planning cloud & hybrid identity withnote.microsoft.com/rs/578-uyy-044/images/consalta - azure...

PA

GE

2

AZURE SALES STAR PROGRAM WWW.CONSALTA.SICopyright © Consalta Ltd.WWW.CONSALTA.SI

PLANNING CLOUD & HYBRID IDENTITY WITH

MICROSOFT AZURE

AZURE SALES STAR PROGRAM IN CEE

IGOR SHASTITKO

FEB 2017

http://img1.wikia.nocookie.net/__cb20130225111158/elderscrolls/es/images/3/36/Microsoft.svg.png

PA

GE

3

AZURE SALES STAR PROGRAM WWW.CONSALTA.SICopyright © Consalta Ltd.

Every business deserves an opportunity to grow! We support IT companies at growing their business

in the Cloud. We are the Cloud Business Enablers!

About Consalta

1000+ CLIENTS

200+ ONSITE ENGAGEMENTS

180+ WEBINARS

40+ COUNTRIES

4,84 RATING

CONSALTA


http://www.consalta.si/

PA

GE

4


• Senior Infrastructure/

Security Consultant

• Microsoft Partners

• Microsoft Learning

Centers

• Microsoft MCS

• Computer Science

• MCSE/MCT

• Geek

• Family

• Video Blogging

• Gadgets & technologies

ROLE WORK

BACKGROUND PLEASURE

IGOR SHASTITKO


https://sk.linkedin.com/in/iwalker2000

PA

GE

5


Azure Sales Star program – Sessions – 10AM (CET)

FEB 6, 2017

AZURE SECURITY

SCENARIOS -

OVERVIEW OF MAIN

SCENARIOS FOR

SECURITY PROJECTS

FEB 9, 2017

NEW PARTNER

OPPORTUNITIES TO

PLAN CLOUD/HYBRID

IDENTITY PROJECTS

FEB 13, 2017

FINE-TUNE THE

DETAILS OF PLANNING

HYBRID IDENTITY

PROTECTION

FEB 16, 2017

PROVIDE A FULL

MANAGEMENT

EXPERIENCE FOR

HYBRID

INFRASTRUCTURE

FEB 20, 2017

SECURE MOBILE USERS

PLANNING: MOBILE

DEVICE MANAGEMENT

(MDM) SCENARIOS

COMPARISON

FEB 23, 2017

IMPLEMENTING

MICROSOFT INTUNE

TO MDM

FEB 27, 2017

PLANNING DATA

ACCESS &

PROTECTION IN

HYBRID

INFRASTRUCTURE

MAR 2, 2017

PLANNING HYBRID

DATA PROTECTION AT

THE FILE LEVEL

MAR 6, 2017

PLANNING AZURE

INFRASTRUCTURE

SECURITY

MAR 9, 2017

PLANNING AZURE

INFRASTRUCTURE

SECURITY – DATA

PROTECTION IN

AZURE


PA

GE

6


Agenda for the following 45’

Customers Case Study

How to start fast

Identity Solutions’ Stack

Carefully identify needs

What is next

Webinars and resources

Security Discussion

& Identity Threats


PA

GE

7


Security Discussion & Identity Threats

1. THE RESEARCH

2. NEW IDEAS

3. THE GAP

4. THE PLAN

5. THE CHANGE

6. THE

EVALUATION


PA

GE

8


Defense-in-Depth MUST NECESSARILY BE implemented for on-premises infrastructure before any

other projects

STEP 0: before we start Hybrid Identity etc.

• Start any new security

project’s discussion with

Defense-in-Depth

methodology/strategy

• Cloud (and hybrid cloud

especially) solutions are

just reflection of customer

on-premises infra’s security

• Most common attacks to

the cloud start with on-

premises’ breaches


PA

GE

9


The cyber kill chain: It is most about identity

https://www.microsoft.com/security/sir/default.aspx


PA

GE

10


ATTACKS AGAINST CLOUD ADMINISTRATORS & CLOUD IDENTITY

New threats & security trends in “Cloud World”


PA

GE

11


Identity is the one of the key breaches of infra

• Azure IaaS is same to

customers local infra in

terms of vulnerabilities

• And it is not only about

VMs/LOBs protection, it is

also about new INFA

protection against modern

threats

INFRASTRUCTURE

• Get admin access/”gold

admin” is most used

hackers practice against

organisations

• “Cloud globalisation” of

identity systems and

accounts helps to use this

breach more effectively

• Requirements of the business demand more mobility from employees

• All confidential mobile data on user devices is potential threat for loss or disclosure

