AZURE 214X. Module 5. Synchronization with Azure AD Connect

Synchronization with Azure AD Connect


Azure AD Connect allows you to synchronize your on-premises Active Directory directories with Azure AD. This lets your users use a common identity with Office 365, Microsoft Intune, other SaaS applications, and on-premises applications, providing a single credential to be used across both environments and allowing for Single Sign-On (SSO).

Azure AD Connect also provides administrative benefits, providing for alerts and monitors, as well as password synchronization.

Using Azure AD Connect is the simplest way to extend your on-premises directories to Azure to provide SSO with SaaS applications such as Office 365.

Categories: Courses

AZURE 214X. Module 5. Implementing Hybrid AD Solutions

Implementing Hybrid AD Solutions


There are a number of ways that you can extend your on-premises infrastructure into Azure. As such, you need to analyze what your business requirements are, what you are trying to achieve by extending your infrastructure into Microsoft Azure, and what the needs are of the various elements involved, such as users (internal and customers), applications, and your infrastructure.

Extend on-premises AD into Azure

  • Involves running a Domain Controller in Azure in a virtual machine using Azure IaaS
  • Would typically be done to support some applications in Azure, to fulfill a requirement to have Domain Controller availability in a remote part of the world, or perhaps to run a secondary site for recovery operations

Synchronize Active Directory Domain Services (AD DS) with Azure AD

  • Will put a copy of your credentials in Azure
  • Would typically be done when investing in Office 365, Microsoft Intune or Microsoft Dynamics, to allow users to log in to those cloud-based apps with their domain credentials.

Implement a federated Trust relationship with Azure AD

  • Credentials only exist in your on-premises AD, and Azure AD trusts your on-premises credentials using claims.
  • Requires the installation of Active Directory Federation Services (AD FS)
  • Creates a direct trust relationship between Azure AD and on-premises Active Directory using AD FS
  • Probably the most complex implementation, and we won’t look at it in detail in this course, but it retains all your credentials in your on-premises environment, giving you the greatest level of isolation.

Categories: Courses

AZURE 214X. Module 5. Multi-Factor Authentication (MFA)

What is Multi-Factor Authentication (MFA)


Multi-Factor Authentication (MFA) is the ability to require additional authentication for on-premises or cloud services and applications. It requires the use of more than one verification system:

  • Something you know (typically a password)
  • Something you have (a trusted device, such as a phone or smartcard)
  • Something you are (biometrics)

In addition to the traditional user name and password, MFA will require additional authentication from the user looking to access the service or application, using one of the following:

  • a mobile application
  • a phone call
  • a text message
  • an email message
  • a third-party OATH token

Azure Multi-Factor Authentication is available as a stand-alone service with per user and per authentication billing options, or bundled with Azure Active Directory Premium, Enterprise Mobility Suite or Enterprise Cloud Suite.

Categories: Courses

AZURE 214X. Module 5. Managing Multiple AAD Directories and tenants

Managing Multiple AAD Directories and tenants


It's possible to have more than one directory. There is no parent-child relationship between directories, and each directory is fully independent of any other directories that you may manage in terms of resources, administration, and synchronization. There is also no parent-child relationship between the subscription and the directory. So if you cancel your Azure subscription or allow it to expire, you can still access your directory data using Azure PowerShell, Azure CLI, the Azure Graph API, or other interfaces such as the Office 365 Admin Center. You can also associate another subscription with the directory.

For example, Michael Smith might have an Office 365 subscription for Contoso.com. He also has an Azure subscription that he signed up for by using his Microsoft account, msmith@hotmail.com. In this case, he manages two directories.

In order for Michael Smith to manage both directories while he is signed in to Azure as msmith@hotmail.com, he must add msmith@hotmail.com as a global administrator in the Contoso directory.

Categories: Courses

AZURE 214X. Module 5. Manage Users and Groups in Azure AD

Manage Users and Groups in Azure AD


There are several tasks and tools that you can use to manage users and groups in Azure AD. General tasks for users and/or groups include

  • creation
  • editing
  • deletion
  • managing group membership
  • resetting user passwords.

Tools that can be used to accomplish these tasks include

  • Azure Portal
  • Classic Portal
  • Windows PowerShell
  • Bulk creation and editing using a .csv file

The new Azure Portal is currently in Preview mode; however, while it is not fully released, a lot of functionality can already be completed successfully in the new Portal, such as managing users, groups, applications, and directory settings. Not all functionality may be available in this portal at this time. The Azure classic portal is still capable of completing all tasks in the meantime.
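As an added example (not from the course notes), the PowerShell and bulk-CSV cases above combined: the script reads a constructed CSV, creates each user with the AzureAD module, assigns a random initial password that must be changed at first sign-in, and adds the user to a group. The AzureAD module, the CSV path, its column names and the group names are assumptions.

```powershell
# Added example, not from the course notes: bulk-create Azure AD users from a CSV
# with the AzureAD PowerShell module, then add each one to a group.
# Assumptions: AzureAD module installed; constructed CSV with the columns
#   DisplayName,UserPrincipalName,MailNickName,Group   (path below is a placeholder)

Connect-AzureAD   # sign in as an account with the User Administrator role or higher

$csvPath = '.\new-users.csv'   # placeholder path

# Random initial password: 32 base64 characters from 24 random bytes (~192 bits of entropy).
function New-InitialPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $upn = $row.UserPrincipalName

    # Idempotency check: never overwrite an existing account.
    if (Get-AzureADUser -Filter "userPrincipalName eq '$upn'") {
        Write-Warning "Skipping ${upn}: already exists"
        continue
    }

    $profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $profile.Password = New-InitialPassword
    $profile.ForceChangePasswordNextLogin = $true   # user sets their own password at first sign-in

    $user = New-AzureADUser -DisplayName $row.DisplayName -UserPrincipalName $upn `
        -MailNickName $row.MailNickName -AccountEnabled $true -PasswordProfile $profile

    # Group membership: look the group up by display name; warn if it does not exist.
    $group = Get-AzureADGroup -Filter "displayName eq '$($row.Group)'"
    if ($group) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    } else {
        Write-Warning "Group '$($row.Group)' not found; $upn created without membership"
    }

    # Return the initial password for out-of-band delivery; do not write it to a shared file.
    [pscustomobject]@{ UserPrincipalName = $upn; InitialPassword = $profile.Password }
}

$results | Format-Table -AutoSize
```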

Categories: Courses

AZURE 214X. Module 5. Azure Domain Names

Azure Domain Names


Every Azure AD directory comes with an initial domain name in the form «<name>.onmicrosoft.com», where <name> is taken from the email address used to sign up for the subscription and «onmicrosoft.com» is a standard domain suffix that is always appended when you sign up for Azure AD. In the example “contoso.onmicrosoft.com”, the name was established when the directory was created, typically by the admin, bob@contoso.com, who created the subscription directory. This initial domain name for a directory can’t be changed or deleted.

A custom domain name is a domain name that is owned and used by that organization, such as “contoso.com,” for uses such as hosting its web site. This domain name is a familiar format for people and helps simplify the sign in process.

It is possible to use a custom domain name in Azure AD. Before a custom domain name can be used by Azure AD, the custom domain name must be added to your directory, in the Domain Names setting in the new portal, and verified.


Categories: Courses

AZURE 214X. Module 5. Azure AD Subscription Models

Azure AD Subscription Models


Azure AD effectively comes in four subscription models; the free edition is available by default when you sign up for one of several services. Some of the features available per edition are called out below. A full list of features per edition, along with licensing details, is available at the URL included in the note at the end of the topic.

    • Free
    • Basic
    • Premium P1
    • Premium P2

Azure AD Editions


Categories: Courses

AZURE 214X. Module 5. Azure Active Directory (AAD)

Azure Active Directory (AAD) Overview


Azure Active Directory is a multi-tenant, cloud-based directory and identity management system.

It is a Platform as a Service (PaaS) offering and provides a wide range of functionality, including

  • Single-Sign-On across multiple applications in Software-as-a-Service (SaaS) offerings
  • Multi-Factor Authentication
  • Role-based access control (RBAC)
  • Device Registration

It is not the same platform as on-premises Active Directory Domain Services (AD DS). Unlike AD DS, Azure AD has

  • no Group Policy for managing users and computers
  • no Organizational Units; it is a flat organizational structure
  • no forests or trusts; federation is used to allow authentication and authorization outside of the directory boundary

It is possible to integrate AAD with your on-premises Active Directory and provide a hybrid infrastructure, thus leveraging some of the benefits of cloud-based identities within your organization, such as facilitating single sign-on with Office 365.

Authentication

Azure Active Directory (Azure AD) supports several of the most widely used authentication and authorization protocols. However, as authentication takes place over the internet and via browsers or applications, some on-premises Active Directory protocols, such as Kerberos authentication, will not be applicable. Instead, Azure Active Directory can use a variety of authentication protocols such as OAuth 2.0, OpenID Connect, WS-Federation, or SAML 2.0.

Categories: Courses

AZURE 214X. Module 4. Securing Storage

Securing Storage


We can think of securing storage as two components:

Data Security:

We can secure our data in a number of ways

  • Data in transit can be secured using client-side encryption, HTTPS or SMB 3.0
  • Data at rest can be secured using Storage Service Encryption
  • OS and data disks for Azure virtual machines can be encrypted using Azure Disk Encryption

Management Security:

We can control and audit access to storage in a number of ways

  • Storage Access Policy: define policies that are granular, time-limited and able to be revoked.
  • Role-Based Access Control: use default and custom-defined roles
  • Audit and monitor authorization: use storage analytics logs to store information on access and authentication

We can also use storage account access keys and Shared Access Signatures (SAS) to secure data access.
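As an added example (not from the course notes) of the granular, time-limited and revocable access described in the Management Security list, the Az.Storage commands below create a stored access policy on a blob container, issue a SAS token that references the policy instead of carrying its own permissions, and then revoke it. The resource group, storage account, container and policy names are placeholders.

```powershell
# Added example, not from the course notes: stored access policy + SAS + revocation
# with the Az.Storage module. Assumptions: Az module installed, signed in with
# Connect-AzAccount, and an existing storage account/container (names are placeholders).

$rg            = 'rg-placeholder'
$accountName   = 'storageplaceholder'
$containerName = 'reports'
$policyName    = 'reports-readonly-7d'

$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName).Context

# 1. Stored access policy: read + list only, valid for seven days from now.
#    A SAS that references it inherits these limits, so they can be tightened or
#    revoked later without rotating the storage account keys.
New-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName `
    -Permission rl -StartTime (Get-Date) -ExpiryTime (Get-Date).AddDays(7) -Context $ctx

# 2. Issue a SAS bound to the policy; require HTTPS so the token is never sent in clear.
$sasUri = New-AzStorageContainerSASToken -Name $containerName -Policy $policyName `
    -Protocol HttpsOnly -FullUri -Context $ctx
$sasUri   # hand this URI to the consumer; it carries no permissions or expiry of its own

# 3. Audit: list the policies that currently delegate access on this container.
Get-AzStorageContainerStoredAccessPolicy -Container $containerName -Context $ctx

# 4. Revoke: removing the policy invalidates every SAS issued against it immediately.
Remove-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName -Context $ctx
```

A SAS whose permissions and expiry are baked into the token itself can only be revoked by regenerating the account key that signed it, which is why the policy-bound form is preferred for delegated access.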

Categories: Courses

AZURE 214X. Module 4. Import and Export Service

Import and Export Service


When it comes to transferring very large amounts of data to or from the cloud you will want to consider using the Azure import and export service. The Azure Import/Export Service allows you to:

  • Import. Securely transfer large amounts of data to Azure blob storage by shipping hard disk drives to an Azure data center.
  • Export. Transfer data from Azure blob storage to hard disk drives and ship them to your on-premises site.

This service is suitable in situations where you want to transfer several TBs of data to or from Azure, but uploading or downloading over the network is not feasible due to limited bandwidth or high network costs. Scenarios where this would be useful include:

  • Migrating data to the cloud. Move large amounts of data to Azure quickly and cost effectively.
  • Content distribution. Quickly send data to your customer sites.
  • Backup. Take backups of your on-premises data to store in Azure blob storage.
  • Data recovery. Recover large amounts of data stored in blob storage and have it delivered to your on-premises location.

Categories: Courses