I have an on-premises Windows server 2022, which is running AD DS, NPS and DHCP. I also have Azure AD subscription, where my users are located. I would like to keep my users database (AD) in the cloud, since currently, I do not have any backup solutions and it is easier for me to manage. I want to have ieee 801.x on premises, as well as VPN service. Is it possible to force the NPS to authenticate against the Azure AD, where all my users are located? If yes, how can this be done?
I know that Azure AD Connect provides hybrid integration, but from what I read, it is only one way, i.e from on-premises AD to cloud synchronization, but not the other way around.
Yes, you are correct that the synchronization is only one-way and the workarounds currently are to use use PowerShell export/import or use a third-party tool. In the NPS article you linked, the on-premises users ultimately authenticate against Azure MFA. The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide MFA for the federated or synced users. Your cloud users would just use regular Azure MFA without needing that adapter.
The most common workaround for the user writeback scenario is to create a PowerShell script that scans Azure AD regularly, finds the users in Azure, and then creates an on-premises user with the attributes in Azure AD.
The regular user writeback feature is on the roadmap and actively being worked on though. I've asked for an update from the PG and will edit this post once it is available.
For cloud VPN options, see: Azure AD Authentication - Open VPN.
Related
From their docs - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works
As a pre-requisite for Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
Doesn't this defeat the whole point of pass-through. If users need to be provisioned in AAD (using AD connect), what's the point of pass through? Or is it just that USERNAMES are provisioned and no passwords..?
Very confusing. Please only respond if you have actually implemented this.
We use this at my work. It's better described here: What is Azure Active Directory Pass-through Authentication?
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
To use cloud-based services, the account must exist in Azure AD. To use on-premises services, the account must exist on-premises. So everyone's account is actually duplicated between on-premises and Azure AD.
The only purpose of using pass-through authentication is being able to use both cloud and on-premises applications with the same password. Therefore, the password is not stored in Azure AD and Azure AD defers to the on-premises environment to perform the authentication.
we have an Infrastructure for one customer in Azure which require many configurations like MFA with VPN and Remote Desktop (this one is the reason why I'm confused with Azure AD).
The installation should be only in Azure, that's mean there is no local AD which could be synced to it.
I've created an seperated Azure Directory for them and configured an AD DS inside it so I can join the Azure VMs to it.
My problem here is I was asked to configure MFA for remote desktop users along with the VPN connection. The requirement the MFA that I should install an local NPS with MFA Extenstion and the local AD users should be synced with Azure AD. Which in my case it's not possible to do it since there is no local Network for this customer.
This problem as I understood is because that we don't have permissions to administrate Azure AD DS Active Directory and by this we can't register the NPS with MFA Extension with it. here are some Links related to this topic:
Request to Support NPS/RADIUS for Azure AD Domain Services
Integrate Remote Desktop Gateway with Azure MFA
Integrate VPN with Azure MFA
My question here is:
1) the seperated Azure AD for this tenant is a good Idea? Is it not better to just create an Azure AD Domain Services inside our Company Azure AD and sync the required groups to it? what is the best practice for this situation?
2) In order to use the Azure MFA here, what should I do? is there any other option in Azure to implement such a scenario?
I will be glad for any help or explaination.
I have a little confusion about directory sync which is used for AD azure integration.
1) Can anyone let me know, whether we can integrate complete on premises AD to
windows azure AD using this? Or only users and groups?
2) If directory sync will not be helpful for complete AD integration what
method will be used?
Can anyone let me know, whether we can integrate complete on-premises AD to windows azure AD using this ? or only users and groups?
Yes, your on-premises AD can be integrated with Azure AD (AAD) with AAD Connect tool. The integration needs prerequisites you can refer here https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites. It means not all the cases can be done. For example, if you need to use password writeback functionality, your on-premises AD domain controller must be at least Windows Server 2008. Another prerequisite is that if your on-premises is using single label domain, it is not supported. Best to check the link above before the integration.
IF directory sync will not be helpful for complete AD integartion what methord will be used ?
AAD Connect provides set of features to help you build a comprehensive hybrid identity between on-premises AD and AAD. However, if this doesn't meet your requirement, you can build some extensions programmatically to interact with AAD. I don't know your preferred programming language, but here is the Authentication Library (ADAL) which is pretty much preferred for AAD development https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
AAD not only supports user and group sync, but also for custom attributes, filtering, password sync & writeback or so on. Remember AAD Connect is purposely for synchronization. It does not offer too much for AAD interaction (saying that you need to manage, add more attributes or retrieve user attributes, 3rd integration...)
What am I missing here? I'm thinking of moving my data center to Azure. I've created a corporate virtual network that has my ADs, my certificates, basically the family jewels of the company that I'm trying to build in the cloud. I've plugged up every obvious security hole that I can think of except one: the login to the Azure Portal is just a simple user id/password. If someone picked off my Microsoft Live user id, all they need is a password cracker. And a disgruntled or dismissed employee could easily cause havoc. Is there some way to lock down the portal? Does anyone in the security business think these Azure web sites are secure?
You can use Azure AD to properly secure the portal authentication. Azure AD is designed to securely authenticate applications in the cloud and it is supported by the majority of Microsoft solutions like Azure Portal. It will provide features like MFA, access control, self-service password reset, etc.
Although Microsoft Accounts also support some of these features, you can't force your users to specific policies, that's why Azure AD is important for enterprise level security.
Once you create a directory for your company through Azure Portal and synchronize your AD objects with Azure AD using the AAD Connect tool you will be able to login to Azure Portal using your corporate credentials and force users to use Multi-factor authentication or even apply other policies.
Azure Active Directory features and capabilities
Azure Active Directory Hybrid Identity Design Considerations
Integrating your on-premises identities with Azure Active Directory
I understand that the Graph API can be used in Azure AD to create,update users, groups etc but can these changes be synced back to the on-premises AD that the Azure AD is integrated with ?
I believe password writebacks were enabled in some recent versions but are writebacks for creating new users, groups supported with a sync from Azure AD to the on prem AD ?
Yes, you can "writeback" users and groups from Azure AD to your on-premises Server AD. Azure AD Connect is the recommended tool to use when configuring synchronization.
Download the latest public preview of the tool here.
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53949
There is a document included in the download that explains how and where to setup user and group writeback.