Azure AD Hybrid Identity Part 2

Time
14 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
15
Video Transcription
Hello Cybrarians, welcome to Lesson 1.6 of this AZ-301 course. This lesson is a continuation of the previous lesson. What I'll do is pick up from where I stopped in the last video, where I explained how the federation option of Azure AD Connect works.

One of the things that I want to highlight here is, what's the disadvantage of using this option? Because there is a disadvantage to it. The disadvantage is you have a reliance on the stability of your on-premises infrastructure. For example, if that AD FS server that we have there were to go down, that means that users will not be able to authenticate to Cloud applications, because Azure AD cannot authenticate the users: it does not have the password credentials, so it has to redirect them on-premises for the authentication to occur.

What many organizations actually do is they will have more than one AD FS server; they will have two or probably more. And then, because it's also not good practice to expose your AD FS servers directly to the public, you'll probably have a web application proxy sitting in front, which means you end up with about four servers at a minimum. For many organizations, that's backward, because what they're trying to do is get away from managing infrastructure. Now, because of this scenario, I have to actually manage my infrastructure. This is not a really popular option, but it does exist.

Let's talk about option number 3, which is called Pass-through authentication. With pass-through authentication, again, you're going to install the Azure AD Connect tool, which builds the connectivity between on-prem AD and Azure AD. But in this case, what we're going to do is synchronize the user objects and attributes only, not the password hashes as well. But then we introduce another agent. This agent is called the pass-through agent. What the pass-through agent also does is that when you install it and set it up, we're going to introduce another concept of a queue on the side of Azure AD.

Here's what the scenario is going to look like. Your users try to access a Cloud application that uses Azure AD as the identity provider. They get redirected to Azure AD, which doesn't have the password hash, so it cannot authenticate the user. What Azure AD will do is collect the credentials and place them in the queue. Then the agent that you have on-premises, the pass-through agent, which you can install on the same server where you have your Azure AD Connect agent, makes an outbound call every two seconds to this queue. It retrieves the authentication request from there and fulfills it on-premises. This helps you to achieve a similar thing to what many people want to achieve in the case of federation, without the extra added infrastructure and without having to open inbound firewall rules to get that to work. This is an option that's popular for the scenario where you don't want the password hashes to leave your environment.

A quick summary of the functionality that is available for pass-through authentication. It's a free feature that you can enable with Azure AD Connect; it's not something that you pay extra for. It supports user sign-in into web browser-based applications. It also supports seamless single sign-on, so that once users have authenticated on-premises, they can just go ahead and use the existing authentication token that they have to authenticate against Cloud applications. And it also supports Azure AD Cloud MFA and self-service password reset scenarios.

When it comes to trends in authentication and recommended best practices from Microsoft, Microsoft actually recommends password hash synchronization. That's showing you that when it comes to the trend of federated authentication, that's falling, and you can see that when Password Hash Synchronization was introduced, federation was falling; when pass-through authentication was introduced, federation kept falling in terms of adoption. The recommendation from Microsoft is to use password hash synchronization, which means that your Azure AD is going to be able to do the authentication. Again, Azure AD is a very robust environment.

Let's talk about Azure AD Connect Health. What does this service make available? This is an additional service that you can implement. It's part of Azure AD. It has its own separate agents. The number 1 thing that you want to know about this service is that you can only use it if you have paid for Azure AD Premium P1 or Azure AD Premium P2. What it allows you to do is it's going to give you certain agents for Active Directory. It has an agent for Active Directory Federation Services that you can download and install. When you download and install this agent on your on-premises Active Directory, or on AD FS, it's going to collect information and send it to the Azure AD service, and specifically under the Azure AD Connect Health section, you'll be able to see this information and then you'll be able to configure notifications from there. What this allows you to do is it's going to monitor and help you to gain insight into your on-premises identity infrastructure. Again, that's not just domain controllers; that includes AD FS. It's going to also help in the cases of monitoring and gaining insight into the synchronization that's happening between on-premises Active Directory and Azure AD. A very good use case of the service is this: you want to configure email notifications of any issues that have to do with the Directory Synchronization Service. You've configured your Azure AD Connect. You want to be able to get proactive notification if there are synchronization issues. This is a good service that you can implement that can help you out with that, and you can configure email notifications for that.

There's another feature set that I want to quickly highlight, called Azure AD self-service password reset. This feature is only available with Azure AD Premium P1 and Premium P2 options. What this service allows you to do is take the workload off your IT service desk, where they have to help users all the time to reset passwords, so that users can go ahead and reset their own passwords. Many users have had that experience already, or they are used to the experience of "forgotten your Facebook password": they can just click on "forgotten my password", they're going to get a code to their phone, and they can reset their own password. Why can't they do that on-premises? The great thing, though, is that you can have it where there can be password writeback. What that means is, for example, a user has access to a Cloud application, they've forgotten their password, they click "I forgot my password". It's going to allow them to reset their password against Azure AD, because that's the identity provider for that Cloud application. But then, if you have password writeback configured with self-service password reset, it can actually write that password back to on-premises AD. In that case, users are able to reset their own passwords.

A quick summary of what we covered in this video. We covered what Azure AD Connect is, we covered how to prepare the on-premises directory for synchronization to Azure AD, and then we covered the synchronization options for Azure AD Connect, which are password hash synchronization, Federation, and pass-through authentication. Then we talked about Azure AD Connect Health, alongside two other functionalities of Azure AD in terms of self-service password reset with password writeback. Thanks very much for watching this video and watching this lesson, and I'll see you in the next lesson, where I'll be demonstrating what we've discussed.