
Azure Cloud School: Identity in Azure


David Pazdera

September 15, 2017

Transcript

  1. Applications ran almost entirely on-premises; applications had free access to corporate identities

     • Authentication: integrated auth (Kerberos/NTLM)
     • Authorization: Active Directory security groups
     • User data: LDAP and ADSI
     • Kerberos was not a problem: application servers were joined to the domain and port 88 was open in the internal network
     • Kerberos tickets included group SIDs for access decisions
     • RPC to a DC was not a problem
  2. Azure AD as the control plane (diagram)

     Microsoft Azure Active Directory in the centre, connected to: On-premises (Windows Server Active Directory, BYO), Partners, Customers, Azure, Public cloud
  3. Azure AD design objectives

     • Built on open standards
     • High availability
     • Support compliance standards
     • High scale
     • Embrace hybrid
     • Multi tenancy
  4. Directory as a service (feature comparison by tier; cells are given left to right as in the slide)

     Object limit: 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
     User/group management (add/update/delete), user-based provisioning, device registration, user-based access management/provisioning, basic security/usage reports: Yes | Yes | Yes | Yes
     Single Sign On: 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (free tier + Application Proxy apps) | No limit (free, Basic tiers + Self-Service App Integration templates) | 10 apps per user (pre-integrated SaaS and developer-integrated apps)
     Self-service password change for cloud users: Yes | Yes | Yes
     Connect (sync engine that extends on-premises directories to Azure Active Directory): Yes | Yes | Yes

     Premium + Basic features
     • Group-based access management/provisioning, provisioning customization: Yes | Yes
     • Self-service password reset for cloud users: Yes | Yes | Yes
     • Company branding (logon pages/access panel customization): Yes | Yes | Yes
     • Application Proxy: Yes | Yes
     • SLA: Yes | Yes | Yes

     Premium features
     • Self-service group and app management, self-service application additions, dynamic groups: P1, P2
     • Self-service password reset/change/account unlock with on-premises write-back: P1, P2
     • Advanced usage reporting: P1, P2
     • Multi-factor authentication (cloud and on-premises (MFA server)): P1, P2; limited, cloud only, for Office 365 apps
     • MIM CAL + MIM server: P1, P2
     • Cloud app discovery: P1, P2
     • Automated password rollover: P1, P2
     • Connect Health: P1, P2
     • Conditional Access (user, application, location, device rules): P1, P2
     • Identity Protection: P2
     • Privileged Identity Management: P2

     Windows 10 features (MDM auto-enrolment, self-service BitLocker recovery, additional local administrators on Windows 10 devices via Azure AD Join, Enterprise State Roaming): Yes | Yes | Yes | Yes | Yes
  5. Pricing per tier (left to right as in the slide)

     kr 0 / user / month | kr 8.12 / user / month | kr 48.7 / user / month | kr 73 / user / month
  6. Two hybrid authentication models

     • Identity synchronization with password (hash) sync: user attributes are synchronized to Microsoft Azure Active Directory using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory.
     • Identity synchronization with federation (ADFS): user attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
  7. Azure Active Directory Connect (sync engine + ADFS)

     • Consolidated deployment assistant for your identity bridge components.
     • All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
     • Assisted deployment of ADFS will be available through Azure Active Directory Connect.
     • ADFS is an optional component for authentication in a hybrid implementation; password sync can replace ADFS in more scenarios.
  8. Account types in Azure

                                 Microsoft Account (MSA)   Work or School Account
     Cloud-based user            Yes                       Yes
     Synchronized user           No                        Yes
     Native AAD account          No                        Yes
     Guest AAD account           Yes                       Yes (B2B)
     Can be Azure admin          Yes                       Yes
     Can be Azure AD admin       Yes                       Yes
  9. End user experience

     • View and launch applications from: Office 365, MyApps.microsoft.com, the MyApps mobile app for iPhone, iPad and Android devices
     • Direct sign-in to SaaS web applications and mobile apps such as Salesforce1 and Workday
     • Company-branded sign-in page and app launchers
     • Create custom portals and app launching experiences
     • Integrated self-service and approval workflows
     • User profile management, including passwords and Multi-factor Authentication methods
  10. Azure Active Directory Connect and Connect Health (MIM)

     Connect and sync on-premises directories with Microsoft Azure Active Directory. Sources: HR apps and other directories, reached via PowerShell, SQL (ODBC), LDAP v3 and Web Services (SOAP, Java, REST).
  11. Application integration with Microsoft Azure

     • SaaS apps: 2700+ pre-integrated popular SaaS apps and self-service integration via templates
     • Other directories: connect and sync on-premises directories with Azure
     • Web apps (Azure Active Directory Application Proxy) and integrated custom apps: easily publish on-premises web apps via Application Proxy, plus custom apps
  12. Cloud app discovery (as many Cloud apps are in use than IT estimates)

     A feature of Azure Active Directory (AD) Premium that enables you to discover cloud applications being used by the people in your organization. With Cloud App Discovery, you can:
     • Find the cloud applications being used and measure that usage by number of users, volume of traffic or number of web requests to the application.
     • Identify the users that are using an application.
     • Export data for offline analysis.
     • Bring these applications under IT control and enable single sign-on for user management.
  13. Application Proxy architecture (diagram: corporate network, DMZ, Microsoft Azure Active Directory; external URL https://app1-contoso.msappproxy.net/ mapped to internal http://app1)

     • Connectors are usually deployed on corpnet next to the resources.
     • Multiple connectors can be deployed for redundancy, scale, multiple sites and different resources.
     • Users connect to the cloud service, which routes their traffic to the resources via the connectors.
     • A connector auto-connects (outbound) to the cloud service; no inbound port is opened in the DMZ.
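Publishing the app from the slide through Application Proxy, as an added example that is not part of the deck: it uses the AzureAD PowerShell module and contrasts the weak Passthru setting with Azure AD pre-authentication, then verifies the result. Assumed: an Azure AD Premium tenant with at least one registered connector, an account holding the Application Administrator role, and the constructed display name "app1".

```powershell
# Added example (not from the deck): publish http://app1 behind
# https://app1-contoso.msappproxy.net/ (both URLs from the slide) with the
# AzureAD PowerShell module. Assumes a Premium tenant, one or more registered
# connectors and an Application Administrator account.

Connect-AzureAD

$externalUrl = 'https://app1-contoso.msappproxy.net/'   # from the slide
$internalUrl = 'http://app1/'                            # from the slide

# Connectors only make outbound connections to the cloud service; select the
# connector group deployed next to the resource (the default group here).
$group = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.IsDefault }

# Weak setting, shown for comparison only:
#   -ExternalAuthenticationType Passthru
# would let any internet client reach http://app1 through the proxy with no
# Azure AD sign-in. AadPreAuthentication makes Azure AD authenticate the user
# (and evaluate Conditional Access) before traffic is forwarded to a connector.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName 'app1' `
    -ExternalUrl $externalUrl `
    -InternalUrl $internalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $group.Id

# Verify that the published app really requires pre-authentication.
$published = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
if ($published.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw 'app1 is published without Azure AD pre-authentication'
}
$published | Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

The same check can be repeated over already-published apps to find any still set to Passthru, which is the setting a reviewer should look for first.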