Home Cloud & Networking Microsoft 365 Security, Compliance, and Identity Administration

Microsoft 365 Security, Compliance, and Identity Administration

By Peter Rising
ai-assist-svg-icon Book + AI Assistant
eBook + AI Assistant $35.99 $24.99
Print $44.99 $26.98
Subscription $15.99 $10 p/m for three months
ai-assist-svg-icon NEW: AI Assistant (beta) Available with eBook, Print, and Subscription.
ai-assist-svg-icon NEW: AI Assistant (beta) Available with eBook, Print, and Subscription. $10 p/m for first 3 months. $15.99 p/m after that. Cancel Anytime! ai-assist-svg-icon NEW: AI Assistant (beta) Available with eBook, Print, and Subscription.
What do you get with a Packt Subscription?
Gain access to our AI Assistant (beta) for an exclusive selection of 500 books, available during your subscription period. Enjoy a personalized, interactive, and narrative experience to engage with the book content on a deeper level.
This book & 7000+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook + Subscription?
Download this book in EPUB and PDF formats, plus a monthly download credit
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
Gain access to our AI Assistant (beta) for an exclusive selection of 500 books, available during your subscription period. Enjoy a personalized, interactive, and narrative experience to engage with the book content on a deeper level.
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook?
Along with your eBook purchase, enjoy AI Assistant (beta) access in our online reader for a personalized, interactive reading experience.
Download this book in EPUB and PDF formats
Access this title in our online reader
DRM FREE - Read whenever, wherever and however you want
Online reader with customised display settings for better reading experience
What do you get with video?
Download this video in MP4 format
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with video?
Stream this video
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with Audiobook?
Download a zip folder consisting of audio files (in MP3 Format) along with supplementary PDF
What do you get with Exam Trainer?
Flashcards, Mock exams, Exam Tips, Practice Questions
Access these resources with our interactive certification platform
Mobile compatible-Practice whenever, wherever, however you want
ai-assist-svg-icon NEW: AI Assistant (beta) Available with eBook, Print, and Subscription. ai-assist-svg-icon NEW: AI Assistant (beta) Available with eBook, Print, and Subscription. BUY NOW $10 p/m for first 3 months. $15.99 p/m after that. Cancel Anytime! ai-assist-svg-icon NEW: AI Assistant (beta) Available with eBook, Print, and Subscription.
eBook + AI Assistant $35.99 $24.99
Print $44.99 $26.98
Subscription $15.99 $10 p/m for three months
What do you get with a Packt Subscription?
Gain access to our AI Assistant (beta) for an exclusive selection of 500 books, available during your subscription period. Enjoy a personalized, interactive, and narrative experience to engage with the book content on a deeper level.
This book & 7000+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook + Subscription?
Download this book in EPUB and PDF formats, plus a monthly download credit
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with a Packt Subscription?
Gain access to our AI Assistant (beta) for an exclusive selection of 500 books, available during your subscription period. Enjoy a personalized, interactive, and narrative experience to engage with the book content on a deeper level.
This book & 6500+ ebooks & video courses on 1000+ technologies
60+ curated reading lists for various learning paths
50+ new titles added every month on new and emerging tech
Early Access to eBooks as they are being written
Personalised content suggestions
Customised display settings for better reading experience
50+ new titles added every month on new and emerging tech
Playlists, Notes and Bookmarks to easily manage your learning
Mobile App with offline access
What do you get with eBook?
Along with your eBook purchase, enjoy AI Assistant (beta) access in our online reader for a personalized, interactive reading experience.
Download this book in EPUB and PDF formats
Access this title in our online reader
DRM FREE - Read whenever, wherever and however you want
Online reader with customised display settings for better reading experience
What do you get with video?
Download this video in MP4 format
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with video?
Stream this video
Access this title in our online reader
DRM FREE - Watch whenever, wherever and however you want
Online reader with customised display settings for better learning experience
What do you get with Audiobook?
Download a zip folder consisting of audio files (in MP3 Format) along with supplementary PDF
What do you get with Exam Trainer?
Flashcards, Mock exams, Exam Tips, Practice Questions
Access these resources with our interactive certification platform
Mobile compatible-Practice whenever, wherever, however you want
  1. Free Chapter
    Chapter 1: Planning for Hybrid Identity
About this book
The Microsoft 365 Security, Compliance, and Identity Administration is designed to help you manage, implement, and monitor security and compliance solutions for Microsoft 365 environments. With this book, you’ll first configure, administer identity and access within Microsoft 365. You’ll learn about hybrid identity, authentication methods, and conditional access policies with Microsoft Intune. Next, you’ll discover how RBAC and Azure AD Identity Protection can be used to detect risks and secure information in your organization. You’ll also explore concepts such as Microsoft Defender for endpoint and identity, along with threat intelligence. As you progress, you’ll uncover additional tools and techniques to configure and manage Microsoft 365, including Azure Information Protection, Data Loss Prevention (DLP), and Microsoft Defender for Cloud Apps. By the end of this book, you’ll be well-equipped to manage and implement security measures within your Microsoft 365 suite successfully.
Publication date:
August 2023
Publisher
Packt
Pages
630
ISBN
9781804611920

