2018-09-03 aOS Aachen - Azure AD Identity - Frank Küppers
1. | Fundamentals, options, best-practice approaches.
Centralised identity and access management in a hybrid environment with your on-premises Active Directory
Office 365 / Azure AD Identity Management (as a Service)
2. | 03.09.2018 Azure AD Identity - Frank Küppers
Released 2006/2009          Released 2010/2011
4. |
Identity Management
• SaaS apps
• Microsoft Azure
• Active Directory
• Other Directories
5. |
Identity as a service: core architecture
Diagram: on-premises and private cloud (Windows Server Active Directory, (Active Directory) Federation Services, HR, Other Directories, Sync, Devices) feeding Core Identity Management in the cloud, which serves SaaS apps, Custom apps and Other apps (10,000+ apps).
6. |
Azure Active Directory (Azure AD)
• Microsoft’s “Identity Management as a Service (IDaaS)” for organizations
• Millions of independent identity systems controlled by enterprise and government “tenants”
• Information is owned and usable by the controlling organization - not by Microsoft
• Born as an on-premises identity system for employees, has now extended into the cloud
Figures shown on the slide:
• 1 Trillion Azure AD authentications since the release of the service
• 50 M Office 365 users active every month
• >1 Billion authentications every day on Azure AD
• More than 500 M objects hosted on Azure Active Directory
• Azure AD manages identity data for >5 M organizations
• 86% of Fortune 500 companies on Microsoft Cloud (Azure, O365, CRM Online and PowerBI)
8. |
Azure Active Directory?
Azure Active Directory (AAD)
• Azure Active Directory is a comprehensive, highly available identity and access management cloud solution that combines core directory services, advanced identity governance, and application access management.
9. |
Azure Active Directory? - A game of standardization
• Custom LOB applications can integrate with Azure Active Directory
• Sign in to Active Directory-integrated applications with cloud identities
• Active Directory-integrated applications can access Office 365 and other web APIs
• Applications can extend the Azure Active Directory schema
• Cross-platform support (iOS, Android, and Windows)
• Open standards (SAML 2.0, OAuth 2.0, OpenID Connect, OData 3.0)
10. |
Azure AD in Hybrid
Azure AD Connect (AADC)
11. |
Azure AD and Single Sign-On or Same Sign-On (SSO)
Password Hash Sync (PHS)
Active Directory Federation Services (ADFS)
Pass-Through Authentication (PTA)
Seamless SSO
12. |
Used to provide SSO to modern on-premises applications or SSO to Azure Active Directory
SAML 2.0
OAuth 2.0
OpenID Connect
Active Directory Federation Services (ADFS)
13. |
Pass-Through Authentication - PTA
Diagram: Contoso Corpnet with a PTA Connector, the AAD STS and the AD App Proxy; the numbered flow steps (1-8) are not recoverable from the slide text.
14. |
Value vs Complexity
Chart (axes: Value, Complexity) comparing the hybrid identity options:
• Cloud only accounts
• AAD Connect (cloud accounts)
• AAD Connect + PHS
• AAD Connect + PHS and SSO
• AAD Connect + PTA and SSO
• AAD Connect + AD FS
15. |
Azure Active Directory Application Proxy
Publish on-premises applications and use AAD SSO
Easily add SSO to current applications
Add SSO to form-based and Kerberos applications
Azure AD authentication capabilities:
Username and password synced from on-prem AD
Federated login to on-prem or other federation servers
Multi-factor authentication
Customized login screen
Authorization based on user or groups
SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
Reports, auditing and security monitoring based on big data and machine learning.
Diagram: Microsoft Azure Active Directory publishes the internal application http://app1 (Corporate Network, behind the DMZ) at the external URL https://app1-contoso.msappproxy.net/
18. |
Azure AD Management - Azure Multi-Factor Authentication (MFA)
Azure MFA Service (Cloud)
Azure MFA Server
Multi-Factor Authentication for Office 365
Azure Active Directory Global Administrators
19. |
Diagram: Contoso Azure Active Directory with Administrative Units (in private preview) for the regions US East, Germany and India (North Am, Europe, Asia)
Global admins
• Org-wide permissions
• Manage global settings
• Create structure and policy
• Delegate permissions and resources
Regional admins
• Manage regional users, devices, and applications
• Set local policy
Regional policy and app management
• “Must login with MFA”
• “Have license/access to regional apps”
Support for distributed organizational models
• Autonomous mgmt. while keeping common identity and org boundary
• Delegate administration to subsidiaries: user management, app procurement and mgmt., scope policy
20. |
Azure B2B vs B2C (and B2E)
21. |
B2B (Business-to-Business)
• Integrated with Corp AAD tenant (B2E)
• Invitation system
• Enterprise Tenants
• Can be used with Office 365
• Are included with AAD
B2C (Business-to-Consumer)
• “Special” AAD tenant
• Social Providers
• No support for Office 365
• Separate licensing (no. of auth and users)
22. |
Scenarios for B2B or B2C
• Lots of external users with social login -> B2C
• Small set of external users from a partner company -> B2B
• Share Office 365 resources with a partner -> B2B
• Share access to corporate cloud apps -> B2B/B2C
• Delegation of account management -> B2B
23. |
Azure AD Security
Windows Intune
• Mobile device settings management
• Mobile application management
• Selective wipe
Microsoft Azure Active Directory Premium
• Security reports, audit reports, multi-factor authentication
• Self-service password reset and group management
• Connection between Active Directory and Azure Active Directory
Microsoft Azure Rights Management service
• Information protection
• Connection to on-premises assets
• Bring your own key
24. |
Azure AD Security
PIM - Azure AD Privileged Identity Management
Azure AD IP - Azure AD Identity Protection
AIP - Azure Information Protection
25. |
Azure AD Privileged Identity Management
33. |
Diagram: Azure service map grouped into Platform Services, Hybrid Operations, and Security & Management; the identity-related entries are Active Directory, Azure AD Connect Health, AD Privileged Identity Mngt, Multi-Factor Authentication and Key Vault.
34. |
Azure Active Directory (AD) Domain Services
Azure VMs or networks?
Support for domain-join
Integrated with Azure AD
NTLM and Kerberos authentication
Group Policy
Organizational Units (OUs for service accounts)
High availability
35. |
Thank you very much
The information shown supported an oral presentation; as such, the spoken word prevails.
The slide collection is not a self-contained document and is neither citable nor intended for redistribution.
If you would like to use information from this slide collection, I am happy to help; in that case, please contact me.
Further information:
Frank.Kueppers@bechtle.com