• BYOD/unmanaged devices is threat for customer infra and identity

IDENTITY MOBILITY

“IAAS” IS NOT MEAN SECURE MOST USED PRACTICE LOST DEVICES, BYOD


PA

GE

12


Identity Solutions’ Stack in Microsoft Azure

1. THE RESEARCH

2. NEW IDEAS

3. THE GAP

4. THE PLAN

5. THE CHANGE

6. THE

EVALUATION


PA

GE

13


Quick overview

Cloud/Hybrid Identity Solutions

• “Pure” Cloud Identity –

Azure Active Directory

• Cloud Identity for Partners

– Azure AD B2B

• Cloud Identity for

Customers – Azure AD B2C

• Hybrid Identity – Cloud

Identity (Azure AD) + on-

premises Active Directory

etc.


PA

GE

14


Type of required Cloud Identity solution should be selected carefully

STEP 1: Determination of Customer needs

• Customers manage their accounts (create, delete, change password, etc.) and they are employees of the Organization (in some form) –skip next steps and go to “Pure” Cloud/Hybrid Identity solutions

• Employees of organizations/individuals who are contractors, partners, users of Customer’s organization –Azure Active Directory B2B

• Users (accounts) of Customer’s public websites for purchases, comments, subscriptions, funs, etc. – Azure Active Directory B2C


PA

GE

15


MICROSOFT AZURE ACTIVE

DIRECTORY B2B

Be wary of promises and Customer’s expectations, it is not “Silver Bullet” for interoperability

STEP 1.1A: Azure AD B2B

• Federated relationships

with other companies, with

its own Azure AD

authentication

• Delegation of authority to

access compliant SaaS

applications in Azure


PA

GE

16


MICROSOFT AZURE ACTIVE

DIRECTORY B2C

Be wary of promises and Customer’s expectations, it is required a lot of changes in code

STEP 1.1B: Azure AD B2C

• Universal system for

authenticating external

users for Customer’s

cloud/web-based solutions

• Used as THE LIBRARY FOR

DEVELOPERS! Can not be

used "as is" for a turnkey

solution!


PA

GE

17


Clear classification of solution (for yourself and Customer) is a very important aspect of the project

STEP 1.2: “Pure” Cloud/Hybrid Identity

• Cloud identities: these are identities that exist solely in the cloud. In the case of Azure AD, they would reside specifically in your Azure AD directory.

• Synchronized: these are identities that exist on-premises and in the cloud. Using Azure AD Connect, these users are either created or joined with existing Azure AD accounts.

• Federated: these identities exist both on-premises and in the cloud. Using Azure AD Connect, these users are either created or joined with existing Azure AD accounts.


PA

GE

18


STEP 2: SELECT RIGHT SCENARIO

Сценарий PROS CONS

Cloud identities • Easier to manage for small

organization.

• Nothing to install on-premises

• No additional hardware needed

• Easily disabled if the user leaves

the company

• Users will need to sign-in when accessing

workloads in the cloud

• Passwords may or may not be the same for

cloud and on-premises identities

Synchronized • On-premises password will

authenticate both on-premises

and cloud directories.

• Easier to manage for small,

medium or large organizations

• Users can have single sign-on

(SSO) for some resources

• Microsoft preferred method for

synchronization

• Easier to manage

• Some customers may be reluctant to

synchronize their directories with the cloud

due specific company’s police

Federated • Users can have single sign-on

(SSO)

• If a user is terminated or leaves,

the account can be immediately

disabled and access revoked

• Supports advanced scenarios that

cannot be accomplished with

synchronized

• More steps to setup and configure

• Higher maintenance

• May require additional hardware for the STS

infrastructure

• May require additional hardware to install

the federation server.

