Skip to content

Latest commit

 

History

History
78 lines (61 loc) · 3.79 KB

3.1.1.1. Identities - Azure Active Directory - Hybrid Identities.md

File metadata and controls

78 lines (61 loc) · 3.79 KB
Raw

Hybrid Identities

  • Hybrid identity: Azure identities with on-premises AD connection

Azure AD Connect

  • Installed on a domain controller, handles sync to Azure AD.
  • Configuration: Register Azure AD account and AD DS account, and do some checkboxes => done.
    • Device writeback Devices must be located in the same forest as the users.
  • Can set up Seamless SSO
    • Works with both Password Hash Synchronization and Pass-through authentication
    • Automatically sign in user with their Azure ID if they're on domain joined device.
    • Works via JS, trusts Kerberos ticket.
    • Flow
      1. Prerequisites: Set up your Azure AD Connect server, Enable modern authentication
      2. Enable the feature: Enable Seamless SSO through Azure AD Connect.
      3. Roll out the feature:
        • Add https://autologon.microsoftazuread-sso.com by using Group Policy.
        • Because browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you explicitly add the URL to the browser's Intranet zone.
      4. Test the feature
      5. Roll over keys
        • Periodically roll over these Kerberos decryption keys - at least once every 30 days.
        • Keys can be used to create tickets and are vulnerable.

Azure AD Health

  • Monitors AD FS servers, AD connect, AD domain controllers.
  • Synchronization between AD DS and Azure.
  • Alert can be set up.

Azure authentication methods

Cloud only

  • No infrastructure on premises.

AD Connect cloud accounts

  • Just username is synced from on-prem AD DS.
  • Requires users manage two passwords.

Password hash synchronization (PHS)

  • Synchronizes hashes of passwords from an on-prem AD to a Azure AD.
  • Azure-based authentication security:
    • Smart lockout: prevents brute force attacks, and prevents genuine users from being locket out.
    • Leak credential report:Microsoft scans web and dark web for leaked accounts & requires password reset if account is leaked.
  • Active password write-back or password changes on Azure will not be updated on-prem

Pass-through authentication (PTA)

  • Authentication is on premises.
  • You deploy two or more (for availability) authentication agents on-premises.
    • They make persistent connection to Azure (ExpressRoute has circuits for this)
    • Outbounds to HTTPS 443 (no need for perimeter network)
      • Pulls authentication requests
      • Pulls rules
        • When to change password?
        • What hours I can log in?
  • Azure AD encrypts with public key, places it on queue, auth agent listens & decrypts with private key, authenticates and returns back the success/fail message.
  • Supports smart lock-out but no leak credential report.
  • Requires installation agent on the same server as Azure AD connect.
    • Install on more servers (can be domain controllers) for high availability.

Federation (AD FS)

  • Federation is a collection of domains that have established trust.
  • Recommended if something Azure does not support is used, can be smart card, biometrics, third party authentication etc.
  • Create Azure VM domain on-prem which is a replica of domain controller in Azure.
    • You can then join machines to this managed domain using traditional domain-join mechanisms.
    • Complex set-up
    • When?
      • Lift & shift workloads: Moving all of your domain controllers to Azure.
  • 2 or more (for availability) AD FS servers to accept authentication requests.
  • An AD DS instance is registered in Azure.