20161103 Cloud Brew - Microsoft Azure Active Directory Premium

Posted on 12-Apr-2017


Scenario Based Overview

Azure AD Premium

Today’s session

• Scenario-based overview of what Azure AD Premium has to offer

• Technical overview of the presented scenarios

• Demo of each of the scenarios

• Q&A about Azure AD Premium

Scenarios

1. Can I have a secure platform for all my SaaS applications?

2. How can I provide SSO for my users?

- For my internal users
- In a BYOD world
- For partners

3. Can I leverage the platform for my current applications?

4. Can I implement additional security on the platform?

5. Can I leverage the platform for my own applications and APIs?

6. How can I have monitoring and audit trails for all my applications?

It’s all about your identity

Demo LAB (diagram)

On-premises:

• CLT01 (BYOD client)

• DC01 (domain controller)

• MGMT01 (Azure AD Connect + PTA + legacy app)

• MGMT02 (Azure AD Application Proxy connector)

• Web server (WordPress)

Azure:

• Azure AD, fronting the SaaS applications

• Azure AD Domain Services (AD services for Azure)

• DS-TEST (legacy AD-integrated app)

Flows between on-premises AD and Azure AD: sync identities (+ passwords); self-servicing (groups + passwords).

Can I have a secure platform for all my SaaS applications?

DEMO 1

How can I provide SSO for my users?

Sign-in Options Today (chart plotting complexity against value)

• Cloud only accounts

• AAD Connect + cloud accounts

• AAD Connect + PHS

• Pass-through Authentication

• AAD Connect + AD FS (SSO + no password)

Pass-through Authentication (diagram: user, AAD STS, AD App Proxy service, connector in Contoso Corpnet, DC)

1. User enters user name and password.

2. Username and password are sent to AAD (App Proxy service).

3. Connector is notified of the request (the connector polls for requests).

4. Connector validates the credentials against AD.

5. DC returns the result.

6. Connector returns the result.

7. Result is returned back to the AAD STS.

8. Token is returned to the user, or further proofs (MFA) are initiated.
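The eight-step sequence above, modelled as an added Python example (not Microsoft's or the presenter's code). The queue, the "domain controller", the user records and seal()/unseal() are all constructed stand-ins; the point it shows is the division of labour on the slide: the cloud STS only forwards the request and reads back a yes/no, the on-premises connector polls and validates against AD, and a token is issued (or MFA demanded) only after the connector answers.

```python
"""Model of the pass-through authentication (PTA) sign-in sequence.
Constructed example: queue, DC, users and seal()/unseal() are stand-ins."""
import base64
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass


def seal(password: str) -> bytes:
    # Stand-in for encrypting the password to the connector's public key.
    # The cloud side only forwards these bytes; it never opens them.
    return base64.b64encode(password.encode())


def unseal(blob: bytes) -> str:
    return base64.b64decode(blob).decode()


@dataclass
class SignInRequest:
    request_id: str
    username: str
    sealed_password: bytes


class FakeDomainController:
    """On-prem AD stand-in (DC01 in the lab): keeps salted hashes only."""

    def __init__(self, users: dict):
        self._users = {}
        for user, pwd in users.items():
            salt = os.urandom(16)
            self._users[user] = (salt, self._digest(pwd, salt))

    @staticmethod
    def _digest(pwd: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 10_000)

    def validate(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))


class AadSts:
    """Cloud side. Step 2: queue the request. Step 8: issue a token only
    once the connector has reported success, or demand MFA first."""

    def __init__(self, mfa_users=()):
        self.pending = deque()      # requests waiting for a connector
        self.results = {}           # request_id -> bool from the connector
        self.requests = {}          # request_id -> SignInRequest
        self.mfa_users = set(mfa_users)
        self.issued_tokens = []

    def sign_in(self, username: str, password: str) -> str:
        req = SignInRequest(os.urandom(8).hex(), username, seal(password))
        self.requests[req.request_id] = req
        self.pending.append(req)
        return req.request_id

    def outcome(self, request_id: str) -> str:
        ok = self.results.get(request_id)
        if ok is None:
            return "pending"        # connector has not answered yet
        if not ok:
            return "invalid_credentials"
        user = self.requests[request_id].username
        if user in self.mfa_users:
            return "mfa_required"   # step 8: further proofs are initiated
        self.issued_tokens.append((user, os.urandom(16).hex()))
        return "token"


class Connector:
    """On-prem connector (MGMT01 in the lab). Steps 3-7: poll for requests,
    validate against AD and post the result back. It only calls outward."""

    def __init__(self, dc: FakeDomainController):
        self.dc = dc

    def poll_and_answer(self, sts: AadSts) -> int:
        handled = 0
        while sts.pending:
            req = sts.pending.popleft()
            password = unseal(req.sealed_password)   # only the connector can
            sts.results[req.request_id] = self.dc.validate(req.username, password)
            handled += 1
        return handled


def run_pta_demo() -> dict:
    """Three constructed sign-ins: good password, bad password, and a good
    password for a user with MFA enforced. Returns {username: outcome}."""
    dc = FakeDomainController({"alice": "Correct-Horse-1", "bob": "Battery-Staple-2",
                               "carol": "Purple-Monkey-3"})
    sts = AadSts(mfa_users={"carol"})
    ids = {"alice": sts.sign_in("alice", "Correct-Horse-1"),
           "bob": sts.sign_in("bob", "wrong-password"),
           "carol": sts.sign_in("carol", "Purple-Monkey-3")}
    assert all(sts.outcome(i) == "pending" for i in ids.values())
    Connector(dc).poll_and_answer(sts)
    return {user: sts.outcome(i) for user, i in ids.items()}


if __name__ == "__main__":
    print(run_pta_demo())
```

Two properties worth noticing when reading it: `AadSts` keeps only `sealed_password` and a boolean, never the password itself, and `Connector` is the only party that calls `unseal()` and the only one that talks to the DC, which is why PTA needs no inbound firewall rule toward the corporate network.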

Seamless SSO (diagram: user, AAD STS, DC in Contoso Corpnet)

1. User enters their username.

2. AAD STS sends a 401 response to get a Kerberos ticket.

3. User requests a Kerberos ticket.

4. AD returns the Kerberos ticket.

5. User sends the ticket to the AAD STS.

6. AAD STS returns a token to the user.

Sign-in Options (Future) (chart plotting complexity against value)

• Cloud only accounts

• AAD Connect + cloud accounts

• AAD Connect + PHS

• AAD Connect + PHS and SSO

• AAD Connect + PTA and SSO

• AAD Connect + AD FS (SSO)

SSO For BYOD

• User gets a Primary Refresh Token (PRT)

- Contains user AND device claims
- Can be checked using: dsregcmd.exe /status

• Limited browser support (Web Account Manager API)

- Edge
- Internet Explorer (iexplore)

• Works with Windows Hello for Business

SSO – Side note

• SSO in AAD always requires the user to be identified first. FIX: use domain hints

- OpenID: add &domain_hint=demolab.be
- WS-Fed: add &whr=demolab.be
- SAML: use the AuthN request
- ADAL: pass domain_hint
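The OpenID Connect and WS-Fed cases from the side note, as an added Python example that is not the presenter's code: a helper that appends the right realm-hint parameter to a sign-in URL while keeping the parameters that are already there and replacing a hint that is already present. demolab.be is the lab tenant from the deck; the login.microsoftonline.com URLs used in the comments are constructed inputs. The SAML and ADAL cases on the slide are not covered here.

```python
"""Add a home-realm hint (domain_hint for OpenID Connect, whr for WS-Fed) to a
sign-in request URL so AAD can skip the username prompt. Added example."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter name per protocol, as on the slide.
HINT_PARAM = {"openid": "domain_hint", "wsfed": "whr"}


def query_params(url: str) -> dict:
    """Decode the query string of url into a plain dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def add_domain_hint(url: str, domain: str, protocol: str) -> str:
    """Return url with the protocol's realm-hint parameter set to domain.

    Existing query parameters (client_id, wtrealm, redirect_uri, ...) are
    preserved and re-encoded; an existing hint is replaced rather than
    duplicated, so the helper is safe to call on a URL you did not build.
    """
    try:
        param = HINT_PARAM[protocol]
    except KeyError:
        raise ValueError(f"unsupported protocol {protocol!r}; "
                         f"expected one of {sorted(HINT_PARAM)}") from None
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, domain))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample requests, not captured from the lab.
    oidc = ("https://login.microsoftonline.com/common/oauth2/authorize"
            "?client_id=abc&response_type=code"
            "&redirect_uri=https%3A%2F%2Fapp.demolab.be%2F")
    wsfed = ("https://login.microsoftonline.com/demolab.be/wsfed"
             "?wa=wsignin1.0&wtrealm=urn%3Aapp")
    print(add_domain_hint(oidc, "demolab.be", "openid"))
    print(add_domain_hint(wsfed, "demolab.be", "wsfed"))
```

Because parse_qsl decodes and urlencode re-encodes, a redirect_uri that was percent-encoded on input comes out percent-encoded again; the round trip is what makes the helper safe on URLs assembled by a library rather than by hand.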

DEMO 2

Can I leverage the platform for my current applications?

AD Services for Azure resources

• Drawbacks

- Needs PHS
- Flat structure (no OUs)
- Limited GPOs
- No trust between on-prem AD and cloud AD

• Will give you

- LDAP/AD functionality for your (legacy) Azure workloads

Access on prem applications (diagram, built up over several slides)

• Azure Active Directory publishes the resource through Application Proxy at https://whoami.demolab.be

• A connector in the DMZ of the corporate network forwards the request to the internal resource http://whoami

• SAML: the user signs in at Azure Active Directory before the request reaches the connector

SSO for on prem applications (same diagram, continued)

• Get token (KCD): the connector obtains a Kerberos ticket for the signed-in user from the domain controller using Kerberos constrained delegation

• Kerberos: the connector authenticates to the internal resource with that ticket, so the user is not prompted again

DEMO 3

Can I implement additional security on the platform?

AAD Premium

• MFA

• Identity Protection

• Conditional Access

• Self Service Password Reset

• Governance Tooling

DEMO 4

Can I leverage the platform for my own applications and APIs?

DEMO 5

How can I have monitoring and audit trails for my (cloud) applications?

DEMO 6

Questions

Thank you

Robin Vermeirsch, rovr@xylos.com, Twitter: rovr_xylos