Published by Lucas May. Modified over 9 years ago.
Slide 1: Microsoft® Official Course, Module 13: Implementing Windows Azure Active Directory
Slide 2: Module Overview
- Overview of Windows Azure AD
- Managing Windows Azure AD Accounts
Slide 3: Lesson 1: Overview of Windows Azure AD
- Extending AD DS Into the Cloud
- What Is Windows Azure AD?
- Windows Azure AD Authentication
- Multifactor Authentication for Cloud-Based Users
- Multifactor Authentication for Federated Users
- What Is Windows Azure AD Access Control?
Slide 4: Extending AD DS Into the Cloud
- Cloud-based applications need highly available authentication
- Considerations for hosting AD DS in Windows Azure:
  - Create virtual machines to provide services
  - Requires one domain controller, one federation server, and one federation server proxy
  - Create a VPN for replication
- Benefits of hosting AD DS data in Windows Azure AD:
  - Simplified management
  - Reduced data in the cloud
Slide 5: What Is Windows Azure AD?
- Windows Azure AD provides identity as a service
- You can use Windows Azure AD for:
  - Office 365
  - Windows Intune
  - Your cloud-based applications for internal users
  - Your cloud-based or on-premises applications for external users
  - Cloud-based applications from vendors
- Windows Azure AD is platform independent
Slide 6: Windows Azure AD Authentication
- SSO:
  - Requires an STS
  - Authentication is performed on-premises
  - User name and password match the on-premises identity store
- Cloud-based user:
  - Authentication is performed by Windows Azure AD
  - User name and password may not match the on-premises identity store
- Web identity providers:
  - Authentication is performed by a web-based identity provider
  - User name and password match a web-based identity store
Slide 7: Multifactor Authentication for Cloud-Based Users
- Multi-factor authentication increases security
- Cloud-based applications and mobile device credentials are more vulnerable
- Windows Azure Active Authentication:
  - Multi-factor authentication for cloud-based user accounts
  - Code provided by:
    - Phone call
    - Text message
    - Active Authentication app
- The Active Authentication app is available for Windows Phone, iOS, and Android
Slide 8: Multifactor Authentication for Federated Users
- Multi-factor authentication with AD FS provides:
  - Web-based applications and services only
  - Built-in smart card support
  - Access to third-party modules
- Multi-factor authentication with VPN:
  - Uses multifactor authentication
  - Provides application access only after VPN connectivity
  - Supports all application types
Slide 9: What Is Windows Azure AD Access Control?
- Access Control:
  - Provides authentication services for applications
  - Simplifies application development
  - Provides a security token to web applications
- Authentication support:
  - AD FS
  - Microsoft account
  - Google
  - Yahoo!
  - Facebook
  - WS-Trust
  - OpenID
- Cross-platform support for web applications
Slide 10: Lesson 2: Managing Windows Azure AD Accounts
- Account Management for Small Organizations
- What Is Directory Sync?
- How Directory Sync Synchronization Works
- Considerations for Password Sync
- Directory Sync Topologies
- Using Windows PowerShell to Manage Accounts
- What Is Windows Azure AD Graph?
Slide 11: Account Management for Small Organizations
- Manual creation of cloud-based users in a web console:
  - Is simple but not scalable
  - May be possible in a web-based console provided by an application
  - The user name and password might not match an on-premises user account
Slide 12: What Is Directory Sync?
- Directory Sync synchronizes user accounts from on-premises AD DS to Windows Azure AD
- Cloud-based users with Password Sync:
  - Eliminates password confusion for users
- Federated users:
  - Use an STS to perform authentication
  - Eliminates password confusion for users
Slide 13: How Directory Sync Synchronization Works
- Initial synchronization:
  - Creates a new account if none exists
  - Sets a source anchor attribute
  - Performs a fuzzy match by using the primary SMTP attribute
- With synchronization control:
  - Synchronized attributes cannot be controlled
  - Scope can be modified
  - Synchronization occurs every three hours
  - Default accounts and system objects are not synchronized
  - Synchronization can be disabled
- Recovering a deleted user in AD DS also recovers the user in Windows Azure AD
Slide 14: Considerations for Password Sync
- Password Sync prevents user confusion due to different passwords
- Password Sync scope is:
  - Performed for all cloud-based users
  - Not performed for federated users
- In the Password Sync process:
  - Password hashes are synchronized
  - Passwords synchronize from AD DS to Windows Azure AD
  - The Password Sync agent runs every two minutes
- For password policies, consider that:
  - AD DS password policies are applied to synchronized passwords
  - Password change is prompted only for on-premises AD DS
Slide 15: Directory Sync Topologies
- With one AD DS forest and multiple tenants:
  - Each identity is limited to one tenant
  - Each tenant is associated with a UPN
  - Multiple instances of Directory Sync are required
  - Directory Sync scope must be modified
- FIM-specific topologies:
  - Multiple AD DS forests to a single tenant
  - Non-AD DS directory
- Microsoft Exchange Server account and resource forests:
  - Can use Directory Sync in a resource forest
  - Can use AD FS in an account forest if required
Slide 16: Using Windows PowerShell to Manage Accounts
- Windows Azure AD Module for Windows PowerShell:
  - Manages Windows Azure AD features
  - Creates and manages objects
- Requirements for installation:
  - Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012
  - Microsoft .NET Framework 3.5.1
  - Microsoft Online Services Sign-in Assistant
- Example code for connectivity:
    $mycredential = Get-Credential
    Connect-MsolService -Credential $mycredential
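A worked script, added here as an example and not part of the course module, that builds on the connectivity snippet above and on the Directory Sync, Password Sync and multi-factor points of the earlier slides: it reports the tenant's sync status, classifies users as directory-synchronized or cloud-only, and, only when $Apply is set, enforces strong passwords and per-user multi-factor authentication on cloud-only accounts. It assumes the MSOnline module is installed and an administrative credential for the tenant; $Apply and $report are names chosen for this example.

```powershell
# Added example; assumes the Windows Azure AD Module for Windows PowerShell
# (MSOnline) is installed and the credential supplied is a tenant administrator.
Import-Module MSOnline

$Apply = $false   # leave $false to report only; set $true to make changes

$mycredential = Get-Credential
Connect-MsolService -Credential $mycredential

# 1. Tenant sync posture: Directory Sync (every three hours) and Password Sync
#    (agent runs every two minutes), as described on the earlier slides.
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled      = $company.DirectorySynchronizationEnabled
    LastDirSync         = $company.LastDirSyncTime
    PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
    LastPasswordSync    = $company.LastPasswordSyncTime
} | Format-List

# 2. Inventory: a synchronized user carries LastDirSyncTime, a cloud-only user
#    does not. Record the per-user MFA state and strong-password requirement.
$users  = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }
$report = foreach ($u in $users) {
    [pscustomobject]@{
        UPN       = $u.UserPrincipalName
        Source    = if ($u.LastDirSyncTime) { 'DirSync' } else { 'CloudOnly' }
        MfaState  = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
                        $u.StrongAuthenticationRequirements[0].State
                    } else { 'Disabled' }
        StrongPwd = $u.StrongPasswordRequired
    }
}
$report | Sort-Object Source, UPN | Format-Table -AutoSize

# 3. Remediation for cloud-only accounts only: synchronized users get their
#    password policy from AD DS, so they are left alone here.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State        = 'Enabled'

foreach ($r in $report | Where-Object { $_.Source -eq 'CloudOnly' }) {
    if (-not $r.StrongPwd) {
        Write-Host "Strong password not required: $($r.UPN)"
        if ($Apply) { Set-MsolUser -UserPrincipalName $r.UPN -StrongPasswordRequired $true }
    }
    if ($r.MfaState -eq 'Disabled') {
        Write-Host "Multi-factor authentication disabled: $($r.UPN)"
        if ($Apply) { Set-MsolUser -UserPrincipalName $r.UPN -StrongAuthenticationRequirements @($mfa) }
    }
}
```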
Slide 17: What Is Windows Azure AD Graph?
- Windows Azure AD Graph:
  - Provides programmatic access to Windows Azure AD
  - Is a REST API
  - Uses RBAC to control permissions
  - Uses Windows Azure AD for authentication
Slide 18: Lab: Implementing Windows Azure AD
- Exercise 1: Implementing Windows Azure AD for Office 365
- Exercise 2: Implementing Windows Azure AD for a Cloud-Based Application
- Estimated Time: 30 minutes
Slide 19: Lab Scenario
A. Datum Corporation is exploring how to integrate its on-premises implementation of AD DS with cloud-based applications. The local implementation of AD DS has a single domain named Adatum.com. All users have a UPN based on this domain name that matches their email address.
Slide 20: Lab Review
- There are no review questions for this lab.
Slide 21: Module Review and Takeaways
- Review Questions
© 2024 SlidePlayer.com Inc. All rights reserved.