• Additional software is required if AD FS is

used

• Require extensive setup for SSO

• Critical point of failure, if the federation

server is down, users won’t be


PA

GE

19


Most required feature for Hybrid Identity solution, KEY differentiator for Federated Identity

STEP 2: SINGLE SIGN-ON SCENARIES


PA

GE

20


• Azure AD/on-premises Microsoft Active Directory synchronization planning

• A lot of technical parameters to discuss:

– Single forest, single Azure AD tenant

– Multiple forests, single Azure AD tenant:

• separate topologies

• match users

• full mesh

• Account-Resource Forest

– Multiple Azure AD tenants

– Account filtering

– Password Sync/Write-Back, Group/Device Write-Back Requirements

• HA Microsoft Azure AD Connect infra, Staging server

Main topics for project

STEP 3.1A: Hybrid Identity with Synchronized AD


PA

GE

21


Have to be discussed, some scenarios do not work

STEP 3.1B: ADs’ synchronization scenarios


PA

GE

22


• Group based: Filtering based on a single group can only be configured on initial

install using the installation wizard. It is not further covered in this topic.

• Domain-based: This option enables you to select which domains that

synchronize to Azure AD. It also allows you to add and remove domains from the

sync engine configuration if you make changes to your on-premises

infrastructure after you installed Azure AD Connect sync.

• Organizational-Unit–based: This filtering option enables you to select which

OUs synchronize to Azure AD. This option is for all object types in selected OUs.

• Attribute–based: This option allows you to filter objects based on attribute

values on the objects. You can also have different filters for different object

types.

Some Customers really care (F.U.D.) about what will be synchronized with Azure AD

STEP 3.1C: Filtering options


https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom#sync-filtering-based-on-groups

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-configure-filtering#domain-based-filtering

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-configure-filtering#organizational-unitbased-filtering

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-configure-filtering#attribute-based-filtering

PA

GE

23


• An Azure subscription or an Azure trial subscription.

• Add and verify the domain you plan to use in Azure AD.

• An Azure AD tenant allows by default 50k objects. When domain is verified, the limit is increased to 300k objects. For 500k objects license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility Suite is required.

• The AD schema version and forest functional level must be Windows Server 2003 or later.

• Domain Controllers must be on Windows Server 2008 (with latest SP) or later if feature password writeback is planned.

• Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials.

• Azure AD Connect must be installed on Windows Server 2008 or later.

• If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later.

• If Active Directory Federation Services is being deployed, SSL Certificates needed.

Please! Please! Make assessment before set customer expectation

STEP 3.1D: HW/SW requirements


PA

GE

24


• Deployment and security planning AD

FS publications

• Planning the deployment of Microsoft

Web Publishing Service Application

Proxy

https://technet.microsoft.com/en-

us/library/jj205462.aspx

https://docs.microsoft.com/en-

us/azure/active-directory/active-directory-

aadconnect-ports

STEP 3.2А: Federated Identity & Single Sign-On


https://technet.microsoft.com/en-us/library/jj205462.aspx

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-ports

PA

GE

25


Customer Case Studies

1. THE RESEARCH

2. NEW IDEAS

3. THE GAP

4. THE PLAN

5. THE CHANGE

6. THE

EVALUATION


PA

GE

26


• The company has grown rapidly by acquisition and by performing well in key global automotive markets.

• It employs more than 15,000 people at approximately 60 locations worldwide and earned revenues of about €2.68 billion (US$3 billion) in 2013.

• MANN+HUMMEL depends on Microsoft Exchange Server 2010 for email messaging and Microsoft SharePoint Server 2013 for collaboration. But it wanted to augment those core capabilities with Microsoft Lync Server 2013 to take advantage of presence, videoconferencing, instant messaging, and desktop sharing.

• The company decided instead to deploy Microsoft Lync Online, a cloud-based version of Lync Server 2013 that is part of Microsoft Office 365, but it didn’t know how to authenticate employees in a cloud environment.

The MANN+HUMMEL Group is a global leader in the design, manufacture, and distribution of liquid

and air filter systems

Customer Case Study - MANN+HUMMEL Group

Source: Microsoft Customer Stories


PA

GE

27


SOLUTION



• Microsoft invited MANN+HUMMEL to test its beta release of a new synchronization service called Microsoft Azure Active Directory Sync.

• Azure AD Sync makes it possible for organizations to synchronize multiforest Active Directory environments without needing a full-blown identity management product such as Microsoft Forefront Identity Manager 2010 R2.

• Azure AD Sync makes multiforest and non-Active Directory on-boarding to Azure Active Directory and Office 365 much easier and includes precisely the capabilities that MANN+HUMMEL needs, such as attribute filtering.


PA

GE

28


BENEFITS



• After deploying Azure AD Sync, which took just two weeks, MANN+HUMMEL was able to instantly turn on Lync Online for thousands of employees.

