azure:az-500:alt:hybrid_identity

azure:az-500:alt:hybrid_identity [2022/07/25 19:49] – [AD Connect] mmuzeazure:az-500:alt:hybrid_identity [2023/03/03 20:29] (current) – [Hybrid Identity] mmuze
Line 5: Line 5:
   * Keep in mind the difference between authentication and authorization.   * Keep in mind the difference between authentication and authorization.
  
-  * **Azure AD registered:** allows users to use their personal devices to access organization (Azure AD controlled) apps and data. Users can authenticate on their device using local or personal credentials — an organization/AAD account is not required.+  * **Azure AD registered:** allows users to use their personal devices to access organization (Azure AD controlled) apps and data. Users can authenticate on their device using local or personal credentials—an organization/AAD account is not required.
   * **Azure AD joined/workplace joined:** is when a device is joined to Azure AD and organization credentials (as opposed to personal) are required.   * **Azure AD joined/workplace joined:** is when a device is joined to Azure AD and organization credentials (as opposed to personal) are required.
   * **[[https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid|hybrid Azure AD joined:]]** devices are joined to your on-premises Active Directory and registered with Azure Active Directory   * **[[https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid|hybrid Azure AD joined:]]** devices are joined to your on-premises Active Directory and registered with Azure Active Directory
 +  * [[https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso|Seamless SSO]]
 +
 +> Azure Active Directory Seamless single sign-on (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network.
 +
 +=== Hybrid Azure AD Use Cases ===
 +  * You support down-level devices running 8.1.
 +  * You want to continue to use Group Policy to manage device configuration.
 +  * You want to continue to use existing imaging solutions to deploy and configure devices.
 +  * You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
 +
 ===== Hybrid Identity Authentication ===== ===== Hybrid Identity Authentication =====
   * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn]]   * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn]]
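Review bot: the new "Hybrid Azure AD Use Cases" bullet "You support down-level devices running 8.1" never names the operating system; it should read "running Windows 8.1" so the down-level case is unambiguous. The added Seamless SSO bullet is only a link plus a quoted definition and does not say how it relates to the sign-in methods listed under "Azure AD Authentication Features" below; one sentence stating which of those methods the note is pairing it with would make the bullet self-contained. Minor: the registered-device bullet now uses an unspaced em dash where the rest of the page spaces its dashes; keep one convention.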
Line 17: Line 27:
  
 ===== Azure AD Authentication Features ===== ===== Azure AD Authentication Features =====
-  * **Password hash synchronization.** A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.+  * **Password hash synchronization.** A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD. The **Azure AD Connect** service is installed on an on-prem server and it syncs on-prem AD users and password hashes to AAD.
   * **Pass-through authentication.** A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.   * **Pass-through authentication.** A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
       * Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method.       * Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method.
       * When a user authenticates against AAD it passes the request to on-prem AD via the auth agent to complete the authentication.       * When a user authenticates against AAD it passes the request to on-prem AD via the auth agent to complete the authentication.
-      * PTA uses a lightweight on-premises agent that listens for and responds to password validation requests. +      * PTA uses a lightweight on-premises agent that listens for and responds to password validation requests from AAD
-  * **Federation integration.** Federation is an optional part of Azure AD Connect and can be used to  configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.+  * **Federation integration.** Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
     * You can setup password sync also for use as a backup in case the ADFS goes down.     * You can setup password sync also for use as a backup in case the ADFS goes down.
 +    *  One use case is to take advantage of additional advanced authentication requirements, like smartcard-based authentication or third-party multifactor authentication
 +
   * **Synchronization.** Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.   * **Synchronization.** Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
   * **Health Monitoring.** Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.   * **Health Monitoring.** Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
   * **Password writeback** is an option with AAD that will sync password changes made in AAD back to the on-prem AD.   * **Password writeback** is an option with AAD that will sync password changes made in AAD back to the on-prem AD.
       * This does not require any inbound firewall rules; it works over the Azure Service Bus relay on the outbound connection of port 443.       * This does not require any inbound firewall rules; it works over the Azure Service Bus relay on the outbound connection of port 443.
 +      * **//self-service password reset (SSPR)//** is the feature that allows users to change passwords in AAD that get synced back to Windows AD. This requires AAD P1 or above.
  
 === Choosing an authentication method === === Choosing an authentication method ===
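Review bot: the new sentence in the password hash synchronization bullet should read "a user's on-premises AD password" (possessive), and the pass-through bullet's added "requests from AAD" drops the trailing period. The new federation use-case bullet is indented one level less than the "You can setup password sync" bullet above it, has a double space after the asterisk and no terminal period; it should sit at the same indent as its sibling, and "setup" should be "set up" and "ADFS" should be "AD FS" to match the rest of the bullet. In the added SSPR sub-bullet, "allows users to change passwords in AAD that get synced back" conflates reset with change; since the feature is self-service password reset and the parent bullet is password writeback, say that resets performed through SSPR are written back to on-prem AD by password writeback, and state whether the "AAD P1 or above" requirement applies to SSPR or to writeback.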
Line 46: Line 59:
 ====== AD Connect ====== ====== AD Connect ======
   * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions|Permissions]] needed to install AD Connect   * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions|Permissions]] needed to install AD Connect
 +  * **Three** accounts are needed to install AD Connect and **three** other accounts are needed to run AD Connect and synchronize Windows AD to AAD.
   * AD Connect used local MSSQL Server 2012 Express Edition for its datastore   * AD Connect used local MSSQL Server 2012 Express Edition for its datastore
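Review bot: the added "Three accounts ... three other accounts" bullet gives counts but not which accounts or what each is for, which is the information a reader needs to know what to protect; either list the install-time and run-time accounts by purpose or say explicitly that the linked Permissions reference enumerates them. The unchanged context line "AD Connect used local MSSQL Server 2012 Express Edition" reads as past tense; if it describes current behaviour it should say "uses".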
  
  
  • azure/az-500/alt/hybrid_identity.1658778559.txt.gz
  • Last modified: 2022/07/25 19:49
  • by mmuze