Mastering Identity and Access Management with Microsoft Azure

Book Description

Start empowering users and protecting corporate data, while managing Identities and Access with Microsoft Azure in different environments

About This Book

  • Deep dive into the Microsoft Identity and Access Management as a Service (IDaaS) solution

  • Design, implement and manage simple and complex hybrid identity and access management environments

  • Learn to apply solution architectures directly to your business needs and understand how to identify and manage business drivers during transitions

Who This Book Is For

This book is for business decision makers, IT consultants, and system and security engineers who wish to plan, design, and implement Identity and Access Management solutions with Microsoft Azure.

What You Will Learn

  • Apply technical descriptions and solution architectures directly to your business needs and deployments

  • Identify and manage business drivers and architecture changes to transition between different scenarios

  • Understand and configure all relevant Identity and Access Management key features and concepts

  • Implement simple and complex directory integration, authentication, and authorization scenarios

  • Get to know about modern identity management, authentication, and authorization protocols and standards

  • Implement and configure a modern information protection solution

  • Integrate and configure future improvements in authentication and authorization functionality of Windows 10 and Windows Server 2016

In Detail

Microsoft Azure and its Identity and Access Management is at the heart of Microsoft’s Software as a Service, including Office 365, Dynamics CRM, and Enterprise Mobility Management. It is an essential tool to master in order to work effectively with the Microsoft Cloud. Through practical, project-based learning, this book will impart that mastery.

Beginning with the basics of features and licenses, this book quickly moves on to the user and group lifecycle required to design roles and administrative units for role-based access control (RBAC). Learn to design Azure AD to be an identity provider and provide flexible and secure access to SaaS applications. Get to grips with how to configure and manage users, groups, roles, and administrative units to provide user- and group-based application access and self-service access, including the audit functionality.

Next, find out how to take advantage of managing common identities with Microsoft Identity Manager 2016 and build cloud identities with the Azure AD Connect utility. Construct blueprints with different authentication scenarios, including multi-factor authentication. Discover how to configure and manage the identity synchronization and federation environment along with multi-factor authentication, conditional access, and information protection scenarios to apply the required security functionality.

Finally, get recommendations for planning and implementing a future-oriented and sustainable identity and access management strategy.

Style and approach

A practical, project-based learning experience explained through hands-on examples.

