ADFS


Time: 2 hours 42 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:00
Welcome to the Office 365 Migration Primer course. I'm your instructor, Jim Daniels, and today we're gonna go over Module 3, Identity,
00:09
and we're gonna go with the lesson for ADFS. So in this lesson, we're gonna talk about what ADFS is and how it could be used for Office 365 authentication.
00:20
Active Directory Federation Services,
00:23
ADFS for short.
00:25
ADFS is the federation service that's part of Windows Server roles.
00:30
It is a feature that is included with the Server OS. ADFS 4.0 is included with Server 2016.
00:39
It allows seamless access to Office 365 by establishing a trust
00:44
between O365 and your on-premise Active Directory.
00:49
So let's take a look at the workflow with ADFS.
00:53
ADFS uses a claims-based access control authorization model
00:58
to maintain security and implement federated identity.
01:02
Claims-based authentication is a process where you authenticate a user based on a set of claims about its identity contained in a token.
01:11
Alright, claims-based equals token; we have to have the token.
01:15
So think of it like a driver's license
01:19
You have a driver's license; that is a token
01:22
to authenticate who you are.
01:23
Otherwise, you could say you're anyone and there's no
01:27
real accountability or authentication for
01:30
So let's follow the workflow
01:34
First, the user who could be anywhere in the world
01:38
requests access to Office 365.
01:41
Office 365 then says, hey, your tenant is set up for ADFS.
01:46
I'm gonna need a token; this is claims-based.
01:49
The user then says, wait, I don't have a token.
01:52
I'm going to request a token from the ADFS environment.
01:57
In turn, the ADFS environment says, okay,
02:00
I'm gonna talk to the on-prem AD server and request authentication for this user.
02:06
The AD server goes through: okay, this user passed authentication, everything is legitimate.
02:12
Then it tells the ADFS server, hey, he's good.
02:15
ADFS then says to the user, here's your token.
02:20
Now the user sends that token.
02:23
the verified claim,
02:24
to Office 365, which then, in turn, grants access to the resource.
02:31
In a nutshell, that's ADFS. That's how it works. That's the workflow with it.
02:38
Now let's take a look at some of the infrastructure.
02:40
You have your user. Of course, he's going to make the call. That's who initiates everything.
02:46
Web Application Proxy. That is your go-between,
02:50
um, that is the area that's on the outside and faces the world,
02:55
and it funnels back inside to ADFS. It's like a traffic broker.
03:00
Your ADFS communicates with your Azure AD Connect or your on-premise Active Directory.
03:07
Remember, Azure AD Connect we'll cover a lot more next lesson, but Azure AD Connect also can communicate directly with Azure AD.
03:19
So in this situation we have ADFS,
03:22
we have Azure AD Connect, which feeds information into ADFS,
03:27
which ADFS then passes to the Web Application Proxy, or WAP.
03:32
WAP acts as a traffic broker for the user.
03:38
We'll talk about some considerations when you use ADFS.
03:44
First consideration: infrastructural requirements.
03:46
Remember, we just showed some of the infrastructure required.
03:51
If your organization already has ADFS,
03:53
it's not much additional infrastructure
03:57
to authenticate Office 365. With some configuration,
04:00
you stand up Azure AD Connect, you connect it, you run a wizard, and you're there. However, if you do not already have ADFS,
04:11
there is a requirement cost.
04:13
You have to stand up servers.
04:15
Consider that in your decision.
04:18
ADFS also provides true single sign-on.
04:23
Once a user logs into your network,
04:26
that token generated from their network logon can be used to grant them access to a number of different resources, both on-prem and in the cloud.
04:35
ADFS also has enhanced security over some other authentication models.
04:41
You can configure ADFS in ways that you cannot configure AD Connect.
04:47
Client access policy: that is the way you configure it.
04:51
You have lots of
04:55
options. You can geo-configure; you can do it based on location, based on whether the computer passes a minimum. Based on that,
05:03
they can connect with ADFS. If not, you can reject the call.
05:08
Single point of failure.
05:09
This is something big.
05:12
If a DFS is down,
05:15
your users cannot authenticate to Office 365.
05:19
Remember, ADFS comes back into your on-premise Active Directory
05:27
to verify the claim.
05:30
So
05:31
if ADFS is down, users cannot authenticate.
05:35
As a backup, you can manually switch it, and there are some dynamic tools as well where you can switch it to Azure AD Connect.
05:46
But just be aware of the single point of failure with ADFS.
05:50
BYOD complications.
05:53
You have to configure all these different applications, all this different hardware, even mobile devices,
06:01
to use your ADFS environment.
06:04
And depending on your security posture, you may not want to do this.
06:08
So you have to kind of consider the whole picture. There are pros of ADFS and there are cons of ADFS.
06:15
One of the ways organizations are reducing risk with ADFS, especially the single point of failure, is actually deploying it in the cloud,
06:25
so it offloads the single point of failure from their infrastructure
06:28
to a more robust and stable cloud environment.
06:31
With this setup, you're going to mitigate the risk of the single point of failure, but you're gonna incur some charges for compute, traffic, and storage.
06:42
So,
06:43
again, catch-22: what's good in one may not be good in the other. It all depends on your client or your organization.
06:51
Here's a diagram of ADFS in Azure.
06:56
It's pretty simple. On the left-hand side, we have your current organization.
07:01
There is an ExpressRoute,
07:03
which is dedicated bandwidth that goes from your on-prem into Azure, Office 365,
07:13
and then within Microsoft Azure
07:15
you have your infrastructure for your ADFS setup.
07:19
So for those of you curious about setting up ADFS in Azure, it is possible.
07:26
It is best practice if you are setting up ADFS for your environment
07:30
and you want to really mitigate and reduce a single point of failure.
07:36
So with this, if your on-prem network gets hit by a tornado, um, users can still authenticate to Office 365 because, remember,
07:46
ADFS is still there because it is in the cloud.
07:51
So here's a quiz question.
07:54
This one can be multiple answers.
07:57
I'm not looking just for one; it could be multiple.
08:00
ADFS requires which of the following to serve as an identity method for Office 365? What are some requirements of ADFS?
08:09
We have on-prem AD. We have the WAP server, RADIUS,
08:13
Azure AD Connect, reverse proxy.
08:20
So for this question,
08:22
we've talked about the requirements, and the answer is Active Directory environment on-prem,
08:28
WAP, for Web Application Proxy, that goes along with ADFS infrastructure, and Azure AD Connect.
08:35
Now,
08:37
Azure AD Connect is not required for ADFS; however, it is required for ADFS if you're going to use Office 365.
08:46
Daily management of this kind of authentication model:
08:50
all user objects are managed in on-premise Active Directory.
08:56
Office 365 licenses and other cloud-specific attributes are managed in the Office 365 Admin Center
09:03
or even the Azure AD Admin Center.
09:07
Client access policies are managed on-premise, and again they get that granular level of control over how users connect in ADFS.
09:16
Client access policies are a
09:20
feature of ADFS that you can really use to enhance your security and your compliance.
09:26
For recap:
09:28
ADFS is a federated identity provider that can be used as an Office 365 authentication method.
09:35
It has very specific infrastructural requirements, is highly customizable,
09:39
and client access policies can be used with ADFS to create another layer of security and access management for your tenant and your environment.
09:50
I want to thank you for joining me
09:52
for this lesson on ADFS,
09:54
and hopefully you'll come back. In our next module we're going to cover Azure AD Connect. Thank you.