Time
2 hours 42 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Welcome to the Office 365 Migration Primer course. I'm your instructor, Jim Daniels. And today we're gonna go over Module 3, Identity,
00:09
and we're gonna go with the lesson for ADFS. So in this lesson, we're gonna talk about what ADFS is and how it could be used for Office 365 authentication.
00:20
Active Directory Federation Services,
00:23
ADFS for short.
00:25
ADFS is the federation service that's part of Windows Server roles.
00:30
It is a feature that is included with Server OS. ADFS 4.0 is included with Server 2016.
00:39
It allows seamless access to Office 365 by establishing a trust
00:44
between O365 and your on-premise Active Directory.
00:49
So let's take a look at the workflow with ADFS.
00:53
ADFS uses a claims-based access control authorization model
00:58
to maintain the security and implement federated identity.
01:02
Claims-based authentication is a process where you authenticate a user based on a set of claims about its identity contained in a token.
01:11
All right, claims-based equals token. We have to have the token.
01:15
So think of it like a driver's license.
01:19
You have a driver's license; that is a token
01:22
to authenticate who you are.
01:23
Otherwise, you could say you're anyone and there's no
01:27
real accountability or authentication for
01:30
So let's follow the workflow
01:34
First, the user who could be anywhere in the world
01:38
requests access with Office 365.
01:41
Office 365 then says, Hey, your tenant is set up for ADFS.
01:46
I'm gonna need a token. It's claims-based.
01:49
The user then says, Wait, I don't have a token.
01:52
I'm going to request a token from the ADFS environment.
01:57
In turn, the ADFS environment says, Okay,
02:00
I'm gonna talk to the on-prem AD server and request authentication for this user.
02:06
The AD server goes through: okay, this user passed authentication, everything is legitimate.
02:12
They then tell the ADFS server, Hey, he's good.
02:15
ADFS then says to the user, Here's your token.
02:20
Now the user sends that token,
02:23
the verified claim,
02:24
to Office 365, which then, in turn, grants access to the resource.
02:31
In a nutshell, that's ADFS. That's how it works. That's the workflow with
02:38
Now let's take a look at some of the infrastructure.
02:40
You have your user. Of course, he's going to make the claim. That's who initiates everything.
02:46
Web Application Proxy: that is your go-between.
02:50
Um, that is the area that's on the outside that faces the world,
02:55
and it funnels back inside to ADFS. It's like a traffic broker.
03:00
Your ADFS communicates with your Azure AD Connect or your on-premise Active Directory.
03:07
Remember, Azure AD Connect we'll cover a lot more next lesson, but Azure AD Connect also can communicate directly with Azure AD.
03:19
So in this situation we have ADFS,
03:22
we have Azure AD Connect, which feeds information into ADFS,
03:27
which ADFS then feeds to the Web Application Proxy, or WAP,
03:32
which serves as a traffic broker for the user.
03:38
We'll talk about some considerations when you use ADFS.
03:44
First consideration: infrastructure requirements.
03:46
Remember, we just showed some of the infrastructure required.
03:51
If your organization already has ADFS,
03:53
it's not much additional infrastructure
03:57
to authenticate Office 365. With some configuration,
04:00
you stand up Azure AD Connect, you connect it, you run a wizard, you're there. However, if you do not already have ADFS,
04:11
there is a requirement, because
04:13
you have to stand up servers.
04:15
Consider that in your decision by him,
04:18
ADFS provides true single sign-on.
04:23
Once a user logs into your network,
04:26
that token generated from their network login can be used to grant them access to a number of different resources, both on-prem and in the cloud.
04:35
ADFS also has enhanced security over some other authentication models.
04:41
You can configure ADFS in ways that you cannot configure AD Connect.
04:47
Client access policy: that is the way you configure it.
04:51
You have lots of
04:55
options. You can geo-configure; you can do it based on location, based on if the computer passes a minimum, based on,
05:03
they can connect with ADFS. If not, you can reject their claim.
