
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019


Strengthening authentication in its various forms with Azure Active Directory (AAD), such as MFA (Multi Factor Authentication), Conditional Access and Windows Hello for Business.
By Thanyapon Sananakin (ธัญพล ษณะนาคินทร์)
Microsoft MVP (Azure)

Published in: Technology

  1. Extending and Securing Enterprise Applications in Microsoft Azure. Thanyapon Sananakin, MCT, MVP (Microsoft Azure)
  2. Agenda: Azure Active Directory; Azure AD Domain Service; Windows Hello for Business; Identity in Enterprise Security
  3. Identity in Enterprise Security: Identity. A set of data that uniquely describes a person or an object; saved in an identity store known as a directory database; used mainly to access resources.
  4. Identity in Enterprise Security: Authentication. The process that verifies a user's identity through credentials; at least two components are required. Multi-factor authentication increases security.
  5. Identity in Enterprise Security: Authorization. The process that determines whether to grant or deny a user a requested level of access to a resource. Components required for authorization: resource, access request, security token.
  6. Identity in Enterprise Security: Current reality. Windows Server Active Directory, extending to the cloud. How do we manage identity on-premises and in the cloud?
  7. Identity in Enterprise Security: Design for cloud/hybrid identity.
  8. Azure Active Directory (AAD): What is Azure Active Directory? Microsoft's cloud-based identity and access management service. A multi-tenant service that provides enterprise-level identity and access management for the cloud. Built to support global scale, reliability and availability. Backed by a 99.99% SLA for Azure AD Premium or Basic. Pricing and features: directory/
  9. Azure Active Directory (AAD): Benefits of AAD. Self-service; single sign-on; simple connection (username and password sign-in to Microsoft Azure Active Directory).
  10. Azure Active Directory (AAD): Seamless user authentication experience (diagram). Windows Server Active Directory is synchronised to Azure Active Directory, including a password hash; or authentication is passed back to Windows Server Active Directory through federation.
  11. Azure Active Directory (AAD): Active Directory Federation Service (AD FS). Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location. Organizations can federate with partners and other organizations for seamless access to shared resources. Organizations can connect to SaaS applications running in Azure, Office 365 and third-party providers. Enhancements to AD FS include simplified deployment and management; published applications.
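The per-application decision logic that the conditional access bullet above describes, as an added Go example that is not part of this deck and not Azure AD's own policy engine or schema: the `SignIn` and `Policy` types, the sample policies and the user names are constructed for illustration. It combines the three signals the slide names (user identity via group membership, device registration, network location) into an allow / require-MFA / block outcome, with the strictest matching policy winning.

```go
package main

import "fmt"

// Signals visible to the evaluator for one sign-in.
// Constructed model for illustration, not Azure AD's real schema or API.
type SignIn struct {
	User          string
	Groups        []string
	App           string
	DeviceManaged bool // device is registered/managed
	TrustedIP     bool // request came from a trusted network location
	MFACompleted  bool // user already satisfied a multi-factor prompt
}

// Decision is the outcome for one sign-in.
type Decision int

const (
	Allow Decision = iota
	RequireMFA
	Block
)

func (d Decision) String() string {
	switch d {
	case Allow:
		return "allow"
	case RequireMFA:
		return "require MFA"
	default:
		return "block"
	}
}

// Policy is scoped to one application ("*" matches all) and optionally to
// a set of groups, mirroring the "per-application basis" on the slide.
type Policy struct {
	Name                 string
	App                  string
	Groups               []string // empty means every user
	RequireManagedDevice bool
	MFAOffTrustedNetwork bool
}

func inAnyGroup(userGroups, policyGroups []string) bool {
	for _, ug := range userGroups {
		for _, pg := range policyGroups {
			if ug == pg {
				return true
			}
		}
	}
	return false
}

// Evaluate applies every matching policy. Block beats RequireMFA, which
// beats Allow, so the strictest control across policies applies.
func Evaluate(policies []Policy, s SignIn) Decision {
	result := Allow
	for _, p := range policies {
		if p.App != "*" && p.App != s.App {
			continue
		}
		if len(p.Groups) > 0 && !inAnyGroup(s.Groups, p.Groups) {
			continue
		}
		if p.RequireManagedDevice && !s.DeviceManaged {
			return Block
		}
		if p.MFAOffTrustedNetwork && !s.TrustedIP && !s.MFACompleted {
			result = RequireMFA
		}
	}
	return result
}

// SamplePolicies are constructed: MFA for everyone on any app when off the
// trusted network, and a managed-device requirement on "payroll" for Finance.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "mfa-off-network", App: "*", MFAOffTrustedNetwork: true},
		{Name: "payroll-managed-device", App: "payroll", Groups: []string{"Finance"}, RequireManagedDevice: true},
	}
}

func main() {
	fin := []string{"Finance"}
	cases := []SignIn{
		{User: "alice", Groups: fin, App: "payroll", DeviceManaged: true, TrustedIP: true},
		{User: "alice", Groups: fin, App: "payroll", DeviceManaged: true, TrustedIP: false},
		{User: "alice", Groups: fin, App: "payroll", DeviceManaged: false, TrustedIP: true},
		{User: "bob", Groups: []string{"Sales"}, App: "payroll", TrustedIP: false, MFACompleted: true},
	}
	for _, c := range cases {
		fmt.Printf("%s -> %s (trusted=%v managed=%v mfa=%v): %s\n",
			c.User, c.App, c.TrustedIP, c.DeviceManaged, c.MFACompleted, Evaluate(SamplePolicies(), c))
	}
}
```

The order of checks matters: a managed-device failure returns Block immediately, while an MFA requirement only raises the result, so a later policy can still escalate to Block but never downgrade to Allow.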
  12. Azure Active Directory (AAD): Federation account benefits. Developer perspective: unified programming model, reduced development effort, AuthN and AuthZ policies decoupled from code, interoperability. Security perspective: stronger authentication methods (MFA), enforced AuthN and AuthZ policies, granular control over resources through Conditional Access, control of assets. IT perspective: fewer accounts to manage, authentication flexibility, authorization control, claims extensibility. User perspective: single sign-on, fewer credentials.
  13. Azure Active Directory (AAD): Identity choice. Which components each identity type requires:
      Identity type        AAD subscription   AAD Connect   AD DS   AD FS   Microsoft Federation Gateway
      Cloud identity       YES                NO            NO      NO      NO
      Synced identity      YES                YES           YES     NO      NO
      Federated identity   YES                YES           YES     YES     YES
  14. Demo 01: Azure Active Directory
  15. Azure AD Domain Service: provides managed domain services such as domain join, group policy, LDAP and Kerberos/NTLM authentication. Fully compatible with Windows Server Active Directory.
  16. Azure AD Domain Service: Usage scenario. Azure AD Domain Services for cloud-only organizations.
  17. Azure AD Domain Service: Usage scenario. Azure AD Domain Services for hybrid organizations.
  18. Azure AD Domain Service: Benefits. Simple: a simple click to deploy. Integrated: with Azure AD, the cloud-based enterprise directory. Compatible: with Windows Server Active Directory, although not all features available in Windows Server AD are currently available in Azure AD Domain Services. Cost-effective: avoids the infrastructure and management burden.
  19. Azure AD Domain Service: Deployment scenarios and use cases. Secure, easy administration of Azure virtual machines.
  20. Azure AD Domain Service: Deployment scenarios and use cases. Lift-and-shift an on-premises application that uses LDAP bind authentication to Azure Infrastructure Services.
  21. Azure AD Domain Service: Deployment scenarios and use cases. Migrate an on-premises service or daemon application to Azure Infrastructure Services.
  22. Demo 02: Azure Active Directory Domain Service
  23. Windows Hello for Business: replaces passwords with strong two-factor authentication on PCs and mobile devices. Consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Lets users authenticate to an Active Directory or Azure Active Directory account.
  24. Windows Hello for Business resolves the following problems: strong passwords can be difficult to remember, and users often reuse passwords on multiple sites; server breaches can expose symmetric network credentials (passwords); passwords are subject to replay attacks; users can inadvertently expose their passwords through phishing attacks.
  25. Windows Hello for Business: Biometric sign-in. Facial recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. False Accept Rate (FAR): <0.001%. False Reject Rate (FRR) without anti-spoofing or liveness detection: <5%. Effective, real-world FRR with anti-spoofing or liveness detection: <10%. Fingerprint recognition uses a capacitive fingerprint sensor to scan your fingerprint.
  26. Windows Hello for Business: Windows Hello vs. Windows Hello for Business. Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up; however, it is not backed by asymmetric (public/private key) or certificate-based authentication. Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
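Why the key-based authentication described in the Windows Hello for Business slides closes the "server breach exposes the credential" and "replay attack" problems listed a few slides earlier: an added Go example that is not from this deck and is not Microsoft's actual Windows Hello for Business protocol. It uses only the standard library (crypto/ecdsa on P-256); the `Server` and `Device` types, the device id `laptop-01` and the message format are constructed for illustration. The server stores only public keys and single-use challenges, so a breached store cannot answer a challenge and a captured response is rejected when presented again.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds only public keys (no reusable secret to steal in a breach)
// and the challenges it has issued but not yet seen answered.
type Server struct {
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]bool
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Challenge issues a fresh 256-bit random nonce for one sign-in attempt.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	s.pending[nonce] = true
	return nonce, nil
}

// Verify accepts a signature over (deviceID, nonce) exactly once: the nonce
// is consumed before the check, so a captured response cannot be replayed.
func (s *Server) Verify(deviceID, nonce string, sig []byte) error {
	if !s.pending[nonce] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, nonce)
	pub, ok := s.pubKeys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	if !ecdsa.VerifyASN1(pub, digest(deviceID, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func digest(deviceID, nonce string) []byte {
	h := sha256.Sum256([]byte(deviceID + "|" + nonce))
	return h[:]
}

// Device keeps the private key; on a real Windows Hello for Business device
// it would be protected by the TPM and unlocked locally by PIN or biometric.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// Respond signs the challenge; the PIN or gesture is never sent anywhere.
func (d *Device) Respond(nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(d.ID, nonce))
}

// Scenario runs enrollment, a normal sign-in, a replay of the captured
// response, and a sign-in by a party that has the server's store (public
// keys only) but not the device's private key.
func Scenario() (loginOK, replayRejected, foreignKeyRejected bool, err error) {
	srv := NewServer()
	dev, err := NewDevice("laptop-01") // constructed device id
	if err != nil {
		return
	}
	srv.pubKeys[dev.ID] = &dev.priv.PublicKey // enrollment: public key only

	nonce, err := srv.Challenge()
	if err != nil {
		return
	}
	sig, err := dev.Respond(nonce)
	if err != nil {
		return
	}
	loginOK = srv.Verify(dev.ID, nonce, sig) == nil
	replayRejected = srv.Verify(dev.ID, nonce, sig) != nil // same response again

	nonce2, err := srv.Challenge()
	if err != nil {
		return
	}
	imposter, err := NewDevice(dev.ID) // own key pair, same device id
	if err != nil {
		return
	}
	sig2, err := imposter.Respond(nonce2)
	if err != nil {
		return
	}
	foreignKeyRejected = srv.Verify(dev.ID, nonce2, sig2) != nil
	return
}

func main() {
	ok, replay, foreign, err := Scenario()
	fmt.Println("login:", ok, "replay rejected:", replay, "foreign key rejected:", foreign, "err:", err)
}
```

Compare this with a password: the server would hold a symmetric secret (or a hash of it) that is exactly what the client sends, so a breach or a captured login yields a reusable credential. Here the server's store contains nothing that can produce a valid signature, and each challenge is valid for one response only.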
  27. Windows Hello for Business: How does it work?
  28. Windows Hello for Business: Features. Conditional access; dynamic lock; PIN reset; dual enrollment; Remote Desktop with biometrics.
  29. Windows Hello for Business: Deployment and trust model. Key-trust model: for enterprises that do not want to issue end-entity certificates to their users and have an adequate number of Windows Server 2016 domain controllers in each site to support authentication. Certificate-trust model: for enterprises that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
  30. Windows Hello for Business: Deployment requirements guidelines, hybrid Azure AD joined, key trust vs. certificate trust. Directories: two directories, on-premises Active Directory and cloud Azure Active Directory, for both; certificate trust additionally needs Azure Active Directory Premium. Domain and forest functional level: Windows Server 2008 R2 for both. Active Directory schema: Windows Server 2016 schema required. Windows Server 2016 domain controllers: sizing needed for an adequate number of DCs. Public key infrastructure: enterprise certificate authority on Windows Server 2012 for key trust; enterprise certificate authority on Windows Server 2012 plus Windows Server 2016 Active Directory Federation Services for certificate trust. Directory sync: required for both. Federation: key trust works both federated and non-federated; certificate trust requires federation.
  31. Windows Hello for Business: Deployment requirements guidelines (continued).
  32. Demo 03: Windows Hello
  33. Resources. Azure Active Directory: directory/fundamentals/active-directory-whatis. Azure Active Directory Domain Service. Tutorial: Authenticate and authorize users end-to-end in Azure App Service: tutorial-auth-aad. Windows Hello for Business: protection/hello-for-business/hello-identity-verification.