1. The often overlooked gems in Azure AD
Peter Selch Dahl – Azure MVP – I’m ALL Cloud First
- Azure AD Domain Services, Azure AD App Proxy, Azure AD Managed Service Identity
2. Microsoft MCSA: Cloud Platform - Certified 2018,
Microsoft MCSA: Office 365 - Certified 2018,
Microsoft MCSE: Cloud Platform and Infrastructure - Certified 2018,
Microsoft MCSA: Windows Server 2016,
Microsoft MCSA: Windows Server 2012,
Microsoft MCITP: Server and Enterprise Administrator 2008,
Microsoft MCSA: Windows Server 2008,
Microsoft MCSA/MCSE 2003: Security,
Microsoft MCSA/MCSE 2000: Security,
VMware Certified Professional VI3/VI4/VI5,
CompTIA A+, Network+,
EC-Council: Certified Ethical Hacker (CEH v7),
And more
Peter Selch Dahl
Freelance Cloud Architect, Azure MVP
Twitter: @PeterSelchDahl
www: www.peterdahl.net
Blog : http://blog.peterdahl.net
Mail : psd@apento.com
3. • Azure AD Domain Services
• Azure AD App Proxy
• Azure Managed Service Identity
8. Azure
Subscribe to SaaS applications
• Switch to using SaaS versions of the app, e.g. Office 365
• Leverage Azure AD for SaaS app management
• SaaS application gallery
• Easy provisioning, conditional access control
Rewrite existing applications
• Rewrite apps to leverage Azure PaaS
• Leverage Azure AD
• OAuth/OpenID Connect for modern authz.
• Ubiquitous developer libraries.
• Graph API – modern directory API
‘Lift-and-shift’ on-premises applications to IaaS
• Move existing legacy ISV/LOB apps to Azure
• May not have access to source code or vendor support.
9. Highly available domain.
Domain controllers are patched automatically.
Secure, locked-down domain – compliant with AD deployment best practices.
Fault resilience of Azure.
Automatic health detection & remediation.
Automatic backups for disaster recovery.
No need to monitor replication to DCs.
10. …
Users, group memberships and passwords are synced from your Azure AD tenant.
Simple to deploy
• Cloud-only directories – no additional sync/replication software needed!
• Federated/synced directories – simply leverage your existing Azure AD Connect deployment.
[Diagram: automatic background sync to your managed domain; users, groups, passwords and SIDs are synced to Azure AD]
11. …
[Diagram: Contoso’s workloads/apps in Azure IaaS; Virtual network; Managed domain available in your Azure VNet; Azure AD Connect; Automatic background sync to your managed domain]
13. Microsoft Identity: Bridging the GAP
FEBRUARY 10, 2019
@EWUGDK
[Diagram labels: Intune; Windows Server Active Directory; Microsoft Azure Active Directory; SSO; Token; OneDrive, Office 365, Dynamics; Kerberos Ticket; PRT; TGT]
15. Azure AD Join vs. Azure AD Domain Services
                          | Azure AD Join                                        | Azure AD Domain Services
Authentication            | OAuth/OpenID Connect                                 | Kerberos, NTLM
Management                | Mobile Device Management (MDM) software like Intune  | Group Policy
Networking considerations | Works over the internet                              | Requires machines to be on the same virtual network as the managed domain; virtual network peering or site-to-site VPNs can extend connectivity
Great for …               | Windows 10 devices                                   | Server virtual machines deployed in Azure
16. …
[Diagram: Contoso’s workloads/apps in Azure IaaS; Virtual network]
• Domain-join your Azure IaaS virtual machines – Windows Server and Linux
• Use your corporate credentials to log in to VMs
• No need for local administrator accounts
• Use Group Policy (built-in GPO for the computers container) to manage & secure domain-joined VMs.
18. • Lift-and-shift IWA apps/websites to Azure IaaS VMs joined to the AAD-DS domain.
• Deploy App Proxy connectors on Azure IaaS VMs joined to the AAD-DS domain.
• Modernize the app by delivering MFA & conditional access control.
• Use resource-based KCD to enable connectors to authenticate users.
[Diagram: App Proxy connectors access the application in the context of the user]
19. Feature | Azure AD Domain Services | 'Do-it-yourself' AD in Azure VMs
Managed service | Yes | No
Secured & locked-down deployment | Yes | Needs to be secured
DNS server | Yes (managed service) | Yes
Domain or Enterprise administrator privileges | No | Yes
Domain join | Yes | Yes
Domain authentication using NTLM and Kerberos | Yes | Yes
Custom OU structure | Yes | Yes
Schema extensions | No | Yes
AD domain/forest trusts | No | Yes
LDAP read | Yes | Yes
Secure LDAP (LDAPS) | Yes | Yes
LDAP write | No | Yes
Group Policy | Yes | Yes
Geo-dispersed deployments | No | Yes
More information: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-comparison
23. Remote Access as a Service
Easy to deploy and operate: minimal on-prem footprint
Secure remote access to business applications with zero DMZ on-prem infrastructure deployment and no network infrastructure change.
Deep integration with Azure Active Directory
Richness of AAD capabilities and experiences: IW access panel discovery and SSO, central application management across SaaS and on-prem, machine learning traffic analysis, multifactor authentication, analytics and reporting.
Available for AAD Premium customers.
More secure for the business: pre-DMZ protection
All security verifications are done outside of the organization's premises, at cloud scale.
DDoS attacks will not affect your business.
24. How it works
[Diagram: On-premises network with an Expense App and a Benefits App, each behind a Connector; Microsoft Azure hosting the Azure AD Application Proxy Service with a Request/Response Queue; external URL https://benefits-contoso.cwap.net]
25. Remote Access as a Service
• Connectors are deployed on corpnet
• Multiple connectors can be deployed for redundancy and scale
• The connector auto-connects to the cloud service
• The user connects to the cloud service, which routes their traffic to the resources via the connectors
[Diagram: Azure Active Directory; Corporate Network; DMZ; https://intranet-name.msappproxy.com → http://intranet]
26. Traditional Remote Access – VPN / Reverse Proxy
• Not a real security boundary: customers have low-level access to resources. Trust in the device is implied.
• Requires client installation & configuration
• Supports legacy client/server apps
• Usually hardware-based deployment
• Needs to be deployed in the DMZ, usually multi-site
[Diagram: Corporate Network; DMZ]
29. Protect your keys and secrets!
In-code passwords: BAD – Azure Key Vault: Better – MSI: BEST
30. Managed identities for Azure resources
Automatically managed service principals in Azure Active Directory, exclusively dedicated to Azure service instances.
They enable Azure workloads to authenticate to cloud services*, without needing credentials in code.
31. Analogy
Accessing resource (Virtual Machine, App Services, Functions, etc.) → target service (Azure Storage, Key Vault, Resource Manager, etc.)
Keys = SAS keys, username and password, etc.
Built-in garage door opener = System assigned managed identity (one resource)
Hand-held garage door opener = User assigned managed identity (shared between multiple resources)
32. The bigger picture…
[Diagram: Application / script on an Azure VM, App Service, Function, etc. → MSI Endpoint / Id Object → Azure Active Directory: Get token]
34. Managed identity provisioning (Example using a VM)
1. Azure Resource Manager is the orchestrator. Supported via: Portal, PowerShell, CLI, Template, REST and Azure SDKs.
2. Service Principal gets created in Azure AD. These are treated as special service principals, which belong to a Managed Identity.
3. Service Principal details are given to the Compute Resource Provider. The resource is created/updated with the identity details.
4. Managed Identity (service principal) can be granted permissions via RBAC.
5. Code running inside the VM can request tokens via IMDS.
6. Managed Identity sub-system requests the actual token from Azure AD.
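Step 5 above is where application code meets the managed identity. The following Python is an added illustration (not the presenter's code) of how code on the VM forms the IMDS token request for a resource such as Key Vault, and of the two checks a caller should make on the returned token before using it: the audience matches the intended resource and the token is not expired. The endpoint, api-version, query parameters and the `Metadata: true` header are Azure's documented IMDS contract; the sample response, tenant and object ids are constructed and contain no real token.

```python
# Added illustration of the IMDS managed identity token flow, not the presenter's code.
# Endpoint, api-version, parameters and the 'Metadata: true' header follow Azure's IMDS contract.
import base64, json, time, urllib.parse, urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def build_token_request(resource, client_id=None):
    """(url, headers) for an IMDS token request. `resource` is the audience, e.g.
    https://vault.azure.net for Key Vault; `client_id` selects a user-assigned identity
    (omit for system-assigned). IMDS rejects requests without the Metadata header,
    which also defeats SSRF-style callers that cannot set custom headers."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}", {"Metadata": "true"}

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def check_token(response_json, expected_resource, now=None):
    """Parse the IMDS JSON body and confirm the token targets the intended resource and
    is unexpired. The JWT payload is read without signature verification (the resource
    server does that); this only prevents sending a wrong-audience or stale token."""
    now = time.time() if now is None else now
    body = json.loads(response_json)
    payload = json.loads(_b64url_decode(body["access_token"].split(".")[1]))
    if payload.get("aud") != expected_resource:
        raise ValueError(f"token audience {payload.get('aud')!r} != {expected_resource!r}")
    if int(body["expires_on"]) <= now:  # IMDS returns expires_on as a string of epoch seconds
        raise ValueError("token already expired")
    return {"token_type": body["token_type"], "aud": payload["aud"],
            "principal_oid": payload.get("oid"), "expires_on": int(body["expires_on"])}

def fetch_token(resource, client_id=None, timeout=2):
    """Live call; only succeeds on an Azure VM/App Service/Function that has an identity."""
    url, headers = build_token_request(resource, client_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
        return r.read().decode()

def _b64url(obj):  # encode a dict as a JWT segment, for the constructed sample below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample mimicking an IMDS response: placeholder tenant/object ids, dummy signature.
SAMPLE_EXP = 1_700_003_600
SAMPLE_RESPONSE = json.dumps({
    "access_token": ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
        _b64url({"aud": "https://vault.azure.net", "exp": SAMPLE_EXP,
                 "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
                 "oid": "11111111-1111-1111-1111-111111111111"}), "c2lnbmF0dXJl"]),
    "expires_on": str(SAMPLE_EXP), "resource": "https://vault.azure.net", "token_type": "Bearer"})
```

On a real VM, `check_token(fetch_token("https://vault.azure.net"), "https://vault.azure.net")` performs the full round trip; off-VM, `check_token(SAMPLE_RESPONSE, ...)` exercises the same parsing and checks against the constructed response.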
36. Access patterns using managed identities
1. Services that support Azure AD authentication
Azure Resource Manager
Azure Key Vault
Azure Data Lake
Azure SQL
Azure Event Hubs
Azure Service Bus
Azure Storage
Azure AD Graph API
2. Services that depend on Access Keys for authentication
Access keys stored in: Azure Key Vault or Azure Resource Manager
39. NAC at a glance
We are the world’s largest regional aircraft leasing company
[Infographic: Global leader in regional aircraft leasing and financing; focus on larger regional aircraft (70-130 seat segment); 518; 70+ customers in 47 countries – global presence and diversified client base; 21 years – long track record of consistent and profitable growth, consistently achieving high levels of profitability and ROE; BBB+ investment grade rating by Kroll Rating Agency; 7.8bn value of owned aircraft – leading lessor with ATR, Bombardier and Embraer; 250+ employees globally]
Owned by Denmark's 7 richest, EQT and KIRKBI (LEGO Group)
40. Azure Hybrid infrastructure at NAC before transition
[Diagram: Hyper-V High-Availability & Resiliency. Primary site: DirectAccess virtual machine, Service Manager virtual machine, Exchange virtual machine, Shamrock virtual machine, SAN (P1, P2). Replica site: Exchange replica virtual machine, Shamrock replica virtual machine, SAN (R1, R2). Replica traffic is sent/received over the LAN link]
Nordic Aviation Capital was one of the first companies in Denmark to establish a Microsoft hybrid cloud setup between the datacenter in Billund, Jutland, and Microsoft Azure in the summer of 2014. The goal was to bring the servers closer to the end-users and reduce latency.
• Running a classic Microsoft Windows Server 2012 R2 Hyper-V HA setup
• Using System Center 2012 R2:
  • Service Manager
  • Configuration Manager
  • Operations Manager
  • Virtual Machine Manager
• Microsoft DirectAccess multi-site setup
• Microsoft Distributed File System (DFS-R)
• Microsoft SQL servers
• Application servers
More than 70 servers in Azure & on-prem
41. Before the cloud native transition to Microsoft
Microsoft case story
Azure Datacenters used in hybrid:
• East US
• North Europe
• South East Asia
Main datacenter in Billund, Jutland
Case: https://www.slideshare.net/PeterDahl/customer-story-nac-the-journey-from-microsoft-hybrid-cloud-to-microsoft-native-cloud
42. After the completed transition to Microsoft Azure
Some of the SaaS applications used today.
43. After the completed transition to Microsoft Azure
[Diagram: sites in Billund, Toronto, Ireland, Fort Lauderdale and Singapore plus Open AP / Roaming users; Azure AD DS (legacy services: Shamrock, LaserNet OCR); 3rd-party SaaS (Printix, PeopleHR, etc.); all fronted by Azure Active Directory / Azure Conditional Access]
Simplified network design, distributed cloud services and a lot of happy users.
44. A shift in IT focus… Improving business productivity