
GABC2019: AzureAD - Identity Management and more by Patrick Fontana

With AzureAD you don't only get an identity table for O365, you can achieve more: from MFA to Conditional Access, from app publishing to Application Proxy, plus security-related features, with a lot of demos.

Azure Zurich User Group

April 27, 2019



  1. AzureAD – Identity Management & More Global Azure Bootcamp 2019

  2. Global Azure Bootcamp 2019 AzureAD - Cloud Identity like an

  3. Patrick Fontana • Consultant / Architect @ SmartIT Services AG • MCT, MCSE, MCSA and many more • System engineering & consulting for 19 years in the world of Windows, Azure, System Center, WAC • @itworksmart • http://itworksmart.azurewebsites.net • https://www.linkedin.com/in/patrick-fontana-2b7bab87/
  4. Agenda _ Basic Functionalities _ Manage the cloud identity _ Multifactor Authentication (MFA) _ Conditional Access _ Identity Protection _ Privileged Identity Management _ Web Application Proxy _ File access over AzureAD _ Integration of Windows 1903 and AzureAD
  5. Basic Functionalities

  6. Basic Functionalities – «What’s new» _ Security authentication information included -> integration of the three-table design _ Organisational relationship management for guest accounts _ Google account as identity provider
  7. Basic Functionalities – «Current Situation» (diagram: MFA-Sec-Table, MSOL-Table, AzureAD-Tenant)

  8. Basic Functionalities – «Next Situation» (diagram: MSOL-Table, AzureAD – Tenant &

  9. Manage the cloud identity _ Synchronisation of MFA information _ Cloud anchor & write-back for self-service _ Pay attention to synchronisation timing _ Upgrade with Pass-through Authentication _ Contact & guest account synchronisation
  10. Multifactor Authentication (MFA) _ Consolidation of the MFA capabilities in AzureAD _ MFA pre-configuration of methods is possible _ Integration of other products over NetScaler / NPS server is possible -> but the NPS extension has issues with certificates _ The «per-authorisation» licence for on-prem MFA is removed -> guest account authorisation is integrated in the licence (1:5)
  11. First «Central Point»: AzureAD is not only a technical solution, it is part of an IAM solution. Consequence: you have to integrate your HR in the process!
  12. Conditional Access _ Security for your centralised app platform _ You have to design «use cases» _ In conflict with on-prem infrastructure _ But what can you do against client applications?
  13. Conditional Access – «What’s New» _ The app protection-based Conditional Access policy
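The two Conditional Access slides above leave the «use cases» abstract. As an added example, not code from the deck or from the speaker, here are three policies written as Microsoft Graph request bodies and created with the Microsoft.Graph PowerShell SDK: an MFA baseline, the usual answer to «what can you do against client applications?» (block the legacy client app types that cannot satisfy MFA), and the app protection-based policy from the «What's New» slide. Assumptions not in the original: the Microsoft.Graph module is installed, the caller can consent to the listed scopes, and the two group IDs are placeholders for real group object IDs.

```powershell
# Added example (not from the deck): Conditional Access policies as Graph request
# bodies, created with the Microsoft.Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; placeholder group object IDs below.

$breakGlassGroupId  = '00000000-0000-0000-0000-000000000001'  # assumption: emergency-access accounts
$mobilePilotGroupId = '00000000-0000-0000-0000-000000000002'  # assumption: pilot group for the mobile policy

# Every policy starts in report-only mode. Switch 'state' to 'enabled' only after the
# sign-in log shows the expected result and no admin has locked themselves out.
$reportOnly = 'enabledForReportingButNotEnforced'

# Use case 1: require MFA for every user on every cloud app (break-glass accounts excluded).
$requireMfa = @{
    displayName   = 'CA01 Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Use case 2: legacy clients (Exchange ActiveSync, Basic-auth IMAP/POP/SMTP, old Office)
# cannot prompt for MFA, so CA01 never applies to them. The only effective control is
# to block those client app types outright.
$blockLegacyAuth = @{
    displayName   = 'CA02 Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Use case 3: app protection-based policy. Office 365 on iOS/Android is granted only
# when the client app is covered by an Intune app protection policy.
$requireAppProtection = @{
    displayName   = 'CA03 Require app protection policy on mobile'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeGroups = @($mobilePilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantApplication') }
}

function New-CaPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # -Depth 10 keeps the nested conditions intact; the default depth truncates them.
    $body = $Policy | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body $body -ContentType 'application/json' -OutputType PSObject
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'
foreach ($policy in @($requireMfa, $blockLegacyAuth, $requireAppProtection)) {
    New-CaPolicy -Policy $policy | Select-Object id, displayName, state
}
```

The break-glass exclusion and the report-only state are the two checks worth keeping in every tenant: a policy that blocks «other» clients or requires MFA for «All» users with no excluded emergency accounts can lock the last Global Administrator out of the portal.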
  14. Identity Protection _ Talking with users about login security is not effective _ Giving them examples helps _ Intuitive and integrated UX _ Automated reaction _ The basis for your security score
  15. Privileged Access Management _ Functionalities to protect your resources _ The fight against too many global admins _ Requestable access _ Focused on the RBAC roles _ Integrated in Office 365
  16. Identity Protection & Privileged Access Management: let’s take a look at it in practice
  17. Second «Central Point»: Controlling your area of interest in your LAN is ok, but perimeter security is gone because of the requirement of «mobility». Consequence: protecting your resources and data has to be established on the source and the target!
  18. AzureAD Web Application Proxy _ Protect your resources in the LAN zone _ Integrated with «Enterprise Applications» _ Communication is «point-to-point» _ Provisioning for legacy apps
  19. AzureAD Web Application Proxy – «Working with connector groups» (diagram: principal schema of connector groups)
  20. File access over AzureAD _ Issue: my users need access to a file server or have big files! _ Azure AD Domain Services is required _ Create custom roles for the share permissions _ Connect the volume to a VM:
        net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share> /user:Azure\<storage-account-name>
      _ NTFS permissions via icacls:
        icacls <mounted-drive-letter>:\<Directory> /grant <user-upn>:(f)
        icacls <mounted-drive-letter>:\<Directory> /grant <user-upn>:(d,wdac)
        icacls <mounted-drive-letter>:\<Directory> /grant <user-upn>:(rx)
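The slide above gives the mount and three icacls grants as one-off commands. As an added example, not code from the deck or from the speaker, the script below does the same job in a repeatable way and adds the checks a practitioner wants: a port-445 reachability test before mounting, a mount with the Kerberos identity from Azure AD Domain Services rather than the storage-account key, and a table-driven set of least-privilege NTFS grants with explicit inheritance flags, verified afterwards with Get-Acl. Assumptions not in the original: the storage account is joined to Azure AD Domain Services, the VM is joined to the same Azure AD DS domain, the logged-on user holds a share-level Azure RBAC role such as «Storage File Data SMB Share Elevated Contributor», and the account, share, directory and UPN values are placeholders.

```powershell
# Added example (not from the deck): mount an Azure Files share with the Azure AD DS
# identity and apply least-privilege NTFS ACLs with icacls.
# Assumptions: storage account and VM are joined to Azure AD Domain Services; the
# caller has a share-level RBAC role; all names below are placeholders.

$StorageAccount = 'contosofiles'   # placeholder
$ShareName      = 'finance'        # placeholder
$DriveLetter    = 'Z'
$FileHost       = "$StorageAccount.file.core.windows.net"
$Root           = "\\$FileHost\$ShareName"

# SMB needs TCP 445. Many ISPs and some NSGs drop it, which surfaces as a generic
# "network path not found" instead of an authentication error, so test it first.
$probe = Test-NetConnection -ComputerName $FileHost -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $FileHost is blocked; fix NSG/firewall (or use VPN/ExpressRoute) before mounting."
}

# Mount with the caller's Kerberos identity. Do not pass the storage-account key:
# a key-based mount (the /user:Azure\<account> form) acts as the share's superuser
# and makes every NTFS ACL set below irrelevant for that session.
if (-not (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $Root -Persist -Scope Global | Out-Null
}

# Least-privilege grants per directory. icacls rights used here:
#   RX = read & execute, M = modify, F = full control;
#   (OI)(CI) = the ACE is inherited by files and subfolders created below the directory.
$Assignments = @(
    @{ Path = 'Reports'; Upn = 'reader@contoso.com'; Rights = '(OI)(CI)RX' }   # placeholder UPNs
    @{ Path = 'Reports'; Upn = 'editor@contoso.com'; Rights = '(OI)(CI)M'  }
    @{ Path = 'Reports'; Upn = 'owner@contoso.com';  Rights = '(OI)(CI)F'  }
)

foreach ($a in $Assignments) {
    $target = Join-Path "${DriveLetter}:\" $a.Path
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }
    # icacls exits non-zero when the UPN cannot be resolved, e.g. the principal is
    # not (yet) present in Azure AD DS; fail loudly instead of silently skipping it.
    & icacls.exe $target /grant "$($a.Upn):$($a.Rights)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $target for $($a.Upn)" }
}

# Verify: show the explicit (non-inherited) ACEs that now apply to the directory.
(Get-Acl -LiteralPath "${DriveLetter}:\Reports").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```

The share-level RBAC role and the NTFS ACL are evaluated together: the RBAC role decides whether the identity may open the share at all, and the NTFS ACE decides what it may do inside it. Granting only «Storage File Data SMB Share Reader» at share level therefore caps even a user who holds (F) on a directory at read access.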
  21. Integration of Windows 1903 and AzureAD? _ Windows Admin Center _ Login over AzureAD (Capt) _ MFA policy available (Hulk) _ Published over WebAppProxy (Ironman) _ Conditional Access integrated (Blackwidow) _ The door for other cloud services
  22. Integration of Windows 1903 and AzureAD? Let’s take a look at it in practice
  23. Third «Central Point»: Azure «PaaS» services are so powerful, what is the right strategy to protect my systems? Consequence: protect them directly on the future platform
  24. Thanks to our sponsors!

  25. Questions