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

Table of Contents

    1. Mastering Identity and Access Management with Microsoft Azure
      1. Mastering Identity and Access Management with Microsoft Azure
      2. Credits
      3. About the Author
      4. About the Reviewer
        1. Why subscribe?
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Downloading the color images of this book
          3. Errata
          4. Piracy
          5. Questions
      7. 1. Getting Started with a Cloud-Only Scenario
        1. Identifying business needs and challenges
          1. Common Identity and Access Management needs
            1. Implications of Shadow IT
            2. The mobile workforce and cloud-first strategy
        2. An overview of feature and licensing decisions
          1. Azure Active Directory
            1. Common features
          2. Premium features
          3. Azure Active Directory Business to Business
          4. Azure Active Directory Business to Consumer
          5. Azure Active Directory Privileged Identity Management
          6. Azure MFA
          7. Azure Rights Management
          8. Microsoft Azure security services in combination
        3. Defining the benefits and costs
        4. Principles of security and legal requirements
        5. Summary
      8. 2. Planning and Designing Cloud Identities
        1. Understanding the user and group life cycle
          1. Microsoft Azure Identity repositories and capabilities
          2. Azure Active Directory conceptual architecture
          3. Usage scenarios of Azure Active Directory Premium
          4. Important user principles
        2. Employee life cycle (word smart)
          1. Defining the correct user management
          2. Addressing successful user scenarios
          3. Designing an added value with password management
          4. Describing the required group principles
          5. Group management in action
          6. Defining the required device principles
          7. Online device management
        3. Designing roles and administrative units
          1. Roles and RBAC
          2. Designing administrative units
        4. Managing identity reporting capabilities
          1. Azure Active Directory Audit Report events
        5. Summary
      9. 3. Planning and Designing Authentication and Application Access
        1. Using Azure AD as an identity provider
          1. Azure Active Directory Authentication endpoints
          2. Common features for application access in Azure AD
            1. Federation-based SSO
            2. Password-based SSO
              1. Password-based SSO without identity provisioning
              2. Password-based SSO with identity provisioning
          3. Common token standards in a federated world
          4. Security Assertion Markup Language (SAML) 2.0
            1. Key facts about SAML
          5. WS-Federation
            1. Key facts about WS-Federation
          6. OAuth 2.0
            1. The principal facts about OAuth 2.0
            2. Main flow facts
            3. Authorization code flow (very common)
            4. Client credential flow
            5. Implicit grant flow
            6. Resource Owner Password Credentials flow
          7. OpenID Connect
          8. Azure Active Directory Domain Services
          9. Azure Active Directory B2B
          10. Azure Active Directory B2C
          11. By example - SharePoint claims-based authentication
            1. SharePoint Online use case using OAuth 2.0
        2. User and group-based application access management
          1. User directly assigned
          2. Group-based
            1. Rules-based
            2. Data owner
          3. Application Roles-based
        3. Managing authentication reporting capabilities
          1. Azure AD free monitoring capabilities
        4. Summary
      10. 4. Building and Configuring a Suitable Azure AD
        1. Implementation scenario overview
        2. Implementing a solid Azure Active Directory
          1. Configuring the requirements
          2. Azure Active Directory deployment
          3. Custom company branding
        3. Creating and managing users and groups
          1. Setting group owners for organizational groups
          2. Delegated group management for organizational groups
          3. Configuring self-service group management
          4. Configuring dynamic group memberships
        4. Assigning roles and administrative units
          1. Connecting to Azure Active Directory
          2. Creating an administrative unit
          3. Adding users to an administrative unit
          4. Scoping administrative roles
          5. Testing your configuration
        5. Providing user- and group-based application access
          1. Adding several applications from the application gallery
          2. Assigning applications to users and defining login information
          3. Assigning applications to groups and defining login information
          4. Self-service application management
        6. Activating password reset self-service capabilities
          1. Configuring notifications
          2. Forcing password reset information
          3. Testing the password reset process
        7. Using standard security reports
          1. Configuring - sign-ins after multiple failures
            1. Possible ways to unblock a blocked user account
            2. Possible ways to unblock a blocked user account for administrators
            3. Unlocking the user account
          2. Configuring - sign-ins from multiple geographies
          3. Configuring users with anomalous sign in activity
        8. Integrating Azure AD join for Windows 10 clients
          1. Join your Windows 10 client to Azure AD
