Skip to content

Latest commit

 

History

History
286 lines (258 loc) · 13.6 KB

2.2.2. Governance - Azure AD - Hybrid Identities.md

File metadata and controls

286 lines (258 loc) · 13.6 KB

Hybrid Identities

  • Hybrid (common) identity = Cloud + On Premises identity
  • Connection is done through Azure AD connect

Four Pillars

  • Unified Development and DevOps
    • A common approach to building applications, and full flexibility to deploy in the cloud or on-premises
  • Integrated management and security
    • Built-in management and security solutions across full operational lifecycle from cloud to on-premises
  • Common Identity
    • Enable end-user productivity with single sign on to cloud and on premises applications while protecting corporate data
    • Single identity
      • Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups and devices in sync
    • Single Sign-on
      • Provide single sign-on access to your application including thousands of pre-integrated SaaS apps
    • Conditional Access
      • Protect identities by enforcing risk-based conditional access policies and multi-factor authentication for both on-premises and cloud applications
    • Remote Access
      • Provide secure remote access to on-premises web applications through Azure AD Application Proxy
    • Self Service
      • Self service password reset and application access requests for directories in the datacenter an the cloud
    • High Availability
    • Collaboration
      • Enable vendors, contractors and partners to get risk-free access to in-house resources
    • Consistency
      • Truly consistent capabilities
  • Consistent Data Platform
    • Seamlessly distribute data between cloud and on-premises
    • Enrich with analysis and deep learning

Azure AD Connect

  • Integrate your on-premises AD or LDAP directory to the cloud
  • Establish a single identity for your us ers to access on-premises and cloud-based resources
  • Connect your users to thousands of SaaS applications published through Azure
  • Manage in Azure AD Connect → Synchronization Service
  • Adjust to business changes after Azure AD Connect is installed.
  • Change the service accounts
  • Add the Managers OU to be included in the synchronization

Preparing for Azure AD Connect

  • Create a new user in Azure AD as Global Administrator
  • Download Azure AD Connect and install it.
    • You need > Windows Server 2008

Install and configure Azure AD Connect

  • Installation settings
    • Initially
      • Custom or Express installation
      • Installation location
      • Create an express SQL or use an existing SQL instance
      • Provide a service account or create a new one
        • Service account for SQL server
      • Custom sync groups
        • Fill: Administrators group, operators group, browser group, password reset groups
        • AD Connect groups not domain groups!
    • Then
      • How users will sign-in
        • One of them: Password synchronization, Pass-through authentication, Federation with AD FS
        • Enable sign on → Yes, No
      • Forest and Azure credentials
        • Global administration username password
        • Select directory type (AD or LDAP)
          • Then type Forest name
        • Create new AD account or use existing AD account
        • Type domain username and password
          • 💡 Recommended to enter Enterprise Admin credentials
      • Select UPN for sign-in
        • E.g. azure-contoso.com
        • Select user name: e.g. userPrincipalName, treeName, unicodePwd
    • Then
      • Choose what domains and OUs get synchronized to the cloud
        • Sync all domains and OUs or sync selected domains and OUs
      • How to uniquely identify users
        • Identification:
          1. Users are represented only once across all directories.
          2. User identities exist across multiple directories.
            • Match using: mail attribute, specific attribute, etc.
        • Source anchor (ID)
          1. Let Azure manage the source anchor for me
          2. Specific attribute: objectGUID, pager, objectSid etc.
      • Filter users and devices by group
        1. Synchronize all users and devices
        2. Synchronize selected
      • Optional features
        • Exchange hybrid deployment
        • Exchange mail public folders
        • Azure AD app and attribute filtering
        • Password synchronization
        • Password writeback
        • Group writeback
        • Device writeback
        • Directory extension attribute sync.
      • Enable single sign on
        • ❗ Requires domain administrator account
      • Choose staging mode or install it
        • Staging mode: Synchronization won't synchronize any data to Azure AD
    • Post installation
      • Install AzureAD powershell module
      • 💡 Then enable Azure AD recycle bin

