Implication and Precautions for Azure AD Migration from On Prem AD - azure

One of my customers would like to know what are all the implications and what all precautions one needs to take before migrating all their identities to Azure and use Azure AD as the main AD. Any kind of documentation on this would be really helpful.
I would also need to show the various workflows how the authentication for a user accessing a particular resource would work using Azure AD and use of various technologies like PIM, CA,Intune etc. Thanks

Related

Implementing PAM for both on-prem and Azure AD

We have an Azure AD tenant and on-prem AD and use AD Connect to keep them in sync. I'm told that I can leverage Azure AD to implement PAM on-prem but can't find any approach on how to do this, step by step. We also do not want to use MIM since it's already at EOL and would like to avoid using another 3rd party tool.
On-prem it is no problem for us to set up the second bastion forest but we don't know how Azure AD would be able to work with this.
Thanks!
MIM (formerly Forefront Identity Manager, and Identity Lifecycle Manager before that) is a widely used service for managing user lifecycles and access rights in Active Directory.Right now, it is moving into well-earned retirement phase.
In simple terms, yes. It is no longer actively developed by Microsoft. Mainstream support for MIM ended in January 2021. Azure AD Premium customers can get extended support until 2026.
The closest replacement is, Azure AD. It has a range of features that enable simple identity and access management for internal and external users.
Azure AD is the closest substitute. By adding third-party tools you can easily replace all of MIM’s features, and add many new ones.
Note these functionalities are only available at the Azure AD Premium P2 license level.
Would suggest you follow this link to get it apply: https://www.predicagroup.com/blog/azure-ad-identity-governance/
Or you can reach out to their MS support for information or predicagorup support as well.
Here are the first steps to developing your MIM migration roadmap:
Review your MIM implementation. What are the key functionalities you use and need to migrate?
Reduce the dependency on MIM 2016 infrastructure by implementing the quick wins listed above
Consider Azure AD Identity Governance for simple governance of your cloud resources.
Enable SSO for on-premises and SaaS applications with Azure AD SSO
Evaluate Omada Identity for hybrid access governance. Start by introducing the key elements alongside your MIM implementation.

Using Azure B2C/B2B to secure on-premise web application

I am looking at a solution to secure on-premise applications using a centralized Identity and Access Management (IAM) solution instead of baking a custom IAM solution. These on-premise application could be deployed across several of our customers globally.
I have looked at using the Azure AD B2C for this purpose but it looks like it can only provide Authentication solution and not Authorization, at least not out of the box. I haven't found a single working sample with does both AuthZ and AuthN. I am also not sure if Azure AD B2C is the solution for implementing a centralized AuthZ and AuthN solution. I have looked at Azure B2B briefly and feel this could be right for our use cases, but it is a bit confusing as to when to choose B2C vs B2B.
I am hoping to get any guidance towards the right approach to have a centralized AuthN and AuthZ solution for on-premise applications.
B2B is for partners, B2C is for customers.
You can get authorisation in the application by the application looking at the claims that are returned.
A better way is to implement conditional access.
"Control access based on location, groups, and apps.  Conditional Access can also be used to control non-risk based situations. For example, you can require MFA for customers accessing a specific app, or block access from specified geographies."

Azure AD B2C and organizational groups

Consider the following case, for my application:
I have a website
The website sits on top of an azure api and gets data from cosmos DB
The data from cosmos DB is specific for different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside azure
I don't want to do security myself
However, I am unsure, if it is actually possible to achieve this with azure B2C? I can't seem to find any similar use-cases in the AD documentation. Hence why I start to think, that I'm going in a wrong direction...?
Therefore, can Azure AD B2C offer, what I want to achieve? (do I need a tenant for each Organization)
In case, Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have it's own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt

Microsoft Azure Active Directory cloud and on-prem AD

The question is- now is 2017 and just saw on azure.microsoft.com that AAD has now Domain Services, LDAP, AD domain join, NTLM, and Kerberos auth.
And there is a lots of publications(2014,15,16) that you can’t replace it traditional AD(server on-prem) with cloud solution based on Azure AD. If it possible to do so, then it’s changing everything. Then I would like to compare or contrast.
I’m just would like to understand globally without technical debates.
At the Marco level or high level- can be possible to replace AD with Azure AD?
No. AAD is not a replacement for AD, and doesn't have all it's capabilities.
Closest thing you have right now is AAD Domain Services. See a feature comparison here: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison

Azure AD as a multitenant identity provider

I am trying to make my way through a lot of Azure documentation on multitenant identity management, for a bespoke ASP.NET MVC SaaS site. It is difficult as it seems that a lot of the online examples and articles are now outdated and not applicable to latest VS templates, and other vague aspects, such as determining what is Preview and what is not. Also, MS tend to use the word "multitenant" when specifically dealing with partner companies who have their own Azure AD, which is not our case.
Our proposed system will offer a web application to different customers. The backend will have a separate db per customer (tenant). The front end will select which db connection (and probably use impersonation) depending on the logged in user. The identity management would preferably be offloaded to Azure ACS, so that in future if we want to integrate with corporations with their own Federation identity provider we can, but for those smaller companies that don't have their own domain, we want to create accounts on their behalf.
I am thinking that a good way to do this is by using Azure ACS (for federating with corporate customers) and a general Azure AD directory (for everyone else), where in the second case I create a group per tenant (customer). Then, in Azure ACS, I translate all claims, either the group from my own AD, or the company name from the federated identity provider, and use that in the MVC app to establish the tenant.
Is this an OK way to do it? Am I overlooking some standard, simple way that Azure already offers? Is this future proof wrt to the Azure roadmap?
for the latest multi tenant samples please see https://github.com/Azure-samples?utf8=%E2%9C%93&query=multiten. We are about to release more documentation on how to handle multi tenancy in Azure AD. I would strongly advise against using ACS in any new project, given that we are no longer adding any features and we are actively working on migrating functionality from ACS to Azure AD. See http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx for more details.

Resources