Azure AD Hybrid Identity

 


Azure AD Connect

Azure AD Connect integrates your on-premises directories with Azure Active Directory. It provides the following features:

  • Password Hash Synchronization- A sign-in method that synchronizes a hash of each user's on-premises AD password with Azure AD.

  • Pass-through Authentication- A sign-in method that lets users use the same password on-premises and in the cloud without the additional infrastructure of a federated environment.

  • Federation integration- Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure.

  • Synchronization- Responsible for creating users, groups, and other objects, and for making sure that the identity information for your on-premises users and groups matches the cloud, including password hashes.

  • Health Monitoring- Provides robust monitoring and a central location in the Azure portal to view this activity.

When you integrate your on-premises directories with Azure AD, your users are more productive because a single common identity gives them access to both cloud and on-premises resources. With the help of Azure AD Connect the key data you need is easily accessible: you can view and act on alerts, set up email notifications for critical alerts, and view performance data.

Authentication Options

You can choose cloud authentication (Azure AD password hash synchronization or Azure AD Pass-through Authentication) or federated authentication, in which Azure AD hands off the authentication process to a separate trusted authentication system that validates the user's password.

Choosing an Azure AD authentication method is one of the first important decisions when moving to the cloud: it becomes the foundation of your cloud environment and is difficult to change at a later date.

Password Hash Synchronization

Password Hash Synchronization (PHS) is a feature that synchronizes user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. You can sign in to your selected service with the same password you always use to sign in to your on-premises Active Directory instance. PHS improves the productivity of your users and reduces your helpdesk costs.

How does this work?

When a user signs in to an Azure service, the sign-in challenge dialog box generates a hash of the user's password and passes that hash to Azure, which in turn compares it with the hash stored in that user's account. If the two hashes match, the two passwords also match and the user is granted access to the resource. The dialog box also offers to save the credentials so that the user is not prompted again the next time they access the Azure resource.

This solution offers a simple alternative to an AD FS implementation.

Pass-through Authentication (PTA)

PTA is an alternative to Azure AD PHS and offers organizations the same benefit of cloud authentication.

Feature Benefits

  • It supports user sign-in to all web browser-based applications and Microsoft Office client applications that use modern authentication.
  • Sign-in user names can be either the on-premises default username or another attribute configured in Azure AD Connect.
  • It works seamlessly with conditional access features such as Multi-Factor Authentication to help secure your users.
  • It is integrated with cloud-based self-service password management, including password writeback to on-premises AD and password protection by banning commonly used passwords.
  • Multi-forest environments are supported if there are forest trusts between your AD forests and name suffix routing is also correctly configured.
  • PTA is a free feature; you don't need any paid editions of Azure AD to use it.
  • PTA can be enabled via Azure AD Connect.
  • PTA uses a lightweight on-premises agent that listens for and responds to password validation requests.
  • Installing multiple agents provides high availability for sign-in requests.
  • PTA protects your on-premises accounts against brute-force password attacks in the cloud.

This feature can be configured without using a federation service so that any organization, regardless of size, can implement a hybrid identity solution.
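The two cloud authentication paths described in the PHS and PTA sections above differ mainly in where the password is verified and what the cloud has to store. The following Python model is an added example, not Microsoft's code or the real Azure AD Connect implementation: the on-premises directory, the sync job, the cloud directory and the PTA agents are in-memory stand-ins, SHA-256 stands in for the NT hash that real AD stores, and the PBKDF2 parameters used for the cloud-side re-hash are an assumption rather than the service's actual derivation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed parameters for the cloud-side re-hash; stand-ins, not the real
# service's derivation (this page does not describe it).
PBKDF2_ITERATIONS = 1000
SALT_BYTES = 10


def on_prem_hash(password: str) -> bytes:
    """The on-prem directory stores a hash, never the clear password.
    Real AD keeps an MD4 (NT) hash; SHA-256 stands in here so the example
    runs on Python builds without legacy MD4 support."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


@dataclass
class OnPremDirectory:
    """Stand-in for on-premises AD: username -> stored password hash."""
    accounts: dict = field(default_factory=dict)

    def set_password(self, user: str, password: str) -> None:
        self.accounts[user] = on_prem_hash(password)

    def validate(self, user: str, password: str) -> bool:
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, on_prem_hash(password))


@dataclass
class CloudDirectory:
    """Stand-in for Azure AD. Under PHS it holds a salted, stretched copy of
    each hash; under PTA it holds no password material at all."""
    synced: dict = field(default_factory=dict)  # user -> (salt, derived hash)


def derive_for_cloud(stored_hash: bytes, salt: bytes) -> bytes:
    """PHS does not copy the on-prem hash verbatim: it is salted and stretched
    again, so the cloud copy cannot be replayed against on-prem AD."""
    return hashlib.pbkdf2_hmac("sha256", stored_hash.hex().encode(), salt, PBKDF2_ITERATIONS)


def sync_password_hashes(on_prem: OnPremDirectory, cloud: CloudDirectory) -> int:
    """The Azure AD Connect sync step under PHS; returns the number of accounts synced."""
    for user, stored_hash in on_prem.accounts.items():
        salt = os.urandom(SALT_BYTES)
        cloud.synced[user] = (salt, derive_for_cloud(stored_hash, salt))
    return len(cloud.synced)


def phs_sign_in(cloud: CloudDirectory, user: str, password: str) -> bool:
    """Cloud-side check: re-derive from the submitted password and compare.
    No round trip to on-prem, so sign-in keeps working if on-prem is unreachable."""
    entry = cloud.synced.get(user)
    if entry is None:
        return False
    salt, expected = entry
    candidate = derive_for_cloud(on_prem_hash(password), salt)
    return hmac.compare_digest(candidate, expected)


@dataclass
class PtaAgent:
    """Lightweight on-prem agent that answers password validation requests.
    Several agents are installed for high availability."""
    directory: OnPremDirectory
    available: bool = True

    def validate(self, user: str, password: str) -> bool:
        return self.directory.validate(user, password)


def pta_sign_in(agents: list, user: str, password: str) -> bool:
    """The cloud hands the credential to the first reachable agent; validation
    happens on-prem. With no agent reachable the sign-in fails closed."""
    for agent in agents:
        if agent.available:
            return agent.validate(user, password)
    return False


def demo() -> dict:
    """Run both paths on constructed sample data and report the outcomes."""
    on_prem = OnPremDirectory()
    on_prem.set_password("alice", "Winter-Lantern-2024")  # constructed sample credential

    # PHS: sync once, then verify entirely in the cloud
    cloud = CloudDirectory()
    sync_password_hashes(on_prem, cloud)
    phs_ok = phs_sign_in(cloud, "alice", "Winter-Lantern-2024")
    phs_bad = phs_sign_in(cloud, "alice", "wrong-password")
    cloud_differs = cloud.synced["alice"][1] != on_prem.accounts["alice"]

    # PTA: nothing is synced; the first agent is down, the second answers
    agents = [PtaAgent(on_prem, available=False), PtaAgent(on_prem)]
    pta_ok = pta_sign_in(agents, "alice", "Winter-Lantern-2024")
    pta_outage = pta_sign_in([PtaAgent(on_prem, available=False)], "alice", "Winter-Lantern-2024")

    return {"phs_ok": phs_ok, "phs_bad": phs_bad, "cloud_copy_differs": cloud_differs,
            "pta_ok": pta_ok, "pta_outage": pta_outage}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trade-off the text describes: under PHS the cloud can verify a sign-in on its own (and the synced value is not the on-prem hash itself), whereas under PTA the cloud keeps no password material and every sign-in depends on at least one agent being reachable, which is why multiple agents are installed.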

Federation with Azure AD

A federation is a collection of domains that have established trust. A typical federation might include a number of organizations that have established trust for shared access to a set of resources. You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This method allows administrators to implement more rigorous levels of access control.

Password Writeback

Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. It offers the following services:

  • Enforcement of on-premises AD Domain Services password policies- When a user resets their password, it is checked against your on-premises AD Domain Services policies before it is committed to the directory.

  • Zero-delay feedback- Password writeback is a synchronous operation, so users are notified immediately if their password does not meet the policy or could not be reset or changed for any reason.

  • Supports password changes from the access panel and Microsoft 365- When federated or password hash synchronized users change their expired or non-expired passwords, those passwords are written back to your local AD Domain Services environment.

  • Supports password writeback when an admin resets a password from the Azure portal- Whenever an admin resets a user's password in the Azure portal, and that user is federated or password hash synchronized, the password is written back to on-premises.

  • Doesn't require any inbound firewall rules- Password writeback uses an Azure Service Bus relay as the underlying communication channel. All communication is outbound over port 443.
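The first two bullets above describe a single behaviour: the on-premises policy is evaluated before anything is committed, and the caller gets the verdict in the same call. The following Python model is an added example, not Microsoft's writeback agent: the policy values, the account's password history and the PBKDF2 storage of that history are all constructed stand-ins, and the Service Bus relay is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KDF_ITERATIONS = 10_000  # assumed stand-in for how the on-prem side stores password history


@dataclass
class OnPremPasswordPolicy:
    """Constructed stand-in for an AD Domain Services password policy."""
    min_length: int = 12
    history_count: int = 5        # most recent passwords that may not be reused
    require_complexity: bool = True


@dataclass
class OnPremAccount:
    """Salted hashes of the current and previous passwords, newest first."""
    history: list = field(default_factory=list)


@dataclass
class WritebackResult:
    committed: bool
    reason: str


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def _complex_enough(password: str) -> bool:
    """Three of four character classes, in the spirit of the AD complexity rule."""
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def write_back(account: OnPremAccount, policy: OnPremPasswordPolicy,
               new_password: str) -> WritebackResult:
    """Synchronous writeback: evaluate every on-prem rule first, commit only when
    all of them pass, and return the verdict straight to the caller (the cloud
    reset flow), so the user sees the reason for a rejection immediately."""
    if len(new_password) < policy.min_length:
        return WritebackResult(False, f"shorter than the on-premises minimum of {policy.min_length}")
    if policy.require_complexity and not _complex_enough(new_password):
        return WritebackResult(False, "does not meet on-premises complexity requirements")
    recent = account.history[:policy.history_count]
    if any(hmac.compare_digest(_hash(new_password, salt), digest) for salt, digest in recent):
        return WritebackResult(False, f"matches one of the last {policy.history_count} passwords")
    # all checks passed: only now is the directory changed
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(new_password, salt)))
    return WritebackResult(True, "committed to the on-premises directory")


def demo() -> dict:
    """Walk one account through a seed, two rejected attempts and one accepted change."""
    policy = OnPremPasswordPolicy()
    account = OnPremAccount()
    seeded = write_back(account, policy, "Harbour-Glass-2023")   # constructed current password
    too_short = write_back(account, policy, "Short1!")
    reused = write_back(account, policy, "Harbour-Glass-2023")
    changed = write_back(account, policy, "Harbour-Glass-2024")
    return {"seeded": seeded, "too_short": too_short, "reused": reused,
            "changed": changed, "history_len": len(account.history)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to notice is the ordering inside `write_back`: nothing touches the account until every policy rule has passed, and a rejected attempt leaves the history length unchanged, which is what "checked before committing" and "zero-delay feedback" amount to in practice.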

Azure Active Directory External Identities Decision Tree

The different flavors of Azure AD that allow you to work with "external identities" are:

  • Azure AD or Azure AD B2E (Business to Enterprise)- When writing applications for Azure AD, you can target users of a single organization or of any other organization that already has an Azure AD tenant.

  • Azure AD B2B (Business to Business)- Here you invite external users into your own tenant as "guest" users; you can then assign them permissions for authorization while still allowing them to keep using their existing credentials inside their own organization.

  • Azure AD B2C (Business to Consumer, Customer, or Citizen)- A separate directory service that lets you customize and control how customers sign up, sign in, and manage their profiles while using your applications.

To choose the appropriate Azure AD flavor for a project, a number of decision factors come into play.

















