Welcome to the Office 365 Migration Primer course. I'm your instructor, Jim Daniels. And today we're gonna go over Module 3, Identity, and we're gonna go with the lesson for ADFS. So in this lesson, we're gonna talk about what ADFS is and how it can be used for Office 365 authentication.

Active Directory Federation Services, ADFS for short. ADFS is the federation service that's part of the Windows Server roles; it is a feature that is included with the server OS. ADFS 4.0 is included with Server 2016. It allows seamless access to Office 365 by establishing a trust between O365 and your on-premise Active Directory.
So let's take a look at the workflow with ADFS. ADFS uses a claims-based access control authorization model to maintain security and implement federated identity. Claims-based authentication is a process where you authenticate a user based on a set of claims about their identity contained in a token. All right, claims-based equals token; we have to have the token.

So think of it like a driver's license. You have a driver's license; that is a token to authenticate who you are. Otherwise, you could say you're anyone and there's no real accountability or authentication for it.
So let's follow the workflow. First, the user, who could be anywhere in the world, requests access to Office 365. Office 365 then says, "Hey, your tenant is set up for ADFS. I'm gonna need a token. It has to be claims-based." The user then says, "Wait, I don't have a token. I'm going to request a token from the ADFS environment." In turn, the ADFS environment says, "Okay, I'm gonna talk to the on-prem AD server and request authentication for this user." The AD server goes through: okay, this user passed authentication, everything is legitimate. It then tells the ADFS server, "Hey, he's good." ADFS then says to the user, "Here's your token." Now the user sends that token to Office 365, which then, in turn, grants access to the resource.

In a nutshell, that's ADFS. That's how it works. That's the workflow with ADFS.
Now let's take a look at some of the infrastructure. You have your user, of course; he's going to make the call. That's who initiates everything. Web Application Proxy: that is your go-between. Um, that is the area that's on the outside, that faces the world, and it funnels back inside to ADFS. It's like a traffic broker. Your ADFS communicates with your Azure AD Connect or your on-premise Active Directory. Remember, Azure AD Connect we'll cover a lot more in the next lesson, but Azure AD Connect also can communicate directly with Azure AD. So in this situation we have ADFS; we have Azure AD Connect, which feeds information into ADFS, which ADFS then sends to the Web Application Proxy, or WAP, which serves as a traffic broker for the user.
We'll talk about some considerations when you use ADFS. First consideration: infrastructural requirements. Remember, we just showed you the infrastructure required. If your organization already has ADFS, it's not much additional infrastructure to authenticate Office 365. With some configuration, you stand up Azure AD Connect, you connect it, you run a wizard, you're there. However, if you do not already have ADFS, there is a requirement cost. You have to stand up servers. Consider that in your decision-making.

ADFS also provides true single sign-on. Once a user logs into your network, that token generated from their network login can be used to grant them access to a number of different resources, both on-prem and in the cloud.

ADFS also has enhanced security over some other authentication models. You can configure ADFS in ways that you cannot configure Azure AD Connect. Client access policy: that is the way you configure it. Options you can configure: you can do it based on location, based on whether the computer passes a minimum check; based on that, they can connect with ADFS. If not, you can reject their call.
Single point of failure. This is something big. Your user cannot authenticate to Office 365. Remember, ADFS comes back into your on-premise Active Directory to verify the claim. If ADFS is down, users cannot authenticate. As a backup, you can manually switch it, and there are some dynamic tools as well where you can switch it to Azure AD Connect. But just be aware of the single point of failure with ADFS.

BYOD complications. You have to configure all these different applications, all this different hardware, even for mobile devices, to use your ADFS environment. And depending on your security posture, you may not want to do this. So you have to kind of consider the whole picture. There are pros of ADFS and there are cons of ADFS.
One of the ways organizations are reducing risk with ADFS, especially the single point of failure, is the actual deployment in the cloud, so it offloads the single point of failure from their infrastructure to a more robust and stable cloud environment. With this setup, you're going to mitigate the risk of the single point of failure, but you're gonna incur some charges for compute, traffic and storage. Again, catch-22: what's good on one may not be good on the other. It all depends on your client or your organization.

Here's a diagram of ADFS in Azure, um. It's pretty simple. On the left-hand side, we have your current organization. There is an ExpressRoute, which is dedicated bandwidth that goes from your on-prem into Azure and Office 365, and then within Microsoft Azure you have your infrastructure for your ADFS setup. So for those of you curious about setting up ADFS in Azure, it is possible. It is best practice if you are setting up ADFS for your environment and you want to really mitigate and reduce a single point of failure. So with this, if your on-prem network gets hit by a tornado, um, users can still authenticate to Office 365 because, remember, ADFS is still there because it is in the cloud.
So here's a quiz question. This one can have multiple answers. I'm not looking just for one; it could be multiple. ADFS requires which of the following to serve as an identity method for Office 365? What are some requirements of ADFS? We have on-prem AD. We have the WAP server, RADIUS, Azure AD Connect, reverse proxy.

So for this question, we've talked about the requirements, and the answer is: Active Directory environment on-prem; WAP, or Web Application Proxy, that goes along with ADFS infrastructure; and Azure AD Connect. Azure AD Connect is not required for ADFS; however, it is required for ADFS if you're going to use Office 365.
Daily management of this kind of authentication model: all user objects are managed in on-premise Active Directory. Office 365 licenses and other cloud-specific attributes are managed in the Office 365 Admin Center or even the Azure AD Admin Center. Client access policies are managed on-premise, and again, they give that granular level of control over how users connect in ADFS. Client access policies are a feature of ADFS that you can really use to enhance your security and your compliance.

ADFS is a federated identity provider that can be used as an Office 365 authentication method. It has very specific infrastructural requirements, is highly customizable, and client access policies can be used with ADFS to create another layer of security and access management for your tenant and your environment.

I want to thank you for joining me, and hopefully you'll come back. In our next module we're going to cover Azure AD Connect. Thank you.
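The client access policies the lesson describes are configured on the ADFS server as issuance authorization rules written in the ADFS claim rule language. The following PowerShell script is an added example and is not part of the course material: it backs up the current rules of the Office 365 relying party trust and then applies a location-based policy that denies requests arriving through the Web Application Proxy from outside the corporate network unless the client IP falls in an allowed range, while permitting everything else. The relying party name "Microsoft Office 365 Identity Platform" is the name the standard Office 365 federation setup creates; the egress prefix 203.0.113.x and the backup path are constructed placeholders to replace with your own values.

```powershell
# Added example (not from the course): apply a location-based client access policy
# to the Office 365 relying party trust on an ADFS server.
# Run in an elevated PowerShell session on the primary ADFS server.
Import-Module ADFS

$rpName     = "Microsoft Office 365 Identity Platform"   # created by the standard O365 federation setup
$backupPath = "C:\ADFSBackup\o365-authz-rules.txt"       # constructed placeholder path
$corpEgress = '203\.0\.113\.'                            # constructed placeholder: corporate public egress prefix (regex-escaped)

# 1. Back up the existing issuance authorization rules so the change can be reverted.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
New-Item -ItemType Directory -Path (Split-Path $backupPath) -Force | Out-Null
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backupPath -Encoding UTF8

# 2. Rule set: deny extranet requests from unexpected IPs, permit everyone else.
#    insidecorporatenetwork is "false" for requests that come in via the WAP, and
#    x-ms-forwarded-client-ip carries the original client IP the proxy forwarded.
#    In issuance authorization rules a deny claim always wins over a permit claim.
$rules = @"
@RuleName = "Deny extranet access from outside the corporate egress range"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^(?!$corpEgress)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all other users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# 3. Apply the rules to the Office 365 relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# 4. Print the rules now in effect so the operator can confirm the change.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The deny rule relies on the client IP claim that the Web Application Proxy populates, so the farm should only be reachable through the WAP (or a load balancer that preserves the forwarded client address); otherwise the location check is evaluated against an address the policy did not intend. Test the rule set against a pilot group before rolling it out to the whole tenant, since a mistake here reproduces the single point of failure the lesson warns about: every Office 365 sign-in for federated users passes through these rules.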