Metaverse

  • What'll be synced in the next synchronization
    • Connectors to and from on-premises Active Directory
    • Connectors to and from Azure Active Directory
  • Controls what attributes from what objects from what location are available for synchronization

Hybrid Planning

Sign On

  • Authentication and Authorization
    • How do users typically login to their on-premises environment?
    • How will users sign-on to the cloud?
    • Will you be allowing workers from partner networks access to cl oud and on-premises resources?
  • Multi Factor Authentication
    • Do you currently implement multi-factor authentication?
    • What are the key scenarios that you want to enable MFA for?
    • Will you use MFA to secure Microsoft Apps?
    • Will you use MFA to secure remote access to on-premises apps?
  • Delegation and Administration
    • Does your company have more than one user with elevated privilege to manage your identity system?
    • Does your company need to delegate access to users to manage specific resources?
    • Does each delegated user need the same access?

Synchronization

  • Directory synchronization
    • Do you have a disaster recovery plan for the synchronization server?
    • Where will the synchronization server be located?
      • E.g. if it's behind a firewall, you'll need to open up some ports
    • Do you have any other directory on-premises like LDAP or an HR database?
    • Does your company use Microsoft Exchange?
  • Multi Forest synchronization
    • Are the UPNs unique in your organization?
      • More than one forest → You can call people same thing as other people → You won't be able to do that in single Azure AD as they need unique UPNs.
    • Will the Azure AD Connect server be able to get to each forest?
    • Do you have an account with the correct permissions for all forests you want to synchronize with?
  • Password synchronization
    • Do you have restrictions on storing passwords in the cloud?
    • Will your employees be able to reset their own passwords?
    • *What account lockout policy does your company require?

Applications

  • Applications
    • Will users be accessing on-premises applications? In the cloud? Or both?
    • Are there plans to develop new applications that will use cloud authentications?
      • If so, then make sure that authentication can use OAuth, certificates e.t.c.
    • Will cloud users be accessing applications on-premises?
    • Will on-premises users be accessing applications in the cloud?
  • Access Control
    • Does your a company need to limit access to resources according to some conditions?
    • Does your company have any application that needs custom control access to some resources?
    • Does your company need to integrate access control capabilities between on-premises and cloud resources?
    • Does each user need the same access level?

Domain Structure

  • Domain Name
    • What name will your organization use for your domain in the cloud?
    • Does your organization have a custom domain name?
    • Is your domain public and easily verifiable via DNS?
  • Directory Structure
    • How many AD forests do you have?
    • How many Azure AD directories?
    • Will you filter what user accounts are synchronized with the Azure AD?
    • Do you have multiple Azure AD Connect servers planned?
    • Do you have different directory that users authenticate against?
  • Federation
    • Will you use the Azure Federation or on-premises AD FS?
      • An option is moving on-premises AD FS to Azure Federation.
    • More federation services for identities are provided now through Azure
    • Does your organization use smart cards for Multi Factor Authentication

