Plan Your Identity & Authentication Solution (part 1)

To read part 2, please click here
To read part 3, please click here

Microsoft 365 Identity Models

If you want to plan for user accounts, you have to understand the two identity models: you can either maintain your organization's identities only in the cloud, or you can maintain your on-premises Active Directory Domain Services (AD DS) identities and use them for authentication whenever a user accesses Microsoft 365 cloud services.

Cloud-only Identity

It uses user accounts that exist only in Azure AD and is generally chosen by small organizations that have no on-premises servers or do not use AD DS to manage local identities. You can manage cloud identities with tools such as the Microsoft 365 admin center and Windows PowerShell.

Hybrid Identity

It uses accounts that originate in an on-premises AD DS and have a copy in the Azure AD tenant of a Microsoft 365 subscription. Azure AD Connect provides ongoing account synchronization: it runs on an on-premises server, checks for changes in AD DS, and forwards those changes to Azure AD.

When you implement hybrid identity, your on-premises AD DS is the authoritative source for account information: administrative tasks are mostly performed on-premises and then synchronized to Azure AD. Because the original, authoritative user accounts always live in the on-premises AD DS, you manage these identities with the usual AD DS tools, such as Active Directory Users and Computers, rather than using the Microsoft 365 admin center or Office 365 PowerShell to manage the synchronized user accounts in Azure AD.
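The practical first step in planning is to find out which model a tenant actually runs today. The following Microsoft Graph PowerShell audit is an added example, not code from the original post: it reports whether directory synchronization is enabled, counts synchronized versus cloud-only user accounts, and flags synchronized accounts whose last sync is stale. It assumes the Microsoft.Graph module is installed, that the signed-in account can read users and organization settings, and a 24-hour staleness threshold that you would tune to your own sync schedule.

```powershell
# Added example, not code from the original post. Audits which identity model a
# tenant actually runs by counting cloud-only versus synchronized user accounts.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# account has permission to read users and organization settings.
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"

function Get-IdentityModelReport {
    param(
        # Flag synced accounts whose last sync is older than this (assumed threshold;
        # the default Azure AD Connect scheduler interval is 30 minutes)
        [int]$StaleSyncHours = 24
    )

    # Tenant level: is directory synchronization switched on, and when did it last run?
    $org = Get-MgOrganization -Property DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime |
        Select-Object -First 1

    # Per user: OnPremisesSyncEnabled is $true for accounts that originate in AD DS
    $users = Get-MgUser -All -Property UserPrincipalName, AccountEnabled,
        OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesImmutableId

    $synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
    $cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

    # A synced account that has not been updated for a long time points at a
    # broken or filtered sync, so its on-premises state may no longer be enforced
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$StaleSyncHours)
    $stale  = @($synced | Where-Object {
        $_.OnPremisesLastSyncDateTime -and $_.OnPremisesLastSyncDateTime -lt $cutoff
    })

    $model = if ($org.OnPremisesSyncEnabled) { 'Hybrid' } else { 'Cloud-only' }

    [pscustomobject]@{
        Tenant            = $org.DisplayName
        IdentityModel     = $model
        LastDirectorySync = $org.OnPremisesLastSyncDateTime
        SyncedUsers       = $synced.Count
        CloudOnlyUsers    = $cloudOnly.Count
        StaleSyncedUsers  = $stale.Count
        # Cloud-only accounts in a hybrid tenant are not governed by AD DS account
        # policies; list them for review (break-glass and service accounts are expected)
        CloudOnlyInHybrid = if ($model -eq 'Hybrid') { $cloudOnly.UserPrincipalName } else { @() }
    }
}

Get-IdentityModelReport | Format-List
```

The cloud-only list matters in a hybrid tenant because those accounts are managed in the Microsoft 365 admin center rather than in AD DS, so the on-premises password policy, account disablement and logon-hour settings described below never apply to them.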

Authentication for Hybrid Identity

There are two types of authentication for the hybrid identity model:

  1. Managed Authentication- Azure AD handles the authentication, either with a locally stored hashed version of the password or by sending the credentials to an on-premises software agent to be authenticated by the on-premises AD DS.
  2. Federated Authentication- The client computer requesting authentication is redirected to another identity provider.

Managed Authentication

The two types of managed authentication are Password Hash Synchronization (PHS), where Azure AD performs the authentication itself, and Pass-through Authentication (PTA), where AD DS performs the authentication.

  • Password Hash Synchronization- Here, you synchronize your AD DS user accounts with Microsoft 365 and manage your users on-premises. Hashes of the users' passwords are synchronized from your AD DS to Azure AD, so each user has the same password on-premises and in the cloud. This is the simplest known way to authenticate AD DS identities in Azure AD, and some premium Azure AD features, such as Identity Protection, require PHS regardless of the selected authentication method.

  • Pass-through Authentication (PTA)- It provides simple password validation for Azure AD authentication services through a software agent running on one or more on-premises servers, which validates users directly against your AD DS. It lets users sign in to on-premises resources, Microsoft 365 resources, and applications with their on-premises account and password. This configuration validates user passwords directly against your on-premises AD DS without storing password hashes in Azure AD, so it suits organizations whose security requirements demand immediate enforcement of on-premises user account states, password policies, and logon hours.

Federated Authentication

It is generally used by large enterprise organizations with more complex authentication requirements, where user accounts are managed on-premises and AD DS identities are synchronized with Microsoft 365. Here too, users have the same password on-premises and in the cloud and do not have to sign in again to use Microsoft 365.

Federated authentication also supports additional authentication requirements, such as smartcard-based authentication or a third-party multi-factor authentication provider, and is generally chosen when an organization has an authentication requirement that Azure AD does not natively support.
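Because the managed and federated options above leave different footprints, it helps to verify which one each domain is actually configured for and whether the PHS and PTA components are in place. The script below is an added example and is not part of the original post. The cloud half uses the Microsoft.Graph module (the `Get-MgDomainFederationConfiguration` cmdlet and its `IssuerUri` property are assumed to be available in the Microsoft.Graph.Identity.DirectoryManagement module); the on-premises half runs on the Azure AD Connect server with the ADSync module, where `Get-ADSyncAADPasswordSyncConfiguration` and the `'contoso.local'` connector name are assumptions and the pass-through agent is located by a display-name wildcard that is likewise an assumption.

```powershell
# Added example, not code from the original post. Reports which authentication
# type each verified domain uses (Managed vs Federated) and, on the Azure AD
# Connect server, whether password hash synchronization, the sync scheduler and
# the pass-through authentication agent are present.

function Get-DomainAuthenticationReport {
    Connect-MgGraph -Scopes "Domain.Read.All"

    foreach ($domain in (Get-MgDomain | Where-Object { $_.IsVerified })) {
        $row = [ordered]@{
            Domain             = $domain.Id
            AuthenticationType = $domain.AuthenticationType   # 'Managed' or 'Federated'
            IsDefault          = $domain.IsDefault
            FederationIssuer   = $null
        }
        if ($domain.AuthenticationType -eq 'Federated') {
            # A federated domain hands sign-in to an external identity provider (for
            # example AD FS); record which one, since that provider's hardening now
            # governs cloud access. Cmdlet and IssuerUri property are assumptions.
            $fed = Get-MgDomainFederationConfiguration -DomainId $domain.Id
            $row.FederationIssuer = $fed.IssuerUri
        }
        [pscustomobject]$row
    }
}

# Run this on the Azure AD Connect server. 'contoso.local' is a placeholder for the
# name of your on-premises AD DS connector (not from the original post).
function Get-ManagedAuthenticationStatus {
    param([string]$SourceConnector = 'contoso.local')
    Import-Module ADSync

    # Scheduler state: if the sync cycle is disabled, on-premises changes such as
    # account disablement stop reaching Azure AD
    $scheduler = Get-ADSyncScheduler

    # PHS state for the AD DS connector (cmdlet assumed; its Enabled property is
    # $true when password hashes flow to Azure AD)
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector

    # The PTA agent runs as a Windows service; matching it by display name is an assumption
    $ptaAgent = Get-Service -DisplayName '*Authentication Agent*' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SyncCycleEnabled        = $scheduler.SyncCycleEnabled
        SyncInterval            = $scheduler.CurrentlyEffectiveSyncCycleInterval
        PasswordHashSyncEnabled = $phs.Enabled
        PassThroughAgentPresent = [bool]$ptaAgent
        PassThroughAgentStatus  = if ($ptaAgent) { $ptaAgent.Status } else { 'not installed' }
    }
}

Get-DomainAuthenticationReport | Format-Table -AutoSize
Get-ManagedAuthenticationStatus | Format-List
```

Read the two reports together: a domain reporting `Managed` with `PasswordHashSyncEnabled` true is on PHS, a `Managed` domain with a running pass-through agent is on PTA, and a `Federated` domain depends on the issuer shown. Keeping PHS enabled even alongside PTA or federation is what makes Azure AD features such as Identity Protection available, as noted above.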
