Azure Active Directory

The following is from Azure Administrator Training lab for AZ-103

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS applications like Office365, Salesforce.com, DropBox, and Concur.

For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world class identity management solution used by millions of organizations around the world.

Identity management capabilities and integration

Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing and security monitoring, and alerting. These capabilities can help secure cloud-based applications, streamline IT processes, cut costs, and help assure corporate compliance goals are met.

Additionally, Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the ability to leverage their existing on-premises identity investments to manage access to cloud-based SaaS applications.

✔️ If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are already using Azure AD. Every Office365, Azure and Dynamics CRM tenant is already an Azure AD tenant. Whenever you want, you can start using that tenant to manage access to the thousands of other cloud applications Azure AD integrates with.

For more information, you can see:

Azure Active Directory Documentation – https://docs.microsoft.com/en-us/azure/active-directory/

Azure Active Directory Benefits

Azure AD has many benefits

  • Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single sign-on to cloud and on-premises applications including Microsoft Office 365 and thousands of SaaS applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.
  • Works with iOS, Mac OS X, Android, and Windows devices. Users can launch applications from a personalized web-based access panel, mobile app, Office 365, or custom company portals using their existing work credentials, and have the same experience whether they’re working on iOS, Mac OS X, Android, or Windows devices.
  • Protect on-premises web applications with secure remote access. Access your on-premises web applications from everywhere and protect them with multi-factor authentication, conditional access policies, and group-based access management. Users can access SaaS and on-premises web apps from the same portal.
  • Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups, passwords, and devices across both environments.
  • Protect sensitive data and applications. Enhance application access security with unique identity protection capabilities that provide a consolidated view into suspicious sign-in activities and potential vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommendations and risk-based policies to protect your business from current and future threats.
  • Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as resetting passwords and the creation and management of groups to your employees. Providing self-service application access and password management through verification steps can reduce helpdesk calls and enhance security.

✔️ What reasons do you have for considering Azure Active Directory?

Azure Active Directory Differences

Active Directory Domain Services (AD DS)

AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although AD DS is commonly considered to be primarily a directory service, it is only one component of the Windows Active Directory suite of technologies, which also includes Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS). Although you can deploy and manage AD DS in Azure virtual machines, it’s recommended you use Azure AD instead, unless you are targeting IaaS workloads that depend on AD DS specifically.

Azure AD is different from AD DS

Although Azure AD has many similarities to AD DS, there are also many differences. It is important to realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD that make it different.

  • Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.
  • REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.
  • Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
  • Federation Services. Azure AD includes federation services, and many third-party services (such as Facebook).
  • Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).

✔️ Azure AD is a managed service. You only manage the users, groups, and policies. Deploying AD DS with virtual machines using Azure means that you manage the deployment, configuration, virtual machines, patching, and other backend tasks. Do you see the difference?

Azure Active Directory Editions

Azure Active Directory comes in four editions: Free, Basic, Premium P1, and Premium P2. The Free edition is included with an Azure subscription. The Azure Active Directory Basic, Premium P1, and Premium P2 editions are built on top of your existing free directory, providing enterprise class capabilities spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication (MFA), and secure access for your mobile workforce.

  • Azure Active Directory Free – Provides user and group management, on-premises directory synchronization, basic reports, and single sign-on across Azure, Office 365, and many popular SaaS apps.
  • Azure Active Directory Basic – In addition to the Free features, Basic also provides cloud-centric app access, group-based access management, self-service password reset for cloud apps, and Azure AD Application Proxy, which lets you publish on-premises web apps using Azure AD.
  • Azure Active Directory Premium P1 – In addition to the Free and Basic features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
  • Azure Active Directory Premium P2 – In addition to the Free, Basic, and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based conditional access to your apps and critical company data, and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

✔️ The Azure Active Directory Pricing page has detailed information on what is included in each of the editions. Based on the feature list, which edition does your organization need?

Azure AD Directories (Tenants)

A tenant is a dedicated instance of an Azure AD directory which is created whenever you sign up for a Microsoft cloud service, such as Office 365 or Azure. It is important to note that a tenant is not the same as a subscription. A subscription is typically tied to a credit card for billing, whereas a tenant is an instance of Active Directory. You can have multiple tenants in your organization, such as Contoso1.com and Contoso2.com.

Each tenant or Azure AD instance is separate and distinct from the other Azure AD directories in your organization. These different tenants could allow for different functions. For example: you could have a tenant for Office 365, another tenant for a testing environment, and then another tenant for Microsoft Intune. A tenant houses the users in a company and the information about them – their passwords, user profile data, permissions, and so on. It also contains groups, applications, and other information pertaining to an organization and its security.

Why would you need multiple tenants?

Resource independence

  • If you create or delete a resource in one tenant, it has no impact on any resource in another tenant, with the partial exception of external users.
  • If you use one of your domain names with one tenant, it cannot be used with any other tenant.

Administrative independence

If a non-administrative user of tenant ‘Contoso’ creates a test tenant ‘Test’, then:

  • By default, the user who creates a tenant is added as an external user in that new tenant and assigned the global administrator role in that tenant.
  • The administrators of tenant ‘Contoso’ have no direct administrative privileges to tenant ‘Test’, unless an administrator of ‘Test’ specifically grants them these privileges.

Synchronization independence. You can configure each Azure AD tenant independently to get data synchronized from a single instance of either the Azure AD Connect tool or the Forefront Identity Manager Azure Active Tenant Connector.

AD Connect

Azure AD Connect

Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.

Azure AD Connect provides the following features:

  • Password hash synchronization. A sign-in method that synchronizes a hash of a user’s on-premises AD password with Azure AD.
  • Pass-through authentication. A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
  • Federation integration. Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
  • Synchronization. Responsible for creating users, groups, and other objects, as well as making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
  • Health Monitoring. Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

For more information, you can see:

Integrate your on-premises directories with Azure Active Directory – https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Authentication Options

Choosing an Azure AD authentication method is one of the first important decisions when moving to the cloud: it is the foundation of your cloud environment and is difficult to change at a later date.

You can choose cloud authentication, which includes Azure AD password hash synchronization and Azure AD Pass-through Authentication. You can also choose federated authentication, where Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password.

Summary

  1. Do you need on-premises Active Directory integration? If the answer is No, then you would use Cloud-Only authentication.
  2. If you do need on-premises Active Directory integration, then do you need to use cloud authentication and password protection, and are your authentication requirements natively supported by Azure AD? If the answer is Yes, then you would use Password Hash Sync + Seamless SSO.
  3. If you do need on-premises Active Directory integration, but you do not need to use cloud authentication and password protection, and your authentication requirements are natively supported by Azure AD, then you would use Pass-through Authentication + Seamless SSO.
  4. If you need on-premises Active Directory integration, have an existing federation provider, and your authentication requirements are NOT natively supported by Azure AD, then you would use Federation authentication.

Pass-through Authentication

Azure AD Pass-through Authentication (PTA) is an alternative to Azure AD Password Hash Synchronization, and provides the same benefit of cloud authentication to organizations. PTA allows users to sign in to both on-premises and cloud-based applications using the same user account and password. When users sign in using Azure AD, Pass-through Authentication validates the users’ passwords directly against an organization’s on-premises Active Directory.

Feature benefits

  • Supports user sign-in into all web browser-based applications and into Microsoft Office client applications that use modern authentication.
  • Sign-in usernames can be either the on-premises default username (userPrincipalName) or another attribute configured in Azure AD Connect (known as Alternate ID).
  • Works seamlessly with conditional access features such as Multi-Factor Authentication to help secure your users.
  • Integrated with cloud-based self-service password management, including password writeback to on-premises Active Directory and password protection by banning commonly used passwords.
  • Multi-forest environments are supported if there are forest trusts between your AD forests and if name suffix routing is correctly configured.
  • PTA is a free feature, and you don’t need any paid editions of Azure AD to use it.
  • PTA can be enabled via Azure AD Connect.
  • PTA uses a lightweight on-premises agent that listens for and responds to password validation requests.
  • Installing multiple agents provides high availability of sign-in requests.
  • PTA protects your on-premises accounts against brute force password attacks in the cloud.

✔️ This feature can be configured without using a federation service, so that any organization, regardless of size, can implement a hybrid identity solution. Pass-through authentication is not only for user sign-in but allows an organization to use other Azure AD features, such as password management, role-based access control, published applications, and conditional access policies.

Federation with Azure AD

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises. This method allows administrators to implement more rigorous levels of access control.

✔️ If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password hash synchronization as a backup in case your AD FS infrastructure fails.

Password Writeback

Having a cloud-based password reset utility is great, but most companies still have an on-premises directory where their users exist. How does Microsoft support keeping traditional on-premises Active Directory (AD) in sync with password changes in the cloud?

Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time.

Password writeback provides:

  • Enforcement of on-premises Active Directory password policies. When a user resets their password, it is checked to ensure it meets your on-premises Active Directory policy before committing it to that directory. This review includes checking the history, complexity, age, password filters, and any other password restrictions that you have defined in local Active Directory.
  • Zero-delay feedback. Password writeback is a synchronous operation. Your users are notified immediately if their password did not meet the policy or could not be reset or changed for any reason.
  • Supports password changes from the access panel and Office 365. When federated or password hash synchronized users come to change their expired or non-expired passwords, those passwords are written back to your local Active Directory environment.
  • Supports password writeback when an admin resets them from the Azure portal. Whenever an admin resets a user’s password in the Azure portal, if that user is federated or password hash synchronized, the password is written back to on-premises. This functionality is currently not supported in the Office admin portal.
  • Doesn’t require any inbound firewall rules. Password writeback uses an Azure Service Bus relay as an underlying communication channel. All communication is outbound over port 443.
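The first bullet above describes the on-premises directory checking a written-back password against its history, complexity, age and password-filter rules and, per the second bullet, returning the result synchronously. The following is an added example, not code from the AZ-103 lab or from Azure AD Connect, that models that policy gate in Python. The concrete rules are an assumption modelled on classic Active Directory defaults (8-character minimum, three of four character classes with no account-name tokens, 24-password history, one-day minimum age) and a banned-word list stands in for a password filter DLL; the user record and passwords are constructed for the demonstration.

```python
"""Added example (not code from the AZ-103 lab or from Azure AD Connect): a
model of the policy checks an on-premises directory runs before it commits a
password that was reset in the cloud. The rules are an assumption modelled on
classic Active Directory defaults: minimum length, complexity (three of four
character classes and no account-name tokens), password history, minimum
password age, and a banned-word list standing in for a password filter DLL.
Every check runs, so the caller gets the complete list of reasons at once."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_complexity: bool = True
    history_size: int = 24                   # assumption: AD default "enforce password history"
    min_age: timedelta = timedelta(days=1)   # assumption: AD default minimum password age
    banned_words: tuple = ("contoso", "password", "welcome")  # constructed filter list


@dataclass
class UserRecord:
    sam_account_name: str
    display_name: str
    last_set: datetime
    history: list = field(default_factory=list)  # (salt, digest) of past passwords, newest first


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history store never holds reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def commit_password(user: UserRecord, password: str, policy: PasswordPolicy, when: datetime) -> None:
    """Record an accepted password in the history ring and stamp its set time."""
    salt = os.urandom(16)
    user.history.insert(0, (salt, _digest(password, salt)))
    del user.history[policy.history_size:]
    user.last_set = when


def _meets_complexity(user: UserRecord, password: str) -> bool:
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    # AD also rejects a password containing the account name or any
    # display-name token of three or more characters (case-insensitive).
    tokens = [user.sam_account_name.lower()] + [
        t.lower() for t in user.display_name.replace(",", " ").split() if len(t) >= 3
    ]
    lowered = password.lower()
    return classes >= 3 and not any(t in lowered for t in tokens)


def check_password(user: UserRecord, password: str, policy: PasswordPolicy, now: datetime) -> list:
    """Return every policy violation; an empty list means the password may be committed."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity and not _meets_complexity(user, password):
        violations.append("fails complexity (3 of 4 character classes, no name tokens)")
    if any(w in password.lower() for w in policy.banned_words):
        violations.append("rejected by banned-word filter")
    if now - user.last_set < policy.min_age:
        violations.append("changed too recently (minimum password age)")
    for salt, digest in user.history:
        if hmac.compare_digest(digest, _digest(password, salt)):
            violations.append("reuses a password from history")
            break
    return violations


def demo() -> dict:
    """Constructed scenario: one user, one committed password, five reset attempts."""
    policy = PasswordPolicy()
    user = UserRecord("jdoe", "Doe, Jane", last_set=datetime(2019, 1, 1))
    commit_password(user, "Winter2018!x", policy, datetime(2019, 1, 1))
    later = datetime(2019, 3, 1)
    return {
        "reuse": check_password(user, "Winter2018!x", policy, later),
        "name_token": check_password(user, "JaneRocks#2019", policy, later),
        "banned": check_password(user, "contoso1", policy, later),
        "too_soon": check_password(user, "Tr0ub4dor&3", policy, datetime(2019, 1, 1, 6)),
        "accepted": check_password(user, "Tr0ub4dor&3", policy, later),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "accepted")
```

Because every rule is evaluated rather than stopping at the first failure, the caller receives the complete reason list in one round trip, which is what makes the synchronous, zero-delay feedback in the second bullet useful to the user.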

✔️ To use SSPR you must have already configured Azure AD Connect in your environment.

Azure AD Connect Health

When you integrate your on-premises directories with Azure AD, your users are more productive because there’s a common identity to access both cloud and on-premises resources. However, this integration creates the challenge of ensuring that this environment is healthy, so that users can reliably access resources both on premises and in the cloud from any device.

Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible. Azure AD Connect Health helps you:

  • Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.
  • Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.
  • Monitor and gain insights into your on-premises identity infrastructure that is used to access Office 365 or other Azure AD applications.

With Azure AD Connect Health, the key data you need is easily accessible. You can view and act on alerts, set up email notifications for critical alerts, and view performance data.

✔️ AD Connect Health works by installing an agent on each of your on-premises sync servers.

AD Join

Device Management

Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere. The proliferation of devices – including Bring Your Own Device (BYOD) – empowers end users to be productive wherever and whenever. But IT administrators must ensure corporate assets are protected and that devices meet standards for security and compliance.

To get a device under the control of Azure AD, you have two options:

  • Registering a device to Azure AD enables you to manage a device’s identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable a device.
  • Joining a device is an extension to registering a device. This means it provides you with all the benefits of registering a device and, in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign in to a device using an organizational work or school account instead of a personal account.

✔️ Registration combined with a mobile device management (MDM) solution such as Microsoft Intune provides additional device attributes in Azure AD. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance.

For more information, you can see:

Introduction to device management – https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction

Azure AD Joined Devices

Azure AD Join is designed to provide access to organizational apps and resources and to simplify Windows deployments of work-owned devices. AD Join has these benefits.

  • Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don’t see additional authentication prompts when accessing work resources. The SSO functionality is available even when users are not connected to the domain network.
  • Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect to a Microsoft account (for example, Hotmail) to see settings across devices.
  • Access to Windows Store for Business using an Azure AD account. Your users can choose from an inventory of applications pre-selected by the organization.
  • Windows Hello support for secure and convenient access to work resources.
  • Restriction of access to apps from only devices that meet compliance policy.
  • Seamless access to on-premises resources when the device has line of sight to the on-premises domain controller.

✔️ Although AD Join is intended for organizations that do not have on-premises Windows Server Active Directory infrastructure, it can be used for other scenarios like branch offices.

Hybrid AD Joined Devices

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined both to your on-premises Active Directory and your Azure Active Directory.

Joining devices to both directories allows:

  • IT departments to manage work-owned devices from a central location.
  • Users to sign in to their devices with their Active Directory work or school accounts.

Here is a comparison of Registered, AD Joined, and Hybrid AD Joined devices.

                    Registered Devices   Azure AD Joined Devices   Hybrid AD Joined Devices
Device Type         Personal             Organization owned        Organization owned
Registration        Manual               Manual                    Automatic
Operating System    Windows 10           Windows 10                Windows 7, 8, and 10

✔️ Are you understanding the different types of joined devices? Which do you think your organization needs?

For more information, you can see:

Hybrid Azure AD joined devices – https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#hybrid-azure-ad-joined-devices

Configuring Azure AD Join

To manage your devices using the Azure portal, your devices need to be either registered or joined to Azure AD. As an administrator, you can fine-tune the process of registering and joining devices by configuring the device settings.

Users may join devices to Azure AD – This setting enables you to select the users who can join devices to Azure AD. The default is All. This setting is only applicable to Azure AD Join on Windows 10.

Additional local administrators on Azure AD joined devices – You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).

Users may register their devices with Azure AD – You need to configure this setting to allow devices to be registered with Azure AD. If you select None, devices are not allowed to register when they are not Azure AD joined or hybrid Azure AD joined. Enrollment with Microsoft Intune or Mobile Device Management (MDM) for Office 365 requires registration. If you have configured either of these services, ALL is selected and NONE is not available.

Require Multi-Factor Auth to join devices – You can choose whether users are required to provide a second authentication factor to join their device to Azure AD. The default is No. We recommend requiring multi-factor authentication when registering a device. Before you enable multi-factor authentication for this service, you must ensure that multi-factor authentication is configured for the users that register their devices. For more information on different Azure multi-factor authentication services, see Getting started with Azure multi-factor authentication. This setting does not impact hybrid join for Windows 10 or Windows 7. This is only applicable to Azure AD Join on Windows 10 and BYO device registration for Windows 10, iOS, and Android.

Maximum number of devices – This setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they are not able to add additional devices until one or more of the existing devices are removed. The device quota is counted for all devices that are either Azure AD joined or Azure AD registered today. The default value is 20.

Users may sync settings and app data across devices – By default, this setting is set to NONE. Selecting specific users or groups or ALL allows the user’s settings and app data to sync across their Windows 10 devices. Learn more on how sync works in Windows 10. This option is a premium capability available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).
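The "Maximum number of devices" setting above counts a user's Azure AD joined and Azure AD registered devices against a quota that defaults to 20, and the earlier comparison of registered, joined and hybrid joined devices is what decides which devices count. The following is an added example, not code from the AZ-103 lab or from Azure AD, that audits a device inventory against that quota in Python. The records are constructed to resemble the device resource returned by the Microsoft Graph API, simplified so that registeredOwners is a list of user principal names; the trustType values Workplace, AzureAd and ServerAd are Graph's real values for registered, Azure AD joined and hybrid joined devices. It is an assumption that hybrid joined devices do not count toward the quota (the lab names only joined and registered devices), and the contoso.example owners and device names are constructed.

```python
"""Added example (not code from the AZ-103 lab or from Azure AD): an audit of
device objects against the per-user device quota. Records are constructed to
resemble the Microsoft Graph 'device' resource, simplified so registeredOwners
is a list of UPNs. trustType values are Graph's real ones: 'Workplace'
(Azure AD registered), 'AzureAd' (Azure AD joined), 'ServerAd' (hybrid joined).
Assumption: hybrid joined devices are not counted toward the quota."""

from collections import Counter

JOIN_TYPE = {"Workplace": "registered", "AzureAd": "azure-ad-joined", "ServerAd": "hybrid-joined"}
COUNTED_TOWARD_QUOTA = {"Workplace", "AzureAd"}   # assumption, see module docstring
DEFAULT_QUOTA = 20                                 # the lab's default "Maximum number of devices"


def _device(name, trust_type, owners, enabled=True):
    """Build one constructed device record in the simplified Graph shape."""
    return {"displayName": name, "trustType": trust_type,
            "accountEnabled": enabled, "registeredOwners": list(owners)}


ALICE, BOB = "alice@contoso.example", "bob@contoso.example"   # constructed UPNs

# Constructed inventory: Alice sits exactly at the default quota, Bob has two
# counted devices plus three hybrid joined desktops, and one kiosk has no owner
# and has been disabled through its device identity.
SAMPLE_DEVICES = (
    [_device(f"ALICE-PHONE-{i:02d}", "Workplace", [ALICE]) for i in range(1, 20)]
    + [_device("ALICE-LAPTOP", "AzureAd", [ALICE])]
    + [_device("BOB-LAPTOP", "AzureAd", [BOB]), _device("BOB-TABLET", "Workplace", [BOB])]
    + [_device(f"BOB-DESKTOP-{i}", "ServerAd", [BOB]) for i in range(1, 4)]
    + [_device("KIOSK-01", "AzureAd", [], enabled=False)]
)


def audit_devices(devices, quota=DEFAULT_QUOTA):
    """Summarise an inventory: counted devices per owner, owners at or over
    the quota, totals by join type, and the devices an admin reviews first
    (no registered owner, or identity disabled)."""
    per_owner = Counter()
    by_type = Counter()
    ownerless, disabled = [], []
    for d in devices:
        by_type[JOIN_TYPE.get(d.get("trustType"), "unknown")] += 1
        owners = d.get("registeredOwners") or []
        if not owners:
            ownerless.append(d["displayName"])
        if not d.get("accountEnabled", True):
            disabled.append(d["displayName"])
        if d.get("trustType") in COUNTED_TOWARD_QUOTA:
            for owner in owners:
                per_owner[owner] += 1
    return {
        "per_owner": dict(per_owner),
        "at_quota": sorted(o for o, n in per_owner.items() if n >= quota),
        "by_type": dict(by_type),
        "ownerless": ownerless,
        "disabled": disabled,
    }


if __name__ == "__main__":
    report = audit_devices(SAMPLE_DEVICES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the audit on real data means replacing SAMPLE_DEVICES with the device list read from your tenant; the at_quota list tells you which users will fail their next join or registration, and the ownerless and disabled lists are the records worth reviewing when cleaning up stale devices.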

References

Azure Administrator Course
https://github.com/MicrosoftLearning/AZ-103-MicrosoftAzureAdministrator