Azure AD and Office 365 - Deja Vu All Over Again
2. Azure AD and Office 365: déjà vu all over again
Mark Diodati
Research VP/IAM Agenda Manager
mark.diodati@gartner.com
@mark_diodati
Sean Deuby
Solutions Architect
Sean.deuby@edgile.com
@shorinsean
3. 62% of Gartner clients have or will migrate to Office 365
80% of the Global 500
65% of the Fortune 1000
4. A Tail Wagging a Very Large Dog
Office 365 is driving Azure AD adoption
• As Exchange drove Active Directory adoption
• If you want the app, you must have the platform
• 3rd party IDaaS from Okta, Centrify, Ping Identity and others work with Azure AD
Azure AD > authentication service for Office 365
• Identity platform for all Microsoft Online Services
• Full blown IDaaS (SaaS SSO, on-premises app publishing, MFA, on-prem integration)
5. It’s a Big Dog
• 10 million Azure AD tenants
• Mostly < 500 accounts, cloud only
• More than half a billion users
• 1.3 billion logins per day
• Detects and mitigates 10 million attacks per day
• 4 billion in the last 12 months
• 100K organizations syncing on-premises Active Directory with Azure AD
10. Questions
“How do we connect our enterprise users to Office 365 and other Azure AD-protected applications?”
Connecting users requires
• Admin-time actions: Users must be provisioned/managed into Azure AD’s identity store
• Runtime actions: Users must authenticate to Azure AD before accessing resources (SAML or password)
11. User Management Selection (flowchart). Decision points: Strategic IGA product deployed? IGA product supports Azure AD? Is password sync or management important? IAM for SaaS apps exclusively via Azure AD? Is a single-vendor solution important? Outcomes: Use IGA product; Use IGA and AD Connect; Use AD Connect; Use 3rd party directory sync; Use 3rd party directory sync and AD Connect; Re-evaluate directory sync requirements.
12. User Management Options
• Use 3rd party directory sync
• Use IGA and AD Connect
• Use AD Connect
• Use IGA product
• Use 3rd party directory sync and AD Connect
14. AD Connect Password Management*
[Diagram: Azure AD Connect relays an encrypted password change attempt between Azure AD and on-premises AD]
* Other IDaaS vendors can do this, too.
15. AD Connect Password Hash Sync*
[Diagram: Azure AD Connect carries the on-premises AD password hash (sample value 8743b52063cd84097a65d1633f5c74f5) to Azure AD, labelled “Hash” on both sides]
* Unique to Azure AD and AD Connect.
17. Use AD Connect (flowchart detail). Decision points: No on-prem IAM to SaaS apps? Is password sync or Azure AD DS important?
18. IGA Product Doesn’t Support Azure AD | Pw Sync / AAD DS? (flowchart detail). Decision point: Strategic IGA product deployed? Outcomes: Use IGA product; Use IGA and AD Connect.
19. Password Sync / AAD DS Important? (flowchart detail). Decision point: On-premises provisioning to SaaS apps? Outcomes: Use 3rd party directory sync; Use 3rd party sync and AD Connect.
20. User Management Selection flowchart (repeat of slide 11) and User Authentication Selection (flowchart). Authentication decision points: Federation to Azure AD only? Many on-premises connections to SaaS apps? Federated SP required? SP for Windows and SAML apps only? SSO requirement? Low assurance requirement? Outcomes: Use AD FS; Use 3rd party federation; Use AD Connect.
27. Azure MFA
• Second factor authentication for all Azure AD-integrated resources
• Originally acquired from PhoneFactor
• Focuses on phone
• Smart (voice, SMS, app)
• Feature (voice, SMS)
• Landline (voice)
• Soft token in the app
28. Azure MFA vs. MFA Server
• Azure MFA service
• Protects Azure AD-integrated resources
• MFA Server
• Hybrid solution
• On-premises server(s)
• Protects on-premises services
• VPN, Remote Desktop, IIS apps
• Can protect Azure AD resources (with AD FS)
29. Which Type Of MFA Do I Need?
It’s (mostly) about where the IdP is
• Microsoft cloud (Azure AD): Azure MFA
• On premises (AD FS): MFA Server or 3rd party
Resource protected, and which product covers it (Azure MFA / MFA Server):
Azure AD IdP
• Azure AD native AuthN: Azure MFA
• Office 365: Azure MFA; MFA Server (if AD FS)
• Azure AD-integrated SaaS apps (per app basis): Azure MFA
• On-premises apps published to Azure AD via Azure App Proxy: Azure MFA
On-premises (e.g. AD DS) IdP
• Azure AD AuthN (via AD FS): MFA Server
• VPN access to corpnet: MFA Server
• Remote Desktop to corpnet: MFA Server
• IIS applications: MFA Server
• SP-initiated SaaS login via AD FS: MFA Server
30. Directions & Recommendations
• Where is this hybrid product going?
• Overall solution will incrementally gain capabilities
• Azure MFA is the strategic service
• MFA Server is stable but not being enhanced
• Capabilities are being picked up by other services
• AD FS 2016 built-in Azure MFA adapter
• Prediction: Connector tech (like AAD App Proxy) to replace other capabilities
• Recommendations
• Azure MFA very smartphone focused
• Bundling with other services makes pricing attractive
• Only option for fine-grained MFA in Microsoft Online Services
33. Microsoft’s B2B Model
• 10 Million organizations in Azure AD today…
• …Why not use Azure AD for the B2B infrastructure?
• B2BaaS
• If you aren’t in Azure AD…we’ll add you automagically
• Partner org identities made available to you
• You control access
• They control their identities
34. Azure B2B Access Model
Invite
• Creates CSV file of invited partner employees
• Uploads to Azure – invites are sent
Accept
• Invitee accepts invitation
• If in Azure AD: Sign in
• Not in Azure AD: Sign up / viral tenant created
Access
• Invitee created as external user in inviter’s directory
• Access granted to user
35. Strengths
• B2B infrastructure is handled for you
• Scalable to many partners
• You control access without managing their identities
• Supports
• SaaS apps
• Azure services
• Other claims-aware apps
• Essentially free to Azure AD-using organizations
36. Current Flat Spots
• External user is copied from partner directory, not linked
• Outside of identity lifecycle management
• User authenticates against their home directory
• Can delete
• No attestation yet
• CSV file
• PowerShell, invite API not yet supported
• Does not support social email providers yet (e.g. gmail)
37. Stuff We Didn’t Get To
• Azure AD Domain Services
• Graph API for provisioning
• Adaptive/Conditional Access
• OpenID Connect
• SSO to On-Premises Applications (App Proxy)
The more observant of you may have noted that my esteemed co-presenter, Mark Diodati of Gartner, is not here.
He had to cancel at the last minute, thanks to a careless cyclist on the wrong side of the bike trail, and had surgery on his shoulder yesterday, so send him your best wishes.
As a result, I’ll be presenting Mark’s material. Unfortunately I didn’t have time to come up with one of Mark’s trademark sweater vests!
He does give his best regards to all and wishes he could be here. I’ve done my part to make him feel included < show photo > so if you have any questions I can’t answer, I’ll just pretend that’s Mark’s material so you can talk to the photo!
It’s impossible to survey Azure AD and o365
https://blogs.technet.microsoft.com/enterprisemobility/2016/01/05/best-way-to-connect-to-office-365-and-azure-ad-latest-data-azure-ad-connect-momentum/
Big: https://blogs.technet.microsoft.com/ad/2016/05/05/major-coolness-microsoft-security-intelligence-report-20-highlights-azuread-identity-protection/
100K customers syncing: https://blogs.technet.microsoft.com/ad/2016/04/13/100000-customers-are-syncing-on-premises-directories-with-azure-ad/
Large tenants make up 91% of all users
Gartner’s forward-thinking clients are starting to look at IAM not as a pure service in itself any more, but as something built into an IaaS. This speaks well for Azure AD and its IAM capabilities such as Azure AD Domain Services.
AWS doesn’t have an identity store with real users, and doesn’t have an OpenID Connect or SAML provider (it’s a SAML service provider but not an identity provider).
The duopoly that’s emerging is that Azure AD wins on identity features, but AWS wins on IaaS features because of the depth and breadth of its services.
A very common question from Gartner customers is…
Users must be in Azure AD’s own identity store, because Azure AD is never going to reach back into your on-premises AD at run time: Microsoft would then be on the hook for YOUR availability (firewall, network connectivity, DC availability) against their SLA. All SaaS providers work this way.
Okta and Centrify can do this too.
Password hash sync is a capability that no other identity bridge provider can offer, because of Microsoft’s ownership of both on-premises AD and Azure AD. The AD password hash is captured and written into the Azure AD credential cache to provide a consistent (not single) sign-on experience.
If a third party wanted to do this, you’d have to force users through their portal where the password could be captured, or install filters on every DC in the domain. Possible, but very difficult.
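To make the “hash of the hash” idea concrete, here is an added Python model (not Microsoft’s or AD Connect’s code) of what such a sync agent sends to the cloud and how the cloud side checks a login against it. It takes the slide’s sample hash as a stand-in NT hash and assumes a per-user salt plus an iterated PBKDF2-HMAC-SHA256 re-hash, so the stored cloud value is never the on-premises hash itself; the parameters are illustrative assumptions, not Microsoft’s production values.

```python
import hashlib
import hmac
import os

# Constructed sample: the 16-byte hash from the slide, standing in for a
# user's on-premises NT hash (the plaintext password is never involved).
ONPREM_HASH_HEX = "8743b52063cd84097a65d1633f5c74f5"

# Assumed parameters for the salted, iterated "hash of the hash".
SALT_LEN = 10
ITERATIONS = 1000
OUT_LEN = 32


def expand_hash(onprem_hash):
    """Expand the 16-byte hash to 64 bytes: hex string, then UTF-16LE."""
    if len(onprem_hash) != 16:
        raise ValueError("expected a 16-byte on-premises hash")
    return onprem_hash.hex().encode("utf-16-le")


def derive_cloud_hash(onprem_hash, salt):
    """Value the sync agent would write to the cloud credential cache."""
    return hashlib.pbkdf2_hmac("sha256", expand_hash(onprem_hash),
                               salt, ITERATIONS, OUT_LEN)


def sync_record(onprem_hash_hex, salt=None):
    """Build the record that leaves the premises: salt + derived hash only."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    onprem = bytes.fromhex(onprem_hash_hex)
    return {"salt": salt, "cloud_hash": derive_cloud_hash(onprem, salt)}


def verify_cloud_login(record, presented_hash_hex):
    """Cloud side: re-derive from the hash the client presents and compare."""
    candidate = derive_cloud_hash(bytes.fromhex(presented_hash_hex),
                                  record["salt"])
    return hmac.compare_digest(candidate, record["cloud_hash"])


if __name__ == "__main__":
    rec = sync_record(ONPREM_HASH_HEX)
    print("synced:", rec["cloud_hash"].hex())
    print("login ok:", verify_cloud_login(rec, ONPREM_HASH_HEX))
```

Because the cloud value is salted and iterated, a copy of the cloud record cannot be replayed against on-premises AD, which is the property that lets hash sync coexist with the on-premises credential store.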
If you aren’t connecting to SaaS apps from on-premises, only from Azure AD, AD Connect is fine because it only syncs to Azure AD.
If you’re doing local connections you need a more fully-featured synchronizer.
If you’re happy with your IGA system, and it has a connector to provision to Azure AD, use it.
If it doesn’t provision to Azure AD, use IGA to manage on-premises in conjunction with AD Connect to sync with Azure AD.
Radiant Logic, PingFed
If you’re provisioning to an existing set of apps, aint br
What’s new in AD FS 2016: https://technet.microsoft.com/en-us/library/mt617220.aspx
What’s the need for B2B?
Companies collaborating with other companies
Getting the talent
Spreading the risk
Supply chain networks
Partners
The need
• Cross-org collaboration with clear security between what’s allowed and what’s not
Traditional B2B access control models have a number of shortcomings
• Inter-org federation partnerships
  • Require sophisticated infra for the (perhaps small) partner
  • Complexity grows linearly, gets unwieldy for large corporations
  • Very limited partner user level visibility (just what’s in the security token)
• Internally managed partner directories
  • More creds for partners to remember, lose, get stolen
  • Typically not managed as closely as employee accounts = attack vector
  • Not connected to partner’s identity lifecycle, thus not kept current (zombies)
“The hackers that carried out the massive data breach at Target Corp. appear to have gained access via a refrigeration contractor in Pittsburgh that connected to the retailer's systems to do electronic billing.”
– Wall Street Journal
“Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network.”
– Home Depot
“If I want to attack Fort Knox and I know they have locks and guards and strong security, it is easier to attack one of their providers who already have access to the gold.”
– James Christiansen, VP, Accuvant
Invitation: Azure AD > Users > Add Users > Users in partner companies > upload file > click on link for batch status report as invitations are sent out
External user management and limitations: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/#external-user-management-and-limitations
CSV file is source for invitations
The apps and groups a partner user is assigned to are stored in a list as AppPrincipalIDs and ObjectIDs, which must be looked up via PowerShell.