Roundup on Microsoft Azure Active Directory (Hybrid, SSO, MFA, Self-Service, SaaS Apps)

Microsoft Azure Active Directory has made many setup and administrative tasks much simpler for IT admins. Azure Active Directory is multi-tenant and geo-distributed, which makes it highly available.

Some benefits are

  1. Easy integration of a single sign-on experience with various types of applications, including SaaS app access management
    1. SSO is facilitated via SAML, WS-Federation and OpenID Connect
  2. Improved and easy-to-use self-service access management
  3. Monitor usage, audit activity and protect your business from advanced threats
  4. Secure mobile access to on-premises environments
  5. Makes cross-business integration easier.
  6. Multi-factor authentication capability on a per-user/per-application basis.

Azure Active Directory is available in three editions

  1. AAD Basic
    1. Can manage users, groups and self-service identity management
    2. Azure Active Directory Application Proxy (for on-premises web-based applications)
    3. Company branding
    4. 99.9% uptime SLA
  2. AAD Premium P1
    1. Can manage hybrid users so they access applications seamlessly
    2. Can manage hybrid users and dynamic groups
    3. Connect Health
    4. Automatic password rollover for group accounts
    5. MFA
    6. Enables cloud write-back for self-service identity management to on-premises Active Directory
  3. AAD Premium P2
    1. Advanced Identity Protection and Privileged Identity Management
    2. Risk-based conditional access to company data
    3. You can discover, restrict and monitor administrators and their resources, then provide JIT access when needed.

Different ways you can configure SSO with Azure Active Directory

  1. Azure AD Single-Sign On
    1. Users will only see the applications they have been granted access to
    2. They are redirected to the application and automatically signed in
  2. Password-based SSO without identity provisioning
    1. All users in the directory can see every application that has been configured in this mode
    2. When users click the application tile, they are prompted to install the SSO plugin and provide a username/password; after that they are automatically signed in to the application
    3. If a user's credentials change, they have to update the stored credentials to keep access to the application
  3. Password-based SSO with identity provisioning
    1. When the user clicks the application tile, they are prompted to install the SSO plugin; after a browser restart it automatically signs users in.
  4. Existing SSO solutions
    1. This simply creates a link in the application Access Panel to the existing third-party SSO application
    2. If an application is already configured with ADFS 2.0 or any other SSO solution, this simply lets users keep using the same model.

Access Panel

Access Panel is a web-based portal that allows users to view all the applications they have been granted access to by the administrator. Access Panel does not require an Azure subscription (the two are completely separate).

Different ways you can start integrating SaaS applications.

Note: To set up SSO for an existing application, you need to have global administrator rights in both Azure AD and the SaaS application.

  1. Apps available from the gallery – follow the simple steps presented on screen.
  2. Custom apps – the application should support SAML 2.0, or have an HTML-based sign-in page so it can be set up as a password SSO app

Different Types of Authentication of Users

  1. WS-Federation (signing certificates to establish trust relationships)
  2. SAML 2.0 (signing certificates to establish trust relationships)
  3. OpenID Connect Protocols (signing certificates to establish trust relationships)
  4. Simple password/forms-based sign-in (uses 'password vaulting' to establish trust relationships)

Authorization enables users to access the application once their account has been provisioned.

Multi-Factor Authentication Server – there are two ways to set it up: one is to manage auth providers directly, the other is via Service Settings.

Use Service Settings if you already have an account with an MFA-capable licence, such as Azure AD Premium. Otherwise you need to use option 1.

The three states of MFA for a user are Enabled, Enforced and Disabled.

Graph API

It can be used with line-of-business applications, which are single-tenant, and with SaaS applications, which are multi-tenant.

Common Operations are

  1. Creating new users in the Azure Active Directory
  2. Get detailed user properties
  3. Update user Properties
  4. Query user group membership for RBAC
  5. Disable a user's account and delete it

Features are

  1. REST API endpoints (support XML or JSON objects)
  2. Authentication with AAD (JSON Web Token in the Authorization header)
  3. RBAC (security groups are used to perform RBAC)
  4. Differential query (identify changes between two points in time)
  5. Secured by permission scopes
  6. Directory extensions
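As an added example (not code from the original post), here is how a line-of-business API might consume the JSON Web Token that AAD places in the Authorization header (item 2 above) and apply security-group RBAC from the token's groups claim (item 3). The issuer URL, audience and group id are placeholders, and the token is signed with a local HS256 secret purely so the example runs offline; AAD itself signs tokens with RS256 keys that a production API must fetch from the tenant's metadata and verify against.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example. A real AAD token carries the tenant's
# issuer URL and your app's ID URI; ADMIN_GROUP stands in for a group object id.
ISSUER = "https://sts.windows.net/<tenant-id-placeholder>/"
AUDIENCE = "api://example-lob-app"
ADMIN_GROUP = "group-id-placeholder-admins"
SECRET = b"demo-shared-secret"  # HS256 stand-in for AAD's RS256 signing keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Mint a sample HS256 JWT (constructed here; only AAD mints real ones)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_bearer(authorization: str, now=None) -> dict:
    """Check an 'Authorization: Bearer <jwt>' header value and return its claims.
    Raises ValueError on any failure, which the API should turn into a 401."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    h64, b64, s64 = token.split(".")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and alg confusion
    expected = hmac.new(SECRET, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")  # checked before trusting any claim
    claims = json.loads(_b64url_decode(b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")  # minted for someone else
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    return claims

def is_admin(claims: dict) -> bool:
    """RBAC on the 'groups' claim: the caller is in the admin security group."""
    return ADMIN_GROUP in claims.get("groups", [])
```

The signature, issuer, audience and validity window are all checked before any claim is used for authorization, so a token minted for a different application or a forged groups list is rejected rather than granting access.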

Two types of Azure Active Directory are

  1. AAD B2C – identity and access management solution for consumer-facing solutions and applications
  2. AAD B2B – enables collaboration capabilities for working closely with any partner in the world. It helps bring two different organisations closer so they can work seamlessly together

Note: Images are sourced from the Microsoft website
