azure:az-500:hybrid_identity

Revision comparison: 2022/05/31 19:23 and 2022/07/22 14:52 (current), both by mmuze. The text below is the current revision.

====== Hybrid Identity ======
  * [[https://docs.microsoft.com/en-us/learn/modules/hybrid-identity]]
  * **Hybrid Identity** refers to identity that integrates traditional/on-prem Active Directory with Azure AD.
  * **Azure AD Connect** is the service that integrates on-prem AD with Azure AD. It runs on a domain-joined server on-premises and synchronizes objects (and, optionally, password hashes) to the cloud.
  * Keep in mind the difference between authentication (proving who you are) and authorization (what you are allowed to do); the options below are about authentication only.
  
===== Hybrid Identity Authentication =====
  * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn]]
  * There are three options for hybrid authentication:
      * password hash synchronization (PHS)
      * pass-through authentication (PTA)
      * federated authentication (AD FS or a third-party federation provider)
  * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#architecture-diagrams]]

===== Azure AD Authentication Features =====
  * **Password hash synchronization (PHS).** A sign-in method in which Azure AD Connect synchronizes a hash of each user's on-premises AD password hash to Azure AD. What is sent is not the NT hash itself: the agent salts the NT hash per user and re-hashes it (PBKDF2-HMAC-SHA256, 1000 iterations) before upload, and Azure AD repeats that computation to validate a cloud sign-in.
  * **Pass-through authentication (PTA).** A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
      * Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method.
      * When a user authenticates against Azure AD, the request is passed to on-prem AD via the authentication agent, which completes the validation against a domain controller.
      * PTA uses a lightweight on-premises agent that listens for and responds to password validation requests. The agent makes outbound connections only, so the agent hosts (and what they can reach) become part of the authentication trust boundary.
  * **Federation integration.** Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
    * You can also set up password hash sync alongside federation as a backup in case AD FS goes down.
  * **Synchronization.** Responsible for creating users, groups, and other objects in Azure AD and for keeping the identity information for your on-premises users and groups consistent with the cloud. When password hash synchronization is enabled, this also includes password hashes.
  * **Health Monitoring.** Azure AD Connect Health monitors the sync and authentication infrastructure and provides a central location in the Azure portal to view this activity.
  * **Password writeback** is an Azure AD Connect option that writes password changes and resets made in Azure AD (for example through self-service password reset) back to on-prem AD.
      * This does not require any inbound firewall rules; it works over the Azure Service Bus relay on an outbound connection on port 443.
  
=== Choosing an authentication method ===
  * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn]]

{{:azure:az-500:azure-auth-options.png|}}
===== Use Cases =====

…
  - If you need on-premises Active Directory integration but do not need cloud authentication or password protection, and your authentication requirements are natively supported by Azure AD, use Pass-through Authentication with Seamless SSO.
  - If you need on-premises Active Directory integration, have an existing federation provider, and your authentication requirements are NOT natively supported by Azure AD, use federated authentication.

====== Azure AD Join ======
  * Azure AD Join allows a Windows 10/11 device to be joined directly to Azure AD (no on-prem domain join) so that access to resources can be controlled and requirements enforced on the device. Devices that stay domain-joined on-prem use Hybrid Azure AD Join instead.
  * BYOD devices such as personal phones are not joined but **Azure AD registered**; for example, a registered BYOD phone could be Intune managed and be required to not be rooted or jailbroken to access company resources.

====== AD Connect ======
  * [[https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions|Permissions]] needed to install Azure AD Connect. The rights of the on-prem AD DS Connector account depend on the features enabled; password hash sync in particular requires directory replication permissions, so treat the Azure AD Connect server as a Tier 0 asset.
  