azure active directory
Azure Active Directory for software as a service providers
By: Thuru
Date: 14th May 2015
@thurutweets
http://thuruinhttp.wordpress.com
The big NOs of Azure AD
• Azure AD is NOT part of or a child service of Microsoft Azure
• Azure AD is NOT a Domain Controller
You get an Azure AD
When you sign up for any Microsoft cloud service offering – documented as the following services:
• Microsoft Azure
• Office 365
• Microsoft Intune
You need an Azure AD account to access these services.
https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx
Demo
• Azure AD trusts the Microsoft consumer identity system
• Login using an MS account
• Login using an Azure AD account
• Details in PowerShell
• Directory Integration with an on premise AD• Login using Local AD
Single Sign On
Scenario 1 – Local AD is synced with Azure AD with passwords and no federation in Local AD
MassRover
1. The MassRover application is registered as a multi-tenant enabled app in MassRover's Azure AD.
2. Bank ABC has an internal domain controller that is synced with Bank ABC's Azure AD.
3. A user in Bank ABC's Azure AD global admin role signs up for the MassRover application.
4. Now Tom can sign in to MassRover with [email protected] – authentication.
5. Authorization for Tom is handled by the MassRover application.
6. The above scenario is a very common one in most organizations.
Things to note: Tom never becomes a user of MassRover's Azure AD. Tom could be placed in the MassRover application database for authorization.
Bank ABC / Azure / On premise
abc\tom [email protected]
Bank ABC's Azure AD trusts MassRover. This trust could be revoked by Bank ABC admins at any time, and MassRover has no control over this.
Single Sign On
Scenario 2 – Local AD is synced with Azure AD with / without passwords and Local AD has federation
MassRover
1. The MassRover application is registered as a multi-tenant enabled Azure AD app.
2. Bank ABC has an internal domain controller that is synced with Bank ABC's Azure AD, with ADFS enabled.
3. A user with the Azure AD global admin role signs up for the MassRover application. During the process, Bank ABC's Azure AD contacts the synced and federated local AD in order to complete the authentication.
4. After the sync, Tom can log in to the application – each login makes Bank ABC's Azure AD call the local AD to complete the authentication.
Bank ABC
Azure / On premise
abc\tom [email protected]
Bank ABC's Azure AD trusts MassRover. This trust could be revoked by Bank ABC admins at any time, and MassRover has no control over this.
Bank ABC's local AD is synced and federated with Azure AD, and the local AD must be reachable from the Internet in order to handle the authentication requests that Azure AD sends to it.
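In both scenarios the SaaS application only ever sees the token that Bank ABC's Azure AD issues, so the checks it has to run are the same whether or not the local AD is federated. The block below is an added example, not code from these slides or from any MassRover product: it performs the tenant and authorization checks a multi-tenant app should run after its token library has already verified the signature, audience and expiry. The tenant IDs, object IDs and claim values are constructed sample data, and `ISSUER_TEMPLATE`, `SIGNED_UP_TENANTS`, `USER_ROLES` and `authorize` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# Azure AD issues tokens with a per-tenant issuer, so a multi-tenant app cannot pin
# one issuer string; it derives the expected issuer from the token's tid claim.
ISSUER_TEMPLATE = "https://sts.windows.net/{tid}/"

# Constructed sample: tenants whose global admin signed up for the app, keyed by
# tenant ID (an immutable GUID), never by the tenant's display name or domain.
SIGNED_UP_TENANTS = {"11111111-1111-1111-1111-111111111111": "Bank ABC"}

# Constructed sample: authorization lives in the app's own database, keyed by
# (tid, oid) so a user is bound to the tenant whose Azure AD issued the token.
USER_ROLES = {
    ("11111111-1111-1111-1111-111111111111",
     "aaaaaaaa-0000-0000-0000-000000000001"): "admin",
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    role: Optional[str] = None

def authorize(claims: dict) -> Decision:
    """Tenant and role checks on claims from an already signature-verified token."""
    tid, iss, oid = claims.get("tid"), claims.get("iss"), claims.get("oid")
    if not (tid and iss and oid):
        return Decision(False, "missing tid, iss or oid claim")
    # Reject a token whose issuer is not the Azure AD STS of the tenant it names.
    if iss != ISSUER_TEMPLATE.format(tid=tid):
        return Decision(False, "issuer does not match tid")
    # Any Azure AD tenant can obtain a valid token for a multi-tenant app; only
    # tenants that completed sign-up are let in.
    if tid not in SIGNED_UP_TENANTS:
        return Decision(False, "tenant has not signed up")
    role = USER_ROLES.get((tid, oid))
    if role is None:
        return Decision(False, "no role for this user in the app database")
    return Decision(True, "ok", role)

# Constructed sample claims for Tom from Bank ABC (values are not real).
TOM_CLAIMS = {
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "upn": "tom@bankabc.example",
}
```

When Bank ABC's admins revoke the trust, Azure AD simply stops issuing tokens for the app, so the tenant entry in the app database becomes inert without any action on MassRover's side.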