GABC2019: AzureAD - Identity Management and more by Patrick Fontana

Transcript

1. AzureAD – Identity Management & More Global Azure Bootcamp 2019

2. Global Azure Bootcamp 2019 AzureAD - Cloud Identity like an

   «Avenger»

3. Patrick Fontana • Consultant / Architect @ SmartIT Services AG

   • MCT, MCSE, MCSA and many more • System Engineering & Consulting since 19 year’s in the world of Windows, Azure, System Center, WAC @itworksmart http://itworksmart.azurewebsites.net https://www.linkedin.com/in/patrick-fontana-2b7bab87/

4. Agenda _ Basic Funtionalities _ Manage the cloud identity _

   Multifactor Authentication MFA _ Conditional Access _ Identity Protection _ Privileged Identity Management _ WebApplication Proxy _ File Access over AzureAD _ Integration of Windows 1903 and AzureAD

5. Basic Funtionalities

6. Basic Funtionalities – «What’s new» _ Security Authentication Information included

   -> Integration three table design _ Organisational – Relationship Management for Guest Accounts _ Google Account as Identity Provider

7. Basic Funtionalities – «Current Situation» MFA-Sec-Table MSOL-Table AzureAD-Tenant

8. Basic Funtionalities – «Next Situation» MSOL-Table AzureAD – Tenant &

   MFA

9. Manage the cloud identity _ Synchronisation of MFA Information _

   CloudAncher & WriteBack for Self-Service _ Attention about synchronisation timing _ Upgrade with Passtrouth-Authentication _ Contact & Guest Account Synchronisation

10. Multifactor Authentication MFA _ Consolidation of the MFA capabilities in

    AzureAD _ MFA Preconfiguration Methodes possibility _ Integration of other product over Netscaler / NPS Server possible -> But issue in the NPS extension provides issues with certificate _ Licence «per-Autorisation» on Onprem-MFA is removed -> Guest Account Authorisation in Licence integrated (1:5)

11. First «Central Point» AzureAD is not only a technical solutition,

    it is part of a IAM solution Consequece: You have to integrate your HR in the process!

12. Conditional Access _ Security for your centralised app plattform _

    You have to design «UseCases» _ In conflict with onprem infrastactur _ But what can you do against client applications?

13. Conditional Access – «What’s New» _ The app protection-based conditional

    access policy

14. Identity Protection _ Talking with users about login security is

    not effectiv _ Give them examples helps _ Intuitive and integrated UX _ Automated reaction _ The basics for your security score

15. Privileged Access Management _ Functionalities to protect your ressources _

    The figt against to many global admins _ Requestlable access _ Focused an the RBAC Roles _ Integrated in Office365

16. Identity Protection & Privileged Access Management Lets take a look

    at the praxis

17. Second «Central Point» Controlling your area of interest in your

    LAN is ok, but perimeter security is gone by the requirment of «mobility» Consequece: Protecting your ressources and data has to be established on the source and the target!

18. AzureAD WebApplication Proxy _ Protect your resources in the LAN

    zone _ Integrated with «Enterprise Application» _ Communication is «Point-to-point» _ Provisioning for LegacyApps

19. AzureAD WebApplication Proxy – «Working with Connector groups» Principal Shema

    Connector Groups

20. File Access over AzureAD _ Issue: My users need access

    to a file server or have big files! _ AzureAD Domain Service is the required _ Creating custom roles for share permission _ Connect the volume to a VM net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share> /user:Azure\<storage-account-name> _ NTFS Permissions over Icacls icacls <mounted-drive-letter><Directory> /grant <user-upn>:(f) icacls <mounted-drive-letter><Directory> /grant <user-upn>:(d,wdac) icacls <mounted-drive-letter><Directory> /grant <user-upn>:(rx)

21. Integration of Windows 1903 and AzureAD? _ Windows Admin Center

    _ Login over AzureAD (Capt) _ MFA policy available (Hulk) _ Published over WebAppProxy (Ironman) _ Conditional Access integrated (Blackwidow) _ The door for other cloud services

22. Integration of Windows 1903 and AzureAD? Lets take a look

    at the praxis

23. Third «Central Point» Azure «PaaS» Services are so powerfull, what

    is the right strategy to protect my systems? Consequence: Protect them directly on the future plattform

24. Thanks to our sponsors!

25. Questions