Office 365 and Azure Active Directory Identities In-depth

Similar documents
Single Sign-On Showdown

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

/

Tech Dive: Microsoft Azure Identity Management and Office 365

Overview What is Azure Multi-Factor Authentication? How it Works Get started Choose where to deploy MFA in the cloud MFA on-premises MFA for O365

Identity as the core of enterprise mobility

Extranet Identity Management and Authentication for SharePoint On Premise, Office 365 and Beyond

Deploying F5 with Microsoft Active Directory Federation Services

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Exam : Implementing Microsoft Azure Infrastructure Solutions

Deploying F5 with Microsoft Active Directory Federation Services

Real4Test. Real IT Certification Exam Study materials/braindumps

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Ten most common Mistakes with AD FS and Hybrid Identity. Sander Berkouwer MVP, DirTeam.com

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Developing Microsoft Azure Solutions (70-532) Syllabus

BraindumpsQA. IT Exam Study materials / Braindumps

SAP Security in a Hybrid World. Kiran Kola

Extranets in SharePoint and SSO for Claims Apps. January 18, 2017

Developing Microsoft Azure Solutions (70-532) Syllabus

Microsoft Managing Office 365 Identities and Requirements. Download Full version :

Hybrid Identity de paraplu in de cloud

Centrify Identity Services for AWS

O365 Solutions. Three Phase Approach. Page 1 34

Use EMS to protect your mobile data and mobile app

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Extranets in SharePoint and Office 365 May 17, 2017

Microsoft Azure Course Content

Developing Microsoft Azure Solutions (70-532) Syllabus

Architecting Microsoft Azure Solutions (proposed exam 535)

Sentinet for Microsoft Azure SENTINET

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On-Premises Tools

Microsoft Architecting Microsoft Azure Solutions.

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Course Outline 20742B

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

News and Updates June 1, 2017

M20742-Identity with Windows Server 2016

AD FS v3. Deployment Guide

Course 10993A: Integrating On-Premises Identity Infrastructure with Microsoft Azure

Integrating On-Premises Identity Infrastructure with Microsoft Azure

User Directories. Overview, Pros and Cons

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)


Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Partner Center: Secure application model

Administering Jive Mobile Apps for ios and Android

Cloud Operations Using Microsoft Azure. Nikhil Shampur

20742: Identity with Windows Server 2016

Identity with Windows Server 2016

RSA SecurID Access Configuration for Microsoft Office 365 STS (Secure Token Service)

Identity with Windows Server 2016

METHODOLOGY This program will be conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises.

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Vendor: Microsoft. Exam Code: Exam Name: Administering Office 365. Version: DEMO

SAML-Based SSO Solution

Exam Code: Exam Code: Exam Name:Managing Office 365 Identities and Requirements.

Tracking changes in Hybrid Identity environments with both Active Directory and Azure Active Directory

Object of this document

CMB-207-1I Citrix Desktop Virtualization Fast Track

OpenIAM Identity and Access Manager Technical Architecture Overview

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

COURSE OUTLINE IT TRAINING

MOC 20417C: Upgrading Your Skills to MCSA Windows Server 2012

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Azure Active Directory from Zero to Hero

ENABLING AND MANAGING OFFICE 365

WELCOME! Using Microsoft Office 365 for a Robust Mail and Conferencing System

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Five9 Plus Adapter for Agent Desktop Toolkit

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Developing Microsoft Azure Solutions

Planning and Operating Azure Stack. How to handle a unicorn?

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On- Premises Tools

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

SHAREPOINT 2016 ADMINISTRATOR BOOTCAMP 5 DAYS

Introduction. The Safe-T Solution

Planning for and Managing Devices in the Enterprise: Enterprise Management Suite (EMS) & On-Premises Tools

70-532: Developing Microsoft Azure Solutions

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Vendor: Microsoft. Exam Code: Exam Name: Managing Office 365 Identities and Requirements. Version: Demo

Active Directory Services with Windows Server

Active Directory Services with Windows Server

At Course Completion After completing this course, students will be able to:

Identity as the Entrée to the Microsoft Cloud

ArcGIS Online A Security, Privacy, and Compliance Overview. Andrea Rosso Michael Young

Assess Remediate Enable Migrate

Setting Up Resources in VMware Identity Manager

Integrating AirWatch and VMware Identity Manager

Installing and Configuring vcloud Connector

EXPERTS LIVE SUMMER NIGHT. Close your datacenter and give your users-wings

Configuring a Windows Server 2008 Applications Infrastructure

MOC 20417B: Upgrading Your Skills to MCSA Windows Server 2012

The Modern Web Access Management Platform from on-premises to the Cloud

Overview SENTINET 3.1

Microsoft Azure Architect Technologies (beta)

MB Microsoft Dynamics CRM 2016 Online Deployment.

