20161103 Cloud Brew - Microsoft Azure Active Directory Premium
Uploaded by robin-vermeirsch
Transcript of 20161103 Cloud Brew - Microsoft Azure Active Directory Premium
Scenario Based Overview
Azure AD Premium
Today’s session
• Scenario-based overview of what Azure AD Premium has to offer
• Technical overview of the presented scenarios
• Demo of each scenario
• Q&A about Azure AD Premium
Scenarios
1. Can I have a secure platform for all my SaaS applications?
2. How can I provide SSO for my users?
   • For my internal users
   • In a BYOD world
   • For partners
3. Can I leverage the platform for my current applications?
Scenarios (continued)
4. Can I implement additional security on the platform?
5. Can I leverage the platform for my own applications and APIs?
6. How can I have monitoring and audit trails for all my applications?
It’s all about your identity
Demo LAB (diagram)
• On premises: DC01 (domain controller), MGMT01 (Azure AD Connect + PTA + legacy app), MGMT02 (Azure AD Proxy), web server (WordPress), CLT01 (BYOD client)
• Azure AD: synced identities (+ passwords), self-servicing (groups + passwords), SaaS applications
• Azure: Azure AD Domain Services (AD services for Azure), DS-TEST (legacy AD-integrated app)
Can I have a secure platform for all my SaaS applications?
DEMO 1
How can I provide SSO for my users?
Sign-in Options Today (chart, plotted by complexity against value)
• Cloud-only accounts
• AAD Connect, cloud accounts
• AAD Connect + PHS
• AAD Connect + AD FS (SSO + no password)
Pass-through Authentication (diagram: user, AAD STS, AAD App Proxy, Connector and DC on the Contoso corpnet)
1. User enters username and password
2. Username and password sent to the AAD App Proxy
3. Connector notified of the request (polling)
4. Connector validates the credentials against AD
5. DC returns result
6. Connector returns result
7. Result returned back to AAD STS
8. Token returned to the user, or further proofs (MFA) are initiated
SSO (diagram: user, AAD STS, DC on the Contoso corpnet)
1. User enters their username
2. 401 response to get a Kerberos ticket
3. User requests a Kerberos ticket
4. AD returns Kerberos ticket
5. User sends ticket to AAD STS
6. AAD STS returns token to the user
Sign-in Options (Future) (chart, plotted by complexity against value)
• Cloud-only accounts
• AAD Connect, cloud accounts
• AAD Connect + PHS
• AAD Connect + PHS and SSO
• AAD Connect + PTA and SSO
• AAD Connect + AD FS (SSO)
SSO For BYOD
• User gets a Primary Refresh Token (PRT)
  • Contains user AND device claims
  • Can be checked using: dsregcmd.exe /status
• Limited browser support (Web Account Manager API)
  • Edge
  • Internet Explorer (iexplore)
• Works with Windows Hello for Business
SSO – Side note
• SSO in AAD always requires identification. FIX: use domain hints
  - OpenID Connect: add &domain_hint=demolab.be
  - WS-Fed: add &whr=demolab.be
  - SAML: use AuthN
  - ADAL: pass domain_hint
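As an added example (not from the slides), a small Python helper that appends the protocol-specific domain hint from the side note above to an authorization request URL, keeping existing parameters intact and refusing hint values that could smuggle in extra parameters. The login endpoint and client_id used below are assumed sample values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Protocol -> query parameter that carries the domain hint
# (OpenID Connect uses domain_hint, WS-Federation uses whr).
HINT_PARAMS = {
    "oidc": "domain_hint",
    "wsfed": "whr",
}


def is_bare_domain(domain: str) -> bool:
    """True only for a plain DNS name: no query/fragment/path delimiters."""
    return bool(domain) and not any(c in domain for c in "&=?#/ \t\r\n")


def add_domain_hint(request_url: str, protocol: str, domain: str) -> str:
    """Return request_url with the protocol's domain-hint parameter set.

    Existing query parameters are preserved, a previously present hint is
    replaced, and the value is URL-encoded by urlencode.
    """
    try:
        param = HINT_PARAMS[protocol]
    except KeyError:
        raise ValueError(f"unsupported protocol {protocol!r}; use one of {sorted(HINT_PARAMS)}")
    if not is_bare_domain(domain):
        raise ValueError("domain hint must be a bare domain name such as demolab.be")

    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, domain))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Assumed sample authorization request; the client_id is a placeholder.
    oidc = "https://login.microsoftonline.com/common/oauth2/authorize?client_id=PLACEHOLDER&response_type=id_token"
    print(add_domain_hint(oidc, "oidc", "demolab.be"))
```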
DEMO 2
Can I leverage the platform for my current applications?
AD Services for Azure resources
• Drawbacks
  • Needs PHS
  • Flat structure (no OUs)
  • Limited GPOs
  • No trust between on-prem AD and cloud AD
• Will give you
  • LDAP/AD functionality for your (legacy) Azure workloads
Access on-prem applications (diagram, built up over three slides)
• Azure Active Directory publishes the Application Proxy endpoint https://whoami.demolab.be
• Connectors in the DMZ forward requests to the internal resource http://whoami. on the corporate network
• Authentication to Azure AD uses SAML; a domain controller sits on the corporate network

SSO for on-prem applications (diagram, built up over four slides)
• Same topology as above: Azure AD, Application Proxy (https://whoami.demolab.be), connectors in the DMZ, resource http://whoami. and a domain controller on the corporate network
• User authenticates to Azure AD (SAML)
• Connector gets a token for the user from the domain controller (KCD)
• Connector authenticates to the resource with Kerberos
DEMO 3
Can I implement additional security to the platform?
AAD Premium
• MFA
• Identity Protection
• Conditional Access
• Self-Service Password Reset
• Governance Tooling
DEMO 4
Can I leverage the platform for my own applications and APIs?
DEMO 5
How can I have monitoring and audit trails for my (cloud) applications?
DEMO 6
Questions