2.2.2. Governence - Azure AD - Hybrid Identities.md

File metadata and controls

257 lines (235 loc) · 13.4 KB

Hybrid Identities

  • Hybrid (common) identity = Cloud + On Premises identity
  • Connection is done through Azure AD connect

Four Pillars

  • Unified Development and DevOps: A common approach to building applications, and full flexibility to deploy in the cloud or on-premises
  • Integrated management and security: Built-in management and security solutions across full operational lifecycle from cloud to on-premises
  • Common Identity: Enable end-user productivity with single sign on to cloud and on premises applications while protecting corporate data
    • Single identity: Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups and devices in sync
    • Single Sign-on: Provide single sign-on access to your application including thousands of pre-integrated SaaS apps
    • Conditional Access: Protect identities by enforcing risk-based conditional access policies and multi-factor authentication for both on-premises and cloud applications
    • Remote Access: Provide secure remote access to on-premises web applications through Azure AD Application Proxy
    • Self Service: Self-service password reset and application access requests for directories in the datacenter and the cloud
    • High Availability
    • Collaboration: Enable vendors, contractors and partners to get risk-free access to in-house resources
    • Consistency: Truly consistent capabilities
  • Consistent Data Platform: Seamlessly distribute data between cloud and on-premises, and enrich it with analysis and deep learning

Azure AD Connect

  • Integrate your on-premises AD or LDAP directory to the cloud
  • Establish a single identity for your users to access on-premises and cloud-based resources
  • Connect your users to thousands of SaaS applications published through Azure
  • Preparing for Azure AD Connect
    • Create a new user in Azure AD as Global Administrator
    • Download Azure AD Connect and install it.
      • Requires a Windows Server version newer than 2008
  • Install and configure Azure AD Connect
    • Installation settings:
      • Initially
        • Custom or Express installation
        • Installation location
        • Create an express SQL or use an existing SQL instance
        • Provide a service account or create a new one
          • Service account for SQL server
        • Custom sync groups
          • Fill: Administrators group, operators group, browser group, password reset groups
          • AD Connect groups, not domain groups!
      • Then
        • How users will sign-in
          • One of them: Password synchronization, Pass-through authentication, Federation with AD FS
          • Enable sign on -> Yes, No
        • Forest and Azure credentials
          • Global administration username password
          • Select directory type (AD or LDAP)
            • Then type Forest name
          • Create new AD account or use existing AD account
          • Type domain username and password
            • 💡 Recommended to enter Enterprise Admin credentials
        • Select UPN for sign-in
          • E.g. azure-contoso.com
          • Select user name: e.g. userPrincipalName, treeName, unicodePwd
      • Then
        • Choose what domains and OUs get synchronized to the cloud
          • Sync all domains and OUs or sync selected domains and OUs
        • How to uniquely identify users
          • Identification:
            1. Users are represented only once across all directories.
            2. User identities exist across multiple directories.
              • Match using: mail attribute, specific attribute, etc.
          • Source anchor (ID)
            1. Let Azure manage the source anchor for me
            2. Specific attribute: objectGUID, pager, objectSid etc.
        • Filter users and devices by group
          1. Synchronize all users and devices
          2. Synchronize selected
        • Optional features
          • Exchange hybrid deployment, Exchange mail public folders, Azure AD app and attribute filtering, password synchronization, password writeback, group writeback, device writeback, directory extension attribute sync.
        • Enable single sign on
          • ❗ Requires domain administrator account
        • Choose staging mode or install it
          • Staging mode: the server imports and evaluates changes but does not export any data to Azure AD
      • Post installation
        • Install AzureAD powershell module
        • 💡 Then enable Azure AD recycle bin
  • Metaverse
    • What will be synced in the next synchronization
      • Connectors to and from on-premises AD
      • Connectors to and from Azure AD
    • Controls what attributes from what objects from what location are available for synchronization
  • Manage in Azure AD Connect -> Synchronization Service
  • Adjust to business changes after Azure AD Connect is installed.
  • Change the service accounts
  • Add the Managers OU to be included in the synchronization
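The post-installation and metaverse items above are operational checks that are easier to script than to click through. The following is an added example, not code from the notes or from Microsoft; it uses the ADSync PowerShell module that ships with Azure AD Connect and must run on the Connect server itself. It reports whether the server is in staging mode, lists the two metaverse connectors (on-premises directory and Azure AD), and only triggers a delta sync when the server is a real exporter and no cycle is already running. Use `-PolicyType Initial` instead after changing OU or group filtering, because a delta run will not re-evaluate objects that are newly in scope.

```powershell
# Added example (not from the notes): post-installation health check for an Azure AD Connect server.
# Requires the ADSync module, installed with Azure AD Connect; run on the Connect server.
Import-Module ADSync

$sched = Get-ADSyncScheduler

Write-Host "Staging mode       : $($sched.StagingModeEnabled)"
Write-Host "Sync cycle enabled : $($sched.SyncCycleEnabled)"
Write-Host "Effective interval : $($sched.CurrentlyEffectiveSyncCycleInterval)"
Write-Host "Next cycle (UTC)   : $($sched.NextSyncCycleStartTimeInUTC) [$($sched.NextSyncCyclePolicyType)]"

# The connectors are the two sides of the metaverse: on-premises AD/LDAP and Azure AD.
Write-Host 'Connectors:'
Get-ADSyncConnector | Select-Object Name, Identifier | Format-Table -AutoSize

if ($sched.StagingModeEnabled) {
    # A staging server is a warm standby: it imports and syncs, but never exports to Azure AD.
    Write-Warning 'Server is in staging mode; nothing will be exported to Azure AD.'
}
elseif (-not $sched.SyncCycleEnabled) {
    Write-Warning 'Scheduler is disabled; enable it with Set-ADSyncScheduler -SyncCycleEnabled $true.'
}
elseif ($sched.SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
    Write-Host 'A sync cycle is already running; not starting another one.'
}
else {
    # Delta sync pushes pending metaverse changes; use -PolicyType Initial after changing filtering.
    Start-ADSyncSyncCycle -PolicyType Delta
}
```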

Hybrid Planning

Sign On

  • Authentication and Authorization
    • How do users typically login to their on-premises environment?
    • How will users sign-on to the cloud?
    • Will you be allowing workers from partner networks access to cloud and on-premises resources?
  • Multi Factor Authentication
    • Do you currently implement multi-factor authentication?
    • What are the key scenarios that you want to enable MFA for?
    • Will you use MFA to secure Microsoft Apps?
    • Will you use MFA to secure remote access to on-premises apps?
  • Delegation and Administration
    • Does your company have more than one user with elevated privilege to manage your identity system?
    • Does your company need to delegate access to users to manage specific resources?
    • Does each delegated user need the same access?

Synchronization

  • Directory synchronization
    • Do you have a disaster recovery plan for the synchronization server?
    • Where will the synchronization server be located?
      • E.g. if it's behind a firewall, you'll need to open up some ports
    • Do you have any other directory on-premises like LDAP or an HR database?
    • Does your company use Microsoft Exchange?
  • Multi Forest synchronization
    • Are the UPNs unique in your organization?
      • With more than one forest, two people can end up with the same UPN; a single Azure AD cannot accept that, because every UPN in the directory must be unique.
    • Will the Azure AD Connect server be able to get to each forest?
    • Do you have an account with the correct permissions for all forests you want to synchronize with?
  • Password synchronization
    • Do you have restrictions on storing passwords in the cloud?
    • Will your employees be able to reset their own passwords?
    • What account lockout policy does your company require?
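The multi-forest questions above (unique UPNs, an account that can reach every forest) are worth answering with data before Azure AD Connect is installed, because a collision only surfaces as a sync error afterwards. The following is an added example, not code from the notes: it queries each forest with the ActiveDirectory module and groups enabled users by UPN and by mail attribute, the two values Azure AD Connect most often uses to match identities. The forest names are assumed; the account running it needs read access to each forest (pass `-Credential` to `Get-ADUser` if the current account does not).

```powershell
# Added example (not from the notes): find UPN and mail collisions across the forests that one
# Azure AD Connect server will synchronize. Forest names below are assumed placeholders.
Import-Module ActiveDirectory

$Forests = @('contoso.local', 'fabrikam.local')

$users = foreach ($forest in $Forests) {
    # Querying by forest DNS name lets the AD module locate a domain controller in that forest.
    Get-ADUser -Server $forest -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName |
        Select-Object @{ n = 'Forest'; e = { $forest } }, SamAccountName, UserPrincipalName, mail
}

function Find-Collisions {
    param([object[]]$Users, [string]$Attribute)
    # Group-Object is case-insensitive by default, matching how Azure AD compares UPNs.
    $Users |
        Where-Object { $_.$Attribute } |
        Group-Object -Property $Attribute |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $Attribute
                Value     = $_.Name
                Forests   = ($_.Group.Forest | Sort-Object -Unique) -join ', '
                Accounts  = ($_.Group | ForEach-Object { "$($_.Forest)\$($_.SamAccountName)" }) -join ', '
            }
        }
}

$report = @(Find-Collisions -Users $users -Attribute UserPrincipalName) +
          @(Find-Collisions -Users $users -Attribute mail)

if ($report) { $report | Format-Table -AutoSize } else { 'No UPN or mail collisions found.' }
```

A collision that spans two forests means one of the accounts must be renamed or excluded by filtering before the first sync; a collision within one forest is usually a stale duplicate account and should be cleaned up regardless.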

Applications

  • Applications
    • Will users be accessing on-premises applications? In the cloud? Or both?
    • Are there plans to develop new applications that will use cloud authentications?
      • If so, then make sure that authentication can use OAuth, certificates, etc.
    • Will cloud users be accessing applications on-premises?
    • Will on-premises users be accessing applications in the cloud?
  • Access Control
    • Does your company need to limit access to resources according to some conditions?
    • Does your company have any application that needs custom control access to some resources?
    • Does your company need to integrate access control capabilities between on-premises and cloud resources?
    • Does each user need the same access level?

Domain Structure

  • Domain Name
    • What name will your organization use for your domain in the cloud?
    • Does your organization have a custom domain name?
    • Is your domain public and easily verifiable via DNS?
  • Directory Structure
    • How many AD forests do you have?
    • How many Azure AD directories?
    • Will you filter what user accounts are synchronized with the Azure AD?
    • Do you have multiple Azure AD Connect servers planned?
    • Do you have a different directory that users authenticate against?
  • Federation
    • Will you use the Azure Federation or on-premises AD FS?
      • An option is moving on-premises AD FS to Azure Federation.
    • More federation services for identities are provided now through Azure
    • Does your organization use smart cards for Multi-Factor Authentication?

Forest to Azure AD Topology

  • ❗ Restrictions
    • One to one relation between Azure AD and AD Connect
      • Multiple Azure AD Connect servers cannot connect to a single Azure AD
      • Azure AD Connect cannot connect to multiple Azure AD directories
    • The same user account cannot sync to multiple Azure AD directories
    • Users in one Azure AD cannot appear as contacts in another Azure AD directory
  • Single Forest to Single Azure AD
    • Single Forest -> Single AD Connect -> One Azure AD
    • Most common topology
    • 💡 Recommended by Microsoft
    • Expected topology when using Azure AD Connect Express installation
    • Supports multiple domains
  • Single Forest to Multiple Azure AD
    • Single Forest -> Multiple AD Connects -> Multiple Azure ADs
    • Useful when e.g. some users' passwords cannot be written back to the cloud but another department's can.
    • ❗ Azure AD Connect sync servers must be configured for mutually exclusive filtering.
    • ❗ Users in one Azure AD will only be able to see users from their own Azure AD instance.
    • ❗ A DNS domain can only be registered in a single Azure AD directory.
    • ❗ Some write-back features not supported with this topology
      • No group / device writeback
  • Multiple Forest to Single Azure AD
    • Multiple Forest -> One AD Connect -> One Azure AD
    • ❗ Users must have only one identity across all forests
    • The user authenticates to the forest in which their identity is located.
    • All forests are accessible by Azure AD Connect
    • ❗ Users have only one mailbox
  • Multiple Forest to Multiple Azure AD
    • Multiple Forest -> Multiple AD Connects -> Multiple Azure ADs
    • Useful especially if you need isolation for different forests.
    • For each instance of Azure AD, you'll need an installation of Azure AD Connect
    • Users in one Azure AD will only be able to see users from their AAD instance.

Register domain name

  • Add Azure AD Domain Name
    • Create directory where organization name is contoso.local.
    • Add domain name azure-contoso.com and verify through TXT DNS entry.
  • Add UPN Suffix
    • On-prem resources have [email protected] but you'll need [email protected] to allow e.g. SSO.
    • Flow:
      1. Add azure-contoso.com as an alternative UPN Suffix through Active Directory Domains and Trusts
      2. Add azure-contoso.com to all user accounts as the preferred UPN suffix.
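The two procedures above (register and verify the domain in Azure AD, then add it as a UPN suffix on-premises and move users to it) can be done end to end from PowerShell. The following is an added example, not code from the notes or from Microsoft; it uses the ActiveDirectory and AzureAD modules with the `contoso.local` forest and `azure-contoso.com` domain from the notes. The `Managers` OU path and the `-WhatIf` preview are assumptions for illustration. The Azure AD check matters because a UPN whose suffix is not a verified domain in the tenant is rewritten on sync to the tenant's onmicrosoft.com fallback, which silently breaks SSO for those users.

```powershell
# Added example (not from the notes): make azure-contoso.com a verified Azure AD domain and an
# on-premises UPN suffix, then move the users of one OU to it. OU path is an assumed placeholder.
Import-Module ActiveDirectory
Import-Module AzureAD

$Suffix     = 'azure-contoso.com'
$SearchBase = 'OU=Managers,DC=contoso,DC=local'   # assumed; the notes only mention a "Managers OU"

# 1. Alternative UPN suffix on the forest (the GUI equivalent is Active Directory Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
}

# 2. The tenant must own the same name, or synchronized UPNs fall back to onmicrosoft.com.
Connect-AzureAD | Out-Null
$domain = Get-AzureADDomain -Name $Suffix -ErrorAction SilentlyContinue
if (-not $domain) {
    New-AzureADDomain -Name $Suffix | Out-Null
    # Prints the TXT record to create at the DNS provider; rerun the script once it resolves.
    Get-AzureADDomainVerificationDnsRecord -Name $Suffix | Format-Table Label, RecordType, Text
    return
}
if (-not $domain.IsVerified) { Confirm-AzureADDomain -Name $Suffix }

# 3. Switch the users' UPN suffix. -WhatIf previews the change; remove it to apply.
Get-ADUser -Filter 'UserPrincipalName -like "*@contoso.local"' -SearchBase $SearchBase |
    ForEach-Object {
        $prefix = ($_.UserPrincipalName -split '@')[0]
        Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$Suffix" -WhatIf
    }
```

Run it once to register the domain and obtain the TXT record, create that record in public DNS, then run it again to verify the domain and update the users.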

Single Sign On

  • Password synchronization
    • A copy of password and usernames is synchronized to the cloud.
  • Pass through authentication
    • You don't store passwords in cloud
    • User is authenticated using pass through authentication agent that connects with on-premises AD
    • Works seamlessly with Azure Multi-Factor Authentication
  • Seamless SSO
    • Works with Azure AD Join or the desktop is previously joined to your AD domain
    • Requires Azure service endpoints to be added to the client browser's Intranet zone.
      • This way the browser can send the Kerberos ticket to the website.
    • Flow:
      1. Client from a joined device tries to access a resource in the cloud.
      2. Local client goes to AD DC and gets an access token.
      3. Client forwards access token to Azure AD.
        • If MFA is enabled, it prompts the user.

Making cloud apps available

  • Azure AD -> Enterprise Applications
  • 4 Categories:
    1. Gallery applications
    2. Applications you're developing, integrated with Azure AD
    3. On-premises applications with Azure AD Application Proxy
      • Azure AD Application Proxy
        • Allows Azure to reach on-premises resources.
        • Consistent access to private resources without a VPN.
        • Install App Proxy & Connector on-premises
          • ❗ Cannot be installed on a server with the Pass Through Authentication connector
          • ❗ You need to configure a CNAME in DNS for the particular domain for it to work.
        • Set-up on Azure:
          • Add applications
          • Assign to users
          • Configure SSO
          • Provision just like any SaaS app
        • Flow for Azure user reaching on-premises resource:
          1. Azure AD gives a token to user
          2. User sends that token to Azure App Proxy
          3. Proxy takes UPN and SPN and gives it to connector
          4. Connector goes to on-prem AD and gets Kerberos ticket.
          5. The connector forwards the ticket to the actual on-prem application, which verifies it; the ticket is associated with the cloud user.
    4. Non-gallery applications
  • Manage permission: Azure AD -> Enterprise Applications -> In application -> Users and groups
  • Configure SSO:
    1. Configure SSO for the new application
      • Manage permission: Azure AD -> Enterprise Applications -> In application -> Single sign-on
      • Sign-on types:
        • Password-based Sign-on
        • Linked Sign-on
        • SAML
          • Provides step by step guide for federation between application and Azure AD manually
    2. Click on the new application in the Azure AD MyApps access panel
      • Access panel is reached at myapps.microsoft.com
      • It prompts you to install a browser extension
    3. Install Access Panel Extension
    4. Log into the application so that the password is stored for SSO