Azure Active Directory Resources
One of the new trends in modern IT is consolidating the footprint of on-premises services you provide to the organization. For many organizations, moving those workloads to the cloud, or leveraging an existing cloud-based service for a workload you used to run on-premises, can save costs and cut complexity out of your IT operational portfolio. The primary workload for many is identity services such as Active Directory: extending (or migrating) them to Azure Active Directory or Azure Active Directory Domain Services, or simply migrating your Active Directory Domain Controllers to Azure Infrastructure-as-a-Service (IaaS).
This blog will provide you with a list of Microsoft resources that you may find useful in your journey of extending or moving Active Directory to the cloud. If you have comments/feedback or come across a resource that I don’t have listed below – please let me know in the comments section. Enjoy!
Starting out with Azure Active Directory:
- Understanding Office 365 identity and Azure Active Directory
- What is Azure Active Directory?
- Fundamentals of Azure identity management
- Microsoft hybrid identity solutions
- What’s the difference with Azure Active Directory free, basic, premium, P1, P2?
- Active Directory Federation Services in Azure
- Azure AD Connect: Design concepts
- Azure Active Directory Seamless Single Sign-On
- Azure AD Seamless Single Sign-On: GDPR compliance
- User sign-in with Azure Active Directory Pass-through Authentication
- Prerequisites for Azure AD Connect
- Azure Roadmap
Deploy an Azure Active Directory Proof of Concept:
- Azure Active Directory Proof of Concept Playbook: Introduction
- Azure Active Directory Proof of Concept Playbook Ingredients
- Azure Active Directory Proof of Concept Playbook: Implementation
- Azure Active Directory proof of concept playbook: Building blocks
Azure AD Connect (tool) and Hybrid:
- Integrate your on-premises directories with Azure Active Directory
- What is Azure AD Connect and federation
- Architecture Topologies for Azure AD Connect
- How to manage Azure AD Connect
- GDPR compliance and Azure AD Connect
- Implement password synchronization with Azure AD Connect sync
- Azure AD Connect sync: How to manage the Azure AD service account
- Hybrid Identity Required Ports and Protocols
- Azure Active Directory Hybrid Identity Design Considerations
- Define data protection strategy for your hybrid identity solution
- Manage access to resources with Azure Active Directory groups
- User Management
Azure AD Self Service Password Reset:
- Azure AD self-service password reset for the IT professional
- Self-service password reset in Azure AD deep dive
- How to successfully roll out self-service password reset
What about Azure Active Directory Domain Services? (ADDS running in Azure as a service):
- What is Azure Active Directory (AD) Domain Services?
- How to decide if Azure AD Domain Services is right for your use-case
- Deployment scenarios and use-cases
Deployment of Active Directory Domain Services (on-premises) in Azure IaaS (on virtual machines):
- Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
- How to install a new Active Directory forest on an Azure virtual network
- Install a new Active Directory forest on an Azure virtual network
- Install a Replica Active Directory Domain Controller in Azure Virtual Networks
Azure Active Directory Join (instead of domain joined device):
- Introduction to device management in Azure Active Directory
- Usage scenarios and deployment considerations for Azure AD Join
- Set up Azure Active Directory registered Windows 10 devices
- How to configure hybrid Azure Active Directory joined devices
- Setting up on-premises conditional access by using Azure Active Directory device registration
- Join a new Windows 10 device with Azure AD during a first run
- Troubleshooting hybrid Azure Active Directory joined down-level devices
- Afraid of Windows 10 with Azure AD join? Try it out (part 1)
- Enterprise State Roaming overview (sync your device settings to the cloud!)
- Azure Active Directory best practices from around the world
- What’s new in Azure Active Directory Domain Services
- Windows devices in Azure Active Directory: Why should I care?
Azure Active Directory B2B:
- What is Azure AD B2B collaboration?
- How do Azure Active Directory admins add B2B collaboration users?
- How do information workers add B2B collaboration users?
- Multi-factor authentication for B2B collaboration users
Azure Active Directory Application Management:
- Managing Applications with Azure Active Directory
- Integrating Azure Active Directory with applications getting started guide
- Managing access to apps
- Develop line-of-business apps for Azure Active Directory
Manage Access to Azure:
- Manage access to Azure resources with Azure Active Directory
- Get started with Role-Based Access Control in the Azure portal
- Manage access to Azure management with conditional access
- Securing privileged access for hybrid and cloud deployments in Azure AD
- Manage emergency-access administrative accounts in Azure AD
- Azure AD access reviews
Securing your identities:
- Conditional access in Azure Active Directory
- Authenticating identities without passwords through Windows Hello for Business
- Get started with certificate-based authentication in Azure Active Directory
- Azure Active Directory Identity Protection
- Securing privileged access in Azure AD
And my favorite…
Intune: If you want email on your phone, you have to follow the rules!
Maintaining governance over where company data is stored and how it is used is a core priority for many IT professionals. In this mobile-first world, with each user having on average 3+ devices, each with company data on them, ensuring that data is well protected can be a challenge. Giving users a choice of what device they want to use, and how they want to use it to do their job, can be empowering – but we must protect the data that lives on those devices. This means ensuring that only compliant/approved devices (and compliant/approved apps) can access that data. If that data were compromised (leaked, lost, stolen, etc.), it could be devastating to an organization and place individual employees at risk.
A classic example is when an employee has a smartphone and would like to receive their company email on it. If they go to configure the built-in mail app with their email, how can you require the device to be enrolled in an MDM so it is protected, and require them to use an approved email app? Well, Microsoft Intune and Azure Active Directory Conditional Access to the rescue! In this blog, you and I will take a journey through how to set up and configure this exact scenario and then test it to see what the end-user experience looks like.
I’m not going to cover Microsoft Intune or Azure AD Conditional Access in full technical detail. Please refer to the product documentation (links above) for more information.
Let’s start with understanding Conditional Access. At a high level, this allows me (IT) to provide you (the end user) with access to corporate resources based on a set of conditions, and if you meet those conditions I’ll let you in. If you don’t meet those conditions, or perhaps meet only one or two, I will have additional steps for you to take before I unlock the front door and invite you in for dinner. You can best think of Conditional Access as an “If/Then” statement. For example: if you are coming from a device that is unmanaged (and using an unapproved application), then allow access but require you to enroll the device in MDM (i.e. make it managed) and download the approved application for accessing email. Here’s a good graphical representation of how to think about this, at a high level (as you can see, this can be very powerful!):
Now that we have an understanding of Conditional Access, let’s configure it for this scenario. I’m going to create a new Conditional Access policy in Azure Active Directory from within the Azure portal:
Next I will scope it to all users:
Next, for Cloud Apps I will choose Office 365 Exchange Online:
Next, for Conditions I will choose device platforms and select all platforms:
For Grant I will choose “Grant access” and check the boxes for “Require device to be marked as compliant” and “Require approved client app”. I’ll also select the radio button so that all of the selected controls are required. (For more information about which client apps are approved, see this article.)
Next I’ll enable the policy and click create:
I now need to configure the device compliance for Intune. I’m going to navigate to Device Compliance in the Intune blade:
I’m going to create a new policy that is targeted at just iOS:
IMPORTANT: If there are other platforms you need to accommodate, you’ll need to create a new policy for each platform type (e.g. Windows, Mac, Android).
For fun, block jailbroken devices under Device Health:
And for more fun, require a passcode under System Security:
Now that the compliance policy has been created, I am going to assign it to all users:
Okay, let’s take a look at what the user experience is like for this scenario.
Let’s launch the native mail app on an iPad (iOS device):
Sign in with my corporate credentials:
Tap sign in:
When my company’s login page appears to finish the sign in process, enter my password:
What do we have here? Looks like Conditional Access kicked in! My device is not managed, but it does give me an option to enroll!
IMPORTANT: To see the enrollment process, reference my other blog article Intune: MDM Enrollment Experience (complete device management)
Once the device is enrolled, my policy also pulls down the Outlook app (well, the user is prompted to install it). When I launch the Outlook app…
Tap get started, and there’s my email profile!
NOTE: This does not require any configuration for the email profile to be automatically displayed.
And there’s my email!
Now what if I go back to the native mail app and try to use it? Well, following the same process as above, where I type in my credentials and try to sign in again to the native mail app, Conditional Access will catch me red-handed and block me from using it:
Conclusion: As you can see, this is a very powerful feature and introduces automation into your device security strategy. Enjoy!
Microsoft Teams: Limit access to only managed devices and reduce risk!
It’s amazing watching the adoption journey of Microsoft Teams among organizations and how quickly it is becoming a mission-critical tool. For me, it’s mission critical because of the collaboration and teamwork occurring inside it, and the data being stored there is quickly becoming the heartbeat of many organizations and their project teams. There is one challenge, however, with storing proprietary and sensitive data in Microsoft Teams: users access that data using the Teams app not just on their PC or laptop, but on mobile devices and other (even unmanaged) computers as they perform their job. If that data is leaked, spilled, exposed or compromised, it could put the organization at risk, and as IT professionals we need to help protect against that risk.
Not to worry – Azure Active Directory Conditional Access to the rescue! Using Azure AD Conditional Access, we will ensure Microsoft Teams is only accessed on devices that are managed, whether they are Active Directory domain joined, Azure AD joined or managed by Intune. This is very easy and straightforward to set up, so let’s take a look together.
Important: Conditional Access requires Azure AD Premium. I won’t be discussing licensing requirements in this blog post; please reference this article for more information.
In the Azure Portal, I am going to create a new Azure AD Conditional Access policy with the following configuration:
- Users and Groups: “All Users”
- Cloud apps: (Include) “Microsoft Teams”
- Conditions: Client Apps -> Configure “Yes” -> Select Client Apps -> check “Browser” and “Mobile apps and desktop clients”
- Access Controls: Grant Access -> check “Require Domain Joined” and “Require device to be marked as compliant”
Important: If you check “Require device to be marked as compliant”, you must create a device compliance policy in Intune. This ensures that iOS, Android, Windows and Mac devices that try to access Microsoft Teams using the app, desktop client or website must be Intune MDM enrolled (which requires an Intune subscription). If Teams is accessed from a Windows PC that is Active Directory domain joined or Azure AD joined, the MDM enrollment requirement will not apply. Here’s what an example device compliance policy looks like in Intune:
Back to Conditional Access…
- Enable Policy: “On”
Now that the policy is created, let’s test it out. It should deny access to Microsoft Teams from unmanaged devices.
From a Windows PC that is unmanaged (not joined to Azure AD, Active Directory, or MDM enrolled):
From a Web browser:
Notice the error reads “Windows device is not in required device state: compliant”
From the Microsoft Teams Windows Desktop Application:
Next, from an iPad Pro (iOS) that is unmanaged (not MDM enrolled):
Notice it gives me the option to enroll in MDM (Intune), pretty cool!
This is a quick and easy way to ensure that users are using Microsoft Teams on managed devices, where IT can control the configuration of the device and ensure the device is healthy and compliant. What’s more, this policy can be changed to disallow users from using the Teams web client if that becomes a requirement. For additional fun, check out Microsoft Teams: Manage it using Mobile Application Management (MAM) and Microsoft Teams: Restrict Usage with Azure AD Conditional Access.
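As an added example (not code from the original posts), here are the two policies built above, the Exchange Online policy from the Intune walkthrough and the Teams policy from this one, expressed as Microsoft Graph `conditionalAccessPolicy` request bodies, with a small evaluator that replays the sign-ins tested in both posts through the same if/then logic. Assumptions: the application IDs are the well-known first-party IDs for Office 365 Exchange Online and Microsoft Teams (confirm them against the service principals in your tenant), and the evaluator models only the conditions and grant controls the posts use.

```python
# Well-known first-party application IDs for the Cloud apps condition
# (assumption: confirm them against the service principals in your tenant).
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
MICROSOFT_TEAMS = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"

def policy(name, apps, controls, operator, platforms=None, client_apps=None):
    """Build a conditionalAccessPolicy body in the Microsoft Graph v1.0 shape."""
    conditions = {"users": {"includeUsers": ["All"]},
                  "applications": {"includeApplications": apps},
                  "clientAppTypes": client_apps or ["all"]}
    if platforms:
        conditions["platforms"] = {"includePlatforms": platforms}
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}

# Post 1: Exchange Online, all platforms, compliant device AND approved client app.
MAIL_POLICY = policy("Mail: compliant device and approved app", [EXCHANGE_ONLINE],
                     ["compliantDevice", "approvedApplication"], "AND", platforms=["all"])
# Post 2: Teams via browser/desktop/mobile clients, domain joined OR compliant device.
TEAMS_POLICY = policy("Teams: managed devices only", [MICROSOFT_TEAMS],
                      ["domainJoinedDevice", "compliantDevice"], "OR",
                      client_apps=["browser", "mobileAppsAndDesktopClients"])

def evaluate(pol, app, client, controls):
    """Apply the if/then logic: 'allow', 'block', or 'n/a' when the policy does
    not target this app/client. `controls` maps built-in control -> satisfied?"""
    cond = pol["conditions"]
    if app not in cond["applications"]["includeApplications"]:
        return "n/a"
    if "all" not in cond["clientAppTypes"] and client not in cond["clientAppTypes"]:
        return "n/a"
    met = [controls.get(c, False) for c in pol["grantControls"]["builtInControls"]]
    ok = all(met) if pol["grantControls"]["operator"] == "AND" else any(met)
    return "allow" if ok else "block"

def walkthrough():
    """Replay the sign-ins from both posts (constructed sample contexts)."""
    mobile = "mobileAppsAndDesktopClients"
    return {
        "native mail, unenrolled iPad": evaluate(MAIL_POLICY, EXCHANGE_ONLINE, mobile, {}),
        "Outlook, enrolled iPad": evaluate(MAIL_POLICY, EXCHANGE_ONLINE, mobile,
                                           {"compliantDevice": True, "approvedApplication": True}),
        "native mail, enrolled iPad": evaluate(MAIL_POLICY, EXCHANGE_ONLINE, mobile,
                                               {"compliantDevice": True}),
        "Teams web, unmanaged PC": evaluate(TEAMS_POLICY, MICROSOFT_TEAMS, "browser", {}),
        "Teams web, domain-joined PC": evaluate(TEAMS_POLICY, MICROSOFT_TEAMS, "browser",
                                                {"domainJoinedDevice": True}),
    }
```

`walkthrough()` returns the outcome for each case; `MAIL_POLICY` and `TEAMS_POLICY` are the JSON bodies you would POST to `/identity/conditionalAccess/policies` in Graph v1.0.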
If you have questions or feedback, let me know in the comments below. Enjoy and have fun!