Authentication Commonly Used
Authorization: Proving who I am.
Authentication: What I am allowed to do.
OAuth2: Idea of consent: I want to give this particular application or service to act on my behalf in a certain scope.
In cloud authentication and authorization is quite often merged because in the cloud authorization is often used as a pseudo authentication i.e. if I have been authorized to do something, I can assume that I have been authenticated.
For example Oauth2 , the most common type of authentication used by Azure AD is strictly authorization, not authentication: a owner of a recourse (a user,) gives consent to some client service (an application), to access some resources he owns ( a scope) and perform certain actions on his behalf. The service actually got authorization to delegate as that user, but we can assume that because the service got this authorization, it must have been authenticated.
OpenID Connect: Sits on top of OAuth2 and is there strictly to provide authentication: to prove the user is who he says he is. It uses a JWT token
SAML/WS-FED: WS-Fed is more Microsoft-specific. SAML is an open-based standard for exchanging authentication and authorization data between parties. SAML is what we are commonly going to use with Federation. If we are using ADFS, behind the scenes we’re using SAML as the format for the assertions we are using, the claims about the user
Utilize MFA when possible
Azure Active Directory Service
Its called Active Directory but is not Active Directory. It is an identity provider geared towards the cloud
Azure AD Domain Services: Enables limited machine membership and policy application for Azure services where legacy authentication protocol (Kerbros, NTLM, maybe bind with LDAP or ADSI) and binding support is required.
However regular AAD is not speaking legacy protocols like Kerbros, which is simply not a good fit for internet based service where communication is generally limited to HTTPS.
Azure AD ad min center : https://aad.portal.azure.com
Azure Shell: https://shell.azure.com
- Azure AD Roles: for controlling access to cloud applications that trust ad (SharePoint, Skype, Intune etc.) Accessed through Active Directory/Roles & Administrators
- Resource Manager Roles: for controlling access to Azure resources. Accessed through Subscriptions/Access Control/Roles. Role permissions are based on “Resource Providers”. A role might have a number of Resource Providers (e.g. Microsoft Compute, Microsoft Storage etc). Roles are applied to a scope: Management Groups, Subscription, RG, Resource etc.
Note: with synchronization, Azure AD contains passwords, synchronized from on-prem AD. However in pass-through, passwords remain on-prem and Azure AD has no passwords. On login, on-prem AD is asked to authenticate credentials.
Azure AD Connect with Pass Through gives similar results as Federation, with much simple setup.
Azure AD Connect Health
Azure AD Connect Health is an Azure AD Premium feature (Connect is available in Free and Basic, but Health requires Premium) that will monitor on-premises AD DS identities and provide alerts. This requires an agent on each server being monitored.
A tenant is simply a dedicated instance of Azure AD that your organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365. For example, contosogold.onmicrosoft.com, is a tenant.
A tenant houses the users in a company and the information about them - their passwords, user profile data, permissions, and so on. It also contains groups, applications, and other information pertaining to an organization and its security.
You can have multiple tenants within your organization. Each tenant can have a different purpose and fulfill a different scenario. For example, you might have tenant for Testing, Office365, and Production.
Can you think of reasons why you might want different tenants?
- Isolation. Each tenant is isolated with different policies, users, groups, and roles.
- Resources. Each tenant can have different resources specific for their functionality.
- Administration. Each tenant can have different administrator roles.
- Synchronization. Each tenant can implement synchronization in a different way.
To use a tenant, it must be associated with a subscription. The basic steps are: create a directory, create an admin for the directory, and then have the admin associate the directory with a subscription. Each directory must have at least one subscription.
Tenant vs Subscription
A subscription is a credit card definition: the entity that pays for using Azure resources. A Tenant is an instance of Azure Active directory
Guest users are user added to Azure AD from a third party like Microsoft or Google.