Unit 2b
UNIT-2
Azure Active Directory (AD) and Azure AD DS
Introduction to Azure AD
In this module, you’ll be introduced to the Azure identity, access, and security services and tools. You’ll learn about
directory services in Azure, authentication methods, and access control. You’ll also cover things like Zero Trust and
defense in depth, and how they keep your cloud safer.
Learning objectives
● Describe directory services in Azure, including Azure Active Directory (AD) and Azure AD DS.
● Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication (MFA),
and passwordless.
● Describe external identities and guest access in Azure.
● Describe Azure AD Conditional Access.
● Describe Azure Role Based Access Control (RBAC).
● Describe the concept of Zero Trust.
Describe Azure directory services
• Azure Active Directory (Azure AD) is a directory service that enables you to sign in and access both Microsoft cloud
applications and cloud applications that you develop. Azure AD can also help you maintain your on-premises Active
Directory deployment.
• For on-premises environments, Active Directory running on Windows Server provides an identity and access
management service that's managed by your organization. Azure AD is Microsoft's cloud-based identity and access
management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is
available globally. If you've worked with Active Directory, Azure AD will be familiar to you.
• When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts. When you
connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at
no extra cost. For example, Azure AD can detect sign-in attempts from unexpected locations or unknown devices.
Who uses Azure AD?
Azure AD is for:
IT administrators. Administrators can use Azure AD to control access to applications and resources based on
their business requirements.
App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to
applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user's
existing credentials.
Users. Users can manage their identities and take maintenance actions like self-service password reset.
Online service subscribers. Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online
subscribers are already using Azure AD to authenticate into their account.
What does Azure AD do?
● Authentication: This includes verifying identity to access applications and resources. It also includes
providing functionality such as self-service password reset, multifactor authentication, a custom list of
banned passwords, and smart lockout services.
● Single sign-on: Single sign-on (SSO) enables you to remember only one username and one password to
access multiple applications. A single identity is tied to a user, which simplifies the security model. As
users change roles or leave an organization, access modifications are tied to that identity, which greatly
reduces the effort needed to change or disable accounts.
● Application management: You can manage your cloud and on-premises apps by using Azure AD.
Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on provide a better user
experience.
● Device management: Along with accounts for individual people, Azure AD supports the registration of
devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for
device-based Conditional Access policies to restrict access attempts to only those coming from known
devices, regardless of the requesting user account.
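The "custom list of banned passwords" in the Authentication bullet is Azure AD Password Protection. Microsoft documents how it evaluates a candidate password: the password is normalized (uppercase to lowercase, then common substitutions such as 0 to o, 1 to l, $ to s, @ to a), banned terms from the global and tenant lists are located in it, and it is scored with one point per banned term found and one point per remaining character; a password needs at least five points to be accepted. The Python below is an added example that reproduces that documented scoring, not Microsoft's code. It uses exact substring matching only (the real service also applies fuzzy matching within edit distance 1 and checks the user's first name, last name and tenant name), and the global banned list here is a constructed stand-in, since Microsoft does not publish the real one.

```python
"""Model of the Azure AD Password Protection scoring rule (added example, not Microsoft's code)."""

# Normalization as documented for the service: lowercase, then these substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5          # documented acceptance threshold
MARKER = "\x00"         # stands in for one matched banned term; cannot occur in a real password

# Constructed stand-in for Microsoft's (unpublished) global banned list.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "blank"}


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def evaluate_password(password: str, custom_banned=()) -> dict:
    """Score a candidate password against the global list plus a tenant's custom list."""
    remaining = normalize(password)
    # Tenant list entries are 4 to 16 characters; shorter strings are ignored here.
    banned = {normalize(w) for w in (*GLOBAL_BANNED, *custom_banned) if len(w) >= 4}
    matched = []
    # Longest terms first, so a long term is consumed before a shorter term inside it.
    for term in sorted(banned, key=len, reverse=True):
        while term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, MARKER, 1)
    # Each matched term is now a single MARKER character, so the length of what is left
    # is exactly the documented score: 1 point per banned term + 1 point per other character.
    points = len(remaining)
    return {"points": points, "accepted": points >= MIN_POINTS, "banned_terms": matched}


if __name__ == "__main__":
    for pw in ("C0ntos0Blank12", "ContoS0Bl@nkf9!", "P@$$w0rd", "correct horse battery staple"):
        print(f"{pw!r}: {evaluate_password(pw, custom_banned=['contoso'])}")
```

With "contoso" on the tenant list, "C0ntos0Blank12" normalizes to "contosoblank12" and scores [contoso] + [blank] + 1 + 2 = 4 points, so it is rejected, while "ContoS0Bl@nkf9!" scores [contoso] + [blank] + f + 9 + ! = 5 points and is accepted; these are the two worked cases Microsoft's documentation uses.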
Can I connect my on-premises AD with Azure AD?
• If you had an on-premises environment running Active Directory and a cloud deployment using Azure AD, you would
need to maintain two identity sets. However, you can connect Active Directory with Azure AD, enabling a consistent
identity experience between cloud and on-premises.
• One method of connecting Azure AD with your on-premises AD is using Azure AD Connect. Azure AD Connect
synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes
changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service
password reset under both systems.
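The simplest Azure AD Connect sign-in option is password hash synchronization (PHS), and it is worth seeing what actually leaves the domain, because it is not the on-premises password hash. Microsoft documents the derivation: the 16-byte NT (MD4) hash is written out as its 32-character hex string, that string is re-encoded as UTF-16 (64 bytes), and the result is run through PBKDF2-HMAC-SHA256 with a per-user 10-byte salt and 1,000 iterations, producing a 32-byte value; at sign-in Azure AD repeats the same steps on the entered password and compares. The Python below is an added example that reproduces that derivation from a constructed NT hash. It is not the sync agent's code, it assumes PHS is the chosen sign-in method, and the case of the hex string (lowercase here) is an assumption the documentation does not state.

```python
import hashlib
import hmac
import os
from typing import Optional

PHS_ITERATIONS = 1000     # documented PBKDF2 iteration count for PHS
PHS_SALT_LEN = 10         # documented per-user salt length, in bytes
PHS_OUTPUT_LEN = 32       # documented derived-hash length, in bytes


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte NT (MD4) hash -> 32 hex characters -> UTF-16-LE, i.e. 64 bytes."""
    if len(nt_hash) != 16:
        raise ValueError("an NT hash is 16 bytes")
    # Lowercase hex is an assumption; the documentation does not state the case.
    return nt_hash.hex().encode("utf-16-le")


def derive_phs_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256(expanded hash, per-user salt, 1000 iterations) -> 32 bytes."""
    if len(salt) != PHS_SALT_LEN:
        raise ValueError(f"salt must be {PHS_SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PHS_ITERATIONS, dklen=PHS_OUTPUT_LEN)


def sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """What the agent ships for one user: the salt and the derived hash, never the NT hash."""
    salt = os.urandom(PHS_SALT_LEN) if salt is None else salt
    return {"salt": salt, "hash": derive_phs_hash(nt_hash, salt)}


def verify_in_cloud(candidate_nt_hash: bytes, record: dict) -> bool:
    """Cloud-side check at sign-in: re-derive with the stored salt, compare in constant time."""
    return hmac.compare_digest(derive_phs_hash(candidate_nt_hash, record["salt"]), record["hash"])


if __name__ == "__main__":
    # Constructed input: the well-known NT hash of the string "password".
    nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    rec = sync_record(nt)
    print("salt:", rec["salt"].hex())
    print("hash:", rec["hash"].hex())
    print("NT hash bytes present in the synced record?", nt in rec["hash"])
```

The practical point for a defender: a value captured from the sync channel or from Azure AD is a salted, iterated PBKDF2 output, so it cannot be replayed in pass-the-hash against the on-premises domain the way the NT hash itself could.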
Azure Active Directory Domain Services
• Azure Active Directory Domain Services (Azure AD DS) is a service that provides managed domain services
such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM
authentication. Just like Azure AD lets you use directory services without having to maintain the infrastructure
supporting it, with Azure AD DS, you get the benefit of domain services without the need to deploy, manage,
and patch domain controllers (DCs) in the cloud.
• An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern
authentication methods, or where you don't want directory lookups to always go back to an on-premises AD
DS environment. You can lift and shift those legacy applications from your on-premises environment into a
managed domain, without needing to manage the AD DS environment in the cloud.
How does Azure AD DS work?
When you create an Azure AD DS managed domain, you define a unique namespace. This namespace is the domain
name. Two Windows Server domain controllers are then deployed into your selected Azure region. This deployment
of DCs is known as a replica set.
You don't need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the
managed domain, including backups and encryption at rest using Azure Disk Encryption.
Azure authentication methods
Authentication is the process of establishing the identity of a person, service, or device. It requires the person,
service, or device to provide some type of credential to prove who they are. Authentication is like presenting ID
when you’re traveling. It doesn’t confirm that you’re ticketed, it just proves that you're who you say you are.
Azure supports multiple authentication methods, including standard passwords, single sign-on (SSO),
multifactor authentication (MFA), and passwordless.
Single sign-on
● Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources
and applications from different providers. For SSO to work, the different applications and providers must trust
the initial authenticator.
● More identities mean more passwords to remember and change. Password policies can vary among
applications. As complexity requirements increase, it becomes increasingly difficult for users to remember
them. The more passwords a user has to manage, the greater the risk of a credential-related security incident.
With SSO, you need to remember only one ID and one password. Access across applications is granted to a single
identity that's tied to the user, which simplifies the security model. As users change roles or leave an organization,
access is tied to a single identity. This change greatly reduces the effort needed to change or disable accounts.
Using SSO for accounts makes it easier for users to manage their identities and for IT to manage users.
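"The different applications and providers must trust the initial authenticator" is concrete work on the application side: an app that accepts an Azure AD token has to verify the token's signature and then check that it was issued by the expected tenant, for this particular app, and within its validity window; skipping any one of those checks lets a token minted for another app or another tenant sign in. The Python below is an added example of those relying-party checks, not Azure AD's code or any Microsoft library. To run offline it signs with a shared HMAC key; real Azure AD tokens are RS256-signed and an app must verify them against the tenant's published signing keys (the jwks_uri in the OpenID Connect metadata). The tenant ID, client ID and claims are constructed, and treating the amr claim as the record of whether MFA was performed is an assumption about the token's contents.

```python
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # constructed tenant id
CLIENT_ID = "66666666-7777-8888-9999-000000000000"   # constructed app registration id
CLOCK_SKEW = 300                                     # seconds of tolerance for exp / nbf


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider: HS256-signed JWT (Azure AD really uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker tries when a verifier honours the token's own alg field."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def validate_token(token: str, key: bytes, tenant_id: str = TENANT_ID,
                   client_id: str = CLIENT_ID, now=None, require_mfa: bool = False):
    """Relying-party checks. Returns (True, claims) or (False, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable header or payload"
    # 1. Pin the algorithm before trusting anything else; never honour alg=none.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    # 2. Issuer and tenant: the token must come from our tenant's v2.0 endpoint.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        return False, "wrong issuer"
    if claims.get("tid") != tenant_id:
        return False, "wrong tenant"
    # 3. Audience: a token minted for another app must not be accepted here.
    if claims.get("aud") != client_id:
        return False, "wrong audience"
    # 4. Lifetime, with bounded clock skew.
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + CLOCK_SKEW:
        return False, "expired"
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        return False, "not yet valid"
    # 5. Optional: insist the session was MFA-authenticated (amr claim, assumed present).
    if require_mfa and "mfa" not in claims.get("amr", []):
        return False, "mfa not performed"
    return True, claims


if __name__ == "__main__":
    key = b"shared-demo-key"   # constructed; stands in for the IdP's signing key
    claims = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "tid": TENANT_ID,
              "aud": CLIENT_ID, "nbf": 1_700_000_000, "exp": 1_700_003_600, "amr": ["pwd"]}
    print(validate_token(issue_token(claims, key), key, now=1_700_001_000))
    print(validate_token(forge_unsigned_token(claims), key, now=1_700_001_000))
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so nothing in an unverified payload can influence the outcome.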
Azure AD Multi-Factor Authentication
Multifactor authentication (MFA) is the process of prompting a user for an extra form (or factor) of
identification during the sign-in process. MFA helps protect against password compromise: an attacker who has
obtained the password but not the second factor still fails the sign-in.
Think about how you sign into websites, email, or online services. After entering your username and password, have
you ever needed to enter a code that was sent to your phone? If so, you've used multifactor authentication to sign in.
Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities.
Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in,
such as a phone call or mobile app notification.
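One common form of the code mentioned above is the time-based one-time password (TOTP, RFC 6238) generated by an authenticator app or an OATH hardware token, both of which Azure AD MFA supports as verification methods. The Python below is an added example, not Microsoft's or Authenticator's code: it implements HOTP/TOTP from the RFCs, verifies a submitted code with a one-step window for clock drift, and refuses to accept a code for a time step that has already been used, which is the replay protection a real verifier needs. The secret used in the usage is the RFC 6238 test key, so the expected codes are the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by authenticator apps
DRIFT_WINDOW = 1    # accept the previous and next step to tolerate clock drift


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps enrol a Base32 secret (the form used in otpauth:// URIs)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits)


class TotpVerifier:
    """Server side of the second factor: one verifier per enrolled secret."""

    def __init__(self, secret: bytes, window: int = DRIFT_WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest time step already consumed by a successful check

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        t = time.time() if at is None else at
        current = int(t // STEP_SECONDS)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue   # replay: this step, or an earlier one, was already accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test key ("12345678901234567890") in the Base32 form an app would enrol.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(secret, at=59))
    verifier = TotpVerifier(secret)
    print("first use:", verifier.verify(totp(secret, at=59), at=59))
    print("replay:", verifier.verify(totp(secret, at=59), at=59))
```

Two details carry the security weight here: the comparison is constant-time, and a code is only ever accepted for a time step newer than the last one consumed, so an intercepted code cannot be reused inside the drift window.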
Azure external identities
An external identity is a person, device, service, etc. that is outside your organization. Azure AD External Identities
refers to all the ways you can securely interact with users outside of your organization. If you want to collaborate
with partners, distributors, suppliers, or vendors, you can share your resources and define how your internal users
can access external organizations. If you're a developer creating consumer-facing apps, you can manage your
customers' identity experiences.
External identities may sound similar to single sign-on. With External Identities, external users can "bring their
own identities".
● Business to business (B2B) collaboration - Collaborate with external users by letting them use their preferred
identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed
apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.
● B2B direct connect - Establish a mutual, two-way trust with another Azure AD organization for seamless
collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your
resources from within their home instances of Teams. B2B direct connect users aren't represented in your directory,
but they're visible from within the Teams shared channel and can be monitored in Teams admin center reports.
● Azure AD business to customer (B2C) - Publish modern SaaS apps or custom-developed apps
(excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access
management.
● Depending on how you want to interact with external organizations and the types of resources you need to
share, you can use a combination of these capabilities.
● With Azure Active Directory (Azure AD), you can easily enable collaboration across organizational
boundaries by using the Azure AD B2B feature. Guest users from other tenants can be invited by
administrators or by other users. This capability also applies to social identities such as Microsoft accounts.