05:08
Single point of failure.
05:09
This is something big.
05:12
If ADFS is down,
05:15
your users cannot authenticate in Office 365.
05:19
Remember, ADFS comes back into your on-premise Active Directory
05:27
to verify the claim.
05:30
So
05:31
ADFS is down, users cannot authenticate.
05:35
As a backup, you can manually switch it, and there are some dynamic tools as well, where you can switch it to Azure AD Connect.
05:46
But just be aware of the single point of failure with ADFS.
05:50
BYOD complications.
05:53
You have to configure all these different applications, all these different hardware, even for mobile devices,
06:01
to use your ADFS environment.
06:04
And depending on your security posture, you may not want to do this.
06:08
So you have to kind of consider the whole picture. There are pros of ADFS and there are cons of ADFS.
06:15
One of the ways organizations are reducing risk with ADFS, especially the single point of failure, is the actual deployment in the cloud,
06:25
so it offloads the single point of failure from their infrastructure
06:28
to a more robust and stable cloud environment.
06:31
With this setup, you're going to mitigate the risk of the single point of failure. But you're gonna incur some charges for compute, traffic and storage.
06:42
So,
06:43
again, catch-22: what's good on one may not be good in the other. It all depends on your client or your organization.
06:51
Here's a diagram of ADFS in Azure.
06:56
It's pretty simple. On the left-hand side, we have your current organization.
07:01
There is an ExpressRoute,
07:03
which is a dedicated bandwidth that goes from your on-prem into Azure, Office 365,
07:13
and then within Microsoft Azure
07:15
you have your infrastructure for your ADFS set up.
07:19
So for those of you curious about standing up ADFS in Azure, it is possible.
07:26
It is best practice if you are setting up ADFS for your environment
07:30
and you want to really mitigate and reduce a single point of failure.
07:36
So with this, if your on-prem network gets hit by a tornado, um, users can still authenticate in Office 365 because, remember,
07:46
ADFS is still there because it is in the cloud.
07:51
So here's a quiz question.
07:54
This one can be multiple answers.
07:57
I'm not looking just for one; it could be multiple.
08:00
ADFS requires which of the following to serve as an identity method for Office 365? What are some requirements of ADFS?
08:09
We have on-prem AD. We have the WAP server, RADIUS,
08:13
Azure AD Connect, reverse proxy.
08:20
So for this question,
08:22
we've talked about the requirements, and the answer is Active Directory environment on-prem,
08:28
WAP, for Web Application Proxy, that goes along with the ADFS infrastructure, and Azure AD Connect.
08:35
Now,
08:37
Azure AD Connect is not required for ADFS; however, it is required for ADFS if you're going to use Office 365.
08:46
Daily management of this kind of authentication model:
08:50
all user objects are managed in on-premise Active Directory.
08:56
Office 365 licenses and other cloud-specific attributes are managed in the O365 Admin Center
09:03
or even the Azure AD Admin Center.
09:07
Client access policies are managed on-premise, and again they get that granular level of control with how users connect in ADFS.
09:16
Client access policies are a
09:20
feature of ADFS that you can really use to enhance your security and your compliance.
09:26
For recap:
09:28
ADFS is a federated identity provider that can be used as an Office 365 authentication method.
09:35
It has very specific infrastructure requirements, is highly customizable,
09:39
and client access policies can be used with ADFS to create another layer of security and access management for your tenant and your environment.
09:50
I want to thank you for joining me
09:52
to one of my DFS
09:54
and hopefully you'll come back. Our next module, we're going to cover Azure AD Connect. Thank you.

Up Next

Office 365 Migration

In this Office 365 migration training, we look at the migration processes involved with Office 365 including preparation, identity configuration and Exchange, SharePoint and OneDrive migrations. Multiple scenarios are covered with supported migration techniques.

Instructed By

Jim Daniels
IT Architect
Instructor