A Hitchhiker's Guide to Azure Active Directory
@theCloudSherpa
Max Fritz
Senior Systems Consultant, Now Micro
Max Fritz
Email : [email protected]
Twitter : @TheCloudSherpa
Blog: maxafritz.com
LinkedIn : in/maxafritz
Senior Consultant
MCSA Office 365, MCSE Productivity
Founder of Minnesota Office 365 User Group
Working with Office 365 for over 7 years
Specialize in the Education Industry
Focus in Azure AD, Exchange, and SharePoint Online
Contact Details
Now Micro is a Consulting & Device Life Cycle Management company.
Now Micro's Consulting Practice focuses on helping organizations deliver the best end user experience by designing and implementing the most robust Systems Management, Cloud Productivity, and Identity Management solutions available.
Office 365, Windows 10, Enterprise Mobility + Security
Vision: Unified management across users, devices, apps and services.
Identity management in the cloud.
Based on the Active Directory we all already know, but integrated with numerous first and third party cloud services.
Backbone of Office 365
What is Azure Active Directory?
[Diagram: Windows Server Active Directory on premises, linked through Azure AD Connect to Microsoft Azure Active Directory in the Azure public cloud, which in turn connects to commercial IdPs, consumer IdPs, partners and customers]
I want to provide my employees secure and easy access to every application from any location and any device.
I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly.
I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes.
I want to protect access to my resources from advanced threats.
I need to comply with industry regulation and national data protection laws.
[Slide: Azure AD capabilities] Conditional Access, Multi-Factor Authentication, Addition of custom cloud apps, Remote Access to on-premises apps, Privileged Identity Management, Dynamic Groups, Identity Protection, Azure AD DS, Office 365 App Launcher, Group-Based Licensing, Access Panel/MyApps, Azure AD Connect, Connect Health, Provisioning/Deprovisioning, Azure AD Join, Self-Service capabilities, MDM auto-enrollment / Enterprise State Roaming, Security Reporting, Access Reviews, HR App Integration, B2B collaboration, Azure AD B2C, SSO to SaaS, Microsoft Authenticator - Password-less Access
Cloud identity. Manage your user accounts in Office 365 only.
Synchronized identity. Synchronize on-premises directory with Office 365 and manage your users on-premises.
Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. Authenticate with federation servers on premises or third party IdaaS.
Office 365 Identity Management options
Password Hash Sync
Pros: cloud based authentication with the same password as on-premises. Quickest and easiest to deploy. Seamless SSO. Can be used with PTA and AD FS.
Cons: disabling or editing a user on prem needs a sync cycle to complete before it takes effect in the cloud.
Federated Identity
Pros: Windows Integrated Desktop SSO, certificate based auth, 3rd party MFA integration.
Cons: on premises deployment. DMZ deployment.
3rd Party Federated
Pros: 3rd party tools and services pre-tested for basic auth scenarios with WS-Fed.
Cons: only basic scenarios. Second directory store in the cloud. Multiple support channels. Provisioning only using PowerShell and Graph API.
Pass-through Authentication
Pros: cloud based authentication with password validation on prem. Minimal on prem footprint. Seamless SSO.
Cons: legacy Office clients not supported.
https://blogs.msdn.microsoft.com/samueld/2017/06/13/choosing-the-right-sign-in-option-to-connect-to-azure-ad-office-365/
Synchronizing with Azure AD: Azure Active Directory Connect (formerly known as "DirSync")
Connects to Active Directory on premises
Synchronizes users, groups, and contacts
Allows for writes in both directions
Uses SQL Express (or full SQL Server) to manage synchronization
Continuously evolving product; automatic upgrades are possible (Set-ADSyncAutoUpgrade)
Identity + Password Hash synchronization
[Diagram: on-premises Active Directory synchronized to Microsoft Azure Active Directory; Azure Active Directory authenticates the user]
Overview
[Diagram: pass-through authentication agents on premises in front of Active Directory, connected outbound to Microsoft Azure Active Directory]
Secure and compliant: passwords remain on-premises; no DMZ and no inbound firewall requirements
Easy to administer: agent-based deployment; high availability out-of-the-box; no complex on-premises deployments or network config
Cloud-based authentication: same passwords for cloud-based and on-premises apps; integrated with Smart Lockout, Identity Protection and Conditional Access
Identity synchronization + Pass-through authentication with Seamless SSO
[Diagram: sign-in flow between the app, Microsoft Azure Active Directory and the on-premises pass-through authentication agent in front of Active Directory]
1. User attempts to sign in to the app and provides credentials
2. Session is sent to Azure AD for sign-in
3. Azure AD encrypts the credentials and queues the request
4. The PTA agent picks up the queued request
5. The PTA agent uses its private key to decrypt the credentials
6. The PTA agent validates the credentials with Active Directory
7. The PTA agent responds to Azure AD
8. Azure AD completes the sign-in
9. If sign-in is successful, the user accesses the app
Identity synchronization using Azure AD Connect
[Diagram: on-premises Active Directory synchronized to Microsoft Azure Active Directory]
Overview
Easy to administer: no additional on-premises infrastructure; register non-Windows 10 devices without AD FS
Great user experience: single sign-on experience for cloud apps from Active Directory domain-joined devices within your corpnet
Easy to integrate: works with both Password Hash Synchronization and Pass-through Authentication; supports Alternate Login ID
How seamless SSO works with Pass-through authentication and Password hash synchronization
[Diagram: a user signs in from an Active Directory domain-joined PC inside the Contoso corpnet; identity synchronization and managed authentication use Azure AD Connect; Azure AD does Kerberos authentication against Windows Server Active Directory and grants access to Office 365, SaaS, and LoB apps]
Azure AD Connect Health
• One-stop shop for viewing the health of your identity infrastructure
• Azure AD Connect
• AD FS
• On-premises AD
• Agents installed on identity infrastructure components
• Monitoring and alerts
• Email notification of critical alerts
• Trends in performance data
• Usage reports
• Requires a P1 license
How to get Azure AD
Feature/Plan                     Basic (incl. with O365)  Premium P1  Premium P2
Directory Object Limit           Unlimited                Unlimited   Unlimited
Single Sign-On                   10 per user              Unlimited   Unlimited
Reports                          Basic                    Advanced    Advanced
Self-Service                     -                        ✓           ✓
Multi-Factor Auth.               -                        ✓           ✓
Cloud App Discovery              -                        ✓           ✓
Conditional Access*              -                        ✓           ✓
Identity Protection              -                        -           ✓
Privileged Identity Management   -                        -           ✓
How to get Azure AD: Groups
Feature/Plan                     Basic (incl. with O365)  Premium P1  Premium P2
Group activities report          ✓                        ✓           ✓
Soft-delete & restore            ✓                        ✓           ✓
Hidden membership                ✓                        ✓           ✓
Dynamic group membership         -                        ✓           ✓
Self-Service group management    -                        ✓           ✓
Group creation permissions       ~                        ✓           ✓
Groups naming convention         -                        ✓           ✓
Groups expiration                -                        ✓           ✓
Usage guidelines                 -                        ✓           ✓
Default classification           -                        ✓           ✓
New Azure Portal: portal.azure.com
Old Azure Portal: manage.windowsazure.com
PowerShell from Office 365: portal.office.com
New Azure Portal
• portal.azure.com (aad.portal.azure.com)
• Fully working and generally available
Legacy Azure Portal
• manage.windowsazure.com
• Will stop working at a future date
Azure AD PowerShell – Version Madness
Version 1.1.166 (MSOnline)
• Full release from August 2016
• Supported
• No new functionality
• Still useful
Version 2.x (AzureAD)
• Fully supported
• Not full functionality of 1.x (but close)
• Operates on Microsoft Graph
• Cannot coexist with any other 2.x
Version 2.x (AzureADPreview)
• Preview
• Allows for modification of O365 Group policies
• Cannot coexist with any other 2.x
Azure Multi-Factor Authentication
Prevents unauthorized access to Azure AD by providing an additional level of authentication
Prompts users for a second form of authentication (besides password) to verify identity
Free for users with admin privileges in Office 365 (use it!)
Single sign-on to any app
[Diagram: Azure AD provides single sign-on to web apps (through Azure Active Directory Application Proxy), integrated custom apps and SaaS apps, and connects to other directories. 272,000 active applications; examples shown: Zscaler Two, Canvas, Workplace by Facebook, Clever, SuccessFactors, ServiceNow, Workday, Salesforce, Cornerstone OnDemand, Google Apps]
Security: password only stored in the identity provider (Azure AD)
Convenience: don't remember multiple usernames and passwords
Management: centrally manage authentication processes
Microsoft Azure: for more than 10 apps per user
[Diagram: Conditional Access. Conditions: MFA, location (IP range), device state, risk, user group. Controls: allow access, block access, wipe device, enforce MFA. Applies to cloud apps and on-premises applications]
Multi-Factor Authentication, Conditional Access, Privileged Identity Management, Identity Protection, Remote Access to on-premises apps, SSO to SaaS, Security Reporting
I want to protect access to my resources from advanced threats
[Diagram: Identity Protection. Conditions: users, devices, location, apps (cloud apps, on-premises apps, web apps). Machine learning and policies feed a real-time evaluation engine that computes session risk and an effective policy. Controls: require MFA, allow access, deny access, force password reset, limit access]
Discover, restrict, and monitor privileged identities
Enforce on-demand, just-in-time administrative access when needed
Ensure policies are met with alerts, audit reports and access reviews
Manage admin access in Azure AD and also in Azure RBAC
[Diagram: User Administrator privileges expire after a specified interval]
Administrative tasks with Azure AD Premium
Protect
• Conditional Access incl different policy for each Office 365 service
• Identity Protection
• Privileged ID Management (JIT)
Manage users
• Password Writeback to AD
• MFA for All apps
• SSO to other SaaS and On-premises apps
Manage Groups
• Dynamic membership
• Writeback O365 Groups to AD
• Manage access, provisioning users to SaaS apps
• Auto Expiration of Office 365 Groups
Operating identity bridge
• Azure AD Connect Health
End User Experiences With Azure AD Premium
Don't have to call helpdesk as often
• Reset password and unlock user account
• I can request access to new applications
• Can add applications to my launcher
• Quickly get connected and productive with new device or PC
• Can create and manage both Office 365 Groups and Security Groups
Simplifies my daily work
• Fewer authentication prompts
• Access other SaaS and on-premises applications from the Office launcher
• Don't need to launch VPN to get access to main web apps on premises
• Single sign-on and single multifactor service across cloud and on premises
My identity is protected
• Realtime protection of your account
• MFA when needed and not all the time
Organizational Sign-in Branding
• Affects any Azure AD or Office 365 sign-in: portal.office.com, mobile apps, Office Pro Plus, etc.
• Different from the branding within the Office 365 portal and SharePoint branding
• Great way to make Office 365 your own
• Help provide sign in instructions to users
• Reassure your users that they are signing into the right page
• Make your marketing department happy ☺
Setup Multi-Factor Authentication for Admins
• As mentioned, this is free for Office 365 Admins
• Admin accounts are a huge security vulnerability
• If an admin account is breached, your entire organization can be considered breached
• Supported by all PowerShell Modules
• Skype will hate you
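An added check, not from the deck: with the MSOnline (v1.x) module named earlier, the script below lists every user who holds an Office 365 admin role together with their per-user MFA state, and can optionally turn MFA on for the ones that have none. It assumes a Global Administrator session; MFA required only through Conditional Access policies is not visible here.

```powershell
# Added example (not from the slides): audit admin role members for per-user MFA.
# Assumes the MSOnline module is installed and the signed-in account is a Global Administrator.
Import-Module MSOnline
Connect-MsolService

# Set to $true to enable per-user MFA for admins found without it
$Enforce = $false

$report = foreach ($role in Get-MsolRole) {
    # Only user members carry an MFA state; groups and service principals do not
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' }
    foreach ($member in $members) {
        $user  = Get-MsolUser -ObjectId $member.ObjectId
        $state = $user.StrongAuthenticationRequirements.State   # 'Enabled', 'Enforced' or empty
        if (-not $state) { $state = 'Disabled' }
        [pscustomobject]@{
            Role     = $role.Name
            User     = $user.UserPrincipalName
            MfaState = $state
            Methods  = ($user.StrongAuthenticationMethods.MethodType) -join ','
        }
    }
}

$report | Sort-Object User, Role | Format-Table -AutoSize

# Admins with no per-user MFA requirement at all (Conditional Access policies are not reflected here)
$unprotected = $report | Where-Object { $_.MfaState -eq 'Disabled' } |
    Select-Object -ExpandProperty User -Unique

if ($Enforce) {
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enabled'   # the user is asked to register MFA at the next sign-in
    foreach ($upn in $unprotected) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
        Write-Host "Per-user MFA enabled for $upn"
    }
} else {
    $unprotected | ForEach-Object { Write-Warning "No per-user MFA requirement: $_" }
}
```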
Restrict Office 365 Group Creation
• To be honest, this one is less simple
• Requires Azure AD PowerShell Preview
• Group Creation used to be controlled by Exchange Online
• With Planner, Teams, SharePoint Team Sites, PowerBI and more able to create Groups, it is now controlled through Azure AD
• Policy can be created in Azure AD that only allows certain groups of users access to create Groups
• Any other attempts will result in error (error messages can get strange)
• Policy created through PowerShell
• Or through the portal if you have AAD Premium
Restrict Office 365 Group Creation
Import-Module AzureADPreview
Connect-AzureAD
# Create the Group.Unified settings object from its template. New-AzureADDirectorySetting
# fails if the tenant already has a Group.Unified setting; in that case skip these three lines.
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
# Read the setting back by its object id
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id
# Turn off creation for everyone, then allow only members of one security group.
# -SearchString matches on a name prefix, so check that exactly one group comes back.
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<Name of your security group>").ObjectId
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id -DirectorySetting $Setting
https://support.office.com/en-us/article/manage-who-can-create-office-365-groups-4c46c8cb-17d0-44b5-9776-005fced8e618
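An added verification step, not part of the deck: after applying the policy above, this script reads the Group.Unified setting back, handles the cases where no setting exists or creation was left enabled, and lists the members of the allowed group so the delegation can be reviewed. It assumes an existing Connect-AzureAD session with the AzureADPreview module loaded.

```powershell
# Added example (not from the slides): verify the Group.Unified setting and report who
# can currently create Office 365 Groups. Assumes an existing Connect-AzureAD session.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    Write-Warning 'No Group.Unified setting exists: tenant defaults apply and every user can create Groups.'
    return
}

# Setting values are stored as strings ("True"/"False"); an empty value means the default (enabled)
$creationEnabled = ($setting['EnableGroupCreation'] -ne 'False')
$allowedGroupId  = $setting['GroupCreationAllowedGroupId']

if ($creationEnabled) {
    Write-Warning 'EnableGroupCreation is True: all users can create Groups regardless of GroupCreationAllowedGroupId.'
    return
}

if ([string]::IsNullOrEmpty($allowedGroupId)) {
    Write-Host 'Group creation is restricted and no group is allowed: only administrators can create Groups.'
    return
}

# Resolve the allowed group and list its members so the delegation can be reviewed
$group = Get-AzureADGroup -ObjectId $allowedGroupId
Write-Host "Group creation is restricted to members of '$($group.DisplayName)' ($allowedGroupId):"
Get-AzureADGroupMember -ObjectId $allowedGroupId -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectType |
    Format-Table -AutoSize
```

Nested groups are not expanded by the policy, so only direct members shown here can create Groups.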
Automatically Assign Licenses
• Assign licenses based on group membership
• Automatically removes and adds licenses when users join or leave groups
• No more licensing scripts!
• In preview
• Only works for security groups
• Requires separate Azure AD license (for now)
Scope Admin Roles
• Admin Center now supports "Azure Active Directory Administrative Units" (preview)
• Delegate and restrict administrative permissions
• Enable administration by department, business unit, etc.
• Requires Azure AD Premium
• PowerShell based setup (Azure AD PowerShell)
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-management
Thank you!
Email : [email protected]
Twitter : @TheCloudSherpa
Website/Blog: maxafritz.com
Stay in touch!
Come ask me questions!
Leave feedback
Join me next for: Microsoft Enterprise Mobility & Security