• Now MANN+HUMMEL is able to synchronize user identities quickly and simply with the cloud, without violating any internal data protection rules.

• With the company’s previous manual process for synchronizing user identities across applications, there were many opportunities for mistakes. With the process automated by Azure AD Sync, MANN+HUMMEL knows that user information is correct across all applications.

• By using the Azure AD Sync multiforest sync capability, MANN+HUMMEL can more easily integrate acquisitions.


PA

GE

29


What’s NEXT?

1. THE RESEARCH

2. NEW IDEAS

3. THE GAP

4. THE PLAN

5. THE CHANGE

6. THE

EVALUATION


PA

GE

30


Azure Sales Star program – Sessions

FEB 6, 2017

AZURE SECURITY

SCENARIOS -

OVERVIEW OF MAIN

SCENARIOS FOR

SECURITY PROJECTS

FEB 9, 2017

NEW PARTNER

OPPORTUNITIES TO

PLAN CLOUD/HYBRID

IDENTITY PROJECTS

FEB 13, 2017

FINE-TUNE THE

DETAILS OF PLANNING

HYBRID IDENTITY

PROTECTION

FEB 16, 2017

PROVIDE A FULL

MANAGEMENT

EXPERIENCE FOR

HYBRID

INFRASTRUCTURE

FEB 20, 2017

SECURE MOBILE USERS

PLANNING: MOBILE

DEVICE MANAGEMENT

(MDM) SCENARIOS

COMPARISON

FEB 23, 2017

IMPLEMENTING

MICROSOFT INTUNE

TO MDM

FEB 27, 2017

PLANNING DATA

ACCESS &

PROTECTION IN

HYBRID

INFRASTRUCTURE

MAR 2, 2017

PLANNING HYBRID

DATA PROTECTION AT

THE FILE LEVEL

MAR 6, 2017

PLANNING AZURE

INFRASTRUCTURE

SECURITY

MAR 9, 2017

PLANNING AZURE

INFRASTRUCTURE

SECURITY – DATA

PROTECTION IN

AZURE

NEXT


PA

GE

31


Azure Sales Star program - Resources

CHECK ALL THE SESSIONS AND

ANNOUNCEMENTS

https://partner.microsoft.com/pl-

pl/training/AzureSalesStarProgram#kic

k_off-session

…AND REGISTER SOON!

CHECK OUR LATEST THINKING –

AZURE SALES STAR BLOG

https://partner.microsoft.com/pl-

pl/training/azuresalesstarprogram/secu

rity-can-be-the-primary-reason-for-

cloud-adoption

…AND MORE TO COME!


https://partner.microsoft.com/pl-pl/training/AzureSalesStarProgram#kick_off-session

https://partner.microsoft.com/pl-pl/training/azuresalesstarprogram/security-can-be-the-primary-reason-for-cloud-adoption

PA

GE

32


Cloud/Hybrid Identity Resources

• Azure Active Directory Proof

of Concept Playbook -

http://aka.ms/aadpocplaybook

• Microsoft Hybrid Identity

Design Considerations Guide

-

https://docs.microsoft.com/en-

us/azure/active-

directory/active-directory-

hybrid-identity-design-

considerations-overview


http://aka.ms/aadpocplaybook

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-hybrid-identity-design-considerations-overview

PA

GE

33


Brought to you by Consalta

1. THE RESEARCH

2. NEW IDEAS

3. THE GAP

4. THE CHANGE

5. THE PLAN

6. THE

EVALUATION


PA

GE

34


DAVID BALAZICe: [email protected]

m: +386 31 699 622

Skype: davidb-consalta

Thank you for your attention!

SAMO

KANELLOPULOSe: [email protected]

m: +386 41 781 761

Skype: samok-consalta

IGOR SHASTITKOe: [email protected]

m: +421 949 88 78 36

Skype: iwalker2012


https://www.facebook.com/Consalta

https://twitter.com/consaltaonline

http://www.linkedin.com/company/2097206

skype:davidb-consalta?call

https://plus.google.com/u/0/b/106526072772729705193/+ConsaltaSi

http://si.linkedin.com/in/davidbalazic/

http://si.linkedin.com/in/samokanellopulos/

https://sk.linkedin.com/in/iwalker2000

http://www.consalta.si/

planning cloud & hybrid identity withnote.microsoft.com/rs/578-uyy-044/images/consalta - azure...

Documents