You're reading from Azure Strategy and Implementation Guide, Third Edition

Product type: Book
Published in: Jun 2020
Publisher: Packt
ISBN-13: 9781838986681
Edition: 3rd Edition
Authors (3):

Peter De Tender

Peter De Tender has 20 years of professional expertise in Microsoft Infrastructure consulting and architecting, with a main focus on Microsoft Cloud technologies (Azure, Enterprise Mobility Suite, Office 365...). After working for some of the top Microsoft partners in Belgium, he ran his own successful business for several years, mainly providing Infrastructure and Cloud Architect training and readiness in a passionate and enthusiastic way. Peter coached several Microsoft Partners all over the world in doing more Microsoft business, both from a technical and business angle. Just recently, as of June 2016 to be exact, Peter joined Microsoft Corp as an FTE Azure Architect and Program Manager in the global AzureCAT GSI team, part of Azure engineering, where his role consists of providing Azure-focused readiness training and cloud practice building coaching to the TOP Microsoft Global System Integrators. This role allows Peter to combine his two passions, working on the latest and greatest up-to-date technologies, and cooperating with people from all over the globe. His valued credentials are Microsoft Certified Trainer, Azure Certified Architect, and— before he joined Microsoft—Peter was also recognized as a Microsoft MVP for several years in a row. In his free time, Peter loves speaking at (inter)national conferences and community events, is a technical writer and courseware creator.

Greg Leonardo

Greg Leonardo is currently a cloud architect helping organizations with cloud adoption and innovation. He has worked in the IT industry since his time in the military. He is a veteran, father, architect, teacher, speaker, and early adopter. Currently, he is a Certified Azure Solution Architect Expert, Microsoft Certified Trainer (MCT), and Microsoft Azure MVP, and he has worked in many facets of IT throughout his career. Additionally, he is president of TampaDev, a community meetup that runs #TampaCC, Azure User Group, Azure Medics, and various technology events throughout Tampa. He has also authored Hands-On Cloud Solutions with Azure and the previous two editions of Azure Strategy and Implementation Guide for Microsoft by Packt Publishing.

Jason Milgram

Jason Milgram is a Microsoft MVP since 2010 and the SVP, Azure Leader at OZ Digital, headquartered in Fort Lauderdale, FL. As a public speaker, Jason has given over 100 presentations at conferences and user groups on cloud computing, Microsoft Azure, Enterprise Mobility + Security, and launching a tech start-up. Prior to OZ, Jason was CTO, Financial Services at Hitachi Solutions in Irvine, CA, Chief Architect at i3 in Fairfax, VA, Chief Architect at SAIC in Reston, VA, 1st VP Cloud Solutions Architect at City National Bank of Florida in Miami, and VP Platform Architecture & Engineering at Champion Solutions Group in Boca Raton, FL.

Identity and access control

Up until now, we have focused on the assessment and business justification side of your cloud migration projects, primarily from an application and data solutions perspective, but another important aspect to discuss is how you manage identity and access control in the cloud. This matters for both end users and administrators.

Identity is the core component of all Azure cloud security: whenever an administrator wants to "do" something in the Azure platform, they need to authenticate and be authorized, regardless of whether they use the Azure portal, command-line tools such as Azure PowerShell or the Azure CLI, or the REST APIs directly. End users also benefit greatly from Azure Active Directory: solutions such as self-service password reset, Azure AD domain join for device management, conditional access, user risk evaluation, and many more substantially improve how users log on to cloud applications and how secure that logon is.

Azure Active Directory as a cloud identity solution

From an identity perspective, there is no way around Azure Active Directory. This cloud identity solution comes in different flavors:

  • Azure Active Directory: The core identity component in Azure, offering cloud users, groups, applications, and service principal objects
  • Azure Active Directory Domain Services: An emulated Active Directory service, offering Kerberos and NTLM, similar to your on-premises Active Directory domain controllers
  • Azure Active Directory B2B: Business-to-business concept, whereby organizations can invite users from each other's Azure AD tenant
  • Azure Active Directory B2C: Business-to-consumer concept, whereby organizations allow user authentication from social media identity providers (such as Facebook, Twitter, LinkedIn, and so on)

Besides the different flavors mentioned here, Azure Active Directory itself also comes in different editions:

Azure Active Directory edition: core features and capabilities

FREE EDITION
  • Provides core identity services, storing users, groups, applications, and service principal objects
  • Can synchronize with your on-premises Active Directory using Azure AD Connect
  • Provides basic security reports

BASIC EDITION
  • All features from the Free edition, plus:
  • Company branding
  • Application proxy toward on-premises web applications
  • Self-service password reset
  • Group management

PREMIUM P1 EDITION
  • All features from the Basic edition, plus:
  • Self-service group management
  • On-premises password write-back
  • Two-way device write-back
  • Conditional access for optimized security

PREMIUM P2 EDITION
  • All features from the Premium P1 edition, plus:
  • Identity protection
  • Privileged identity management

Table 1: Azure Active Directory tiers

Based on the rich feature set and advanced security features that come with it, any organization should consider Azure AD Premium P1 for most of its cloud-enabled users, extended with Azure AD Premium P2 for key users such as C-level management, administrators, security officers, and other high-visibility persons within the organization.

Cloud authentication with Azure Active Directory

Most organizations already have an identity solution in place in their on-premises datacenter, often Microsoft Active Directory. In this scenario, the recommended topology is a hybrid identity architecture that starts from your Active Directory source environment. Azure AD Connect synchronizes the user and group objects (all of them, or a selection based on filters you define). As a result, a user account with the User Principal Name (UPN) peter@company.com in the on-premises Active Directory authenticates with the same alias in Azure Active Directory.

However, there are three distinct authentication scenarios:

  • Azure AD Password Hash Sync (PHS)
  • Azure AD Federation, using Active Directory Federation Services (ADFS) or a third-party federation provider
  • Azure AD Pass-through Authentication (PTA)

The easiest (and most recommended) approach is Azure AD PHS. In this scenario, your Active Directory objects are synchronized to Azure AD using AD Connect, including the domain's password hash. This allows users to log on to cloud apps with their Azure AD credentials, which are identical to their on-premises credentials.

Unfortunately, storing passwords (or even the password hash) in the cloud is a no-go for many organizations that want to keep control of credentials on-premises. In this scenario, you need to deploy a federation infrastructure, which can be Active Directory Federation Services (ADFS) or a non-Microsoft alternative (Okta is a popular one). You still synchronize AD objects to Azure AD, but the password is never stored in the cloud directory. Upon user authentication, Azure AD forwards the request to the ADFS infrastructure, which typically runs in the on-premises datacenter. ADFS sends the received credentials to Active Directory for validation, and if they are accepted, the user is authenticated.
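As an added example (not from the book), here is what "synchronizing the password hash" in the PHS scenario actually means, following Microsoft's published description of the scheme: Azure AD Connect never sends the on-premises NT hash itself, but a salted PBKDF2-HMAC-SHA256 derivative of it, so the cloud side can verify a sign-in attempt but cannot recover a usable NT hash from what it stores. The MD4 routine is included because hashlib often lacks it; the lowercase hex encoding of the NT hash and the `phs_verify` record layout are assumptions.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:    # round 1
                t, s = a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2
                t, s = a + g(b, c, d) + x[(i % 4) * 4 + (i - 16) // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]
            else:         # round 3
                t, s = a + h(b, c, d) + x[r3[i - 32]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl(t & mask, s), b, c
        state = [(u + v) & mask for u, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The 16-byte NT hash on-premises AD stores: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))


def phs_derive(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """What Azure AD Connect sends instead of the NT hash (per Microsoft's published description):
    the NT hash hex-encoded as UTF-16LE (64 bytes), then PBKDF2-HMAC-SHA256 with a 10-byte
    per-user salt and 1,000 iterations, giving a 32-byte value. Lowercase hex is an assumption."""
    if len(salt) != 10:
        raise ValueError("Azure AD Connect uses a 10-byte per-user salt")
    expanded = nt_hash(password).hex().encode("utf-16le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def phs_verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    """Cloud-side check at sign-in: re-derive from the attempt and compare in constant time.
    Because PBKDF2 is one-way, the stored value cannot be turned back into a usable NT hash."""
    return hmac.compare_digest(phs_derive(attempt, salt), stored)
```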

While ADFS is the "typical" design to follow when deploying identity in a hybrid cloud model, it also comes with drawbacks. ADFS servers run on-premises, which creates a dependency on internet connectivity and requires a highly available topology to guarantee that users can always log on to cloud apps whenever needed. ADFS is also complex to manage, and the ADFS proxy server in the DMZ is exposed to the public internet all the time.

To combine the strengths and ease of use of password hash sync with the need to keep credential management in the on-premises Active Directory, Microsoft came up with a third scenario, PTA. Again, you start by synchronizing users and groups with AD Connect. Next, instead of deploying a complex ADFS infrastructure, you deploy Pass-through Authentication agents on your on-premises Active Directory domain controllers. These listen on port 443, but only for the public IP addresses of the Azure AD service endpoints; other requests are denied. When a user logs on to Azure AD, the request is passed on to the PTA agent, which forwards the credentials to the on-premises Active Directory, which remains responsible for validating them.

Have a look at the following link for the full Azure identity and access management documentation:

https://azure.microsoft.com/en-us/product-categories/identity/
