Mastering Identity and Access Management with Microsoft Azure (e-book)

Author: Jochen Nickel

Publisher: Packt Publishing

Publication date: 2019-02-26

Word count: 447,000

Start empowering users and protecting corporate data, while managing identities and access with Microsoft Azure in different environments

Key Features

* Understand how to identify and manage business drivers during transitions
* Explore Microsoft Identity and Access Management as a Service (IDaaS) solution
* Over 40 playbooks to support your learning process with practical guidelines

Book Description

Microsoft Azure and its identity and access management are at the heart of Microsoft's software as a service products, including Office 365, Dynamics CRM, and Enterprise Mobility Management. It is crucial to master Microsoft Azure in order to be able to work with the Microsoft Cloud effectively. You'll begin by identifying the benefits of Microsoft Azure in the field of identity and access management. Working through the functionality of identity and access management as a service, you will get a full overview of the Microsoft strategy. Understanding identity synchronization will help you to provide a well-managed identity. Project scenarios and examples will enable you to understand, troubleshoot, and develop on essential authentication protocols and publishing scenarios. Finally, you will acquire a thorough understanding of Microsoft Information Protection technologies.

What you will learn

* Apply technical descriptions to your business needs and deployments
* Manage cloud-only, simple, and complex hybrid environments
* Apply correct and efficient monitoring and identity protection strategies
* Design and deploy custom identity and access management solutions
* Build a complete identity and access management life cycle
* Understand authentication and application publishing mechanisms
* Use and understand the most crucial identity synchronization scenarios
* Implement a suitable information protection strategy

Who this book is for

This book is a perfect companion for developers, cyber security specialists, system and security engineers, IT consultants/architects, and system administrators who are looking for perfectly up-to-date hybrid and cloud-only scenarios. You should have some understanding of security solutions, Active Directory, access privileges/rights, and authentication methods. Programming knowledge is not required but can be helpful for using PowerShell or working with APIs to customize your solutions.
Table of Contents

Title Page

Copyright and Credits

Mastering Identity and Access Management with Microsoft Azure Second Edition

About Packt

Why subscribe?

Packt.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Reviews

Section 1: Identity Management and Synchronization

Building and Managing Azure Active Directory

Implementation scenario overview

Implementing a solid Azure Active Directory

Configuring your administrative workstation

Custom company branding

Summary and recommendations of the help information

Creating and managing users and groups

Set group owners for organizational groups

Delegated group management for organizational groups

Configure self-service group management

Create the sales internal news group as an Office 365 (distribution group)

Configure dynamic group memberships

Assign roles to administrative units

Creating an administrative unit

Adding users to an administrative unit

Scoping administrative roles

Test your configuration

Protect your administrative accounts

Provide user and group-based application access

Assign applications to users and define login information

Assign applications to groups and define login information

Self-service application management

Password reset self-service capabilities

Configure notifications

Test the password reset process

Using standard security monitoring

Integrating Azure AD Join for Windows 10 clients

Join your Windows 10 client to Azure AD

Verify the newly joined Windows 10 client

Configuring a custom domain

Configure Azure AD Domain Services

Test and verify your new Azure AD Domain Services

Summary

Understanding Identity Synchronization

Technology overview

Microsoft Identity Manager (MIM) 2016

MIM synchronization service

MIM synchronization service extensions

MIM service and portal

MIM service extensions

MIM password reset and user account unlock

MIM privileged access management

Additional solution

Cloud deployment based on identity director service

On-premises deployment based on MIM 2016

Azure Active Directory Connect

Synchronization scenarios

Single-forest integration

Multi-forest integration

Multi-Azure Active Directory Integration

Azure Active Directory Domain Services Integration

Stretched Active Directory to Azure IaaS

Azure Active Directory B2B integration

Azure Active Directory and Microsoft Office 365 synchronization

Identity and password-hash synchronization including SSO options

Identity synchronization including PingFederate integration

Identity and password-hash synchronization including ADFS integration

Azure Active Directory Connect high availability

Synchronization terms and processes

UserPrincipalName suffix decisions

Active Directory preparations

Source Anchor decisions

Connected Directories

Import flow

Placeholder objects

Synchronization flows

Inbound synchronization

Outbound synchronization

Joins

Connector objects

Disconnector objects

Export flow

Summary

Exploring Advanced Synchronization Concepts

Preparing your lab environment

Understanding declarative provisioning and expressions

Synchronization rules explained

Special considerations in advanced synchronization concepts

Using standard filters to exclude users and groups

Building a custom rule for filtering

Connecting Azure AD Connect to the second forest

Summary

Monitoring Your Identity Bridge

How Azure AD Connect Health works

Azure AD monitoring and logs

Azure Security Center for monitoring and analytics

Summary

Configuring and Managing Identity Protection

Microsoft Identity Protection solutions

Azure ATP and how to use it

Azure AD Identity Protection

Using Azure AD PIM to protect administrative privileges

Summary

Section 2: Authentication and Application Publishing

Managing Authentication Protocols

Microsoft identity platform

Common token standards in a federated world

Security Assertion Markup Language (SAML) 2.0

Key facts about SAML

WS-Federation

Key facts about WS-Federation

OAuth 2.0

Key facts about OAuth 2.0

Main OAuth 2.0 flow facts

Authorization code flow

Client credential flow

Implicit grant flow

Resource owner password credentials flow

OpenID Connect (OIDC)