 

Planning for Hybrid Identity

This book aims to act as a general administration guide for security, compliance, identity, management, and privacy administrators of Microsoft 365 environments, whether they are cloud-only or hybrid. You will learn about umbrella terms for technology principles, such as Microsoft Defender, Microsoft Purview, and Microsoft Entra, and understand their purpose and how they relate to each other. You will see how to access, plan, and configure these technologies via administrative portals, as well as by using PowerShell. In this first chapter, we begin by focusing on identity.

Configuring a Microsoft 365 hybrid environment requires an understanding of your organization’s identity needs. This will enable you to plan and deploy the correct Azure Active Directory (AD) authentication and synchronization method within your environment. This chapter discusses how you can plan your identity methodology and describes the process of monitoring and understanding the events recorded by Azure AD Connect.

By the end of this chapter, you will be able to determine your business needs, analyze on-premises identity infrastructure, and develop a plan for hybrid identity. You will understand how to design and implement authentication and application management solutions, how to enhance data security through strong identity, and how to analyze events and configure alerts in Azure AD Connect.

This chapter covers the following topics:

  • Planning your hybrid environment
  • Authentication methods in Azure AD
  • Synchronization methods with Azure AD Connect
  • Azure AD Connect cloud sync
  • Event monitoring and troubleshooting in Azure AD Connect
 

Planning your hybrid environment

Identity is key when planning and implementing a Microsoft 365 environment. While the default identity method within Microsoft 365 is cloud-only, many organizations with reliance on legacy on-premises infrastructure and applications need to plan the deployment of hybrid identities when introducing Microsoft 365 to their organization.

So, what is a hybrid identity? In simple terms, it is the process of providing your users with an identity in the cloud that is based on their on-premises identity. There are several ways in which this can be achieved and they will be explained in detail throughout this chapter.

The basic principles of hybrid identity in Microsoft 365 are shown in the following diagram:

Figure 1.1: Hybrid identity

Figure 1.1: Hybrid identity

We will now explain how you can start planning for hybrid identities in Microsoft 365.

You should start by establishing the correct identity type for the business needs of your organization. It is important, at this stage, to recognize who your stakeholders will be in this process, understand their current working tools and practices, and assess how Microsoft 365 could be used best enabling them to work more efficiently and securely.

The following are some examples of your possible stakeholders:

  • Users
  • Power users
  • IT team
  • Security team
  • Compliance team
  • Business owners

Each stakeholder will have their challenges that need to be considered. However, your users account for the highest percentage of your stakeholders. Therefore, your primary focus should be to ensure that the transition to new ways of working is seamless. This is because many users will be nervous about change. How you introduce them to new technologies and working practices is directly related to the success or failure of your project. If your users buy into the changes you are introducing and can realize the benefits, then the rest of your stakeholders are also more likely to follow suit.

While your main users will be focused on doing their job, the remaining stakeholders will have a deeper interest in how a Microsoft 365 hybrid environment meets business requirements. Some of the common business requirements are as follows:

  • The modernization of existing IT services and tools
  • Providing and securing cloud Software as a Service (SaaS) applications
  • Reducing risk by establishing a modern identity-based security perimeter

For addressing these requirements, a logical starting point is to examine how on-premises identities are currently configured. This will give you a better understanding of what you need to plan and implement for identity authentication in the cloud. You need to be aware of any current on-premises synchronization solutions that may be in place, including any third-party solutions. You will also need to consider any existing use of cloud applications in the organization. These will need to be identified and plans made for their continued use, integration, or possible replacement.

