
Introduction to Azure Active Directory

Javier Dominguez, Premier Field Engineer (PFE), Microsoft

Problem Statement

• While enterprises are working to consolidate directories on-premises, cloud apps are fragmenting directories... again

[Diagram: three cloud apps, each with its own separate username/password sign-in and manual or semi-automated provisioning, beside the on-premises Active Directory and its apps, with no direct connection to the directory]

History of Azure Active Directory

• Office 365 services needed access to customer directories to provide best-in-breed experiences

• Offer identity services to organizations without on-premises directories

• Run at internet scale

• Offer multi-tenancy

[Diagram: Exchange Online, SharePoint Online and Lync Online, with open questions (?) about how they reach customer directories on-premises]

Windows Azure Active Directory

• Active Directory revised to operate as an Internet-scale, multi-tenant directory service, built concurrently with Office 365

• Extends Windows Server Active Directory into the cloud

• Provides cloud-based directory and identity services for organizations without Windows Server AD

[Diagram: Exchange Online, SharePoint Online and Lync Online backed by Azure Active Directory, which connects to the on-premises Active Directory]

Demo: Cloud Directory Management

Directory and Identity as a Service

• Consolidate directory management across cloud apps

• Connect to the directory from any platform, any device

• Connect with people from web identity providers and other organizations

[Diagram: Azure Active Directory at the center, connected to ISV apps, other Microsoft apps, your custom IT apps, Office 365 and the on-premises Active Directory]

How Does a Cloud App Connect to Directory?

[Diagram: a cloud application (browser, mobile app and server app clients in front of a web application and web service API) next to the Contoso.com directory, with question marks on how the two connect]

Anatomy of a Typical Cloud Application

• Web application

• Web service API

• Account and profile store

• Clients using a wide variety of devices/languages/platforms

• Server applications using a wide variety of platforms/languages

Azure Active Directory Design Principles

The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory:

• Maximize device and platform reach
  - HTTP/web/REST-based protocols

• Multi-tenancy
  - Customer owns the directory, not Microsoft

• Optimize for availability, consistent performance and scale
  - Keep it simple

Directory access and authentication: adapting to the cloud paradigm

  AD             AAD
  ------------   ------------
  Consoles       Portals
  PowerShell     PowerShell
  Applications   Applications
  LDAP           REST
  Kerberos       OAuth

Directory Graph API

• RESTful programmatic access to the directory
  - Objects such as users, groups, roles, licenses
  - Relationships such as member, memberOf, manager, directReport

• Requests use standard HTTP methods
  - POST, GET, PATCH, DELETE to create, read, update and delete
  - Response in XML or JSON; standard HTTP status codes
  - Compatible with OData 3.0

• OAuth 2.0 for authentication
  - Role-based assignment for application and user authorization

Example Directory Graph Call

Request: https://directory.windows.net/contoso.com/Users/Ed@contoso.com

Response:

{
  "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('..')/Manager" },
  "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('..')/MemberOf" },
  "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectType": "User",
  "AccountEnabled": true,
  "DisplayName": "Ed Blanton",
  "GivenName": "Ed",
  "Surname": "Blanton",
  "UserPrincipalName": "Ed@contoso.com",
  "Mail": "Ed@contoso.com",
  "JobTitle": "Vice President",
  "Department": "Operations",
  "TelephoneNumber": "4258828080",
  "Mobile": "2069417891",
  "StreetAddress": "One Main Street",
  "PhysicalDeliveryOfficeName": "Building 2",
  "City": "Redmond",
  "State": "WA",
  "Country": "US",
  "PostalCode": "98007"
}

Protocols to connect with Azure AD

  Protocol            Purpose                                                     Details
  ------------------  ----------------------------------------------------------  -----------------------------------------------------
  REST/HTTP           Directory access: create, read, update and delete           Compatible with OData V3; authenticate with OAuth 2.0
                      directory objects and relationships
  OAuth 2.0           Service-to-service authentication; delegated access         JWT token format
  SAML 2.0            Web application authentication                              SAML 2.0 token format; used with Office 365 services
  WS-Federation 1.3   Web application authentication                              SAML 1.1 token format; used with Office 365 services

Demo: Directory Graph Explorer

[Diagram: the Cloud Application with its Profile Store, the End User, and the Contoso.com Directory holding the app's ServicePrincipal associated with Role(Read)]

1. An authorized user creates a principal (ServicePrincipal) in the directory for the app and authorizes it to use the directory by associating it with a role (Read).

2. The end user authenticates to the directory (User AuthN) and gets a token (t1) to call the cloud app.

3. The cloud app gets its own token (t2, delegated AuthN), accesses the Directory Graph using that token, and uses the user's unique ID to find the profile in its local profile store.
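The three steps above (ServicePrincipal with Role(Read), user token t1, app token t2 against the Directory Graph) modelled end to end, as an added Python example that is not part of the presentation. The HMAC-signed token format, the claim names, the in-memory Contoso.com directory and the app's profile store are all constructed for illustration and stand in for the real OAuth 2.0/JWT exchange; the point it shows is that the Graph accepts t2 only if the signature, audience and Read role check out, so a t1 token meant for the cloud app is refused there.

```python
import base64, hashlib, hmac, json, time
# Constructed sample data (not from any real tenant): the Contoso.com directory holds one
# user and one ServicePrincipal with Role(Read); the app's profile store is keyed by ObjectId.
DIRECTORY_KEY = b"demo-directory-signing-key"   # assumed HMAC key held only by the directory
DIRECTORY = {
    "users": {"Ed@contoso.com": {"ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19", "DisplayName": "Ed Blanton"}},
    "servicePrincipals": {"cloudapp": {"roles": ["Read"]}},
}
PROFILE_STORE = {"90ef7131-9d01-4177-b5c6-fa2eb873ef19": {"theme": "dark"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(claims: dict) -> str:
    """Directory issues a JWT-style (HS256) token carrying the given claims."""
    header = _b64(json.dumps({"alg": "HS256"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(DIRECTORY_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token: str, audience: str) -> dict:
    """Recipient checks signature, audience and expiry before trusting any claim."""
    header, body, sig = token.split(".")
    expected = hmac.new(DIRECTORY_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["aud"] != audience or claims["exp"] < time.time():
        raise PermissionError("token not issued for this audience, or expired")
    return claims

def user_authn(upn: str, app: str) -> str:
    """t1: the end user authenticates to the directory and gets a token for the cloud app."""
    oid = DIRECTORY["users"][upn]["ObjectId"]
    return issue_token({"aud": app, "oid": oid, "upn": upn, "exp": time.time() + 600})

def app_authn(app: str) -> str:
    """t2: the ServicePrincipal gets a Directory Graph token carrying its assigned roles."""
    roles = DIRECTORY["servicePrincipals"][app]["roles"]
    return issue_token({"aud": "directory-graph", "sub": app, "roles": roles, "exp": time.time() + 600})

def graph_get_user(token: str, upn: str) -> dict:
    """Directory Graph: GET .../Users/{upn}; the caller's token must hold the Read role."""
    claims = verify_token(token, "directory-graph")
    if "Read" not in claims.get("roles", []):
        raise PermissionError("ServicePrincipal lacks the Read role")
    return DIRECTORY["users"][upn]

def cloud_app_request(t1: str, app: str = "cloudapp") -> dict:
    """Cloud app: verify t1, obtain t2, query the Graph, then match the local profile by ObjectId."""
    user = verify_token(t1, app)                       # t1 must have been issued for this app
    graph_user = graph_get_user(app_authn(app), user["upn"])
    return {"user": graph_user["DisplayName"], "profile": PROFILE_STORE[graph_user["ObjectId"]]}
```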

Relationship to Windows Server AD

• On-premises and cloud Active Directory managed as one

• Directory information synchronized to the cloud, made available to cloud apps via role-based access control

• Federated authentication enables single sign-on to cloud applications with corporate credentials

[Diagram: the on-premises Active Directory linked to Azure Active Directory through sync and federation]

Directory and Identity as a Service

• Consolidate directory management across cloud apps

• Connect to the directory from any platform, any device

• Connect with people from web identity providers and other organizations

• Users can use the same identity to access on-premises and cloud apps

[Diagram: Azure Active Directory connected to ISV apps, other Microsoft apps, your custom IT apps and Office 365, and linked by sync and federation to the on-premises Active Directory and your on-premises apps]

Directory Synchronization

• Directory synchronization between on-premises and online

• Objects are created and managed on-premises and synchronized to the cloud

• Optionally, password hashes can be synchronized to the cloud, providing a single identity and credential, but not single sign-on

• Reuse the existing directory implementation on-premises, including non-AD sources

Federation and single sign-on

• Single identity and sign-on for on-premises and cloud services

• Identities mastered on-premises, single point of management

• Secure token-based authentication

• Client access control based on IP address with AD FS and Office 365 services

• Strong-factor authentication options for additional security

Windows Azure Active Authentication

• Why multi-factor
  - Your data and applications are under attack
  - Passwords are easily compromised
  - Consumerization of IT has only increased the scope of vulnerability
  - Strengthening regulatory requirements call for strongly authenticating access

• Proven authentication platform
  - Powered by the market-leading PhoneFactor platform
  - Trusted by thousands of enterprise customers across a wide range of industries, including healthcare, financial services, manufacturing and government
  - Authenticating millions of logins and transactions each month

Enterprise authentication using any phone

• Mobile apps: out-of-band push, one-time passcode

• Phone calls: out-of-band call

• Text messages: out-of-band text, one-time passcode

Architecture

[Diagram: ISV/CSV apps, Microsoft apps and custom LOB apps in front of Windows Azure Active Directory and Active Authentication, with callouts 1 and 2]

• Users sign in from any device using their existing username/password.

• Users must also authenticate using their phone or mobile device before access is granted.

• Credentials are checked in Windows Azure AD. Then Active Authentication is triggered for additional verification.

Embracing BYOD

• AD Workplace Join: users join their device to their workplace, making the device known to the company's Active Directory

• Single Sign On (SSO): users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace-joined devices

• Work From Anywhere: businesses enable users to work from anywhere while adhering to their IT governance policies around risk management

• Multi-factor Authentication: businesses require additional factors of authentication when business-critical resources are accessed or when there is perceived risk

• Multi-factor Access Control: businesses set conditional access control to resources based on four core pivots: the user, the device used, the user's network location and the use of additional auth factors

• AD Authentication Library: ISVs build enterprise apps that deliver SSO and allow enterprises to set access control policies based on user, device, network location and MFA

Windows Azure AD

• Extension of Active Directory into the cloud

• The platform for Microsoft cloud apps

• Designed to meet the needs of cloud applications: scale and multi-tenancy

• Provides directory and identity services: an essential part of Platform as a Service

• Your cloud directory for your apps

[Diagram: Azure Active Directory at the center, connected to ISV apps, other Microsoft apps, your custom IT apps, Office 365 and the on-premises Active Directory]

Over 3 million tenants

Over 7 billion authentications, just last week

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
