Azure-in-bullet-points

Hybrid Identities

• Hybrid (common) identity = Cloud + On Premises identity
• Connection is done through Azure AD connect

Four Pillars

• Unified Development and DevOps: A common approach to building applications, and full flexibility to deploy in the cloud or on-premises
• Integrated management and security: Built-in management and security solutions across full operational lifecycle from cloud to on-premises
• Common Identity: Enable end-user productivity with single sign on to cloud and on premises applications while protecting corporate data
  • Single identity: Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups and devices in sync
  • Single Sign-on: Provide single sign-on access to your application including thousands of pre-integrated SaaS apps
  • Conditional Access: Protect identities by enforcing risk-based conditional access policies and multi-factor authentication for both on-premises and cloud applications
  • Remote Access: Provide secure remote access to on-premises web applications through Azure AD Application Proxy
  • Self Service: Self service password reset and application access requests for directories in the datacenter an the cloud
  • High Availability
  • Collaboration: Enable vendors, contractors and partners to get risk-free access to in-house resources
  • Consistency: Truly consistent capabilities
• Consistent Data Platform: Seamlessly distribute dat between cloud and on-premises, and enrich with analysis and deep learning

Azure AD Connect

• Integrate your on-premises AD or LDAP directory to the cloud
• Establish a single identity for your us ers to access on-premises and cloud-based resources
• Connect your users to thousands of SaaS applications published through Azure
• Preparing for Azure AD Connect
  • Create a new user in Azure AD as Global Administrator
  • Download Azure AD Connect and install it.
    • You need > Windows Server 2008
• Install and configure Azure AD Connect
  • Installation settings:
    • Initially
      • Custom or Express installation
      • Installation location
      • Create an express SQL or use an existing SQL instance
      • Provide a service account or create a new one
        • Service account for SQL server
      • Custom sync groups
        • Fill: Administrators group, operators group, browser group, password reset groups
        • AD Connect groups not domain groups!
    • Then
      • How users will sign-in
        • One of them: Password synchronization, Pass-through authentication, Federation with AD FS
        • Enable sign on -> Yes, No
      • Forest and Azure credentials
        • Global administration username password
        • Select directory type (AD or LDAP)
          • Then type Forest name
        • Create new AD account or use existing AD account
        • Type domain username and password
          • 💡 Recommended to enter Enterprise Admin credentials
      • Select UPN for sign-in
        • E.g. azure-contoso.com
        • Select user name: e.g. userPrincipalName, treeName, unicodePwd
    • Then
      • Choose what domains and OUs get synchronized to the cloud
        • Sync all domains and OUs or sync selected domains and OUs
      • How to uniquely identify users
        • Identification:
          1. Users are represented only once across all directories.
          2. User identities exist across multiple directories.
             • Match using: mail attribute, specific attribute, etc.
        • Source anchor (ID)
          1. Let Azure manage the source anchor for me
          2. Specfic attribute: objectGUID, pager, objectSid etc.
      • Filter users and devices by group
        1. Synchronize all users and devices
        2. Synchronize selected
      • Optional features
        • Exchange hybrid deployment, exchange mail public folders, azure AD app and attribute filtering, password synchronization, password writeback, group writeback, device writeback, directory extension attribute sync.
      • Enable single sign on
        • ❗ Requires domain administrator account
      • Choose staging mode or install it
        • Staging mode: Synchronization won’t synchronize any data to Azure AD
    • Post installation
      • Install AzureAD powershell module
      • 💡 Then enable Azure AD recycle bin
• Metaverse
  • What’ll be synced in the next synchronization
    • Connectors to and from on-premises AD
    • Connectors to and from Azure AD
  • Controls what attributes from what objects from what location are available for synchronization
• Manage in Azure AD Connect -> Synchronization Service
• Adjust to business changes after Azure AD Connect is installed.
• Change the service accounts
• Add the Managers OU to be included in the synchronization

Hybrid Planning

Sign On

• Authentication and Authorization
  • How do users typically login to their on-premises environment?
  • How will users sign-on to the cloud?
  • Will you be allowing workers from partner networks access to cl oud and on-premises resources?
• Multi Factor Authentication
  • Do you currently implement multi-factor authentication?
  • What are the key scenarios that you want to enable MFA for?
  • Will you use MFA to secure Microsoft Apps?
  • Will you use MFA to secure remote access to on-premises apps?
• Delegation and Administration
  • Does your company have more than one user with elevated privilege to manage your identity system?
  • Does your company need to delegate access to users to manage specific resources?
  • Does each delegated user need the same access?

Synchronization

• Directory synchronization
  • Do you have a disaster recovery plan for the synchronization server?
  • Where will the synchronization server be located?
    • E.g. if it’s behind a firewall, you’ll need to open up some ports
  • Do you have any other directory on-premises like LDAP or an HR database?
  • Does your company use Microsoft Exchange?
• Multi Forest synchronization
  • Are the UPNs unique in your organization?
    • More than one forest -> You can call people samething as other people -> You won’t be able to do that in single Azure AD as they need unique UPNs.
  • Will the Azure AD Connect server be able to get to each forest?
  • Do you have an account with the correct permissions for all forests you want to synchronize with?
• Password synchronization
  • Do you have restrictions on storing passwords in the cloud?
  • Will your employees be able to reset their own passwords?
  • What account lockout policy does your company require?

Applications

• Applications
  • Will users be accessing on-premises applications? In the cloud? Or both?
  • Are there plans to develop new applications that will use cloud authentications?
    • If so, then make sure that authentication can use OAuth, certificates e.t.c.
  • Will cloud users be accessing applications on-premises?
  • Will on-premises urers be accessing applications in the cloud?
• Access Control
  • Does your acompany need to limit access to resources according to some conditions?
  • Does your company have any application that needs custom control access to some resources?
  • Does your company need to integrate access control capabilities between on-premises and cloud resources?
  • Does each user need the same access level?