Key facts about OIDC

Pass-through authentication and seamless SSO

Multi-factor authentication

Azure MFA

Certificate authentication

Device authentication

Biometric authentication

Summary

Deploying Solutions on Azure AD and ADFS

Basic environment installation and configuration

Create the certificate for your environment with let's encrypt

Installing the ADFS farm on YDADS01

Installing the Web Application Proxy on YD1URA01

Installing demo applications on (YD1APP01) for ADFS

Subscribing to demo apps (Azure AD)

Azure AD authentication deployments

ADFS Authentication deployments

Integrating Azure MFA (YD1ADS01)

Summary

Using the Azure AD App Proxy and the Web Application Proxy

Configuring additional applications for Azure AD and ADFS

Publishing with Windows server and Azure AD Web Application Proxy

Using conditional access

Summary

Deploying Additional Applications on Azure AD

Preparing your lab environment

What defines single- and multi-tenant applications

Deploying a single-tenant application including roles and claims

Moving the single-tenant app to a multi-tenant scenario

Deploying another multi-tenant app with OpenID Connect

Summary

Exploring Azure AD Identity Services

Preparing your lab environment

Understanding Azure AD B2B

Providing resource access to external partners (on-premise)

Exploring Azure AD B2C

Azure AD B2C tenant creation

Demo app registration

User flow creation

Visual Studio code modification

Comparing Azure AD B2B and B2C

Comparing AD FS with Azure B2B and B2C

Extending Active Directory solutions with Azure AD Domain Services

AD FS as an on-premise identity service for the cloud

Typical single-forest deployment

Two or more Active Directory forests running separate AD FS instances

Running one AD FS instance for multiple trusted forests

One AD FS instance for multiple Active Directory forests without an AD trust

Using a local CP trust to support multiple Active Directory forests

Using a shared Active Directory environment

Microsoft Cloud Solution Provider summary

Summary

Creating Identity Life Cycle Management in Azure

Lab environment readiness

Handling the guest user life cycle

Use Case 1 – Exploring the invitation process with different user types

Using the Azure AD B2B portal and use cases

Installation and configuration

Usage of the portal

Special considerations

On-premise application access for guest users

Azure services for automation

Summary

Section 3: Data Classification and Information Protection

Creating a Security Culture

Why do we need a security culture?

Pillars of a good security culture

Leadership support

Training

Testing

Continuous communication

General overview of data classification

Methods of data classification

Data classification and unstructured data

Data classification and Data Leakage/Loss Prevention

Data classification and compliance

Storage optimization

Access control to data

Classification scheme and policy example

Description of the classification scheme

Visual markings and rules based on the classification label

General desired behavior example

Defining the data-processing roles

Change of classification

Azure Information Protection (AIP) overview

Summary

Identifying and Detecting Sensitive Data

Extending your lab environment

Understanding and using AIP capabilities for data in motion

Scenario 1 – Usage of Azure Information Protection

Scenario 2 – Monitoring with Windows Defender ATP

Scenario 3 – Identifying sensitive information in your cloud ecosystem

Scenario 4 – Data leakage prevention in Office 365

Understanding and using AIP capabilities for data at rest

Summary

Understanding Encryption Key Management Strategies

Azure Information Protection key basics

Microsoft-managed keys

Bring your own key

What is an HSM?

What is the Azure Key Vault?

Hold your own key

How Azure RMS works under the hood

Algorithms and key lengths

User environment-initialization flow

Content-protection flow

Content-consumption flow

Summary

Configuring Azure Information Protection Solutions

Preparing to configure and manage AIP

Azure RMS management with PowerShell

Azure RMS super users

Onboarding controls

Azure RMS templates

Azure RMS logging

AIP client PowerShell

Configuring AIP

Creating the classification schema

Creating sub-labels and scoped policies

Using visual markings

Configuring automatic classification and protection

Using justification

Configuring protection options

Activating unified labeling

Lab challenge

Summary

Azure Information Protection Development

Technical requirements

Microsoft Information Protection solutions

Understanding the Microsoft Information Protection SDK

Preparing your Azure AD environment for tests

Using MIP binaries to explore functionality

Using PowerShell with Azure Information Protection

Useful Azure RMS cmdlets

Overview of the RMS 2.1 and 4.2 SDKs

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think