          2. Verifying the new joined Windows 10 client
          3. Login and adopt security policies
          4. Testing the user experience
        9. Configuring a custom domain
        10. Configuring Azure AD Domain Services
          1. Creating a virtual network
          2. Enabling Azure AD Domain Services
          3. Enabling password synchronization
          4. Testing and verifying your new Azure AD Domain Services
        11. Summary
      11. 5. Shifting to a Hybrid Scenario
        1. Identifying business drivers and changes for a hybrid move
          1. Identity On-Premise integration
          2. Application detection and analysis
        2. Special handling for moving to a multi-forest Active Directory environment
          1. Supported topologies
        3. Describing architectures and needed changes
          1. Authentication integration
          2. Multi-Factor Authentication (MFA)
          3. Rights Management Services
        4. Summary
      12. 6. Extending to a Basic Hybrid Environment
        1. Identifying business needs for a hybrid approach
          1. Typical business needs
          2. Enterprise Mobility context
            1. Data classification
            2. Hybrid IAM
            3. Mobile Device and Application management
            4. Information protection
            5. Desktop and application virtualization
            6. Requirements for expansion - identity classification
          3. Enterprise cloud suite context
        2. Choosing the correct features
          1. MIM 2016
          2. Azure Active Directory Connect
          3. Azure Active Directory Connect Health
          4. Active Directory Federation Services
          5. Azure MFA Server
          6. Azure Rights Management Connector
          7. Bring Your Own Key
        3. Getting the benefits and costs
        4. Applying the right security strategy for legal requirements
          1. Service regions
          2. Microsoft certifications
        5. Summary
      13. 7. Designing Hybrid Identity Management Architecture
        1. Key design concepts
          1. On-premises features overview
          2. Azure services features overview
          3. Azure Active Directory design decisions
          4. Azure subscription management
        2. Management of common identities with Microsoft Identity Manager and Active Directory
          1. General capabilities of MIM 2016 in a hybrid world
          2. Use case - Office 365 license management
          3. Use case - provisioning in an SaaS application
          4. Small technical footnote about MIM 2016
            1. MIM 2016 components overview
            2. MIM Synchronization Service
              1. Connected Data Source
              2. Management Agent
              3. Connector Space (CS)
              4. Staging
              5. Synchronization
              6. Export
            3. MIM Service
        3. Choosing the best directory synchronization scenario for cloud identities
          1. Synchronization scenarios
            1. Directory and password synchronization
            2. Federation and directory synchronization
            3. Federation, directory, and password synchronization
          2. Extension scenarios
            1. Stretching your local Active Directory to Azure IaaS
            2. Using Azure Active Directory Domain Services
          3. Source Anchor decisions
          4. IdFix error remediation tool
          5. AAD Connect tool
            1. General overview
              1. Provisioning
            2. AAD Connect Sync Flow
            3. AAD Connect high availability
        4. Delivering password management capabilities
        5. Using multiple identity providers and authentication scenarios
          1. Using multiple identity providers
          2. AD FS architecture including the Web Application proxy (AD FS proxy)
        6. Enabling strong authentication scenarios
          1. What are app passwords?
          2. Deployment models
        7. How does advanced identity and authentication reporting work?
        8. Summary
      14. 8. Planning Authorization and Information Protection Options
        1. Designing and applying risk-based Access Control
          1. Managing device registration (AD FS DRS)
          2. Managing authentication and authorization
          3. The magic of claims rules for application access
        2. Delivering authentication and authorization improvements with Windows Server 2016
          1. Features overview
          2. LDAP authentication
          3. Azure MFA integration
          4. AD certificate proxy authentication
          5. Access control policies
          6. OAuth 2.0 and Open ID Connect
          7. Web Application Proxy in Windows Server 2016
        3. Enabling advanced application Access Control
          1. Usage of MIM 2016
          2. Group capabilities
        4. Getting in touch with information protection
          1. Overview and needs
          2. Deployment models
            1. On-Premise deployment model
            2. Cross-premises deployment model
          3. Important user attributes and information
            1. Synchronization considerations
            2. User principal name considerations
          4. Azure RMS
            1. Certification service
            2. Licensing service
            3. Rights policy templates
            4. Azure RMS trusts
          5. High availability
          6. Azure rights management key material
            1. Hardware security modules
          7. Azure Rights Management Super User
          8. Azure Rights Management templates
          9. Logging services
          10. Azure rights management trusts
