In this post, I am going to share some quick tips, Q&As and useful links from Day 1 of the training for our recently launched batch of Microsoft Azure Solutions Architect (AZ-305), a course that includes 25+ hands-on AZ-305 labs.
On our Day 1 Live Session, we covered Design Authentication and Authorization Solutions.
Azure Active Directory, Azure AD Concepts, Azure AD comparison with Active Directory, Azure AD registered devices, Azure AD Connect, Azure Identity Protection, Conditional Access, Multi-Factor Authentication (MFA), Tenant, Azure Subscription, Getting An Azure Subscription, Password hash synchronization (PHS), Pass-through Authentication (PTA), Active Directory Federation Services (AD FS).
We also covered hands-on Lab 2 out of our 25+ extensive labs(AZ-305).
So, here are some of the Q&As asked during the live session on Module 1: Design Authentication and Authorization Solutions.
Azure Active Directory
Azure Active Directory is a Microsoft cloud-based identity and access management service, which helps your employees sign in and access resources in:
- External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Check More on: Azure Active Directory.
Azure AD Concepts
Identity: Anything that can be authenticated. It can be a user with a username & password, applications, or other services that require authentication.
Account: An identity with data associated with it.
Azure AD Account: Identity created using Azure AD or other Microsoft cloud services.
Azure Tenant: An Instance of Azure AD created when an organization signs up for a Microsoft Cloud service subscription.
Azure AD Directory: Each Azure Tenant has a dedicated and trusted Azure AD Directory.
Users: Azure AD defines users in three ways:
- Cloud identities: These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself.
- Directory-synchronized identities: These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users into Azure.
- Guest users: These users' identities live outside your tenant, in another Azure AD tenant or an external identity provider, and are invited in through Azure AD B2B collaboration. This type of account is appropriate when external vendors or contractors need access to your Azure resources.
Groups: An Azure AD group is a collection of users. It lets a resource owner assign a set of access permissions to all members of the group at once instead of granting rights one user at a time.
Subscription: The billing unit used to pay for the Azure cloud services you consume.
Q1: What is a Tenant in Azure Active Directory?
Ans: A tenant represents an organization in Azure Active Directory. It’s a dedicated Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants.
Q2: Can Azure AD be used with AWS?
Ans: Yes, you can use it with AWS or any other cloud provider. Azure AD is an identity provider; any application or platform that can talk to it over OpenID Connect, OAuth 2.0 or SAML can use it as its authentication provider.
We also have Azure Active Directory single sign-on (SSO) integration with AWS Single-Account Access.
Q3: What is the pricing for Azure Active Directory?
Ans: Azure Active Directory comes in four editions: Free, Office 365 apps, Premium P1, and Premium P2. The Free edition is included with a subscription to a commercial online service such as Azure, Dynamics 365, Intune or Power Platform. The other three editions add features (for example Conditional Access in P1 and Identity Protection and Privileged Identity Management in P2) and are priced separately, per user per month.
Azure AD comparison with Active Directory
Azure Active Directory is a cloud-based identity solution that helps you manage users and applications, whereas Active Directory manages objects, such as devices and users, on your on-premises network.
Check more on: Azure AD vs Active Directory
Q4: How is Active Directory different from Azure AD? Can you specify the key differences?
Answer: Key differences between Active Directory and Azure AD:
- Structure: Active Directory is a hierarchical directory (forests, domains, organizational units) managed with Group Policy; Azure AD is a flat, tenant-scoped directory with no OUs or GPOs, and device settings come from Intune and Conditional Access instead.
- Query protocol: Active Directory is queried with LDAP (Lightweight Directory Access Protocol); Azure AD is managed through REST APIs over HTTPS (Microsoft Graph) and does not expose LDAP itself (Azure AD Domain Services does, as a separate managed service).
- Authentication: on-premises AD uses Kerberos and NTLM; Azure AD uses OAuth 2.0, OpenID Connect and SAML and issues tokens rather than Kerberos tickets.
- Trust: AD relies on domain and forest trusts; Azure AD uses federation and B2B collaboration to work across tenants.
Q5: Can Azure AD be integrated with another authentication protocol like OAuth?
Ans: OAuth is a protocol rather than a provider, so the question is really whether Azure AD speaks it, and the answer is yes. Azure AD acts as an OAuth 2.0 authorization server and supports the standard flows: authorization code (with PKCE), client credentials, on-behalf-of and device code, plus the implicit and resource owner password credentials flows, which Microsoft now discourages. OpenID Connect (OIDC) is the authentication layer built on top of OAuth 2.0 (OAuth 2.0 on its own is only an authorization framework), and Azure AD is an OIDC provider as well. Note that OAuth 2.0 is not backward compatible with OAuth 1.0, so OAuth 1.0 clients cannot integrate directly. For the reverse direction, Azure AD can also federate with an external identity provider over SAML or WS-Federation.
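The flow most applications should use against Azure AD is the OAuth 2.0 authorization code flow with PKCE and OpenID Connect scopes. The following is an added example, not code from the original post or from Microsoft: it generates the PKCE verifier and challenge (RFC 7636), builds the authorize URL against the real `login.microsoftonline.com` v2.0 endpoint paths, validates the redirect and prepares the token request. The tenant, client id and redirect URI are placeholders you would replace with your own app registration; nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumptions): replace with your tenant and app registration values.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/callback"
# Real Azure AD v2.0 endpoint layout.
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
SCOPES = ("openid", "profile", "User.Read")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge from RFC 7636: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 length range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, state: str, nonce: str) -> str:
    """URL the browser is sent to. state and nonce must be stored in the user's session."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",           # authorization code flow, not implicit
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),          # openid makes this an OIDC request (id_token issued)
        "state": state,                     # checked on return to stop login CSRF
        "nonce": nonce,                     # echoed in the id_token to stop token replay
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def check_callback(expected_state: str, callback_url: str) -> str:
    """Validate the redirect back to REDIRECT_URI and return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response was not started by this session")
    if "error" in qs:
        raise ValueError(f"authorization error: {qs['error'][0]}")
    return qs["code"][0]


def token_request(code: str, verifier: str) -> dict:
    """Form body to POST to AUTHORITY + '/token'. The verifier proves this client began the flow,
    so a public client needs no client secret; a confidential client adds client_secret or a
    client assertion."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(SCOPES),
    }


if __name__ == "__main__":
    verifier, state, nonce = new_verifier(), secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(verifier, state, nonce))
    # Constructed callback, as the browser would return it after the user signs in:
    code = check_callback(state, f"{REDIRECT_URI}?code=0.AXYZ...&state={state}")
    print(token_request(code, verifier))
```

After the token endpoint responds, validate the id_token (signature against the tenant's JWKS, `iss`, `aud`, `exp`, `tid` and the `nonce` you sent) before trusting any claim in it; MSAL does all of this for you, and the block above is meant to show what is happening underneath rather than to replace it.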
Azure AD registered devices
Azure AD registered devices are typically personally owned (BYOD) devices. The user signs in to the device with a local account or a personal Microsoft account, then registers the device with Azure AD when adding a work or school account. Registration gives the device an identity in Azure AD, so Conditional Access can require a registered or compliant device for access to organizational resources, but the device is not joined to a domain and is not governed by Group Policy.
Azure AD Join
Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory while keeping your users productive and secure. Azure AD join is enterprise-ready for both at-scale and scoped deployments.
Azure AD joined devices can still maintain single sign-on access to on-premises resources when they are on the organization’s network.
Check more on Azure AD Join.
Q6: Can a disabled or deleted user sign in to an Azure AD joined device?
Ans: Yes, but only for a limited time. Deleting or disabling a user in Azure AD is not immediately known to the Windows device, so a user who signed in previously can still unlock the desktop with cached credentials. That cached session does not get them new tokens, though: once the device contacts Azure AD, access is revoked, and attempts to reach cloud resources fail as soon as the user's existing tokens expire. If the device itself must be locked out immediately, also retire or wipe it through Intune, or delete it from Azure AD, rather than relying on the user disable alone.
Azure AD Connect
It is used to integrate on-premises directories (Active Directory) with Azure Active Directory, providing a common identity for accessing both cloud and on-premises resources.
Azure AD Connect provides these features:
- Password hash synchronization.
- Pass-through authentication.
- Federation integration (with AD FS).
- Synchronization of users, groups and other objects.
- Health monitoring (Azure AD Connect Health).
Q7: Does Azure AD Connect support syncing from two domains to an Azure AD?
Ans: Yes. Azure AD Connect can synchronize multiple domains from one forest, and multiple forests, into a single Azure AD tenant, and multi-domain federation is also supported when AD FS is used. Each user must still map to a single object in Azure AD, so make sure the source anchor and UPN suffixes are unique across the domains you sync.
Azure Identity Protection
Azure Active Directory (Azure AD) Identity Protection helps keep you informed of suspicious users and sign-in behaviour in your environment. It uses the signals Microsoft gathers from its position in organizations with Azure AD, in the consumer space with Microsoft accounts, and in gaming with Xbox to detect risk and protect your users.
Q8: What is a risky user?
Ans: Identity Protection calculates two kinds of risk. Sign-in risk is the probability that a particular authentication request was not made by the identity's owner (for example a sign-in from an anonymous IP, impossible travel, or unfamiliar sign-in properties). User risk is the probability that the identity itself is compromised; it is built up over time from risk detections such as leaked credentials found in a breach dump or anomalous user activity. A risky user is one whose user risk level is low, medium or high. Both signals can be used in Conditional Access, for example to require MFA for risky sign-ins and a secure password change for risky users.
Q9: Which licensing plan supports Identity Protection?
Ans: You need Azure Active Directory Premium P2 to use Identity Protection.
Conditional Access
Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the identity-driven control plane. Conditional Access policies, at their simplest, are if-then statements: if a user wants to access a resource, then they must complete an action, such as satisfying MFA or using a compliant device.
Q10: Are Conditional Access policies enforced for B2B collaboration and guest users?
Ans: Policies are enforced for business-to-business (B2B) collaboration users. However, in some cases, a user might not be able to satisfy the policy requirements.
For example, a guest user’s organization might not support multi-factor authentication.
Multi-Factor Authentication(MFA)
Azure AD Multi-Factor Authentication (MFA) requires a user to present a second factor (something they have or something they are) in addition to their password, so a stolen or guessed password alone is not enough to sign in. Supported methods include the Microsoft Authenticator app (push notification or one-time code), FIDO2 security keys, Windows Hello for Business (which uses biometrics such as a fingerprint or face to unlock a device-bound key), OATH hardware and software tokens, and SMS or voice calls to a registered phone number. The methods are not equally strong: SMS and voice are exposed to SIM swapping and interception, and any method that ends in approving a prompt or typing a code can be relayed by a real-time phishing proxy. FIDO2 keys, Windows Hello for Business and certificate-based authentication are phishing-resistant because the credential is bound to the site's origin. MFA raises the bar considerably but does not guarantee account security on its own; pair it with Conditional Access and Identity Protection.
Check More on Azure MFA.
Q11: Is there a free version of Azure AD Multi-Factor Authentication?
Ans: Security defaults can be enabled in the Azure AD Free tier. With security defaults, all users are enabled for multi-factor authentication using the Microsoft Authenticator app. There’s no ability to use text message or phone verification with security defaults, just the Microsoft Authenticator app.
Tenant
Azure AD is Microsoft's cloud-based identity and access management service that provides authentication and authorization services for Azure resources. When you sign up for a Microsoft cloud service such as Azure or Microsoft 365, a tenant is created for you, and every Azure subscription trusts exactly one tenant. It acts as a dedicated and isolated instance of Azure AD for your organization. Think of it as a distinct directory or identity store that contains information about users, groups, applications, and other resources associated with your Azure environment.
Azure Subscription
Azure Subscriptions are a logical unit of Azure services that are linked to an Azure account. In order to take advantage of Azure’s cloud-based services, you must have a subscription as it serves as a single billing unit for Azure resources used in that account.
- An Azure subscription trusts exactly one Azure AD tenant for authentication and is tied to one billing account. Within the subscription, resources are provisioned as instances of the many Azure products and services.
- You can have more than one subscription, often for billing or isolation purposes, since each subscription generates its own billing reports and invoices and is its own scope for Azure RBAC and Azure Policy.
- The person who creates a subscription becomes its Account Administrator for billing and is assigned the Owner role on it in Azure RBAC, which gives full control over everything inside it. This is separate from the Global Administrator role, which is an Azure AD directory role and does not by itself grant access to subscription resources. Separate subscriptions are therefore also a way to divide responsibility and limit blast radius.
Getting An Azure Subscription
Azure Subscriptions can be obtained from Microsoft in a variety of ways:
- Enterprise Agreement: Enterprise customers can make a bulk purchase of subscriptions with an upfront monetary commitment and consume services throughout the year.
- Resellers: Provide a simple, flexible way for medium to large businesses to purchase Azure cloud services.
- Partners: They can design and implement your Azure cloud solution for you.
- Personal Free Account: This is the type of account used by most individuals. Microsoft provides free credits for a limited time so that companies and individuals can try out the services.
Azure Subscriptions Types
Microsoft offers different types of subscriptions tailored to fulfill all types of requirements.
- Free: Created with an email account and a credit card. It includes a $200 credit for the first 30 days and limited free quantities of popular services for 12 months, provided you upgrade to pay-as-you-go after the 30 days.
- Pay-As-You-Go: Generates a monthly charge based on the cloud resources consumed.
- Enterprise: A single Enterprise Agreement covers bulk purchases of subscriptions, with discounts on new licenses and Software Assurance, targeted at enterprise-scale organisations.
- Student: Includes $100 of credit for 12 months and can be activated without a credit card, but student verification is required.
Password hash synchronization (PHS)
It is a feature in Azure Active Directory (Azure AD) that allows the synchronization of user password hashes from an on-premises Active Directory (AD) environment to Azure AD. It is one of the methods available for user authentication and sign-in in a hybrid identity scenario. When password hash synchronization is enabled, the password hashes of on-premises AD user accounts are securely synchronized to Azure AD.
This synchronization occurs in a one-way direction, meaning that the password hashes are replicated from the on-premises environment to Azure AD and not the other way around. The primary purpose of password hash synchronization is to enable users to sign in to cloud-based services, such as Microsoft 365 or Azure services, using their on-premises AD passwords. By synchronizing the password hashes, users can authenticate against Azure AD without the need to maintain separate passwords or implement federation.
Here’s an overview of how password hash synchronization works:
Azure AD Connect: To enable password hash synchronization, you need to install and configure Azure AD Connect on a server in your on-premises environment. Azure AD Connect is a tool that integrates on-premises AD with Azure AD and handles the synchronization process.
Password Hash Sync: Every two minutes, Azure AD Connect retrieves the NT hash (an MD4 hash of the UTF-16 password) for changed accounts from a domain controller using the directory replication protocol, the same mechanism domain controllers use among themselves; the cleartext password never leaves AD. Before sending anything, it re-hashes the NT hash with a per-user 10-byte salt and 1,000 iterations of PBKDF2 with HMAC-SHA256, and transmits that result together with the salt to Azure AD over TLS.
Sign-in and Authentication: When a user signs in, Azure AD runs the entered password through the same MD4 and PBKDF2 steps with the stored salt and compares the result with the stored value. Azure AD therefore validates the password without ever holding the original NT hash, and the value it stores is useless for pass-the-hash against on-premises AD. The on-premises account lockout state and password expiration policy are not synchronized, so configure Azure AD Smart Lockout and Password Protection for the cloud side separately.
Q12. Can we secure the password hash sync traffic when we use the agent to sync users and hashes?
Ans. Yes, and you do not have to turn anything on. The hashes are protected before they leave your network: Azure AD Connect never sends the NT hash itself but a salted PBKDF2-SHA256 derivation of it, and the connection to Azure AD is outbound HTTPS protected by TLS. What you are responsible for is the Azure AD Connect server itself: its AD service account holds directory replication rights, so anyone who controls that server can pull every password hash in the domain, exactly as a DCSync attack does. Treat it as a Tier 0 asset like a domain controller, keep it off internet-facing networks, restrict local administrators, and alert on replication requests coming from anything other than a domain controller or that server.
Q13. For example, if I want to move on-prem AD and a file server (to an Azure file share) with all user permissions applied on the file shares, what is the right solution among these? In future the on-prem file server and AD need to be removed.
Ans. The right solution would be to set up Azure Active Directory Domain Services (Azure AD DS) and Azure File Sync.
1. Azure AD DS: Create an Azure AD DS managed domain to replace your on-premises Active Directory. Azure AD DS provides domain services in the cloud (Kerberos and NTLM authentication, LDAP, Group Policy) and is populated one way from Azure AD. Because it needs legacy NTLM and Kerberos password hashes, users synchronized from on-premises AD must already be using password hash synchronization, and cloud-only users must change their password once before they can sign in to the managed domain.
2. Azure File Sync: Install the Azure File Sync agent on your on-premises file server and sync the shares to an Azure file share. The NTFS ACLs on files and folders are preserved during synchronization. Then enable identity-based authentication on the storage account with Azure AD DS as the source, so that those ACLs are actually enforced for SMB access to the Azure file share.
Once everything is migrated and tested, you can decommission the on-premises file server and Active Directory, because the permissions are carried on the Azure file share and enforced through Azure AD DS.
Pass-through Authentication (PTA)
It is a feature in Azure Active Directory (Azure AD) that allows users to sign in to Azure AD-integrated services using their on-premises Active Directory (AD) passwords. Passwords are validated directly against on-premises AD at sign-in time, so no password hashes are synchronized to the cloud and no federation infrastructure is needed.
Here’s an overview of how pass-through authentication works:
Azure AD Connect: Pass-through authentication is selected as the sign-in method in Azure AD Connect, which also installs the first authentication agent on the Azure AD Connect server.
Agent Installation: Lightweight Pass-through Authentication agents run on on-premises Windows servers and make only outbound HTTPS connections to Azure AD, so no inbound firewall ports are needed. Install at least three agents on separate servers for high availability, and protect those servers like domain controllers, because they handle users' cleartext passwords.
User Sign-in: When a user signs in to an Azure AD-integrated service, such as Microsoft 365 or Azure, Azure AD encrypts the username and password with the agents' public key and places the request in a queue.
Password Validation: An agent picks up the request over its outbound connection, decrypts the password with its private key and validates it against a domain controller with the standard Windows logon API; the password is not stored by the agent or by Azure AD.
Sign-in Response: The agent returns the result to Azure AD: success, or an error such as wrong password, account locked out, disabled, or password expired.
Access Granted: Azure AD evaluates Conditional Access and MFA as usual and, if everything passes, issues the tokens that let the user sign in to the requested service.
Q14. What is AD Connect cloud sync? How is it different from Azure AD Connect sync?
Ans. Azure AD Connect cloud sync uses a lightweight provisioning agent installed on-premises, while the sync configuration, scheduling and rules are held and managed in Azure AD; several agents can be installed for high availability, and disconnected forests can be synchronized into the same tenant. Azure AD Connect sync is the full-featured on-premises server application that holds the configuration and the sync engine locally. Cloud sync does not yet cover every scenario: it does not support Pass-through Authentication, device object synchronization, or groups with more than 50,000 members. The two can coexist, with cloud sync scoped to the forests or OUs it handles.
Active Directory Federation Services (AD FS)
It is a feature in the Windows Server operating system that provides a solution for implementing Single Sign-On (SSO) and identity federation. AD FS allows users to access multiple applications and services across different security boundaries using a single set of credentials.
Here are the key components and concepts related to Active Directory Federation Services (AD FS):
1. Claims-based Authentication: AD FS is based on a claims-based authentication model, where authentication and authorization decisions are made based on the claims or attributes associated with a user’s identity. Claims represent pieces of information about a user, such as their name, email address, group membership, or role.
2. Identity Federation: AD FS enables identity federation between an organization’s Active Directory and external identity providers, such as other organizations or cloud-based identity services. Federation allows users to authenticate with their home organization and access resources in partner organizations without the need for separate user accounts.
3. Security Token Service (STS): AD FS includes a Security Token Service component, which issues and validates security tokens during the authentication process. Security tokens contain claims about the user’s identity and are used to establish trust and exchange authentication information between participating parties.
4. Claims Provider Trust: AD FS establishes trust relationships with external identity providers through claims provider trusts.
5. Relying Party Trust: AD FS also establishes trust relationships with applications and services that consume the federated identities. These trust relationships, known as relying party trusts, enable the secure exchange of claims and facilitate Single Sign-On for users accessing the applications.
6. Federation Metadata: AD FS uses federation metadata, an XML-based file that contains information about the federation server, claims providers, and relying party trusts. Federation metadata simplifies the configuration and establishment of trust relationships by providing a standardized way to exchange metadata between participating parties.
By implementing AD FS, organizations can achieve seamless SSO across a variety of applications and services, both within their own infrastructure and with external partners. It enables users to access resources with a single set of credentials and simplifies identity management and authentication processes.
Quiz Time (Sample Exam Questions)!
With our Microsoft Azure Solutions Architect training program, we cover 220+ [AZ-305] sample exam questions to help you prepare for the certification AZ-305.
Note: Download the 25 Sample Exam Questions of Microsoft Azure Solutions Architect.
Check out one of the questions and see if you can crack this…
Ques: What is a tenant in Azure AD?
A. A Tenant represents an entire organization.
B. A Tenant represents a user in an organization.
C. A Tenant represents a geographic location in an organization.
The right answer will be revealed in my next week’s blog.
Feedback
We are always working to improve on the previous session, so we constantly ask our attendees for feedback.
Here's the feedback that we received from trainees who attended the session…
Related/References
- Azure Firewall vs Azure Network Security Group
- Introduction to ARM Templates: Learn, Create and Deploy in Azure
- Top 10 Best Practices for Azure Security in 2021
- Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design
- Exam AZ-305: Azure Solutions Architect Expert Certification
Next Task For You
Begin your journey toward Mastering Azure Cloud and landing high-paying jobs. Just click on the register now button on the below image to register for a Free Class on Mastering Azure Cloud: How to Build In-Demand Skills and Land High-Paying Jobs. This class will help you understand better, so you can choose the right career path and get a higher paying job.