Home » Posts tagged 'Azure AD Domain Services (Azure AD DS)'
Tag Archives: Azure AD Domain Services (Azure AD DS)
Microsoft Azure AD Identity Solution – Part-3 !!!
Microsoft Identity as a Service (IDaaS) for Enterprise Architects
“What IT architects need to know about designing Microsoft identity solution for customer while they deployed any public and private cloud (hybrid) with all types of cloud services such as IaaS, PaaS and SaaS“
Brief Introduction
In my previous article “Microsoft Azure AD Identity Solution – Part-2 !!!”, we discussed about Microsoft Azure AD as an identity solution in detail and how Azure identity (IDaaS) solution provides seamless SSO and MFA solution for SaaS and on-premises apps. Apart from that, we also discussed on how an Azure AD collaborates with B2B and B2C scenarios and then finally we talk about the use cases of Azure AD application proxy for accessing on-premises hosted applications.
In this article, we will talk about specific industry use cases scenarios such as identity authentication & authorization for applications hosted in IaaS cloud platform. Here we will discuss on how on-premises Active Directory Domain Services (generally called corporate or enterprise AD DS) and Active directory Federation Services (AD FS) are getting extended into IaaS platform and provides authentication and authorization to applications/workloads hosted in Infrastructure as a Service (IaaS).
In case of customer does not have the on-premises AD DS or AD FS exist into their corporate landscape then customer can leverage the Microsoft managed Azure Active Directory Domain Services (Azure AD DS) for providing authentication and authorization to applications or workloads hosted in Infrastructure as a Service (IaaS).
These are most common scenario used in industry for legacy and modern apps which are either migrated from on-premises into IaaS or directly hosted in IaaS as a fresh build.
Azure AD domain service (Azure AD DS)
Azure AD domain service is a cloud-based domain services that’s completely managed by Microsoft and provide below features:
- This cloud-based domain services provide certain features of on-premises AD such as domain join, group policy, LDAP & Kerberos/NTLM authentication in Azure laaS
- Remember that Azure AD DS has certain limitations as compare to on-Premises AD
- Customer can join their Azure VMs to a domain without deploying DC’s because Azure AD DS is part of customer existing Azure AD tenant and users can login using the same credentials, they use for Azure AD.
Note: This Azure AD managed domain is a standalone domain and is not an extension of on-premises AD domain/forest infra. However, all user accounts, group memberships, and credentials from on-premises AD are available in this via Azure AD tenant
Below figure shows how an Azure AD domain services provides the authentication and other domain services to customer line of business applications running under Azure infrastructure as a service (IaaS)
Synchronize on-premises AD accounts to Azure AD
This solution provides access to all of Microsoft SaaS and cloud-based identity options for Azure PaaS & laaS apps, two below approaches are recommended, choose either one
A. Directory & password synchronization
B. Identity federation
Directory and password synchronization
This is a simplest and recommended option for most enterprise organizations, below figure shows how an Azure AD directory, password sync and MFA can be achieved Azure AD connect tool:
- User accounts are synchronized from customer’s on premises directory to their Azure AD tenant. The on promises directory remains the authoritative source for accounts
- Azure AD performs all authentication for cloud-based services and applications
- Supports multi-forest synchronization
Note: Using cloud-only accounts is not recommended for enterprise-scale customer unless Windows AD is not already used on premises
Password synchronization: Users enter the same password for cloud services as they do on-premises. user’s passwords are never sent to Azure AD instead a hash of each password is synchronized
Multi-factor authentication (MFA): Apps in Azure can take advantage of the Azure MFA service whereas directory sync does not provide integration with on-premises MFA solutions
Identity federation
Federation provides additional enterprise capabilities, but It is also more complex & introduces more dependencies for access to cloud services as shown in figure below:
- All authentication to Azure AD is performed against the on-premises directory via Active Directory federation services (AD FS) or another federated identity provider
- Works with non-Microsoft identity providers
- Password hash sync adds the capability to act as a sign-in backup for federated sign-in (f the federation solution fails)
Use identity federation if
AD FS s already deployed or using a third-party identity provider
Having an on-premises integrated smart card or other MFA solution
Require sign-in audit and/or disablement of accounts
Compliance with Federal Information Processing Standards (FIPS)
Federated authentication requires a greater investment in infrastructure on premises
- The on-premises servers must be Internet-accessible through a corporate firewall Microsoft recommends the use of federated proxy servers deployed in a perimeter network, screened subnet, or DMZ
- Requires hardware, licenses, and operations for AD FS servers, AD FS proxy or web application proxy servers, firewalls, and load balancers
- Availability and performance are important to ensure users can access cloud applications
Placing directory components in Azure IaaS
Consider the benefits of deploying directory components i.e. AAD Connect/AD DS/AD FS to Azure laaS, as shown in figure, especially if customer plan to extend their on-premises AD to Azure virtual machines for their line of business apps
If customer hasn’t already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure makes sense for the organization –
- Provides autonomy for authentication to cloud services (no on-premises dependencies) and reduces servers and tools hosted on-premises
- Use a S2S VPN gateway on a two-node duster or ExpressRoute to connect Azure
- Uses ACLs to ensure that Web App Proxy servers can only communicate with AD FS, not AD DCs or others server directly
Extending On-premises AD to virtual machines into Azure IaaS
Refer to the figure which shows the configuration of hybrid deployment on-Premises AD extension to Azure AD and It requires:
- A virtual network (VNet) in Azure laaS
- A S2S VPN or ExpressRoute connection.
