Technology Blog

Microsoft Azure AD Identity Solution – Part-3 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing a Microsoft identity solution for customers who deploy public and private (hybrid) clouds with all types of cloud services, such as IaaS, PaaS and SaaS

Brief Introduction

In my previous article “Microsoft Azure AD Identity Solution – Part-2 !!!”, we discussed Microsoft Azure AD as an identity solution in detail and how the Azure identity (IDaaS) solution provides seamless SSO and MFA for SaaS and on-premises apps. Apart from that, we also discussed how Azure AD collaborates in B2B and B2C scenarios, and finally we talked about the use cases of Azure AD Application Proxy for accessing applications hosted on-premises.

In this article, we will talk about specific industry use case scenarios such as identity authentication and authorization for applications hosted on an IaaS cloud platform. Here we discuss how on-premises Active Directory Domain Services (generally called corporate or enterprise AD DS) and Active Directory Federation Services (AD FS) are extended into the IaaS platform to provide authentication and authorization for applications and workloads hosted in Infrastructure as a Service (IaaS).

If the customer does not have on-premises AD DS or AD FS in their corporate landscape, they can leverage the Microsoft-managed Azure Active Directory Domain Services (Azure AD DS) to provide authentication and authorization for applications or workloads hosted in Infrastructure as a Service (IaaS).

These are the most common scenarios used in industry for legacy and modern apps that are either migrated from on-premises into IaaS or built fresh directly in IaaS.

Azure AD domain service (Azure AD DS)

Azure AD Domain Services is a cloud-based domain service that is completely managed by Microsoft and provides the following features:

  • This cloud-based domain service provides certain features of on-premises AD, such as domain join, group policy, LDAP and Kerberos/NTLM authentication, in Azure IaaS
  • Remember that Azure AD DS has certain limitations compared to on-premises AD
  • Customers can join their Azure VMs to a domain without deploying DCs, because Azure AD DS is part of the customer’s existing Azure AD tenant and users can log in with the same credentials they use for Azure AD.

Note: This Azure AD managed domain is a standalone domain and is not an extension of the on-premises AD domain/forest infrastructure. However, all user accounts, group memberships and credentials from on-premises AD are available in it via the Azure AD tenant

The figure below shows how Azure AD Domain Services provides authentication and other domain services to a customer’s line-of-business applications running in Azure Infrastructure as a Service (IaaS)

Figure-1: Azure AD Domain Services

Synchronize on-premises AD accounts to Azure AD

This solution provides access to all of Microsoft’s SaaS and cloud-based identity options for Azure PaaS and IaaS apps. The two approaches below are recommended; choose either one

A. Directory & password synchronization

B. Identity federation

Directory and password synchronization
This is the simplest and recommended option for most enterprise organizations. The figure below shows how Azure AD directory sync, password sync and MFA can be achieved with the Azure AD Connect tool:

  • User accounts are synchronized from the customer’s on-premises directory to their Azure AD tenant. The on-premises directory remains the authoritative source for accounts
  • Azure AD performs all authentication for cloud-based services and applications
  • Supports multi-forest synchronization
Figure-2: Azure AD Connect (directory and password sync)

Note: Using cloud-only accounts is not recommended for enterprise-scale customers unless Windows AD is not already used on-premises

Password synchronization: Users enter the same password for cloud services as they do on-premises. Users’ passwords are never sent to Azure AD; instead, a hash of each password is synchronized
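The property that matters to a defender here is that what crosses the wire is a salted, iterated hash derived from the on-premises password hash, never the password. The example below, written for this article and not part of Azure AD Connect or the original post, models that flow end to end: a stand-in for the on-premises hash, a per-user salt, a PBKDF2 derivation that represents the synchronized record, and the cloud-side check at sign-in. The iteration count, salt length and the use of SHA-256 as the on-premises hash stand-in are assumptions made so the example runs in any Python build; Microsoft documents the exact scheme separately.

```python
"""Constructed model of password hash synchronization (PHS).

The plaintext password is consumed on the "on-premises" side; the record
handed to the "cloud" side carries only a salt and a derived key.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1000   # assumption for this example
SALT_BYTES = 10     # assumption for this example


def on_prem_password_hash(password: str) -> bytes:
    """Stand-in for the hash AD DS stores. Real AD DS keeps an MD4 hash of the
    UTF-16LE password (the NT hash); SHA-256 is used here only because MD4 is
    not available in every Python build. The shape of the flow is unchanged."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record the sync side would forward: a per-user salt plus a
    PBKDF2-HMAC-SHA256 derivation of the hex-encoded on-premises hash.
    The password itself never leaves this function."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    hash_hex = on_prem_password_hash(password).hex()
    derived = hashlib.pbkdf2_hmac("sha256", hash_hex.encode("ascii"),
                                  salt, ITERATIONS, dklen=32)
    return {"salt": salt, "iterations": ITERATIONS, "derived": derived}


def cloud_verify(record: dict, candidate_password: str) -> bool:
    """Cloud-side sign-in check: recompute from the candidate password and the
    stored salt, then compare in constant time so timing reveals nothing."""
    hash_hex = on_prem_password_hash(candidate_password).hex()
    derived = hashlib.pbkdf2_hmac("sha256", hash_hex.encode("ascii"),
                                  record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(derived, record["derived"])


if __name__ == "__main__":
    rec = sync_record("Correct Horse 1!")           # constructed sample password
    print("synced record:", {k: (v.hex() if isinstance(v, bytes) else v)
                             for k, v in rec.items()})
    print("correct password accepted:", cloud_verify(rec, "Correct Horse 1!"))
    print("wrong password rejected:", not cloud_verify(rec, "correct horse 1!"))
```

Two details carry the security argument: the salt is per user, so identical passwords in two accounts produce different synchronized values, and the cloud side only ever recomputes and compares, so a compromise of the synchronized store yields salted, iterated hashes rather than reusable credentials.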

Multi-factor authentication (MFA): Apps in Azure can take advantage of the Azure MFA service, whereas directory sync does not provide integration with on-premises MFA solutions

Identity federation

Federation provides additional enterprise capabilities, but it is also more complex and introduces more dependencies for access to cloud services, as shown in the figure below:

  • All authentication to Azure AD is performed against the on-premises directory via Active Directory Federation Services (AD FS) or another federated identity provider
  • Works with non-Microsoft identity providers
  • Password hash sync adds the capability to act as a sign-in backup for federated sign-in (if the federation solution fails)
Figure-3: Azure AD identity federation

Use identity federation if:

  • AD FS is already deployed or a third-party identity provider is in use
  • An on-premises integrated smart card or other MFA solution is in place
  • Sign-in audit and/or disablement of accounts is required
  • Compliance with Federal Information Processing Standards (FIPS) is required

Federated authentication requires a greater investment in on-premises infrastructure:

  • The on-premises servers must be Internet-accessible through a corporate firewall. Microsoft recommends the use of federation proxy servers deployed in a perimeter network, screened subnet or DMZ
  • Requires hardware, licenses and operations for AD FS servers, AD FS proxy or Web Application Proxy servers, firewalls and load balancers
  • Availability and performance are important to ensure users can access cloud applications

Placing directory components in Azure IaaS

Consider the benefits of deploying directory components (i.e. AAD Connect, AD DS and AD FS) to Azure IaaS, as shown in the figure, especially if the customer plans to extend their on-premises AD to Azure virtual machines for their line-of-business apps

If the customer hasn’t already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure make sense for the organization:

  • Provides autonomy for authentication to cloud services (no on-premises dependencies) and reduces the servers and tools hosted on-premises
  • Use an S2S VPN gateway on a two-node cluster or ExpressRoute to connect to Azure
  • Use ACLs to ensure that Web Application Proxy servers can only communicate with AD FS, not directly with AD DCs or other servers
Figure-4: Placement of on-premises AD components in Azure IaaS

Extending On-premises AD to virtual machines into Azure IaaS

Refer to the figure, which shows the configuration of a hybrid deployment extending on-premises AD into Azure. It requires:

  • A virtual network (VNet) in Azure IaaS
  • An S2S VPN or ExpressRoute connection.
  • Extending the customer’s on-premises AD to virtual machines in the virtual network
  • Deploying one or more DCs in the Azure VNet, designated as global catalogs (GCs), to reduce egress traffic

When to use this solution?

  • Schema extensibility and the need to write to existing directory identities.
  • Support for apps in Azure VNet where network isolation is a requirement
  • Support across multiple Azure subscriptions.
  • Certificate or smartcard-based authentication for apps
Figure-5: on-premises AD extension to Azure IaaS

Note: Extending on-premises AD covers many of the limitations of Azure AD DS. The Microsoft FAQ below covers the features and limitations of Azure AD DS compared to on-premises AD DS: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs

For further insight, refer to my previous articles “Microsoft Azure AD Identity Solution – Part-1 & 2 !!!” below:

Microsoft Azure AD Identity Solution – Part-1 !!!

Microsoft Azure AD Identity Solution – Part-2 !!!

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects, such as greenfield, consolidation, separation and migration.

Microsoft Azure AD Identity Solution – Part-2 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing a Microsoft identity solution for customers who deploy public and private (hybrid) clouds with all types of cloud services, such as IaaS, PaaS and SaaS

Brief Introduction

In my previous article “Microsoft Azure AD Identity Solution – Part-1 !!!”, we discussed Microsoft Azure AD as an identity solution in detail and how the Azure identity (IDaaS) solution effectively addresses the challenges of seamless access and integration with a wide range of legacy apps and modern SaaS services in a multi-hybrid cloud environment such as AWS, Azure and Google Cloud.

In this article, we will focus on some more industry use cases of the Azure identity solution and its integration capabilities: a seamless solution for single sign-on (SSO) and multi-factor authentication (MFA), Azure AD collaboration with business-to-business (B2B) partners and business-to-consumer (B2C) customers, and finally Azure AD Application Proxy

Seamless SSO and MFA solution for SaaS and on-premises applications

Azure AD integration with a hybrid cloud provides seamless single sign-on (SSO) and multi-factor authentication (MFA) capabilities for SaaS and on-premises apps. Refer to the figure below on how an Azure AD tenant connects to SaaS apps such as Office 365, ServiceNow and others:

Figure-1: Azure AD tenant connecting with SaaS

The seamless single sign-on of an Azure AD tenant covers the following:

  • An emerging need for unified application access and single sign-on to all types of SaaS applications
  • A consistent user experience with single sign-on across all SaaS services and on-premises apps, using the SSO methods below:
    • Cloud SaaS apps can use OpenID Connect, OAuth, SAML, password-based, linked or disabled methods for SSO
    • On-premises applications can use password-based, Integrated Windows Authentication (IWA), header-based, linked or disabled methods for SSO. The on-premises choice works when applications are configured with Application Proxy

The following flowchart helps identity architects decide which Azure AD single sign-on method is best for their business apps and fits their business scenario:

Figure-2: Azure AD single sign-on methods

A traditional enterprise SSO solution, such as on-premises corporate AD, can be extended to SaaS services by using Active Directory Federation Services (ADFS).

The seamless multi-factor authentication (MFA) of an Azure AD tenant covers the following:

  • A process where a user is prompted during sign-in for an additional form of identification, such as entering a code from their mobile phone or providing a fingerprint scan.
  • Customer on-premises applications or SaaS services don’t need to make any changes to use Azure MFA. The verification prompt is part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when needed.
  • Azure MFA generally works by requiring two or more of the following methods:
    • Password
    • A trusted device that is not easily duplicated (a phone or hardware key)
    • Biometrics (a fingerprint or face scan)
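Because the MFA challenge happens inside the Azure AD sign-in event, the application never sees the second factor itself; what it sees is the token Azure AD issues afterwards, and the token's claims are the only evidence it has that SSO and MFA actually took place. The example below, added for this article and not code from the original post or from Microsoft, shows the checks an application makes on such a token before honouring single sign-on: signature, issuer, audience, tenant, validity window and, for sensitive apps, the authentication method reference (`amr`) that records whether MFA was performed. Claim names follow the Azure AD v1.0 ID token format; the tenant ID, client ID and user are constructed placeholders, and the token is minted locally and signed with HMAC purely so the example runs offline, whereas real Azure AD tokens are RS256-signed and verified against the tenant's published signing keys.

```python
"""Constructed model of sign-in token validation for an Azure AD-integrated app."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholders for the example; a real app takes these from its registration.
SIGNING_KEY = b"constructed-demo-signing-key"          # stand-in for the IdP key
TENANT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder tenant id
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"       # v1.0 issuer format
CLIENT_ID = "11111111-1111-1111-1111-111111111111"     # placeholder app id
MFA_METHOD = "mfa"                                     # amr value meaning MFA was done


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a token the way the IdP side of this model does (HMAC stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[int] = None, require_mfa: bool = False) -> dict:
    """Return the claims if every check passes; raise ValueError naming the first failure.
    The signature is checked before any claim is read, and the header's alg field is
    deliberately ignored: the verifier decides the algorithm, never the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    try:
        presented = _b64url_decode(sig)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:          # token minted for another app is not ours
        raise ValueError("wrong audience")
    if claims.get("tid") != TENANT_ID:          # single-tenant app: pin the tenant
        raise ValueError("wrong tenant")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if require_mfa and MFA_METHOD not in claims.get("amr", []):
        raise ValueError("mfa not performed")
    return claims


def sso_decision(token: str, now: Optional[int] = None, require_mfa: bool = False) -> str:
    """Map validation to an allow/deny outcome an app can log."""
    try:
        claims = validate_token(token, now, require_mfa)
        return f"allow {claims.get('upn', '?')}"
    except ValueError as err:
        return f"deny: {err}"


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
                        "exp": now + 3600, "nbf": now - 60,
                        "upn": "alice@contoso.example", "amr": ["pwd", "mfa"]})
    print(sso_decision(token, now, require_mfa=True))
```

The `require_mfa` flag is where the page's "sensitive apps need an extra factor" policy lands in code: a token whose `amr` holds only `pwd` still represents a valid Azure AD sign-in, but an app that has to enforce MFA must refuse it rather than assume the challenge happened.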

Azure AD B2B and B2C collaboration

Azure AD B2B collaboration enables secure integration between business-to-business partners

These new capabilities make it easy for businesses to create advanced trust relationships with other Azure AD tenants so they can easily share their business apps (such as ServiceNow, Salesforce, etc.) across companies and customers without the hassle of managing additional directories or the overhead of managing the partner’s identity solution.

The figure below shows how Azure AD B2B collaboration shares SaaS applications between the customer’s and the partner’s Azure AD tenants:

Figure-3: Azure AD B2B collaboration

Azure AD B2C is a highly available, global identity management service for consumer-facing applications that scales to hundreds of millions of identities.

Azure AD B2C integrates easily across mobile and web platforms. Through it, consumers log in to all their apps through a fully customizable experience using their existing social accounts, such as Google, Facebook or LinkedIn, or by creating new credentials. The figure below shows how an enterprise Azure AD B2C collaborates with Azure PaaS through consumers’ social identities:

Figure-4: Azure AD B2C collaboration

Azure AD application proxy

Microsoft Azure AD Application Proxy lets customers publish web-based apps hosted inside their private network and provides secure access to users outside it, as follows:

  • Employees can log in to their apps from home on their own devices and authenticate through this Azure AD cloud-based proxy
  • By using Azure AD Application Proxy, customers can also protect their on-premises apps with the same requirements as other cloud-based apps, such as MFA and other conditional access policies.
  • Application Proxy works by installing a lightweight Windows service called a “Connector” inside the private network, which maintains an outbound connection from the private network to the Azure AD proxy service

The figure below shows how an on-premises application can be accessed through Azure AD Application Proxy.

Figure-5: Azure AD application proxy

For further insight, refer to my previous article “Microsoft Azure AD Identity Solution – Part-1 !!!” below:

Microsoft Azure AD Identity Solution – Part-1 !!!


Microsoft Azure AD Identity Solution – Part-1 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing a Microsoft identity solution for customers who deploy public and private (hybrid) clouds with all types of cloud services, such as IaaS, PaaS and SaaS

Introduction

Cloud computing and mobile devices have transformed the modern digital workplace, and identity is the key foundation of today’s digital transformation journey. Most businesses today follow a “cloud first” strategy: lifting and shifting their existing infrastructure and business applications into a hybrid cloud, modernizing their business apps and opting in to as-a-service models.

While cloud services are easy to deploy and commonly come with a modern end-user experience, this shift to digital transformation also introduces new challenges (such as security risk, administrative burden and poor end-user experience). It becomes even more challenging during the current COVID-19 pandemic, where most businesses are opting for “work from home” to access their applications hosted in hybrid clouds.

Due to the nature of the business (i.e. manufacturing, utility, infrastructure, automotive, etc.) and its gradual transition, the reality for most businesses will remain hybrid for many years. Even if the enterprise’s workloads are moved into a partner’s data centre (a “private cloud”), it is still about running their legacy IT landscape and business apps on-premises, alongside all the new SaaS services deployed in multi-tenant public clouds.

From the end user’s and the IT/IS perspective, users must access their applications both on-premises and in the cloud, and IT/IS must manage and protect applications in both places. Together with the shift to new ways of working such as “work from home”, there is a need to provide a consistent end-user experience, safeguard end users’ identities and manage the hybrid cloud environment.

Providing seamless access and integration with a wide range of legacy apps and modern SaaS services is the biggest challenge. Enabling single sign-on to modern SaaS services is the simple part; the real challenge is supporting the full range of services within multi-cloud hybrid environments. Although various vendors offer their own identity-as-a-service solutions (such as Oracle, IBM, Google, Okta, CA, Ping Identity and so on), this article focuses on the Microsoft identity solution in more detail.

Microsoft offers Azure AD, a cloud-based Identity as a Service (IDaaS), which comes with a comprehensive approach and a single control plane for providing users seamless access to all types of apps: SaaS, on-premises and custom-built.

The figure below depicts the detailed features of Azure Active Directory and their functionality, such as on-premises infrastructure integration, user accounts, devices, partner collaboration with customer account management, application integration and administration.

Figure-1: Azure AD Identity as a Service (IDaaS) Solution

Integrating Azure AD identity with Azure, AWS and GCP Hybrid Cloud

Azure AD integration with a hybrid cloud provides a broad range of capabilities for business, including but not limited to the following:

  • Azure identity solutions address challenges such as safeguarding identities, improving the user experience of accessing applications seamlessly across platforms, and increasing administrative efficiency
  • One identity for all applications across cloud services (SaaS, PaaS, IaaS) and across all cloud platforms such as Azure, AWS, Google, etc.
  • Collaboration with partners by using Azure AD B2B and B2C
  • Synchronization or federation with the on-premises directory through Azure AD Connect
  • Single sign-on and multi-factor authentication
  • Integration with web-based applications located on-premises through Application Proxy
  • Either Azure AD Domain Services (Azure AD DS) for authenticating to line-of-business (LOB) applications hosted on virtual machines in Azure IaaS, or extending on-premises Active Directory Domain Services (AD DS) to Azure IaaS
  • Cloud app discovery and management through the Azure AD ‘MyApps’ panel as a single control plane

The figures below show Azure AD integration with hybrid clouds, respectively Azure, AWS and Google:

Figure-2: Azure AD integration with Azure hybrid cloud
Figure-3: Azure AD IdP Federation with AWS Cloud Apps
Figure-4: Azure AD Federation with GCP Cloud


Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation


Introduction:

Last November, Microsoft released a new networking service named Azure Virtual WAN as generally available. This is an additional service on top of existing services such as ExpressRoute, Site-to-Site and Point-to-Site VPN and a few more; these earlier services are responsible for connecting or extending the customer’s on-premises data centres or branch office networks into the Azure public cloud.

It’s not only Microsoft: its major competitors such as Amazon and Google are also bringing major services (not exactly the same) towards a similar model. AWS recently launched its Transit Gateway, which greatly simplifies routing between VPCs and the customer’s on-premises network. Google Cloud Platform also allows private connectivity directly into its backbone

Before we proceed with a deep dive into Azure Virtual WAN, let’s go a decade back and discuss network connectivity.

Traditional MPLS and IPSec used as a corporate WAN:

Let’s shed some light on how widely MPLS, along with IPsec VPN networks, is (or was) deployed, particularly in large global enterprises. This was the standard approach for building an on-premises corporate WAN in which all customer data centres and branch offices are connected and access the business and infrastructure applications that run the business; sometimes IPsec VPN was used as a backup service, and even to connect remote sites where MPLS was either too expensive or not feasible.

Not only that: with the physical constraints imposed by propagation time over large distances, and the need to integrate multiple service providers (including multiple clouds) to cover global geographies, MPLS faces important operational challenges, including network congestion, packet delay variation, packet loss and even service outages.

The current huge demand for digital transformation and its modern applications, such as IoT, machine learning, data science, analytics, VoIP calling, videoconferencing, streaming media and virtualized applications, requires low latency. Bandwidth requirements are also increasing, especially for applications featuring high-definition video and with the sudden surge in data growth. It can be expensive and difficult to expand MPLS corporate WAN capacity, with corresponding difficulties in network management and troubleshooting.

The role and importance of cloud exchange providers:

When connecting to public clouds, the customer has to depend on a cloud exchange provider to establish connectivity between the on-premises MPLS and the public cloud VNet/VPC. In this scenario, latency becomes a challenge for businesses connecting their branch offices and remote sites into the public cloud to access their applications. At the same time, data centre connectivity was seamless (via ExpressRoute/Direct Connect), and it allowed businesses to migrate their applications into the cloud and access them there.

In the meantime, many players emerged and started to offer on-demand global interconnectivity, becoming network hubs that reach most public and private clouds along with on-premises data centres, and even terminate these connections into the corporate MPLS network. Now businesses can migrate or host their business applications based on their choice, flexibility and needs. This was the time when customers could host or migrate their enterprise applications between multiple cloud service providers and create a seamless hybrid cloud platform, but the real business challenges of latency, cost and others for accessing cloud applications from remote sites and branch offices were still present

Another evolution and revolution in the network landscape:

On the other side, as cloud computing and mobile devices have transformed the modern digital workplace, digital transformation is now taking a major shift in the networking landscape. Cloud computing evolved the “as a service” terminology several years back, and that has become mature and a reality in today’s business.

In the current digital transformation era, dynamic (on-demand) provisioning and scaling of network capacity and slicing of network resources is now more aligned with, and satisfies, current enterprise needs. Just as automation has gained a presence in the cloud, Network-as-a-Service (NaaS) has evolved into a new phase and become a potent technology in a very short period of time.

Virtualized network functions (VNF) as software-based services, software-defined networking, network-as-a-service and 5G/edge computing are the emerging trends in network services, and they add another revolutionary mark to the digital transformation industry. In the same line as the software-defined networking revolution, SD-WAN has emerged and become a new digital transformation pillar that addresses the limitations and challenges of traditional MPLS

SD-WAN simplifies the management and operation of a traditional corporate WAN by decoupling the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.

A key application of SD-WAN is to allow organizations to build higher-performance WANs using lower-cost, commercially available Internet access, enabling businesses to partially or wholly replace more expensive corporate WAN connection technologies such as MPLS

As per research firm Gartner’s 2018 prediction, by 2023 more than 90 percent of WAN edge infrastructure refresh initiatives will be based on virtualized customer premises equipment (vCPE) platforms or SD-WAN software/appliances

Azure Virtual WAN goes hand in hand with partners’ SD-WAN/vCPE NVAs:

Now we are entering a new emerging model that takes cloud connectivity to the next level, where the cloud moves closer to the business and, on the other side, the business moves closer to the cloud. So we foresee a new gear shift in which the existing MPLS WAN will be transformed into an SD-WAN based network. You might have observed a parallel thread in which all major cloud service providers are building their own global network presence.

Microsoft, Google and Amazon are rapidly increasing their global network reach and have created their own global network backbones with a large number of PoP/edge locations across the globe, very close to business enterprises. In other words, we will eventually see a compelling alternative to traditional MPLS providers, where connectivity is served directly to the business by the cloud service provider. This kind of transition has already been witnessed with AWS, which now allows companies to run AWS infrastructure in their own private data centres.

Microsoft brought Azure Virtual WAN, a WAN-centric service, to market last year. It brings many networking (utilizing existing services such as ExpressRoute and Site-to-Site VPN), security and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN partner devices such as SD-WAN or VPN CPE), site-to-site VPN connectivity, remote user VPN (point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN-ExpressRoute inter-connectivity, routing, Azure Firewall and encryption for private connectivity.

Summary:

Initially you might not need all of these Azure Virtual WAN functionalities to start using Virtual WAN. You can simply get started with just one or two and then adjust your network as it evolves. The Virtual WAN architecture is a hub-and-spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits and virtual networks. It enables a global transit network architecture, where the cloud-hosted network ‘hub’ enables transitive connectivity between endpoints that may be distributed across different types of ‘spokes’.

The key promise of Virtual WAN is the potential for API-based integration with various SD-WAN solutions (third parties such as Cisco Meraki, Citrix, Fortinet, Barracuda Networks, Check Point, etc.), which would allow the encrypted tunnel creation process to be automated. A branch office would connect to its nearest PoP, and this would automatically allow the branch to communicate with the rest of the global WAN.

For further technical details about Azure Virtual WAN design and architecture, refer to the article below:

Microsoft Azure Virtual WAN – How it’s getting closer to Business!


Managing and Securing Employee’s Personal Devices (BYOD) through Active Directory 2012 R2 !


Managing BYOD (Bring Your Own Device) through Microsoft Active Directory 2012 R2

A few weeks back, I published my blog “Microsoft Windows Server 2012 R2 Top 20 Released Features!”, and two of its important features are “Workplace Join” and “Multitenant VPN gateway”. Today, let’s discuss these features in more detail.

As per Microsoft TechNet Article:

“One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace. Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications. IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

In Windows Server® 2012 R2, Active Directory has been enhanced with the value propositions below to connect employees’ personal devices to the internal corporate network so they can access their applications from anywhere, at any time, in a secure manner. It enables IT to empower their users to be productive from a variety of devices:

  • Workplace Join – IT administrators can allow devices to be associated with the company’s Active Directory and use this association as a seamless second factor of authentication.
  • Single Sign-On (SSO) from devices that are associated with the company’s Active Directory
  • Managing Risk – Enable users to connect to applications and services from anywhere with Web Application Proxy
  • With Multi-Factor Access Control and Multi-Factor Authentication (MFA), manage the risk of users working from anywhere and accessing protected data from their own devices.

Workplace Join:

Though the “Workplace Join” feature is self-explanatory, let me explain: employees can “join” their own devices to their own “workplace” (internal corporate applications and data). In simple terms, employees can access their applications and data everywhere, on any device.

In this case, employees need to register their devices with their AD domain so that the device is reflected in AD with its associated owner and is trusted when requesting and running company-secured applications, accessing company-secured data or accessing company-secured resources.

For more detail on Workplace Join, see: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Overview

Single-Sign-On (SSO):

When a user joins a device to the workplace, it becomes “a known device and will provide seamless Second Factor Authentication and Single-Sign-On (SSO) to workplace resources and applications.” Once the device is “known”, IT administrators can leverage that knowledge to apply and enforce additional configurations and policies (for example, pushing company policy settings to the device). Administrators can control who has access to company resources based on application, user, device and location.

Practically speaking, Device Registration Service (DRS) is a new feature and part of the Active Directory Federation Services (ADFS) role. It allows users to register their devices in the AD domain, tracks the associated device certificate in order to represent the device’s identity, and provides an on-boarding mechanism for Single Sign-On (SSO) with appropriate/conditional access.

Single Sign-On (SSO) is the functionality that reduces the number of password prompts the end user has to answer when accessing company resources from known devices. This means users are prompted only once during the lifetime of the SSO session when accessing company applications and resources. For example, a user wants to access different applications (SharePoint, Exchange and HR) from their device: without SSO, the user would be prompted to log in for every application they try to access, but with SSO the user is asked only once.

As mentioned above, the Device Registration Service, part of the ADFS role, allows claims-based authentication to occur based on trusted certificates. Once the user is authenticated (username + password + trusted device with its certificate), the claim is trusted and validated, and can be used to launch company applications or access company data.

For more detail on Single Sign-On, see: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Overview, or Single sign-on on Wikipedia, the free encyclopedia

Managing Risk through Web Application Proxy:

The Web Application Proxy is a new service that is part of the Remote Access role. Web Application Proxy “provides reverse proxy functionality for web applications inside corporate network to allow users on any device to access them from outside the corporate network. It pre-authenticates access to web applications using ADFS, and also known as an ADFS proxy.”

So, with SSO facilitated through DRS, the authenticated AD user with his/her own device can access applications on the corporate network, and the risk is managed with a secure reverse-proxy layer without needing a third-party VPN connection.

For more detail on managing risk through Web Application Proxy, see: Connect to Applications and Services from Anywhere with Web Application Proxy Overview

Multi-Factor Access Control and Multi-Factor Authentication (MFA):

ADFS in Windows Server 2012 R2 supports more than just the permitted (or denied) user in ADFS claims. Microsoft added “Multiple Factors Authentication”, covering user, device, data and location. Authorization claim rules have a greater variety of claim types.

“In ADFS in Windows Server® 2012 R2, Administrator can enforce multi-factor access control based on user identity or group membership, network location, and device (whether it is workplace joined)”
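What makes this "multi-factor access control" rather than plain MFA is that the decision is computed over claims: who the user is (group SID), where the request came from (the request-context claim that Web Application Proxy adds for extranet traffic), and whether the device is workplace joined (the device-context claim that DRS issues). The example below is added for this article; it is not ADFS code, which expresses these decisions in its own claim rule language, but a Python model of the same evaluation that shows the edge case a policy has to handle: a device that never registered has no registration claim at all, and must be treated the same as one that registered and was revoked. The claim type URIs are the real ADFS ones; the group SID, proxy name and the policy itself are constructed for illustration, as is the assumption that `isregistereduser` carries "true" for a joined device.

```python
"""Constructed model of an ADFS 2012 R2 multi-factor access control policy."""
from typing import List, Optional, Tuple

Claim = Tuple[str, str]   # (claim type URI, value)

# Real ADFS claim type URIs.
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
X_MS_PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
IS_REGISTERED_USER = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"
AUTHN_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"

# Constructed placeholders for this example.
APP_USERS_SID = "S-1-5-21-0-0-0-1111"          # group allowed to reach the app
PASSWORD_METHOD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def has_claim(claims: List[Claim], ctype: str, value: Optional[str] = None) -> bool:
    """True if a claim of this type (and value, when given) is present."""
    return any(t == ctype and (value is None or v == value) for t, v in claims)


def evaluate_access(claims: List[Claim]) -> str:
    """Return 'permit', 'require-mfa' or 'deny' for one authenticated request.

    Policy (constructed): only members of the app group get in at all; a request
    that arrived through Web Application Proxy (extranet) from a device that is
    not workplace joined must additionally carry the multipleauthn method claim,
    i.e. the user must have completed a second factor."""
    if not has_claim(claims, GROUP_SID, APP_USERS_SID):
        return "deny"
    from_extranet = has_claim(claims, X_MS_PROXY)            # value is the WAP host; presence is what matters
    registered_device = has_claim(claims, IS_REGISTERED_USER, "true")
    # Absent claim and explicit "false" both mean "not a known device".
    if from_extranet and not registered_device and not has_claim(claims, AUTHN_METHOD, MULTIPLE_AUTHN):
        return "require-mfa"
    return "permit"


def sample_request(member: bool, via_proxy: bool, registered: Optional[bool], mfa_done: bool) -> List[Claim]:
    """Build a constructed claim set. registered=None models a device that never
    registered, so the device-context claim is missing entirely."""
    claims: List[Claim] = [(AUTHN_METHOD, PASSWORD_METHOD)]
    if member:
        claims.append((GROUP_SID, APP_USERS_SID))
    if via_proxy:
        claims.append((X_MS_PROXY, "wap01.contoso.example"))   # constructed WAP host
    if registered is not None:
        claims.append((IS_REGISTERED_USER, "true" if registered else "false"))
    if mfa_done:
        claims.append((AUTHN_METHOD, MULTIPLE_AUTHN))
    return claims


if __name__ == "__main__":
    for label, req in [
        ("intranet, joined device", sample_request(True, False, True, False)),
        ("extranet, unknown device, password only", sample_request(True, True, None, False)),
        ("extranet, unknown device, MFA done", sample_request(True, True, None, True)),
        ("extranet, joined device", sample_request(True, True, True, False)),
        ("not in app group", sample_request(False, False, True, True)),
    ]:
        print(f"{label:45} -> {evaluate_access(req)}")
```

The ordering inside `evaluate_access` mirrors how ADFS separates the two questions: authorization (is this user allowed at all) is settled before the additional-authentication question (is a second factor needed for this user, location and device), so a user outside the group is denied rather than prompted for MFA they could never use.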

For more detail on Multi-Factor Access Control and Multi-Factor Authentication (MFA), see: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications Overview