Mastering Identity and Access Management with Microsoft Azure
Credits
About the Author
About the Reviewer
www.PacktPub.com
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
1. Getting Started with a Cloud-Only Scenario
Identifying business needs and challenges
Common Identity and Access Management needs
Implications of Shadow IT
The mobile workforce and cloud-first strategy
An overview of feature and licensing decisions
Azure Active Directory
Common features
Premium features
Azure Active Directory Business to Business
Azure Active Directory Business to Consumer
Azure Active Directory Privileged Identity Management
Azure MFA
Azure Rights Management
Microsoft Azure security services in combination
Defining the benefits and costs
Principles of security and legal requirements
Summary
2. Planning and Designing Cloud Identities
Understanding the user and group life cycle
Microsoft Azure Identity repositories and capabilities
Azure Active Directory conceptual architecture
Usage scenarios of Azure Active Directory Premium
Important user principles
Employee life cycle (word smart)
Defining the correct user management
Addressing successful user scenarios
Designing an added value with password management
Describing the required group principles
Group management in action
Defining the required device principles
Online device management
Designing roles and administrative units
Roles and RBAC
Designing administrative units
Managing identity reporting capabilities
Azure Active Directory Audit Report events
Summary
3. Planning and Designing Authentication and Application Access
Using Azure AD as an identity provider
Azure Active Directory Authentication endpoints
Common features for application access in Azure AD
Federation-based SSO
Password-based SSO
Password-based SSO without identity provisioning
Password-based SSO with identity provisioning
Common token standards in a federated world
Security Assertion Markup Language (SAML) 2.0
Key facts about SAML
WS-Federation
Key facts about WS-Federation
OAuth 2.0
The principal facts about OAuth 2.0
Main flow facts
Authorization code flow (very common)
Client credential flow
Implicit grant flow
Resource Owner Password Credentials flow
OpenID Connect
Azure Active Directory Domain Services
Azure Active Directory B2B
Azure Active Directory B2C
By example - SharePoint claims-based authentication
SharePoint Online use case using OAuth 2.0
User and group-based application access management
User directly assigned
Group-based
Rules-based
Data owner
Application Roles-based
Managing authentication reporting capabilities
Azure AD free monitoring capabilities
Summary
4. Building and Configuring a Suitable Azure AD
Implementation scenario overview
Implementing a solid Azure Active Directory
Configuring the requirements
Azure Active Directory deployment
Custom company branding
Creating and managing users and groups
Setting group owners for organizational groups
Delegated group management for organizational groups
Configuring self-service group management
Configuring dynamic group memberships
Assigning roles and administrative units
Connecting to Azure Active Directory
Creating an administrative unit
Adding users to an administrative unit
Scoping administrative roles
Testing your configuration
Providing user- and group-based application access
Adding several applications from the application gallery
Assigning applications to users and defining login information
Assigning applications to groups and defining login information
Self-service application management
Activating password reset self-service capabilities
Configuring notifications
Forcing password reset information
Testing the password reset process
Using standard security reports
Configuring - sign-ins after multiple failures
Possible ways to unblock a blocked user account
Possible ways to unblock a blocked user account for administrators
Unlocking the user account
Configuring - sign-ins from multiple geographies
Configuring users with anomalous sign-in activity
Integrating Azure AD join for Windows 10 clients
Join your Windows 10 client to Azure AD
Verifying the newly joined Windows 10 client
Login and adopt security policies
Testing the user experience
Configuring a custom domain
Configuring Azure AD Domain Services
Creating a virtual network
Enabling Azure AD Domain Services
Enabling password synchronization
Testing and verifying your new Azure AD Domain Services
Summary
5. Shifting to a Hybrid Scenario
Identifying business drivers and changes for a hybrid move
Identity On-Premise integration
Application detection and analysis
Special handling for moving to a multi-forest Active Directory environment
Supported topologies
Describing architectures and needed changes
Authentication integration
Multi-Factor Authentication (MFA)
Rights Management Services
Summary
6. Extending to a Basic Hybrid Environment
Identifying business needs for a hybrid approach
Typical business needs
Enterprise Mobility context
Data classification
Hybrid IAM
Mobile Device and Application management
Information protection
Desktop and application virtualization
Requirements for expansion - identity classification
Enterprise cloud suite context
Choosing the correct features
MIM 2016
Azure Active Directory Connect
Azure Active Directory Connect Health
Active Directory Federation Services
Azure MFA Server
Azure Rights Management Connector
Bring Your Own Key
Getting the benefits and costs
Applying the right security strategy for legal requirements
Service regions
Microsoft certifications
Summary
7. Designing Hybrid Identity Management Architecture
Key design concepts
On-premises features overview
Azure services features overview
Azure Active Directory design decisions
Azure subscription management
Management of common identities with Microsoft Identity Manager and Active Directory
General capabilities of MIM 2016 in a hybrid world
Use case - Office 365 license management
Use case - provisioning in an SaaS application
Small technical footnote about MIM 2016
MIM 2016 components overview
MIM Synchronization Service
Connected Data Source
Management Agent
Connector Space (CS)
Staging
Synchronization
Export
MIM Service
Choosing the best directory synchronization scenario for cloud identities
Synchronization scenarios
Directory and password synchronization
Federation and directory synchronization
Federation, directory, and password synchronization
Extension scenarios
Stretching your local Active Directory to Azure IaaS
Using Azure Active Directory Domain Services
Source Anchor decisions
IdFix error remediation tool
AAD Connect tool
General overview
Provisioning
AAD Connect Sync Flow
AAD Connect high availability
Delivering password management capabilities
Using multiple identity providers and authentication scenarios
Using multiple identity providers
AD FS architecture including the Web Application proxy (AD FS proxy)
Enabling strong authentication scenarios
What are app passwords?
