Connect to the Microsoft Cloud
James Golding
Modern Workspace Collaboration
How can my business connect to the Microsoft Cloud?
Direct Authentication
• Cloud Identity – Manage your user accounts in Office 365 only. It is all done in the cloud.
• Synchronized Identity – Password hash synchronization with Seamless Single Sign-on (SSO)
• Pass-Through Identity – Pass-through authentication with Seamless Single Sign-on (SSO)
Identity Federation
• Federated Identity – Federated Single Sign-On (with Active Directory Federation Services (AD FS))
[Diagram: User1 + Password1 = Identity 1, authenticated by the On-Premises Active Directory and by Azure Active Directory (Office 365) in Microsoft's SaaS cloud]
The Basics
On the local network, your identity is everything. Your identity is your user ID plus your password. When you log in to the local area network you send your identity to the local Active Directory, and Active Directory authenticates that you are who you say you are. That process is called "authentication".
Microsoft's SaaS cloud also contains a directory, Azure Active Directory. Azure AD's job is to authenticate identities in the Microsoft Cloud.
Claims-based authentication is an industry-standard security protocol for authenticating users. It is built on the WS-* standards, which describe the use of Security Assertion Markup Language (SAML) tokens. Claims-based authentication requires these tokens and, by extension, an entity that can issue them: the Secure Token Service (STS). The STS server can be based on Active Directory Federation Services (AD FS) or on other platforms that provide this service.
At this time there are several options for where your identity is located and for how your organization authenticates to the cloud.
In the next few slides we will discuss how you can get your local identity authenticated to the Microsoft Cloud.
Connecting your organization to the Microsoft Modern Workplace Cloud: Where is the Identity?
[Diagram: On-premises Active Directory connected to Azure Active Directory]
The following identity frameworks allow us to connect to the Microsoft Modern Workspace in the Cloud:
Direct Authentication
• Cloud Identity – Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it's all done in the cloud.
• Synchronized Identity – Password hash synchronization with Seamless Single Sign-on (SSO) – Users are created and managed in the on-premises directory and are synchronized up to Office 365 so they can access Office 365 resources. Typically this means running the Azure Active Directory Connect (Azure AD Connect) appliance.
• Pass-Through Identity – Pass-through authentication with Seamless Single Sign-on (SSO) – Users are created and managed in the on-premises directory. A lightweight agent makes outbound connections to the cloud, and all identities stay inside the on-premises firewall.
Identity Federation
• Federated Identity – Federated SSO (with Active Directory Federation Services (AD FS)) – Federation relies on directory synchronization so that Azure AD is populated. When the authentication request is presented to Office 365, the service contacts the on-premises AD FS infrastructure so that AD is responsible for authenticating the request. Remember to establish trust between your Azure AD tenant and your federated domains. Once the trust is established, federated domain users have access to Azure AD cloud resources within the tenant.
Cloud Identity – users are created and managed in Windows Azure Active Directory (WAAD), with no connection to any other directory. This is the simplest model because there is no integration with any other directory. Each user has an account created in the cloud which does not synchronize anywhere else.
In this model, you create and manage users in the Office 365 admin center and store the accounts in Azure AD. Azure AD verifies the passwords. Azure AD is the cloud directory used by Office 365. No on-premises servers are required; Microsoft manages all that for you. When identity and authentication are handled completely in the cloud, you can manage user accounts and user licenses through the Office 365 admin center or Windows PowerShell cmdlets.
The following figure summarizes how to manage users in the cloud identity model.
In step 1, the admin connects to the Office 365 admin center in the Microsoft cloud platform to create or manage users.
In step 2, the create or manage requests are passed on to Azure AD.
In step 3, if this is a change request, the change is made and copied back to the Office 365 admin center.
In step 4, new user accounts and changes to existing user accounts are copied back to the Office 365 admin center.
When would you use cloud identity? Cloud identity is a good choice if:
• You have no other on-premises user directory.
• You have a very complex on-premises directory and simply want to avoid the work to integrate with it.
• You have an existing on-premises directory, but you want to run a trial or pilot of Office 365. Later, you can match the cloud users to on-premises users when you are ready to connect to your on-premises directory.
Cloud Identity
If the Cloud Identity choice is not appropriate for your organization, then you need to connect on-premises identities to the cloud. You may synchronize a password hash, use pass-through authentication, or federate a local identity through AD FS. All roads go through a common tool called "Microsoft Azure Active Directory Connect".
Synchronized Identity via Password (hash) sync – Users are created and managed in the on-premises directory and get
synchronized up to Office 365 so they can access Office 365 resources. Typically this means running the Azure Active
Directory Connect (Azure AD Connect) appliance to synchronize local active directory accounts and, optionally, passwords
to the cloud. The user enters the same password on-premises as he or she does in the cloud, and at sign-in, the password
is verified by Azure AD. This model uses a directory synchronization tool to synchronize the on-premises identity to Office
365.
To configure the synchronized identity model, you have to have an on-premises directory to synchronize from, and you
need to install a directory synchronization tool. You'll run a few consistency checks on your on-premises directory before
you sync the accounts.
What is Password Hash Sync?
At its simplest, cocktail-party-napkin-sketch level, password (hash) sync (a more accurate description, which I'll explain below) copies the user's password from AD to Azure AD every two minutes. This allows users to log in to Azure AD with the same user ID and password they use for their AD login. Microsoft calls this pattern same sign-on. It is distinct from single sign-on because with password (hash) sync, users are prompted to log in to Azure AD in addition to any corporate login they have already done.
How secure is password (hash) sync?
Note that I describe this feature as password (hash) sync, not password sync. It is an important distinction. Cleartext passwords are not synchronized between AD DS and Azure AD. Not only is that not a good idea, it is not even technically possible, because Active Directory does not have the cleartext passwords. When a user creates or updates their password in AD, it is stored as a one-way MD5 hash on the domain's DCs. This hash is what is synchronized to Azure AD and stored in the service's credentials store.
Connecting your organization to the Microsoft Cloud: identity federation vs direct authentication
How does Password Hash Sync work exactly?
I’ve compiled the following steps from Alex Simon’s blog post AAD Password Sync, Encryption, and FIPS Compliance and a few
other sources:
User passwords are stored as a non-reversible hash in Windows Server Active Directory Domain Controllers (DCs). When the password sync agent on AD Connect attempts to synchronize the password hash, the DC encrypts the hash. The encryption is performed with a key derived from the RPC session key by salting it. The key derivation is as follows [where SaltedEncryptionKey = MD5 (RPC session key, 128-bit random salt)]. The DC also passes the salt to the sync agent using the replication protocol.
The encrypted password hash is replicated (using the DC replication protocol) from the DC to the Password Sync Agent.
The Password Sync Agent decrypts the encrypted hash by deriving the key as described above. The password sync agent uses MD5 to perform the key derivation, because the derivation has to be identical to the derivation the DC performed when it encrypted the data, and MD5 is the highest level available for this action in the DC replication protocol of existing Windows Server Active Directory deployments.
Once the decryption is done, the sync agent takes the resulting original password hash and re-hashes it to a SHA256 hash using the PBKDF2 key derivation algorithm as defined in RFC 2898.
The Password Sync Agent then syncs that SHA256-hashed password hash over the wire (an encrypted Service Bus relay dedicated to the Azure AD tenant) to Azure AD.
Once the SHA256-hashed copy of the original password hash reaches Azure AD, Azure AD encrypts the hash with the AES algorithm before storing it in the cloud database.
The only thing that crosses the wire on the way to Azure AD is a SHA256-hashed copy of the original password hash. The password sync agent's use of MD5 is strictly for replication protocol compatibility with the DC, and is only used on premises, between the DC and the password sync agent.
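The steps above, carried through end to end as an added example (this is not code from the deck, from Alex Simon's post, or from Azure AD Connect). It models the three parties with the deck's own vocabulary: the DC derives SaltedEncryptionKey = MD5(RPC session key, 128-bit salt) and encrypts the stored hash, the sync agent re-derives the same key to recover it, and only a PBKDF2-HMAC-SHA256 digest of that hash is sent on to the cloud, where a sign-in is checked by recomputing the digest. Assumptions, labelled in the code: the 16-byte "original hash" is a constructed value; the deck does not name the cipher used with the salted key, so an HMAC-SHA256 counter-mode keystream stands in for it; and the PBKDF2 iteration count and salt length are chosen here, not taken from the deck.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the non-reversible password hash the DC holds.
# The deck only says it is a one-way hash; these 16 bytes are made up.
ORIGINAL_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed PBKDF2 parameters: the deck names PBKDF2 with SHA-256 (RFC 2898)
# but gives no iteration count or salt size, so these are illustrative.
PBKDF2_ITERATIONS = 1000
PBKDF2_DKLEN = 32


def derive_salted_key(rpc_session_key: bytes, salt: bytes) -> bytes:
    """SaltedEncryptionKey = MD5(RPC session key, 128-bit random salt).
    The DC and the sync agent must compute this identically."""
    if len(salt) != 16:
        raise ValueError("salt must be 128 bits")
    return hashlib.md5(rpc_session_key + salt).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Assumption: the deck does not name the cipher used with the salted key,
    # so this stand-in expands the key into a counter-mode HMAC-SHA256 keystream.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def dc_encrypt(original_hash: bytes, rpc_session_key: bytes, salt: bytes) -> bytes:
    """DC side: encrypt the stored hash under the salted session key before replication."""
    key = derive_salted_key(rpc_session_key, salt)
    return bytes(a ^ b for a, b in zip(original_hash, _keystream(key, len(original_hash))))


def agent_decrypt(ciphertext: bytes, rpc_session_key: bytes, salt: bytes) -> bytes:
    """Sync agent side: re-derive the same key from the session key and the salt the DC sent.
    XOR with the keystream is its own inverse, so decryption reuses dc_encrypt."""
    return dc_encrypt(ciphertext, rpc_session_key, salt)


def agent_rehash(original_hash: bytes, pbkdf2_salt: bytes) -> bytes:
    """Agent side: PBKDF2-HMAC-SHA256 over the recovered hash. This digest is all that goes to Azure AD."""
    return hashlib.pbkdf2_hmac("sha256", original_hash, pbkdf2_salt, PBKDF2_ITERATIONS, PBKDF2_DKLEN)


def cloud_verify(candidate_hash: bytes, stored_digest: bytes, pbkdf2_salt: bytes) -> bool:
    """Cloud side: check a sign-in by recomputing the digest and comparing in constant time."""
    return hmac.compare_digest(agent_rehash(candidate_hash, pbkdf2_salt), stored_digest)


def sync_round(original_hash: bytes, rpc_session_key: bytes, rpc_salt: bytes = None, pbkdf2_salt: bytes = None) -> dict:
    """One full sync: DC -> agent (encrypted hash), agent -> cloud (PBKDF2 digest)."""
    rpc_salt = rpc_salt or os.urandom(16)
    pbkdf2_salt = pbkdf2_salt or os.urandom(16)
    on_prem_wire = dc_encrypt(original_hash, rpc_session_key, rpc_salt)
    recovered = agent_decrypt(on_prem_wire, rpc_session_key, rpc_salt)
    if recovered != original_hash:
        raise RuntimeError("agent failed to recover the hash: key derivation mismatch")
    cloud_wire = agent_rehash(recovered, pbkdf2_salt)
    return {
        "cloud_payload": cloud_wire,
        "pbkdf2_salt": pbkdf2_salt,
        # Neither the original hash nor a cleartext password appears in what crosses to the cloud.
        "original_hash_exposed": original_hash in cloud_wire,
    }


if __name__ == "__main__":
    result = sync_round(ORIGINAL_HASH, b"constructed-rpc-session-key")
    print("digest sent to cloud:", result["cloud_payload"].hex())
    print("original hash visible on the wire:", result["original_hash_exposed"])
    print("cloud verify with correct hash:", cloud_verify(ORIGINAL_HASH, result["cloud_payload"], result["pbkdf2_salt"]))
```

The point a reviewer of such a design wants to see is the boundary: MD5 only ever touches the on-premises leg between DC and agent, the per-user PBKDF2 salt means identical passwords in two tenants produce different stored digests, and `cloud_verify` never needs the cleartext password or the original hash in storage, only the candidate presented at sign-in.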
When must you use Password Hash Sync?
There is one use case in which you must use password hash sync: if you choose to implement Azure AD Domain Services. This feature creates a domain controller as a service that Azure applications (such as VMs running AD-dependent applications) can use. For these DCs to be functionally equivalent to on-premises DCs, however, they must have user password hashes, and thus require password hash sync to get them into Azure.
Conclusion
Password hash sync is a popular solution for integrating your on-premises identities with Azure AD. It is not as elegant as identity federation, but it is simpler. As with any design decision, be sure you have thought through this solution's strengths and weaknesses and how they apply to your situation.
Synchronized Identity with Password (hash) sync
The following diagram shows a synchronized identity scenario with a password synchronization. The synchronization tool
keeps your on-premises and in-the-cloud corporate user identities synchronized.
In step 1, you install a Microsoft Azure Active Directory Connect.
In steps 2 and 3, you create new users in your on-premises directory. The synchronization tool will periodically check your
on-premises directory for any new identities you have created. Then it provisions these identities into Azure AD, links the
on-premises and cloud identities to one another, synchronizes passwords, and makes them visible to you through the
Office 365 admin center.
In step 4, as you make changes to the users in the on-premises directory, those changes are synchronized to Azure AD and
made available to you through the Office 365 admin center.
Pass-Through-Identity
Why use it? What is it?
• When security and compliance policies in certain organizations don't permit these organizations to send users'
passwords, even in a hashed form, outside their internal boundaries, pass-through Authentication is the right solution.
• Users are created and managed in the on-premises directory.
• On-premises passwords are never stored in the cloud in any form.
• The agent only makes outbound connections from within your network. Therefore, there is no requirement to install
the agent in a perimeter network, also known as a DMZ.
• Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor
Authentication (MFA), and by filtering out brute force password attacks.
Pass-Through-Identity – Key Benefits
• Great user experience
  • Users use the same passwords to sign into both on-premises and cloud-based applications.
  • Users spend less time talking to the IT helpdesk resolving password-related issues.
  • Users can complete self-service password management tasks in the cloud.
• Easy to deploy & administer
  • No need for complex on-premises deployments or network configuration.
  • Needs just a lightweight agent to be installed on-premises.
  • No management overhead. The agent automatically receives improvements and bug fixes.
• Secure
  • On-premises passwords are never stored in the cloud in any form.
  • The agent only makes outbound connections from within your network. Therefore, there is no requirement to install the agent in a perimeter network, also known as a DMZ.
  • Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA), and by filtering out brute force password attacks.
• Highly available
  • Additional agents can be installed on multiple on-premises servers to provide high availability of sign-in requests.
Pass-Through-Identity
Feature Highlights
• Supports user sign-in into all web browser-based applications and into Microsoft Office client applications that use
modern authentication.
• Sign-in usernames can be either the on-premises default username (userPrincipalName) or another attribute configured
in Azure AD Connect (known as Alternate ID).
• The feature works seamlessly with conditional access features such as Multi-Factor Authentication (MFA) to help secure
your users.
• Integrated with cloud-based self-service password management, including password writeback to on-premises Active
Directory and password protection by banning commonly used passwords.
• Multi-forest environments are supported if there are forest trusts between your AD forests and if name suffix routing is
correctly configured.
• It is a free feature, and you don't need any paid editions of Azure AD to use it.
• It can be enabled via Azure AD Connect.
• It uses a lightweight on-premises agent that listens for and responds to password validation requests.
• Installing multiple agents provides high availability of sign-in requests.
• It protects your on-premises accounts against brute force password attacks in the cloud.
Federated Identity – Identity Federation relies on directory synchronization so that Azure AD is populated. When the
authentication request is presented to Office 365, the service will then contact the on-premises AD FS infrastructure so
that AD is responsible for authenticating the request.
Identity federation with a federation service such as AD FS or other compliant service provides single sign on to Azure AD
by redirecting users from the cloud service back to their local AD for authentication.
Advantages of Identity Federation: There’s one identity in the local Active Directory. All Identities stay local within the
firewall. Disadvantages of Identity Federation: Requires a (highly-available) federation service to process authentications
in the cloud.
Federated Identity with Single Sign-On for Hybrid On-Premise and Cloud deployment
The following diagram shows a scenario of federated identity with a hybrid on-premises and cloud deployment. The on-
premises directory in this example is AD FS. The synchronization tool keeps your on-premises and in-the-cloud corporate
user identities synchronized.
In step 1, you install Azure Active Directory Connect. The synchronization tool helps keep Azure AD up to date with the latest changes you make in your on-premises directory. For instructions, see Set up directory synchronization in Office 365. Specifically, you will need to use a custom install of Azure AD Connect to set up single sign-on.
In steps 2 and 3, you create new users in your on-premises Active Directory. The synchronization tool will periodically check
your on-premises Active Directory server for any new identities you have created. Then it provisions these identities into
Azure AD, links the on-premises and cloud identities to one another, and makes them visible to you through the Office 365
admin center.
In steps 4 and 5, as changes are made to the identity in the on-premises Active Directory, those changes are synchronized
to the Azure AD and made available to you through the Office 365 admin center.
In steps 6 and 7, your federated users sign in with your AD FS. AD FS generates a security token and that token is passed to
Azure AD. The token is verified and validated and the users are then authorized for Office 365.
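Steps 6 and 7 above, and the claims-based authentication description earlier in the deck (an STS issues a token; the cloud service verifies and validates it), as an added example that is not code from the deck, from AD FS, or from Azure AD. The STS side authenticates the user locally and mints a signed claims token; the cloud side accepts it only if the issuer is one of the federated domains the tenant trusts, the signature checks out under that issuer's key, the audience is this tenant, and the validity window holds. Assumptions, labelled in the code: the issuer URL, audience string and user names are constructed; an HMAC secret stands in for the AD FS token-signing certificate, and a compact base64 claims blob stands in for a SAML XML token, so the token format is not SAML, only the trust checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust table: which federated issuers this tenant trusts, and the key
# material bound to each. Assumption: an HMAC secret stands in for the AD FS
# token-signing certificate that a real federation trust holds.
TRUSTED_ISSUERS = {
    "https://adfs.contoso.example/adfs/services/trust": b"constructed-token-signing-secret",
}
# Constructed audience identifier for this tenant (a real deployment uses a fixed URI).
TENANT_AUDIENCE = "urn:constructed:tenant-audience"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(issuer: str, signing_key: bytes, subject: str, audience: str,
                    lifetime_s: int = 600, now: int = None) -> str:
    """STS / AD FS side (step 6): after authenticating the user against local AD,
    mint a signed claims token bound to an issuer, a subject, an audience and a validity window."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "nbf": now, "exp": now + lifetime_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def cloud_validate_token(token: str, trusted_issuers: dict, expected_audience: str, now: int = None):
    """Azure AD side (step 7): verify and validate the token. Returns (ok, reason, claims).
    Order matters: identify the issuer, check the signature under *that* issuer's key,
    and only then trust the remaining claims."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return False, "malformed token", None
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        return False, "issuer not federated with this tenant", claims
    expected_sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig)):
        return False, "bad signature", claims
    if claims.get("aud") != expected_audience:
        return False, "token not intended for this tenant", claims
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid", claims
    return True, "ok", claims


if __name__ == "__main__":
    issuer = "https://adfs.contoso.example/adfs/services/trust"
    token = sts_issue_token(issuer, TRUSTED_ISSUERS[issuer], "user1@contoso.example", TENANT_AUDIENCE)
    print(cloud_validate_token(token, TRUSTED_ISSUERS, TENANT_AUDIENCE))
    # A token from an issuer the tenant never federated with is rejected before any claim is trusted.
    stray = sts_issue_token("https://sts.other.example/", b"whatever", "user1@contoso.example", TENANT_AUDIENCE)
    print(cloud_validate_token(stray, TRUSTED_ISSUERS, TENANT_AUDIENCE))
```

This is why the deck says to establish trust between the tenant and the federated domains first: without an entry in `TRUSTED_ISSUERS`, even a perfectly well-formed token is refused, and the sync in steps 1 to 5 is what gives the cloud an account to map the token's subject onto.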
Synchronization, Pass-Through Authentication or Identity Federation will authenticate your organization to the Microsoft Cloud.
Thank You.
If you have further questions please contact Microsoft immediately.

Identity Management for Office 365 and Microsoft AzureIdentity Management for Office 365 and Microsoft Azure
Identity Management for Office 365 and Microsoft Azure
 
1. Day 1 - Office 365 Trainning
1. Day 1 - Office 365 Trainning1. Day 1 - Office 365 Trainning
1. Day 1 - Office 365 Trainning
 
Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active Directory
 
Understanding Cloud Identities - SMBNation 2015
Understanding Cloud Identities - SMBNation 2015Understanding Cloud Identities - SMBNation 2015
Understanding Cloud Identities - SMBNation 2015
 

Recently uploaded

Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 

Recently uploaded (20)

Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 

Connect to the Microsoft Cloud

  • 1. Connect to the Microsoft Cloud
    James Golding, Modern Workspace Collaboration
  • 2. How can my business connect to the Microsoft Cloud?
    Direct Authentication
    • Cloud Identity – Manage your user accounts in Office 365 only. It is all done in the cloud.
    • Synchronized Identity – Password hash synchronization with Seamless Single Sign-on (SSO)
    • Pass-Through Identity – Pass-through authentication with Seamless Single Sign-on (SSO)
    Identity Federation
    • Federated Identity – Federated Single Sign-On (with Active Directory Federation Services (AD FS))
  • 3. The Basics
    [Diagram: Microsoft’s SaaS Cloud (Azure Active Directory, Office 365); On-Premises Active Directory; User1 + Password1 = Identity 1]
    On the local network, your identity is everything. Your identity includes your User ID and your Password. When you log in to the local area network you send your identity to the local Active Directory, and the local Active Directory authenticates that you are who you say you are. That process is called “Authentication”.
    Microsoft’s SaaS Cloud also contains an Active Directory called “Azure Active Directory”. Azure AD’s job is to authenticate identities in the Microsoft Cloud.
  • 4. Claims-based authentication
    [Diagram: Microsoft’s SaaS Cloud (Azure Active Directory, Office 365); On-Premises Active Directory; User1 + Password1 = Identity 1]
    Claims-based authentication is an industry-standard security protocol for authenticating users. It builds on the WS-* standards that describe the use of Security Assertion Markup Language (SAML) tokens. Claims-based authentication requires these tokens and, by extension, an entity that can issue them: the Security Token Service (STS). The STS server can be based on Active Directory Federation Services (AD FS) or other platforms that provide this service.
    At this time there are several options for where your identity is located and for how your organization authenticates to the cloud.
    In the next few slides we will discuss how you may get your local identity authenticated to the Microsoft Cloud.
  • 5. Connecting your organization to the Microsoft Modern Workplace Cloud: Where is the Identity?
    [Diagram: On-premises Active Directory → Azure AD Connect → Azure Active Directory]
    The following identity frameworks will allow us to connect to the Microsoft Modern Workspace in the Cloud:
    Direct Authentication
    • Cloud Identity – Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it's all done in the cloud.
    • Synchronized Identity – Password hash synchronization with Seamless Single Sign-on (SSO). Users are created and managed in the on-premises directory and are synchronized up to Office 365 so they can access Office 365 resources. Typically this means running the Azure Active Directory Connect (Azure AD Connect) appliance.
    • Pass-Through Identity – Pass-through authentication with Seamless Single Sign-on (SSO). Users are created and managed in the on-premises directory. A simple agent connects outbound to the cloud and all identities stay within the firewall on-site.
    Identity Federation
    • Federated Identity – Federated SSO (with Active Directory Federation Services (AD FS)). Federation relies on directory synchronization so that Azure AD is populated. When the authentication request is presented to Office 365, the service contacts the on-premises AD FS infrastructure so that AD is responsible for authenticating the request. Remember to establish trust between your Azure AD tenant and your federated domains. Once the trust is established, federated domain users will have access to Azure AD cloud resources within the tenant.
  • 6. Cloud Identity
    Cloud Identity – users are created and managed in Windows Azure Active Directory (WAAD), with no connection to any other directory. This is the simplest model as there is no integration with any other directory. Each user has an account created in the cloud which does not synchronize anywhere else.
    In this model, you create and manage users in the Office 365 admin center and store the accounts in Azure AD. Azure AD verifies the passwords. Azure AD is the cloud directory that is used by Office 365. No on-premises servers are required; Microsoft manages all that for you.
    When identity and authentication are handled completely in the cloud, you can manage user accounts and user licenses through the Office 365 admin center or Windows PowerShell cmdlets.
    The following figure summarizes how to manage users in the cloud identity model:
    • Step 1: the admin connects to the Office 365 admin center in the Microsoft cloud platform to create or manage users.
    • Step 2: the create or manage requests are passed on to Azure AD.
    • Step 3: if this is a change request, the change is made and copied back to the Office 365 admin center.
    • Step 4: new user accounts and changes to existing user accounts are copied back to the Office 365 admin center.
  • 7. Cloud Identity: when would you use it?
    Cloud identity is a good choice if:
    • You have no other on-premises user directory.
    • You have a very complex on-premises directory and simply want to avoid the work to integrate with it.
    • You have an existing on-premises directory, but you want to run a trial or pilot of Office 365. Later, you can match the cloud users to on-premises users when you are ready to connect to your on-premises directory.
  • 8. Connecting on-premises identities to the cloud
    If the Cloud Identity choice is not appropriate for your organization, then you need to connect on-premises identities to the cloud. You may synchronize a password hash, use pass-through authentication, or federate a local identity through AD FS. All roads go through a common tool called “Microsoft Azure Active Directory Connect”.
  • 9. Synchronized Identity via Password (hash) sync
    Users are created and managed in the on-premises directory and are synchronized up to Office 365 so they can access Office 365 resources. Typically this means running the Azure Active Directory Connect (Azure AD Connect) appliance to synchronize local Active Directory accounts and, optionally, passwords to the cloud. The user enters the same password on-premises as he or she does in the cloud, and at sign-in the password is verified by Azure AD.
    This model uses a directory synchronization tool to synchronize the on-premises identity to Office 365. To configure the synchronized identity model, you have to have an on-premises directory to synchronize from, and you need to install a directory synchronization tool. You'll run a few consistency checks on your on-premises directory before you sync the accounts.
    What is Password Hash Sync?
    At its simplest, cocktail-party-napkin-sketch level, password (hash) sync (a more accurate description, which I’ll explain below) copies the user’s password from AD to Azure AD every two minutes. This allows users to log in to Azure AD with the same user ID and password they use for their AD login. Microsoft calls this pattern same sign-on. It’s distinct from single sign-on because with password (hash) sync, users will be prompted to log in to Azure AD in addition to any corporate login they’ve done.
    How secure is password (hash) sync?
    Note that I describe this feature as password (hash) sync, not password sync. It’s an important distinction. Cleartext passwords are not synchronized between AD DS and Azure AD. Not only is it not a good idea, it’s not even technically possible, because Active Directory doesn’t have the cleartext passwords. When a user creates or updates their password in AD, it is stored as a one-way MD5 hash on the domain’s DCs. This hash is what’s synchronized to Azure AD and stored in the service’s credentials store.
  • 10. Connecting your organization to the Microsoft Cloud: identity federation vs direct authentication
    How does Password Hash Sync work exactly? I’ve compiled the following steps from Alex Simon’s blog post “AAD Password Sync, Encryption, and FIPS Compliance” and a few other sources:
    • User passwords are stored as a non-reversible hash in Windows Server Active Directory Domain Controllers (DCs).
    • When the password sync agent on AD Connect attempts to synchronize the password hash, the DC encrypts the hash. The encryption is performed with a key derived from the RPC session key by salting it: SaltedEncryptionKey = MD5(RPC session key, 128-bit random salt). The DC also passes the salt to the sync agent using the replication protocol.
    • The original password hash is replicated (using the DC replication protocol) from the DC to the Password Sync Agent.
    • The Password Sync Agent decrypts the encrypted hash by deriving the key as described above. The password sync agent uses MD5 to perform the key derivation, as the derivation has to be identical to the derivation the DC performed when it encrypted the data, and MD5 is the highest level available for this action in the DC replication protocol of existing Windows Server Active Directory deployments.
    • Once the decryption is done, the sync agent takes the resulting original password hash and re-hashes it to a SHA256 hash using the PBKDF2 key derivation algorithm as defined in RFC 2898.
    • The Password Sync Agent then syncs that SHA256 hashed password hash over the wire (an encrypted Service Bus relay dedicated to the Azure AD tenant) to Azure AD.
    • Once the SHA256 hashed copy of the original password hash reaches Azure AD, Azure AD encrypts the hash with the AES algorithm before storing it in the cloud database.
    The only thing that crosses the wire on the way to Azure AD is a SHA256 hashed copy of the original password hash. The password sync agent’s use of MD5 is strictly for replication protocol compatibility with the DC, and is only used on-premises, between the DC and the password sync agent.
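To make the hash sync pipeline on slide 10 concrete, here is an added Python model written for this page (example code, not Microsoft's implementation and not part of the deck). It follows the slide's steps: the DC and the sync agent both derive SaltedEncryptionKey = MD5(RPC session key, 128-bit salt), the agent recovers the original hash, re-hashes it with PBKDF2-HMAC-SHA256 (RFC 2898), and only that derived value is what the cloud side stores and compares at sign-in. Assumptions not on the slide: the stored hash is treated as an opaque 16-byte value, the replication-leg cipher is modelled as XOR with the derived key (the slide names only the key derivation, not the cipher), and the PBKDF2 salt and iteration count are illustrative.

```python
# Added example for this page (not from the deck, not Microsoft's code): a
# standard-library model of the password hash sync pipeline from slide 10.
# Constructed assumptions: the stored hash is an opaque 16-byte value, the
# replication-leg cipher is modelled as XOR with the derived key, and the
# PBKDF2 salt/iteration count are illustrative.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1000  # assumption, not taken from the slide


def derive_salted_key(rpc_session_key: bytes, salt: bytes) -> bytes:
    """SaltedEncryptionKey = MD5(RPC session key, 128-bit random salt).

    The DC and the sync agent both run this, so they agree on the key
    without the key itself ever being sent.
    """
    return hashlib.md5(rpc_session_key + salt).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Stand-in for the replication protocol's cipher (assumption).

    XOR is symmetric, so the same call encrypts and decrypts.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def dc_export_hash(stored_hash: bytes, rpc_session_key: bytes):
    """Domain controller side: fresh 128-bit salt, derive key, encrypt the hash.

    Returns (encrypted hash, salt); the salt travels with the data, the RPC
    session key does not.
    """
    salt = os.urandom(16)
    key = derive_salted_key(rpc_session_key, salt)
    return xor_with_key(stored_hash, key), salt


def agent_recover_hash(encrypted: bytes, salt: bytes, rpc_session_key: bytes) -> bytes:
    """Sync agent side: re-derive the same key and undo the encryption."""
    return xor_with_key(encrypted, derive_salted_key(rpc_session_key, salt))


def rehash_for_cloud(original_hash: bytes, cloud_salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 2898) over the original hash.

    This 32-byte value is the only thing that crosses the wire to Azure AD.
    """
    return hashlib.pbkdf2_hmac("sha256", original_hash, cloud_salt, iterations)


def cloud_verify(candidate_hash: bytes, stored_cloud_hash: bytes, cloud_salt: bytes,
                 iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Cloud side at sign-in: derive from the candidate and compare in constant time.

    The cloud never needs the original hash, only the ability to re-derive.
    """
    derived = rehash_for_cloud(candidate_hash, cloud_salt, iterations)
    return hmac.compare_digest(derived, stored_cloud_hash)


def run_sync(stored_hash: bytes, rpc_session_key: bytes, cloud_salt: bytes):
    """One sync cycle; returns (hash recovered by the agent, value sent to the cloud)."""
    encrypted, salt = dc_export_hash(stored_hash, rpc_session_key)
    recovered = agent_recover_hash(encrypted, salt, rpc_session_key)
    return recovered, rehash_for_cloud(recovered, cloud_salt)


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real credential.
    stored = bytes.fromhex("00112233445566778899aabbccddeeff")
    session_key = b"constructed-rpc-session-key"
    cloud_salt = b"constructed-salt"
    recovered, wire = run_sync(stored, session_key, cloud_salt)
    print("agent recovered original hash:", recovered == stored)
    print("wire value differs from original:", wire != stored)
    print("cloud verifies correct hash:", cloud_verify(stored, wire, cloud_salt))
    print("cloud rejects wrong hash:", cloud_verify(bytes(16), wire, cloud_salt))
```

The two properties worth checking are the ones the slide argues for: a party that sees the replication leg but lacks the RPC session key recovers garbage rather than the hash, and the value that reaches the cloud is a salted PBKDF2 output that Azure AD only ever re-derives and compares, never inverts.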
  • 11. Connecting your organization to the Microsoft Cloud: direct authentication vs identity federation
    When must you use Password Hash Sync? There is one use case where you must use password hash sync: if you choose to implement Azure AD Domain Services. This feature creates a domain controller as a service that Azure applications (such as VMs running AD-dependent applications) can use. For these DCs to be functionally equivalent to on-premises DCs, however, they must have user password hashes, and thus require password hash sync to get them into Azure.
    Conclusion
    Password hash sync is a popular solution for integrating your on-premises identities with Azure AD. It’s not as elegant as using identity federation, but it’s simpler. As with any design decision, be sure you’ve thought through this solution’s strengths and weaknesses and how they apply to your situation.
  • 12. Synchronized Identity with Password (hash) sync
    The following diagram shows a synchronized identity scenario with password synchronization. The synchronization tool keeps your on-premises and in-the-cloud corporate user identities synchronized.
    • Step 1: you install Microsoft Azure Active Directory Connect.
    • Steps 2 and 3: you create new users in your on-premises directory. The synchronization tool periodically checks your on-premises directory for any new identities you have created. Then it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, synchronizes passwords, and makes them visible to you through the Office 365 admin center.
    • Step 4: as you make changes to the users in the on-premises directory, those changes are synchronized to Azure AD and made available to you through the Office 365 admin center.
  • 13. Synchronized Identity via Password (hash) sync (diagram)
  • 14. Pass-Through Identity: what is it and why use it?
    • When security and compliance policies in certain organizations don't permit these organizations to send users' passwords, even in a hashed form, outside their internal boundaries, pass-through authentication is the right solution.
    • Users are created and managed in the on-premises directory.
    • On-premises passwords are never stored in the cloud in any form.
    • The agent only makes outbound connections from within your network. Therefore, there is no requirement to install the agent in a perimeter network, also known as a DMZ.
    • Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA), and by filtering out brute force password attacks.
  • 15. Pass-Through Identity – Key Benefits
    • Great user experience
      • Users use the same passwords to sign in to both on-premises and cloud-based applications.
      • Users spend less time talking to the IT helpdesk resolving password-related issues.
      • Users can complete self-service password management tasks in the cloud.
    • Easy to deploy & administer
      • No need for complex on-premises deployments or network configuration.
      • Needs just a lightweight agent to be installed on-premises.
      • No management overhead. The agent automatically receives improvements and bug fixes.
    • Secure
      • On-premises passwords are never stored in the cloud in any form.
      • The agent only makes outbound connections from within your network. Therefore, there is no requirement to install the agent in a perimeter network, also known as a DMZ.
      • Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA), and by filtering out brute force password attacks.
    • Highly available
      • Additional agents can be installed on multiple on-premises servers to provide high availability of sign-in requests.
  • 16. Pass-Through Identity – Feature Highlights
    • Supports user sign-in into all web browser-based applications and into Microsoft Office client applications that use modern authentication.
    • Sign-in usernames can be either the on-premises default username (userPrincipalName) or another attribute configured in Azure AD Connect (known as Alternate ID).
    • The feature works seamlessly with conditional access features such as Multi-Factor Authentication (MFA) to help secure your users.
    • Integrated with cloud-based self-service password management, including password writeback to on-premises Active Directory and password protection by banning commonly used passwords.
    • Multi-forest environments are supported if there are forest trusts between your AD forests and if name suffix routing is correctly configured.
    • It is a free feature, and you don't need any paid editions of Azure AD to use it.
    • It can be enabled via Azure AD Connect.
    • It uses a lightweight on-premises agent that listens for and responds to password validation requests.
    • Installing multiple agents provides high availability of sign-in requests.
    • It protects your on-premises accounts against brute force password attacks in the cloud.
  • 17. Pass-through identity authentication (diagram)
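Slides 14 to 16 repeat that pass-through authentication "protects your on-premises accounts against brute force password attacks in the cloud". The added Python model below (written for this page; not Microsoft's implementation and not from the deck) shows the shape of that control: the cloud front end counts failed attempts per account and, once a threshold is reached inside a time window, stops forwarding passwords to the on-premises agent for a hold period, so cloud-facing guessing is answered in the cloud and never reaches the on-premises directory. The threshold, window, hold duration, the sample directory and the account name are constructed assumptions.

```python
# Added example for this page (not from the deck, not Microsoft's code): a
# model of the cloud-side brute-force filtering that slides 14-16 attribute to
# pass-through authentication. Threshold, window, hold duration and the
# sample directory are constructed assumptions.
from collections import deque


class BruteForceFilter:
    """Per-account failure counter sitting in front of the on-premises agent.

    After `threshold` failures within `window` seconds the account is held in
    the cloud for `lockout` seconds; nothing is forwarded on-premises meanwhile.
    """

    def __init__(self, threshold=10, window=60, lockout=60):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> time the hold expires

    def allow(self, username, now):
        """True if an attempt for this account may be forwarded at time `now`."""
        return now >= self._locked_until.get(username, 0)

    def record_failure(self, username, now):
        window_start = now - self.window
        recent = self._failures.setdefault(username, deque())
        recent.append(now)
        while recent and recent[0] <= window_start:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[username] = now + self.lockout
            recent.clear()

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


class PassThroughFrontEnd:
    """Models the cloud receiving a password and deciding whether to hand it
    to the on-premises agent; `on_prem_validate` stands in for that agent."""

    def __init__(self, on_prem_validate, bf_filter):
        self.on_prem_validate = on_prem_validate
        self.filter = bf_filter
        self.forwarded = 0  # how many attempts actually reached on-premises

    def sign_in(self, username, password, now):
        if not self.filter.allow(username, now):
            return "blocked"   # answered in the cloud, never sent on-premises
        self.forwarded += 1
        if self.on_prem_validate(username, password):
            self.filter.record_success(username)
            return "success"
        self.filter.record_failure(username, now)
        return "failure"


# Constructed sample directory standing in for on-premises AD; not a real credential.
CONSTRUCTED_DIRECTORY = {"user1@example.test": "correct horse battery staple"}


def on_prem_validate(username, password):
    """Stand-in for the lightweight agent validating against the local DC."""
    return CONSTRUCTED_DIRECTORY.get(username) == password


def simulate_guessing(attempts, threshold=10):
    """Run `attempts` wrong guesses one second apart against one account.

    Returns (per-attempt outcomes, front end) so the caller can see how many
    guesses reached on-premises and what happens once the hold expires.
    """
    front_end = PassThroughFrontEnd(
        on_prem_validate, BruteForceFilter(threshold=threshold, window=60, lockout=60))
    outcomes = [front_end.sign_in("user1@example.test", f"guess{i}", now=i)
                for i in range(attempts)]
    return outcomes, front_end


if __name__ == "__main__":
    outcomes, fe = simulate_guessing(20)
    print(outcomes)
    print("guesses that reached on-premises:", fe.forwarded)
    print("correct password during hold:",
          fe.sign_in("user1@example.test", "correct horse battery staple", now=50))
    print("correct password after hold:",
          fe.sign_in("user1@example.test", "correct horse battery staple", now=70))
```

Microsoft's real lockout logic is more nuanced than this and the deck does not describe it; the architectural point the model makes is that the decision is taken in the cloud, before the password ever reaches the agent, which is why the slides can claim the on-premises account is protected rather than merely the cloud one.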
  • 18. Federated Identity
    Identity Federation relies on directory synchronization so that Azure AD is populated. When the authentication request is presented to Office 365, the service contacts the on-premises AD FS infrastructure so that AD is responsible for authenticating the request. Identity federation with a federation service such as AD FS or another compliant service provides single sign-on to Azure AD by redirecting users from the cloud service back to their local AD for authentication.
    Advantages of Identity Federation:
    • There’s one identity in the local Active Directory.
    • All identities stay local within the firewall.
    Disadvantages of Identity Federation:
    • Requires a (highly available) federation service to process authentications in the cloud.
  • 19. Federated Identity with Single Sign-On for hybrid on-premises and cloud deployment
    The following diagram shows a scenario of federated identity with a hybrid on-premises and cloud deployment. The on-premises directory in this example is AD FS. The synchronization tool keeps your on-premises and in-the-cloud corporate user identities synchronized.
    • Step 1: you install Azure Active Directory Connect. The synchronization tool helps to keep Azure AD up to date with the latest changes you make in your on-premises directory. For instructions, see “Set up directory synchronization in Office 365”. Specifically, you will need to use a custom install of Azure AD Connect to set up single sign-on.
    • Steps 2 and 3: you create new users in your on-premises Active Directory. The synchronization tool periodically checks your on-premises Active Directory server for any new identities you have created. Then it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, and makes them visible to you through the Office 365 admin center.
    • Steps 4 and 5: as changes are made to the identity in the on-premises Active Directory, those changes are synchronized to Azure AD and made available to you through the Office 365 admin center.
    • Steps 6 and 7: your federated users sign in with your AD FS. AD FS generates a security token and that token is passed to Azure AD. The token is verified and validated, and the users are then authorized for Office 365.
  • 20. Federated Identity (diagram)
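Slides 18 and 19 describe the federation flow: AD FS authenticates the user and issues a security token, and Azure AD verifies and validates that token before authorizing the user for Office 365. The added Python below (written for this page; not from the deck and not AD FS or Azure AD code) models both ends of that exchange and spells out what "verified and validated" has to mean on the relying-party side: the issuer must be one the tenant has established trust with, the signature must verify under that issuer's key, the audience must be this tenant, and the token must be inside its validity window. Assumptions not on the slides: a compact JSON body with an HMAC-SHA256 signature stands in for the SAML token and its XML signature, and the issuer URL, audience string, key and claim values are constructed placeholders.

```python
# Added example for this page (not from the deck; not AD FS or Azure AD code):
# issuing and validating a federation security token. A compact JSON body with
# an HMAC-SHA256 signature stands in for the SAML token and its XML signature
# (assumption); issuer, audience, key and claim values are constructed placeholders.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key, issuer, audience, subject, claims, now, lifetime_seconds=300):
    """Federation service side (the AD FS role): sign a claims set for one audience.

    `now` is passed in explicitly so the validity window is reproducible.
    """
    body = {
        "iss": issuer,                 # who issued the token
        "aud": audience,               # which tenant it is meant for
        "sub": subject,                # the user AD FS authenticated
        "nbf": now,                    # not valid before
        "exp": now + lifetime_seconds, # not valid at or after
        "claims": claims,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(signature)


def validate_token(token, trusted_issuers, expected_audience, now):
    """Relying party side (the Azure AD role). Returns (True, claims) or (False, reason).

    `trusted_issuers` maps issuer -> signing key: this is the federation trust the
    slides tell you to establish between the tenant and the federated domain.
    """
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        signature = b64url_decode(signature_b64)
        body = json.loads(payload)
    except ValueError:                      # covers base64 and JSON errors
        return False, "malformed token"
    if not isinstance(body, dict):
        return False, "malformed token"
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        return False, "issuer not trusted"
    expected_sig = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    if body.get("aud") != expected_audience:
        return False, "audience mismatch"
    if not (body.get("nbf", 0) <= now < body.get("exp", 0)):
        return False, "outside validity window"
    return True, body.get("claims", {})


if __name__ == "__main__":
    # Constructed placeholders, not real endpoints or keys.
    ISSUER = "https://adfs.example.test/adfs/services/trust"
    AUDIENCE = "urn:example:azure-ad-tenant"
    key = b"constructed-adfs-token-signing-key"
    trust = {ISSUER: key}
    token = issue_token(key, ISSUER, AUDIENCE, "user1@example.test",
                        {"upn": "user1@example.test"}, now=1000)
    print(validate_token(token, trust, AUDIENCE, now=1100))   # accepted
    print(validate_token(token, trust, AUDIENCE, now=1400))   # outside validity window
    forged = issue_token(b"some-other-key", ISSUER, AUDIENCE, "user1@example.test", {}, now=1000)
    print(validate_token(forged, trust, AUDIENCE, now=1100))  # bad signature
```

The order of the checks matters: the issuer lookup comes first only because it selects the key, the signature is checked before any other field is believed, and audience and lifetime are checked on the now-authenticated body. A real deployment replaces the shared HMAC key with the federation service's token-signing certificate, which is exactly the material exchanged when the trust is established.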
  • 21. Synchronization, Pass-Through Authentication or Identity Federation will authenticate your organization to the Microsoft Cloud.
  • 22. Thank You. If you have further questions please contact Microsoft immediately.