Microsoft Azure AD architecture and features

Uploaded by ssuser381403, 57 slides, Jun 20, 2024 (267 views)

About This Presentation

Azure AD


Slide Content

Partner Practice Enablement - Overview
This session introduces Microsoft Azure Active Directory and then progresses into some key features of the service, such as configuring access to SaaS applications, supporting multi-factor authentication, and comparing and contrasting the premium features of the service. The module also covers running Windows Server AD workloads in Azure Virtual Machines.
Audience: IT Professionals and Architects
Module 1 – Introduction to Microsoft Azure
Module 2 – Microsoft Azure Virtual Machines
Module 3 – Microsoft Azure Networking
Module 4 – Microsoft Azure Active Directory
Module 5 – Cloud Services and Websites
Module 6 – SQL Server and SharePoint
Module 7 – Management and Monitoring

About the Instructor
Michael Washam, Microsoft Azure Trainer
http://www.opsgility.com
Twitter: @MWashamTX
[email protected]
CEO & Co-Founder of Opsgility, Experts in Instructor-Led Microsoft Azure Training. Prior to starting Opsgility, Michael was a Principal Cloud Architect with a leading Solution Integrator and a fifteen-year Microsoft veteran. While at Microsoft, Michael's roles included being a Senior Program Manager on the Microsoft Azure Runtime team and a Senior Technical Evangelist for Microsoft Azure Infrastructure Services. Michael was the original developer of the Microsoft Azure PowerShell Cmdlets and is a globally recognized speaker for conferences such as TechEd and BUILD.

Microsoft Azure Active Directory

Agenda
Microsoft Azure Active Directory Introduction
Application Access
Azure AD Application Proxy
Multi-Factor Authentication (MFA)
Company Branding
Directory Integration
Running Windows Server AD / AD FS on Azure VMs

Microsoft Azure Active Directory Introduction

Microsoft Azure Active Directory
What is it?
A multi-tenant service that provides enterprise-level identity and access management for the cloud.
Built to support global scale, reliability and availability.
Backed by a 99.99 % SLA for Azure AD Premium or Basic.
What can I do with it?
Manage users and access to cloud resources.
Extend your on-premises Active Directory to the cloud.
Provide single sign-on (SSO) across your cloud applications.
Reduce risk by enabling multi-factor authentication.
Support developers' need to build secure, directory-integrated applications for the enterprise.

Similarities between Active Directory & Microsoft Azure Active Directory

Identities Everywhere (diagram): Consumer Identity Providers, PCs and Devices, Microsoft Azure Active Directory, Windows Server Active Directory, Microsoft Cloud Applications, 3rd Party Cloud Apps

Azure AD Features by SKU

Azure AD Features by SKU continued

LAB 6 Microsoft Azure Active Directory

Application Access using Microsoft Azure AD

Application Access Overview
Software-as-a-Service (SaaS) Applications
Organizations increasingly rely on SaaS applications to support business activities.
Microsoft Azure AD enables easy integration with many of today's popular SaaS applications, such as Salesforce, Box, Google Apps, DocuSign, Dropbox, etc.
Tenets of Integrating SaaS Apps with Microsoft Azure AD
Single Sign-On (SSO) enables users to access their applications using their organizational ID.
Account synchronization enables user provisioning/de-provisioning into the application based on changes in Windows Server AD and/or Microsoft Azure AD.
Centralized application access management.
Unified monitoring and reporting.

Support for Single Sign-On
Federation-based Single Sign-On: users are automatically signed in to applications using their credentials from Microsoft Azure AD.
Password-based Single Sign-On: users are automatically signed in to applications using their credentials from the 3rd party application.

Access Panel
http://myapps.microsoft.com
This is where users can discover the applications they have access to.
Features of the Access Panel
Users can change the password associated with their organizational account.
Users can edit multi-factor authentication-related contact and preference settings.
Users can view details about their account.

Access Panel for iOS 7
Provides SSO to apps integrated with your Azure Active Directory.
Supports iPad and iPhone devices.
Full parity with the web-based Application Access Panel.
Install "My Apps – Azure Active Directory" from the Apple App Store.

Public-Facing Application Gallery
Discover available SaaS applications without signing into the Azure Management Portal:
http://azure.microsoft.com/en-us/gallery/active-directory/

LAB 7 Application Access with Azure Active Directory and Password-Based Single Sign-On

DEMO Application Access with Azure Active Directory and Federation-Based Single Sign-On

Cloud App Discovery

Cloud App Discovery
Visibility: gain visibility into which cloud applications are being used within an organization.
Assess Risk and Remediate
See usage graphs based on users, requests, and volume of data exchanged.
Identify the top cloud applications being used in the organization.
Proceed with application integration (if appropriate).
Get Started
By General Availability (GA), it will be integrated into the Azure Management Portal. Until then, sign up at https://appdiscovery.azure.com/.
Install the agent on machines in the organization.

Cloud App Discovery – How it works (diagrams): the agent on AD-joined machines collects logs of traffic to cloud applications (Salesforce.com, force.com, Amazon.com, AWS, Private cloud, EC2, System Center) and reports them to the Cloud App Discovery service.

Azure AD Application Proxy

Azure AD Application Proxy (PREVIEW)
Reverse-Proxy as a Service
Builds on the Web Application Proxy capabilities in Windows Server 2012 R2.
Supports browser-based applications (http/https).
Cloud Connector Pattern
Simpler on-premises deployment.
Connectors can be redundant for HA.
Stateless architecture (as compared to WAP with AD FS).

Azure AD Application Proxy – How it works (diagram, PREVIEW): on-premises connectors in front of the Expense App and Benefits App pull requests from the Azure AD Application Proxy Service's request/response queue in Microsoft Azure; users reach the app through an external URL such as https://benefits-contoso.cwap.net.

Multi-Factor Authentication

Multi-Factor Authentication (MFA)
What is it?
A method of authentication requiring the use of more than one verification method to authenticate a user.
Verification methods: Mobile Application, Automated Phone Call, Text Message.
How does it work?
Requires any two or more verification methods:
Something you know (typically a password).
Something you have (a trusted device that is not easily duplicated, like a phone).
1. Login using username and password.
2. Microsoft Azure MFA challenge.
3. Response to the challenge from the device.

LAB 8 Multi-Factor Authentication

Company Branding

Azure AD Company Branding
Requirements: Azure Active Directory Premium or Basic (both require an EA).
Pages that can be custom branded: Sign-in page, Access Panel page.
Components that can be changed: Banner Logo, Large Illustration (left of the Sign-in page), Background Color, Sign-in page text.

Directory Integration with Azure Active Directory

Directory Sync
Synchronizes Users, Groups, and Contacts to Windows Azure AD.
Users will have a different password in Windows Azure AD than they have for the on-premises AD.

Directory Sync with Password Sync
An extension of Directory Sync that also synchronizes a hash of the user's password.
Enables users to sign in to cloud applications using their same on-premises password.

Directory Sync with Single Sign-On
Users won't be challenged to enter a username/password when accessing cloud applications.
Authentication occurs in the on-premises directory.
Requires an on-premises STS, such as AD FS.

Writeback Capability ("DirSync")
Self-Service Password Reset with Writeback
Writeback capability enables password resets to be persisted back to on-premises Windows Server AD.
A feature of the Azure Active Directory "DirSync" tool.
Only available in Azure AD Premium.

Enabling Password Writeback

Synchronization with DirSync
DirSync Intervals
Directory Sync runs on 3-hour intervals.
Password Sync runs on 2-minute intervals.
Password writebacks occur instantly.
DirSync On-Demand: Start-OnlineCoexistenceSync (PowerShell)

Monitoring DirSync
Directory Synchronization logs events in the Windows Application Event Log. Event Source: "Directory Synchronization"
Synchronization Service Manager for a UI experience: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
Create the security group "MIISAdmins" on the DirSync server and add the logged-in user to the group.
Reference: http://support.microsoft.com/kb/2791422
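The two slides above give everything needed for a simple health check: the event source DirSync writes to, the 3-hour sync interval, and the on-demand cmdlet. The script below is an added example (not from the slides) that runs on the DirSync server, summarises recent "Directory Synchronization" events, and forces a sync if the last event is older than the interval. The module name `DirSync` used for `Import-Module` is an assumption, not taken from the slides.

```powershell
# Added example: check DirSync activity from the Application log and force a
# sync when it looks stale. Run on the DirSync server as a member of MIISAdmins.
$Source   = 'Directory Synchronization'   # event source named on the slide
$MaxAge   = New-TimeSpan -Hours 3          # Directory Sync interval from the slide
$LookBack = (Get-Date).AddHours(-24)

# Pull the last 24 hours of events written by the DirSync event source.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $Source
    StartTime    = $LookBack
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No '$Source' events in the last 24 hours; DirSync may not be running."
    return
}

# Count events by severity so errors and warnings stand out at a glance.
$events | Group-Object LevelDisplayName | Select-Object Name, Count | Format-Table -AutoSize

# The newest event of any level tells us when the service last did anything.
$latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
$age    = (Get-Date) - $latest.TimeCreated
"Last '$Source' event: $($latest.TimeCreated) (ID $($latest.Id)), $([int]$age.TotalMinutes) minutes ago"

if ($age -gt $MaxAge) {
    Write-Warning "Last event is older than the 3-hour sync interval; starting an on-demand sync."
    Import-Module DirSync          # assumption: module name registered by the DirSync installer
    Start-OnlineCoexistenceSync    # on-demand cmdlet named on the slide
}

# Critical (1), Error (2) and Warning (3) events deserve a look regardless of age.
$events | Where-Object { $_.Level -in 1, 2, 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -Wrap
```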

Azure Active Directory Sync ("AAD Sync")
New "One Sync" tool, replaces DirSync.
Generally available and available for download.
Features
Onboard multi-forest Windows Server AD deployments to Azure AD.
Advanced provisioning, mapping and filtering rules.
Map multiple on-premises Exchange organizations to a single Azure AD tenant.

DirSync Demo Configuration (diagram): Virtual Network PPE-VNET with AD-Subnet (PPE-DC) and Apps-Subnet (PPE-DirSync), synchronizing to the tenant ppelabs.onmicrosoft.com

DEMO Directory Sync w/Password Sync

Running Windows Server AD on Azure Virtual Machines

Why Server AD in an Azure VM?
Business Drivers
Support for prerequisites of existing applications, such as SharePoint.
High-availability solutions for SQL Server databases using AlwaysOn Availability Groups.
Disaster recovery solution for branch offices and a limited set of VMs.
Dev/Test workloads.

Azure VM Considerations
From an existing physical machine
P2V the physical machine and move it to Windows Azure.
Move the DC's VHD file to Windows Azure.
Create the VM from the VHD.
Starting with a new virtual machine
Build a new virtual machine and replicate the directory to Windows Azure.

Azure VM Considerations (continued…)
Attach a data disk (caching turned off).
Don't use D:\ (temporary physical disk).
Put logs and the account DB on the attached disk to avoid data loss.

Azure VM Considerations (continued…)
IP Addressing
Microsoft Azure VMs require the use of a DHCP-leased IP address.
The lease is an infinite 'dynamic' lease, but not the same as the 'statically assigned' address that you would expect to use in an on-premises environment.
The leased IP address is routable for the duration of the lease, which is determined by the lifetime of the service (or VM).
Set a static IP in the Virtual Network using the Set-AzureStaticVNetIP cmdlet.

Azure VM Considerations (continued…)
Deploy DNS on the Domain Controller
The Windows Azure DNS does not cover the AD DNS records needed.
Register the DNS server in the Virtual Network.
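The three "considerations" slides above describe one preparation procedure for a DC VM: a data disk with host caching off, and a reserved VNet address set with Set-AzureStaticVNetIP. The script below is an added example (not from the slides) that applies both to an existing VM with the classic (Service Management) Azure PowerShell cmdlets; the cloud service name, disk size and IP address are placeholders, and the VM and VNet names are taken from the demo diagram.

```powershell
# Added example: prepare an existing classic Azure VM to host a domain controller.
# Assumes the Azure Service Management cmdlets and a subscription already selected.
$ServiceName = 'ppe-svc'     # placeholder cloud service name
$VMName      = 'PPE-DC'      # VM name from the demo diagram
$VNetName    = 'PPE-VNET'    # virtual network from the demo diagram
$StaticIP    = '10.0.1.4'    # placeholder address inside AD-Subnet

$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
if (-not $vm) { throw "VM $VMName not found in cloud service $ServiceName" }

# 1. Data disk for the AD database, logs and SYSVOL with host caching OFF, so the
#    directory's write-ordering expectations hold. Never use D:\ (temporary disk).
$vm = $vm | Add-AzureDataDisk -CreateNew -DiskSizeInGB 40 -DiskLabel 'ADData' `
                              -LUN 0 -HostCaching None

# 2. Turn the DHCP lease into a reserved VNet address. Check availability first:
#    a DC whose address changes breaks DNS registrations and replication partners.
$check = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $StaticIP
if (-not $check.IsAvailable) {
    throw "$StaticIP is in use; free addresses include: $($check.AvailableAddresses -join ', ')"
}
$vm = $vm | Set-AzureStaticVNetIP -IPAddress $StaticIP

# 3. Push both changes to the VM in a single update.
$vm | Update-AzureVM

# Verify what was applied before promoting the DC.
$applied = Get-AzureVM -ServiceName $ServiceName -Name $VMName
"Static IP : $((Get-AzureStaticVNetIP -VM $applied).IPAddress)"
"Data disks: $((Get-AzureDataDisk -VM $applied |
    ForEach-Object { "$($_.DiskLabel) (caching=$($_.HostCaching))" }) -join '; ')"

# After promotion, register this address as the Virtual Network's DNS server
# (VNet configuration) so domain members can resolve the AD DNS records that
# Azure-provided DNS does not cover.
```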

Running AD FS on Azure Virtual Machines

Running AD FS on Azure VMs
AD FS best practices call for load balancing the AD FS Proxy and STS endpoints for high availability.
If running this workload in Azure, use the Azure Internal Load Balancer.
Requires a Regional Virtual Network.

Typical AD FS deployment on-premises…

Example Cloud-Based Architecture (diagram): a Cloud Service hosting the Federation Server Proxies (FSP1, FSP2), a Cloud Service hosting the Federation Server Farm (FS1, FS2) behind an Internal Load Balancer, connected to the On-Premises Environment.

Running AD FS On-Premises
Deploy AD FS Proxy Servers in Azure.
Establish a site-to-site VPN or ExpressRoute between the on-premises network and the Azure Virtual Network.
Ideal for production environments.

Running only AD FS Proxy Servers in Microsoft Azure

Summary
Microsoft Azure Active Directory Introduction
Application Access
Azure AD Application Proxy
Multi-Factor Authentication (MFA)
Company Branding
Directory Integration
Running Windows Server AD / AD FS on Azure VMs

Coming Up Next: Cloud Services and Websites

Thank You