          11. RMS for individuals
          12. RMS clients and application usage scenarios
        5. How does authorization and information protection reporting work?
        6. Summary
      15. 9. Building Cloud from Common Identities
        1. Creating the basic lab environment
          1. Virtual machines
          2. Cloud services
          3. Public domain and Azure AD default directory
          4. Administrative workstation
          5. Public SSL certificates
          6. Internal DNS entries
          7. External DNS entries
          8. Mobile applications
          9. Adding additional virtual machines
        2. Installing and configuring the synchronization and federation environment
          1. Preparing the group management service account - GMSA
          2. Installing AD FS on IDB01
          3. Configuring AD FS on IDB01
          4. Testing AD FS functionality
          5. Installing a Web Application Proxy on URA01
          6. Configuring a Web Application Proxy on URA01
          7. Testing Web Application Proxy functionality
          8. Installing the Claims Web Application on APP01
          9. Configuring the Claims website
          10. Configuring the Kerberos website
          11. Configuring the AAD/Office 365 federation
          12. Installing and configuring Azure AD Connect
          13. AAD Connect stepping through the initial load
          14. Configuring attribute-based filtering
          15. Enabling password writeback
          16. Forcing a synchronization task after changes
        3. Creating dynamic groups
          1. Using on premise groups for assigning licenses
          2. Using PowerShell to assign Office 365 licenses based on group membership
          3. Using groups for application access assignment
        4. Configuring self-service group management
        5. Implementing secure remote access and SSO for on premise web applications
          1. Publishing a Claims-based application
          2. Publishing a Kerberos-based application
        6. Enabling and configuring Multi-Factor Authentication
          1. Device Registration Service (DRS)
          2. Enabling Azure MFA for a synchronized account
        7. Summary
      16. 10. Implementing Access Control Mechanisms
        1. Extending the basic lab environment
          1. Additional internal DNS entries
          2. Additional external DNS entries
          3. Additional endpoint configuration for URA03
          4. Configuring fixed IP addresses
        2. Configuring conditional access control
          1. Installing and configuring the Azure MFA server
          2. Integrating Azure MFA in ADFS
          3. First conditional access scenario
          4. Second conditional access scenario
          5. Additional configuration for mitigating risks and user support
        3. Enabling and configuring information protection
          1. Enabling and configuring Azure RMS
          2. Implementing and configuring the RMS Connector
          3. Configuring the protect files on a file share scenario
          4. Securing your most valuable files
        4. Configuring advanced security scenarios with Windows Server 2016
          1. Azure MFA integration
          2. Device registration and authentication
          3. A small challenge - HTTP to HTTPS publishing
          4. Working with Access Control Policies
        5. Summary
      17. 11. Managing Transition Scenarios with Special Scenarios
        1. Identifying special Active Directory and ADFS considerations
          1. Single Forest scenario with multiple Azure AD tenants
          2. Extending your resource access to external partners (on-premise)
            1. B2B WebSSO scenario
            2. B2B active clients support
          3. Modern service provider architectures and Azure IdAM integrations
            1. Fabric management - Active Directory
            2. Fabric management - identity synchronization
            3. Fabric management - identity management
            4. Tenant management - Active Directory
            5. Tenant management identity synchronization - tenant AD and Customer AD
            6. Tenant management - Federation Services
            7. Customer premises - Identity and Access Management
        2. Planning the correct connectivity to your Azure infrastructure
          1. Express-Route
          2. Microsoft Azure Site-to-Site (S2S) VPN
          3. Microsoft Azure Point-to-Site VPN
          4. Forced tunneling
        3. Integrating Azure MFA in your MIM 2016 deployment
        4. Knowing the migrate from AD RMS to Azure RMS shortcut
        5. Summary
      18. 12. Advanced Considerations for Complex Scenarios
        1. Additional business needs in a complex hybrid environment
          1. Is data classification really needed?
          2. Why do we need identity protection?
          3. Device and general certificate management requirements
        2. Advanced information for often-used additional features
          1. Privileged identity management and protection
            1. Microsoft Advanced Threat Analytics (ATA)
            2. MIM 2016 and Windows Server - Privileged Access Management (PAM)
            3. Azure identity protection
            4. Azure Privileged Identity Management (PIM)
          2. Device management and enterprise data protection
          3. Certificate management
        3. Summary
      19. 13. Delivering Multi-Forest Hybrid Architectures
        1. Enabling identity synchronization in multi-forest environments
          1. UPN suffix decisions (recap)
          2. Supporting the separate technologies scenario
          3. Handling a full mesh scenario with optional GAL synchronization