Copyright

Transcription:

Office 365 and Azure Active Directory Identities In-depth Jethro Seghers Program Director SkySync #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

Agenda Introduction Identities Different forms of authentication Azure Active Directory Premium QA #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

Today s identity challenges #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

Management portal(s) PowerShell GRAPH APIs Synchronise users from your AD DS Azure subscriptions Office365 Your apps Partner apps Users signed-in to Azure AD have SSO to all applications Application gallery

1. MS Online IDs Appropriate for Smaller organizations without AD on-premise Pros No servers required on-premise Cons No SSO 2 sets of credentials to manage with differing password policies Users and groups mastered in the cloud Different Identities 2. MS Online IDs + AADConnect Appropriate for Orgs with AD on-premise Pros No servers required on-premise Users and groups mastered onpremise Enables co-existence scenarios Several SSO options Cons Single server deployment (?) 3. Federated IDs + AADConnect Appropriate for Larger enterprise organizations with AD on-premise Pros SSO with corporate cred Full control over authentication Support for non-ad systems Cons High availability server deployments required #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

Identity architecture: Identity options 1. Microsoft Online IDs 2. Microsoft Online IDs + AADConnect 3. Federated IDs + AADConnect Microsoft Office 365 Services Bronze Sky customer premises Trust Federation Gateway Active Directory Federation Server Authentication platform IdP IdP AD AADConnect Provisioning platform Directory Store Service connector Admin Portal #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

What is AADConnect? is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize a subset of your on-premise Active Directory with Windows Azure Active Directory (Office 365). #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

On-premises Azure AD Synchronise users, groups and devices Requires immutable ID Enable write-back for passwords, devices and groups

AD account to access AD AD account should only have the privileges necessary to perform required tasks Service account to run Azure AD Connect Continuously evolving product Automatic upgrades are possible Set-ADSyncAutoUpgrade Sync Engine ++ Azure AD account to access Azure AD SQL Server 2012 Express LocalDB or SQL Server 2008 or higher

How does AADConnect work? AADConnect Active Directory METAVERSE

Demo: AAD Connect #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

AD Connect replaces earlier tools, upgrades are possible DirSync Azure AD Sync FIM and the Azure AD Connector ++ more than just a synchronization engine Manages user sign-in options Write-back for password, devices and groups Tools to support AD FS Simple UI experience to update AD FS SSL certificates Fix trust Login testing Azure AD Connect Health agent, reports status to the Azure AD Connect Health Portal https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-installprerequisites

One-stop shop for viewing the health of your identity infrastructure Azure AD Connect AD FS On-premises AD Agents installed on identity infrastructure components Monitoring and alerts Email notification of critical alerts Trends in performance data Usage reports Requires a P1 license

AuthN agent Username and password validated against AD WAP AD FS Username and password validated against AD

Identity Synchronization with password (hash) sync Microsoft Azure User attributes are synchronized using Identity Synchronization services including a password hash, Authentication is completed against Azure Active Directory

Identity Synchronization Microsoft Azure User attributes are synchronized using Identity Synchronization tools, Authentication is passed back through federation and completed against Windows Server Active Directory AD FS

Identity Synchronization Active Directory Pass Through Agent Microsoft Azure User attributes are synchronized using Identity Synchronization tools, Authentication is completed against Windows Server Active Directory using the Passthrough Agent

AuthN agent Username and password validated against AD WAP AD FS Username and password validated against AD

Claims-aware app Directory Synchronization Your AD FS Your AD Browse app Not authenticated App trusts Azure AD Azure AD Trusts your AD FS Redirect to your Azure AD Home realm discovery via UPN Redirected to your AD FS Return ST for consumption by Azure AD Authenticate Redirected to Azure AD Return new ST Process token Send Token Return cookies and page Retrieve full user details if required

