Understanding the identity models - Cloud identity - Synchronized identity. - Federated identity Introduction to Azure Active Directory Azure Active Directory Domain Services

1. Microsoft Official Course
Understanding
Azure AD

2. Jackson Felden
jackson.felden@nhireland.ie
https://www.linkedin.com/in/jacksonfelden/

3. Seminar outline
• Understanding the identity models
• - Cloud identity
• - Synchronized identity.
• - Federated identity
• Introduction to Azure Active Directory
• Azure Active Directory Domain Services

4. Microsoft Official Course
Understanding the identity
models

5. Overview of Azure AD
Azure Apps
subscription 1
subscription 2
Azure AD is Microsoft’s multi-tenant, cloud based directory
and identity management service. Azure AD combines core
directory services, advanced identity governance, and
application access management.

6. Understanding the identity models
Azure / Azure / Azure /

7. Understanding the identity models
Azure / Azure / Azure /
Seamless Single Sign-OnPass-through authentication

8. Cloud identity
Pros:
Very Simple
No Servers on-premises
Single place for user management
No configuration on-premises
Cons:
Doesn’t support Win7 computer join
Doesn’t support computer management via GPO
Azure /
Azure /

9. Synchronized identity
Pros:
Simple
No big changes on-prem AD
On-prem is the user “master copy”
Users use the same password for on-premfor and
Azure resources (“Same SignOn”)
Cons:
Might need a new server or VM
2 places for user management*
Need to make sure the replication is always working
Azure AD
Connect
Azure /

10. DirSync
Synchronization
Synchronization
"Same SignOn"
Synchronized identity - Authentication
Azure AD
Connect
Active Directory
Domain Controller
Azure Active Directory
Office 365
Azure Apps

11. Installing and configuring Azure AD Connect
• Use express settings for:
• Single Active Directory forest
• Default synchronization settings
• Use customized settings for:
• Multiple forests with duplicate identities
• Federation scenarios
• Custom synchronization settings, for example writeback
• Installing Azure AD Connect with express settings:
• Installs the synchronization engine
• Configures Azure AD Connector
• Configures the on-premises AD DS connector
• Enables password synchronization
• Configures synchronization services
• Configures synchronization services for Exchange hybrid deployment
(optional)

12. Azure AD Connect components

13. Federated identity
Pros:
Full single sign-on
Audit all logons locally
On-prem AD does the authentication
Passwords don’t need to be synched
Better option for advanced scenarios
Immediate account disable and password changes
Supports sign-in restrictions by network location, client
or work hours.
Cons:
More Complex
Needs more servers
Needs Active Directory Federation Services (AD FS)
On-prem DCs, AD FS servers and internet link must be
highly available
Require a public certificate and solid domain name
Azure D
Connect

14. Federated identity - Authentication
The security token
contains claims about the
user, such as user name,
group membership, User
Principal Name (UPN), email
address, manager details,
phone number, and other
attribute values.
Azure Active Directory
Office 365
Azure Apps
Azure AD
Connect
Federation with Azure AD or O365
enables users to authenticate using
on-premises credentials and access
all resources in cloud.

15. Federated identity - Authentication

16. Federated identity – High Availability
ISP1
ISP2

17. Federated identity – on Azure
AD Connect
AD FS
Proxy
AD FS
Server
AD FS
ServerDC
VPN
Gateway
DC VPN
On-premises
AD FS
Proxy

18. Federated identity – on Azure

19. Understanding the identity models
Azure / Azure / Azure /
Note:
Use the simplest identity model that meets your needs.
Is possible to switch between the models when needed

20. Microsoft Official Course
Demo:
Managing Azure AD users
and groups

21. Microsoft Official Course
Introduction to Azure
Active Directory

22. Introduction to Azure Active Directory
• Azure Active Directory (free)
• Azure Active Directory Basic
• Azure Active Directory Premium P1
• Azure Active Directory Premium P2
• Deploy Active Directory domain controllers on Azure
virtual machines
• Azure Active Directory Domain Services

23. Overview of Azure AD
• Microsoft-managed
• Multitenant by design
• Employs internet-friendly protocols
• Supports users, groups, applications, and devices
• Includes built-in MFA (Multi-factor Authentication) support
• No organizational units
• No support for GPOs
• No support for LDAP
• etc

24. Managing Azure AD users, groups, and devices
• Azure AD users:
• Cloud identities
• Directory-synchronized identities
• Management interfaces:
• Azure portal
• Windows PowerShell
• Office 365 admin Center

25. The table of Nines - SLA

26. Azure AD free
• Is FREE
• Supports Single Sign On
• Supports on-prem AD replication with AD Connect
• Maximum 500,000 objects
• Managed by web interface or PowerShell
• Supports Windows 10 device registration
• Self-Service Password Change for cloud users
• Supports 'per user' or 'per authentication’ Multi-Factor
Authentication
• No SLA is provided for the Free tier of Azure Active Directory.

27. Azure AD Basic
• Self-Service Password Reset for cloud users,
• Company Branding (Logon Pages/Access Panel customization)
• SLA of 99.9 percent uptime
• No Object Limit

28. Azure AD Premium P1
• Self-service group and app management
• Automatic password rollover for group accounts
• Self-service password reset and account unlock with write-back
• Conditional Access based on device state (Allow access from managed
devices)
• Conditional Access based on group and location
• MDM (Mobile Device Management) auto-enrollment, Self-Service Bitlocker recovery,
Additional local administrators to Windows 10 devices via Azure AD Join,
Enterprise State Roaming
• Advanced security reports and alerts
• Enterprise SLA of 99.9 percent
• Multi-Factor Authentication
• Azure AD Connect Health
• Cloud App Discovery
• Dynamic groups

29. Azure AD Premium P2
• Azure AD Privileged Identity Management:
• Uses machine learning to understand what would be a normal operation, can detect
Impossible travel situations, IP addresses with suspicious behaviour, etc
• Enables on-demand, just-in-time administrative access
• Generates reports about administrator access history
• Azure AD Identity Protection:
• Monitors identity usage patterns
• Assigns risk levels to users
• Implements risk-based policies
• Privileges given are time-limited, MFA enforcement, etc
• Enterprise SLA of 99.9 percent

30. Azure AD Premium P2 - Identity Protection

31. Azure AD Premium P2 - Identity Protection

32. Azure AD Premium P2 - Identity Protection

33. Planning to deploy Active Directory domain
controllers on Azure virtual machines
• Reasons for placing domain controllers in Azure:
• Keeping authentication requests from Azure-based services within Azure
• Extending on-premises Active Directory to Azure
• Enhancing resiliency of directory synchronization and federation deployments
• Deployment scenarios:
• AD DS in Azure
• AD DS in an on-premises infrastructure with cross-premises connectivity
• AD DS in an on-premises infrastructure and in Azure

34. Azure AD Domain Services
• Supports:
• LDAP
• Azure Active Directory domain join
• NTLM
• Kerberos
• Group Policy
• OUKey points:
• Avoids domain controllers in Azure
• Is highly-available service
• SLA —guarantee at least 99.9%
• Minimises the traffic from Azure VM to your on-prem DC
• You pay an hourly charge based on the size of your directory
• Supports your traditional directory-aware apps alongside your modern
cloud apps
• Must be connected to a VNET and has an IP, (client DNS)
• UPN format is recommended – Jackson@nh.ie instead nhackson
• Supports On-prem AD synchronization with Azure AD connect

35. Azure AD Domain Services – Replication
Azure AD and Azure AD Domain Services

36. Azure AD Domain Services – Replication
On-premises AD, Azure AD and Azure AD Domain Services

37. Azure AD Domain Services - Setup

38. Azure AD Domain Services – Limitations
Limitations:
• Single managed domain serviced by Azure AD Domain Services for a
single Azure AD directory.
• Cannot use Azure AD Domain Services with federated Azure AD
• Cannot use Azure AD Domain Services with Pass-through
Authentication
• You cannot add domain controllers to the managed domain
• You cannot connect to domain controllers for the managed domain
using Remote Desktop.
• You are not granted Domain Administrator or Enterprise Administrator
privileges
• No control over the synchronization (+-20 minutes)
• You cannot pause the service to “pause” the Billing
• You cannot extend the schema

39. Understanding the identity models
Azure / Azure / Azure /

40. Azure AD Domain Services - pricing

41. Microsoft Official Course
Azure AD Connect:
-Pass-through authentication
-Seamless Single Sign-On

42. Pass-through authentication

43. Pass-through authentication – Cloud App

44. Pass-through Authentication - Configuration
Users from all managed domains in your tenant can sign in using Pass-through Authentication.
However, users from federated domains continue to sign in using Active Directory Federation
Services (AD FS) or another federation provider that you have previously configured. If you
convert a domain from federated to managed, all users from that domain automatically start
signing in using Pass-through Authentication. Cloud-only users are not impacted by the Pass-
through Authentication feature.

45. Pass-through Authentication - Configuration

46. Seamless Single Sign-On
How to disable Pass-through Authentication?
Rerun the Azure AD Connect wizard and change the user sign-in method from
Pass-through Authentication to another method. This change disables Pass-
through Authentication on the tenant and uninstalls the Authentication Agent
from the server. You have to manually uninstall the Authentication Agents from
other servers.

47. Azure Active Directory Seamless Single Sign-On

48. Azure Active Directory Pass-through Authentication
with Seamless Single Sign-On
Uses Azure AD connect
AD FS is not needed
Installs an Agent on on-prem DCs
Needs 2 configurations on GPO
Creates a computer account for Azure AD on local AD domain
Allows your users to sign in to both on-premises and cloud-based
applications using the same passwords
Validates users' passwords directly against your on-premises Active
Directory
Good option for organizations that don't want to send users' passwords
outside
Integrated with self-service password management including password
writeback and password protection(banning commonly used passwords)
User sign-ins into Office 365 client applications that support modern
authentication - Office 2016, and Office 2013 with modern
authentication.
It’s free

49. Seamless Single Sign-On - Configuration
Users from all managed domains in your tenant can sign in using Pass-through Authentication.
However, users from federated domains continue to sign in using Active Directory Federation
Services (AD FS) or another federation provider that you have previously configured. If you
convert a domain from federated to managed, all users from that domain automatically start
signing in using Pass-through Authentication. Cloud-only users are not impacted by the Pass-
through Authentication feature.

50. Azure Active Directory Seamless Single Sign-On

51. Seamless Single Sign-On – GPO configuration

52. Seamless Single Sign-On – GPO configuration

53. Seamless Single Sign-On – Event Viewer

54. Azure Certification and Courses
Course 10979: Microsoft Azure Fundamentals
Course 20532: Developing Microsoft Azure Solutions
Course 20533: Implementing Microsoft Azure Infrastructure
Solutions
Course 20535: Architecting Microsoft Azure Solutions