Module 13

Implementing Windows Azure Active Directory


Module Overview

  • Overview of Windows Azure AD

  • Managing Windows Azure AD Accounts


Lesson 1: Overview of Windows Azure AD

  • Extending AD DS Into the Cloud

  • What Is Windows Azure AD?

  • Windows Azure AD Authentication

  • Multifactor Authentication for Cloud-Based Users

  • Multifactor Authentication for Federated Users

  • What Is Windows Azure AD Access Control?


Extending AD DS Into the Cloud

  • Cloud-based applications need highly available authentication

  • Considerations for hosting AD DS in Windows Azure:

    • Create virtual machines to provide services

    • Requires one domain controller, one federation server, and one federation server proxy

    • Create a VPN for replication

  • Benefits of hosting AD DS data in Windows Azure AD:

    • Simplified management

    • Reduced data in the cloud


What Is Windows Azure AD?

  • Windows Azure AD provides identity as a service

  • You can use Windows Azure AD for:

    • Office 365

    • Windows Intune

    • Your cloud-based applications for internal users

    • Your cloud-based or on-premises applications for external users

    • Cloud-based applications from vendors

  • Windows Azure AD is platform independent


Windows Azure AD Authentication

  • SSO:

    • Requires an STS

    • Authentication is performed on-premises

    • User name and password match on-premises identity store

  • Cloud-based user:

    • Authentication is performed by Windows Azure AD

    • User name and password may not match on-premises identity store

  • Web identity providers:

    • Authentication is performed by a web-based identity provider

    • User name and password match a web-based identity store


Multifactor Authentication for Cloud-Based Users

  • Multi-factor authentication increases security

  • Cloud-based applications and mobile device credentials are more vulnerable

  • Windows Azure Active Authentication:

    • Multi-factor authentication for cloud-based user accounts

    • Code provided by:

      • Phone call

      • Text message

      • Active Authentication app

    • The Active Authentication app is available for Windows Phone, iOS, and Android


Multifactor Authentication for Federated Users

  • Multi-factor authentication with AD FS provides:

    • Web-based applications and services only

    • Built-in smart card support

    • Access to third-party modules

  • Multi-factor authentication with VPN:

    • Uses multifactor authentication

    • Provides application access only after VPN connectivity

    • Supports all application types


What Is Windows Azure AD Access Control?

  • Access Control:

    • Provides authentication services for applications

    • Simplifies application development

    • Provides a security token to web applications

  • Authentication support:

    • AD FS

    • Microsoft account

    • Google

    • Yahoo!

    • Facebook

    • WS-Trust

    • OpenID

  • Cross-platform support for web applications


Lesson 2: Managing Windows Azure AD Accounts

  • Account Management for Small Organizations

  • What Is Directory Sync?

  • How Directory Sync Synchronization Works

  • Considerations for Password Sync

  • Directory Sync Topologies

  • Using Windows PowerShell to Manage Accounts

  • What Is Windows Azure AD Graph?


Account Management for Small Organizations

  • Manual creation of cloud-based users in a web console:

    • Is simple but not scalable

    • May be possible in a web-based console provided by an application

  • The user name and password might not match an on-premises user account


What Is Directory Sync?

  • Directory Sync synchronizes user accounts from on-premises AD DS to Windows Azure AD

  • Cloud-based users with Password Sync eliminate password confusion for users

  • Federated users:

    • Use an STS to perform authentication

    • Eliminate password confusion for users


How Directory Sync Synchronization Works

  • Initial synchronization:

    • Creates a new account if none exists

    • Sets a source anchor attribute

    • Performs a fuzzy match by using primary SMTP attribute

  • With synchronization control:

    • Synchronized attributes cannot be controlled

    • Scope can be modified

    • Synchronization occurs every three hours

    • Default accounts and system objects are not synchronized

    • Synchronization can be disabled

  • Recovering a deleted user in AD DS also recovers the user in Windows Azure AD


Considerations for Password Sync

  • Password Sync prevents user confusion due to different passwords

  • Password Sync scope is:

    • Performed for all cloud-based users

    • Not performed for federated users

  • In the Password Sync process:

    • Password hashes are synchronized

    • Passwords synchronize from AD DS to Windows Azure AD

    • Password Sync agent runs every two minutes

  • For password policies, consider that:

    • AD DS password policies are applied to synchronized passwords

    • Password change is prompted only for on-premises AD DS


Directory Sync Topologies

  • With one AD DS forest and multiple tenants:

    • Each identity is limited to one tenant

    • Each tenant is associated with a UPN

    • Multiple instances of Directory Sync are required

    • Directory Sync scope must be modified

  • FIM-specific topologies:

    • Multiple AD DS forests to a single tenant

    • Non-AD DS directory

  • Microsoft Exchange Server account and resource forests:

    • Can use Directory Sync in a resource forest

    • Can use AD FS in an account forest if required


Using Windows PowerShell to Manage Accounts

  • Windows Azure AD Module for Windows PowerShell:

    • Manages Windows Azure AD features

    • Creates and manages objects

  • Requirements for installation:

    • Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012

    • Microsoft .NET Framework 3.5.1

    • Microsoft Online Service Sign-in Assistant

  • Example code for connectivity:

    • $mycredential = Get-Credential

    • Connect-MsolService -Credential $mycredential
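The following script is an added example, not part of the course deck: it extends the connectivity snippet above into a small audit that uses the same Windows Azure AD Module for Windows PowerShell (MSOnline) to report the tenant's Directory Sync and Password Sync state and to tell cloud-based users apart from synchronized ones, flagging cloud-based accounts that have no multi-factor authentication. It assumes the MSOnline module is installed and that the credential supplied has directory read rights; the PasswordSynchronizationEnabled and LastPasswordSyncTime company properties are assumed to be present in your module version.

```powershell
# Added example (not from the course deck). Assumes the MSOnline module is installed
# and that the admin credential can read users and company information.
Import-Module MSOnline

$mycredential = Get-Credential
Connect-MsolService -Credential $mycredential

# Tenant-level view: is Directory Sync / Password Sync on, and when did each last run?
# (The two password properties are assumed to exist in your module version.)
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirectorySyncEnabled = $company.DirectorySynchronizationEnabled
    LastDirSyncTime      = $company.LastDirSyncTime
    PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
    LastPasswordSyncTime = $company.LastPasswordSyncTime
} | Format-List

# Per-user view. A user with an ImmutableId (the source anchor set by Directory Sync)
# was created from on-premises AD DS; a user without one is a cloud-based user that
# exists only in Windows Azure AD. StrongAuthenticationRequirements is non-empty once
# multi-factor authentication has been enabled or enforced for the account.
$report = Get-MsolUser -All | ForEach-Object {
    $synced = -not [string]::IsNullOrEmpty($_.ImmutableId)
    $mfaState = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
        $_.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        Source            = if ($synced) { 'DirectorySync' } else { 'CloudOnly' }
        LastDirSyncTime   = $_.LastDirSyncTime
        MfaState          = $mfaState
        SignInBlocked     = $_.BlockCredential
    }
}

# Cloud-based accounts with no MFA are the ones the earlier slide singles out as more
# exposed; list them so they can be reviewed.
$report |
    Where-Object { $_.Source -eq 'CloudOnly' -and $_.MfaState -eq 'Disabled' } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```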


What Is Windows Azure AD Graph?

  • Windows Azure AD Graph:

    • Provides programmatic access to Windows Azure AD

    • Is a REST API

    • Uses RBAC to control permissions

    • Uses Windows Azure AD for authentication
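As an added example (not from the course deck), the script below calls the Windows Azure AD Graph REST API from Windows PowerShell: it first obtains a token from Windows Azure AD, which is what the last bullet refers to, and then reads the users collection, following the paging link until all users are returned. The tenant name and application ID are placeholders; it assumes an application registration that has been granted permission to read directory data (the RBAC check on the slide), PowerShell 3.0 or later for Invoke-RestMethod, and the api-version=1.6 form of the Graph endpoints with a tenant-relative odata.nextLink.

```powershell
# Added example (not from the course deck). Placeholders: tenant and application ID.
# Assumes the app registration has been granted directory read permission.
$tenant   = 'adatum.onmicrosoft.com'    # placeholder tenant
$clientId = '<application-client-id>'    # placeholder app registration

# Prompt for the secret instead of hard-coding it, then unwrap it for the token call
$secureSecret = Read-Host -Prompt 'Client secret' -AsSecureString
$bstr         = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
$clientSecret = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)

# Step 1: the Graph API relies on Windows Azure AD for authentication, so obtain a
# bearer token for the graph.windows.net resource with the client credentials grant
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        resource      = 'https://graph.windows.net'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Step 2: read the users collection. Results are paged; odata.nextLink is assumed to be
# relative to the tenant root and to already carry its own query string.
$uri   = "https://graph.windows.net/$tenant/users?api-version=1.6"
$users = @()
do {
    $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $users += $page.value
    $next   = $page.'odata.nextLink'
    $uri    = if ($next) { "https://graph.windows.net/$tenant/$next&api-version=1.6" } else { $null }
} while ($uri)

# Only the app's granted permissions decide what comes back; a read-only grant cannot
# change anything even though the same endpoints accept writes.
$users |
    Select-Object userPrincipalName, displayName, accountEnabled |
    Format-Table -AutoSize
```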


Lab: Implementing Windows Azure AD

  • Exercise 1: Implementing Windows Azure AD for Office 365

  • Exercise 2: Implementing Windows Azure AD for a Cloud-Based Application

Estimated Time: 30 minutes


Lab Scenario

A. Datum Corporation is exploring how to integrate its on-premises implementation of AD DS with cloud-based applications. The local implementation of AD DS has a single domain named Adatum.com. All users have a UPN based on this domain name that matches their email address.


Lab Review

  • There are no review questions for this lab.


Module Review and Takeaways

  • Review Questions
