Azure Active Directory features and possibilities

Over the last couple of years Microsoft has been working actively on new features in Azure Active Directory. For those who aren’t aware of what that is, briefly: it is identity as a service hosted in Azure. It is not the same as regular Active Directory even though it shares the name; it is a user administration system that stores users in a directory, but it is built for the cloud. You also don’t have features like Group Policy, and the notion of machine objects is (almost) not present. I’ll come back to that.

So when you set up an Intune account, an Office 365 account or CRM Online, it will automatically create an Azure Active Directory tenant. All users that are created will be populated into that Azure AD tenant. From an administrator’s point of view, all they will see is the users listed in their administration portal. To get the full benefit of Azure Active Directory you need to go into Azure.

(Before I go into specifics, be aware that there are 3 editions of Azure Active Directory: Free, Basic and Premium.) You can see the features included in each of the 3 here –>

Also note that Premium is included in the Microsoft EMS package (with Azure Rights Management and Intune): https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

So what do I mean by “built for the cloud”? Well, first of all, regular Active Directory, which today is well established and one of the key components of an on-premises setup, does not work well with all the SaaS services that are being added to many enterprises today. Many vendors now include Active Directory integration in their service (like Dropbox and such), but that is because there are no native features in Active Directory for it.

Azure Active Directory, on the other hand, is built to be a platform that can include all the applications you want and work as an identity provider for all your SaaS applications or on-premises ones. Many are familiar with the synchronization tools Microsoft offers to give a consistent user experience between on-prem and Office 365. These tools place users in an Azure Active Directory tenant, which we can then build upon with new features and integrations with other SaaS applications. We can also use Azure Active Directory standalone if we want a more purely cloud-based setup.

So what does Azure Active Directory consist of?

  • Azure Access Control
  • Azure Authentication System (SAML, OpenID & OAuth, WS-Federation)
  • Azure Graph
  • Azure Rights Management Service
  • Azure Multi-factor authentication

All these services have a set of sub-features as well, but with all this Azure Active Directory can be a platform for managing identity across different clouds. So what might it look like? Let’s think of a traditional enterprise where the HR application is where all new employees are created: IT needs to set up an Active Directory user and then provision access to all the SaaS apps the company uses.

What would it look like with Azure Active Directory set up with the different tools Microsoft offers?

Let’s look at the example again: a new employee is set up in the HR system. Microsoft Identity Manager (which is the vNext of Forefront) has a connector that lets it pick up that information, has a workflow for how new employees should be set up, and provisions a user in the local Active Directory. Azure AD Connect (the new and upcoming replacement for DirSync and AAD Sync) will, based on the configured filters, sync the user to Azure Active Directory. There can also be an ADFS, which allows for true SSO since ADFS then works as a SAML IdP and users are authenticated in real time. Another option is to set up user synchronization with password hash sync, which lets users use their existing username and password (with a small delay when a password has been changed and a sync has not yet run), but it does not give users true SSO to services in Azure.

Now that the users are in Azure, we can set up access to other SaaS services like Salesforce, Dropbox, other social media applications and maybe even Citrix. Another option is to publish an internal application. This requires another feature called Application Proxy, which authenticates users with their Azure AD credentials (with or without MFA) and then proxies the connection to an on-prem service.

So far I’ve covered some of the basics. Let’s look at how it looks. This is a screenshot from my management portal; here I have one directory.

Inside it I have multiple users, some cloud-only and some synced from on-premises. Here I also have the option to manage MFA for my tenant (I have a valid subscription).

Also inside the tenant directory I have a bunch of different options, which we are going to go through.

First, let’s look at the configuration part. The first option is to customize the sign-in experience for our users.

So we can define a logo, a background image and such. Just basic stuff, so when users try to log in they might see this.

(Family photo!)

We also have configuration options for user password reset.

We can also enable the password write-back feature, which allows new passwords set in Azure AD to be written back to an on-premises Active Directory. Note that this requires the Active Directory sync services to be set up with the write-back feature.

As I mentioned earlier, Azure AD has no idea about machine objects. Well, it kind of does. This is another preview feature, but it allows Windows 10 machines to “join” Azure Active Directory and lets users log in with their Azure AD credentials.

(From a Windows 10 Technical Preview machine)

After joining the Azure AD domain you can now sign in with your credentials.

There are also a lot of different options regarding group management in Azure.

And one important part is Application Proxy.

I have blogged about this before (https://msandbu.wordpress.com/2015/02/19/publishing-internal-applications-using-azure-active-directory-using-application-proxy/).

So let’s talk a bit about the important part: the applications. Azure has several possibilities when adding applications: working as a front-end authentication feature, for instance for on-prem applications; single sign-on for web-based applications (password-based and federated SSO); and setting up MFA.

So let’s start by adding Facebook to our tenant and setting up the new feature called password roll-over (which allows Azure AD to automatically update a password on behalf of the user).

So head over to Applications and choose Add from Gallery.

Find Facebook in the list and choose OK.

Click on Configure Single Sign-on and choose Password SSO. (Note that this requires that a user first authenticate with a username and password using a browser that has the Azure AD extension installed. When the user authenticates, the extension takes the username and password, encrypts them and stores them in the Azure AD tenant, so the next time the user logs in they don’t need to enter a username and password.)

Then let’s assign some users. Go into Users and Groups, find a user and choose Assign.

We can also enter a username and password on behalf of the user.

(Note that for LinkedIn, Twitter and Facebook we have the preview feature automatic password rollover.)

Then click OK.

Now let’s add an on-prem application. As I’ve blogged about this before, I won’t show all the steps, just what’s new.

For on-premises applications we can configure access rules. Let’s say, for instance, that all users (except sales users) need to use MFA when accessing this application from outside the office.

Note that this is based on IP whitelisting to decide who needs to access with or without MFA. This is part of the cloud-based MFA feature; it is also possible to download a server component (MFA Server) which you can attach to your on-prem services using traditional AD: https://msandbu.wordpress.com/2014/05/05/azure-multifactor-authentication-and-netscaler-aaa-vserver/
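As an added illustration (not Microsoft’s evaluation logic and not anything taken from the tenant in this post), here is a small model of the access rule just described: MFA is waived only for sign-ins from whitelisted office ranges, and the exempt group skips MFA from anywhere. The network ranges, group names and sign-in events are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessRule:
    """Per-app access rule of the kind described in the post: MFA is
    required unless the request comes from a whitelisted IP range, and
    members of an exempt group never get the MFA requirement.
    Illustrative model only, not Azure AD's own implementation."""
    trusted_networks: list            # CIDR strings (constructed office ranges)
    exempt_groups: set = field(default_factory=set)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n, strict=False)
                      for n in self.trusted_networks]

    def is_trusted_ip(self, source_ip: str) -> bool:
        # A source address that does not parse is treated as untrusted
        # (fail closed) instead of raising in the middle of a sign-in.
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False
        # ipaddress returns False for a v4 address tested against a v6 net.
        return any(addr in net for net in self._nets)

    def requires_mfa(self, user_groups, source_ip: str) -> bool:
        # Group exemption wins: sales users skip MFA from anywhere.
        if self.exempt_groups & set(user_groups):
            return False
        # Everyone else: MFA unless the request comes from a trusted range.
        return not self.is_trusted_ip(source_ip)


# Constructed sample data: documentation ranges stand in for office egress.
RULE = AccessRule(["203.0.113.0/24", "2001:db8::/32"], exempt_groups={"sales"})

SAMPLE_SIGNINS = [
    {"user": "alice", "groups": ["engineering"], "ip": "203.0.113.42"},
    {"user": "bob",   "groups": ["engineering"], "ip": "198.51.100.7"},
    {"user": "carol", "groups": ["sales"],       "ip": "198.51.100.7"},
    {"user": "dave",  "groups": ["finance"],     "ip": "2001:db8::1"},
    {"user": "eve",   "groups": ["finance"],     "ip": "not-an-ip"},
]


def evaluate(rule: AccessRule, signins):
    """Return {user: True if MFA is required, else False} for each sign-in."""
    return {s["user"]: rule.requires_mfa(s["groups"], s["ip"]) for s in signins}


if __name__ == "__main__":
    for user, mfa in evaluate(RULE, SAMPLE_SIGNINS).items():
        print(f"{user:6} -> {'MFA required' if mfa else 'no MFA'}")
```

The whitelist can only judge the address the service actually sees, so if sign-ins arrive through a proxy or NAT the decision is only as good as that observed address.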

Note also that you can use Azure Active Directory as a SAML IdP and use the Graph API when developing other applications and setting up integration with it. There are also some applications, like Salesforce, which offer full identity management, true SSO and provisioning.

But only a few vendors have added this support. Now, if we approach an enterprise with “Hey, you should get Azure AD, it’s great stuff!” and they use something like 200 SaaS-based applications, how do you get an overview? Microsoft has also created something called Cloud App Discovery (which is also in preview –> https://appdiscovery.azure.com/).

This is basically an agent that you download and run in your infrastructure; it gathers info, finds out which applications are being used and tries to map them against those Microsoft has support for.

So when you have set up the applications and given users access, how does it look?

And voila, user access!

Now this was just a brief look into Azure Active Directory. In the last 6 months these features have been added to Azure AD:

  • Administrative units
  • Dynamic group membership
  • Password roll-over
  • Azure AD Connect Health
  • Per-app MFA
  • 200+ applications in the gallery list
  • Workplace Join
  • SaaS provisioning attributes
  • MIM in public preview
  • Azure AD Proxy
  • Password write-back
  • Azure AD on iOS and Android
  • Conditional access per app

And this list will continue to grow. If you want to see what’s happening in Azure AD, I suggest you follow Alex Simons (@Alex_a_simons) on Twitter (he is the Product Manager for Azure AD, and judging by the feature list, he is feeding his developers Red Bull or something stronger)

and follow the Azure AD blog http://blogs.technet.com/b/ad/

Stay tuned for more news about Azure AD

#azure-ad, #cloudapp-discovery, #mfa, #rms

Azure Active Directory Premium preview

So as of today, Azure Active Directory Premium is available as a trial for all users. For those who aren’t aware of what Azure Active Directory Premium is: in short, it is Identity and Access Management for the cloud, an extension of the previous features, which include:

  • custom domains
  • users and groups
  • directory integration with local Active Directory

The Premium part adds single sign-on and multi-factor authentication to any cloud application. To show the entire functionality, here is the feature list:

Azure Active Directory Premium edition is a paid offering of Azure AD and includes the following features:

  • Company branding – To make the end user experience even better, you can add your company logo and color schemes to your organization’s Sign In and Access Panel pages. Once you’ve added your logo, you also have the option to add localized versions of the logo for different languages and locales. For more information, see Add company branding to your Sign In and Access Panel pages.
  • Group-based application access – Use groups to provision users and assign user access in bulk to over 1800 SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory. For more information, see Assign access for a group to a SaaS application.
  • Self-service password reset – Azure has always provided self-service password reset for directory administrators. With Azure AD Premium, you can now further reduce helpdesk calls whenever your users forget their password by giving all users in your directory the capability to reset their password using the same sign in experience they have for Office 365. For more information, see Self-service password reset for users.
  • Self-service group management – Azure AD Premium simplifies day-to-day administration of groups by enabling users to create groups, request access to other groups, delegate group ownership so others can approve requests and maintain their group’s memberships. For more information, see Self-service group management for users.
  • Advanced security reports and alerts – Monitor and protect access to your cloud applications by viewing detailed logs showing more advanced anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats. For more information, see View your access and usage reports.
  • Multi-Factor Authentication – Multi-Factor Authentication is now included with Premium and can help you to secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 and Dynamics CRM Online, and over 1200 Non-MS Cloud services preintegrated with Azure AD. Simply enable Multi-Factor Authentication for Azure AD identities, and users will be prompted to set up additional verification the next time they sign in. For more information, see Adding Multi-Factor Authentication to Azure Active Directory.
  • Forefront Identity Manager (FIM) – Premium comes with the option to grant rights to use a FIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure AD. There is no limit on the number of FIM servers you can use, however, FIM CALs are granted based on the allocation of an Azure AD premium user license. For more information, see Deploy FIM 2010 R2.
  • Enterprise SLA of 99.9% – We guarantee at least 99.9% availability of the Azure Active Directory Premium service. For more information, see Active Directory Premium SLA.
  • More features coming soon – The following premium features are currently in public preview and will be added soon:
    • Password reset with write-back to on-premises directories
    • Azure AD Sync bi-directional synchronization
    • Azure AD Application Proxy

Now, in order to activate Premium in your Azure account you need to have an existing directory in place; then you go into the directory and create a Premium trial.

Then you have to activate the trial.

After Premium is enabled you have to license users to use the feature. In the trial we are given 100 licenses which we can use.

But note that we now have other panes here as well that we can use to configure the single sign-on experience. In an ideal scenario we would have an Active Directory synced and a verified public domain; I’m in vacation mode, so I’m going to show how to use a cloud-only user and set up SSO to different cloud applications.

If we go into Users we can see all the users located in the cloud directory, whether they are synced from a local AD or are a Microsoft account.

So we have some users in place. If we go into the Configure pane we have the option to customize the access page which users use to SSO to web applications. We also have the option to enable users to do password reset (NOTE: this requires that users have either a phone or an alternative email address defined); this can also be combined with password write-back to on-premises AD. http://msdn.microsoft.com/en-us/library/azure/dn688249.aspx

Now we want to add some SaaS applications for the test: go into Applications and choose Add.
There are 3 ways to add an application: add a regular web application or a native client application; choose an application from the gallery (which at the moment consists of over 1000 different SaaS applications); or publish an internal application outside of our network (this uses Microsoft Azure AD Application Proxy).

So in our case we are going to choose an application from the gallery. I have already added some applications to the list here, and some applications have different capabilities than others. For instance, the Salesforce application has the capability to provision users automatically after a dirsync, while Twitter or Yammer do not.

There are also two types of SSO for each application: we can either use ADFS (federation-based SSO) or password-based SSO.

It is important to note that password-based SSO means that when a user clicks on an application from the access portal, an installed plug-in populates the application’s username and password fields on entry. It also has some requirements.

Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Windows Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Windows Azure AD collects and securely stores the user account information and the related password.

Password-based SSO relies on a browser extension to securely retrieve the application and user specific information from Windows Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Windows Azure AD support this feature.

For password-based SSO, the end user’s browsers can be:

  • IE 8, IE9 and IE10 on Windows 7 or later
  • Chrome on Windows 7 or later or MacOS X or later

Now if I go back to the application list and click on an application, I usually have two options: defining SSO options and choosing who has access.

NOTE: for Salesforce I also have the ability to configure automatic user provisioning.

Now go into Assign Users and choose a user in the directory. When using password-based SSO you get the option of entering the credentials on behalf of the user (they are also able to enter this information themselves on the access portal).

After this is done and you have assigned users to different applications, they can open the access portal (which can be found here –> http://myapps.microsoft.com ). After I log in here with my username I am able to SSO to the application I click on from the portal (NOTE that this requires a browser plug-in installed). Microsoft has also already created a wiki containing best practices for accessing SSO applications.

And voila, I have my personal little password manager. From a user perspective I have the option to change credentials from this portal, and I can also change the password for my main user (which is an Outlook user in this scenario). This is a huge step in how to manage access for users and applications, with a little touch of the cloud.

#azure, #citrix, #mfa