3. Webinar outline – 1 hour
• Overview of Azure Active Directory
• Understanding the identity models
- Cloud identity
- Synchronized identity
- Federated identity
• Azure Active Directory Domain Services
4. Upcoming Webinars
Understanding Azure Backup for Backup solution
Wednesday September 5th
Understanding the Office365 features for GDPR compliance
Thursday September 20th
Introduction to PowerShell
Friday September 21st
Understanding Azure AD
Friday October 5th
Understanding the migration paths to Azure
Thursday October 18th
6. Overview of Azure AD
[Diagram: Azure Apps, subscription 1, subscription 2]
Azure AD is Microsoft’s multi-tenant, cloud-based directory and identity management service. Azure AD combines core directory services, advanced identity governance, and application access management.
7. Overview of Azure AD
• Microsoft-managed
• Provide single sign-on
• Supports users, groups, applications, and devices
• Includes built-in MFA (Multi-factor Authentication)
• A maximum of 500,000 objects in the Free edition
• No organizational units / flat structure
• No GPO (Group Policy Object)
• No support for LDAP
• etc.
8. Azure AD editions
• Azure Active Directory (free)
• Azure Active Directory Basic
• Azure Active Directory Premium P1
• Azure Active Directory Premium P2
9. Managing Azure AD users, groups, and devices
• Azure AD users:
- Cloud identities
- Directory-synchronized identities
• Management interfaces:
- Azure portal
- Windows PowerShell
- Office 365 admin center
12. Cloud identity
Pros:
Very simple
No servers on-premises
Single place for user management
No configuration on-premises
Cons:
Doesn’t support Windows 7 computer join
Doesn’t support computer management via GPO
etc.
[Diagram: users authenticate directly against Azure AD]
13. Synchronized identity
Pros:
Simple
No big changes to the on-prem AD
On-prem AD is the user “master copy”
Users use the same password for on-prem and Azure resources (“Same Sign-On”)
Cons:
Might need a new server or VM
Two places for user management*
Need to make sure the replication is always working
[Diagram: on-prem AD synchronized to Azure AD through Azure AD Connect]
15. Installing and configuring Azure AD Connect
• Use express settings for:
- Single Active Directory forest
- Default synchronization settings
• Use customized settings for:
- Multiple forests with duplicate identities
- Federation scenarios
- Custom synchronization settings, for example writeback
• Installing Azure AD Connect with express settings:
- Installs the synchronization engine
- Configures the Azure AD connector
- Configures the on-premises AD DS connector
- Enables password synchronization
- Configures synchronization services
- Configures synchronization services for Exchange hybrid deployment (optional)
16. Federated identity
Pros:
Full single sign-on
Audit all logons locally
On-prem AD does the authentication
Passwords don’t need to be synced
Better option for advanced scenarios
Immediate account disable and password changes
Supports sign-in restrictions by network location, client or work hours
Cons:
More complex
Needs more servers
Needs Active Directory Federation Services (AD FS)
On-prem DCs, AD FS servers and the internet link must be highly available
Requires a public certificate and a solid domain name
[Diagram: on-prem AD, AD FS and Azure AD Connect in front of Azure AD]
17. Federated identity - Authentication
The security token contains claims about the user, such as user name, group membership, User Principal Name (UPN), email address, manager details, phone number, and other attribute values.
[Diagram: Azure Active Directory, Office 365, Azure Apps, Azure AD Connect]
Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in the cloud.
21. Understanding the identity models
[Diagram: the three models side by side - cloud, synchronized, federated]
Note:
Use the simplest identity model that meets your needs.
It is possible to switch between the models when needed.
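The three models above differ in where a user's password is verified and whether a directory sync has to keep running. The script below, added here as an illustration and not part of the webinar material, classifies each user of a tenant into one of the three models and checks the "replication is always working" concern from the synchronized-identity slide. It reads Microsoft Graph-shaped records (the `authenticationType`, `onPremisesSyncEnabled` and `onPremisesLastSyncDateTime` properties exist on Graph's domain, user and organization resources); the records themselves, the domain names and the 3-hour staleness threshold are constructed for this example.

```python
"""Classify Azure AD users by identity model and check directory-sync health.

Added example (not from the webinar).  Records are shaped like Microsoft Graph
responses for GET /organization, GET /domains and GET /users, but all values
below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed: GET /organization, trimmed to the sync-related properties.
ORGANIZATION = {
    "displayName": "Example tenant (constructed)",
    "onPremisesSyncEnabled": True,
    "onPremisesLastSyncDateTime": "2018-10-05T08:12:00Z",
}

# Constructed: GET /domains.  A domain is either Managed (password verified by
# Azure AD, whether cloud-only or synced) or Federated (AD FS verifies it).
DOMAINS = [
    {"id": "example.onmicrosoft.com", "authenticationType": "Managed"},
    {"id": "sync.example.test", "authenticationType": "Managed"},
    {"id": "fed.example.test", "authenticationType": "Federated"},
]

# Constructed: GET /users.  onPremisesSyncEnabled is True for objects that
# Azure AD Connect writes from on-prem AD and null for cloud-only objects.
USERS = [
    {"userPrincipalName": "alice@fed.example.test", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "carol@sync.example.test", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "bob@example.onmicrosoft.com", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "svc@example.onmicrosoft.com", "onPremisesSyncEnabled": None},
]

# Assumption: Azure AD Connect syncs every 30 minutes by default, so a last
# successful sync older than 3 hours is worth an alert.
SYNC_STALE_AFTER = timedelta(hours=3)


def federated_domains(domains):
    """Lower-cased set of domain names whose authentication is federated."""
    return {d["id"].lower() for d in domains if d.get("authenticationType") == "Federated"}


def identity_model(user, domains):
    """Map one user to 'federated', 'synchronized' or 'cloud'.

    Federation is decided by the UPN suffix (a federated user is also synced,
    so that check comes first); otherwise the sync flag on the object decides.
    """
    suffix = user["userPrincipalName"].rsplit("@", 1)[-1].lower()
    if suffix in federated_domains(domains):
        return "federated"
    if user.get("onPremisesSyncEnabled"):
        return "synchronized"
    return "cloud"


def model_summary(users, domains):
    """Count users per identity model, e.g. to spot unexpected cloud-only accounts."""
    counts = {"cloud": 0, "synchronized": 0, "federated": 0}
    for user in users:
        counts[identity_model(user, domains)] += 1
    return counts


def sync_is_healthy(organization, now, stale_after=SYNC_STALE_AFTER):
    """Return (healthy, reason).  A cloud-only tenant has no sync to check."""
    if not organization.get("onPremisesSyncEnabled"):
        return True, "directory synchronization not enabled (cloud identity)"
    last = organization.get("onPremisesLastSyncDateTime")
    if not last:
        return False, "sync enabled but no successful sync recorded"
    last_dt = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    age = now - last_dt
    if age > stale_after:
        return False, f"last sync {age} ago exceeds the {stale_after} threshold"
    return True, f"last sync {age} ago"


if __name__ == "__main__":
    for user in USERS:
        print(f"{user['userPrincipalName']:35} {identity_model(user, DOMAINS)}")
    print(model_summary(USERS, DOMAINS))
    check_time = datetime(2018, 10, 5, 12, 0, tzinfo=timezone.utc)  # constructed
    print(sync_is_healthy(ORGANIZATION, check_time))
```

The per-user view matters more than a tenant-wide label: a tenant that is "federated" still has cloud-only accounts (service accounts, the `onmicrosoft.com` admin) whose passwords are verified by Azure AD alone, so the immediate-disable and local-audit benefits of federation do not apply to them.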
23. Planning to deploy Active Directory domain controllers on Azure virtual machines
• Reasons for placing domain controllers in Azure:
- Keeping authentication requests from Azure-based services within Azure
- Extending on-premises Active Directory to Azure
- Enhancing resiliency of directory synchronization and federation deployments
24. Azure AD Domain Services
• Supports:
- LDAP
- Azure Active Directory domain join
- NTLM
- Kerberos
- Group Policy
- OU
• Key points:
- Avoids domain controllers in Azure
- Is a highly available service
- SLA guarantees at least 99.9%
- Minimises the traffic from Azure VMs to your on-prem DC
- Supports your traditional directory-aware apps alongside your modern cloud apps
- Must be connected to a VNET and has an IP (client DNS)
- UPN format is recommended: Jackson@nh.ie instead of nhjackson
- Supports on-prem AD synchronization with Azure AD Connect
25. Azure AD Domain Services – Replication
Azure AD and Azure AD Domain Services
26. Azure AD Domain Services – Replication
On-premises AD, Azure AD and Azure AD Domain Services
28. Azure AD Domain Services – Limitations
• Cannot use Azure AD Domain Services with federated Azure AD
• You cannot add domain controllers to the managed domain
• You cannot connect to the “domain controllers” using Remote Desktop
• You are not granted Domain Administrator or Enterprise Administrator privileges
• No control over the synchronization (approximately 20 minutes)
• AD domain/forest trusts
• You cannot extend the schema
• Password lifetime policy, password-does-not-expire and user-must-change-password-at-next-logon are not synchronized from your Azure AD
• …