Removed some trailing spaces.
This commit is contained in:
timahenning
Родитель
e711df9551
Коммит
1964c5f58c
|
|
@ -12,7 +12,6 @@ Before the hands-on lab setup guide
|
|||
[May 2022]
|
||||
</div>
|
||||
|
||||
|
||||
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
|
||||
|
||||
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
|
||||
|
|
@ -56,13 +55,13 @@ Microsoft and the trademarks listed at <https://www.microsoft.com/en-us/legal/in
|
|||
|
||||
Timeframe: 150 minutes
|
||||
|
||||
### Task 1: Review the relevant Microsoft documentation
|
||||
### Task 1: Review the relevant Microsoft documentation
|
||||
|
||||
1. Review online documentation regarding Azure Active Directory at <https://docs.microsoft.com/en-us/azure/active-directory/> focusing on its integration with Active Directory and its B2B capabilities.
|
||||
|
||||
### Task 2: Validate the role in the Azure subscription
|
||||
|
||||
1. Log in to the Azure portal at <http://portal.azure.com>, select **All services**. Then search for and select **Subscriptions**.
|
||||
1. Log in to the Azure portal at <http://portal.azure.com>, and select **All services**. Then search for and select **Subscriptions**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -152,7 +151,7 @@ Timeframe: 150 minutes
|
|||
Invoke-Command -ComputerName $vmNames {Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 00000000}
|
||||
```
|
||||
|
||||
> **Note:** To run multiple PowerShell scripts in the same file, you can highlight a specific portion of the script and select **Run Selection** next to the green play button.
|
||||
> **Note:** To run multiple PowerShell scripts in the same file, you can highlight a specific portion of the script and select **Run Selection** next to the green play button.
|
||||
|
||||
|
||||
|
||||
|
|
@ -254,17 +253,17 @@ Timeframe: 150 minutes
|
|||
|
||||
|
||||
|
||||
11. Within the Remote Desktop session to **DC1**, start File Explorer, navigate to the folder where you downloaded both files, right-click on the file **CreateDemoUsers.ps1**, select **Properties**, in the **CreateDemoUsers.ps1 Properties** dialog box, check the **Unblock** checkbox and select **OK**.
|
||||
11. Within the Remote Desktop session to **DC1**, start File Explorer, navigate to the folder where you downloaded both files, right-click on the file **CreateDemoUsers.ps1**, select **Properties**, in the **CreateDemoUsers.ps1 Properties** dialog box, check the **Unblock** checkbox, and select **OK**.
|
||||
|
||||
12. Within the File Explorer window, right-click on the file **CreateDemoUsers.ps1** again and select **Open with Code**.
|
||||
|
||||
13. Close the **Get Started** tab in Visual Studio Code and then click to install the PowerShell extension.
|
||||
|
||||
|
||||
|
||||
|
||||
14. In the resulting popup window, select **Trust Workspace & Install**
|
||||
14. In the resulting pop-up window, select **Trust Workspace & Install**
|
||||
|
||||
|
||||
|
||||
|
||||
15. In the **Visual Studio Code** window, change line **148** from:
|
||||
|
||||
|
|
@ -278,7 +277,7 @@ Timeframe: 150 minutes
|
|||
$UserCount = 2500 #Up to 2500 can be created
|
||||
```
|
||||
|
||||
16. In **Visual Studio Code**, save the change. Then, in **Windows PowerShell**, run the **CreateDemoUsers.ps1** script to create a lab environment organizational unit hierarchy and populate it with test user accounts.
|
||||
16. In **Visual Studio Code**, save the change. Then, in **Windows PowerShell**, run the **CreateDemoUsers.ps1** script to create a lab environment organizational unit hierarchy, and populate it with test user accounts.
|
||||
|
||||
17. Within the **Windows PowerShell** window, run the following script to modify the settings of the AD user accounts you will use in this lab:
|
||||
|
||||
|
|
@ -302,7 +301,7 @@ Timeframe: 150 minutes
|
|||
Get-ADGroup -Identity 'Enterprise Admins' | Add-ADGroupMember -Members 'CN=Ayers\, Ann,OU=NJ,OU=US,OU=Users,OU=Demo Accounts,DC=corp,DC=contoso,DC=com'
|
||||
```
|
||||
|
||||
18. Within the **Windows PowerShell** window, add the following script to the script pane, and run it to create additional organizational units named **Servers** and **Clients** and move the **APP1** computer account to the first of them:
|
||||
18. Within the **Windows PowerShell** window, add the following script to the script pane, and run it to create additional organizational units named **Servers** and **Clients**, and move the **APP1** computer account to the first of them:
|
||||
|
||||
```pwsh
|
||||
New-ADOrganizationalUnit -Name 'Servers' -Path 'OU=Demo Accounts,DC=corp,DC=contoso,DC=com'
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ Microsoft and the trademarks listed at <https://www.microsoft.com/en-us/legal/in
|
|||
|
||||
## Abstract and learning objectives
|
||||
|
||||
In this hands-on lab, you will set up and configure a number of different hybrid identity scenarios. The scenarios involve an Active Directory single-domain forest named corp.contoso.com, which consists (for simplicity reasons) of a single domain controller named DC1 and a single domain member server named APP1. The intention is to explore Azure AD-related capabilities that allow you to integrate Active Directory with Azure Active Directory, optimize hybrid authentication and authorization, and provide secure access to on-premises resources from the Internet for both organizational users and users who are members of partner organizations.
