• Conditional Access based on group and location
• MDM (Mobile Device Management) auto-enrollment, Self-Service Bitlocker recovery,
Additional local administrators to Windows 10 devices via Azure AD Join,
Enterprise State Roaming
• Advanced security reports and alerts
• Enterprise SLA of 99.9 percent
• Multi-Factor Authentication
• Azure AD Connect Health
• Cloud App Discovery
• Dynamic groups
29. Azure AD Premium P2
• Azure AD Privileged Identity Management:
• Uses machine learning to understand what would be a normal operation, can detect
Impossible travel situations, IP addresses with suspicious behaviour, etc
• Enables on-demand, just-in-time administrative access
• Generates reports about administrator access history
• Azure AD Identity Protection:
• Monitors identity usage patterns
• Assigns risk levels to users
• Implements risk-based policies
• Privileges given are time-limited, MFA enforcement, etc
• Enterprise SLA of 99.9 percent
33. Planning to deploy Active Directory domain
controllers on Azure virtual machines
• Reasons for placing domain controllers in Azure:
• Keeping authentication requests from Azure-based services within Azure
• Extending on-premises Active Directory to Azure
• Enhancing resiliency of directory synchronization and federation deployments
• Deployment scenarios:
• AD DS in Azure
• AD DS in an on-premises infrastructure with cross-premises connectivity
• AD DS in an on-premises infrastructure and in Azure
34. Azure AD Domain Services
• Supports:
• LDAP
• Azure Active Directory domain join
• NTLM
• Kerberos
• Group Policy
• OUKey points:
• Avoids domain controllers in Azure
• Is highly-available service
• SLA —guarantee at least 99.9%
• Minimises the traffic from Azure VM to your on-prem DC
• You pay an hourly charge based on the size of your directory
• Supports your traditional directory-aware apps alongside your modern
cloud apps
• Must be connected to a VNET and has an IP, (client DNS)
• UPN format is recommended – Jackson@nh.ie instead nhackson
• Supports On-prem AD synchronization with Azure AD connect
35. Azure AD Domain Services – Replication
Azure AD and Azure AD Domain Services
36. Azure AD Domain Services – Replication
On-premises AD, Azure AD and Azure AD Domain Services
38. Azure AD Domain Services – Limitations
Limitations:
• Single managed domain serviced by Azure AD Domain Services for a
single Azure AD directory.
• Cannot use Azure AD Domain Services with federated Azure AD
• Cannot use Azure AD Domain Services with Pass-through
Authentication
• You cannot add domain controllers to the managed domain
• You cannot connect to domain controllers for the managed domain
using Remote Desktop.
• You are not granted Domain Administrator or Enterprise Administrator
privileges
• No control over the synchronization (+-20 minutes)
• You cannot pause the service to “pause” the Billing
• You cannot extend the schema
44. Pass-through Authentication - Configuration
Users from all managed domains in your tenant can sign in using Pass-through Authentication.
However, users from federated domains continue to sign in using Active Directory Federation
Services (AD FS) or another federation provider that you have previously configured. If you
convert a domain from federated to managed, all users from that domain automatically start
signing in using Pass-through Authentication. Cloud-only users are not impacted by the Pass-
through Authentication feature.
46. Seamless Single Sign-On
How to disable Pass-through Authentication?
Rerun the Azure AD Connect wizard and change the user sign-in method from
Pass-through Authentication to another method. This change disables Pass-
through Authentication on the tenant and uninstalls the Authentication Agent
from the server. You have to manually uninstall the Authentication Agents from
other servers.
48. Azure Active Directory Pass-through Authentication
with Seamless Single Sign-On
Uses Azure AD connect
AD FS is not needed
Installs an Agent on on-prem DCs
Needs 2 configurations on GPO
Creates a computer account for Azure AD on local AD domain
Allows your users to sign in to both on-premises and cloud-based
applications using the same passwords
Validates users' passwords directly against your on-premises Active
Directory
Good option for organizations that don't want to send users' passwords
outside
Integrated with self-service password management including password
writeback and password protection(banning commonly used passwords)
User sign-ins into Office 365 client applications that support modern
authentication - Office 2016, and Office 2013 with modern
authentication.
It’s free
49. Seamless Single Sign-On - Configuration
Users from all managed domains in your tenant can sign in using Pass-through Authentication.
However, users from federated domains continue to sign in using Active Directory Federation
Services (AD FS) or another federation provider that you have previously configured. If you
convert a domain from federated to managed, all users from that domain automatically start
signing in using Pass-through Authentication. Cloud-only users are not impacted by the Pass-
through Authentication feature.