This document discusses Microsoft Azure and identity management solutions from CCS Technology Group. It provides an overview of Azure Active Directory, Azure Multi-Factor Authentication, extending Active Directory to Azure, and deploying Active Directory Federation Services in Azure or on-premises. CCS Technology Group is a Microsoft partner that offers infrastructure deployment, managed services, custom cloud solutions, and custom software development.
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
AzureAAD
2. ABOUT US
CCS Technology is a Microsoft Partner specializing in Infrastructure Deployment, Managed Services, Custom Cloud Solutions and Custom Software Development.
www.CCSTechnologyGroup.com
224.232.5500
Palatine, Illinois
6. Huge infrastructure scale is the enabler
19 Regions ONLINE…huge datacenter capacity around the world…and we’re growing
100+ datacenters
One of the top 3 networks in the world (coverage, speed, connections)
2x AWS and 6x Google in the number of offered regions
G Series – Largest VM available in the market – 32 cores, 448GB Ram, SSD…
Regions, operational and announced (location in parentheses): Central US (Iowa); West US (California); North Europe (Ireland); East US (Virginia); East US 2 (Virginia); US Gov (Virginia); North Central US (Illinois); US Gov (Iowa); South Central US (Texas); Brazil South (Sao Paulo); West Europe (Netherlands); China North* (Beijing); China South* (Shanghai); Japan East (Saitama); Japan West (Osaka); India West (TBD); India East (TBD); East Asia (Hong Kong); SE Asia (Singapore); Australia West (Melbourne); Australia East (Sydney)
* Operated by 21Vianet
10. What is Azure Active Directory?
A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.
It is available in 3 editions: Free, Basic and Premium.
13. Identity as the control point
[Diagram: on-premises Windows Server Active Directory and other directories connect through a simple connection to Microsoft Azure Active Directory, which provides self-service single sign-on to cloud SaaS apps, Azure, Office 365 and other public cloud services.]
16. Azure Active Directory Cloud App Discovery
How many SaaS apps are in use within your organization? 10x as many cloud apps are in use than IT estimates (source: Help Net Security 2014).
Comprehensive reporting: SaaS app category, number of users, utilization volume.
23. Premium + Basic Features (values for Basic / Premium)
Object limit: No Object Limit / No Object Limit
No Limit
Advanced Security Reports: Yes (Advanced)**
Group-based access management/provisioning: Yes / Yes
Self-Service Password Reset for cloud users: Yes / Yes
Company Branding (Logon Pages/Access Panel customization): Yes / Yes
SLA: Yes / Yes
24. Strengthening the authentication with Azure Multi-Factor Authentication
What is multi-factor authentication?
Multi-factor authentication, also commonly referred to as two-factor authentication, is a best practice for securing user access. It works by requiring any two or more of the following authentication factors:
A knowledge factor: something only you know (typically a password or a PIN).
A possession factor: something only you have (a trusted device that is not easily duplicated).
An inherence factor: something only you are (biometrics).
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device.
What is Azure Multi-Factor Authentication?
As already introduced, Azure MFA is, as its name indicates, an Azure service that helps safeguard access to data and applications by strengthening traditional sign-in approaches. In terms of applications, the service supports both cloud applications that use or integrate with Azure AD and on-premises applications using the Multi-Factor Authentication Server. With Azure MFA and the user’s telephone as the trusted device for a second or an additional factor of authentication:
You must have AAD Premium to use MFA
25. Strengthening the authentication with Azure Multi-Factor Authentication
How it Works
Azure MFA offers the additional security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them, and support for multiple methods ensures additional authentication is always available:
Multi-Factor Auth apps are available for Windows Phone, iOS phones and tablets, and Android devices.
Automated phone calls are placed by the Azure MFA online service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign-in through a distinct channel.
Text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign-in screen.
Users always sign in with their existing username and password. After the user’s credentials are verified, Multi-Factor Authentication is initiated using one of the above methods, depending on the user’s enrollment.
Azure Multi-Factor Authentication enables compliance with regulatory requirements for multi-factor authentication such as the following, to name a few:
NIST 800-63 Electronic Authentication Guidelines for Level 3 Assurance,
HIPAA Requirements Relative to Electronic Protected Health Information (EPHI),
Payment Card Industry Data Security Standards (PCI DSS),
Criminal Justice Information System (CJIS) Security Policy,
Authentication in an Internet Banking Environment Guidance (FFIEC).
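Added example, not from the deck: a small Python model of the MFA rules on slides 24 and 25. It shows the factor-category test behind "two or more factors" (password plus PIN is still one category), then the sequence in which the password is verified first and only then a single-use challenge goes out over the enrolled method (call, text or app). User names, passwords, the hash scheme and the delivery hook are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Each sign-in method proves one factor category (mapping constructed for this example)
FACTOR = {
    "password": "knowledge", "pin": "knowledge",
    "app": "possession", "call": "possession", "sms": "possession",
    "biometric": "inherence",
}


def is_multi_factor(methods):
    """'Two or more factors' means two distinct categories: password + PIN is still single-factor."""
    return len({FACTOR[m] for m in methods}) >= 2


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MfaService:
    def __init__(self):
        self.users = {}    # upn -> {"salt", "hash", "method"}; method is "app", "call" or "sms"
        self.pending = {}  # upn -> expected second-factor response, consumed on first use

    def enroll(self, upn, password, method):
        salt = secrets.token_bytes(16)
        self.users[upn] = {"salt": salt, "hash": _derive(password, salt), "method": method}

    def start_sign_in(self, upn, password):
        """The user always signs in with username and password first."""
        u = self.users.get(upn)
        if u is None or not hmac.compare_digest(_derive(password, u["salt"]), u["hash"]):
            return "denied"  # no second-factor challenge is ever sent for a bad password
        # Credentials verified: initiate the challenge over the user's enrolled method
        if u["method"] == "call":
            self.pending[upn] = "#"  # the user answers the call and presses # on the keypad
        elif u["method"] == "sms":
            self.pending[upn] = f"{secrets.randbelow(10 ** 6):06d}"  # one-time passcode in the text
        else:
            self.pending[upn] = secrets.token_hex(8)  # approval nonce only the enrolled app returns
        return f"challenge:{u['method']}"

    def complete_sign_in(self, upn, response):
        """The response arrives over a distinct channel; each challenge can be used exactly once."""
        expected = self.pending.pop(upn, None)
        if expected is not None and hmac.compare_digest(expected, response):
            return "signed in"
        return "denied"

    def delivered_challenge(self, upn):
        """Stand-in for the phone/SMS/app delivery channel so the flow can be exercised offline."""
        return self.pending.get(upn)
```

A correct password on its own only yields a challenge; a replayed passcode or a guess after the challenge was consumed is denied.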
26. Focus on Single Sign On
[Diagram: the same identity architecture as slide 13, with two steps called out: Enable Directory Synchronization (Windows Server Active Directory to Microsoft Azure Active Directory) and Enable AAD SSO (self-service single sign-on to cloud SaaS apps, Azure, Office 365 and other public cloud services).]
29. Single Sign On vs. Same Sign On: What’s the difference?
Depending on your sync method, you will have Single Sign On or Same Sign On.
DirSync will provide you with the same username and password.
DirSync with AD FS will authenticate with your AD for Exact Same Sign On.
30. Do you really need AD FS?
Office 365 doesn’t require every customer to deploy directory synchronization services or Active Directory Federation Services (AD FS). In reality, most organizations require only cloud identities, where users receive cloud credentials for signing in to Office 365 services. The cloud ID password policy is stored in the cloud with the Office 365 service. Cloud credentials are separate from other desktop or corporate credentials.
Using cloud identities, one optional server may be deployed to support directory synchronization from your on-premises Active Directory. In environments with just a few users, directory synchronization isn’t required. Users may be provisioned manually through the Office 365 portal.
Federated identities, on the other hand, enable users to sign in to Office 365 services by using their Active Directory credentials. The corporate Active Directory authenticates the users, and then stores and controls the password policy. Deploying AD FS requires additional expertise, introduces complexity, and has higher operational costs.
31. Office 365 single sign on using AD FS and DirSync
1. The user logs on to a corporate network, and is authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD.
4. Since Azure AD can’t authenticate the user and understands there is a trust with AD FS on-premises, it redirects the user to AD FS.
5. The user sends a Kerberos ticket to the AD FS STS.
6. AD FS transforms the Kerberos ticket to the required token format/claims and redirects the user to Azure AD.
7. The user authenticates to Azure AD (another transformation occurs).
8. Azure AD redirects the user to Office 365.
9. The user is silently signed on to Office 365.
Office 365 same sign on using DirSync + Password Sync
1. The user logs on to a corporate network, and is authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD.
4. Azure AD can’t accept Kerberos tickets directly and no trust relationship exists, so it requests that the user enter credentials.
5. The user enters the same on-premises password, and Azure AD validates it against the user name and password that were synchronized by DirSync.
6. Azure AD redirects the user to Office 365.
7. The user can sign on to Office 365 and OWA using the Azure AD token.
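The two sign-in sequences above, modelled as an added example that is not part of the deck: a constructed Azure AD tenant with one federated domain (contoso.com, trusting an on-premises AD FS STS) and one managed domain (fabrikam.com, checked against a synced password hash). The domain names, credentials, Kerberos realm and hash format are assumptions; the last case in the demo shows the slide 33 caveat, where an AD FS outage takes federated sign-in down while password sync keeps working.

```python
import hashlib
import hmac
from typing import Optional


def synced_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the password hash DirSync copies to Azure AD (constructed, not the real format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AdfsSts:
    """On-premises AD FS security token service: steps 5 and 6 of the federated flow."""

    def __init__(self, domain: str, realm: str, reachable: bool = True):
        self.domain, self.realm, self.reachable = domain, realm, reachable

    def issue_token(self, ticket: Optional[dict]) -> Optional[dict]:
        # Only a ticket from the corporate Kerberos realm is transformed into a claims token
        if not ticket or ticket.get("realm") != self.realm:
            return None
        return {"upn": f"{ticket['principal']}@{self.domain}", "issuer": "adfs"}


class AzureAD:
    def __init__(self):
        self.federated = {}  # domain -> AdfsSts, i.e. a federation trust exists
        self.hashes = {}     # upn -> (salt, synced hash) for managed domains

    def sign_in(self, upn: str, password: Optional[str] = None, ticket: Optional[dict] = None) -> str:
        domain = upn.split("@", 1)[1]
        sts = self.federated.get(domain)
        if sts is not None:
            # Step 4: a trust exists, so Azure AD redirects to AD FS and never handles the password
            if not sts.reachable:
                return "denied: AD FS unreachable"  # the outage caveat from slide 33
            token = sts.issue_token(ticket)
            return "signed in (single sign-on via AD FS)" if token else "denied: AD FS rejected ticket"
        # No trust: Azure AD must collect credentials and check them against the synced hash
        if password is None:
            return "prompt: enter credentials"
        rec = self.hashes.get(upn)
        if rec and hmac.compare_digest(synced_hash(password, rec[0]), rec[1]):
            return "signed in (same sign-on via password sync)"
        return "denied: bad credentials"


def build_tenant(adfs_up: bool = True) -> AzureAD:
    """Constructed tenant: contoso.com is federated, fabrikam.com is managed with password sync."""
    aad = AzureAD()
    aad.federated["contoso.com"] = AdfsSts("contoso.com", "CORP.CONTOSO.LOCAL", reachable=adfs_up)
    salt = b"constructed-salt"
    aad.hashes["bob@fabrikam.com"] = (salt, synced_hash("P@ssw0rd-sample", salt))
    return aad


if __name__ == "__main__":
    alice = {"principal": "alice", "realm": "CORP.CONTOSO.LOCAL"}
    print(build_tenant().sign_in("alice@contoso.com", ticket=alice))
    print(build_tenant().sign_in("bob@fabrikam.com"))
    print(build_tenant().sign_in("bob@fabrikam.com", password="P@ssw0rd-sample"))
    print(build_tenant(adfs_up=False).sign_in("alice@contoso.com", ticket=alice))
```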
32. Extending Active Directory Domain Services to Azure is the first step to support line-of-business applications in Azure IaaS.
Supports cloud-based solutions that require NTLM or Kerberos authentication, or domain-joined virtual machines.
Adds additional integration potential for cloud services and applications and can be added at any time.
This configuration is a hybrid deployment of Active Directory on-premises and in Azure. It requires:
• A virtual network in Azure IaaS.
• A VPN connection or ExpressRoute connection.
• Extending your on-premises IP address range to virtual machines in the virtual network.
• Deploying one or more domain controllers to Azure designated as a global catalog server (reduces egress traffic across the VPN connection).
This identity architecture supports a different set of solutions and applications compared to synchronization with Azure Active Directory.
33. Traditional on-premises AD FS deployment
Authentication is directed to the AD FS via the Web Application Proxy.
All on-premises at your location or your hosted datacenter.
When you lose connectivity or have an outage, your cloud authentication is out too.
35. Azure Active Directory Sync Tool
The Azure AD Sync tool can be hosted in the cloud using Azure IaaS.
• Potentially faster provisioning and lower cost of operations
• Increased availability
The architecture illustrated on the right details how you can configure the Azure AD Sync Tool on IaaS.
This solution works with:
• Office 365 services
• Applications in Azure that are available over the Internet
• Business applications in Azure that are available from on-premises environments through the secure VPN
36. AD FS + AD Sync Tool
If you haven’t already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure make sense for your organization.
• Provides autonomy for authentication to cloud services (no on-premises dependencies).
• Reduces servers and tools hosted on-premises.
• Uses a site-to-site VPN gateway on a two-node failover cluster to connect to Azure (new).
• Use ACLs to ensure that Web Application Proxy servers can only communicate with AD FS, not domain controllers or other servers directly.
This solution works with:
• Applications that require Kerberos
• All of Microsoft’s SaaS services
• Applications in Azure that are Internet-facing
• Applications in Azure IaaS or PaaS that require authentication with your corporate Active Directory Domain Services
38. Build your Applications for AAD
Aim for consistency of the user experience for:
• The authentication process
• Required credentials
Utilizing Windows credentials, whether against Active Directory on-premises or by SAML authentication with Azure Active Directory, ensures that users can quickly authenticate and focus on their tasks.
40. THANK YOU
CCS TECHNOLOGY GROUP, LLC
1540 E. Dundee Road, Suite 104
Palatine, IL 60074
224.232.5500
www.ccstechnologygroup.com
@CCS4IT
Editor’s notes
In the last few years, we have seen an explosive growth in the use of the public cloud. While most of the initial adoption was seen by startups and smaller orgs, most of the new growth will come from larger organizations adopting the public cloud.
Why?
SPEED: Provision Servers and Services IN Minutes. Want to try something? Spin it up, work on it, and if it works, great. If not, turn it off. All done. That alone is driving Innovation. Help your business move forward against the competition. In fact, it is the speed and agility that traditional IT hasn’t been able to provide that is causing droves of business units to use their credit cards to procure computing resources outside of the purview of the IT.
SCALE: Cloud gives you an almost infinite set of computing resources. Your applications will enjoy massive global scale, and can easily scale up or down depending on the demand. That means, you never have to worry about running out of capacity or worry about overprovisioning. You use just enough resources for your needs - nothing more, nothing less.
ECONOMICS: And of course, you’re paying only for what you use in the Cloud. This in itself saves you money for any app that has variable computing needs. For some organizations, there is also an additional benefit of changing CapEX to OpEX, which frees up capital from infrastructure investments so it can be put to other uses.
We have two opposing forces both looking to the cloud for solutions.
Business Innovation vs. IT. Departments want to try things, IT is responsible to guard, protect and support. It’s not a fair fight.
Windows Azure is a true enterprise ready platform that can help both sides. IT can put the controls in place, and Departments can have freedom to try things.
Microsoft has delivered a huge infrastructure around the globe.
Azure is the most complete cloud offering available. You can build IaaS with VMs, virtual networks and storage. PaaS with Web Sites and SQL Databases, SaaS with Office 365 and Dynamics CRM. Azure supports more than Microsoft software and tools.
Let’s focus on what Azure brings to the IT PRO to put you back in the good graces of your Line of Business Managers.
It provides the framework to
Control the Identity (user access control)
Extend your Infrastructure, quickly, low cost, low investment
Empowering the mobile workforce as we break the binds of the Office and the Server Room.
An average user already deals with a bunch of usernames and passwords for his on-premises applications, and [Click] cloud-based applications are piling up at an increasing pace. There are already enterprises that have many cloud-based applications in their environment. (There are more than 20,000 SaaS apps in the market already according to IDC)
Huge amounts of money have been invested in on premises identity and access management solution without actually having the problem of Single Sign On solved. Help centers and IT departments all over the world can confirm that.
If you add personal cloud applications' identities into the mix along with the desire to access applications from different devices, you get many frustrated users who voice their unhappiness and place pressure on IT for simpler solutions.
The challenge for IT in today’s world of many devices, on-premises apps, cloud apps, and hybrid apps is that they are not always aware of all the cloud-based applications their users are accessing. IT has not purchased or deployed these apps and in most cases has no visibility into how they were purchased or whether they are being managed. With the dramatic increase in cloud applications and the ease of sign-up and free trials, management and users are asking IT departments to provide single sign on from everywhere to everything…
A solution to this problem could be a federation with each and every one of those cloud-based applications. But not all of them are using the same protocols or standards when it comes to identity management, which can make federation a very difficult task.
Instead, organizations need a hub that can sync their on-premises Active Directory, seamlessly connect with many cloud applications, integrate with various protocols and scale around the globe to authenticate users everywhere from any device in a way that integrates simply with their existing identities. With more than 95% of Fortune 1000 organizations using Windows Server Active Directory on-premises, they would prefer not to reinvent the wheel or recreate all of their identities. The good news is that they don’t have to.
That’s exactly what Windows Azure Active Directory provides. And it does that in a secure and comprehensive manner.
Multi-factor authentication can provide an additional way to increase access protection even more.
With a central management interface, the IT Pro can grant or revoke access to resources in the office or in the cloud
We are designing a way for IT to easily stay in control of User Access, provide true Single Sign On to both internal and cloud applications, and even extend Self Service features to the Users.
Users want to use their choice of devices and Apps to get at the data they want. IT can be viewed as a roadblock, or an enabler.
LOOK Familiar?!
10 X more than you think!
IT can get back in the game and be the enabler
Azure Active Directory is the central control, extending your local ID to the cloud and providing the control over the explosion of Web Apps.
How Many? As of October 2014, there were 2400+ apps supported
IT Developers can easily build the integration using any number of standard methods
Of course, once you set up VPN connectivity, you’re treating the virtual network in Azure almost as if it were an extension of your on-prem datacenter. You can domain join your VMs with an AD running on-premises or an AD running inside of the virtual network. You can have hybrid multi-tier apps with perhaps the presentation and logic tiers running in Azure, and the database tier running on-premises for compliance reasons.
<From IaaS scenario for AD>
Identity with AD in Virtual Machines
Hybrid apps and hybrid IT: When apps live both in the cloud and on-premises, and need to synch with on-premises directory, simply bring DirSync into Virtual Machines.
Specific AD capabilities in the cloud: When applications in need of on-premises optimized AD capabilities are moving to cloud and Windows Azure Active Directory is not the solution, bring your AD into Virtual Machines. Same AD, same skill sets and same trustworthy capabilities.
Identity synch with Office 365: When you need to synch identity with O365 and want to minimize your on premise identity infrastructure, rely on running AD in Virtual Machines. Even when you have an on-premises identity infrastructure synching with Office 365, simply build your high availability copy in Virtual Machines and keep working when internet connectivity is down.
You must have AAD Premium to use MFA
How do we make the user experience manageable? What if we can eliminate all the username and password clutter?
WE CAN with SSO!
Get an Azure Active Directory, if you are using Office 365 or Azure, you already have one.
Assuming you already have a Windows Server Active Directory, we deploy Synch.
Then Turn on the SSO features in the Azure AAD to manage the cloud apps.
Run the AD Cartoon 0-3:00 for base information
3:05 for AAD information
5:45 to describe how applications work with AAD
9:46 to end for developer