Self-service identity and access management

Azure Active Directory

Azure Active Directory Benefits

 Reducing costs and enhancing security with self- service capabilities
 Support for iOS, Mac OS X, Android, and Windows devices
 Single sign-on to cloud and on-premises web app Extending Active Directory to the cloud
 Protecting cloud and on-premises web applications:  multi-factor authentication
 conditional access policies
 group-based access management

 Directory lookups: Azure AD Azure AD relies on REST API over HTTP and HTTPS.

 Federation: Azure AD includes built-in federation support.

Azure AD DS is a managed AD DS deployment in an Azure VNet:
 Integrates with Azure AD
 Delivers core AD DS features:
 Domain join
 Kerberos and NTLM
 LDAP
 Group Policy
 Intended for:
 Azure VMs that rely on AD DS
 Cloud-based environments

Role-Based Access Control

 Microsoft’s multi-tenant cloud-based directory and identity management service
 Provides SSO access
 Identity management capabilities and integration Integrates with Windows Server Active Directory

Azure Active Directory Differences

 Azure AD is primarily an identity solution, and designed for HTTP and HTTPS communications
 Queried using the REST API over HTTP and HTTPS. Instead of LDAP.

 Azure Active Directory Basic designed for task workers with cloud-first needs, this edition provides cloud-centric application access and self-service identity management solutions.

 Azure Active Directory Premium P1 designed to empower
organizations with more demanding identity and access management needs.

Built-in Roles

A role represents a set of permissions to carry out specific actions

Role Definitions

Actions and NotActions:
 Include or exclude actions associated with the role

 Azure CLI:
 az role definition create --role-definition “./sysops.json”
 az role assignment create --role $roleName \
--assignee $assigneeName \
--resource-group $resourceGroupName

Configuring Self-Service Password Reset

Password Writeback

 Writes Azure AD users’ password changes/resets to AD DS
 Eliminates the need for on-premises SSPR solutions Requires Azure AD Premium P1 or P2 edition
 Is enabled by using Azure AD Connect:
 Start Azure AD Connect Configuration Wizard
 Select Customize synchronization options
 Enable the checkbox on the Optional features page

Azure AD Connect

Supported by Azure AD Connect:
 Synchronizes user passwords from AD DS to Azure AD  Allows users to use their AD credentials in order to access:  Azure resources
 Office 365
 Microsoft Intune

Azure AD Connect Health

Provides monitoring of AD DS and Azure AD integration:
 Azure AD Connect and its synchronization engine
 AD DS domain controllers
 AD FS servers

 It supports disabling or enabling the Azure AD identity representing the device.

 Joining a device to Azure AD:
 Constitutes an extension to registering a device
 Provides the benefits of registering a device and, in addition, changes the local state of a device.

Hybrid Azure AD join facilitates:

 Centralized management of all work-owned devices