GABC2019: AzureAD - Identity Management and more by Patrick Fontana

AzureAD – Identity Management & More Global Azure Bootcamp 2019

Global Azure Bootcamp 2019 AzureAD - Cloud Identity like an
«Avenger»

Patrick Fontana • Consultant / Architect @ SmartIT Services AG
• MCT, MCSE, MCSA and many more • System Engineering & Consulting since 19 year’s in the world of Windows, Azure, System Center, WAC @itworksmart http://itworksmart.azurewebsites.net https://www.linkedin.com/in/patrick-fontana-2b7bab87/

Agenda _ Basic Funtionalities _ Manage the cloud identity _
Multifactor Authentication MFA _ Conditional Access _ Identity Protection _ Privileged Identity Management _ WebApplication Proxy _ File Access over AzureAD _ Integration of Windows 1903 and AzureAD

Basic Funtionalities

Basic Funtionalities – «What’s new» _ Security Authentication Information included
-> Integration three table design _ Organisational – Relationship Management for Guest Accounts _ Google Account as Identity Provider

Basic Funtionalities – «Current Situation» MFA-Sec-Table MSOL-Table AzureAD-Tenant

Basic Funtionalities – «Next Situation» MSOL-Table AzureAD – Tenant &
MFA

Manage the cloud identity _ Synchronisation of MFA Information _
CloudAncher & WriteBack for Self-Service _ Attention about synchronisation timing _ Upgrade with Passtrouth-Authentication _ Contact & Guest Account Synchronisation

Multifactor Authentication MFA _ Consolidation of the MFA capabilities in
AzureAD _ MFA Preconfiguration Methodes possibility _ Integration of other product over Netscaler / NPS Server possible -> But issue in the NPS extension provides issues with certificate _ Licence «per-Autorisation» on Onprem-MFA is removed -> Guest Account Authorisation in Licence integrated (1:5)

First «Central Point» AzureAD is not only a technical solutition,
it is part of a IAM solution Consequece: You have to integrate your HR in the process!

Conditional Access _ Security for your centralised app plattform _
You have to design «UseCases» _ In conflict with onprem infrastactur _ But what can you do against client applications?

Conditional Access – «What’s New» _ The app protection-based conditional
access policy

Identity Protection _ Talking with users about login security is
not effectiv _ Give them examples helps _ Intuitive and integrated UX _ Automated reaction _ The basics for your security score

Privileged Access Management _ Functionalities to protect your ressources _
The figt against to many global admins _ Requestlable access _ Focused an the RBAC Roles _ Integrated in Office365

Identity Protection & Privileged Access Management Lets take a look
at the praxis

Second «Central Point» Controlling your area of interest in your
LAN is ok, but perimeter security is gone by the requirment of «mobility» Consequece: Protecting your ressources and data has to be established on the source and the target!

AzureAD WebApplication Proxy _ Protect your resources in the LAN
zone _ Integrated with «Enterprise Application» _ Communication is «Point-to-point» _ Provisioning for LegacyApps

AzureAD WebApplication Proxy – «Working with Connector groups» Principal Shema
Connector Groups

File Access over AzureAD _ Issue: My users need access
to a file server or have big files! _ AzureAD Domain Service is the required _ Creating custom roles for share permission _ Connect the volume to a VM net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share> /user:Azure\<storage-account-name> _ NTFS Permissions over Icacls icacls <mounted-drive-letter><Directory> /grant <user-upn>:(f) icacls <mounted-drive-letter><Directory> /grant <user-upn>:(d,wdac) icacls <mounted-drive-letter><Directory> /grant <user-upn>:(rx)

Integration of Windows 1903 and AzureAD? _ Windows Admin Center
_ Login over AzureAD (Capt) _ MFA policy available (Hulk) _ Published over WebAppProxy (Ironman) _ Conditional Access integrated (Blackwidow) _ The door for other cloud services

Integration of Windows 1903 and AzureAD? Lets take a look
at the praxis

Third «Central Point» Azure «PaaS» Services are so powerfull, what
is the right strategy to protect my systems? Consequence: Protect them directly on the future plattform

Thanks to our sponsors!

Questions

GABC2019: AzureAD - Identity Management and more by Patrick Fontana

GABC2019: AzureAD - Identity Management and more by Patrick Fontana

Azure Zurich User Group

More Decks by Azure Zurich User Group

Other Decks in Programming

Featured

Transcript

AzureAD – Identity Management & More Global Azure Bootcamp 2019

Global Azure Bootcamp 2019 AzureAD - Cloud Identity like an

Patrick Fontana • Consultant / Architect @ SmartIT Services AG

Agenda _ Basic Funtionalities _ Manage the cloud identity _

Basic Funtionalities

Basic Funtionalities – «What’s new» _ Security Authentication Information included

Basic Funtionalities – «Current Situation» MFA-Sec-Table MSOL-Table AzureAD-Tenant

Basic Funtionalities – «Next Situation» MSOL-Table AzureAD – Tenant &

Manage the cloud identity _ Synchronisation of MFA Information _

Multifactor Authentication MFA _ Consolidation of the MFA capabilities in

First «Central Point» AzureAD is not only a technical solutition,

Conditional Access _ Security for your centralised app plattform _

Conditional Access – «What’s New» _ The app protection-based conditional

Identity Protection _ Talking with users about login security is

Privileged Access Management _ Functionalities to protect your ressources _

Identity Protection & Privileged Access Management Lets take a look

Second «Central Point» Controlling your area of interest in your

AzureAD WebApplication Proxy _ Protect your resources in the LAN

AzureAD WebApplication Proxy – «Working with Connector groups» Principal Shema

File Access over AzureAD _ Issue: My users need access

Integration of Windows 1903 and AzureAD? _ Windows Admin Center

Integration of Windows 1903 and AzureAD? Lets take a look

Third «Central Point» Azure «PaaS» Services are so powerfull, what

Thanks to our sponsors!

Questions