Deployment models
How does advanced identity and authentication reporting work?
Summary
8. Planning Authorization and Information Protection Options
Designing and applying risk-based Access Control
Managing device registration (AD FS DRS)
Managing authentication and authorization
The magic of claims rules for application access
Delivering authentication and authorization improvements with Windows Server 2016
Features overview
LDAP authentication
Azure MFA integration
AD certificate proxy authentication
Access control policies
OAuth 2.0 and Open ID Connect
Web Application Proxy in Windows Server 2016
Enabling advanced application Access Control
Usage of MIM 2016
Group capabilities
Getting in touch with information protection
Overview and needs
Deployment models
On-Premise deployment model
Cross-premises deployment model
Important user attributes and information
Synchronization considerations
User principal name considerations
Azure RMS
Certification service
Licensing service
Rights policy templates
Azure RMS trusts
High availability
Azure rights management key material
Hardware security modules
Azure Rights Management Super User
Azure Rights Management templates
Logging services
Azure rights management trusts
RMS for individuals
RMS clients and application usage scenarios
How does authorization and information protection reporting work?
Summary
9. Building Cloud from Common Identities
Creating the basic lab environment
Virtual machines
Cloud services
Public domain and Azure AD default directory
Administrative workstation
Public SSL certificates
Internal DNS entries
External DNS entries
Mobile applications
Adding additional virtual machines
Installing and configuring the synchronization and federation environment
Preparing the group management service account - GMSA
Installing AD FS on IDB01
Configuring AD FS on IDB01
Testing AD FS functionality
Installing a Web Application Proxy on URA01
Configuring a Web Application Proxy on URA01
Testing Web Application Proxy functionality
Installing the Claims Web Application on APP01
Configuring the Claims website
Configuring the Kerberos website
Configuring the AAD/Office 365 federation
Installing and configuring Azure AD Connect
AAD Connect stepping through the initial load
Configuring attribute-based filtering
Enabling password writeback
Forcing a synchronization task after changes
Creating dynamic groups
Using on premise groups for assigning licenses
Using PowerShell to assign Office 365 licenses based on group membership
Using groups for application access assignment
Configuring self-service group management
Implementing secure remote access and SSO for on premise web applications
Publishing a Claims-based application
Publishing a Kerberos-based application
Enabling and configuring Multi-Factor Authentication
Device Registration Service (DRS)
Enabling Azure MFA for a synchronized account
Summary
10. Implementing Access Control Mechanisms
Extending the basic lab environment
Additional internal DNS entries
Additional external DNS entries
Additional endpoint configuration for URA03
Configuring fixed IP addresses
Configuring conditional access control
Installing and configuring the Azure MFA server
Integrating Azure MFA in ADFS
First conditional access scenario
Second conditional access scenario
Additional configuration for mitigating risks and user support
Enabling and configuring information protection
Enabling and configuring Azure RMS
Implementing and configuring the RMS Connector
Configuring the protect files on a file share scenario
Securing your most valuable files
Configuring advanced security scenarios with Windows Server 2016
Azure MFA integration
Device registration and authentication
A small challenge - HTTP to HTTPS publishing
Working with Access Control Policies
Summary
11. Managing Transition Scenarios with Special Scenarios
Identifying special Active Directory and ADFS considerations
Single Forest scenario with multiple Azure AD tenants
Extending your resource access to external partners (on-premise)
B2B WebSSO scenario
B2B active clients support
Modern service provider architectures and Azure IdAM integrations
Fabric management - Active Directory
Fabric management - identity synchronization
Fabric management - identity management
Tenant management - Active Directory
Tenant management identity synchronization - tenant AD and Customer AD
Tenant management - Federation Services
Customer premises - Identity and Access Management
Planning the correct connectivity to your Azure infrastructure
Express-Route
Microsoft Azure Site-to-Site (S2S) VPN
Microsoft Azure Point-to-Site VPN
Forced tunneling
Integrating Azure MFA in your MIM 2016 deployment
Knowing the migrate from AD RMS to Azure RMS shortcut
Summary
12. Advanced Considerations for Complex Scenarios
Additional business needs in a complex hybrid environment
Is data classification really needed?
