

GABC2019: AzureAD - Identity Management and more by Patrick Fontana

With AzureAD you don't only have an identity table for O365; you can achieve more. From MFA to Conditional Access, from app publishing to Application Proxy, and security-related features, with a lot of demos.

Azure Zurich User Group

April 27, 2019

Transcript

  1. Patrick Fontana
    • Consultant / Architect @ SmartIT Services AG
    • MCT, MCSE, MCSA and many more
    • System Engineering & Consulting for 19 years in the world of Windows, Azure, System Center, WAC
    @itworksmart http://itworksmart.azurewebsites.net https://www.linkedin.com/in/patrick-fontana-2b7bab87/
  2. Agenda
    _ Basic Functionalities
    _ Manage the cloud identity
    _ Multifactor Authentication (MFA)
    _ Conditional Access
    _ Identity Protection
    _ Privileged Identity Management
    _ Web Application Proxy
    _ File Access over AzureAD
    _ Integration of Windows 1903 and AzureAD
  3. Basic Functionalities – «What's new»
    _ Security authentication information included -> integration of the three-table design
    _ Organisational relationship management for guest accounts
    _ Google account as identity provider
  4. Manage the cloud identity
    _ Synchronisation of MFA information
    _ CloudAnchor & WriteBack for Self-Service
    _ Attention to synchronisation timing
    _ Upgrade with Pass-through Authentication
    _ Contact & Guest Account Synchronisation
  5. Multifactor Authentication (MFA)
    _ Consolidation of the MFA capabilities in AzureAD
    _ MFA pre-configuration methods possible
    _ Integration of other products over NetScaler / NPS server possible -> but the NPS extension has issues with certificates
    _ Licence «per-authorisation» on on-prem MFA is removed -> guest account authorisation integrated in the licence (1:5)
  6. First «Central Point»
    AzureAD is not only a technical solution, it is part of an IAM solution.
    Consequence: You have to integrate your HR in the process!
  7. Conditional Access
    _ Security for your centralised app platform
    _ You have to design «use cases»
    _ In conflict with on-prem infrastructure
    _ But what can you do against client applications?
  8. Identity Protection
    _ Talking with users about login security is not effective
    _ Giving them examples helps
    _ Intuitive and integrated UX
    _ Automated reaction
    _ The basics for your security score
  9. Privileged Access Management
    _ Functionalities to protect your resources
    _ The fight against too many global admins
    _ Requestable access
    _ Focused on the RBAC roles
    _ Integrated in Office 365
  10. Second «Central Point»
    Controlling your area of interest in your LAN is ok, but perimeter security is gone by the requirement of «mobility».
    Consequence: Protecting your resources and data has to be established on the source and the target!
  11. AzureAD Web Application Proxy
    _ Protect your resources in the LAN zone
    _ Integrated with «Enterprise Application»
    _ Communication is «point-to-point»
    _ Provisioning for legacy apps
  12. File Access over AzureAD
    _ Issue: My users need access to a file server or have big files!
    _ AzureAD Domain Services is required
    _ Creating custom roles for share permissions
    _ Connect the volume to a VM:
      net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share> /user:Azure\<storage-account-name>
    _ NTFS permissions over icacls:
      icacls <mounted-drive-letter><Directory> /grant <user-upn>:(f)
      icacls <mounted-drive-letter><Directory> /grant <user-upn>:(d,wdac)
      icacls <mounted-drive-letter><Directory> /grant <user-upn>:(rx)
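The mount-and-ACL step from slide 12 as an added PowerShell example (not from the deck or from Microsoft): it mounts the share with the storage account key only for the permission setup, grants per-role NTFS rights with inheritance flags, verifies the ACL and drops the key-based mount again. Storage account, share, directory and the user UPNs are placeholders, and the key is assumed to be in the environment variable AZFILES_KEY.

```powershell
# Added example, not part of the original deck. Placeholders below are
# assumptions; the storage account key is read from AZFILES_KEY rather than
# being written into the script.
$StorageAccount = 'mystorageacct'      # placeholder
$Share          = 'projects'           # placeholder
$DriveLetter    = 'Z'
$Key            = $env:AZFILES_KEY     # storage account key, never hard-coded
if (-not $Key) { throw 'AZFILES_KEY is not set' }

$Unc     = "\\$StorageAccount.file.core.windows.net\$Share"
$UserArg = "/user:Azure\$StorageAccount"

# 1. Mount with the storage account key (superuser) only for the ACL setup;
#    /persistent:no so the key-based mapping does not survive a reboot.
net use "${DriveLetter}:" $Unc $UserArg $Key /persistent:no
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

try {
    $Dir = "${DriveLetter}:\finance"   # placeholder directory
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null

    # 2. Remove inherited ACEs so the directory carries only the grants below.
    icacls $Dir /inheritance:r | Out-Null

    # 3. Per-role grants. (OI)(CI) makes each ACE inherit to files and
    #    subfolders; F = full control, M = modify, RX = read and execute.
    #    The UPNs are placeholders for AAD DS-synchronised identities.
    icacls $Dir /grant 'owner@contoso.com:(OI)(CI)(F)'   | Out-Null
    icacls $Dir /grant 'editor@contoso.com:(OI)(CI)(M)'  | Out-Null
    icacls $Dir /grant 'auditor@contoso.com:(OI)(CI)(RX)' | Out-Null

    # 4. Verify: print the resulting ACL so the change can be reviewed/logged.
    icacls $Dir
}
finally {
    # 5. Always drop the key-based mount; users later mount with their own
    #    AAD DS identity instead of the storage account key.
    net use "${DriveLetter}:" /delete /y | Out-Null
}
```

The slide shows plain (f)/(d,wdac)/(rx) grants; the (OI)(CI) flags used here are what makes the rights apply to everything created under the directory.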
  13. Integration of Windows 1903 and AzureAD?
    _ Windows Admin Center
    _ Login over AzureAD (Capt)
    _ MFA policy available (Hulk)
    _ Published over WebAppProxy (Ironman)
    _ Conditional Access integrated (Blackwidow)
    _ The door for other cloud services
  14. Third «Central Point»
    Azure «PaaS» services are so powerful, what is the right strategy to protect my systems?
    Consequence: Protect them directly on the future platform