Note

Cloud App Discovery using Microsoft Defender for Cloud Apps can be used to analyze existing SaaS app usage within your organization. This will be covered in a later chapter of this book.

Understanding your on-premises identity infrastructure will help you to plan for modernization or digital transformation. So, what is modernization considered to be in the world of information technology? Essentially, it is based on the principle that IT users now wish and expect to be more mobile. They want quick and easy access to their emails, chats, and documents anywhere, anytime, and on any device.

This requirement creates the challenge of how to effectively secure and protect the services within the Microsoft 365 platform while simultaneously ensuring that they are easily available and accessible to users. How is this achieved? It is not possible to wrap a firewall around Microsoft 365 in the traditional sense. Instead, you need to look at the various modern authentication security methods that are available within Azure AD. Let’s discuss these methods in detail in the next section.

 

Authentication methods in Azure AD

Several approaches can be leveraged to authenticate your users to Azure AD. In this section, you will explore these methods and understand their use cases.

The authentication security methods available in Microsoft 365 are as follows:

  • Multi-factor authentication (MFA)
  • Self-service password reset (SSPR)
  • Conditional Access
  • Passwordless

The following sections will briefly introduce the principles of these methods; however, each of these will be explored in greater detail in Chapter 2, Authentication and Security, and Chapter 3, Implementing Conditional Access Policies.

Multi-factor authentication

MFA in Azure AD provides two-step verification for Microsoft services via a combination of approved authentication methods determined by Microsoft 365 administrators. The available methods can be based on the following:

  • Something you know, such as your password
  • Something you own, such as your mobile phone or an OAuth hardware token
  • Something you are, such as biometric identification (fingerprint or facial recognition)

When setting up MFA for users in your Microsoft 365 environment, users must first complete a registration process to provide information about themselves to Azure AD and set their authentication method preferences.

Once set, users will be challenged with an MFA prompt when accessing Microsoft 365 services and applications using their Azure AD credentials, as shown in the following diagram:

Figure 1.2: Azure MFA

Figure 1.2: Azure MFA

MFA can also be configured to work in conjunction with Conditional Access, with trusted locations that you define by entering the IP ranges of your business operating units so that users will not be issued an MFA challenge when working in these locations. Conditional Access with MFA also enables you to apply another layer of security by ensuring that any access requests to specific apps and resources can be secured and protected, by requiring the requesting user to complete an MFA challenge before being granted the access they require.

Note

It is recommended that you configure MFA for all privileged user accounts within your Microsoft 365 environment, except for your permanent break-glass accounts, which should be cloud-only accounts with the domain suffix of the .onmicrosoft.com domain name. Alternative authentication protection should be applied to these break-glass accounts. Break-glass accounts will be covered in more detail in Chapter 3, Implementing Conditional Access Policies.

Self-service password reset

Whilst not strictly an authentication method in itself, SSPR is a user feature designed to remove the requirement of IT staff to respond to user requests to reset their passwords in Azure AD. An initial registration process is required at https://aka.ms/SSPRSetup for each user to set up SSPR, during which time they must provide authentication methods to verify their identity.

Note

To reset the password, the user visits https://passwordreset.microsoftonline.com.

SSPR can be used for both cloud-only and hybrid identity users. If the user is cloud-only, then their password is always stored encrypted in Azure AD, whereas hybrid users have their password written back to on-premises AD. This is achieved using a feature that can be enabled in Azure AD Connect called password writeback.

The basic principles of SSPR are illustrated in the following diagram:

Figure 1.3: Self-service password reset

Figure 1.3: Self-service password reset

The process of registering your users for SSPR is now combined with that of the MFA registration process. Previously, there were two separate registration processes for these technologies.

When SSPR is enabled on your Azure AD environment, you can assist your users by configuring notifications that make them aware when their passwords have been reset. You can also increase security by setting administrator notifications to monitor and alert whenever an administrator changes a password. It is also possible to customize a helpdesk email or URL to provide immediate guidance to users who experience problems when attempting to reset their passwords.

Note

When using SSPR with password writeback for your hybrid identities, you will require Azure AD Premium P1 licenses.

