How To Extend your AD Domain to Azure AD ?
(diagram: hkroot.lan, the on-premises AD domain, extended to hkroot.com, the Azure AD tenant)
Author : Hicham KADIRI
Document version : 1.0
Date : 12/03/2018
• Terminology
• Users Sign-On Methods You Should Know
• ADFS Method
• ADFS, at what cost ?
• How ADFS Works ?
• ADFS Pros & Cons
• PHS Method
• How PHS Works ?
• PHS Pros & Cons
• PTA Method
• How PTA Works ?
• PTA Pros & Cons
• To help you take the right “Design” decision
Terminology
• AD : Active Directory
• DC : Domain Controller
• RODC : Read-Only Domain Controller
• WDC : Writable Domain Controller
• AAD : Azure Active Directory
• PHS : Password Hash Synchronization
• PTA : Pass-through Authentication
• ADFS : Active Directory Federation Services
• AADC : Azure Active Directory Connect
• STS : Security Token Service
• SSO : Single Sign-On
• MD : Message Digest
• PBKDF : Password Based Key Derivation Function
Users Sign-On Methods You Should Know
On-premises user sign-on options are :
• Federation with Active Directory Federation Services (ADFS)
• Password Hash Synchronization (PHS)
• Pass-through Authentication (PTA) : new !
• Important note
All three methods require the user accounts to be synchronized to Azure AD (by Azure AD Connect) first; what differs between them is where the password is verified and whether a hash of it is stored in the cloud.
(diagram: the HKRoot.lan on-premises domain synchronized to the HKRoot.com Azure AD tenant)
Active Directory Federation Services, What is it ?
ADFS (Active Directory Federation Services) is a Windows Server role available on Windows Server 2008/2008 R2, 2012/2012 R2 and 2016.
ADFS provides users with single sign-on access to systems and applications located across organizational boundaries : SSO for internal and external access to web applications. It uses a claims-based access-control model to secure applications and implement federated identity.
Claims-based authentication means an application authenticates a user from a set of claims about their identity (UPN, group membership, e-mail…) carried in a token signed by a trusted Security Token Service (STS); the application itself never sees the password. Because any token signed by the STS is trusted, the ADFS token-signing key must be protected like a domain controller: whoever holds it can mint valid tokens for any user.
Active Directory Federation Services, At What Cost ?
This requires at least 4 (physical or virtual) servers (typically two ADFS servers plus two Web Application Proxy servers in the DMZ for high availability), public SSL certificates and ongoing management effort. In addition, ADFS depends on a highly available company Internet connection and, for farms that outgrow the Windows Internal Database, on a clustered SQL Server infrastructure.
Active Directory Federation Services, How ADFS Works ?
(diagram: datacenter to Azure AD flow) The application (or Azure AD, for a federated domain) redirects the user's browser to the ADFS STS in the datacenter. ADFS authenticates the user against an on-premises domain controller (Integrated Windows Authentication from inside the network, forms-based sign-in through the Web Application Proxy from outside), issues a signed token containing the user's claims, and the browser posts that token back to the application, which validates the signature and trusts the claims. Azure AD never sees the password or a hash of it; it only ever sees tokens.
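Claims-based authentication as the relying party sees it, as an added example (not code from the deck or from ADFS): an STS issues a token carrying the user's claims, and the application accepts those claims only after checking signature, issuer, audience and validity window, never touching the password. Assumptions: a JWT-style compact token signed with HMAC-SHA256 over a shared key stands in for the ADFS token-signing certificate (real ADFS tokens are SAML or JWT signed with the STS private key and checked against its public certificate), and the issuer URL, audience identifier, key and the sample claims for alice@hkroot.com are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for the real environment (assumptions, not from the deck).
STS_KEY = b"hkroot-sts-signing-key-for-demo-only"      # stands in for the ADFS token-signing certificate
STS_ISSUER = "http://sts.hkroot.com/adfs/services/trust"  # hypothetical ADFS issuer identifier
APP_AUDIENCE = "urn:hkroot:expenses"                      # hypothetical relying-party identifier


class TokenRejected(Exception):
    """Raised by the relying party when a token fails any trust check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key, issuer, audience, lifetime=3600, now=None):
    """STS side: after authenticating the user against AD, wrap the claims in a
    signed token. Anyone holding `key` can mint tokens for any user, which is why
    the ADFS token-signing key is a tier-0 secret."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iss=issuer, aud=audience, nbf=now, exp=now + lifetime)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(token, key, trusted_issuer, expected_audience, now=None):
    """Relying-party side: the application never sees the password; it accepts
    the claims only if every trust check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token choose it (alg=none style attacks).
        raise TokenRejected("unexpected algorithm")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != trusted_issuer:
        raise TokenRejected("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise TokenRejected("token issued for a different relying party")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise TokenRejected("token not yet valid or expired")
    return claims


def demo(now=1600000000):
    """Run the checks against a good token and three bad ones; returns the outcomes."""
    claims = {"upn": "alice@hkroot.com", "role": "Finance"}  # constructed sample claims
    good = issue_token(claims, STS_KEY, STS_ISSUER, APP_AUDIENCE, now=now)
    header_b64, payload_b64, sig_b64 = good.split(".")

    # An attacker edits the role claim but cannot re-sign without the STS key.
    forged_payload = json.loads(b64url_decode(payload_b64))
    forged_payload["role"] = "Domain Admins"
    tampered = header_b64 + "." + b64url_encode(json.dumps(forged_payload).encode()) + "." + sig_b64

    # A token legitimately issued for another application, replayed against this one.
    other_app = issue_token(claims, STS_KEY, STS_ISSUER, "urn:hkroot:payroll", now=now)

    outcomes = {}
    for name, token, at in [("valid", good, now + 10), ("tampered", tampered, now + 10),
                            ("wrong_audience", other_app, now + 10), ("expired", good, now + 7200)]:
        try:
            outcomes[name] = validate_token(token, STS_KEY, STS_ISSUER, APP_AUDIENCE, now=at)["upn"]
        except TokenRejected as err:
            outcomes[name] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The four outcomes returned by `demo()` are the whole trust model in miniature: the application has no credential to check, only a signature and three claims it must validate itself (`iss`, `aud`, `nbf`/`exp`). Skipping the audience check is the classic mistake, since a token minted for one relying party then works against every other one trusting the same STS.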
Active Directory Federation Services, Pros & Cons ?
ADFS Pros
• User account password hashes are kept on-premises and never leave the internal/corporate network (now also offered by the PTA option)
• ADFS allows the authentication process itself to take place on-premises (now also offered by the PTA option)
• Seamless SSO experience for users connecting from the on-premises/corporate network (now also offered by PHS/PTA with Seamless SSO)
• Your existing third-party MFA solution can be used with Azure AD (now also supported by Azure AD Conditional Access custom controls)
ADFS Cons
• ADFS is not free: significant server costs, setup and configuration effort, public SSL certificates required, ongoing maintenance costs, no repeatability, and more apps = more cost
• ADFS is not a complete solution: limited app support, no provisioning, no monitoring and no reporting
• A complex federation solution that requires strong technical skills
• Requires a highly available company Internet connection: if the farm or the link is down, nobody signs in to the cloud either
• Federation does not give you cloud authentication scalability or Identity Protection, and may require manual certificate rollover (the token-signing certificate must be renewed before it expires and its private key protected, since whoever holds it can mint tokens for any user)
• Finally, what about planned recovery from the loss of ADFS availability? How do you deal with that? Plan and test the fallback (converting the federated domain to managed authentication with PHS or PTA) before you need it.
Password Hash Synchronization, What is it ?
PHS (Password Hash Synchronization) is a sign-on option that allows on-premises users to sign in (SSO) to Microsoft SaaS apps or any other cloud SaaS app that trusts Azure AD (e.g. Facebook, Salesforce…).
PHS synchronizes the on-premises user accounts and a hash of their password hash to your Azure AD tenant, so that Azure AD can verify passwords itself without calling back into the datacenter.
Password Hash Synchronization, How PHS Works ?
(diagram) Every two minutes Azure AD Connect requests the stored password hashes (the unicodePwd attribute, i.e. the MD4/NT hash) from a writable domain controller over the directory replication protocol, the same way a domain controller replicates. Before upload it adds a per-user salt and runs PBKDF2 with HMAC-SHA256 (1000 iterations) over the NT hash, then sends only that salted derivative, with its salt, to Azure AD over TLS; the NT hash itself is never sent and the clear-text password is never seen. At sign-in Azure AD applies the same derivation to the typed password and compares, so cloud sign-in keeps working when the datacenter or the Internet link is down. Security caveat: the Azure AD Connect service account needs "Replicating Directory Changes" rights (the same rights a DCSync attack abuses), so the AADC server and its account must be protected as tier-0 assets.
How to extend your Active Directory infrastructure to Azure AD
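What actually crosses the wire with PHS, as an added example (not code from the deck or from Azure AD Connect): the derivation below follows Microsoft's public description of password hash synchronization (expand the 16-byte NT hash through its hex string in UTF-16LE, add a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1000 iterations, 32-byte result) and then shows what a holder of the synced value can and cannot do with it. Assumptions: the uppercase hex in the expansion step and the "v1;PPH1_MD4,…" text layout are this example's own choices, the sample starts from the well-known NT hash of the password "password" rather than computing MD4 (hashlib often lacks MD4 on OpenSSL 3 builds), and the salt used in the demo is constructed.

```python
import hashlib
import hmac
import os

# Parameters from Microsoft's public description of PHS.
PBKDF2_ITERATIONS = 1000
SALT_LEN = 10          # per-user salt, bytes
DERIVED_LEN = 32       # PBKDF2-HMAC-SHA256 output, bytes

# Constructed sample input: the well-known NT (MD4) hash of the password "password".
# We start from the NT hash because MD4 is disabled in many OpenSSL 3 builds of hashlib.
NT_HASH_OF_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Step 1: 16-byte NT hash -> 32-char hex string -> UTF-16LE bytes (64 bytes).
    Uppercase hex is an assumption; the public description does not state the case."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().upper().encode("utf-16-le")


def orgid_hash(nt_hash: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Steps 2-3: add the per-user salt and derive 32 bytes with PBKDF2-HMAC-SHA256.
    This is a one-way function of the NT hash: the output cannot be turned back into
    the NT hash, so it is useless for pass-the-hash or Kerberos against on-prem AD."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations, DERIVED_LEN)


def sync_blob(nt_hash: bytes, salt: bytes = None) -> str:
    """What is uploaded per user: salt, iteration count and derived hash (hex).
    The 'v1;PPH1_MD4,...;' text layout is this example's own format (assumption)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return "v1;PPH1_MD4,%s,%d,%s;" % (salt.hex(), PBKDF2_ITERATIONS, orgid_hash(nt_hash, salt).hex())


def parse_blob(blob: str):
    """Inverse of sync_blob: returns (salt, iterations, derived_hash)."""
    if not (blob.startswith("v1;") and blob.endswith(";")):
        raise ValueError("unexpected blob format")
    algo, salt_hex, iters, digest_hex = blob[3:-1].split(",")
    if algo != "PPH1_MD4":
        raise ValueError("unexpected algorithm tag")
    return bytes.fromhex(salt_hex), int(iters), bytes.fromhex(digest_hex)


def verify_nt_hash(blob: str, candidate_nt_hash: bytes) -> bool:
    """What Azure AD does at sign-in (after computing the NT hash of the typed
    password), and also what an attacker holding a stolen blob can do: test
    candidate NT hashes offline, one PBKDF2 run per guess. Constant-time compare."""
    salt, iterations, digest = parse_blob(blob)
    return hmac.compare_digest(orgid_hash(candidate_nt_hash, salt, iterations), digest)


if __name__ == "__main__":
    blob = sync_blob(NT_HASH_OF_PASSWORD)
    print("synced value:", blob)
    print("NT hash present in synced value?", NT_HASH_OF_PASSWORD.hex() in blob.lower())
    print("verifies with the right NT hash:", verify_nt_hash(blob, NT_HASH_OF_PASSWORD))
    print("verifies with a wrong NT hash:  ", verify_nt_hash(blob, bytes(16)))
```

Two things the deck's pro/con lists hinge on are visible here: the NT hash never appears in the synced value, so a stolen copy cannot be replayed as a pass-the-hash credential on-premises, but `verify_nt_hash` shows that it remains an offline-guessable verifier at one PBKDF2 run (1000 iterations) per candidate, which is why the cloud copy still needs strong passwords, MFA and tight control over who can read tenant data.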
Password Hash Synchronization, Pros & Cons ?
PHS Pros
• Seamless SSO experience for users connecting from the on-premises/corporate network
• Very simple to deploy and administer
• PHS is free: no additional cost is required
• Integrated with the cloud SSPR solution, including password write-back to on-premises AD
• Protects user accounts by working seamlessly with Azure MFA / Conditional Access, and by filtering out brute-force password attacks (smart lockout); Identity Protection's leaked-credential detection also depends on PHS
• No additional on-premises agent is required
• Same sign-on (same credentials) approach for both cloud and on-premises apps
PHS Cons
• (A hash of) user account passwords is synchronized to Azure: if your security policies/requirements or local regulations prevent you from synchronizing (hashed) passwords to the cloud, PHS is ruled out
• The credential is distributed to more than one place for authentication, and on-premises account lockout and logon-hour policies are not evaluated at cloud sign-in (only the cloud smart lockout is)
Pass-through Authentication, What is it ?
PTA (Pass-through Authentication) is a sign-on option that allows on-premises users to sign in (SSO) to Microsoft SaaS apps or any other cloud SaaS app that trusts Azure AD (e.g. Facebook, Salesforce…).
PTA synchronizes ONLY the user accounts to Azure AD and leaves their (hashed) passwords on-premises. The authentication process takes place on-premises and your (hashed) password never leaves your
Pass-through Authentication, How PTA Works ?
(diagram) The user enters the password on the Azure AD sign-in page. Azure AD encrypts it with the public key of the on-premises PTA agents and places the request on a queue; an agent, which only makes outbound HTTPS connections (no inbound ports to open), retrieves the request, decrypts the password with its private key, validates the username and password against a domain controller with the standard Windows logon API, and returns the result (success, bad password, locked out, expired…) to Azure AD, which then issues the token. Security caveat: the agent host handles clear-text passwords and can validate any user's credentials, so it must be hardened and monitored as a tier-0 system.
Pass-through Authentication, Pros & Cons ?
PTA Pros
• User account password hashes are kept on-premises and never leave the internal/corporate network
• PTA allows the authentication process itself to take place on-premises, so on-premises password and account lockout policies apply at sign-in
• Seamless SSO experience for users connecting from the on-premises/corporate network
• Easy to deploy and administer
• PTA is free: no additional cost is required
• Integrated with the cloud SSPR solution, including password write-back to on-premises AD
• Protects user accounts by working seamlessly with Azure AD Conditional Access policies, including MFA, and by filtering out brute-force password attacks
PTA Cons
• Requires a highly available company Internet connection: if no agent can reach Azure AD, cloud sign-in fails (Microsoft recommends enabling PHS alongside PTA as a fallback)
• At least two PTA agents must be deployed for high availability; they can run on the Azure AD Connect server or on any existing domain-joined server
Use PHS or PTA and take advantage of Azure AD
Benefits
• Authentication to applications via :
• OpenID Connect /OAuth2
• WS-Federation /SAML
• Windows Kerberos Authentication (by using Azure AD Application Proxy)
• Self-Service for :
• Passwords reset, application and group management
• MFA
• Conditional Access
• Identity Protection
• And more…
To help you take the right Design decision
ADFS vs PHS vs PTA ?
Use case (the methods that fit each row follow the Pros & Cons slides above) :
• If you want to keep the user account passwords on-premises : ADFS, PTA
• If you want the authentication process/policies to take place on-premises : ADFS, PTA
• If you want to apply all on-premises password and account lockout policies at sign-in : ADFS, PTA
• If you want to deploy a simple and easy AD-to-AAD solution : PHS, PTA
• If you want to re-use your existing third-party MFA solution : ADFS
• If you want a seamless SSO experience for end users connecting from the on-premises/corporate network : ADFS, PHS, PTA
• If you want to take advantage of all cloud authentication capabilities and scalability (Conditional Access / MFA / identity management…) : PHS, PTA
• If you accept distributing the password (hash) to more than one place for authentication : PHS
• If you want to adopt the same sign-on approach (one credential: username + password) for both cloud and on-premises app access : ADFS, PHS, PTA
Any questions ?
Feel free to contact me if you have any question or need more information about a specific option or sync scenario.
About the Author
Microsoft MVP
• Windows Expert-IT Pro (2014-2015)
• Cloud and Datacenter Management (2016)
• Enterprise Mobility (since 2017)
TechNet Contributor
• MTFC (Microsoft Technical French Contributor)
• MCC (Microsoft Community Contributor)
Founder @BecomeITExpert.com
Co-Founder @K&K Group
IT Author (+10)
• RDS 2012 R2 and 2016 Pocket Consultant
• RDS Migration guide
• RDS & OS Security & Hardening guide
• Azure CLI 2.0 Pocket Consultant
Lead Cloud Security Architect
• Working for several large companies and international groups including Thales, Rabobank, Gemalto, Vinci…
IT Blogger
• hichamkadiri.wordpress.com
• AskTheCloudExpert.wordpress.com
• ~2 million views
/hicham_kadiri
/in/hichamkadiri
#HK