Why do we need identity protection?
Device and general certificate management requirements
Advanced information for often-used additional features
Privileged identity management and protection
Microsoft Advanced Threat Analytics (ATA)
MIM 2016 and Windows Server - Privileged Access Management (PAM)
Azure identity protection
Azure Privileged Identity Management (PIM)
Device management and enterprise data protection
Certificate management
Summary
13. Delivering Multi-Forest Hybrid Architectures
Enabling identity synchronization in multi-forest environments
UPN suffix decisions (recap)
Supporting the separate technologies scenario
Handling a full mesh scenario with optional GAL synchronization
Providing synchronization for an account and resource forest scenario
Understanding AAD Connect rule precedence logic
Guidance through federation in multi-forest environments
Typical single-forest deployment
Two or more Active Directory forests running separate ADFS instances
Running one AD FS instance for multiple trusted forests
Supporting one AD FS instance for multiple Active Directory forests without an AD trust relationship
Using alternate login ID and ADAL
Disassociation of AAD UPN from AD DS UPN and trade-offs
What does modern authentication mean?
How Outlook authentication works today
How authentication happens with Word and SharePoint Online
Monitoring with AAD Connect Health
Getting in touch with the AAD Connect Health service
AAD Connect Health - Management interface
AAD Connect Health - alerts, usage, and performance insights
Comparing AD FS against Azure B2B/B2C
Comparing ADFS versus Azure B2B
Comparing ADFS versus Azure B2C
Designing ADFS 4.0 identity and attribute stores
Using custom attributes store to populate claims
Using a new identity store as claims provider
Summary
14. Installing and Configuring the Enhanced Identity Infrastructure
Important note for readers
Creating the extended lab environment
Virtual machines
Public domains and Azure AD Default Directory
The public SSL certificate
Internal and external DNS entries
Additional lab environment information
Installing and configuring the multi-forest synchronization environment
Configuring AAD Connect to add the additional forest
Configuring AAD Connect high availability
Viewing AAD Connect Health for synchronization components
Installing and configuring the multi-forest and high availability Federation environments
Building high availability - ADFS and Web Application Proxy in identityplus.ch
Configuring ADFS to support multiple forests
Configuring ADFS to support a partner organization
Prerequisites
Configuring Home Realm Discovery (HRD)
Configuring ADLDS and ADFS - additional attribute store
Sending information from an AD claim rule
Sending claims using a custom rule
Delegating the administration of ADFS
Configuring AAD Connect Health for Federation components
Configuring AD FS to support Windows Integrated Authentication on certain browsers
Configuring alternate login ID
Configuring application access with ADFS, WAP, and AAD AP
Using Azure AD Application Proxy to publish applications
Publish Exchange and SharePoint on premise
Publishing Lync/S4B on premise
Publishing Remote Desktop Services on premise
Publishing Microsoft Identity Manager
Configuring Multi-Factor authentication scenarios for Conditional Access
Configuring certificate-based authentication
Summary
15. Installing and Configuring Information Protection Features
Preparing your admin workstation to manage Azure RMS
Configuring onboarding controls
Delegating administrative permissions
Enabling Azure RMS super users
Configuring Exchange Online to use Rights Management capabilities
Configuring Exchange to use Rights Management capabilities
Configuring SharePoint to use Rights Management capabilities
Creating and publishing custom Rights Policy templates
Creating a custom rights policy template
Verifying Azure RMS logging
Preview of Azure Information Protection
SAP integration as a special scenario
Configuring a BYOK scenario
Summary
16. Choosing the Right Technology, Methods, and Future Trends
MIM 2016 future improvements
Synchronization engine merger
REST API support
PAM improvements
MIM and Exchange Online integration
MIM compatibility updates
Advanced Conditional Access Helper
Conditional Access Client scenarios - mail access
Client scenario Outlook 2010 on domain joined computer
Client scenario Outlook 2013 on domain joined computer
Client scenario Outlook 2013/16 on domain joined computer with Windows 7/8.1
Client scenario Outlook 2013/16 on domain joined computer with Windows 10
Client scenario iOS and Android ActiveSync Mail Clients
Client scenario Outlook for iOS and Android
Client scenario OWA for iOS and Android
Client scenario Outlook WP8.1
Client scenario Outlook 2016 Mac OS X
Conditional Access Client scenarios - SharePoint access
Client scenario Browser from domain joined PC Windows 7/8.1
Client scenario Browser from domain joined PC Windows 10
Client scenario Browser from Mac OS
Client scenario OD4B Client from domain joined PC Windows 7/8.1
Client scenario OD4B Client from domain joined PC Windows 10
Client scenario non-ADAL OD4B client
Client scenario OD4B Client from mobile devices
Summary