Conditional Access

Conditional Access is a powerful feature of Azure AD Premium P1 that allows Microsoft 365 administrators to control access to applications and resources within your organization. With Conditional Access, you can automate the process of controlling the level of access that users will have to these applications and resources by setting Conditional Access policies. Azure AD will then make decisions on whether to grant or deny access based on the conditions that you set in these policies. The basic principles are shown in the following diagram:

Figure 1.4: Conditional Access

Figure 1.4: Conditional Access

While it is possible to apply some default security settings to your Microsoft 365 environment with security defaults (auto-applied on newer tenants), you will undoubtedly need to plan and define custom policies with specific conditions and exceptions. For example, you would not wish to force MFA on your permanent break-glass global administrator account. We will examine Conditional Access in greater detail in Chapter 3, Implementing Conditional Access Policies.

Note

Conditional Access settings frequently require some additional features of Azure AD to be configured, for example, Azure AD Identity Protection. This will have an impact on your decision-making process as it relates to licensing. While Conditional Access is a feature of Azure AD Premium P1, the use of Azure AD Identity Protection features would necessitate Azure AD Premium P2 licenses.

Passwordless authentication

Passwords are more vulnerable than ever before and can be exploited and compromised by malicious actors using techniques such as phishing, spray attacks, and social engineering attacks. Switching to a passwordless authentication method helps mitigate such risks.

Microsoft provides three types of passwordless authentication for Azure AD. These are as follows:

  • Microsoft Authenticator: Can enable iOS or Android phones to be used as passwordless credentials by providing numerical challenges.
  • FIDO2-compliant security keys: Hardware keys provided by a number of third-party manufacturers; ideal for highly privileged identities or shared machines in kiosks.
  • Windows Hello for Business: Available on Windows computers and ideal for users with their own designated Windows device. Biometric and PIN credentials are directly configured on the device to prevent access from anyone but the authorized user.

Note

Links to further resources on Microsoft Authenticator, FIDO2-compliant security keys, and Windows Hello for Business can be found in the Further reading section at the end of this chapter.

Now that you understand the available authentication methods, let’s explore the directory synchronization methods supported by Azure AD Connect.

 

Synchronization methods with Azure AD Connect

Having covered the concept of hybrid identity and authentication, you will now go through the process that makes hybrid identity possible—directory synchronization. The tool used to configure directory synchronization is called Azure AD Connect (previously known as Azure AD Sync Service and DirSync). Azure AD Connect consists of, or can leverage, the following components:

  • Synchronization services
  • Active Directory Federation Services (AD FS)—an optional component
  • Health monitoring

Azure AD Connect supports multiple AD forests and multiple Exchange organizations to a single Microsoft 365 tenant. It leverages a one-way process, where it synchronizes users, groups, and contact objects from your on-premises AD to Microsoft 365.

Although this is almost exclusively a one-way process, there are some writeback capabilities that can be leveraged if chosen or required, which will allow attributes from passwords and groups set in Microsoft 365 to be written back to an on-premises AD.

The principles of Azure AD Connect are shown in the following diagram:

Figure 1.5: Azure AD Connect

Figure 1.5: Azure AD Connect

Once Azure AD Connect is configured and in place, the source of authority for these newly synchronized objects remains with the on-premises AD. Therefore, these objects must be managed by on-premises tools, such as AD Users and Computers or PowerShell. Microsoft 365 administrators will, therefore, not be able to make changes to cloud objects in the Microsoft 365 portal that are synchronized from the on-premises AD.

When setting up Azure AD Connect for the first time, the installation wizard will guide you to select either an Express Settings installation or a customized settings installation. The Express Settings installation is the default setting for Azure AD Connect and is designed for use with password hash synchronization from a single AD forest. The installation dialog is shown in the following screenshot:

Figure 1.6: Express settings

Figure 1.6: Express settings

The custom settings installation provides a richer selection of optional features that can be configured to provide enhanced functionality if required. You can start a custom settings installation by clicking on Customize:

Figure 1.7: Custom settings

Figure 1.7: Custom settings

With the custom settings installation, you are provided with the following options to extend your on-premises identities in the cloud using Azure AD Connect:

  • Password hash synchronization
  • Pass-through authentication
  • Federation with AD FS
  • Federation with PingFederate
  • Enable single sign-on
  • Do not configure

The following sections will explain how to configure the first five of these options in detail.

Password hash synchronization

Password hash synchronization is the simplest method to establish a hybrid identity with Azure AD. Also commonly known as same sign-on, password hash synchronization can be set up using Azure AD Connect. This will synchronize a hash of the user passwords to Azure AD from your on-premises AD.

