Skip to content

Latest commit

 

History

History
76 lines (60 loc) · 3.85 KB

5.4. Hybrid Cloud.md

File metadata and controls

76 lines (60 loc) · 3.85 KB
Raw

Hybrid Cloud

Azure AD

  • In its basic form, it's a free service that provides the ability for Single Sign-On into cloud applications.
  • Allows connection with
    • consumers (Azure AD B2C)
    • business partners (Azure AD B2B) without deploying complex infrastructure or federation.

Azure AD Connect

  • Provides the ability to integrate on-premises directories with Azure AD.
  • Provide single sign-on to cloud applications such as Microsoft 365, Azure and other SaaS applications.

Azure AD Hybrid solutions

  • Azure AD Connect provides the choice of:
    • 1. Password Synchronization only , the ability to synchronize users and groups.
    • 2. ADFS , to allow on-premises authentication, 3rd party MFA, etc.
    • 3. Pass-through authentication , provides on-premises authentication without deploying ADFS.
  • In all 3, you need Azure AD Connect to provide the synchronization engine.
    • Additionally, the Microsoft Identity Manager (MIM) can be installed on-premises and used to configure the users, groups and attributes to be synchronized.

Azure AD Pricing

  • Basic: SLA + self-service password reset for cloud users.
  • Premium: MFA + other stuff.
  • P2 only: Conditional risk policy, privileged identity management

Azure AD Domain Services

  • Provides managed domain services.
  • Windows Server Active Directory compatible.
    • LDAP, Kerberos, NTLM, Group Policy, and domain join capabilities are compatible.
    • ❗ Not all features available in Windows Server AD are available in Azure AD Domain Services.
  • Compatible with both Cloud only tenants and hybrid tenants using Azure AD Connect.
  • No additional costs other than underlying Azure IaaS Virtual Machines.

Cloud Only Tenant

  • Managed by Azure.
  • All user identities, credentials and groups, including group memberships, are created and managed in Azure AD.
  • All the Azure AD objects are available within this domain

Hybrid Cloud Tenant

  • Synchronized to an on-premises directory
  • An additional stand-alone Domain is created by the managed service.
    • The managed domain is a standalone domain and not an extension to the on-premises directory.
  • Management
    • Tenant identities are still created and managed within Azure AD
    • On-premises identities are still created and managed on-premises.
  • All objects from the on-premises domain and the Azure AD tenant are available to the managed service domain.
  • Allows users to sign in to cloud services with their on-premises identities
    • Azure AD Connect must be configured to allow password synchronization
      • Allows resources in the cloud to connect to the managed domain can use Kerberos to authenticate.
  • Managed by Azure
    • So domain administrator does not need to
      • manage this domain or any domain controllers.
      • have has no domain or enterprise admin privileges.
    • Available automatically, no need for AD replication.

Azure AD Pass-Through Authentication

  • Enables users to sign in to both on-premises and cloud applications using the same credentials.
  • Azure AD validates users' passwords against on-premises Active Directory.
    • passwords are never stored in the cloud.
  • No need to deploy ADFS infrastructure.
    • No need for complicated certificates or trusts.
  • 📝 Azure AD Connect installs Pass-through authentication agent on same server where it is.
    • 💡 Install additional agents to make the service highly available.
  • Free for all Azure AD tiers.
  • Multi-forest environments are supported with some required routing changes.
  • Users can be enabled to use self-service password management from the Azure AD directly.
  • No additional ports or network configuration is required since the agent communicates outbound, so no perimeter network is required.
  • Takes advantage of Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA).