Azure AD Overview Part 2

Time
14 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
15
Video Transcription
00:00
>> Hello Cyberians, welcome to Lesson 1.2
00:00
of Module 1 of this AZ-301 course.
00:00
This lesson is a continuation of the previous lesson.
00:00
We'll pick up from where we stopped in
00:00
the last video and we start
00:00
talking about Azure AD editions.
00:00
What editions do we have or what options do we
00:00
have if you want statues in Azure AD?
00:00
Here are the main options that we have.
00:00
Before July 2019, if we're talking
00:00
about the different Azure AD Editions
00:00
>> that are available,
00:00
>> you have the options that I have on the screen.
00:00
We have a free edition, basic edition,
00:00
Office 365 apps edition,
00:00
Premium P1 and Premium P2 editions.
00:00
But after July 2019,
00:00
the basic edition is going away.
00:00
Microsoft are beginning to
00:00
remove it from all their documentation.
00:00
Actually there's an announcement from one of
00:00
Microsoft's senior vice president on identity.
00:00
The way he talks about Azure AD basic is going away,
00:00
it's very similar to the Office 365 apps option.
00:00
But for now, basic is going away,
00:00
just be aware of that going forward.
00:00
What about these editions?
00:00
What's the use cases between them?
00:00
The free edition, if you go to
00:00
sign up for an Azure subscription today,
00:00
you're going to get an Azure AD tenant that's
00:00
created on the background for you, and
00:00
>> you're going to be getting an Azure AD free edition,
00:00
>> so it comes subscriptions.
00:00
It's meant like an introduction to Azure AD is.
00:00
It does not have a lot of the advanced
00:00
>> enterprise type capabilities but
00:00
>> it's a good introduction to Azure AD functionalities.
00:00
>> Then we have the Office 365 apps edition of Azure AD.
00:00
If you go to sign up for
00:00
Microsoft Office 365 subscription,
00:00
I mentioned that you're going to get
00:00
an Azure AD tenant created at the backend,
00:00
the edition that you get is
00:00
>> the Office 365 apps edition.
00:00
>> It was very similar in functionality to
00:00
the former basic edition that's now going away.
00:00
It has limited things like limited support for
00:00
>> Cloud only Multifactor authentication capabilities,
00:00
>> so allowing you to be able to use
00:00
MFA for your users that are using Office 365.
00:00
But it does not give you like the advanced security and
00:00
enterprise capabilities that P1 and P2
00:00
provides to you but at the same time,
00:00
it's not as plain and basic like the free edition.
00:00
Then we have the Azure AD Premium P1 edition,
00:00
which you can either purchase
00:00
individually as a standalone add-on,
00:00
or you can purchase as part of
00:00
the Enterprise Mobility Suite or the
00:00
Microsoft 365 bundles and any of those bundles,
00:00
if you go for the A3 edition, I believe,
00:00
comes with Azure AD Premium P1 and It provides
00:00
you with more functionality
00:00
so things like conditional access,
00:00
self-service password reset,
00:00
it gets that with Azure AD Premium P1.
00:00
Then finally there's the Azure AD Premium P2,
00:00
which includes every feature that Azure AD has.
00:00
That includes things like identity protection,
00:00
identity governance,
00:00
privileged identity management, access reviews.
00:00
We'll look at some of these
00:00
just a little bit when we start
00:00
talking about architectural decisions.
00:00
Why are we talking about?
00:00
It's very important if you're
00:00
planning to take the exam to
00:00
understand the differences and
00:00
capabilities between this Azure AD editions,
00:00
you are very likely
00:00
to get questions when it comes to that.
00:00
Let's do a quick comparison. I'm not going to go through all of these one by one; I'm just going to point out some important differences between these editions to you. You can see the pricing right at the very top. When it comes to directory objects, you notice that the Free edition has a 5,000-object limit in terms of the number of objects that you can have within the Azure AD tenant, whereas all the other editions have no object limit. When it comes to Azure AD Connect, we'll talk about Azure AD hybrid identity in the very next lesson of this module, and this will make more sense to you then. But Azure AD Connect is supported for all of these editions.

The other thing I want to highlight is, when it comes to MFA, MFA is available in all the editions for global administrators. If you have a user that's a global administrator in Azure AD, they can use MFA for free. Remember that that is only referring to global administrators; that's not referring to the normal users in Azure AD. Moving on, you can see that when we start talking about MFA for normal users, that's available in Office 365, Premium P1 and Premium P2. When we start talking about things like SLA, there's no SLA for the Free edition, but there is an SLA for the other editions.

Now when we start talking about functionality like self-service password reset, that's only available for the Premium editions, so the Office 365 edition doesn't have these capabilities. When we talk about things like Azure AD Connect Health, which helps you to monitor your identity infrastructure services on-premises and provides extra functionality, that's only available for the Premium P1 and Premium P2 editions. When it comes to things like conditional access, that's only available for the Premium P1 and Premium P2 editions. When we talk about what's specific to Premium P2, that's specifically referring to advanced security protection, things like Identity Protection, as you can see, and identity governance features. That's talking about things like Privileged Identity Management, risk-based conditional access policies, access reviews and entitlement management, which is currently in preview.

Let's talk about this service called Azure AD DS, Azure AD Domain Services. I'm going to start by explaining the service to you using this scenario. Take for example a scenario where you have an organization that has only the Azure cloud, no on-premises infrastructure. That is not something that's strange today. If you had a startup company today, they may not have an on-premises Active Directory infrastructure set up. This organization happens to have a need for an application that supports only Kerberos and NTLM. Now they have Azure AD, which supports these modern authentication protocols like SAML and OpenID Connect and WS-Fed. But the applications that they have living in a subnet of a virtual network in Azure only support Kerberos and NTLM. What's the solution for this organization?

Now they could go ahead and build another virtual machine, promote it to a domain controller and then go ahead and join the machine to that domain. What they'll have to do going forward is maintain the operating system and do a lot of that maintenance, and many organizations that are cloud-only don't want to get into scenarios like that. They don't want to manage infrastructure anymore. That's where Azure AD DS comes in.

What Azure AD DS is, is a service that you can deploy, and it's going to live within one of your subnets in one of your virtual networks in Azure. What this service does is build a relationship with your Azure AD tenant, where it's going to synchronize your identities from Azure AD to Azure AD DS. The good thing about this service is it provides domain controller capabilities, so it supports Kerberos, it supports NTLM, you can do domain join. There are many other features that we will see that you can do, and that helps you with that situation. Plus, you don't have to deal with managing the operating system or managing upgrades for applications going forward.

With that in mind, let's go talk about Azure AD DS, and let's talk about some quick points about what this service provides. It provides domain controller capabilities like domain join and group policy and LDAP and Kerberos and NTLM, without the overhead of having to manage domain controllers. That's the advantage that it has. Number 2, as I showed you in the earlier slide, it synchronizes resources from Azure AD to emulate an Active Directory domain; it's going to synchronize those identities straight into the Azure AD DS service. One thing that you should note is that you can only have one Azure AD DS service per Azure AD tenant. You cannot have multiple per Azure AD tenant, you can only have one. This service has high availability built in. Actually, if you look within the service, what it's actually doing is setting up two domain controllers within that subnet, so that's where the high availability comes in, but you don't have to manage them, so that's a great thing.

With that in mind, let me talk to you about another scenario where the Azure AD DS service can provide value. Take this other scenario, where you have Azure AD DS created within this subnet and it's synchronizing identities from Azure AD straight into Azure AD DS. For an organization that already has an on-premises AD infrastructure, what they could do is use Azure AD Connect to synchronize identities from on-premises AD to Azure AD, specifically using the password hash synchronization option when you're using that tool; we'll talk about this in the next lesson. What this allows you to do is synchronize identities from on-premises AD straight into Azure AD, and then Azure AD DS synchronizes those identities and their password hashes to itself. That way you can join your virtual machine in Azure to that domain and sign in, being able to authenticate with your existing on-premises credentials. But the good thing is, you don't need to have a VPN connection or ExpressRoute, however you pronounce it; you don't have to have that connection in place to be able to make that work.

Functionalities, let's talk about these. You can see the functionalities of what Azure AD DS provides: it provides a managed service, it has DNS capabilities, domain join capabilities, NTLM and Kerberos, Kerberos constrained delegation. It has all these capabilities built into it. The main thing that you'll notice is that it does not give you domain or enterprise administrator privileges because, again, this is a managed service. Some other features that it has: you can see it has custom OU structure, group policy, LDAP read, LDAP write. The main thing that I want to point out in terms of limitations is, you see that you cannot do schema extensions, you cannot do AD domain or forest trusts, and you cannot do geo-distributed deployment. Again, it's a managed service, remember that.

In summary, what did we discuss in this two-part video set? We discussed what Azure AD is and what Azure AD is not, we discussed the differences between Azure AD and on-premises AD, we discussed Azure AD editions and the differences between them, and then we also discussed Azure AD DS and its use cases. Hopefully this video has been informative for you. I'll see you in the next lesson, where I'll do a demonstration of Azure AD and Azure AD DS.