|
||||
In this hands-on lab, you will set up and configure a number of different hybrid identity scenarios. The scenarios involve an Active Directory single-domain forest named corp.contoso.com, which consists (for simplicity reasons) of a single domain controller named DC1 and a single domain member server named APP1. The intention is to explore Azure AD-related capabilities that allow you to integrate Active Directory with Azure Active Directory, optimize hybrid authentication and authorization, and provide secure access to on-premises resources from the Internet for both organizational users and users who are members of partner organizations.
|
||||
|
||||
## Overview
|
||||
|
||||
|
|
@ -256,7 +256,7 @@ In this task, you will purchase a custom DNS domain name by leveraging the funct
|
|||
|
||||
|
||||
|
||||
5. On the **Basics** tab of the **Web App** blade, specify the following settings and select **Next: Deployment**:
|
||||
5. On the **Basics** tab of the **Web App** blade, specify the following settings, and select **Next: Deployment**:
|
||||
|
||||
- Subscription: The name of the Azure subscription into which you deployed resources in the Before Hands-On Lab exercises.
|
||||
|
||||
|
|
@ -280,7 +280,7 @@ In this task, you will purchase a custom DNS domain name by leveraging the funct
|
|||
|
||||
6. Select **Next: Networking** and then **Next: Monitoring**
|
||||
|
||||
7. On the **Monitoring** tab of the **Web App** blade, specify the following setting and select **Review + create** then **Create**:
|
||||
7. On the **Monitoring** tab of the **Web App** blade, specify the following setting, and select **Review + create** then **Create**:
|
||||
|
||||
- Enable Application Insights: **No**
|
||||
|
||||
|
|
@ -320,7 +320,7 @@ In this task, you will assign a newly purchased custom DNS domain name to the Co
|
|||
|
||||
7. On the lab computer, start another browser tab and navigate to the Azure portal.
|
||||
|
||||
8. In the Azure portal, select the **Directory + Subscription** icon in the toolbar of the Azure portal (to the right of the **Cloud Shell** icon) to switch to the Azure AD tenant associated with the Azure subscription into which you deployed resources in the Before Hands-On Lab exercises (the **Default Directory**).
|
||||
8. In the Azure portal, select the **Directory + Subscription** icon in the toolbar of the Azure portal (to the right of the **Cloud Shell** icon) to switch to the Azure AD tenant associated with the Azure subscription into which you deployed resources in the Before Hands-On Lab exercises (the **Default Directory**).
|
||||
|
||||
9. In the Azure portal, select **All services** in the portal's left navigation. In the **Search All** textbox, type **DNS zones**, and then select the **DNS zones** entry in the listing of search results.
|
||||
|
||||
|
|
@ -330,7 +330,7 @@ In this task, you will assign a newly purchased custom DNS domain name to the Co
|
|||
|
||||
11. On the DNS zone blade, select **+ Record set**.
|
||||
|
||||
12. On the **Add record set** blade, specify the following settings and select **OK**:
|
||||
12. On the **Add record set** blade, specify the following settings, and select **OK**:
|
||||
|
||||
- Name: **\@**
|
||||
|
||||
|
|
@ -342,7 +342,7 @@ In this task, you will assign a newly purchased custom DNS domain name to the Co
|
|||
|
||||
- Value: The value of the **DESTINATION OR POINTS TO ADDRESS** entry you identified on the **Custom domain name** blade.
|
||||
|
||||
13. Switch back to the browser window displaying the custom domain name blade, and select **Verify**. Ensure that the verification was successful.
|
||||
13. Switch back to the browser window displaying the custom domain name blade, and select **Verify**. Ensure that the verification was successful.
|
||||
|
||||
14. Select **Make primary** and confirm the change when prompted.
|
||||
|
||||
|
|
@ -446,7 +446,7 @@ In this task, you will install Azure AD Connect.
|
|||
|
||||
|
||||
|
||||
19. On the **Domain and OU filtering** page, ensure that only the **DemoAccounts** OU and all its children OUs are selected and select **Next**.