Domain Structure

• Domain Name
  • What name will your organization use for your domain in the cloud?
  • Does your organization have a custom domain name?
  • Is your domain public and easily verifiable via DNS?
• Directory Structure
  • How many AD forests do you have?
  • How many Azure AD directories?
  • Will you filter what user accounts are synchronized with the Azure AD?
  • Do you have multiple Azure AD Connect servers planned?
  • Do you have different directory that users authenticate against?
• Federation
  • Will you use the Azure Federation or on-premises AD FS?
    • An option is moving on-premises AD FS to Azure Federation.
  • More federation services for identities are provided now through Azure
  • Does your organization use smart cards for Multi Factor Authentication

Forest to Azure AD Topology

• ❗ Restrictions
  • One to one relation between Azure AD and AD Connect
    • Multiple AD Connect can not connect to Single azure AD
    • Azure AD Connect cannot connect to multiple Azure AD directories
  • The same user account cannot sync to multiple Azure AD directories
  • Users in one Azure AD cannot appear as contacts in another Azure AD directory
• Single Forest to Single Azure AD
  • Single Forest -> Single AD Connect -> One Multiple AD
  • Most common topology
  • 💡 Recommended by Microsoft
  • Expected topology when using Azure AD Connect Express installation
  • Supports multiple domains
• Single Forest to Multiple Azure AD
  • Single Forest -> Multiple AD Connects -> One Multiple AD
  • Useful when e.g. some users passwords cannot be written back to the cloud but another departmant caa do it.
  • ❗ Azure AD Connect sync servers must be configured for mutually exclusive filtering.
  • ❗ Users in one Azure AD will only be able to see users from their own Azure AD instance.
  • ❗ A DNS domain can only be registered in a single Azure AD directory.
  • ❗ Some write-back features not supported with this topology
    • No group / device writeback
• Multiple Forest to Single Azure AD
  • Multiple Forest -> One AD Connect -> One Azure AD
  • ❗ Users must have only one identity across all forests
  • The user authenticates to the forest in which their identity is located.
  • All forests are accessible by Azure AD Connect
  • ❗ Users have only one mailbox
• Multiple Forest to Multiple Azure AD
  • Multiple Forest -> Multiple AD Connects -> Multiple Azure ADs
  • Useful especially if you need isolation for different forests.
  • For each instance of Azure AD, you’ll need an installation of Azure AD Connect
  • Users in one Azure AD will only be able to see users from their AAD instance.

Register domain name

• Add Azure AD Domain Name
  • Create directory where organiatison name is contoso.local.
  • Add domain name azure-contoso.com and verify through TXT DNS entry.
• Add UPN Suffix
  • On-prem resources has name@contoso.local but you’ll need name@azure-contoso.com to allow e.g. SSO.
  • Flow:
    1. Add azure-contoso.com as an alternative UPN Suffix through Active Directory Domains and Trusts
    2. Add azure-contoso.com to all user accounts as the preferred UPN suffix.

Single Sign On

• Password synchronization
  • A copy of password and usernames is synchronized to the cloud.
• Pass through authentication
  • You don’t store passwords in cloud
  • User is authenticated using pass through authentication agent that connects with on-premises AD
  • Works seamlessly with Azure Multi-Factor authentication
• Seamless SSO
  • Works with Azure AD Join or the desktop is previously joined to your AD domain
  • Requires Azure service endpoints to be added to the client browser’s Intranet zone.
    • This way the browser can send the kerberos ticket to the website.
  • Flow:
    1. Client from a joined device tries to access to a resource in cloud.
    2. Local client goes to AD DC and gets an access token.
    3. Client forwards access token to Azure AD.
       • If MFA is enabled, it’ll prompt user.

Making cloud apps available

• Azure AD -> Enterprise Applications
• 4 Categories:
  1. Gallery applications
  2. Applications you’re developing, integrated with Azure AD
  3. On-premises applications with Azure AD Application Proxy
     • Azure AD Application Proxy
       • Allows Azure to reach on-premises resources.
       • Consisten access to private resources without a VPN.
       • Install App Proxy & Connector on-premises
         • ❗ Cannot be installed on a server with the Pass Through Authentication connector
         • ❗ You need to configure a CNAME on DNS for the particular domain work for it to work.
       • Set-up on Azure:
         • Add applications
         • Assign to users
         • Configure SSO
         • Provision just like any SaaS app
       • Flow for Azure user reaching on-premises resource:
         1. Azure AD gives a token to user
         2. User sends that token to Azure App Proxy
         3. Proxy takes UPN and SPN and gives it to connector
         4. Connector goes to on-prem AD and gets Kerberos ticket.
         5. It forwards it to actual on-prem application, it verifies the ticket and ticket is assigned to the cloud user.
  4. Non-gallery applications
• Manage permission: Azure AD -> Enterprise Applications -> In application -> Users and groups
• Configure SSO:
  1. Configure SSO for the new application
     • Manage permission: Azure AD -> Enterprise Applications -> In application -> Single sign-on
     • Sign-on types:
       • Password-based Sign-on
       • Linked Sign-on
       • SAML
         • Provides step by step guide for fedaration between application and Azure AD manually
  2. Click on the new application new in the Azure AD MyApps access panel
     • Access panel is reached at myapps.microsoft.com
     • It promts you to insall a browser extension
  3. Install Access Panel Extension
  4. Log into application so that password is stored for SSO

This site is open source. Improve this page.