2. Today's session
• Scenario-based overview of what Azure AD Premium has to offer
• Technical overview of the presented scenarios
• Demo of each of the scenarios
• Q&A about Azure AD Premium
3. Scenarios
1. Can I have a secure platform for all my SaaS applications?
2. How can I provide SSO for my users?
• For my internal users
• In a BYOD world
• For partners
3. Can I leverage the platform for my current applications?
4. Scenarios (continued)
4. Can I implement additional security on the platform?
5. Can I leverage the platform for my own applications and APIs?
6. How can I monitor, and get audit trails for, all my applications?
6. Demo LAB (architecture diagram; components only)
On premise:
• DC01: domain controller
• MGMT01: Azure AD Connect + pass-through authentication (PTA) + legacy app
• MGMT02: Azure AD Application Proxy connector
• Web server (WordPress)
• CLT01: BYOD client
Azure AD:
• Synced identities (+ password hashes) from the on-premise AD
• Self service (groups + passwords)
• SaaS applications
Azure:
• Azure AD Domain Services (AD services for Azure resources)
• DS-TEST: legacy AD-integrated app, joined to Azure AD Domain Services
7. Can I have a secure platform for all my SaaS applications?
14. SSO for BYOD
• The user gets a Primary Refresh Token (PRT) at Windows sign-in
• It contains user AND device claims
• It can be checked using: dsregcmd.exe /status (run as the signed-in user, not elevated: the PRT is per user)
• Limited browser support (browsers must use the Web Account Manager API)
• Edge
• Internet Explorer (iexplore)
• Chrome only via the Windows 10 Accounts extension
• Works with Windows Hello for Business
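Added example (not code from the deck): a small PowerShell script that runs dsregcmd.exe /status, parses its "Key : Value" lines and reports whether the device is Azure AD joined and whether the current user holds a PRT. When dsregcmd is not present (non-Windows, or an old build) it falls back to a constructed sample in the same layout so the parser can still be exercised; the tenant name and timestamps in that sample are made up for the demo lab.

```powershell
# Added example, not from the original deck. Parses dsregcmd /status output
# and summarises the join state and PRT (SSO) state of the device.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "            AzureAdJoined : YES"; the +----+ and | Section | frame
        # lines have no colon and are skipped. Values may contain ':' (timestamps), so the
        # key is matched non-greedily up to the first ':'.
        if ($line -match '^\s*([A-Za-z0-9_\-\(\)\s]+?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1].Trim()
            if ($key -and -not $result.ContainsKey($key)) { $result[$key] = $Matches[2] }
        }
    }
    return $result
}

function Get-DeviceSsoState {
    param([Parameter(Mandatory)][hashtable]$Status)
    [pscustomobject]@{
        AzureAdJoined   = $Status['AzureAdJoined']   -eq 'YES'
        DomainJoined    = $Status['DomainJoined']    -eq 'YES'
        WorkplaceJoined = $Status['WorkplaceJoined'] -eq 'YES'   # "Azure AD registered" (BYOD)
        HasPrt          = $Status['AzureAdPrt']      -eq 'YES'
        PrtExpiry       = $Status['AzureAdPrtExpiryTime']
        TenantName      = $Status['TenantName']
    }
}

$dsregcmd = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'
if (Test-Path $dsregcmd) {
    $lines = & $dsregcmd /status
} else {
    # Constructed sample (assumption: layout as printed by dsregcmd on Windows 10; values invented)
    $lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : demolab
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-05-10 08:12:43.000 UTC
      AzureAdPrtExpiryTime : 2019-05-24 08:12:43.000 UTC
'@ -split "`r?`n"
}

$state = Get-DeviceSsoState (ConvertFrom-DsregcmdStatus $lines)
$state | Format-List
if (-not $state.HasPrt) {
    Write-Warning 'No PRT for this user: browser SSO to Azure AD will fall back to an interactive sign-in.'
}
```

A device that is Azure AD joined or registered but shows AzureAdPrt : NO is the usual cause of "SSO works on one machine but not another": the user signed in with a local account, or the PRT could not be refreshed (it is issued at Windows sign-in and renewed while the device can reach Azure AD), so the WAM-based browsers have nothing to present.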
15. SSO – Side note
• SSO in AAD still requires the tenant (home realm) to be identified first, so without help the user is prompted for a username before SSO can kick in
FIX: Use domain hints
- OpenID Connect / OAuth2: add &domain_hint=demolab.be to the authorize request
- WS-Fed: add &whr=demolab.be
- SAML: send an SP-initiated AuthnRequest
- ADAL: pass domain_hint as an extra query parameter
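Added example (not code from the deck): a PowerShell helper that appends the right hint parameter (domain_hint for OpenID Connect/OAuth2, whr for WS-Federation) to an existing Azure AD sign-in URL. It rebuilds the query string rather than string-concatenating so that an existing query, an already-present hint and URL encoding are handled correctly. The domain demolab.be comes from the slide; the client_id, redirect_uri and wtrealm values are placeholders I assumed for illustration.

```powershell
# Added example, not from the original deck. Adds a home-realm hint to an Azure AD
# sign-in URL so the user is not asked for a username before SSO can run.
Add-Type -AssemblyName System.Web   # System.Web.HttpUtility (Windows PowerShell 5.1 and pwsh)

function Add-DomainHint {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Domain,
        [ValidateSet('OpenIdConnect', 'WsFed')][string]$Protocol = 'OpenIdConnect'
    )
    # OIDC/OAuth2 use domain_hint; WS-Federation uses whr (home realm)
    $name  = if ($Protocol -eq 'WsFed') { 'whr' } else { 'domain_hint' }

    $uri   = [Uri]$Url
    $query = [System.Web.HttpUtility]::ParseQueryString($uri.Query)  # accepts the leading '?'
    $query[$name] = $Domain                                          # replaces any hint already present
    $base  = $uri.GetLeftPart([UriPartial]::Path)                    # scheme + host + path, no query
    return "$base?$($query.ToString())"                              # ToString() re-encodes every value
}

# Assumed placeholder values (client_id, redirect_uri, wtrealm are not from the deck)
$authorize = 'https://login.microsoftonline.com/common/oauth2/authorize?' +
             'client_id=00000000-0000-0000-0000-000000000000&response_type=code' +
             '&redirect_uri=https%3A%2F%2Fapp.demolab.be%2Fsignin'
Add-DomainHint -Url $authorize -Domain 'demolab.be'

$wsfed = 'https://login.microsoftonline.com/common/wsfed?wa=wsignin1.0&wtrealm=https%3A%2F%2Fapp.demolab.be'
Add-DomainHint -Url $wsfed -Domain 'demolab.be' -Protocol WsFed
```

The hint only skips home-realm discovery; it does not assert who the user is. Azure AD still authenticates the user (via the PRT, Kerberos, or an interactive sign-in), so a wrong or attacker-supplied hint costs you a prompt, not security.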
19. AD Services for Azure resources (Azure AD Domain Services)
• Drawbacks
• Needs password hash sync (PHS): the managed domain gets its NTLM/Kerberos hashes from Azure AD
• Flat structure (no custom OUs)
• Limited GPOs
• No trust between on-prem AD and the cloud AD
• Will give you
• LDAP/AD (domain join, Kerberos, NTLM, group policy) functionality for your (legacy) Azure workloads
20-22. Access on prem applications (one diagram built up over three slides; components only)
• Azure Active Directory: the user signs in here first (SAML pre-authentication, added on slide 22)
• Application Proxy: public endpoint https://whoami.demolab.be in Azure
• Connectors: two connector hosts (DMZ / corporate network) that open outbound connections to the Application Proxy and forward requests to the internal app
• Internal app: http://whoami on the corporate network
• Domain controller on the corporate network (added on slide 22)
23-26. SSO for on prem applications (one diagram built up over four slides; components only)
Same topology as slides 20-22: Azure Active Directory, Application Proxy (https://whoami.demolab.be), connectors in the DMZ / corporate network, the internal app http://whoami and the domain controller.
Flow added step by step:
• The user authenticates to Azure Active Directory (SAML) and is sent to the Application Proxy endpoint
• Get token (KCD): the connector asks the domain controller for a Kerberos ticket for the internal app on the user's behalf, using Kerberos constrained delegation
• Kerberos: the connector presents that ticket to the internal app, which sees a normal Windows-authenticated user
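Added example (not code from the deck): the Active Directory side of the KCD setup shown above, as the PowerShell an admin would run on a box with the RSAT ActiveDirectory module. It registers the app's SPNs, constrains the connector computer account to delegate only to those SPNs, enables protocol transition (the connector never holds the user's own Kerberos ticket, so it needs S4U2Self), and then verifies that the connector is not accidentally trusted for unconstrained delegation. Assumed names: MGMT02 is the connector host (the lab diagram's Azure AD Proxy machine), the app pool runs as DEMOLAB\svc-whoami, and the app answers on HTTP/whoami and HTTP/whoami.demolab.local; none of these accounts or SPNs appear in the deck.

```powershell
# Added example, not from the original deck. Configures Kerberos constrained
# delegation for an Azure AD Application Proxy connector. Requires the RSAT
# ActiveDirectory module and write access to the two accounts below.
Import-Module ActiveDirectory

$connector  = 'MGMT02'        # assumed: connector computer account (demo lab host)
$appAccount = 'svc-whoami'    # assumed: identity running the internal app's app pool
$spns       = @('HTTP/whoami', 'HTTP/whoami.demolab.local')   # assumed SPNs of the internal app

# 1. The app's Kerberos identity must carry the SPN the connector will request a ticket for.
$existing = (Get-ADUser $appAccount -Properties ServicePrincipalNames).ServicePrincipalNames
foreach ($spn in $spns) {
    if ($existing -notcontains $spn) {
        Set-ADUser $appAccount -ServicePrincipalNames @{ Add = $spn }
    }
}

# 2. Constrain the connector host: it may delegate to exactly these SPNs and nothing else.
Set-ADComputer $connector -Add @{ 'msDS-AllowedToDelegateTo' = $spns }

# 3. Protocol transition ("Use any authentication protocol"). The user reached the connector
#    with an Azure AD token, not a Kerberos ticket, so the connector must use S4U2Self to get
#    a ticket on the user's behalf before it can use S4U2Proxy towards the app.
Set-ADComputer $connector -TrustedToAuthForDelegation $true

# 4. Verify. TrustedForDelegation = True would be *unconstrained* delegation, which lets the host
#    impersonate any user that authenticates to it towards any service; we do not want that.
$c = Get-ADComputer $connector -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
[pscustomobject]@{
    Connector                 = $c.Name
    AllowedToDelegateTo       = $c.'msDS-AllowedToDelegateTo' -join ', '
    UnconstrainedDelegation   = $c.TrustedForDelegation        # expected: False
    ProtocolTransitionEnabled = $c.TrustedToAuthForDelegation  # expected: True
}
```

Two things this script cannot do for you: the connector host has to be a member of the same AD domain as the app (or a trusting one) so it can reach the domain controller, and on the Azure AD side the enterprise application's single sign-on mode must be set to Integrated Windows Authentication with the internal application SPN (HTTP/whoami.demolab.local here) and a delegated login identity that maps the Azure AD user to the on-premise account, typically the user principal name.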
AAD gives you secure access to cloud and on-premise applications with:
• A single identity
• Self-service capabilities
• An SSO experience
• In a secure way, according to today's enterprise standards
Speaker notes: how the Kerberos-based SSO to Azure AD works for a domain-joined client
1. The user enters a username in the login box (optionally the domain or user is pre-filled via a hint, see slide 15)
2. Azure AD answers with a 401 challenge
3. The client contacts the domain controller for a Kerberos ticket for the SPN in the challenge
4. The domain controller returns the Kerberos ticket
5. The client sends the Kerberos ticket to the Azure AD STS
6. Azure AD validates the Kerberos ticket and returns a token