You're reading from Active Directory Administration Cookbook - Second Edition

Product type: Book
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Edition: 2nd Edition
Author: Sander Berkouwer

Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure AD, including decommissioning. He has been MCSA, MCSE, and MCITP-certified for ages, an MCT for the past 5 years and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. Sander is also decorated with Veeam Vanguard and VMware vExpert awards for his international cross-platform knowledge, experience and passion. As the CTO at SCCT, Sander leads a team of architects performing many projects, most of them identity-related, throughout Europe.

Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO)

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. Organizations can register for an Azure AD tenant, where they can store and use the information on their identities.

Hybrid identity is Microsoft marketing speak for connecting an on-premises Active Directory environment to Azure AD. When done correctly, a hybrid identity implementation allows end users to authenticate to both on-premises and cloud-based applications, systems, and services:

  • When accessing Windows NT LAN Manager (NTLM)-based, Lightweight Directory Access Protocol (LDAP)-based, and Kerberos-integrated applications, systems, and services, the on-premises Active Directory takes care of authentication and authorization. These protocols were designed for trusted internal networks and have been offering Single Sign-On (SSO) for decades.
  • When accessing cloud-based applications, systems...

Choosing the right authentication method

This recipe shows how to choose the right authentication method between Active Directory and the Azure AD tenant.

Getting ready

To make a choice, you'll need to understand the following characteristics of your organization:

  • Is your organization OK with synchronizing secrets to the (public) cloud for end users?
  • Does your organization already have a federation solution and use claims-based applications inside your organization or cloud-based applications, systems, and/or services?
  • Does your organization rely on on-premises multi-factor authentication solutions?
  • Is your organization's Security Information and Event Management (SIEM) solution cloud-aware?
  • Do people in your organization use Internet Explorer, Edge, or another browser as their default browser?

How to do it...

Use the following flowchart to choose the proper authentication method for your organization:

Figure 14.1...

Signing up for Azure AD

The recipes in this chapter are based on Azure AD. If your organization doesn't have an Azure AD tenant, use this recipe to create one.

Getting ready

You'll need a valid email address and phone number to sign up for Azure AD.

How to do it...

Sign up for Azure AD by following the steps on the Microsoft website:

https://signup.microsoft.com/Signup?OfferId=B07A1127-DE83-4a6d-9F85-2C104BDAE8B4.

Provide a valid email address.

How it works…

The preceding link creates a non-expiring tenant with a 30-day Microsoft Office 365 E3 trial license. You specify an account with the Global administrator role during the process of signing up.

The URL in this recipe leads to a sign-up form that lets you name the Azure AD tenant yourself. This is a plus because many other signup methods derive the tenant's name from the domain name in the email address of the person signing up.

Note that you will not receive unsolicited email messages from...

Verifying your DNS domain name

Any hybrid identity journey starts with verifying your DNS domain name in Azure AD. This recipe explains how to do this.

Getting ready

If the organization uses the Azure AD Privileged Identity Management (PIM) feature, activate the Global administrator role or the Domain Name administrator role in advance.

How to do it...

Perform the following steps in the Azure AD Tenant:

  1. Navigate to https://aad.portal.azure.com in your browser.
  2. Sign in with an account that has the Global administrator role or the Domain Name administrator role assigned to it.
  3. Perform multi-factor authentication when prompted.
  4. In the left-hand navigation pane, click Azure Active Directory.
  5. In the Azure AD pane, click Custom domain names:

Figure 14.2 – Custom domain names in the Azure Active Directory admin center window

  6. In the top-level bar, click + Add custom domain. The Custom domain name blade appears on...
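The same verification can be scripted. The following is an added example, not code from the book, that performs the add, TXT-record, and confirm steps with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed, the signed-in account holds the Global administrator or Domain Name administrator role, lucernpub.com (the book's example domain) is the domain to verify, and 8.8.8.8 is a public resolver reachable from the host; none of those specifics come from the recipe.

```powershell
# Added example (not from the book): verify a custom domain in Azure AD via Microsoft Graph.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed, the account holds
# Global administrator or Domain Name administrator, and 'lucernpub.com' is the domain to verify.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement

$DomainName = 'lucernpub.com'

# Domain.ReadWrite.All is the least-privileged delegated scope for domain management.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# 1. Add the domain; reuse it if it was already added so the script is safe to rerun.
$domain = Get-MgDomain -DomainId $DomainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-MgDomain -BodyParameter @{ id = $DomainName } }

if ($domain.IsVerified) {
    Write-Host "$DomainName is already verified."
    return
}

# 2. Fetch the verification record Azure AD expects. Graph returns a TXT and an MX option;
#    the TXT value sits in AdditionalProperties because the SDK exposes the base record type.
$records  = Get-MgDomainVerificationDnsRecord -DomainId $DomainName
$txt      = $records | Where-Object RecordType -eq 'Txt' | Select-Object -First 1
$expected = $txt.AdditionalProperties['text']
Write-Host 'Create this TXT record at your public DNS provider:'
Write-Host "  Name: $($txt.Label)  Type: TXT  Value: $expected  TTL: $($txt.Ttl)"

# 3. Wait until the record is visible on a public resolver before calling Confirm;
#    confirming before propagation just fails.
$resolver = '8.8.8.8'   # assumption: any public resolver reachable from this host
$deadline = (Get-Date).AddMinutes(30)
do {
    $published = Resolve-DnsName -Name $DomainName -Type TXT -Server $resolver -ErrorAction SilentlyContinue |
                 Where-Object { $_.Strings -contains $expected }
    if (-not $published) { Start-Sleep -Seconds 60 }
} until ($published -or (Get-Date) -gt $deadline)

if (-not $published) { throw "TXT record for $DomainName not visible on $resolver after 30 minutes." }

# 4. Ask Azure AD to verify ownership, then re-read the domain to confirm the state change.
Confirm-MgDomain -DomainId $DomainName
$domain = Get-MgDomain -DomainId $DomainName
if (-not $domain.IsVerified) { throw "Azure AD did not verify $DomainName." }
Write-Host "$DomainName verified. Authentication type: $($domain.AuthenticationType)"
```

Keep the TXT record in place after verification; Azure AD may re-check it, and removing it is a common cause of a domain silently reverting to unverified.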

Implementing PHS with Express Settings

This recipe shows you how to configure PHS as the authentication method toward Azure AD, using Azure AD Connect Express Settings.

This recipe assumes your organization already possesses an Active Directory domain and Azure AD tenant.

Getting ready

Dedicate at least one domain-joined Windows Server system on the internal network as the host for Azure AD Connect for your organization. As this Windows Server will host a SQL Server Express database, do not combine this role with sensitive or already heavily loaded hosts. Treat the server as a Tier 0 asset nonetheless: for PHS, the AD DS connector account holds the Replicating Directory Changes permissions needed to read password hashes, so whoever controls this server can read every password hash in the forest.

Ensure all accounts in the on-premises Active Directory are configured with a publicly routable userPrincipalName suffix, such as lucernpub.com. Ensure the DNS domain name(s) that are part of the userPrincipalName attributes for user accounts are owned by your organization on the internet and configured as verified DNS domain name(s) in your organization's Azure AD tenant.
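The UPN-suffix requirement is the one most often missed, and a non-routable suffix such as .local is silently rewritten to the tenant's onmicrosoft.com name during synchronization. The following added example, not code from the book, audits enabled on-premises users against the tenant's verified domains before Azure AD Connect is installed. It assumes the RSAT ActiveDirectory module and Microsoft.Graph.Identity.DirectoryManagement are installed and that the account can read the directory and holds Domain.Read.All; the user filter is a placeholder for your real synchronization scope.

```powershell
# Added example (not from the book): audit on-premises UPN suffixes against the tenant's
# verified domains before running Azure AD Connect.
# Assumptions: ActiveDirectory and Microsoft.Graph.Identity.DirectoryManagement modules are
# installed; the user filter below stands in for your actual sync scope.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Domain.Read.All'

# Verified, routable domains in the tenant, as a case-insensitive set.
$verified = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-MgDomain -All | Where-Object IsVerified | ForEach-Object { [void]$verified.Add($_.Id) }

# Users that will be synchronized. Adjust -Filter or add -SearchBase to match your sync scope.
$users = Get-ADUser -Filter 'enabled -eq $true' -Properties userPrincipalName

$problems = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        # With no UPN, the default sync rules build one from sAMAccountName and the domain FQDN.
        [pscustomobject]@{ Sam = $u.SamAccountName; Upn = $null; Issue = 'No UPN set; sync will derive sAMAccountName@<domain FQDN>' }
        continue
    }
    $suffix = $upn.Split('@')[-1]
    if (-not $verified.Contains($suffix)) {
        [pscustomobject]@{ Sam = $u.SamAccountName; Upn = $upn; Issue = "Suffix '$suffix' is not a verified domain in the tenant" }
    }
}

$problems | Format-Table -AutoSize
'{0} of {1} enabled users need a UPN change before synchronization.' -f @($problems).Count, $users.Count

# Suffixes present on-premises but absent from the tenant, so you know which alternative
# UPN suffixes to verify in Azure AD or to add to the forest (Set-ADForest -UPNSuffixes @{Add=...}).
$users | ForEach-Object { $_.UserPrincipalName -replace '^.*@' } |
    Where-Object { $_ -and -not $verified.Contains($_) } | Sort-Object -Unique
```

Run this before the first synchronization rather than after: a user whose UPN changes after their cloud object exists gets a new userPrincipalName in Azure AD, and every device and client that cached the old name has to re-authenticate.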

Additionally, ensure that the...

Implementing PTA and Seamless SSO

This recipe shows how to configure Azure AD Connect with PTA and Seamless SSO.

Getting ready

To implement PTA, you'll need to sign in with an account that is a local administrator on the server dedicated to Azure AD Connect. As part of the steps of this recipe, you'll need to enter the credentials for the following accounts:

  • An account in Active Directory that is a member of the Enterprise Admins group
  • An account in Azure AD that has the Global administrator role assigned

Ensure the Windows Server that will run Azure AD Connect meets the following requirements:

  • It can reach the internet without traversing a proxy.
  • It is running Windows Server 2016 or later.
  • It is domain-joined.
  • It has Internet Explorer Enhanced Security Configuration (IE ESC) turned off.

If a proxy cannot be avoided, either add a proxy exception for this server or configure the proxy for Azure AD Connect in its machine.config file.
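These requirements are worth checking mechanically before the wizard fails halfway through. The following added pre-flight script is not from the book; run it elevated on the candidate server. It assumes the three hostnames are a minimal subset for testing direct outbound reachability, not the full Microsoft 365 endpoint list, and that a server that can bypass the system proxy for login.microsoftonline.com meets the "no proxy" requirement.

```powershell
# Added example (not from the book): pre-flight checks for a server that will host
# Azure AD Connect or a PTA agent, covering the requirements listed above.
# Assumptions: run elevated; the endpoint list is a small reachability sample, not the
# complete Microsoft 365 URL and IP range set.

$checks = [ordered]@{}

# Windows Server 2016 is build 14393; ProductType 1 would mean a client OS.
$os = Get-CimInstance Win32_OperatingSystem
$checks['OS is Windows Server 2016 or later'] = ([version]$os.Version).Build -ge 14393 -and $os.ProductType -ne 1

# Domain membership.
$cs = Get-CimInstance Win32_ComputerSystem
$checks['Domain-joined'] = [bool]$cs.PartOfDomain

# IE ESC: IsInstalled = 1 under either GUID means it is still on for that group.
$ieEsc = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'  # Administrators
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'  # Users
)
$checks['IE ESC turned off'] = ($ieEsc | ForEach-Object {
    (Get-ItemProperty -Path $_ -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
}) -notcontains 1

# Azure AD Connect and the PTA agent are .NET applications; TLS 1.2 must be enabled for .NET.
$net = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$checks['.NET strong crypto (TLS 1.2) enabled'] =
    (Get-ItemProperty -Path $net -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto -eq 1

# A configured proxy is not wrong by itself, but then the machine.config change is required.
$proxy = [System.Net.WebRequest]::DefaultWebProxy
$checks['No proxy in the path to login.microsoftonline.com'] =
    $proxy.IsBypassed([uri]'https://login.microsoftonline.com')

# Direct outbound 443 to the sign-in endpoints the agents register against.
foreach ($endpoint in 'login.microsoftonline.com', 'login.windows.net', 'crl3.digicert.com') {
    $r = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    $checks["TCP 443 to $endpoint"] = $r.TcpTestSucceeded
}

$checks.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $status, $_.Key
}
if ($checks.Values -contains $false) {
    Write-Warning 'Fix the FAIL items before installing Azure AD Connect or the PTA agent.'
}
```

The CRL host is included deliberately: agents that can reach the sign-in endpoints but not the certificate revocation endpoints fail with TLS errors that look like authentication problems.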

Ensure that...

Implementing SSO using AD FS

This recipe shows how to configure an AD FS farm, consisting of one AD FS server and one publicly available Web Application Proxy for SSO.

Getting ready

While the recipes in Chapter 13, Managing Federation, showed how to build an AD FS farm, for this recipe, we'll use the built-in capability of Azure AD Connect to configure two Windows Server 2022 installations as an AD FS server and Web Application Proxy, respectively.

You'll need one domain-joined Windows Server installation running Windows Server 2016 or a newer version of Windows Server to install Azure AD Connect. Ensure this Windows Server can reach the internet without traversing a proxy, is domain-joined, and has IE ESC turned off. If a proxy cannot be avoided, either add a proxy exception for this server or configure the proxy for Azure AD Connect in its machine.config file.

For this recipe, you'll need two domain-joined Windows Server installations...

Managing AD FS with Azure AD Connect

This recipe explores how to manage an AD FS farm with Azure AD Connect.

Getting ready

For this recipe, you'll need the following:

  • A properly configured AD FS farm running Windows Server 2012 R2 or a newer version of Windows Server
  • A properly configured Azure AD Connect installation, capable of communicating with the AD FS server(s) and Web Application Proxy server(s) in the AD FS farm using TCP 5985 (WinRM over HTTP)

Sign in to the Windows Server installation with Azure AD Connect with an account that is a member of the local Administrators group.

If the organization uses the Azure AD PIM feature, activate the Global administrator role or the Hybrid Identity administrator role in advance.

How to do it...

First, perform the following steps:

  1. Open Azure AD Connect from the desktop.
  2. In the Welcome to Azure AD Connect screen, click Configure.
  3. In the Additional tasks screen, select the Manage federation ribbon.
  4. ...

Implementing Azure Traffic Manager for AD FS geo-redundancy

This recipe shows how to implement a geo-redundant AD FS deployment consisting of two AD FS servers and two Web Application Proxies, equally distributed over two geographically dispersed data centers.

Getting ready

For this recipe, we'll assume that an Active Directory domain exists with domain controllers in a networking environment consisting of two separate, geographically dispersed data centers. Each data center is defined as an Active Directory site. The traffic required for Active Directory replication is allowed, as is TCP 80 between the AD FS servers.

Perform the steps from the Installing the AD FS server role recipe in Chapter 13, Managing Federation, to install the AD FS server role on two Windows Server installations, each running in a separate, geographically dispersed data center. Perform the steps from the Setting up an AD FS farm with Windows Internal Database recipe in Chapter 13, Managing Federation...
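The Traffic Manager side of the recipe can be built with the Az.TrafficManager module. The following is an added example, not code from the book. It assumes a resource group named rg-identity, a profile named lucernpub-sts, two Web Application Proxies published as wap1.lucernpub.com and wap2.lucernpub.com in the West Europe and North Europe regions, and sts.lucernpub.com as the public federation service name; all of these are placeholders.

```powershell
# Added example (not from the book): create the Azure Traffic Manager profile that fronts
# two Web Application Proxies in two data centres.
# Assumptions (placeholders): resource group 'rg-identity', profile 'lucernpub-sts',
# WAPs wap1/wap2.lucernpub.com in West Europe and North Europe, service name sts.lucernpub.com.
#Requires -Modules Az.Accounts, Az.TrafficManager

$rg     = 'rg-identity'
$tmName = 'lucernpub-sts'
$fsName = 'sts.lucernpub.com'

Connect-AzAccount | Out-Null

# Health is probed over HTTP on /adfs/probe, the endpoint AD FS and WAP expose for load
# balancer health checks. It answers 200 without TLS, so no certificate or SNI issues.
$tm = New-AzTrafficManagerProfile -Name $tmName -ResourceGroupName $rg `
    -TrafficRoutingMethod Performance -RelativeDnsName $tmName -Ttl 30 `
    -MonitorProtocol HTTP -MonitorPort 80 -MonitorPath '/adfs/probe'

# One external endpoint per data centre. Performance routing requires the endpoint location.
$waps = @(
    @{ Name = 'wap-weu'; Target = 'wap1.lucernpub.com'; Location = 'West Europe' }
    @{ Name = 'wap-neu'; Target = 'wap2.lucernpub.com'; Location = 'North Europe' }
)
foreach ($w in $waps) {
    New-AzTrafficManagerEndpoint -Name $w.Name -ProfileName $tmName -ResourceGroupName $rg `
        -Type ExternalEndpoints -Target $w.Target -EndpointLocation $w.Location `
        -EndpointStatus Enabled | Out-Null
}

# The federation service name must be a CNAME to the profile, at whichever DNS provider hosts it.
"Create a CNAME: $fsName -> $($tm.RelativeDnsName).trafficmanager.net"

# After the CNAME propagates: confirm resolution goes through Traffic Manager, that each WAP
# answers the probe, and that Traffic Manager sees both endpoints as Online. A failing
# endpoint is marked Degraded and removed from DNS answers until the probe succeeds again.
Resolve-DnsName -Name $fsName -Type CNAME | Select-Object Name, NameHost
foreach ($w in $waps) {
    $r = Invoke-WebRequest -Uri "http://$($w.Target)/adfs/probe" -UseBasicParsing -TimeoutSec 10
    '{0}: HTTP {1}' -f $w.Target, $r.StatusCode
}
(Get-AzTrafficManagerProfile -Name $tmName -ResourceGroupName $rg).Endpoints |
    Select-Object Name, EndpointMonitorStatus
```

Two operational points follow from this layout. The probe arrives from Azure's Traffic Manager source addresses, so TCP 80 must be allowed inbound to each WAP from those ranges only, while clients still reach the WAPs directly over TCP 443; and a low TTL limits how long clients keep resolving to a data centre that has just failed.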

Migrating from AD FS to PTA for SSO to Office 365

This recipe shows how to change the sign-in method from federation with AD FS to PTA and Seamless SSO.

Getting ready

Ensure the organization has not implemented heavy customizations to the onload.js file of the AD FS sign-in pages and does not rely on on-premises multi-factor authentication solutions; neither carries over to Azure AD sign-in.

To configure the sign-in method within Azure AD Connect, you'll need to sign in with an account that is a local administrator on the server dedicated to Azure AD Connect. As part of the following steps, you'll need to enter the credentials for these accounts:

  • An account in Active Directory that is a member of the Enterprise Admins group
  • An account in Azure AD that has the Global administrator role or the Hybrid Identity administrator role assigned

Ensure the Windows Server running Azure AD Connect can reach the internet without traversing a proxy and has IE ESC turned off.
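The two blockers named above, a customized onload.js and on-premises MFA adapters, can be detected from the AD FS server before the cutover, and the result of the cutover can be checked from the tenant afterwards. The following added example is not code from the book. It assumes it runs on an AD FS server with the ADFS module available, that Microsoft.Graph.Identity.DirectoryManagement is installed, and that lucernpub.com is the federated domain being converted.

```powershell
# Added example (not from the book): detect a customized onload.js and registered MFA
# adapters in AD FS before migrating to PTA, then confirm the domain is Managed afterwards.
# Assumptions: run on an AD FS server; Microsoft.Graph.Identity.DirectoryManagement is
# installed; 'lucernpub.com' is the domain Azure AD Connect converts.
#Requires -Modules ADFS, Microsoft.Graph.Identity.DirectoryManagement

$DomainName = 'lucernpub.com'
$work = Join-Path $env:TEMP 'adfs-theme-check'
Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue

# Export the active web theme and the built-in default theme, then compare script\onload.js.
$active = (Get-AdfsWebConfig).ActiveThemeName
foreach ($t in @($active, 'default') | Select-Object -Unique) {
    Export-AdfsWebTheme -Name $t -DirectoryPath (Join-Path $work $t)
}
$activeJs  = Join-Path $work "$active\script\onload.js"
$defaultJs = Join-Path $work 'default\script\onload.js'

if ($active -ne 'default' -and (Get-FileHash $activeJs).Hash -ne (Get-FileHash $defaultJs).Hash) {
    Write-Warning "Theme '$active' has a modified onload.js; Azure AD sign-in pages will not run it."
    # Show the first lines that exist only in the customized file so the owner can review them.
    Compare-Object (Get-Content $defaultJs) (Get-Content $activeJs) |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -First 20 -ExpandProperty InputObject
} else {
    'onload.js is unmodified; no client-side sign-in logic is lost by leaving AD FS.'
}

# On-premises MFA adapters registered in AD FS are the other blocker for this recipe.
$mfa = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($mfa) { Write-Warning "AD FS additional authentication providers in use: $($mfa -join ', ')" }

# After Azure AD Connect has switched the sign-in method, the domain must read 'Managed'.
Connect-MgGraph -Scopes 'Domain.Read.All'
$d = Get-MgDomain -DomainId $DomainName
'{0}: AuthenticationType={1}' -f $d.Id, $d.AuthenticationType
if ($d.AuthenticationType -eq 'Federated') {
    Write-Warning 'Domain is still federated; Azure AD Connect has not converted it yet.'
}
```

Run the first half before the change window and the last check immediately after it: while the domain still reads Federated, every sign-in for that suffix is redirected to AD FS, and decommissioning the farm at that point locks users out.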

If the organization...

Making PTA (geo)redundant

This recipe shows how to install additional PTA agents to make PTA (geo)redundant.

Getting ready

To register additional PTA agents with Azure AD, you'll need to sign in with an account that is a local administrator on the Windows Server installation you plan to run the PTA agent on. As part of the following steps, you'll need to enter the credentials for these accounts:

  • An account in Active Directory that is a member of the Enterprise Admins group
  • An account in Azure AD that has the Global administrator role assigned

Ensure the Windows Server running the additional PTA agent is domain-joined, can reach the internet without traversing a proxy, is running Windows Server 2016 or a newer version of Windows Server, and has IE ESC turned off.

Download the PTA agent from the following URL:

aka.ms/getauthagent

If the organization uses the Azure AD PIM feature, activate the Global administrator role in...