With password hash synchronization, users logging onto their cloud accounts via the Microsoft 365 portal will authenticate directly to Microsoft 365 cloud services as opposed to leveraging on-premises authentication and security:

Figure 1.8: Password hash synchronization

Figure 1.8: Password hash synchronization

How does this work? Here is the process in a few simple steps:

  1. The password synchronization agent within Azure AD Connect will request the stored password hashes at 2-minute intervals from a domain controller. In response to this, the domain controller will encrypt the hash. This encryption is executed with a key that is acquired from the Remote Procedure Call (RPC) session key and then salted. Salting is a process pertaining to password hashing. Essentially it involves adding a unique value to the end of the password to create a different hash value. This provides an additional layer of security and helps protect against brute-force attacks.
  2. The domain controller will then send the result, along with the salt, to the sync agent using RPC. The agent can now decrypt the envelope. It is important to point out that the sync agent never has any access to the password in cleartext.
  3. Once decrypted, the sync agent performs a re-hash on the original password hash, changing it to a SHA256 hash by imputing this into the PKDF2 function.
  4. The agent will then sync the resulting SHA256-hashed password hash from Azure AD Connect to Azure AD using SSL.
  5. When Azure AD receives the hash, it will be encrypted with an AES algorithm and then stored in the Azure AD database.

Therefore, when a user signs into Azure AD with their on-premises AD username and password, the password is taken through this process. If the hash result is a match for the hash stored in Azure AD, the user will be successfully authenticated.

Pass-through authentication

Pass-through authentication is an alternative to password hash synchronization. This method is commonly used when Microsoft 365 administrators require users to authenticate their Microsoft 365 logins on-premises as opposed to directly to Azure AD:

Figure 1.9: Pass-through authentication

Figure 1.9: Pass-through authentication

Unlike password hash synchronization, pass-through authentication does not synchronize passwords from on-premises AD to Microsoft 365. Instead, it allows users to log on to both on-premises and cloud applications and services using the same password. This provides a far more cohesive experience for users, with the added benefit that on-premises passwords are never stored in the cloud in any form.

A lightweight agent is all that is needed to set this up with Azure AD Connect and this agent is automatically installed on the Azure AD Connect server when you run the initial setup for pass-through authentication. To provide resiliency to your pass-through authentication solution, the agent can be installed onto additional servers in your on-premises AD sites. The agents should ideally be installed on servers close to your domain controllers to improve sign-in latency. Servers on which the agent is installed should also be security hardened to the same extent that you would protect domain controllers.

Note

It is recommended to configure a minimum of three authentication agents in your environment. The maximum number of agents that can be installed is 40. It is generally good practice to have at least one agent deployed to each of your AD sites to make pass-through authentication resilient and highly available.

The authentication agents must be able to make outbound requests to Azure AD over the following ports in order to function:

Port

Requirement

80

SSL certificate validation and certificate revocation list download

443

Provides outbound communication for the service

8080

While this port is optional and not required for user sign-ins, it is useful to configure this as authentication agents will report status through port 8080 at 10-minute intervals.

Table 1.1: Azure AD ports

Federation

Federation, in simple terms, can be described as domains that trust each other. They share access to resources across organizations, with authentication and authorization settings configured to control the trust.

It is possible to federate your on-premises AD environment with Azure AD to provide authentication and authorization. As is the case with pass-through authentication, a federated sign-in method enforces all user authentication via on-premises methods as opposed to the cloud.

The main benefits of federation are that it provides enhanced access controls to administrators. However, the drawback of this method is that additional infrastructure will inevitably need to be provisioned and maintained.

In Azure AD Connect, there are two methods available to configure federation with Azure AD. These are AD FS and the more recently added PingFederate.

To explain the infrastructure requirements in more detail, AD FS can be used as an example. In order to configure AD FS in line with Microsoft’s best practices, you will need to install and configure a minimum of two on-premises AD FS servers on your AD environment and two web application proxy servers on your perimeter network.

This configuration provides the necessary security principles to ensure that both internal and (especially) remote users authenticate to the services within your hybrid environment in a manner that provides appropriate authentication and authorization. The process of federation is shown in the following diagram:

Figure 1.10: Federation

Figure 1.10: Federation

So, how does federation actually work? Well, there are two main principles that you need to understand. These are claims-based authentication and federated trusts. The following sections will explain each of these in detail.

Claims-based authentication

Claims-based authentication works on the principle of users making statements about themselves in order to authenticate and gain access to applications by using industry-standard security protocols. User claims rely on the claims issuer, which is the Security Token Service (STS). The STS can be configured on your AD FS server. The statements provided by users can relate to name, identity, key, group, privilege, or capability.

