AzureAAD
Transcript of AzureAAD
CCS Technology is a Microsoft Partner
Specializing in Infrastructure Deployment,
Managed Services, Custom Cloud Solutions
and Custom Software Development
www.CCSTechnologyGroup.com
224.232.5500
Palatine, Illinois
ABOUT US
Huge infrastructure scale is the enabler: 19 regions online, huge datacenter capacity around the world, and we're growing
100+ datacenters
One of the top 3 networks in the world (coverage, speed, connections)
2 x AWS and 6x Google number of offered regions
G Series – Largest VM available in the market – 32 cores, 448GB Ram, SSD…
Regions (map legend: Operational / Announced), with location:
• Central US (Iowa)
• West US (California)
• North Europe (Ireland)
• East US (Virginia)
• East US 2 (Virginia)
• US Gov (Virginia)
• North Central US (Illinois)
• US Gov (Iowa)
• South Central US (Texas)
• Brazil South (Sao Paulo)
• West Europe (Netherlands)
• China North * (Beijing)
• China South * (Shanghai)
• Japan East (Saitama)
• Japan West (Osaka)
• India West (TBD)
• India East (TBD)
• East Asia (Hong Kong)
• SE Asia (Singapore)
• Australia West (Melbourne)
• Australia East (Sydney)
* Operated by 21Vianet
What is Azure Active Directory?
• A comprehensive identity and access management cloud solution.
• It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.
• It is available in 3 editions: Free, Basic and Premium.
Identity as the control point
[Diagram: on-premises Windows Server Active Directory and other directories connect through Microsoft Azure Active Directory (simple connection) to the cloud: Office 365, Azure, SaaS and public cloud. Users get self-service and single sign-on with their username and password.]
Azure Active Directory Cloud App Discovery
How many SaaS apps are in use within your organization?
10x as many cloud apps are in use as IT estimates (Source: Help Net Security 2014)
Comprehensive reporting on:
• SaaS app category
• Number of users
• Utilization volume
[Diagram: Protect your data, Enable your users, Consistent user experience. Access and information protection and mobile device and application management are built around a single user identity. That identity reaches Microsoft Azure, web apps (via Azure Active Directory Application Proxy), SaaS apps, integrated custom apps and other directories.]
Editions comparison (Premium includes all Basic features):
Feature                                                        Basic             Premium
Object limit                                                   No object limit   No object limit
Advanced security reports                                                        Yes (Advanced)**
Group-based access management/provisioning                     Yes               Yes
Self-service password reset for cloud users                    Yes               Yes
Company branding (logon pages / Access Panel customization)    Yes               Yes
SLA                                                            Yes               Yes
Strengthening the authentication with Azure Multi-Factor Authentication
What is multi-factor authentication?
Multi-factor authentication, also commonly referred to as two-factor authentication, is a best practice for securing user access. It works by requiring any two or more of the following authentication factors:
• A knowledge factor: something only you know (typically a password or a PIN).
• A possession factor: something only you have (a trusted device that is not easily duplicated).
• An inherence factor: something only you are (biometrics).
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device.
What is Azure Multi-Factor Authentication?
As already introduced, Azure MFA is, as its name indicates, an Azure service that helps safeguard access to data and applications by strengthening traditional sign-in approaches. In terms of applications, the service supports both cloud applications that use or integrate with Azure AD as well as on-premises applications using the Multi-Factor Authentication Server. With Azure MFA and the user's telephone as the trusted device for a second or an additional factor of authentication:
You must have AAD Premium to use MFA.
Strengthening the authentication with Azure Multi-Factor Authentication
How it Works
Azure MFA offers the additional security you demand using the phones your users already carry.
Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them, and support for multiple methods ensures additional authentication is always available:
• Multi-Factor Auth apps are available for Windows Phone, iOS phones and tablets, and Android devices.
• Automated phone calls are placed by the Azure MFA online service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign-in through a distinct channel.
• Text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign-in screen.
The users always sign in with their existing username and password. After the user's credentials are verified, Multi-Factor Authentication is initiated using the above methods depending on the user's enrollment.
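The sign-in sequence described above (password first, then a second factor picked from what the user has enrolled) is easy to get subtly wrong: passcodes that never expire, passcodes accepted twice, or string comparisons that leak timing. The following is an added, constructed model of that sequence, not Azure's code; the class and function names, the six-digit SMS passcode and the five-minute lifetime are assumptions chosen for illustration. It shows the checks a second-factor verifier needs: an enrolled method only, a single-use challenge, an expiry, and a constant-time comparison.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed policy for this example: a one-time passcode is valid for five minutes.
PASSCODE_TTL_SECONDS = 300


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored credential is never the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    """Constructed directory record: password hash plus the MFA methods the user enrolled."""

    def __init__(self, name: str, password: str, methods: set):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.methods = methods  # any of "app", "call", "sms"


class MfaService:
    """Hypothetical verifier for the second factor; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # username -> (method, secret, expiry)

    def verify_password(self, user: User, password: str) -> bool:
        # First factor: constant-time comparison of the derived hashes.
        return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))

    def start_second_factor(self, user: User, method: str) -> str:
        """Issue one challenge for an enrolled method. Any earlier pending challenge is replaced."""
        if method not in user.methods:
            raise ValueError("method not enrolled for this user")
        if method == "sms":
            secret = f"{secrets.randbelow(10**6):06d}"  # one-time passcode texted to the phone
        else:
            secret = secrets.token_hex(16)  # opaque approval token for app push or phone call
        self.pending[user.name] = (method, secret, self.now() + PASSCODE_TTL_SECONDS)
        # In a real service the secret travels out of band (SMS, call, push), never to the browser.
        return secret

    def complete_second_factor(self, user: User, response: str) -> bool:
        """Consume the pending challenge: single use, bounded lifetime, constant-time compare."""
        entry = self.pending.pop(user.name, None)  # pop first so a wrong or late answer also burns it
        if entry is None:
            return False
        _method, secret, expiry = entry
        if self.now() > expiry:
            return False
        return hmac.compare_digest(secret, response)


def sign_in(service: MfaService, user: User, password: str, method: str, respond) -> str:
    """Full sequence: password, then the second factor. `respond` stands in for the user's device."""
    if not service.verify_password(user, password):
        return "denied: password"
    challenge = service.start_second_factor(user, method)
    if service.complete_second_factor(user, respond(challenge)):
        return "granted"
    return "denied: second factor"


if __name__ == "__main__":
    svc = MfaService()
    alice = User("alice", "correct horse", {"sms", "app"})
    # The device "answers" the challenge correctly here; a wrong or stale answer is denied.
    print(sign_in(svc, alice, "correct horse", "sms", lambda code: code))
```

Note that the second factor is only started after the password check succeeds, which mirrors the ordering on the slides, and that a failed or expired challenge is discarded rather than left pending for a later guess.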
Azure Multi-Factor Authentication enables compliance with regulatory requirements for multi-factor authentication, such as the following, to name a few:
• NIST 800-63 Electronic Authentication Guidelines for Level 3 Assurance
• HIPAA Requirements Relative to Electronic Protected Health Information (EPHI)
• Payment Card Industry Data Security Standards (PCI DSS)
• Criminal Justice Information System (CJIS) Security Policy
• Authentication in an Internet Banking Environment Guidance (FFIEC)
Focus on Single Sign On
[Diagram: on-premises Windows Server Active Directory and other directories connect through Microsoft Azure Active Directory (simple connection) to the cloud: Office 365, Azure, SaaS and public cloud. Users get self-service and single sign-on with their username and password. Steps called out: enable directory synchronization; enable AAD SSO.]
Single Sign On vs. Same Sign On: what's the difference?
Depending on your sync method, you will have single sign-on or same sign-on.
• DirSync will provide you with the same username and password.
• DirSync with AD FS will authenticate with your AD for exact same sign-on.
Do you really need AD FS?
Office 365 doesn't require every customer to deploy directory synchronization services or Active Directory Federation Services (AD FS). In reality, most organizations require only cloud identities, where users receive cloud credentials for signing in to Office 365 services. The cloud ID password policy is stored in the cloud with the Office 365 service. Cloud credentials are separate from other desktop or corporate credentials.
Using cloud identities, one optional server may be deployed to support directory synchronization from your on-premises Active Directory. In environments with just a few users, directory synchronization isn't required. Users may be provisioned manually through the Office 365 portal.
Federated identities, on the other hand, enable users to sign in to Office 365 services by using their Active Directory credentials. The corporate Active Directory authenticates the users, and then stores and controls the password policy.
Deploying AD FS requires additional expertise, introduces complexity, and has higher operational costs.
Office 365 single sign-on using AD FS and DirSync
1. The user logs on to a corporate network, and is authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD.
4. Since Azure AD can't authenticate the user and understands there is a trust with AD FS on-premises, it redirects the user to AD FS.
5. The user sends a Kerberos ticket to the AD FS STS.
6. AD FS transforms the Kerberos ticket to the required token format/claims and redirects the user to Azure AD.
7. The user authenticates to Azure AD (another transformation occurs).
8. Azure AD redirects the user to Office 365.
9. The user is silently signed on to Office 365.
Office 365 same sign-on using DirSync + Password Sync
1. The user logs on to a corporate network, and is authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD.
4. Azure AD can't accept Kerberos tickets directly and no trust relationship exists, so it requests that the user enter credentials.
5. The user enters the same on-premises password, and Azure AD validates it against the user name and password that was synchronized by DirSync.
6. Azure AD redirects the user to Office 365.
7. The user can sign on to Office 365 and OWA using the Azure AD token.
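The two numbered flows above differ in where the password is checked: in the federated flow Azure AD only verifies a token issued by the on-premises STS (steps 4 to 7), while in the same sign-on flow Azure AD checks the password itself against the hash that DirSync copied (step 5). The following is an added, constructed model of both paths, not Microsoft code; the HMAC-signed token, the PBKDF2 hashing, the shared-key trust and all class and function names are assumptions standing in for AD FS claims tokens, the real password-sync format and the real federation trust. It makes the security consequence visible: with federation the cloud directory never holds a credential it could verify on its own, with password sync it does, and a token not signed under the trust is rejected.

```python
import base64
import hashlib
import hmac
import json
import os


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for the password hash stored by AD and copied by password sync."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OnPremAD:
    """Windows Server Active Directory: the only component that ever checks a cleartext password."""

    def __init__(self):
        self.users = {}  # upn -> (salt, hash)

    def add_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[upn] = (salt, pbkdf2(password, salt))

    def authenticate(self, upn: str, password: str) -> bool:
        rec = self.users.get(upn)
        return rec is not None and hmac.compare_digest(rec[1], pbkdf2(password, rec[0]))


class AdfsSts:
    """Hypothetical AD FS security token service: authenticates against AD, signs a claims token."""

    def __init__(self, ad: OnPremAD, signing_key: bytes):
        self.ad, self.key = ad, signing_key

    def issue_token(self, upn: str, password: str):
        # The AD check here stands in for the Kerberos ticket of step 5 of the SSO flow.
        if not self.ad.authenticate(upn, password):
            return None
        payload = json.dumps({"upn": upn, "issuer": "adfs.contoso.com"}).encode()
        sig = hmac.new(self.key, payload, "sha256").digest()
        return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


class AzureAD:
    """Hypothetical cloud directory with a federation trust per domain and a synced hash per user."""

    def __init__(self):
        self.federated = {}  # domain -> key shared with that domain's AD FS (the trust)
        self.synced = {}     # upn -> (salt, hash) copied by DirSync password sync

    def federate_domain(self, domain: str, key: bytes) -> None:
        self.federated[domain] = key

    def dirsync(self, ad: OnPremAD) -> None:
        # Password sync copies the hash, never the cleartext password.
        self.synced.update(ad.users)

    def sign_in(self, upn: str, password: str = None, token: str = None) -> str:
        domain = upn.split("@", 1)[1]
        if domain in self.federated:
            # Federated domain (SSO flow step 4): no password check here, only the AD FS token.
            if token is None:
                return "redirect:adfs"
            return "granted" if self._verify_token(token, self.federated[domain], upn) else "denied"
        # Managed domain (same sign-on flow step 5): validate against the synced hash.
        rec = self.synced.get(upn)
        if rec is None or password is None:
            return "denied"
        return "granted" if hmac.compare_digest(rec[1], pbkdf2(password, rec[0])) else "denied"

    def _verify_token(self, token: str, key: bytes, upn: str) -> bool:
        try:
            p64, s64 = token.split(".")
            payload, sig = base64.b64decode(p64), base64.b64decode(s64)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, hmac.new(key, payload, "sha256").digest()):
            return False  # not signed under the trust: forged or from an unknown issuer
        return json.loads(payload).get("upn") == upn


def single_sign_on(azure: AzureAD, sts: AdfsSts, upn: str, password: str) -> str:
    """Federated path: the password goes to AD FS only; Azure AD sees just the token."""
    first = azure.sign_in(upn)
    if first != "redirect:adfs":
        return first
    token = sts.issue_token(upn, password)
    return azure.sign_in(upn, token=token) if token else "denied"


def same_sign_on(azure: AzureAD, upn: str, password: str) -> str:
    """Password-sync path: the same on-premises password is checked by Azure AD itself."""
    return azure.sign_in(upn, password=password)


if __name__ == "__main__":
    ad = OnPremAD()
    ad.add_user("bob@contoso.com", "Passw0rd!")          # constructed sample account
    key = b"constructed-shared-signing-key"
    federated_cloud = AzureAD()
    federated_cloud.federate_domain("contoso.com", key)
    print(single_sign_on(federated_cloud, AdfsSts(ad, key), "bob@contoso.com", "Passw0rd!"))
    synced_cloud = AzureAD()
    synced_cloud.dirsync(ad)
    print(same_sign_on(synced_cloud, "bob@contoso.com", "Passw0rd!"))
```

The federated tenant answers a bare password with a redirect rather than a verdict, which is the same behaviour the slides describe: without AD FS reachable, that tenant cannot authenticate the user at all, whereas the password-synced tenant keeps working on its own.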
Extending Active Directory Domain Services to Azure is the first step to support line-of-business applications in Azure IaaS.
• Supports cloud-based solutions that require NTLM or Kerberos authentication, or domain-joined virtual machines.
• Adds additional integration potential for cloud services and applications and can be added at any time.
This configuration is a hybrid deployment of Active Directory on-premises and in Azure. It requires:
• A virtual network in Azure IaaS.
• A VPN connection or ExpressRoute connection.
• Extending your on-premises IP address range to virtual machines in the virtual network.
• Deploying one or more domain controllers to Azure designated as a global catalog server (reduces egress traffic across the VPN connection).
This identity architecture supports a different set of solutions and applications compared to synchronization with Azure Active Directory.
Traditional on-premises AD FS deployment
• Authentication is directed to the AD FS via the Web Application Proxy.
• All on-premises at your location or your hosted datacenter.
• When you lose connectivity or have an outage, your cloud authentication is out too.
Azure Active Directory Sync Tool
The Azure AD Sync tool can be hosted in the cloud using Azure IaaS.
• Potentially faster provisioning and lower cost of operations
• Increased availability
The architecture illustrated on the right details how you can configure the Azure AD Sync Tool on IaaS.
This solution works with:
• Office 365 services
• Applications in Azure that are available over the Internet
• Business applications in Azure that are available from on-premises environments through the secure VPN
AD FS + AD Sync Tool
If you haven't already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure make sense for your organization.
• Provides autonomy for authentication to cloud services (no on-premises dependencies).
• Reduces servers and tools hosted on-premises.
• Uses a site-to-site VPN gateway on a two-node failover cluster to connect to Azure (new).
• Use ACLs to ensure that Web Application Proxy servers can only communicate with AD FS, not domain controllers or other servers directly.
This solution works with:
• Applications that require Kerberos
• All of Microsoft's SaaS services
• Applications in Azure that are Internet-facing
• Applications in Azure IaaS or PaaS that require authentication with your corporate Active Directory Domain Services
Aim for consistency of the user experience for:
• The authentication process
• Required credentials
Utilizing Windows credentials, whether against Active Directory on-premises or by SAML authentication with Azure Active Directory, ensures that users can quickly authenticate and focus on their tasks.
Build your Applications for AAD