Perimeter network Web Application Proxy farm Intranet AD FS farm Firewall & Load Balancer Firewall & Load Balancer Active Directory Internet Configuration database

Federation gives you SSO via on premises AD credentials Seamlessly authenticate to AD FS when the client is attached to the corporate network Now supported by Seamless SSO for PHS and PTA Passwords remain on-premises Now supported via PTA On-premises authentication policies Now supported via PTA On-premises authentication methods (multi-factor) Conditional access via AD FS Capabilities++ provided by Azure AD Federation requires On-premises AD FS infrastructure with high-availability High-availability for the company s Internet connection Remote workers will not be able to authenticate to Azure AD If the link is down Planned recovery from the loss of AD FS availability

Federation may require manual certificate rollover Auto renewal possible for most configurations (AD FS auto certificate rollover enabled) Federation doesn t give you Cloud authentication scalability Identity Protection Requires P2 license PHS & PTA Cloud authentication Cloud scalability Identity protect PTA Simple deployment of agents Automatic update of on-premises agents Automatic rollover of certificates Requires high-availability for the company s Internet connection

AuthN agent Username and password validated against AD WAP AD FS Username and password validated against AD

Azure AD Connect Sync Engine ++ MD4 hash of password stored in unicodepwd attribute Encrypts MD4 with salt and MD5 hash of RPC session key Sends result & salt Requests unicodepwd attribute values via MS-DRSR replication protocol Decrypts to obtain MD4 hash of password Password stored as original MD4 after processing with salt + PBKDF2 + HMAC-SHA256 Note: The on-premises Azure AD Connect AD account requires AD permissions: Replicate Directory Changes Replicate Directory Changes All Sign in PBKDF = password based Key Derivation Function (RFC 2898) MD4 hash expanded, salt added input to PBKDF2 function 1000 interactions of HMAC-SHA256 Result sent to Azure AD Does supplied password value, after processing with MD4, with salt, PBKDF2 and HMAC-SHA256, match stored value for user?

Password synchronization facts On-premises password complexity applies to synchronized users If an administrator changes the cloud password using PowerShell the Azure AD password policy applies An locked out on-premises AD account can still be active in the cloud The cloud password for a PHS user is set to never expire A disabled on-premises AD account will not be reflected in Azure AD until the next sync cycle Potentially 30 mins delay PHS can be used in addition to federation and used as a fall-back #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

AuthN agent Username and password validated against AD WAP AD FS Username and password validated against AD

Credentials validated against on-premises AD Sign in Gather user name and password The pass-through authentication agent (AuthN agent) only requires outbound firewall ports Port 80 and 443 Multiple agents can be deployed for fault tolerance and performance Three agents should provide required performance All communications via mutually authenticated HTTPS

Sync Engine ++ Deploys 1 st AuthN agent on same server as Azure AD Connect AuthN agent generates key pair and sends certificate request to Azure AD Global admin access token and certificate request including public key Creates certificate and stores public key & certificate in SQL AuthN agent associates private key with the certificate Certificate returned Each agent has its own unique certificate and private key Azure AD periodically triggers the renewal of certificates and keys

AuthN agents(s) HTTPS outbound persistent connection mutual authentication via certificates No on-premises passwords Return key for Azure Service Bus Access outbound persistent connection Azure Service Bus Queue AuthN agent removes username and password from queue, decrypts the password with its private key and attempts authentication against AD using Win32 LogonUser API Sign in Returns results: success, username/password incorrect, account locked out User name and password gathered via Azure AD sign in page Azure Service Bus Queue Password encrypted with each AuthN agent s public key User name and encrypted passwords added to queue If successful: user authenticated and MFA possible

Pass-through authentication the facts No on premises passwords in the cloud All on-premises password policies operational Account lockout/disabled operational Does not support on-premises MFA Azure AD MFA supported Works with Alternate ID Does not provide SSO for on-premises credentials Requires Seamless SSO Requires high-availability for the company s Internet connection Remote workers will not be able to authenticate to Azure AD If the link is down Currently does not support legacy auth #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

AAD Premium introduction: Demo #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

Q&A #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback