20161103 cloud brew - microsoft azure active directory premium
Scenario Based Overview
Azure AD Premium
Today’s session
• Scenario-based overview of what Azure AD Premium has to offer
• Technical overview of the presented scenarios
• Demo of each of the scenarios
• Q&A about Azure AD Premium
Scenarios
1. Can I have a secure platform for all my SaaS applications?
2. How can I provide SSO for my users?
• For my internal users
• In a BYOD world
• For partners
3. Can I leverage the platform for my current applications?
Scenarios (continued)
4. Can I implement additional security on the platform?
5. Can I leverage the platform for my own applications and APIs?
6. How can I have monitoring and audit trails for all my applications?
It’s all about your identity
Demo LAB (diagram)
On premises:
• DC01 (domain controller)
• MGMT01 (Azure AD Connect + PTA + legacy app)
• MGMT02 (Azure AD Application Proxy connector)
• Web server (WordPress)
• CLT01 (BYOD client)
Azure AD:
• SaaS applications
• Sync identities (+ passwords) from on premises
• Self servicing (groups + passwords)
Azure:
• Azure AD Domain Services (AD services for Azure)
• DS-TEST (legacy AD-integrated app)
Can I have a secure platform for all my SaaS applications?
DEMO 1
How can I provide SSO for my users?
Sign-in Options Today (chart, ordered by increasing complexity and value)
• Cloud only accounts
• AAD Connect + cloud accounts
• AAD Connect + PHS (password hash sync)
• AAD Connect + Pass Through Authentication
• AAD Connect + AD FS (SSO + no password in the cloud)
Pass Through Authentication (flow diagram: DC in the Contoso Corpnet, PTA connector, AAD App Proxy service, AAD STS)
1. User enters username and password at the AAD STS
2. Username and password are sent to the AAD App Proxy service
3. Connector (polling the service) is notified of the request
4. Connector validates the credentials against AD (DC)
5. DC returns the result
6. Connector returns the result
7. Result is returned back to the AAD STS
8. Token is returned to the user, or further proofs (MFA) are initiated
SSO (flow diagram: DC in the Contoso Corpnet, AAD STS)
1. User enters their username
2. AAD STS sends a 401 response to get a Kerberos ticket
3. User requests a Kerberos ticket
4. AD returns the Kerberos ticket
5. User sends the ticket to the AAD STS
6. AAD STS returns a token to the user
Sign-in Options (Future) (chart, ordered by increasing complexity and value)
• Cloud only accounts
• AAD Connect + cloud accounts
• AAD Connect + PHS
• AAD Connect + PHS and SSO
• AAD Connect + PTA and SSO
• AAD Connect + AD FS
SSO For BYOD
• User gets a Primary Refresh Token (PRT)
• Contains user AND device claims
• Can be checked using: dsregcmd.exe /status
• Limited browser support (Web Account Manager API)
• Edge
• Internet Explorer
• Works with Windows Hello for Business
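The PRT check mentioned above, as an added example that is not part of the original deck: a small parser for the "key : value" lines that dsregcmd.exe /status prints, plus a verdict on whether the device can do SSO. The sample output below is constructed; the field names used (AzureAdJoined, WorkplaceJoined, TenantName, AzureAdPrt) are the ones the tool reports.

```powershell
# Added example (not from the original deck): does this device hold an Azure AD PRT?
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Only "   Key : Value" lines; section banners (+----+ and | ... |) are skipped
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AzureAdPrt {
    param([Parameter(Mandatory)][hashtable]$State)
    # Joined (corporate) or registered (BYOD, "workplace joined") both qualify for a PRT
    $registered = ($State['AzureAdJoined'] -eq 'YES') -or ($State['WorkplaceJoined'] -eq 'YES')
    $hasPrt     = $State['AzureAdPrt'] -eq 'YES'
    if ($hasPrt)          { $verdict = 'PRT present: WAM/browser SSO to Azure AD possible' }
    elseif ($registered)  { $verdict = 'Registered but no PRT: sign out/in again, check connectivity to Azure AD' }
    else                  { $verdict = 'Device is not registered with Azure AD' }
    [pscustomobject]@{
        DeviceRegistered = $registered
        HasPrt           = $hasPrt
        TenantName       = $State['TenantName']
        Verdict          = $verdict
    }
}

# Live use on the BYOD client (CLT01 in the lab):
#   Test-AzureAdPrt (ConvertFrom-DsregStatus (dsregcmd /status))
# Offline demo with constructed output for a workplace-joined device:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
           WorkplaceJoined : YES
                TenantName : demolab
                AzureAdPrt : YES
'@ -split "`r?`n"

Test-AzureAdPrt (ConvertFrom-DsregStatus $sample)
```

Run it as the signed-in user, not elevated from another account: the PRT is per user, so "User State" reflects whoever launched dsregcmd.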
SSO – Side note
• SSO in AAD always requires identification (home realm discovery) first. FIX: use domain hints
• OpenID: add &domain_hint=demolab.be
• WS-Fed: add &whr=demolab.be
• SAML: use AuthN
• ADAL: pass domain_hint
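Building the hinted sign-in URLs from the side note, as an added example that is not part of the original deck: the OpenID Connect (Azure AD v1 /oauth2/authorize) and WS-Fed (/wsfed) request URLs with domain_hint and whr respectively, so the user lands on the demolab.be realm without the account picker and desktop SSO or PTA can take over. The client id, app ID URI and reply URLs are placeholders (assumptions); state and nonce are generated because a sign-in request without them is open to CSRF and token replay.

```powershell
# Added example (not from the original deck): Azure AD sign-in URLs carrying a domain hint.
function New-AadOidcSignInUrl {
    param(
        [Parameter(Mandatory)][string]$Tenant,        # tenant domain (demolab.be) or tenant GUID
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$RedirectUri,
        [Parameter(Mandatory)][string]$DomainHint,
        [string]$State = [guid]::NewGuid().ToString('N'),   # anti-CSRF; verify on the reply
        [string]$Nonce = [guid]::NewGuid().ToString('N')    # echoed in the id_token; verify on the reply
    )
    $p = [ordered]@{
        client_id     = $ClientId
        response_type = 'id_token'
        redirect_uri  = $RedirectUri
        response_mode = 'form_post'
        scope         = 'openid'
        state         = $State
        nonce         = $Nonce
        domain_hint   = $DomainHint   # the fix from the slide: skip home realm discovery
    }
    $qs = ($p.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value) }) -join '&'
    return "https://login.microsoftonline.com/$Tenant/oauth2/authorize?$qs"
}

function New-AadWsFedSignInUrl {
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$Realm,         # wtrealm = the app ID URI registered in Azure AD
        [Parameter(Mandatory)][string]$ReplyUrl,
        [Parameter(Mandatory)][string]$DomainHint
    )
    $p = [ordered]@{
        wa      = 'wsignin1.0'
        wtrealm = $Realm
        wreply  = $ReplyUrl
        whr     = $DomainHint         # WS-Fed spelling of the same hint
    }
    $qs = ($p.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value) }) -join '&'
    return "https://login.microsoftonline.com/$Tenant/wsfed?$qs"
}

# Placeholder app registration values (assumptions for the lab):
New-AadOidcSignInUrl -Tenant 'demolab.be' -ClientId '00000000-0000-0000-0000-000000000000' `
    -RedirectUri 'https://whoami.demolab.be/signin-oidc' -DomainHint 'demolab.be'
New-AadWsFedSignInUrl -Tenant 'demolab.be' -Realm 'https://whoami.demolab.be/' `
    -ReplyUrl 'https://whoami.demolab.be/' -DomainHint 'demolab.be'
```

For ADAL the same hint travels in the extra query parameters of the token request ("domain_hint=demolab.be"). The hint only steers realm discovery; it is not a security control, so the reply must still be validated (issuer, audience, signature, state, nonce) like any other token.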
DEMO 2
Can leverage the platform for my current applications?
AD Services for Azure resources
• Drawbacks
• Needs PHS
• Flat structure (no OUs)
• Limited GPOs
• No trust between on-prem AD and cloud AD
• Will give you
• LDAP/AD functionality for your (legacy) Azure workloads
Access on prem applications (diagram)
• External URL https://whoami.demolab.be is published through Azure AD Application Proxy
• The user authenticates to Azure Active Directory first (pre-authentication); only then is the request handed to the Application Proxy service
• An Application Proxy connector in the corporate network / DMZ picks up the request and forwards it to the internal URL http://whoami (the connector only makes outbound connections, no inbound ports into the corporate network)
• Response flows back through the connector and the Application Proxy to the user
SSO for on prem applications (diagram)
• User signs in to Azure Active Directory (SAML) and the Application Proxy receives the pre-authenticated user
• Connector gets a Kerberos token for that user from the Domain Controller using Kerberos constrained delegation (KCD)
• Connector presents the Kerberos ticket to the resource, which sees a normal integrated Windows authentication logon
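The KCD step from the diagram, as an added example that is not part of the original deck: the Active Directory configuration that lets the Application Proxy connector request a Kerberos ticket on behalf of the pre-authenticated user, and a check that delegation stayed constrained. The names are assumptions for the lab: connector host MGMT02 and internal app http://whoami with service principal name HTTP/whoami. Requires the RSAT ActiveDirectory module and write rights on the connector's computer object.

```powershell
# Added example (not from the original deck): constrained delegation for the App Proxy connector.
Import-Module ActiveDirectory

# userAccountControl bits (values from the AD schema)
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained; must stay off
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition; required here

function Set-AppProxyKcd {
    param(
        [Parameter(Mandatory)][string]$ConnectorComputer,   # e.g. MGMT02 (assumption)
        [Parameter(Mandatory)][string]$BackendSpn           # e.g. HTTP/whoami (assumption)
    )
    # 1. Delegate to exactly this SPN. Unconstrained delegation would let a compromised
    #    connector impersonate any user to any service in the forest.
    Set-ADComputer -Identity $ConnectorComputer -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
    # 2. "Use any authentication protocol": the user never did Kerberos to the connector
    #    (Azure AD pre-authenticated them), so the connector needs S4U2Self + S4U2Proxy.
    Get-ADComputer -Identity $ConnectorComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true
}

function Test-AppProxyKcd {
    param([Parameter(Mandatory)][string]$ConnectorComputer)
    $c = Get-ADComputer -Identity $ConnectorComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    [pscustomobject]@{
        Connector          = $c.Name
        DelegateTo         = @($c.'msDS-AllowedToDelegateTo')
        ProtocolTransition = [bool]($c.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        Unconstrained      = [bool]($c.userAccountControl -band $TRUSTED_FOR_DELEGATION)   # expect False
    }
}

# Before: the backend SPN must be registered exactly once, on the account the app runs as
# (duplicate SPNs make the KDC refuse the ticket):   setspn -Q HTTP/whoami
Set-AppProxyKcd -ConnectorComputer 'MGMT02' -BackendSpn 'HTTP/whoami'
Test-AppProxyKcd -ConnectorComputer 'MGMT02'
```

The user principal name Azure AD sends must map to an on-prem account for S4U2Self to succeed, which is why the lab syncs identities with Azure AD Connect; a cloud-only user would get a pre-authenticated session but no Kerberos ticket.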
DEMO 3
Can I implement additional security to the platform?
AAD Premium
• MFA
• Identity Protection
• Conditional Access
• Self-service password reset
• Governance tooling
DEMO 4
Can I leverage the platform for my own applications and API’s?
DEMO 5
How can I have monitoring and audit trails for my (cloud) applications?
DEMO 6
Questions