You're reading from Mastering Identity and Access Management with Microsoft Azure - Second Edition

Product type: Book
Published in: Feb 2019
Publisher: Packt
ISBN-13: 9781789132304
Edition: 2nd Edition
Author: Jochen Nickel

Jochen Nickel is a Cloud, Identity and Access Management Solution Architect with a clear focus and in-depth technical knowledge of Identity and Access Management. He is currently working for inovit GmbH in Switzerland leading and executing projects in the field of Identity and Access Management including Data Classification and Information protection. Jochen is focused on Microsoft Technologies, especially in the Enterprise Mobility + Security Suite, Office 365 and Azure. He is an established speaker at many technology conferences like Azure Bootcamps, TrustInTech Meetups or the Experts Live Switzerland and Europe.

Chapter 10. Exploring Azure AD Identity Services

In this chapter, we'll explore the different Azure AD identity services and AD FS as an on-premise identity service. We'll look at the Azure AD B2B and B2C functionality and explain the main concepts behind these technologies. Furthermore, we'll look at and extend the Azure AD Domain Services that we configured in Chapter 1, Building and Managing Azure Active Directory. To get the whole picture, we'll also view the different capabilities of the Active Directory Federation Services, and how they support different authentication scenarios. You will learn how to use the Azure AD B2B and B2C services for your projects, in order to provide suitable access to your applications for customers, partners, and internal employees. In particular, you can use Azure AD B2C as a complete identity platform for the applications you develop.

The chapter will be divided into the following sections:

  • Preparing your lab environment
  • Understanding Azure AD Business to...

Preparing your lab environment


In this chapter, we will need to have an additional Azure AD, configured with Office 365, to test the different features. You already know how to create this configuration from Chapter 1, Building and Managing Azure Active Directory. Build this additional tenant with a minimum set of configurations. Basically, you'll need to have a custom domain verified and registered, and nothing else. Furthermore, you will need to install Visual Studio 2017 Community with the ASP.NET and web development workload on your administrative workstation:

Lab environment overview

To configure the Azure AD Domain Services LDAPS use case, you need to provide a public SSL certificate. You can use the procedure from Chapter 7, Deploying Solutions on Azure AD and AD FS, to generate certificates for your needs with the Let's Encrypt solution. We'll start with the Azure AD B2B functionality.

Understanding Azure AD B2B


Azure AD B2B solves the problem of collaboration between business partners. It allows users to share business applications between partners, without going through inter-company federation relationships and internally-managed partner identities. With Azure AD B2B, you can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. With this process, each company federates once, with Azure AD, and each user is then represented by a single Azure AD account. This option also provides a higher security level, because if a user leaves the partner organization, access is automatically disallowed. Inside Azure AD, the user is handled as a guest, and guests cannot enumerate other users in the directory. The invited user's permissions are granted through the appropriate group memberships.
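The invitation flow described above, as an added example that is not the book's own code: a PowerShell function (AzureAD module, after Connect-AzureAD) that invites a partner user as a guest and grants access only through membership of a group that carries the application assignment, plus a report of all guests and their groups for periodic access review. The partner address 'partner.user@fabrikam.example' and the group name 'App-Finance-Users' are placeholders.

```powershell
# Added example (not from the book): invite a partner user as an Azure AD guest and
# grant application access through group membership, then report on all guests.
# Requires the AzureAD PowerShell module and a prior Connect-AzureAD.
# The e-mail address and group name used below are placeholder assumptions.

function New-PartnerGuestWithGroupAccess {
    param(
        [Parameter(Mandatory)] [string] $GuestEmail,
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        # Where the guest lands after redeeming the invitation
        [string] $RedirectUrl = 'https://myapps.microsoft.com'
    )

    # Resolve the group that carries the application assignment; fail early if absent
    $group = Get-AzureADGroup -Filter "displayName eq '$GroupDisplayName'"
    if (-not $group) { throw "Group '$GroupDisplayName' was not found." }

    # Create the guest object and send the invitation e-mail. The guest keeps
    # authenticating at the partner's identity provider; only a guest object
    # (userType = Guest) is created in our tenant.
    $invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $GuestEmail `
        -InviteRedirectUrl $RedirectUrl -SendInvitationMessage $true
    $guestId = $invitation.InvitedUser.Id

    # Permissions flow from group membership, not from the guest object itself
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $guestId

    [pscustomobject]@{
        GuestEmail  = $GuestEmail
        GuestId     = $guestId
        InviteState = $invitation.Status        # 'PendingAcceptance' until redeemed
        Group       = $group.DisplayName
    }
}

function Get-GuestAccessReport {
    # Lists every guest with its group memberships, for periodic access reviews
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
        $groups = Get-AzureADUserMembership -ObjectId $_.ObjectId |
            Where-Object { $_.ObjectType -eq 'Group' }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Mail              = $_.Mail
            UserState         = $_.UserState   # 'PendingAcceptance' or 'Accepted'
            Groups            = ($groups.DisplayName -join ', ')
        }
    }
}

# Usage (placeholder values):
# New-PartnerGuestWithGroupAccess -GuestEmail 'partner.user@fabrikam.example' -GroupDisplayName 'App-Finance-Users'
# Get-GuestAccessReport | Format-Table -AutoSize
```

Keeping the application assignment on the group rather than on individual guest objects means that revoking a partner's access is a single membership removal, and the guest report gives you the list to review when a partner relationship ends.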

The following figure shows the process of enabling business partners to access your applications:

Azure AD...

Exploring Azure AD B2C


Azure AD B2C builds a complete identity-management framework for developers and supports signing in to your application using social networks, such as Facebook, Google, or LinkedIn, and creating local accounts with usernames and passwords specifically for your company-owned application. Self-service password management and profile management are also provided. Additionally, Azure MFA introduces a higher grade of security to the solution. Essentially, this feature allows small, medium, and large companies to hold their customers in a separate Azure Active Directory, with all the capabilities, and more, in a similar way to the corporate-managed Azure Active Directory. With different verification options, you are also able to provide the identity assurance required for more sensitive transactions. Azure AD B2C takes care of all of the IAM tasks for your own development activities.

Basically, the minimum architecture with the usage of Azure AD B2C looks...

Extending Active Directory solutions with Azure AD Domain Services


Azure AD Domain Services helps you to move your on-premise applications that depend on traditional authentication methods, such as Kerberos and NTLM, to the cloud. This cloud-based service allows you to join your IaaS virtual machines to a managed domain without the need to provide domain controllers on virtual machines. With this solution, you can integrate your applications directly with your Azure Active Directory services and benefit from the rich feature set. With the synchronization of the Azure AD users to Azure AD DS, you can use these identities to provide authentication and authorization. You're also able to connect to the directory service over the Lightweight Directory Access Protocol (LDAP/S).

The following diagram shows the integration scenario, from the perspective of an application installed on an IaaS virtual machine:

Azure AD Domain Services overview

This service provides you with a flat organizational unit structure and...
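The secure LDAP connectivity mentioned above, together with the public certificate requirement from the lab preparation, as an added example that is not the book's own code: two PowerShell functions run from the administrative workstation. The first performs a TLS handshake against the LDAPS endpoint and reports the certificate the managed domain presents (chain validity, name, expiry), which is the check to run after uploading the Let's Encrypt certificate. The second binds over LDAPS with System.DirectoryServices.Protocols and reads a few user objects. The DNS name 'ldaps.contoso.example', the search base and the bind account are placeholders.

```powershell
# Added example (not from the book): check an Azure AD DS secure LDAP endpoint.
# 'ldaps.contoso.example', port 636, the search base and the bind credential are
# placeholder assumptions; replace them with the values you configured.

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        # SslStream validates the chain against the workstation's trusted roots, so a
        # self-signed or wrongly named certificate fails here instead of being accepted
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $cert.Thumbprint
            ChainValid = $true
        }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Name mismatch, expired certificate or untrusted chain ends up here
        [pscustomobject]@{ Server = $Server; ChainValid = $false; Error = $_.Exception.Message }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'DC=contoso,DC=example'
        [int] $Port = 636
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS, never plain 389
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
        $conn.Bind()   # a simple bind is acceptable only because the channel is TLS

        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $SearchBase, '(objectClass=user)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            @('sAMAccountName'))
        $request.SizeLimit = 10
        $response = $conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            $entry.Attributes['sAMAccountName'][0]
        }
    }
    finally { $conn.Dispose() }
}

# Usage (placeholder values):
# Test-LdapsEndpoint -Server 'ldaps.contoso.example'
# Test-LdapsBind -Server 'ldaps.contoso.example' -Credential (Get-Credential) -SearchBase 'DC=contoso,DC=example'
```

A managed domain that exposes port 636 to the internet should additionally restrict inbound access to known source addresses in the network security group of the Azure AD DS subnet; the certificate check above confirms the endpoint is trustworthy, not that it is reachable only by the right clients.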

AD FS as an on-premise identity service for the cloud


Authenticating users in multi-forest environments is just a bit more complex than doing it in a typical single-forest deployment. You should already be aware of the basics of the different authentication protocols and AD FS, thanks to previous chapters. The configuration of the integration with Office 365 is a straightforward process; with the Convert-MsolDomainToFederated command, you can create everything that's needed in your AD FS configuration. With the SupportMultipleDomain switch, you can define whether you're using a multi-forest scenario.
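The conversion just described, as an added example that is not the book's own code: a PowerShell function (MSOnline module) that checks the domain is verified and not yet federated, runs Convert-MsolDomainToFederated with or without the SupportMultipleDomain switch, and then reads back the federation settings Azure AD now trusts. The domain 'contoso.example' and the AD FS server 'adfs01.contoso.example' are placeholders.

```powershell
# Added example (not from the book): convert a verified custom domain to federated
# authentication with AD FS via the MSOnline module, checking state before and after.
# 'contoso.example' and 'adfs01.contoso.example' are placeholder assumptions.

function Convert-DomainToAdfsFederation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $AdfsServer,
        # Set when more than one domain will be federated through this AD FS farm
        [switch] $SupportMultipleDomain
    )
    Connect-MsolService                      # prompts for Global Administrator credentials
    Set-MsolADFSContext -Computer $AdfsServer

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') {
        throw "Domain '$DomainName' is not verified yet; verify it before federating."
    }
    if ($domain.Authentication -eq 'Federated') {
        Write-Warning "Domain '$DomainName' is already federated; nothing to do."
        return $domain
    }

    # Creates the Office 365 relying party trust and claim rules in AD FS and
    # registers the issuer URI, endpoints and token-signing certificate in Azure AD
    Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain:$SupportMultipleDomain

    # Verify the result: authentication type and the settings Azure AD now trusts
    $after    = Get-MsolDomain -DomainName $DomainName
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    [pscustomobject]@{
        Domain             = $after.Name
        Authentication     = $after.Authentication      # expected: 'Federated'
        IssuerUri          = $settings.IssuerUri
        PassiveLogOnUri    = $settings.PassiveLogOnUri
        SigningCertificate = $settings.SigningCertificate
    }
}

# Usage (placeholder values):
# Convert-DomainToAdfsFederation -DomainName 'contoso.example' -AdfsServer 'adfs01.contoso.example' -SupportMultipleDomain
```

Two practical points: the SupportMultipleDomain switch must already be present when the first domain is federated if further domains are to follow, since it changes the issuer claim AD FS emits; and the SigningCertificate returned at the end is the certificate Azure AD will accept tokens from, so after a token-signing certificate rollover in AD FS you need to run Update-MsolFederatedDomain so that Azure AD keeps trusting the new certificate.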

Next, we'll start with the supported and possible scenarios in the case of using multiple forests and Office 365. We'll focus on the AD FS server deployment. Furthermore, you can always attach an AD FS proxy/WAP to these scenarios.

This section will cover the following scenarios:

  • A typical single-forest deployment
  • Two or more Active Directory forests running separate AD FS instances
  • Running one AD...

Summary


In this chapter, you worked through the different Azure AD identity services, such as Azure AD B2B/B2C and the Domain Services. You also explored different options with AD FS as an identity service, in order to get the whole picture of a hybrid identity and the access-management world.

In the next chapter, we'll dive into different application types and deployment methods, including more details about conditional access and other features that we can use.