Forest to Azure AD Topology

  • ❗ Restrictions
    • One to one relation between Azure AD and AD Connect
      • Multiple AD Connect can not connect to Single azure AD
      • Azure AD Connect cannot connect to multiple Azure AD directories
    • The same user account cannot sync to multiple Azure AD directories
    • Users in one Azure AD cannot appear as contacts in another Azure AD directory
  • Single Forest to Single Azure AD
    • Single Forest → Single AD Connect → One Multiple AD
    • Most common topology
    • 💡 Recommended by Microsoft
    • Expected topology when using Azure AD Connect Express installation
    • Supports multiple domains
  • Single Forest to Multiple Azure AD
    • Single Forest → Multiple AD Connects → One Multiple AD
    • Useful when e.g. some users passwords cannot be written back to the cloud but another department can do it.
    • ❗ Azure AD Connect sync servers must be configured for mutually exclusive filtering.
    • ❗ Users in one Azure AD will only be able to see users from their own Azure AD instance.
    • ❗ A DNS domain can only be registered in a single Azure AD directory.
    • ❗ Some write-back features not supported with this topology
      • No group / device writeback
  • Multiple Forest to Single Azure AD
    • Multiple Forest → One AD Connect → One Azure AD
    • ❗ Users must have only one identity across all forests
    • The user authenticates to the forest in which their identity is located.
    • All forests are accessible by Azure AD Connect
    • ❗ Users have only one mailbox
  • Multiple Forest to Multiple Azure AD
    • Multiple Forest → Multiple AD Connects → Multiple Azure ADs
    • Useful especially if you need isolation for different forests.
    • For each instance of Azure AD, you'll need an installation of Azure AD Connect
    • Users in one Azure AD will only be able to see users from their AAD instance.

Register domain name

  • Add Azure AD Domain Name
    • Create directory where organization name is contoso.local.
    • Add domain name azure-contoso.com and verify through TXT DNS entry.
  • Add UPN Suffix
    • On-prem resources has [email protected] but you'll need [email protected] to allow e.g. SSO.
    • Flow:
      1. Add azure-contoso.com as an alternative UPN Suffix through Active Directory Domains and Trusts
      2. Add azure-contoso.com to all user accounts as the preferred UPN suffix.

Single Sign On

  • Password synchronization
    • A copy of password and usernames is synchronized to the cloud.
  • Pass through authentication
    • You don't store passwords in cloud
    • User is authenticated using pass through authentication agent that connects with on-premises AD
    • Works seamlessly with Azure Multi-Factor authentication
  • Seamless SSO
    • Works with Azure AD Join or the desktop is previously joined to your AD domain
    • Requires Azure service endpoints to be added to the client browser's Intranet zone.
      • This way the browser can send the Kerberos ticket to the website.
    • Flow:
      1. Client from a joined device tries to access to a resource in cloud.
      2. Local client goes to AD DC and gets an access token.
      3. Client forwards access token to Azure AD.
        • If MFA is enabled, it'll prompt user.

Making cloud apps available

  • Cloud apps are registered as Enterprise Application
  • Configured in portal
    • Azure AD → Enterprise Applications
    • 4 categories
      1. Gallery applications
      2. Applications you're developing, integrated with Azure AD
      3. On-premises applications with Azure AD Application Proxy
        • Azure AD Application Proxy
          • Allows Azure to reach on-premises resources.
          • Consistent access to private resources without a VPN.
          • Install App Proxy & Connector on-premises
            • ❗ Cannot be installed on a server with the Pass Through Authentication connector
            • ❗ You need to configure a CNAME on DNS for the particular domain work for it to work.
          • Set-up on Azure
            • Add applications
            • Assign to users
            • Configure SSO
            • Provision just like any SaaS app
          • Flow for Azure user reaching on-premises resource:
            1. Azure AD gives a token to user
            2. User sends that token to Azure App Proxy
            3. Proxy takes UPN and SPN and gives it to connector
            4. Connector goes to on-prem AD and gets Kerberos ticket.
            5. It forwards it to actual on-prem application, it verifies the ticket and ticket is assigned to the cloud user.
      4. Non-gallery applications
  • Manage permission
    • Azure AD → Enterprise Applications → In application → Users and groups
  • Configure SSO
    1. Configure SSO for the new application
      • Manage permission
        • Azure AD → Enterprise Applications → In application → Single sign-on
      • Sign-on types:
        • Password-based Sign-on
        • Linked Sign-on
        • SAML
          • Provides step by step guide for federation between application and Azure AD manually
    2. Click on the new application new in the Azure AD MyApps access panel
      • Access panel is reached at myapps.microsoft.com
      • It prompts you to install a browser extension
    3. Install Access Panel Extension
    4. Log into application so that password is stored for SSO