- Extending customer on-premises to virtual machines in the virtual network
- Deploying one or more DC in Azure VNet designated as a GC to reduces egress traffic
When to use this solution?
- Schema extensibility and need to write to existing directory identities.
- Support for apps in Azure VNet where network isolation is a requirement
- Support across multiple Azure subscriptions.
- Certificate or smartcard-based authentication for apps
Note: On-Premises AD extension covers lots of limitation of Azure AD DS Below Microsoft FAQ covers features and limitations of Azure AD DS as compare to on premises AD DS: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs
To have further more insight on my previous articles on “Microsoft Azure AD Identity Solution – Part-1 & 2!!!” , Refer to below article:
Microsoft Azure AD Identity Solution – Part-1 !!!
Microsoft Azure AD Identity Solution – Part-2 !!!
Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration.
Microsoft Azure AD Identity Solution – Part-2 !!!
Microsoft Identity as a Service (IDaaS) for Enterprise Architects
“What IT architects need to know about designing Microsoft identity solution for customer while they deployed any public and private cloud (hybrid) with all types of cloud services such as IaaS, PaaS and SaaS“
Brief Introduction
In my previous article “Microsoft Azure AD Identity Solution – Part-1 !!!”, we discussed about Microsoft Azure AD as an identity solution in detail and how Azure identity (IDaaS) solution effectively address the challenges on seamless access & integration with a wide range of legacy apps and modern SaaS services in a multi-hybrid cloud environment such as AWS, Azure and Google cloud.
In this article, we will focus on some more industry use cases of Azure identify solution and its integration capabilities. These industry use cases are such as seamless solution on single sign-on (SSO) and multifactor authentication (MFA), Azure AD collaboration with business-to-business (B2B) partners and business-to-consumer (B2C) and then finally talk about Azure AD application proxy
Seamless SSO and MFA solution to SaaS and on-premise applications
An Azure AD integration with hybrid cloud provides a seamless single sign-on (SSO) and multi-factor authentication (MFA) capability to SaaS and on-premises apps. Refer to the below figure on how Azure AD tenant connects to Azure SaaS apps such as office365, ServiceNow and others apps:
The seamless single sign-on of Azure AD tenant is the following:
- An emerging need of unified application access and single sign-on to all types of SaaS applications
- Consistent user experience with single sign-on across all SaaS services and on-premises apps by using below SSO methods:
- Cloud SaaS apps can user Open-ID Connect, OAuth, SAML, password-based, linked or disabled methods for SSO
- On-Premises applications can use password-based, integrated windows authentication (IWA), header-based, linked or disabled methods for SSO. The on-premises choice works when applications are configured with application proxy
The following flowchart help Identity Architect to decide on which Azure AD single sign-on method is best for their business apps and fits in their business scenario:
A traditional enterprise SSO solution such as on-premises corporate AD can extend to SaaS services by using Active Directory Federation Services (ADFS).
The seamless multi-factor authentication (MFA) of Azure AD tenant covers below:
- A process where a user is prompted during the sign-in for an additional form of identification, such as to enter a code from their mobile phone or to provide a fingerprint scan.
- Customer on-premises applications or SaaS services don’t require to make any changes to use Azure MFA. The verification prompt is part of Azure AD sign-in event, that automatically request and processes the MFA challenge when needed.
- Azure MFA generally works by needing two or more methods:
- Password
- Trusted devices that is not easily duplicated (a phone or hardware key)
- Biometrics (a fingerprint or face scan)
Azure AD B2B and B2C collaboration
Azure AD B2B collaboration enables secure integration between business to business partners
These new capabilities make it easy for businesses to create advanced trust relationships with Azure AD tenants so they can easily share their business apps (such as ServiceNow, Salesforce etc.) across companies/customers without hassle of managing additional directories or having the overhead of managing partner’s identity solution.
