A Hitchhiker's Guide to Azure Active Directory


A Hitchhiker's Guide to Azure Active Directory Max Fritz Senior Systems Consultant, Now Micro @theCloudSherpa

Thank You Sponsors for participating in SPS St. Louis 2017! You can use the hashtag #SPSSTL & follow us @SPSStlouis Gold Sponsors Silver Sponsors

Max Fritz, Senior Consultant. MCSA Office 365, MCSE Productivity. Working with Office 365 for over 5 years. Specialize in the Education industry. Focus in Azure AD, Exchange, and SharePoint Online. Contact details: Email: maxf@nowmicro.com, Twitter: @TheCloudSherpa, Website/Blog: maxafritz.com, LinkedIn: in/maxafritz

Now Micro is a Consulting & Device Life Cycle Management company. Now Micro's Consulting Practice focuses on helping organizations deliver the best end-user experience by designing and implementing the most robust Systems Management, Cloud Productivity, and Identity Management solutions available.

What is Azure Active Directory? Identity management in the cloud. Based on the Active Directory we all already know, but integrated with numerous first- and third-party cloud services. The backbone of Office 365.

The Office 365 and Azure AD Story

Azure AD Basics

Synchronizing with Azure AD: Azure Active Directory Connect. Formerly known as "DirSync". Connects to on-premises Active Directory. Synchronizes users, groups, and contacts. Allows for writes in both directions. Uses SQL Express to manage synchronization. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Active Directory Connect Functionality (diagram): Azure AD Connect acts as an identity bridge between on-premises AD DS (with AD FS optional) and Azure AD, which in turn fronts Office 365, your apps, and SaaS apps such as Salesforce, Box, DropBox, Google, and others. Components shown: sync engine, health.

How to get Azure AD. Feature comparison for the plans Basic (incl. with O365) and Premium P1: Directory Object Limit: Unlimited; Single Sign-On: 10 per user; Reports: Basic / Advanced; Self-Service; Multi-Factor Auth.; Cloud App Discovery; Conditional Access*; Identity Protection; Privileged Identity Management. There is a free tier as well, not covered here.

How to get access to Azure AD
Has someone already set up Azure AD?
  Yes: Are you an Office 365 Admin?
    Yes: You have access.
    No: Someone with access needs to give it to you.
  No: Are you an Office 365 Admin?
    Yes: Click on Azure AD in the Office 365 Admin Center.
    No: An Office 365 Admin will need to set it up.

Accessing Azure AD Admin Controls: New Azure Portal (portal.azure.com); Old Azure Portal (manage.windowsazure.com); PowerShell; From Office 365 (portal.office.com).

Accessing Azure AD Admin Controls. New Azure Portal (portal.azure.com): Azure Active Directory controls are in public preview; may not always work, and not everything is there. Old Azure Portal (manage.windowsazure.com): Azure Active Directory controls are fully functional; dated look to the portal, and all other Azure items are in the new portal.

Azure AD PowerShell, Version Madness. Preview (Version 1.1.166): allows for modification of O365 Group policies; my recommended version. Full Release (Version 2.x): only version supported by MS. Super-preview: few commands available; advanced users only.

Azure AD Features

Azure Multi-Factor Authentication. Prevents unauthorized access to Azure AD by providing an additional level of authentication. Prompts users for a second form of authentication (besides the password) to verify identity. Free for users with admin privileges in Office 365 (use it!).

Azure Multifactor Authentication verification methods: mobile apps, phone calls, text messages.

Single sign-on to any app. Security: the password is only stored in the identity provider (Azure AD). Convenience: users don't have to remember multiple usernames and passwords. Management: centrally manage authentication processes. App types (diagram: Microsoft Azure, other directories): web apps (Azure Active Directory Application Proxy), integrated custom apps, SaaS apps.

Thousands of pre-integrated apps and growing!

Azure Active Directory Identity Protection (diagram). Signals: infected devices, leaked credentials, configuration vulnerabilities, brute force attacks, suspicious sign-in activities. Gain insights from a consolidated view of machine-learning based threat detection; the machine-learning engine performs risk severity calculation. Risk-based policies with remediation recommendations: MFA challenge for risky logins, block attacks, change bad credentials. Risk-based conditional access automatically protects against suspicious logins and compromised credentials.

Privileged Identity Management (roles shown: Global Administrator, Billing Administrator, SharePoint Administrator, User Administrator, Password Administrator). Discover, restrict, and monitor privileged identities. Enforce on-demand, just-in-time administrative access when needed. Provides more visibility through alerts, audit reports and access reviews.

Privileged Identity Management: how time-limited activation of privileged roles works (diagram: security admin, user, and admin profiles such as Billing Admin, Global Admin, Service Admin). Users need to activate their privileges to perform a task. MFA is enforced during the activation process (identity verification). Users will retain their privileges for a pre-configured amount of time. Alerts inform administrators about out-of-band changes. Security admins configure Privileged Identity Management, monitor and audit access, and can discover all privileged identities, view audit reports and access reports, and review everyone who is eligible to activate via access reviews.

OK, let's take a breath and show some real stuff (and don't forget to bring a towel).

3 simple things you can do using Azure AD to improve Office 365

1. Organizational Sign-in Branding. Affects any Azure AD or Office 365 sign-in: portal.office.com, mobile apps, Office Pro Plus, etc. Different from the branding within the Office 365 portal and SharePoint branding. Great way to make Office 365 your own. Helps provide sign-in instructions to users. Reassures your users that they are signing into the right page. Makes your marketing department happy.

Organizational Sign-in Branding: before and after (screenshots).

2. Set up Multi-Factor Authentication for Admins. As mentioned, this is free for Office 365 Admins. Admin accounts are a huge security vulnerability: if an admin account is breached, your entire organization can be considered breached. Only downside: SharePoint Online PowerShell does not support MFA. Recommendation: enable MFA anyway, and temporarily disable it when using SharePoint PowerShell.
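An added example (not from the presentation) of the audit a tenant admin would run before acting on this slide: list the members of the Office 365 admin roles whose per-user MFA is still off, then enable it for them. It assumes the MSOnline (Azure AD PowerShell v1) module and an account permitted to read directory roles; the role list is a choice made here, not the slide's.

```powershell
# Added example, not from the presentation. Assumes the MSOnline module.
Connect-MsolService

# Admin roles to audit (MSOnline role names; 'Company Administrator' is Global Admin).
$adminRoles = @(
    'Company Administrator',
    'SharePoint Service Administrator',
    'Exchange Service Administrator',
    'User Account Administrator',
    'Billing Administrator'
)

$unprotected = foreach ($roleName in $adminRoles) {
    $role = Get-MsolRole -RoleName $roleName
    if (-not $role) { continue }
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Only user accounts can have per-user MFA; skip groups and service principals.
        if ($member.RoleMemberType -ne 'User') { continue }
        $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
        # StrongAuthenticationRequirements is empty when per-user MFA is off.
        $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
        if ($state -notin 'Enabled', 'Enforced') {
            [pscustomobject]@{ Role = $roleName; User = $user.UserPrincipalName }
        }
    }
}

# Report first, so the list can be reviewed before anything changes.
$unprotected | Format-Table -AutoSize

# Enable per-user MFA for every admin found above; each user is prompted
# to register a second factor at the next sign-in.
foreach ($entry in $unprotected) {
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $entry.User -StrongAuthenticationRequirements @($req)
}
```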

3. Restrict Office 365 Group Creation. To be honest, this one is less simple. Requires Azure AD PowerShell Version 1.1.130 (not higher or lower). Group creation used to be controlled by Exchange Online; with Planner, Teams, SharePoint Team Sites, PowerBI and more able to create Groups, it is now controlled through Azure AD. A policy can be created in Azure AD that only allows certain groups of users to create Groups. Any other attempt will result in an error (error messages can get strange). The policy is created through PowerShell.
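An added example (not from the presentation) of the policy the slide describes: the tenant-wide Group.Unified directory setting is created from its template, or updated if it already exists, so that only members of one security group can create Office 365 Groups. It uses the AzureADPreview module's directory-setting cmdlets rather than the 1.1.130 module the slide names, assuming the setting names EnableGroupCreation and GroupCreationAllowedGroupId match; the group name 'Group Creators' is a placeholder.

```powershell
# Added example, not from the presentation. Assumes the AzureADPreview module
# and a Global Administrator session.
Connect-AzureAD

# Security group whose members keep the right to create Groups (placeholder name).
$allowedGroup = Get-AzureADGroup -SearchString 'Group Creators' | Select-Object -First 1
if (-not $allowedGroup) { throw 'Create the allowed-creators security group first.' }

# Tenant-wide Group.Unified settings exist only once created from the template.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting = $template.CreateDirectorySetting()
    $setting['EnableGroupCreation']        = 'False'
    $setting['GroupCreationAllowedGroupId'] = $allowedGroup.ObjectId
    New-AzureADDirectorySetting -DirectorySetting $setting
} else {
    # Setting already exists (for instance from an earlier run): update it in place.
    $setting['EnableGroupCreation']        = 'False'
    $setting['GroupCreationAllowedGroupId'] = $allowedGroup.ObjectId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Verify the two values that now govern who may create Groups.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' }
```

Accounts holding admin roles such as Global Administrator remain able to create Groups regardless of this setting, so the allowed group should be reviewed alongside the admin role membership.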

Questions?

Thank you! Come ask me questions! Stay in touch! Email: maxf@nowmicro.com, Twitter: @TheCloudSherpa, Website/Blog: maxafritz.com, LinkedIn: in/maxafritz