A claim is issued by the user to the claims issuer. It is then assigned values and packaged into a security token by the claims issuer (the STS). This security token is essentially an envelope that contains the claims relating to the user. The token is sent back to the user and then passed to the application that the user wishes to access.

The claim relies on the explicit trust that is established with the issuer. The application that the user wishes to access will only trust the user’s claim if it subsequently trusts the claims issuer (the STS).

With claims-based authentication, you can configure a number of authentication methods. The most commonly used ones are as follows:

  • Kerberos authentication
  • Forms authentication
  • X.509 certificates
  • Smart cards

Although many older applications do not support claims-based authentication, the main use-case argument for applications that do support it is that it simplifies the process of trust for those target applications. Instead of having to place their trust directly in the user making the claim, they can be secure in the knowledge that they can absolutely trust the claims issuer instead.

Federated trust

Federated trusts expand on the capabilities of claims-based authentication by enabling your issuer to accept security tokens from other issuers as opposed to a user having to directly authenticate. In this scenario, the issuer can both issue and accept security tokens from other trusted issuers utilizing the federation trust. This process essentially establishes a business relationship or partnership between two organizations.

Federated trusts enable trusted issuers to represent the users on their side of the trust. The benefit of this configuration is that should you need to revoke the trust, you can do so through a single action. Rather than revoking a trust with many individual external users, you can simply terminate the trust with the issuer.

A good example of how this works in practice would be that if you need to authenticate remote users to your environment, a federated trust will remove the requirement to provide direct authentication for those users. Instead, you will have a trust relationship with the remote user from their organization. This enables these remote users to continue using their own single sign-on methodology and provides an efficient, decentralized way for them to authenticate to your organization.

Note

An alternative method of providing many of the features that federation offers is to use pass-through authentication in conjunction with the rich features of Azure AD Premium, such as Conditional Access and Identity Protection.

Although additional licensing may be required within Azure AD to deploy these features, this method offers simplified setup and administration and also removes the requirement for any additional infrastructure.

Azure AD Seamless Single Sign-On

Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) is a free-to-use feature of Azure AD that provides a single set of credentials for your users to authenticate to applications within Azure AD, when connecting to your organization’s network using a business desktop device. This means that once connected to your organization’s network on their Windows 10/11 domain-joined devices, they will not be asked to provide further credentials when opening any Azure AD applications. The principles of Seamless SSO are shown in the following diagram:

Figure 1.11: Seamless SSO

Figure 1.11: Seamless SSO

Seamless SSO is configured via the Azure AD Connect wizard or PowerShell and can be used in conjunction with password hash synchronization and pass-through authentication. It is not compatible with federations such as AD FS or PingFederate.

There are some prerequisites to be aware of when planning to implement Seamless SSO. These include the following:

  • If you are using Azure AD Connect with password hash sync, ensure that you are using Azure AD Connect Version 1.1.644.0 or later. Further, if possible, ensure that your firewall or proxy is set to allow connections to the *.msappproxy.net URLs over port 443. Alternatively, allow access to the Azure data center IP ranges.
  • Be aware of the supported topologies that are shown at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies.
  • Ensure that modern authentication is enabled on your tenant.
  • Ensure that the version of your users’ Office desktop clients is a minimum of 16.0.8730.xxxx or above.

Note

Although at the time of writing this book, version 1.1.644.0 is still listed as the minimum required version of Azure AD Connect when using Seamless SSO with password hash synchronization, it is important to be aware that version 1 of AD Connect was retired by Microsoft at the end of August 2022. Further details of this can be found in the Further reading section at the end of the chapter.

Once you have verified these prerequisites, you can go ahead and enable the feature. This is most commonly done when setting up Azure AD Connect for the first time by performing a custom installation using the Azure AD Connect wizard and, from the User sign-in page, ensuring that the Enable single sign-on option is selected:

Figure 1.12: User sign-in methods

Figure 1.12: User sign-in methods

It is also possible to use PowerShell to set up Seamless SSO. This is a particularly useful method if you need to specify a particular domain(s) in your AD forest to use the feature.