Below figure shows how an Azure AD B2B collaborates with SaaS applications between customer’s and partner’s Azure AD tenant:
An Azure AD B2C is a highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities.
An Azure AD B2C easily integrates across mobile and web platforms, through this consumers login to all their apps through fully customizable experience by using their existing social accounts such as Google, Facebook, Linked-In or by creating new credentials. Below figure shows how an enterprise Azure AD B2C collaborates with Azure PaaS through consumers social identities:
Azure AD application proxy
Microsoft Azure AD application proxy lets customer publishes their web-based apps inside their private network and provides secure access to users outside world as below:
- Employees can log into their apps from home on their own devices and authenticate through this Azure AD cloud-based proxy
- By using Azure AD proxy customer also can protect their on-premises apps with the same requirements as other cloud-based apps with MFA, and other conditional access.
- Application proxy works by installing a slim Windows service called “Connector” inside a private network and that maintains an outbound connection from within private network to this Azure AD proxy service
Below figure shows how an on-premises application can be accessed through an Azure AD application proxy.
To have further more insight on my previous article on “Microsoft Azure AD Identity Solution – Part-1 !!!” , Refer to below article:
Microsoft Azure AD Identity Solution – Part-1 !!!
Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration.
Microsoft Azure AD Identity Solution – Part-1 !!!
Microsoft Identity as a Service (IDaaS) for Enterprise Architects
“What IT architects need to know about designing Microsoft identity solution for customer while they deployed any public and private cloud (hybrid) with all types of cloud services such as IaaS, PaaS and SaaS“
Introduction
Cloud computing and mobile devices have transformed the modern digital workplace and Identity is the key foundation of our digital transformation journey today. Most of the businesses today are following a “cloud first” strategy, with lifting & shifting their existing infra and business applications into hybrid cloud, modernizing their business apps and opting in as-a-service models.
While cloud services are easy to deploy and commonly come with modern end users experience but this shift to digital transformation also introduces the new challenges (such as security risk, administrative burden and poor end users experience). Even, it becomes more challenging during the current covid-19 pandemic situation where most of businesses are opting in “work from home” to access their hosting applications in hybrid clouds.
Due to the nature of the business (i.e. manufacturing, utility, infrastructure, automotive etc.) and its gradual transition, the reality of most businesses will remain hybrid for many years, even if the enterprise’s workloads are moved into partners dc called “private cloud”, it’s still about running their legacy IT landscape and business apps on on-premises, alongside all the new SaaS services deployed in multi-tenant public clouds.
From the end user’s experience and IT/IS perspective, users must access their applications in both on-premises and cloud, and IT/IS must manage and protect applications in both places. Altogether with the shift to new way of working such as “work from home”, there is a need for providing a consistent end users experience, safeguarding the end users’ identities and management of hybrid cloud environment.
Providing seamless access and integration with wide range of legacy apps and modern SaaS service is the biggest challenge. So, enabling the single sign-on to modern SaaS services is just a simple part but the real challenge is supporting full range of services within multi-cloud hybrid environments. Even though various vendors offer their respective identity as service solution (such as Oracle, IBM, Google, Octa, CA, Ping Identity and so on.) but we will focus on Microsoft identity solution in this article in more detail.
Microsoft offers Azure AD – cloud-based Identity as a Service (IDaaS) and that comes with a comprehensive approach and single control pane of providing seamless access to users for all types of apps – SaaS, on-premises and custom-built apps.
The below figure depicts the detailed features of Azure Active Directory and their functionalities such as on-premises infra integration, user accounts, devices, partner collaboration with customer account management, application integration and administration.
Integrating Azure AD identity with Azure, AWS and GCP Hybrid Cloud
Azure AD integration with hybrid cloud provides a broad range of capabilities for business, the capabilities include but not limited to the following:
Azure identity solutions address challenges like safeguarding identities, improve user experience accessing applications seamlessly across platforms, and increasing administrative efficiency
One identity for all applications across cloud services (SaaS, PaaS, IaaS) across all cloud platforms such as Azure, AWS, Google etc.
Collaboration with partners by using Azure AD B2B and B2C
Synchronization or federation with on-premises directory through Azure AD connect
Enables single sign-on and multi-factor authentication
Integration with web-based applications located on-premises through application proxy
Use either Azure AD domain services (Azure AD DS) for authenticating to line of business (LOB) applications hosted on virtual machines in Azure IaaS or extend on-premises active directory domain service (AD DS) to Azure IaaS
Azure identity provides cloud apps discovery and management through Azure AD ‘MyApps’ panel as single control pane
Below figure shows the Azure AD integration with hybrid cloud respectively Azure, AWS and Google:
Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration.
Technology Blog 