
How to extend your Active Directory infrastructure to Azure AD


This presentation helps you take the right decision if you want to extend your OnPrem Active Directory infrastructure to Microsoft Azure (Microsoft's IDaaS offer).

All options/scenarios, including PHS (Password Hash Synchronization), PTA (Pass-Through Authentication) and ADFS (Active Directory Federation Services), are detailed in this slide deck.

This document is available to download here:
https://gallery.technet.microsoft.com/Design-Guide-Extend-your-30308441

Published in: Technology


  1. How To Extend your AD Domain to Azure AD? [Diagram: hkroot.lan AD Domain synchronized to hkroot.com Azure AD] Author: Hicham KADIRI. Document version: 1.0. Date: 12/03/2018
  2. Agenda:
     • Terminology
     • Users Sign-On Methods You Should Know
     • ADFS Method
     • ADFS, at what cost?
     • How ADFS Works?
     • ADFS Pros & Cons
     • PHS Method
     • How PHS Works?
     • PHS Pros & Cons
     • PTA Method
     • How PTA Works?
     • PTA Pros & Cons
     • To help you take the right "Design" decision
  3. Terminology
  4. Terms used in this deck:
     • AD: Active Directory
     • DC: Domain Controller
     • RODC: Read-Only Domain Controller
     • WDC: Writable Domain Controller
     • AAD: Azure Active Directory
     • PHS: Password Hash Synchronization
     • PTA: Pass-Through Authentication
     • ADFS: Active Directory Federation Services
     • AADC: Azure Active Directory Connect
     • STS: Security Token Service
     • SSO: Single Sign-On
     • MD: Message Digest
     • PBKDF: Password Based Key Derivation Function
  5. Users Sign-On Methods You Should Know
  6. OnPrem users' Sign-On options are:
     • Federation with AD Federation Services (ADFS)
     • Password Hash Synchronization (PHS)
     • Pass-Through Authentication (PTA): New!
     • Important Note: all methods require the user account to be synchronized to Azure AD.
     [Diagram: HKRoot.lan AD domain synchronized to Azure HKRoot.com]
  7. Active Directory Federation Services: What is it?
  8. ADFS, or Active Directory Federation Services, is a component of the Active Directory suite available on Windows Server 2008Rx, 2012Rx and 2016. ADFS provides users with single sign-on access to systems and applications located across organizational boundaries: SSO for internal and external access to various web applications. It uses a claims-based access control authorization model to maintain application security and implement federated identity. Claims-based authentication is the process of authenticating a user based on a set of claims about their identity contained in a trusted token.
  9. Active Directory Federation Services: At What Cost?
  10. ADFS requires at least 4 (physical or virtual) servers, SSL certificates and management effort. In addition, ADFS requires a highly available company Internet connection and a clustered SQL Server infrastructure.
  11. How ADFS Works? [Diagram: Datacenter]
  12. Active Directory Federation Services: Pros & Cons
  13. Active Directory Federation Services, Pros & Cons
     ADFS Pros:
     • User account hashed passwords are kept OnPrem and don't need to leave the internal/corporate network (now also supported by the PTA option).
     • ADFS allows the authentication process itself to take place on premises (now also supported by the PTA option).
     • Seamless SSO experience for users connecting from the OnPrem/corporate network (now also supported by PHS/PTA Seamless SSO).
     • Use your existing third-party MFA solution with Azure AD (now also supported by AD Custom Controls).
     ADFS Cons:
     • ADFS is not free! Significant server costs, setup and configuration effort, public SSL certificates required, ongoing maintenance costs, no repeatability, more apps = more cost.
     • ADFS is not a complete solution: limited app support, no provisioning, no monitoring and no reporting.
     • A complex Federation Services solution that requires strong technical skills.
     • Requires a highly available company Internet connection.
     • In addition, federation doesn't give you cloud authentication scalability or Identity Protection, and it may require manual certificate rollover.
     • Finally, what about planned recovery from the loss of ADFS availability? How do you deal with that?
  14. Password Hash Synchronization: What is it?
  15. PHS, or Password Hash Synchronization, is a Sign-On option that allows OnPrem users to SSO to Microsoft SaaS apps or any other cloud SaaS apps that trust Azure AD (e.g. Facebook, Salesforce, etc.). PHS allows you to synchronize OnPrem user accounts and their (hashed) passwords to your Azure AD tenant.
  16. Password Hash Synchronization: How PHS Works?
  17. How PHS Works?
  18. Password Hash Synchronization: Pros & Cons
  19. Password Hash Synchronization, Pros & Cons
     PHS Pros:
     • Seamless SSO experience for users connecting from the OnPrem/corporate network.
     • Very simple to deploy & administer.
     • PHS is free: no additional cost is required.
     • Integrated with the SSPR cloud solution, including password write-back to OnPrem.
     • Protects user accounts by working seamlessly with Azure MFA/CA, and by filtering out brute-force password attacks.
     • No additional OnPrem agent is required.
     • Adopt an SSO (Same Sign-On/Same Creds) approach for both cloud & OnPrem apps.
     PHS Cons:
     • (Hashes of) user account passwords are synchronized to Azure: if your security policies/requirements or local regulations prevent you from synchronizing (hashed) passwords to the cloud, PHS has to be bypassed!
     • Distributes the password to more than one place for authentication.
  20. Pass-Through Authentication: What is it?
  21. Pass-Through Authentication, What is it? PTA, or Pass-Through Authentication, is a Sign-On option that allows OnPrem users to SSO to Microsoft SaaS apps or any other cloud SaaS apps that trust Azure AD (e.g. Facebook, Salesforce, etc.). PTA allows you to synchronize ONLY user accounts to Azure AD and leave their (hashed) passwords OnPrem. The authentication process takes place OnPrem and your (hashed) passwords never leave your
  22. Pass-Through Authentication: How PTA Works?
  23. How PTA Works?
  24. Pass-Through Authentication: Pros & Cons
  25. Pass-Through Authentication, Pros & Cons
     PTA Pros:
     • User account hashed passwords are kept OnPrem and don't need to leave the internal/corporate network.
     • PTA allows the authentication process itself to take place on premises.
     • Seamless SSO experience for users connecting from the OnPrem/corporate network.
     • Easy to deploy & administer.
     • PTA is free: no additional cost is required.
     • Integrated with the SSPR cloud solution, including password write-back to OnPrem.
     • Protects user accounts by working seamlessly with Azure AD Conditional Access policies, including MFA, and by filtering out brute-force password attacks.
     PTA Cons:
     • Requires a highly available company Internet connection.
     • At least two PTA agents must be deployed for high availability. They can be deployed on the AADC server or any existing server.
  26. Use PHS or PTA and take advantage of Azure AD benefits:
     • Authentication to applications via:
       • OpenID Connect / OAuth2
       • WS-Federation / SAML
       • Windows Kerberos authentication (by using Azure AD Application Proxy)
     • Self-service for:
       • Password reset, application and group management
     • MFA
     • Conditional Access
     • Identity Protection
     • And more…
  27. To help you take the right Design decision: ADFS vs PHS vs PTA?
  28. Use case (columns: ADFS / PHS / PTA):
     • If you want to keep the user account passwords OnPrem
     • If you want the authentication process/policies taking place OnPrem
     • If you want to apply all OnPrem password and account lockout policies
     • If you want to deploy a simple and easy AD-to-AAD solution
     • If you want to re-use your existing third-party MFA solution
     • If you want a Seamless SSO experience for end users connecting from the OnPrem/corporate network
     • If you want to take advantage of all cloud authentication capabilities and scalability (CA / MFA / IDMgmt…)
     • If you want to distribute the password to more than one place for authentication
     • If you want to adopt the Same Sign-On approach (one credential: username+password) for both cloud & OnPrem app access
  29. Any questions? Feel free to contact me if you have any question or need more information about a specific option/sync scenario.
  30. About the Author
     • Microsoft MVP: Windows Expert-IT Pro (2014-2015); Cloud and Datacenter Management (2016); Enterprise Mobility (since 2017)
     • TechNet Contributor: MTFC (Microsoft Technical French Contributor); MCC (Microsoft Community Contributor)
     • Founder @BecomeITExpert.com
     • Co-Founder @K&K Group
     • IT Author (+10): RDS 2012 R2 and 2016 Pocket Consultant; RDS Migration guide; RDS & OS Security & Hardening guide; Azure CLI 2.0 Pocket Consultant
     • Lead Cloud Security Architect: working for several large companies and international groups including Thales, Rabobank, Gemalto, Vinci…
     • IT Blogger: hichamkadiri.wordpress.com; AskTheCloudExpert.wordpress.com; ~2 million views
     • /hicham_kadiri  /in/hichamkadiri
  31. #HK
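Slides 15–17 say PHS sends "(hashed) passwords" to Azure AD, and the terminology slide lists MD and PBKDF as the two ingredients. The following Python is an added example, not code from this presentation or from Microsoft; it follows Microsoft's published description of the PHS re-hashing step (the 16-byte NT/MD4 hash is hex-encoded, re-encoded as UTF-16LE to 64 bytes, salted with a random 10-byte per-user salt and run through PBKDF2-HMAC-SHA256 for 1000 iterations). The sample NT hash and salt are constructed, and lowercase hex is an assumption. The point for a design decision: what lands in the cloud is a salted derivation, not the on-prem NT hash, so a leak of the synced value does not hand out a hash usable against the OnPrem domain.

```python
"""Constructed illustration of the PHS re-hashing step (AADC -> Azure AD).

Not the presentation's or Microsoft's code; it mirrors Microsoft's published
description of Password Hash Synchronization so the transformation can be
inspected offline.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1000   # iteration count Microsoft documents for PHS
SALT_LEN = 10              # per-user salt length Microsoft documents for PHS


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte NT hash to 64 bytes: hex string, then UTF-16LE.

    Lowercase hex is an assumption; the documented description does not say.
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def phs_cloud_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """The 32-byte value that is actually synchronized for the user."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def cloud_verify(nt_hash_at_login: bytes, salt: bytes, stored: bytes) -> bool:
    """Cloud-side check: recompute from the login's NT hash and the synced salt,
    compare in constant time."""
    return hmac.compare_digest(phs_cloud_hash(nt_hash_at_login, salt), stored)


def new_user_salt() -> bytes:
    """Per-user random salt, generated once per sync of the user's hash."""
    return os.urandom(SALT_LEN)


# Constructed sample NT hash (not any real account's value) and a fixed salt
# so the output is reproducible; real deployments use new_user_salt().
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SALT = bytes(range(SALT_LEN))

if __name__ == "__main__":
    synced = phs_cloud_hash(SAMPLE_NT_HASH, SAMPLE_SALT)
    print("expanded input length:", len(expand_nt_hash(SAMPLE_NT_HASH)))
    print("synced value         :", synced.hex())
    print("verifies at sign-in  :", cloud_verify(SAMPLE_NT_HASH, SAMPLE_SALT, synced))
    print("equals NT hash       :", synced == SAMPLE_NT_HASH)
```

Changing the salt changes the synced value, which is why the synced value cannot be compared across tenants or users and cannot be replayed OnPrem.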
