A Hitchhiker's Guide to Azure Active Directory - @theCloudSherpa - Now Micro
A Hitchhiker's Guide to Azure Active Directory
Max Fritz, Senior Systems Consultant, Now Micro (@theCloudSherpa)

About the speaker
• Max Fritz, Senior Consultant
• MCSA Office 365, MCSE Productivity
• Founder of the Minnesota Office 365 User Group
• Working with Office 365 for over 7 years
• Specializes in the Education industry
• Focus on Azure AD, Exchange, and SharePoint
Contact details
• Email: maxf@nowmicro.com
• Twitter: @TheCloudSherpa
• Blog: maxafritz.com
• LinkedIn: in/maxafritz
Now Micro is a Consulting & Device Life Cycle Management company Now Micro’s Consulting Practice focuses on helping organization deliver the best end user experience by designing and implementing the most robust Systems Management, Cloud Productivity, and Identity Management solutions available.
Office 365, Windows 10, Enterprise Mobility + Security. Vision: unified management across users, devices, apps and services.
What is Azure Active Directory? Identity management in the cloud. Based on the Active Directory we all already know, but integrated with numerous first and third party cloud services. Backbone of Office 365
(Diagram: Windows Server Active Directory on premises, synchronized through Azure AD Connect to Microsoft Azure Active Directory in the public cloud; Azure AD federates with commercial and consumer identity providers (IdPs) and serves employees, partners and customers.)

Azure AD capabilities (slide overview):
• Azure AD B2B collaboration and B2C
• Provisioning and deprovisioning, HR app integration, Join/Move/Leave processes
• Conditional Access and Identity Protection
• Multi-Factor Authentication, Microsoft Authenticator and password-less access
• Self-service capabilities, Access Panel/MyApps and the Office 365 App Launcher
• SSO to SaaS apps, addition of custom cloud apps, remote access to on-premises apps
• Dynamic Groups and group-based licensing
• Privileged Identity Management and Access Reviews
• Azure AD Join, MDM auto-enrollment, Enterprise State Roaming, Azure AD DS
• Azure AD Connect and Connect Health, security reporting
Use cases it is meant to address: provide employees, partners and customers with secure and easy access to every application from everywhere; quickly deploy applications and devices and automate Join/Move/Leave processes; protect access to resources from advanced threats; comply with industry regulation and national data protection laws; collaborate seamlessly from any location and any device; do more with less.
• Cloud identity: manage your user accounts in Office 365 only.
• Synchronized identity: synchronize your on-premises directory with Office 365 and manage your users on premises.
• Federated identity: synchronize on-premises directory objects with Office 365 and manage your users on premises. Authenticate with federation servers on premises or with a third-party IDaaS.

Office 365 Identity Management options
Password Hash Sync
  Pros: cloud-based authentication with the same password as on premises. Quickest and easiest to deploy. Seamless SSO.
  Cons: disabling or editing a user on premises needs a sync cycle to complete before it takes effect in the cloud.
Pass-through Authentication
  Pros: cloud-based authentication with password validation on premises. Minimal on-premises footprint. Seamless SSO.
  Cons: legacy Office clients not supported.
Federated Identity
  Pros: Windows Integrated Desktop SSO, certificate-based auth, 3rd-party MFA integration.
  Cons: on-premises deployment. DMZ deployment.
3rd Party Federated Authentication
  Pros: 3rd-party tools and services pre-tested for basic auth scenarios with WS-Fed. Can be used with PTA and AD FS.
  Cons: only basic scenarios. Second directory store in the cloud. Multiple support channels. Provisioning only using PowerShell and the Graph API.
Reference: https://blogs.msdn.microsoft.com/samueld/2017/06/13/choosing-the-right-sign-in-option-to-connect-to-azure-ad-office-365/
Synchronizing with Azure AD: Azure Active Directory Connect
• Formerly known as "DirSync"
• Connects to Active Directory on premises
• Synchronizes users, groups, and contacts
• Allows for writes in both directions
• Uses SQL Express (or full SQL Server) to manage synchronization
• Continuously evolving product
• Automatic upgrades are possible (Set-ADSyncAutoUpgrade)

Identity + Password Hash synchronization
(Diagram: on-premises Active Directory synchronizes identities and password hashes to Microsoft Azure Active Directory; Azure Active Directory authenticates the user.)

Pass-through authentication overview
Cloud-based authentication
• Same passwords for cloud-based and on-premises apps
• Integrated with Smart Lockout, Identity Protection and Conditional Access
Secure and compliant
• Passwords remain on premises
• No DMZ and no inbound firewall requirements
Easy to administer
• Agent-based deployment
• High availability out of the box
• No complex on-premises deployments or network config

Identity synchronization + Pass-through authentication with Seamless SSO (sign-in flow)
1. Identities are synchronized to Azure AD using Azure AD Connect.
2. The user attempts to sign in to an app and provides credentials.
3. The credentials are encrypted and queued, and the session is sent to Azure AD for sign-in.
4. The on-premises PTA agent picks up the queued request.
5. PTA uses its private key to decrypt the credentials.
6. PTA validates the credentials with on-premises Active Directory.
7. PTA responds to Azure AD.
8. If the sign-in is successful, Azure AD completes the sign-in and the user accesses the app.

Seamless SSO overview
Easy to integrate
• Works with both Password Hash Synchronization and Pass-through Authentication
• Supports Alternate Login ID
Easy to administer
• No additional on-premises infrastructure
• Register non-Windows 10 devices without AD FS
Great user experience
• Single sign-on experience for cloud apps from Active Directory domain-joined devices within your corpnet

How Seamless SSO works with Pass-through authentication and Password hash synchronization
(Diagram: identity synchronization and managed authentication via Azure AD Connect; the user signs in from an Active Directory domain-joined PC on the CONTOSO corpnet to Office 365, SaaS and LoB apps; Azure AD does Kerberos authentication against Windows Server Active Directory.)
Azure AD Connect Health
• One-stop shop for viewing the health of your identity infrastructure: Azure AD Connect, AD FS, on-premises AD
• Agents installed on identity infrastructure components
• Monitoring and alerts, with email notification of critical alerts
• Trends in performance data
• Usage reports
• Requires a P1 license

How to get Azure AD (features by plan)
Feature/Plan                     Basic (incl. with O365)   Premium P1    Premium P2
Directory Object Limit           Unlimited                 Unlimited     Unlimited
Single Sign-On                   10 per user               Unlimited     Unlimited
Reports                          Basic                     Advanced      Advanced
Self-Service                     -                         ✓             ✓
Multi-Factor Auth.               -                         ✓             ✓
Cloud App Discovery              -                         ✓             ✓
Conditional Access*              -                         ✓             ✓
Identity Protection              -                         -             ✓
Privileged Identity Management   -                         -             ✓

How to get Azure AD Groups features (by plan)
Feature/Plan                     Basic (incl. with O365)   Premium P1    Premium P2
Group activities report          ✓                         ✓             ✓
Soft-delete & restore            ✓                         ✓             ✓
Hidden membership                ✓                         ✓             ✓
Dynamic group membership         -                         ✓             ✓
Self-service group management    -                         ✓             ✓
Group creation permissions       ~ (partial)               ✓             ✓
Group naming convention          -                         ✓             ✓
Group expiration                 -                         ✓             ✓
Usage guidelines                 -                         ✓             ✓
Default classification           -                         ✓             ✓
Ways to manage Azure AD
• New Azure Portal: portal.azure.com (also aad.portal.azure.com). Fully working and generally available.
• Legacy Azure Portal: manage.windowsazure.com. Will stop working at a future date.
• PowerShell
• From Office 365: portal.office.com

Azure AD PowerShell – Version Madness
Version 1.1.166 (MSOnline)
• Full release from August 2016
• Supported
• No new functionality
• Still useful
Version 2.x (AzureAD)
• Fully supported
• Not the full functionality of 1.x (but close)
• Operates on Microsoft Graph
• Cannot coexist with any other 2.x module
Version 2.x (AzureADPreview)
• Preview
• Allows for modification of Office 365 Group policies
• Cannot coexist with any other 2.x module
Azure AD Features
Azure Multi-Factor Authentication Prevents unauthorized access to Azure AD by providing an additional level of authentication Prompts users for a second form of authentication (besides password) to verify identity Free for users with admin privileges in Office 365 (use it!)
Azure Multi-Factor Authentication methods: mobile apps, phone calls, text messages.

Single sign-on to any app (Premium is required for more than 10 apps per user)
• Convenience: users don't have to remember multiple usernames and passwords
• Security: the password is only stored in the identity provider (Azure AD)
• Management: centrally manage authentication processes
Integrated with SaaS apps, web apps (through Azure Active Directory Application Proxy), custom apps and other directories.
Example integrated applications: Google Apps, Workday, ServiceNow, Cornerstone OnDemand, SuccessFactors, Salesforce, Clever, Workplace by Facebook, Canvas, Zscaler Two (272,000 active applications).
I want to protect access to my resources from advanced threats
Capabilities: SSO to SaaS, Conditional Access, remote access to on-premises apps, Identity Protection, Privileged Identity Management, Multi-Factor Authentication, security reporting, on-premises MFA.
Conditional Access conditions: user or group, location (IP range), device state, risk.
Conditional Access controls: allow access, enforce MFA, block access, wipe device. Applies to cloud apps and on-premises applications.

Conditional Access evaluation
• Conditions: users, devices, location, apps, session risk (machine learning, real-time evaluation engine)
• Policies are combined into an effective policy for the app (cloud apps, on-premises apps, web apps)
• Controls: allow access, require MFA, force password reset, deny access, limit access

Privileged Identity Management: discover, restrict, and monitor privileged identities
• User privileges expire after a specified interval
• Enforce on-demand, just-in-time administrative access when needed
• Ensure policies are met with alerts, audit reports and access reviews
• Manage admin access in Azure AD and also in Azure RBAC

Administrative tasks with Azure AD Premium
Protect
• Conditional Access, including a different policy for each Office 365 service
• Identity Protection
• Privileged Identity Management (JIT)
• Password writeback to AD
Manage users
• MFA for all apps
• SSO to other SaaS and on-premises apps
• Manage access and provision users to SaaS apps
Manage groups
• Dynamic membership
• Writeback of Office 365 Groups to AD
• Auto-expiration of Office 365 Groups
Operate the identity bridge
• Azure AD Connect Health

End user experiences with Azure AD Premium
Don't have to call the helpdesk as often
• Reset password and unlock user account
• Request access to new applications
• Add applications to my launcher
• Quickly get connected and productive with a new device or PC
• Create and manage both Office 365 Groups and security groups
Simplifies my daily work
• Fewer authentication prompts
• Access other SaaS and on-premises applications from the Office launcher
• Don't need to launch a VPN to get access to the main web apps on premises
• Single sign-on and a single multi-factor service across cloud and on premises
My identity is protected
• Real-time protection of your account
• MFA when needed and not all the time
Ok let’s take a breath, and show some real stuff (and don’t forget to bring a towel)
5 [relatively] simple things you can do using Azure AD to improve Office 365
1. Organizational Sign-in Branding
• Affects any Azure AD or Office 365 sign-in: portal.office.com, mobile apps, Office Pro Plus, etc.
• Different from the branding within the Office 365 portal and SharePoint
• Great way to make Office 365 your own
• Helps provide sign-in instructions to users
• Reassures your users that they are signing in to the right page
• Makes your marketing department happy ☺
(Screenshots: sign-in page before and after branding.)

2. Set up Multi-Factor Authentication for Admins
• As mentioned, this is free for Office 365 admins
• Admin accounts are a huge security vulnerability
• If an admin account is breached, your entire organization can be considered breached
• Supported by all PowerShell modules
• Skype will hate you
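As an added example (not from the deck), the following MSOnline script turns the "MFA for admins" advice into a check: it lists members of the most sensitive Office 365 admin roles whose per-user MFA state is not "Enforced", and can optionally enforce it. The role list, the $ReportOnly switch and the "Enforced" target are choices made for this example; the cmdlets and the StrongAuthenticationRequirement type are the documented MSOnline ones.

```powershell
# Added example: audit (and optionally enforce) per-user MFA for admin-role members.
# Assumes the MSOnline module and an account permitted to read directory roles.

Import-Module MSOnline
Connect-MsolService

$ReportOnly = $true   # set to $false to enforce MFA on the accounts found

# Roles with tenant-wide impact; extend the list for your tenant (example selection)
$AdminRoles = @(
    "Company Administrator",            # shown as "Global Administrator" in the portal
    "Exchange Service Administrator",
    "SharePoint Service Administrator",
    "User Account Administrator"
)

$Findings = foreach ($RoleName in $AdminRoles) {
    $Role = Get-MsolRole -RoleName $RoleName
    foreach ($Member in Get-MsolRoleMember -RoleObjectId $Role.ObjectId) {
        # Only user principals carry StrongAuthenticationRequirements
        if ($Member.RoleMemberType -ne "User") { continue }
        $User  = Get-MsolUser -ObjectId $Member.ObjectId
        $State = ($User.StrongAuthenticationRequirements | Select-Object -First 1).State
        if (-not $State) { $State = "Disabled" }
        [pscustomobject]@{
            Role              = $RoleName
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $State
        }
    }
}

# "Enabled" only means the user will be asked to register; "Enforced" means MFA is actually required
$Gaps = $Findings | Where-Object { $_.MfaState -ne "Enforced" } | Sort-Object UserPrincipalName -Unique
$Gaps | Format-Table Role, UserPrincipalName, MfaState -AutoSize

if (-not $ReportOnly) {
    $Requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $Requirement.RelyingParty = "*"
    $Requirement.State = "Enforced"
    foreach ($Gap in $Gaps) {
        Set-MsolUser -UserPrincipalName $Gap.UserPrincipalName -StrongAuthenticationRequirements @($Requirement)
    }
}
```

Run it in report-only mode first; an account jumping straight to "Enforced" without a registered method will be forced through registration at its next sign-in, which is exactly what you want for admins but worth announcing.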
3. Restrict Office 365 Group Creation
• To be honest, this one is less simple
• Requires Azure AD PowerShell Preview
• Group creation used to be controlled by Exchange Online
• With Planner, Teams, SharePoint team sites, Power BI and more able to create Groups, it is now controlled through Azure AD
• A policy can be created in Azure AD that only allows certain groups of users to create Groups
• Any other attempt will result in an error (error messages can get strange)
• Policy is created through PowerShell, or through the portal if you have Azure AD Premium

# Restrict Office 365 Group creation (corrected from the slide: missing $ on $Setting, .objected -> .ObjectId)
Import-Module AzureADPreview
Connect-AzureAD
# Create the Group.Unified directory setting from its template
# (New-AzureADDirectorySetting errors if the setting already exists; skip it in that case)
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
# Re-read the setting by its Id, then set the two values
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id
$Setting["EnableGroupCreation"] = $False
# <AllowedGroupName>: placeholder for the security group whose members may create Groups
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<AllowedGroupName>").ObjectId
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id -DirectorySetting $Setting
Reference: https://support.office.com/en-us/article/manage-who-can-create-office-365-groups-4c46c8cb-17d0-44b5-9776-005fced8e618
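Because the error users get when creation is blocked "can get strange", it helps to be able to read the policy back and answer "can this person create a Group?" before the helpdesk ticket arrives. The script below is an added example, not the deck's code: it reads the Group.Unified setting with the same AzureADPreview cmdlets and checks one user's membership in the allowed group. $UserToCheck is a constructed example value.

```powershell
# Added example: read back the Group.Unified setting and report who may create Office 365 Groups.
# Assumes the AzureADPreview module and an account that can read directory settings.

Import-Module AzureADPreview
Connect-AzureAD

$UserToCheck = "user@contoso.com"   # constructed example UPN

$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $Setting) {
    Write-Output "No Group.Unified setting exists: every user can create Office 365 Groups."
    return
}

# .Values is a collection of Name/Value pairs; flatten it into a hashtable
$Values = @{}
foreach ($V in $Setting.Values) { $Values[$V.Name] = $V.Value }

Write-Output ("EnableGroupCreation         : {0}" -f $Values["EnableGroupCreation"])
Write-Output ("GroupCreationAllowedGroupId : {0}" -f $Values["GroupCreationAllowedGroupId"])

if ($Values["EnableGroupCreation"] -eq "True") {
    Write-Output "Group creation is open to all users; the allowed-group setting is not restricting anything."
    return
}

$AllowedGroupId = $Values["GroupCreationAllowedGroupId"]
if (-not $AllowedGroupId) {
    Write-Output "Group creation is disabled and no allowed group is set: only admin-role holders can create Groups."
    return
}

$AllowedGroup = Get-AzureADGroup -ObjectId $AllowedGroupId
# -All $true pages through large groups; nested group membership is not expanded here
$Members = Get-AzureADGroupMember -ObjectId $AllowedGroupId -All $true
Write-Output ("Allowed group '{0}' has {1} direct member(s)." -f $AllowedGroup.DisplayName, @($Members).Count)

$User = Get-AzureADUser -ObjectId $UserToCheck
$CanCreate = @($Members).ObjectId -contains $User.ObjectId
Write-Output ("{0} can create Office 365 Groups: {1}" -f $UserToCheck, $CanCreate)
```

Note the third branch: if EnableGroupCreation is False and no allowed group is set, only accounts holding admin roles can create Groups, which is sometimes the intended outcome and sometimes an accident of running the slide's script with an empty -SearchString.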
4. Automatically Assign Licenses
• Assign licenses based on group membership
• Automatically removes and adds licenses when users join or leave groups
• No more licensing scripts!
• In preview
• Only works for security groups
• Requires a separate Azure AD license (for now)

5. Scope Admin Roles
• The admin center now supports "Azure Active Directory Administrative Units" (preview)
• Delegate and restrict administrative permissions
• Enable administration by department, business unit, etc.
• Requires Azure AD Premium
• PowerShell-based setup (Azure AD PowerShell)
Reference: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-management
(Screenshot: Scope Admin Roles.)
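As an added example (not from the deck), here is the PowerShell-based setup the slide refers to, carried through for one department: create an administrative unit, fill it from the users' Department attribute, and give one account the User Administrator role scoped to that unit only. It uses the AzureADMS* cmdlets of the AzureADPreview module (earlier preview releases exposed the same operations under AzureADAdministrativeUnit names); the department name, the delegated admin's UPN and the attribute filter are example values.

```powershell
# Added example: delegate user administration for one department via an administrative unit.
# Assumes the AzureADPreview module and a Global Administrator session.

Import-Module AzureADPreview
Connect-AzureAD

$Department    = "Science"                       # example department
$ScopedAdminUpn = "science.admin@contoso.com"    # example account to delegate to

# 1. Create the administrative unit, or reuse it if it already exists
$AU = Get-AzureADMSAdministrativeUnit -Filter "DisplayName eq '$Department'"
if (-not $AU) {
    $AU = New-AzureADMSAdministrativeUnit -DisplayName $Department -Description "$Department department users"
}

# 2. Populate it from the Department attribute (synced from on-prem AD or set in the cloud),
#    skipping users who are already members
$Users    = Get-AzureADUser -Filter "Department eq '$Department'" -All $true
$Existing = @(Get-AzureADMSAdministrativeUnitMember -Id $AU.Id -All $true).Id
foreach ($U in $Users) {
    if ($Existing -notcontains $U.ObjectId) {
        Add-AzureADMSAdministrativeUnitMember -Id $AU.Id -RefObjectId $U.ObjectId
    }
}

# 3. Scope the User Administrator role to this unit only.
#    A directory role must be activated once in the tenant before it can be assigned;
#    older tenants list the role as "User Account Administrator".
$RoleNames = @("User Administrator", "User Account Administrator")
$Role = Get-AzureADDirectoryRole | Where-Object { $RoleNames -contains $_.DisplayName }
if (-not $Role) {
    $RoleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $RoleNames -contains $_.DisplayName }
    $Role = Enable-AzureADDirectoryRole -RoleTemplateId $RoleTemplate.ObjectId
}
$Admin = Get-AzureADUser -ObjectId $ScopedAdminUpn
$RoleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$RoleMember.Id = $Admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $AU.Id -RoleId $Role.ObjectId -RoleMemberInfo $RoleMember

# 4. Verify: the assignment should appear on the unit and NOT among the tenant-wide role members
Get-AzureADMSScopedRoleMembership -Id $AU.Id | Format-List
Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId |
    Where-Object { $_.ObjectId -eq $Admin.ObjectId }   # expected to return nothing
```

The verification step matters: a scoped assignment and a tenant-wide assignment of the same role look identical in the delegated admin's day-to-day experience, so the only way to confirm least privilege is to check that the account is absent from the unscoped role membership.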
Questions
Thank you! Come ask me questions, and leave feedback.
Join me next for: Microsoft Enterprise Mobility & Security
Stay in touch! Email: maxf@nowmicro.com | Twitter: @TheCloudSherpa | Website/Blog: maxafritz.com