Azure Active Directory, Practical Guide
•Download as PPTX, PDF•
7 likes•2,923 views
Discover the capabilities of Azure AD today. Learn how to set up a new AAD, synchronize it with an on-premise Active Directory and configure it as an identity service in greenfield applications.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to Azure Active Directory, Practical Guide
Similar to Azure Active Directory, Practical Guide (20)
Recently uploaded
Recently uploaded (20)
Azure Active Directory, Practical Guide
- 1. Azure Active Directory The Practical Guide Sasha Rosenbaum @DivineOps September 2015
- 2. The “What”
- 3. Where did it all start?
- 4. Windows Active Directory •Centralized storage of information about all network objects (users, computers, etc.) •Authentication •Access control providing permission levels •Audit trail for monitoring network activity @DivineOps
- 7. Azure Active Directory Identity as a Service •Identity Management •Directory Services •Application Access Management @DivineOps
- 9. The “Why”
- 10. When should you choose Identity as a Service
- 11. You already have! Every Azure, Office365, Microsoft Intune and Dynamics CRM tenant is an AAD tenant @DivineOps
- 17. Tiers TIER FREE BASIC PREMIUM Directory as a Service Yes Yes Yes User and Group Management Yes Yes Yes Device registration Yes Yes Yes Directory Objects 1 500 K Unlimited Unlimited End User Access Panel Yes Yes Yes SSO for SaaS Apps 10 Apps / User 2 10 Apps / User 2 Unlimited Directory Synchronization Yes Yes Yes User-based Access Management and Provisioning Yes Yes Yes Basic Security Reports Yes Yes Yes @DivineOps
- 18. Tiers TIER FREE BASIC PREMIUM Logon/Access Panel Branding Customization -- Yes Yes Group-based Access Management and Provisioning -- Yes Yes Self-Service Password Reset for Cloud Users -- Yes Yes Secure Remote Access and SSO to on- premises web applications -- Yes Yes Self-Service Password Reset for Users w/ writeback to on-premises directories -- -- Yes Self-service group management for cloud users -- -- Yes @DivineOps
- 19. Tiers TIER FREE BASIC PREMIUM Multi-Factor Authentication (for cloud and on-premises applications) -- -- Yes Advanced Usage and Security Reports -- -- Yes Connect Health -- -- Yes Cloud App Discovery -- -- Yes Microsoft Identity Manager User CAL -- -- Yes Service Level Agreement -- 99.9% 99.9% @DivineOps
- 20. Scenarios •Green field applications • Web • Mobile @DivineOps
- 21. ADAL • Web Browser to Web Application (.Net) • Single Page Application (JavaScript, .Net) • Native Application to Web API (.Net, ObjC, Java) • Web Application to Web API (.Net, Nodejs) • Calling Azure AD Graph API (.Net, Java, PHP) @DivineOps
- 22. Scenarios •SaaS Applications • Over 2500 apps, including @DivineOps
- 23. Scenarios •On-Premise Applications • Integration with Local AD @DivineOps
- 24. The “How”
- 25. How do you get started?
- 26. Demo Active Directory Sync Azure AD Connect Demo Slides
- 28. Azure AD Connect •Azure AD Global Administrator account •Enterprise Administrator account for your local Active Directory •SQL Server database to store identity data •Meet server version and hardware requirements @DivineOps
- 29. Demo Greenfield Application Development AAD with new MVC app Demo Slides
- 30. The “Where” are we headed?
- 31. What’s New •Azure AD Connect with Connect Health is GA •Multi-Factor Authentication per app •Dynamic groups for applications and licenses •Out-of-the-box dedicated user group “All Users” •Azure Active Directory Application Proxy updates •Password write-back from AAD to AD is GA @DivineOps
- 32. B2C AAD As of September 2015 Business to Consumer AAD is in public preview! •Self-registration •Registration with social accounts •Customer defined UX •Security and scalability of Azure Cloud B2C AAD Overview @DivineOps
Editor's Notes
- A directory is similar to a database, but typically contains more descriptive, attribute-based data; that is, data read more often than it is written. Directories are tuned to respond quickly to high-volume lookup or search operations.
- BYOD Eliminate the need to plan, purchase, and maintain hardware and infrastructure by managing mobile devices from the cloud with Intune. Secure corporate data, including Exchange email, Outlook email, and OneDrive for Business documents, based on the enrollment status of the device and the compliance policies set by the administrator.
- OAuth 2.0 – One of the most popular authorization protocols of today. Some of the benefits of this protocol is its smaller token format, JSON Web Token (JWT), and application scenarios it simplifies such as accessing Web API’s from a native client with an access token. OpenID Connect – This is a protocol that adds an authentication layer on top of the existing OAuth 2.0 protocol. WS-Federation – This is arguably one of the most well-known and used protocol today for authenticating users of web applications. The token format used in this protocol is SAML. SAML-P – This is also a widely adopted protocol. The token format used in this protocol is SAML.
- Synchronization - This part is made up of the the components and functionality previously released as Dirsync and AAD Sync. AD FS - This is an optional part of Azure AD Connect and can be used to setup a hybrid environment using an on-premises AD FS infrastructure, to address complex deployments that include such things as domain join SSO, enforcement of AD login policy etc. Health Monitoring - For complex deployments using AD FS, Azure AD Connect Health can provide robust monitoring of your federation servers and provide a central location in the Azure portal to view this activity.
- By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is created on the local machine. SQL Server Express has a 10GB size limit that enables you to manage approximately 100.000 objects. Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server. The AD schema version and forest level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met. If Active Directory Federation Services is being deployed, the servers where AD FS will be installed must be Windows Server 2012 R2 or later.
- Multiple criteria can be defined to automatically populate a group. Think geographical location, department, etc. Only AAD groups today, not AD. Security policies can be applied immediately. Base level configuration out-of-the-box. On-premises apps can now join My Apps. More robust usage. Replacing DirSync and AADSync, Azure AD Connect will continue to enhance the experience of sharing identities securely with AAD.