If you need to enable the feature when you already have Azure AD Connect deployed, then you can rerun the setup wizard and choose the Change user sign-in option under the Additional tasks section:

Figure 1.13: Additional tasks

Figure 1.13: Additional tasks

Note

You will need domain administrator credentials to complete setting up Seamless SSO. However, these credentials are only required to enable the feature and will not be required after the setup is complete.

To verify that the setup of Seamless SSO has been completed successfully, log on as a global administrator to https://portal.azure.com and navigate to Azure Active Directory | Azure AD Connect.

From this page, you will be able to verify that Seamless SSO has the status Enabled:

Figure 1.14: User sign-in settings

Figure 1.14: User sign-in settings

Finally, when completing your custom settings installation of Azure AD Connect, you are presented with several additional Optional features, as shown in the following screenshot:

Figure 1.15: Optional features

Figure 1.15: Optional features

The most commonly used features are Exchange hybrid deployment and Password writeback. Further information on all of the available optional features can be viewed at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#optional-features.

To deploy the Azure AD Seamless single sign-on feature for your users, you need to ensure that the following URL is added to the required user’s Intranet Zone settings by using Group Policy: https://autologon.microsoftazuread-sso.com.

One of the advantages of deploying this setting with Group Policy is that you can roll out Seamless SSO to groups of users at your own pace.

A more recent alternative to Azure AD Connect to accomplish hybrid identity goals is Azure AD Connect cloud sync, which we will discuss in the next section.

 

Azure AD Connect cloud sync

Instead of the Azure AD Connect application, a cloud provisioning agent can be used. However, Azure AD Connect cloud sync can also be leveraged along with Azure AD Connect sync to enable the synchronization of data to a tenant from a multi-forest disconnected AD forest environment, which is a functionality that is often used in merger and acquisition scenarios. It also facilitates simplified installation using lightweight provisioning agents, with the management of all sync configuration taking place in the cloud. In addition, it offers multiple provisioning agents to simplify high-availability deployments. Azure AD Connect cloud sync is controlled by Microsoft Online services. Locally, only a lightweight agent needs to be deployed, which acts as a bridge between the on-premises AD and Azure AD.

A detailed comparison of features between Azure AD Connect and Azure AD Connect cloud sync can be viewed at https://learn.microsoft.com/en-us/azure/active-directory/cloudsync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync.

While Azure AD Connect cloud sync does include some powerful features, it also has some limitations. The most notable one is no support for Exchange hybrid writeback, which prevents many organizations still relying on Exchange on-premises from leveraging this technology.

Note

Federation is becoming less used in favor of pass-through authentication, but it is still important to understand AD FS scenarios.

Next, we will look at the monitoring and troubleshooting methods for Azure AD Connect.

 

Event monitoring and troubleshooting in Azure AD Connect

Now that you have your hybrid identity method configured, it should all run smoothly. However, occasionally, you may still encounter some problems. This is where the ability to assess and troubleshoot Azure AD Connect with tools from the Microsoft 365 portal can assist administrators in quickly identifying and resolving issues. Administrators will be able to perform the following tasks as part of troubleshooting in Azure AD Connect:

  1. Review and interpret synchronization errors by accessing the Microsoft 365 admin center via https://admin.microsoft.com and examining the Azure AD Connect directory sync status. Here, you will see an overview of all directory synchronization errors. A common example may be a duplicate proxy address or UPNs causing conflicts and preventing an object from syncing. The following screenshot shows the Azure AD Connect tile in the admin center. Any issues with synchronization will be shown here by using red circles for critical warnings or yellow triangles for lesser warnings. A green circle means all is OK and healthy:

Figure 1.16: Azure AD Connect sync status

Figure 1.16: Azure AD Connect sync status

The preceding figure shows a sync status of only 37 minutes ago, which results in a yellow warning. Figure 1.17 shows more serious red warnings when sync has not completed for 3 days:

Figure 1.17: Azure AD Connect status

Figure 1.17: Azure AD Connect status

  1. If you scroll down further, you will see additional details about your Directory sync status, as shown in the following screenshot. One of the tools you can download from here is IdFix. You can run this tool from any domain-joined workstation in your environment. It provides detailed information on synchronization issues and guidelines on how to resolve them:

Figure 1.18: Directory sync status

Figure 1.18: Directory sync status

  1. Receive and act on email notifications relating to an unhealthy identity synchronization. These email alerts are configured by default to alert only the technical contact defined in your Microsoft 365 tenant under the organization profile. The technical contact will continue receiving these emails until the issue is resolved.
  2. Check Synchronization Service Manager on the Azure AD Connect server to confirm that the operations required for successful synchronization have been completed. If any errors occur, they will be displayed here with explanations for why the operation failed:

