can someone explain how access management on Azure differs from local on-prem Active Directory - DC? For example, on DC and AD we can have local security groups for application authentication and authorization and for share folders, but how this thing works in Azure for their SaaS and onedrive? Does Azure have the same security groups like AD has? Where can I learn more about this specific architecture?
Thanks!
Yep, it's called Azure Active Directory (AAD). Documentation is here. You can set up groups and policies similarly to how you would in an on-prem AD.
Here's a comparison of the two.
Related
we have an Infrastructure for one customer in Azure which require many configurations like MFA with VPN and Remote Desktop (this one is the reason why I'm confused with Azure AD).
The installation should be only in Azure, that's mean there is no local AD which could be synced to it.
I've created an seperated Azure Directory for them and configured an AD DS inside it so I can join the Azure VMs to it.
My problem here is I was asked to configure MFA for remote desktop users along with the VPN connection. The requirement the MFA that I should install an local NPS with MFA Extenstion and the local AD users should be synced with Azure AD. Which in my case it's not possible to do it since there is no local Network for this customer.
This problem as I understood is because that we don't have permissions to administrate Azure AD DS Active Directory and by this we can't register the NPS with MFA Extension with it. here are some Links related to this topic:
Request to Support NPS/RADIUS for Azure AD Domain Services
Integrate Remote Desktop Gateway with Azure MFA
Integrate VPN with Azure MFA
My question here is:
1) the seperated Azure AD for this tenant is a good Idea? Is it not better to just create an Azure AD Domain Services inside our Company Azure AD and sync the required groups to it? what is the best practice for this situation?
2) In order to use the Azure MFA here, what should I do? is there any other option in Azure to implement such a scenario?
I will be glad for any help or explaination.
I'm somewhat confused about the relationship between office 365 authentication and azure and specifically azure AD. What if a company also own an azure subscription, is the azure AD that authenticates when accessing the azure subscription the same? Is it different? Can it be different? Also what if your azure hosted application needs to authenticate and authorize a different set of users from those enabled to the azure subscription, is there an "application mode" active directory for this? I would appreciate some help in clarifying the relationships and better define the boundaries.
Office 365 accounts are backed by Azure Active
Directory. i.e. when you sign into your Office 365 account, you are
using an identity stored in Azure Active Directory. Read more...
An Azure Active Directory Tenant can have multiple Azure
Subscriptions within it. You can use the same Azure Active Directory
account to access these different Azure Subscriptions assuming they
are all contained within the same tenant. Read more...
It is possible for a user to be a part of multiple
tenants and subscriptions using guest accounts. Read more...
Azure Active Directory Applications support multi-tenant authentication, which means that it can automatically handle users from multiple different tenants without much effort. Read more...
I have a little confusion about directory sync which is used for AD azure integration.
1) Can anyone let me know, whether we can integrate complete on premises AD to
windows azure AD using this? Or only users and groups?
2) If directory sync will not be helpful for complete AD integration what
method will be used?
Can anyone let me know, whether we can integrate complete on-premises AD to windows azure AD using this ? or only users and groups?
Yes, your on-premises AD can be integrated with Azure AD (AAD) with AAD Connect tool. The integration needs prerequisites you can refer here https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites. It means not all the cases can be done. For example, if you need to use password writeback functionality, your on-premises AD domain controller must be at least Windows Server 2008. Another prerequisite is that if your on-premises is using single label domain, it is not supported. Best to check the link above before the integration.
IF directory sync will not be helpful for complete AD integartion what methord will be used ?
AAD Connect provides set of features to help you build a comprehensive hybrid identity between on-premises AD and AAD. However, if this doesn't meet your requirement, you can build some extensions programmatically to interact with AAD. I don't know your preferred programming language, but here is the Authentication Library (ADAL) which is pretty much preferred for AAD development https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
AAD not only supports user and group sync, but also for custom attributes, filtering, password sync & writeback or so on. Remember AAD Connect is purposely for synchronization. It does not offer too much for AAD interaction (saying that you need to manage, add more attributes or retrieve user attributes, 3rd integration...)
What am I missing here? I'm thinking of moving my data center to Azure. I've created a corporate virtual network that has my ADs, my certificates, basically the family jewels of the company that I'm trying to build in the cloud. I've plugged up every obvious security hole that I can think of except one: the login to the Azure Portal is just a simple user id/password. If someone picked off my Microsoft Live user id, all they need is a password cracker. And a disgruntled or dismissed employee could easily cause havoc. Is there some way to lock down the portal? Does anyone in the security business think these Azure web sites are secure?
You can use Azure AD to properly secure the portal authentication. Azure AD is designed to securely authenticate applications in the cloud and it is supported by the majority of Microsoft solutions like Azure Portal. It will provide features like MFA, access control, self-service password reset, etc.
Although Microsoft Accounts also support some of these features, you can't force your users to specific policies, that's why Azure AD is important for enterprise level security.
Once you create a directory for your company through Azure Portal and synchronize your AD objects with Azure AD using the AAD Connect tool you will be able to login to Azure Portal using your corporate credentials and force users to use Multi-factor authentication or even apply other policies.
Azure Active Directory features and capabilities
Azure Active Directory Hybrid Identity Design Considerations
Integrating your on-premises identities with Azure Active Directory
I am a developer working on a think client application. One of our customers wants us to provide hosting for the application and I have set up azure remote app for this. The customer is asking if it will work with single sign on.
From what I can see it can work if I have access to their directory. For example if I could join their domain or change my default directory to be their directory it should work. Is this good practice though? From what I see the only way to do this is give their administrators access to my subscription.
Is there another way?
Azure Remote App offers two deployment options
- RemoteApp cloud deployment enables user logon with Microsoft account or corporate credentials federated with Azure Active Directory
- RemoteApp hybrid deployment enables full access to on-premises network, and user logon with corporate credentials federated with Azure Active Directory
So in both cases, you may have single sign on for your customer application, provided his current identity provider (for example On premise Active Directory) is federated with Azure Active Directory
Hope this helps
Best regards
Stéphane