
Module 13: Implementing Windows Azure Active Directory


Presentation Transcript


  1. Module 13: Implementing Windows Azure Active Directory

  2. Module Overview
  • Overview of Windows Azure AD
  • Managing Windows Azure AD Accounts

  3. Lesson 1: Overview of Windows Azure AD
  • Extending AD DS Into the Cloud
  • What Is Windows Azure AD?
  • Windows Azure AD Authentication
  • Multifactor Authentication for Cloud-Based Users
  • Multifactor Authentication for Federated Users
  • What Is Windows Azure AD Access Control?

  4. Extending AD DS Into the Cloud
  • Cloud-based applications need highly available authentication
  • Considerations for hosting AD DS in Windows Azure:
    • Create virtual machines to provide services
    • Requires one domain controller, one federation server, and one federation server proxy
    • Create a VPN for replication
  • Benefits of hosting AD DS data in Windows Azure AD:
    • Simplified management
    • Reduced data in the cloud

  5. What Is Windows Azure AD?
  • Windows Azure AD provides identity as a service
  • You can use Windows Azure AD for:
    • Office 365
    • Windows Intune
    • Your cloud-based applications for internal users
    • Your cloud-based or on-premises applications for external users
    • Cloud-based applications from vendors
  • Windows Azure AD is platform independent

  6. Windows Azure AD Authentication
  • SSO:
    • Requires an STS
    • Authentication is performed on-premises
    • User name and password match the on-premises identity store
  • Cloud-based user:
    • Authentication is performed by Windows Azure AD
    • User name and password may not match the on-premises identity store
  • Web identity providers:
    • Authentication is performed by a web-based identity provider
    • User name and password match a web-based identity store

  7. Multifactor Authentication for Cloud-Based Users
  • Multi-factor authentication increases security
  • Cloud-based applications and mobile device credentials are more vulnerable
  • Windows Azure Active Authentication:
    • Multi-factor authentication for cloud-based user accounts
    • Code provided by:
      • Phone call
      • Text message
      • Active Authentication app
  • The Active Authentication app is available for Windows Phone, iOS, and Android

  8. Multifactor Authentication for Federated Users
  • Multi-factor authentication with AD FS provides:
    • Web-based applications and services only
    • Built-in smart card support
    • Access to third-party modules
  • Multi-factor authentication with VPN:
    • Uses multifactor authentication
    • Provides application access only after VPN connectivity
    • Supports all application types

  9. What Is Windows Azure AD Access Control?
  • Access Control:
    • Provides authentication services for applications
    • Simplifies application development
    • Provides a security token to web applications
  • Authentication support:
    • AD FS
    • Microsoft account
    • Google
    • Yahoo!
    • Facebook
    • WS-Trust
    • OpenID
  • Cross-platform support for web applications

  10. Lesson 2: Managing Windows Azure AD Accounts
  • Account Management for Small Organizations
  • What Is Directory Sync?
  • How Directory Sync Synchronization Works
  • Considerations for Password Sync
  • Directory Sync Topologies
  • Using Windows PowerShell to Manage Accounts
  • What Is Windows Azure AD Graph?

  11. Account Management for Small Organizations
  • Manual creation of cloud-based users in a web console:
    • Is simple but not scalable
    • May be possible in a web-based console provided by an application
    • The user name and password might not match an on-premises user account

  12. What Is Directory Sync?
  • Directory Sync synchronizes user accounts from on-premises AD DS to Windows Azure AD
  • Cloud-based users with Password Sync eliminate password confusion for users
  • Federated users:
    • Use an STS to perform authentication
    • Eliminate password confusion for users

  13. How Directory Sync Synchronization Works
  • Initial synchronization:
    • Creates a new account if none exists
    • Sets a source anchor attribute
    • Performs a fuzzy match by using the primary SMTP attribute
  • With synchronization control:
    • Synchronized attributes cannot be controlled
    • Scope can be modified
    • Synchronization occurs every three hours
    • Default accounts and system objects are not synchronized
    • Synchronization can be disabled
  • Recovering a deleted user in AD DS also recovers the user in Windows Azure AD

  14. Considerations for Password Sync
  • Password Sync prevents user confusion due to different passwords
  • Password Sync scope is:
    • Performed for all cloud-based users
    • Not performed for federated users
  • In the Password Sync process:
    • Password hashes are synchronized
    • Passwords synchronize from AD DS to Windows Azure AD
    • Password Sync agent runs every two minutes
  • For password policies, consider that:
    • AD DS password policies are applied to synchronized passwords
    • Password change is prompted only for on-premises AD DS
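Slides 13 and 14 describe the two synchronization cycles (Directory Sync every three hours, the Password Sync agent every two minutes) and the source anchor that marks a synchronized account. The script below is an added example, not part of the course material or any Microsoft sample: it uses the Windows Azure AD Module for Windows PowerShell (the MSOnline cmdlets) to check both cycles from the tenant side and to tell synchronized users apart from cloud-only ones. It assumes the module is installed, that the signed-in account can read the directory, that the property names used are the ones the MSOnline company and user objects expose (DirectorySynchronizationEnabled, LastDirSyncTime, PasswordSynchronizationEnabled, LastPasswordSyncTime, ImmutableId), and that the UPN is a constructed sample value.

```powershell
# Added example, not part of the course slides: verify Directory Sync and Password Sync
# state with the Windows Azure AD Module for Windows PowerShell (MSOnline cmdlets).
# Assumptions: the module is installed, the signed-in account can read the directory,
# sync timestamps are reported in UTC, and the UPN below is a constructed sample value.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Tenant-wide view of both synchronization cycles.
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled      = $company.DirectorySynchronizationEnabled
    LastDirSyncTime     = $company.LastDirSyncTime
    PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
    LastPasswordSync    = $company.LastPasswordSyncTime
} | Format-List

# Directory Sync runs every three hours (slide 13). A last run older than that means the
# sync server is stalled, so on-premises changes such as disabled accounts are not reaching
# Windows Azure AD.
$now = [DateTime]::UtcNow
if ($company.DirectorySynchronizationEnabled -and $company.LastDirSyncTime -lt $now.AddHours(-3)) {
    Write-Warning "Directory Sync last ran at $($company.LastDirSyncTime) UTC; check the Directory Sync server."
}

# The Password Sync agent runs every two minutes (slide 14); allow some slack before alerting.
if ($company.PasswordSynchronizationEnabled -and $company.LastPasswordSyncTime -lt $now.AddMinutes(-30)) {
    Write-Warning "Password Sync last ran at $($company.LastPasswordSyncTime) UTC; password changes are not flowing."
}

# Per-user view: a synchronized user carries the source anchor (ImmutableId) and a
# LastDirSyncTime; a cloud-only user has neither, so its password exists only in the cloud.
function Get-SyncOrigin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($user.ImmutableId) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Origin            = "Synchronized from AD DS"
            SourceAnchor      = $user.ImmutableId
            LastDirSyncTime   = $user.LastDirSyncTime
        }
    } else {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Origin            = "Cloud-only"
            SourceAnchor      = $null
            LastDirSyncTime   = $null
        }
    }
}

Get-SyncOrigin -UserPrincipalName "user@adatum.com"   # constructed sample UPN

# Inventory of cloud-only accounts: these are not covered by AD DS password policy or by
# on-premises deprovisioning, so they deserve a separate periodic review.
Get-MsolUser -All | Where-Object { -not $_.ImmutableId } |
    Select-Object UserPrincipalName, DisplayName, IsLicensed, BlockCredential
```

The two warnings are deliberately tied to the cycle lengths the slides give: a stalled Directory Sync is the case where an account disabled on-premises keeps working in the cloud until the next successful run, which is why the check treats staleness as a finding rather than a curiosity.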

  15. Directory Sync Topologies
  • With one AD DS forest and multiple tenants:
    • Each identity is limited to one tenant
    • Each tenant is associated with a UPN
    • Multiple instances of Directory Sync are required
    • Directory Sync scope must be modified
  • FIM-specific topologies:
    • Multiple AD DS forests to a single tenant
    • Non-AD DS directory
  • Microsoft Exchange Server account and resource forests:
    • Can use Directory Sync in a resource forest
    • Can use AD FS in an account forest if required

  16. Using Windows PowerShell to Manage Accounts
  • Windows Azure AD Module for Windows PowerShell:
    • Manages Windows Azure AD features
    • Creates and manages objects
  • Requirements for installation:
    • Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012
    • Microsoft .NET Framework 3.5.1
    • Microsoft Online Services Sign-in Assistant
  • Example code for connectivity:
    $mycredential = Get-Credential
    Connect-MsolService -Credential $mycredential
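The slide stops at connecting. As an added example (not from the course or from Microsoft), the script below continues with the MSOnline cmdlets to create a cloud-based user the way slide 11 describes, but in a repeatable form: a random single-use password that must be changed at first sign-in, the strong-password requirement kept on, and a license taken from a SKU that still has free units. It also shows the offboarding half, blocking sign-in and reclaiming the license instead of deleting the object. The UPN, names and usage location are constructed sample values; the script assumes the module is installed and that System.Web can be loaded for password generation.

```powershell
# Added example, not part of the course slides: create and offboard a cloud-based user
# with the Windows Azure AD Module for Windows PowerShell (MSOnline cmdlets).
# Assumptions: the module is installed; System.Web is loadable; all names below are
# constructed sample values.
Add-Type -AssemblyName System.Web
$cred = Get-Credential
Connect-MsolService -Credential $cred

function New-CloudUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [string]$UsageLocation = "US"
    )
    # Idempotent: never recreate or overwrite an existing account.
    if (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "$UserPrincipalName already exists; not recreating it."
        return
    }
    # Pick a license SKU with free units; AccountSkuId has the form <tenant>:<SKU>.
    $sku = Get-MsolAccountSku | Where-Object { $_.ActiveUnits -gt $_.ConsumedUnits } | Select-Object -First 1
    if (-not $sku) { throw "No license units available in this tenant." }

    # Random temporary password (16 chars, at least 4 non-alphanumeric). ForceChangePassword
    # makes it single-use; StrongPasswordRequired keeps complexity enforced afterwards.
    $tempPassword = [System.Web.Security.Membership]::GeneratePassword(16, 4)
    New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName `
        -FirstName $FirstName -LastName $LastName -UsageLocation $UsageLocation `
        -LicenseAssignment $sku.AccountSkuId `
        -Password $tempPassword -ForceChangePassword $true -StrongPasswordRequired $true | Out-Null
    # Return the password so the caller can hand it over out of band; do not write it to a log.
    [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; TemporaryPassword = $tempPassword }
}

function Disable-CloudUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Offboarding: block sign-in first, then reclaim licenses. Blocking rather than deleting
    # keeps the object available for investigation and keeps the UPN from being reused.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    foreach ($lic in $user.Licenses) {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $lic.AccountSkuId
    }
}

# Usage with constructed values.
$result = New-CloudUser -UserPrincipalName "jsmith@adatum.com" -DisplayName "Jane Smith" `
    -FirstName "Jane" -LastName "Smith"
$result | Select-Object UserPrincipalName   # the temporary password is delivered out of band
# Later, when the person leaves:
# Disable-CloudUser -UserPrincipalName "jsmith@adatum.com"
```

Because a cloud-only account is outside the AD DS password policy that slide 14 describes, the creation path sets the strong-password flag explicitly rather than relying on a default, and the offboarding path exists at all because no on-premises deprovisioning will ever reach such an account.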

  17. What Is Windows Azure AD Graph?
  • Windows Azure AD Graph:
    • Provides programmatic access to Windows Azure AD
    • Is a REST API
    • Uses RBAC to control permissions
    • Uses Windows Azure AD for authentication
```
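To make the four bullets concrete, here is an added example (not from the course or from Microsoft) that calls the Graph REST interface from PowerShell: Windows Azure AD issues the OAuth 2.0 bearer token (client credentials flow), the application's permissions decide what the token may read, and the users collection is paged through odata.nextLink. The slides say nothing about application registration, so the following are assumptions: an application registered in the tenant with the "Read directory data" permission, its client ID and key passed in as parameters, and a placeholder tenant name. Windows Azure AD Graph (graph.windows.net) has since been retired in favour of Microsoft Graph, so treat this as an illustration of the pattern the slide describes.

```powershell
# Added example, not part of the course slides: read users from Windows Azure AD Graph
# over REST. Assumptions: an application registered in the tenant with the
# "Read directory data" permission; its client ID and key are passed as parameters;
# the tenant name is a placeholder.
param(
    [string]$Tenant = "adatum.onmicrosoft.com",          # placeholder tenant name
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$ClientSecret
)

# 1. Authenticate: Windows Azure AD itself issues the bearer token (client credentials
#    flow) for the Graph resource. What the token can read is governed by the
#    permissions granted to the application, not by who runs the script.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = "https://graph.windows.net"
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 2. Query: /users returns one page at a time; odata.nextLink is a tenant-relative path
#    that must be requested with the same api-version (assumed format).
$apiVersion = "api-version=1.6"
$users = @()
$uri = "https://graph.windows.net/$Tenant/users?$apiVersion"
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $users += $page.value
    $next = $page.'odata.nextLink'
    $uri = if ($next) { "https://graph.windows.net/$Tenant/$next&$apiVersion" } else { $null }
}

# 3. Report: dirSyncEnabled separates synchronized users from cloud-only ones;
#    accountEnabled shows whether sign-in is currently allowed.
$users | Select-Object userPrincipalName, displayName, dirSyncEnabled, accountEnabled |
    Sort-Object dirSyncEnabled, userPrincipalName | Format-Table -AutoSize

# Enabled cloud-only accounts: the set no on-premises deprovisioning will ever touch.
$users | Where-Object { -not $_.dirSyncEnabled -and $_.accountEnabled } |
    Select-Object userPrincipalName, displayName
```

The client secret is a credential for the application, so it belongs in a secret store and is passed in here only to keep the example self-contained; the token it yields is short-lived, which is why the script requests a fresh one on every run rather than caching it.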

  18. Lab: Implementing Windows Azure AD
  • Exercise 1: Implementing Windows Azure AD for Office 365
  • Exercise 2: Implementing Windows Azure AD for a Cloud-Based Application
  Estimated Time: 30 minutes

  19. Lab Scenario
  A. Datum Corporation is exploring how to integrate its on-premises implementation of AD DS with cloud-based applications. The local implementation of AD DS has a single domain named Adatum.com. All users have a UPN based on this domain name that matches their email address.

  20. Lab Review • There are no review questions for this lab.

  21. Module Review and Takeaways • Review Questions
