AzureAAD

Transcript of AzureAAD

CCS Technology is a Microsoft Partner specializing in Infrastructure Deployment, Managed Services, Custom Cloud Solutions and Custom Software Development

www.CCSTechnologyGroup.com

224.232.5500

Palatine, Illinois

ABOUT US

Why consider the cloud?

Cloud innovation presents challenges for IT

WHAT IS AZURE?

Microsoft Azure delivers.

Enterprise ready by design.

Huge infrastructure scale is the enabler: 19 regions online, huge datacenter capacity around the world, and we're growing.

• 100+ datacenters
• One of the top 3 networks in the world (coverage, speed, connections)
• 2x AWS and 6x Google in number of offered regions
• G Series: largest VM available in the market (32 cores, 448 GB RAM, SSD…)

Regions (operational and announced), with their locations:

Central US: Iowa
West US: California
North Europe: Ireland
East US: Virginia
East US 2: Virginia
US Gov: Virginia
North Central US: Illinois
US Gov: Iowa
South Central US: Texas
Brazil South: Sao Paulo
West Europe: Netherlands
China North *: Beijing
China South *: Shanghai
Japan East: Saitama
Japan West: Osaka
India West: TBD
India East: TBD
East Asia: Hong Kong
SE Asia: Singapore
Australia West: Melbourne
Australia East: Sydney

* Operated by 21Vianet

Control Your Identity

Empower Enterprise Mobility

Extend Your Infrastructure

A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. It is available in 3 editions: Free, Basic and Premium.

What is Azure Active Directory?

[Diagram: identity as the control point. On-premises Windows Server Active Directory and other directories connect (simple connection) to Microsoft Azure Active Directory, which gives the IT professional one control point and gives users self-service and single sign-on (username and password) to the cloud: SaaS, Azure and Office 365 (public cloud), across devices, apps and data.]

The current reality…

Azure Active Directory Cloud App Discovery

10x as many cloud apps are in use than IT estimates (Source: Help Net Security 2014)

How many SaaS apps are in use within your organization? Comprehensive reporting on:

• SaaS app category
• Number of users
• Utilization volume

[Diagram: protect your data, enable your users. A single user identity across devices, apps and data gives a consistent user experience, with access and information protection and mobile device and application management. Microsoft Azure Active Directory connects to web apps (through Azure Active Directory Application Proxy), integrated SaaS apps, custom apps and other directories, and offers a rich standards-based platform for developers.]

Azure Active Directory editions: Basic and Premium (Premium includes everything in Basic)

Feature                                                     Basic            Premium (+ Basic)
Object limit                                                No object limit  No object limit
Group-based access management/provisioning                  Yes              Yes
Self-Service Password Reset for cloud users                 Yes              Yes
Company Branding (Logon Pages/Access Panel customization)   Yes              Yes
SLA                                                         Yes              Yes
Advanced Security Reports                                                    Yes (Advanced)**

Strengthening the authentication with Azure Multi-Factor Authentication

What is multi-factor authentication?

Multi-factor authentication, also commonly referred to as two-factor authentication, is a best practice for securing user access. It works by requiring any two or more of the following authentication factors:

A knowledge factor: something only you know (typically a password or a PIN).
A possession factor: something only you have (a trusted device that is not easily duplicated).
An inherence factor: something only you are (biometrics).

The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device.

What is Azure Multi-Factor Authentication?

As already introduced, Azure MFA is, as its name indicates, an Azure service that helps safeguard access to data and applications by strengthening traditional sign-in approaches. In terms of applications, the service supports both cloud applications that use or integrate with Azure AD as well as on-premises applications using the Multi-Factor Authentication Server. With Azure MFA and the user's telephone as the trusted device for a second or an additional factor of authentication:

You must have AAD Premium to use MFA

Strengthening the authentication with Azure Multi-Factor Authentication

How it works

Azure MFA offers the additional security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them, and support for multiple methods ensures additional authentication is always available:

Multi-Factor Auth apps are available for Windows Phone, iOS phones and tablets, and Android devices.

Automated phone calls are placed by the Azure MFA online service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign-in through a distinct channel.

Text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign-in screen.

The users always sign in with their existing username and password. After the user's credentials are verified, Multi-Factor Authentication is initiated using the above methods depending on the user's enrollment.
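The layered design described under "What is multi-factor authentication?" and the text-message passcode flow just described can be walked through end to end. The following Python example is added here; it is not code from the slides or from Azure MFA. The SMS gateway is replaced by an in-memory outbox, and the user name, password, phone number, code lifetime, attempt limit and PBKDF2 parameters are constructed assumptions. It shows why a stolen password alone yields no session, and why the passcode is only useful once, for a few minutes, and for a few guesses.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this illustration; they are not Azure MFA's own values.
PBKDF2_ITERATIONS = 100_000
CODE_LIFETIME_SECONDS = 300   # a texted passcode is only good for a few minutes
MAX_CODE_ATTEMPTS = 3         # a 6-digit code must not be guessable by retrying


class TwoFactorSignIn:
    """Knowledge factor (password) first, then a possession factor: a one-time
    passcode delivered to the phone the user enrolled. No session is issued
    until both factors have been checked."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}      # username -> (salt, password hash, enrolled phone)
        self._pending = {}    # username -> outstanding passcode challenge
        self._outbox = []     # stand-in for the SMS gateway: (phone, code) pairs

    def enroll(self, username, password, phone):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest, phone)

    def verify_password(self, username, password):
        """Stage 1: check the password. On success send a fresh passcode to the
        enrolled phone and return True; a session is still NOT granted here."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest, phone = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, digest):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = {"code": code, "attempts": 0,
                                   "expires": self._clock() + CODE_LIFETIME_SECONDS}
        self._outbox.append((phone, code))   # out-of-band channel to the trusted device
        return True

    def verify_code(self, username, code):
        """Stage 2: the passcode is single-use, time-limited and attempt-limited.
        Returns a session dict on success, None otherwise."""
        challenge = self._pending.get(username)
        if challenge is None:
            return None
        if self._clock() > challenge["expires"]:
            del self._pending[username]
            return None
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_CODE_ATTEMPTS:
            del self._pending[username]      # too many guesses: start over with stage 1
            return None
        if not hmac.compare_digest(challenge["code"].encode(), code.encode()):
            return None
        del self._pending[username]          # consumed: the same code cannot be replayed
        return {"user": username, "mfa": True, "session": secrets.token_urlsafe(16)}

    def last_code_sent_to(self, phone):
        """Plays the role of the user reading the text message on their phone."""
        for to, code in reversed(self._outbox):
            if to == phone:
                return code
        return None


def demo():
    """Walks through the flow with a controllable clock; returns the outcomes."""
    clock = {"now": 1_000_000.0}
    idp = TwoFactorSignIn(clock=lambda: clock["now"])
    user, pw, phone = "alice@contoso.com", "correct horse battery staple", "+1 555 0100"  # constructed
    idp.enroll(user, pw, phone)
    out = {"wrong_password": idp.verify_password(user, "guess"),
           "password_ok": idp.verify_password(user, pw)}
    code = idp.last_code_sent_to(phone)
    wrong = f"{(int(code) + 1) % 10 ** 6:06d}"          # guaranteed to differ from code
    out["wrong_code"] = idp.verify_code(user, wrong) is None
    out["right_code"] = idp.verify_code(user, code) is not None
    out["replay"] = idp.verify_code(user, code) is None  # a used code is worthless
    idp.verify_password(user, pw)                        # new challenge, then let it expire
    stale = idp.last_code_sent_to(phone)
    clock["now"] += CODE_LIFETIME_SECONDS + 1
    out["expired"] = idp.verify_code(user, stale) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The clock is injected so the expiry branch can be exercised without waiting; in production the attempt counter and the pending challenge would live in a shared store so that a second front end cannot be used to restart the guess budget.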

Azure Multi-Factor Authentication enables compliance with regulatory requirements for multi-factor authentication such as the following ones, to name a few:

• NIST 800-63 Electronic Authentication Guidelines for Level 3 Assurance
• HIPAA Requirements Relative to Electronic Protected Health Information (EPHI)
• Payment Card Industry Data Security Standards (PCI DSS)
• Criminal Justice Information System (CJIS) Security Policy
• Authentication in an Internet Banking Environment Guidance (FFIEC)

Focus on Single Sign On

[Diagram: the same identity-as-control-point picture as before. On-premises Windows Server Active Directory and other directories connect (simple connection) to Microsoft Azure Active Directory, which gives users self-service and single sign-on (username and password) to the cloud: SaaS, Azure and Office 365 (public cloud). Labels: Enable Directory Synchronization; Enable AAD SSO.]

Single Sign On vs. Same Sign On: What's the difference?

Depending on your sync method, you will have Single Sign On or Same Sign On:

DirSync will provide you with the same username and password.
DirSync with AD FS will authenticate with your AD for exact Same Sign On.

Do you really need AD FS?

Office 365 doesn't require every customer to deploy directory synchronization services or Active Directory Federation Services (AD FS). In reality, most organizations require only cloud identities, where users receive cloud credentials for signing in to Office 365 services. The cloud ID password policy is stored in the cloud with the Office 365 service. Cloud credentials are separate from other desktop or corporate credentials.

Using cloud identities, one optional server may be deployed to support directory synchronization from your on-premises Active Directory. In environments with just a few users, directory synchronization isn't required. Users may be provisioned manually through the Office 365 portal.

Federated identities, on the other hand, enable users to sign in to Office 365 services by using their Active Directory credentials. The corporate Active Directory authenticates the users, and then stores and controls the password policy.

Deploying AD FS requires additional expertise, introduces complexity, and has higher operational costs.

Office 365 single sign on using AD FS and DirSync

1. The user logs on to a corporate network, and is authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD.
4. Since Azure AD can't authenticate the user and understands there is a trust with AD FS on-premises, it redirects the user to AD FS.
5. The user sends a Kerberos ticket to the AD FS STS.
6. AD FS transforms the Kerberos ticket to the required token format/claims and redirects the user to Azure AD.
7. The user authenticates to Azure AD (another transformation occurs).
8. Azure AD redirects the user to Office 365.
9. The user is silently signed on to Office 365.

Office 365 same sign on using DirSync + Password Sync

1. The user logs on to a corporate network, and is authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD.
4. Azure AD can't accept Kerberos tickets directly and no trust relationship exists, so it requests that the user enter credentials.
5. The user enters the same on-premises password, and Azure AD validates it against the user name and password that were synchronized by DirSync.
6. Azure AD redirects the user to Office 365.
7. The user can sign on to Office 365 and OWA using the Azure AD token.
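The two numbered flows above differ in what Azure AD verifies: in the federated flow it accepts a token signed by the on-premises AD FS it has a trust with (steps 4 to 7), while in the password-sync flow it checks the password the user types against a synchronized hash (steps 4 and 5). The following Python example is added here and is not code from the slides or from Microsoft; it mocks all three parties (on-premises AD, the AD FS STS and Azure AD) in memory with HMAC in place of the real token signatures. The issuer URL, audience string, user names, passwords, hash construction and iteration count are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed parameters: the salt + PBKDF2 re-hash follows the public description
# of password hash sync, but digest, salt size and iteration count here are illustrative.
SYNC_PBKDF2_ITERATIONS = 1000
TOKEN_LIFETIME_SECONDS = 300
CLOUD_AUDIENCE = "urn:federation:MicrosoftOnline"   # assumed audience value, not from the slides


def credential_digest(password):
    """Stand-in for the on-premises credential hash (the real one is an NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class OnPremisesAD:
    """Mock Windows Server Active Directory holding the credential hashes."""
    def __init__(self):
        self._hashes = {}

    def add_user(self, upn, password):
        self._hashes[upn] = credential_digest(password)

    def authenticate(self, upn, password):
        stored = self._hashes.get(upn)
        return stored is not None and hmac.compare_digest(stored, credential_digest(password))

    def export_for_sync(self, upn):
        """What DirSync + Password Sync ships to the cloud: a salted, iterated re-hash of
        the stored hash. Neither the password nor the raw hash leaves the directory."""
        salt = os.urandom(10)
        derived = hashlib.pbkdf2_hmac("sha256", self._hashes[upn], salt, SYNC_PBKDF2_ITERATIONS)
        return {"upn": upn, "salt": salt, "hash": derived}


class FederationServer:
    """Mock AD FS STS: authenticates against on-premises AD and issues a signed claims token."""
    def __init__(self, directory, issuer, signing_key):
        self._directory, self._issuer, self._key = directory, issuer, signing_key

    def issue_token(self, upn, password, now):
        if not self._directory.authenticate(upn, password):   # step 5 (a Kerberos ticket in the real flow)
            return None
        claims = {"iss": self._issuer, "sub": upn, "aud": CLOUD_AUDIENCE, "exp": now + TOKEN_LIFETIME_SECONDS}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"                                  # step 6: the token Azure AD receives


class AzureADMock:
    """Mock Azure AD: federated domains are redirected to AD FS, synced domains get a password prompt."""
    def __init__(self, synced_records, federation_trusts):
        self._synced = {r["upn"]: r for r in synced_records}   # records from export_for_sync()
        self._federated = federation_trusts                       # domain -> (issuer, signing key)

    def route(self, upn):
        """Step 4 of both flows: does a trust exist for the user's domain?"""
        return "redirect-to-adfs" if upn.rpartition("@")[2] in self._federated else "prompt-for-password"

    def sign_in_with_password(self, upn, password):
        """Same sign-on, step 5: re-derive from the entered password and compare with the synced value."""
        record = self._synced.get(upn)
        if record is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", credential_digest(password), record["salt"], SYNC_PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, record["hash"])

    def sign_in_with_token(self, token, now):
        """Single sign-on, step 7: accept only a token signed by the trusted issuer, for this audience, unexpired."""
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
            trust = self._federated.get(str(claims["sub"]).rpartition("@")[2])
        except (ValueError, KeyError, TypeError, AttributeError, UnicodeDecodeError):
            return False
        if trust is None or claims.get("iss") != trust[0]:
            return False
        expected = hmac.new(trust[1], body.encode(), hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, sig) and claims.get("aud") == CLOUD_AUDIENCE
                and claims.get("exp", 0) > now)


def demo():
    """contoso.com is federated (AD FS + DirSync); fabrikam.com uses DirSync + Password Sync."""
    now, ad = 1_700_000_000, OnPremisesAD()
    ad.add_user("alice@contoso.com", "Contoso-pw-constructed")
    ad.add_user("bob@fabrikam.com", "Fabrikam-pw-constructed")
    key, issuer = os.urandom(32), "https://adfs.contoso.com"   # constructed trust with AD FS
    adfs = FederationServer(ad, issuer, key)
    cloud = AzureADMock([ad.export_for_sync("bob@fabrikam.com")], {"contoso.com": (issuer, key)})
    token = adfs.issue_token("alice@contoso.com", "Contoso-pw-constructed", now)
    rogue = FederationServer(ad, issuer, os.urandom(32))         # right issuer name, wrong key
    return {
        "route_contoso": cloud.route("alice@contoso.com"),
        "route_fabrikam": cloud.route("bob@fabrikam.com"),
        "same_signon_ok": cloud.sign_in_with_password("bob@fabrikam.com", "Fabrikam-pw-constructed"),
        "same_signon_wrong_pw": cloud.sign_in_with_password("bob@fabrikam.com", "nope"),
        "sso_ok": cloud.sign_in_with_token(token, now),
        "sso_expired": cloud.sign_in_with_token(token, now + TOKEN_LIFETIME_SECONDS),
        "sso_forged": cloud.sign_in_with_token(rogue.issue_token("alice@contoso.com", "Contoso-pw-constructed", now), now),
        "adfs_rejects_bad_pw": adfs.issue_token("alice@contoso.com", "nope", now) is None,
    }
```

Note what the cloud side holds in each case: for fabrikam.com a salted re-hash it can check but not reverse, for contoso.com only the signing key of the trust. That is also why an AD FS outage stops sign-in for contoso.com users while fabrikam.com users are unaffected, the point the traditional on-premises AD FS deployment slide makes.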

Extending Active Directory Domain Services to Azure is the first step to support line-of-business applications in Azure IaaS. It supports cloud-based solutions that require NTLM or Kerberos authentication, or domain-joined virtual machines. It adds additional integration potential for cloud services and applications and can be added at any time.

This configuration is a hybrid deployment of Active Directory on-premises and in Azure. It requires:

• A virtual network in Azure IaaS.
• A VPN connection or ExpressRoute connection.
• Extending your on-premises IP address range to virtual machines in the virtual network.
• Deploying one or more domain controllers to Azure designated as a global catalog server (reduces egress traffic across the VPN connection).

This identity architecture supports a different set of solutions and applications compared to synchronization with Azure Active Directory.

Traditional on-premises AD FS deployment

Authentication is directed to AD FS via the Web Application Proxy. Everything is on-premises, at your location or your hosted datacenter. When you lose connectivity or have an outage, your cloud authentication is out too.

Azure Active Directory Sync Tool

The Azure AD Sync tool can be hosted in the cloud using Azure IaaS.

• Potentially faster provisioning and lower cost of operations
• Increased availability

The architecture illustrated on the right details how you can configure the Azure AD Sync Tool on IaaS. This solution works with:

• Office 365 services
• Applications in Azure that are available over the Internet
• Business applications in Azure that are available from on-premises environments through the secure VPN

AD FS + AD Sync Tool (full DR deployment)

If you haven't already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure make sense for your organization.

• Provides autonomy for authentication to cloud services (no on-premises dependencies).
• Reduces servers and tools hosted on-premises.
• Uses a site-to-site VPN gateway on a two-node failover cluster to connect to Azure (new).
• Use ACLs to ensure that Web Application Proxy servers can only communicate with AD FS, not domain controllers or other servers directly.

This solution works with:

• Applications that require Kerberos
• All of Microsoft's SaaS services
• Applications in Azure that are Internet-facing
• Applications in Azure IaaS or PaaS that require authentication with your corporate Active Directory Domain Services

Aim for consistency of the user experience for:

• The authentication process
• Required credentials

Utilizing Windows credentials, whether against Active Directory on-premises or by SAML authentication with Azure Active Directory, ensures that users can quickly authenticate and focus on their tasks.

Build your Applications for AAD

CCS TECHNOLOGY GROUP, LLC

1540 E. Dundee Road, Suite 104

Palatine, IL 60074

224.232.5500

www.ccstechnologygroup.com

@CCS4IT

THANK YOU