
GABC2019: AzureAD - Identity Management and more by Patrick Fontana

With AzureAD you don't only have an identity table for O365; you can achieve more: from MFA to Conditional Access, from app publishing to Application Proxy, plus security-related features, with a lot of demos.


Azure Zurich User Group

April 27, 2019

Transcript

  1. Patrick Fontana • Consultant / Architect @ SmartIT Services AG
     • MCT, MCSE, MCSA and many more
     • System Engineering & Consulting for 19 years in the world of Windows, Azure, System Center, WAC
     @itworksmart http://itworksmart.azurewebsites.net https://www.linkedin.com/in/patrick-fontana-2b7bab87/
  2. Agenda
     _ Basic Functionalities
     _ Manage the cloud identity
     _ Multifactor Authentication (MFA)
     _ Conditional Access
     _ Identity Protection
     _ Privileged Identity Management
     _ Web Application Proxy
     _ File Access over AzureAD
     _ Integration of Windows 1903 and AzureAD
  3. Basic Functionalities – «What's new»
     _ Security authentication information included -> integration of a three-table design
     _ Organisational relationship management for guest accounts
     _ Google account as identity provider
  4. Manage the cloud identity
     _ Synchronisation of MFA information
     _ CloudAnchor & write-back for self-service
     _ Pay attention to synchronisation timing
     _ Upgrade with Pass-through Authentication
     _ Contact & guest account synchronisation
  5. Multifactor Authentication (MFA)
     _ Consolidation of the MFA capabilities in AzureAD
     _ MFA pre-configuration of methods is possible
     _ Integration of other products over NetScaler / NPS server is possible -> but the NPS extension has issues with certificates
     _ The «per-authorisation» licence on on-prem MFA is removed -> guest account authorisation is included in the licence (1:5)
  6. First «Central Point»
     AzureAD is not only a technical solution, it is part of an IAM solution.
     Consequence: you have to integrate your HR in the process!
  7. Conditional Access
     _ Security for your centralised app platform
     _ You have to design «use cases»
     _ In conflict with on-prem infrastructure
     _ But what can you do against client applications?
  8. Identity Protection
     _ Talking with users about login security is not effective
     _ Giving them examples helps
     _ Intuitive and integrated UX
     _ Automated reaction
     _ The basis for your security score
  9. Privileged Access Management
     _ Functionalities to protect your resources
     _ The fight against too many global admins
     _ Requestable access
     _ Focused on the RBAC roles
     _ Integrated in Office 365
  10. Second «Central Point»
      Controlling your area of interest in your LAN is OK, but perimeter security is gone with the requirement of «mobility».
      Consequence: protecting your resources and data has to be established on the source and the target!
  11. AzureAD Web Application Proxy
      _ Protect your resources in the LAN zone
      _ Integrated with «Enterprise Application»
      _ Communication is «point-to-point»
      _ Provisioning for legacy apps
  12. File Access over AzureAD
      _ Issue: my users need access to a file server or have big files!
      _ AzureAD Domain Services is required
      _ Creating custom roles for share permissions
      _ Connect the volume to a VM:
        net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share> /user:Azure\<storage-account-name>
      _ NTFS permissions over icacls:
        icacls <mounted-drive-letter><Directory> /grant <user-upn>:(f)
        icacls <mounted-drive-letter><Directory> /grant <user-upn>:(d,wdac)
        icacls <mounted-drive-letter><Directory> /grant <user-upn>:(rx)
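Slide 12's mount-and-grant steps as one PowerShell script, added here as an example and not taken from the deck. The storage-account, share, directory and UPN values are placeholders, and the share is assumed to be enabled for AzureAD Domain Services authentication so the UPN resolves in icacls.

```powershell
# Added example, not from the deck: mount an Azure Files share the way
# slide 12 does, apply one of its three icacls grants, and print the
# resulting ACL for review. All names below are placeholders; the share is
# assumed to be AzureAD Domain Services enabled so the UPN resolves.
param(
    [string]$StorageAccount = '<storage-account-name>',   # placeholder
    [string]$Share          = '<share>',                  # placeholder
    [string]$Drive          = 'Z',
    [string]$Directory      = 'Projects',                 # folder on the share
    [string]$UserUpn        = 'user@contoso.example',     # placeholder
    [ValidateSet('ReadOnly', 'Manage', 'Full')]
    [string]$Level          = 'ReadOnly'                  # least privilege by default
)

$unc     = "\\$StorageAccount.file.core.windows.net\$Share"
$userArg = "/user:Azure\$StorageAccount"

# Same net use as on the slide. With no password on the command line,
# net use prompts for the storage-account key, so the key stays out of
# the script and the shell history.
net use "${Drive}:" $unc $userArg /persistent:no
if ($LASTEXITCODE -ne 0) { throw "net use failed for $unc" }

$target = "${Drive}:\$Directory"
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# The slide's three grants: (rx) read and execute, (d,wdac) delete plus
# write-DACL (lets the user change permissions), (f) full control.
$grants = @{
    ReadOnly = "${UserUpn}:(rx)"
    Manage   = "${UserUpn}:(d,wdac)"
    Full     = "${UserUpn}:(f)"
}
$grant = $grants[$Level]
icacls $target /grant $grant
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $target" }

# Review the effective ACL; an (F) entry for a broad principal such as
# Everyone or Authenticated Users is the finding to fix here.
icacls $target
```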
  13. Integration of Windows 1903 and AzureAD?
      _ Windows Admin Center
      _ Login over AzureAD (Capt)
      _ MFA policy available (Hulk)
      _ Published over Web App Proxy (Ironman)
      _ Conditional Access integrated (Black Widow)
      _ The door for other cloud services
  14. Third «Central Point»
      Azure «PaaS» services are so powerful, what is the right strategy to protect my systems?
      Consequence: protect them directly on the future platform