Figure 1.19: Synchronization Service Manager

Figure 1.19: Synchronization Service Manager

  1. Directory synchronization occurs every 30 minutes by default. However, you can generate a synchronization on demand by opening the Connectors tab and manually starting the process, as shown in the following screenshot:
Figure 1.20: Synchronization Service Manager

Figure 1.20: Synchronization Service Manager

  1. Click on Actions and select Run:

Figure 1.21: Connector actions

Figure 1.21: Connector actions

  1. You will be able to run the desired connectors from here, as shown:

Figure 1.22: Connector options

Figure 1.22: Connector options

  1. It is also possible, and far simpler, to run a manual synchronization process using PowerShell from your AD Connect server with the following commands:
    • To initiate a full synchronization:
      Start-ADSyncSyncCycle -PolicyType Initial
    • To initiate a delta synchronization
      Start-ADSyncSyncCycle -PolicyType Delta

In this section, we examined event monitoring and troubleshooting techniques in Azure AD Connect. We learned how to review, interpret, and respond to synchronization errors in the Office 365 portal and by checking the Synchronization Service Manager tool. We also explored how you can manually trigger the synchronization process from the Synchronization Service Manager tool and by using PowerShell.

 

Summary

This chapter presented the steps and considerations for planning and implementing hybrid identity in Microsoft 365. You should now have an understanding of the synchronization methods available and how to choose the correct one for your environment, along with the principles of additional security authentication. You also learned how to troubleshoot events and alerts when required.

The next chapter will dive deeper into security and authentication features within Microsoft 365, including MFA and SSPR. You will also take a look at Azure AD dynamic groups and managing B2B and Office 365 external sharing.

 

Questions

  1. Which of the following is not one of the identity methods available with Azure AD?
    1. Pass-through authentication
    2. Federation
    3. MFA
    4. Password hash sync
  2. Your organization needs to synchronize an on-premises Active Directory with Azure AD. Users must authenticate to the on-premises infrastructure while connecting to services with their Microsoft 365 credentials. You need to recommend an identity methodology that accomplishes the goal but minimizes costs and complexity. What should you recommend?
    1. Cloud-only identity
    2. Pass-through authentication
    3. Active Directory Federation Services
    4. Password hash synchronization
  3. True or false? Azure AD Connect Cloud sync includes support for Exchange hybrid writeback.
    1. True
    2. False
  4. Which of the following Microsoft 365 licenses allows users to use SSPR (choose two)?
    1. Azure AD Premium P2
    2. Intune
    3. Azure Information Protection P1
    4. Azure AD Premium P1
  5. Which of the following PowerShell commands could you use to run a full Azure AD Connect sync manually?
    1. Start-ADSyncSyncCycle -PolicyType Initial
    2. Start-ADSyncSyncCycle -PolicyType Delta
    3. Start-ADSyncSyncCycle -PolicyType Full
    4. Start-ADSyncSyncCycle -PolicyType Immediate
  6. True or false? Self-service password reset is automatically enabled for Global Administrator accounts in Microsoft 365.
    1. True
    2. False
  7. What is the maximum number of authentication agents that can be configured in Azure AD for pass-through authentication?
    1. 5
    2. 10
    3. 30
    4. 40
  8. How frequently (by default) does Azure AD Connect automatically synchronize on-premises AD changes to Azure AD?
    1. Every 20 minutes
    2. Once an hour
    3. Every 30 minutes
    4. Every 15 minutes
  9. Which of the following could be a possible cause for Azure AD Connect synchronization issues or errors?
    1. A duplicate proxy address is detected.
    2. SSPR has been incorrectly configured.
    3. You are using password hash sync rather than pass-through authentication.
    4. The AD Connect wizard was run with express installation settings rather than a customized installation.
  10. When deploying federation with AD FS, what is the minimum number of web application proxy servers you should configure on your perimeter network?
    1. 5
    2. 2
    3. 3
    4. 7
 

Further reading

Please refer to the following links for more information:

About the Author
  • Peter Rising

    Peter Rising has over 25 years' experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a Consulting Services Manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

    Browse publications by this author
Latest Reviews (1 reviews total)
Pubblicazioni interessanti scritti con il giusto livello tecnico ma soprattutto in modo chiaro.