The question is- now is 2017 and just saw on azure.microsoft.com that AAD has now Domain Services, LDAP, AD domain join, NTLM, and Kerberos auth.
And there is a lots of publications(2014,15,16) that you can’t replace it traditional AD(server on-prem) with cloud solution based on Azure AD. If it possible to do so, then it’s changing everything. Then I would like to compare or contrast.
I’m just would like to understand globally without technical debates.
At the Marco level or high level- can be possible to replace AD with Azure AD?
No. AAD is not a replacement for AD, and doesn't have all it's capabilities.
Closest thing you have right now is AAD Domain Services. See a feature comparison here: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison
Related
We have an Azure AD tenant and on-prem AD and use AD Connect to keep them in sync. I'm told that I can leverage Azure AD to implement PAM on-prem but can't find any approach on how to do this, step by step. We also do not want to use MIM since it's already at EOL and would like to avoid using another 3rd party tool.
On-prem it is no problem for us to set up the second bastion forest but we don't know how Azure AD would be able to work with this.
Thanks!
MIM (formerly Forefront Identity Manager, and Identity Lifecycle Manager before that) is a widely used service for managing user lifecycles and access rights in Active Directory.Right now, it is moving into well-earned retirement phase.
In simple terms, yes. It is no longer actively developed by Microsoft. Mainstream support for MIM ended in January 2021. Azure AD Premium customers can get extended support until 2026.
The closest replacement is, Azure AD. It has a range of features that enable simple identity and access management for internal and external users.
Azure AD is the closest substitute. By adding third-party tools you can easily replace all of MIM’s features, and add many new ones.
Note these functionalities are only available at the Azure AD Premium P2 license level.
Would suggest you follow this link to get it apply: https://www.predicagroup.com/blog/azure-ad-identity-governance/
Or you can reach out to their MS support for information or predicagorup support as well.
Here are the first steps to developing your MIM migration roadmap:
Review your MIM implementation. What are the key functionalities you use and need to migrate?
Reduce the dependency on MIM 2016 infrastructure by implementing the quick wins listed above
Consider Azure AD Identity Governance for simple governance of your cloud resources.
Enable SSO for on-premises and SaaS applications with Azure AD SSO
Evaluate Omada Identity for hybrid access governance. Start by introducing the key elements alongside your MIM implementation.
I am looking at a solution to secure on-premise applications using a centralized Identity and Access Management (IAM) solution instead of baking a custom IAM solution. These on-premise application could be deployed across several of our customers globally.
I have looked at using the Azure AD B2C for this purpose but it looks like it can only provide Authentication solution and not Authorization, at least not out of the box. I haven't found a single working sample with does both AuthZ and AuthN. I am also not sure if Azure AD B2C is the solution for implementing a centralized AuthZ and AuthN solution. I have looked at Azure B2B briefly and feel this could be right for our use cases, but it is a bit confusing as to when to choose B2C vs B2B.
I am hoping to get any guidance towards the right approach to have a centralized AuthN and AuthZ solution for on-premise applications.
B2B is for partners, B2C is for customers.
You can get authorisation in the application by the application looking at the claims that are returned.
A better way is to implement conditional access.
"Control access based on location, groups, and apps. Conditional Access can also be used to control non-risk based situations. For example, you can require MFA for customers accessing a specific app, or block access from specified geographies."
One of my customers would like to know what are all the implications and what all precautions one needs to take before migrating all their identities to Azure and use Azure AD as the main AD. Any kind of documentation on this would be really helpful.
I would also need to show the various workflows how the authentication for a user accessing a particular resource would work using Azure AD and use of various technologies like PIM, CA,Intune etc. Thanks
I have a little confusion about directory sync which is used for AD azure integration.
1) Can anyone let me know, whether we can integrate complete on premises AD to
windows azure AD using this? Or only users and groups?
2) If directory sync will not be helpful for complete AD integration what
method will be used?
Can anyone let me know, whether we can integrate complete on-premises AD to windows azure AD using this ? or only users and groups?
Yes, your on-premises AD can be integrated with Azure AD (AAD) with AAD Connect tool. The integration needs prerequisites you can refer here https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites. It means not all the cases can be done. For example, if you need to use password writeback functionality, your on-premises AD domain controller must be at least Windows Server 2008. Another prerequisite is that if your on-premises is using single label domain, it is not supported. Best to check the link above before the integration.
IF directory sync will not be helpful for complete AD integartion what methord will be used ?
AAD Connect provides set of features to help you build a comprehensive hybrid identity between on-premises AD and AAD. However, if this doesn't meet your requirement, you can build some extensions programmatically to interact with AAD. I don't know your preferred programming language, but here is the Authentication Library (ADAL) which is pretty much preferred for AAD development https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
AAD not only supports user and group sync, but also for custom attributes, filtering, password sync & writeback or so on. Remember AAD Connect is purposely for synchronization. It does not offer too much for AAD interaction (saying that you need to manage, add more attributes or retrieve user attributes, 3rd integration...)
I am trying to make my way through a lot of Azure documentation on multitenant identity management, for a bespoke ASP.NET MVC SaaS site. It is difficult as it seems that a lot of the online examples and articles are now outdated and not applicable to latest VS templates, and other vague aspects, such as determining what is Preview and what is not. Also, MS tend to use the word "multitenant" when specifically dealing with partner companies who have their own Azure AD, which is not our case.
Our proposed system will offer a web application to different customers. The backend will have a separate db per customer (tenant). The front end will select which db connection (and probably use impersonation) depending on the logged in user. The identity management would preferably be offloaded to Azure ACS, so that in future if we want to integrate with corporations with their own Federation identity provider we can, but for those smaller companies that don't have their own domain, we want to create accounts on their behalf.
I am thinking that a good way to do this is by using Azure ACS (for federating with corporate customers) and a general Azure AD directory (for everyone else), where in the second case I create a group per tenant (customer). Then, in Azure ACS, I translate all claims, either the group from my own AD, or the company name from the federated identity provider, and use that in the MVC app to establish the tenant.
Is this an OK way to do it? Am I overlooking some standard, simple way that Azure already offers? Is this future proof wrt to the Azure roadmap?
for the latest multi tenant samples please see https://github.com/Azure-samples?utf8=%E2%9C%93&query=multiten. We are about to release more documentation on how to handle multi tenancy in Azure AD. I would strongly advise against using ACS in any new project, given that we are no longer adding any features and we are actively working on migrating functionality from ACS to Azure AD. See http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx for more details.