          4. Providing synchronization for an account and resource forest scenario
          5. Understanding AAD Connect rule precedence logic
        2. Guidance through federation in multi-forest environments
          1. Typical single-forest deployment
          2. Two or more Active Directory forests running separate ADFS instances
          3. Running one AD FS instance for multiple trusted forests
          4. Supporting one AD FS instance for multiple Active Directory forests without an AD trust relationship
        3. Using alternate login ID and ADAL
          1. Disassociation of AAD UPN from AD DS UPN and trade-offs
          2. What does modern authentication mean?
          3. How Outlook authentication works today
          4. How authentication happens with Word and SharePoint Online
          5. Monitoring with AAD Connect Health
          6. Getting in touch with the AAD Connect Health service
          7. AAD Connect Health - Management interface
          8. AAD Connect Health - alerts, usage, and performance insights
        4. Comparing AD FS against Azure B2B/B2C
          1. Comparing ADFS versus Azure B2B
          2. Comparing ADFS versus Azure B2C
        5. Designing ADFS 4.0 identity and attribute stores
          1. Using custom attributes store to populate claims
          2. Using a new identity store as claims provider
        6. Summary
      20. 14. Installing and Configuring the Enhanced Identity Infrastructure
        1. Important note for readers
        2. Creating the extended lab environment
          1. Virtual machines
          2. Public domains and Azure AD Default Directory
          3. The public SSL certificate
          4. Internal and external DNS entries
          5. Additional lab environment information
        3. Installing and configuring the multi-forest synchronization environment
          1. Configuring AAD Connect to add the additional forest
          2. Configuring AAD Connect high availability
          3. Viewing AAD Connect Health for synchronization components
        4. Installing and configuring the multi-forest and high availability Federation environments
          1. Building high availability - ADFS and Web Application Proxy in
          2. Configuring ADFS to support multiple forests
          3. Configuring ADFS to support a partner organization
            1. Prerequisites
          4. Configuring Home Realm Discovery (HRD)
          5. Configuring ADLDS and ADFS - additional attribute store
            1. Sending information from an AD claim rule
            2. Sending claims using a custom rule
          6. Delegating the administration of ADFS
          7. Configuring AAD Connect Health for Federation components
          8. Configuring AD FS to support Windows Integrated Authentication on certain browsers
          9. Configuring alternate login ID
        5. Configuring application access with ADFS, WAP, and AAD AP
          1. Using Azure AD Application Proxy to publish applications
          2. Publish Exchange and SharePoint on premise
          3. Publishing Lync/S4B on premise
          4. Publishing Remote Desktop Services on premise
          5. Publishing Microsoft Identity Manager
        6. Configuring Multi-Factor authentication scenarios for Conditional Access
          1. Configuring certificate-based authentication
        7. Summary
      21. 15. Installing and Configuring Information Protection Features
        1. Preparing your admin workstation to manage Azure RMS
        2. Configuring onboarding controls
        3. Delegating administrative permissions
        4. Enabling Azure RMS super users
        5. Configuring Exchange Online to use Rights Management capabilities
        6. Configuring Exchange to use Rights Management capabilities
        7. Configuring SharePoint to use Rights Management capabilities
        8. Creating and publishing custom Rights Policy templates
          1. Creating a custom rights policy template
        9. Verifying Azure RMS logging
        10. Preview of Azure Information Protection
        11. SAP integration as a special scenario
        12. Configuring a BYOK scenario
        13. Summary
      22. 16. Choosing the Right Technology, Methods, and Future Trends
        1. MIM 2016 future improvements
          1. Synchronization engine merger
          2. REST API support
          3. PAM improvements
          4. MIM and Exchange Online integration
          5. MIM compatibility updates
          6. Advanced Conditional Access Helper
          7. Conditional Access Client scenarios - mail access
            1. Client scenario Outlook 2010 on domain joined computer
            2. Client scenario Outlook 2013 on domain joined computer
            3. Client scenario Outlook 2013/16 on domain joined computer with Windows 7/8.1
            4. Client scenario Outlook 2013/16 on domain joined computer with Windows 10
            5. Client scenario iOS and Android ActiveSync Mail Clients
            6. Client scenario Outlook for iOS and Android
            7. Client scenario OWA for iOS and Android
            8. Client scenario Outlook WP8.1
            9. Client scenario Outlook 2016 Mac OS X
            10. Conditional Access Client scenarios - SharePoint access
              1. Client scenario Browser from domain joined PC Windows 7/8.1
              2. Client scenario Browser from domain joined PC Windows 10
              3. Client scenario Browser from Mac OS
              4. Client scenario OD4B Client from domain joined PC Windows 7/8.1
              5. Client scenario OD4B Client from domain joined PC Windows 10
              6. Client scenario non-ADAL OD4B client
              7. Client scenario OD4B Client from mobile devices
        2. Summary