|
||||
19. On the **Domain and OU filtering** page, ensure that only the **DemoAccounts** OU and all its children OUs are selected and select **Next**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -471,7 +471,6 @@ In this task, you will install Azure AD Connect.
|
|||
|
||||
|
||||
> **Note**: You will configure attribute-level filtering before enabling the synchronization process.
|
||||
|
||||
> **Note**: Installation should take about 2 minutes.
|
||||
|
||||
25. On the **Configuration complete** page, select **Exit**.
|
||||
|
|
@ -480,7 +479,7 @@ In this task, you will install Azure AD Connect.
|
|||
|
||||
### Task 7: Enable Active Directory Recycle Bin
|
||||
|
||||
In this task, you will enable Recycle Bin in the Contoso Active Directory domain.
|
||||
In this task, you will enable Recycle Bin in the Contoso Active Directory domain.
|
||||
|
||||
1. Within the Remote Desktop session to **DC1**, on the Tools menu in the Server Manager console, start **Active Directory Administrative Center**.
|
||||
|
||||
|
|
@ -556,7 +555,7 @@ In this task, you will configure Azure AD Connect attribute level filtering that
|
|||
|
||||
7. When presented with a **Warning** dialog box displaying that message stating that **A full import and full synchronization will be run on 'corp.contoso.com' during your next synchronization cycle**, select **OK**.
|
||||
|
||||
> **Note**: This should bring you back to the View and manage your synchronization rules interface, with the new rule listed at the top of the rule list.
|
||||
> **Note**: This should bring you back to the View and manage your synchronization rules interface, with the new rule listed at the top of the rule list.
|
||||
|
||||
|
||||
|
||||
|
|
@ -716,7 +715,7 @@ In this task, you will configure Azure AD Connect device synchronization options
|
|||
|
||||
7. Switch back to the Remote Desktop session to **APP1** and start a **Command Prompt**.
|
||||
|
||||
8. From the Command Prompt window, check the Azure AD registration status of APP1 by running the following:
|
||||
8. From the Command Prompt window, check the Azure AD registration status of APP1 by running the following:
|
||||
|
||||
```txt
|
||||
dsregcmd /status
|
||||
|
|
@ -799,9 +798,9 @@ In this exercise, you will optimize authentication, authorization, and access co
|
|||
|
||||
In this task, you will create and configure Active Directory groups that will be used to control authentication, authorization, and access control and synchronize them to the Contoso Azure AD tenant.
|
||||
|
||||
1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Active Directory Users and Computers** console.
|
||||
1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Active Directory Users and Computers** console.
|
||||
|
||||
2. In the **Active Directory Users and Computers** console, expand **corp.contoso.com** on the left and navigate to **Demo Accounts > Groups**.
|
||||
2. In the **Active Directory Users and Computers** console, expand **corp.contoso.com** on the left and navigate to **Demo Accounts > Groups**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -929,7 +928,7 @@ This task will enable password writeback and Self-Service Password Reset (SSPR)
|
|||
|
||||
In this task, you will implement Azure AD password protection for Windows Server Active Directory.
|
||||
|
||||
1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Group Policy Management** console.
|
||||
1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Group Policy Management** console.
|
||||
|
||||
2. In the **Group Policy Management** console, navigate to **Forest: corp.contoso.com > Domains > corp.contoso.com** on the left, right-click **Default Domain Policy** and select **Edit**.
|
||||
|
||||
|
|
@ -937,7 +936,7 @@ In this task, you will implement Azure AD password protection for Windows Server
|
|||
|
||||
3. In the **Group Policy Management Editor**, navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy**.
|
||||
|
||||
4. Set the value of the **Account lockout threshold** to **10**, select **OK**, and accept the settings in the **Suggested Value Changes**.
|
||||
4. Set the value of the **Account lockout threshold** to **10**, select **OK**, and accept the settings in the **Suggested Value Changes**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -1002,7 +1001,7 @@ In this task, you will implement Azure AD password protection for Windows Server
|
|||
Register-AzureADPasswordProtectionForest -AccountUpn 'john.doe@<domain_name>.onmicrosoft.com'
|
||||
```
|
||||
|
||||
18. Switch to the Remote Desktop session to the **DC1** virtual machine, where you are signed in as the user **CORP\demouser** with the **demo@pass123** password.
|
||||
18. Switch to the Remote Desktop session to the **DC1** virtual machine, where you are signed in as the user **CORP\demouser** with the **demo@pass123** password.
|
||||
|
||||
19. Within the Remote Desktop session to **DC1**, start the Edge browser and navigate to the **Azure AD Password Protection for Windows Server Active Directory** page at the URL below. Select **Download** under **Azure AD Password Protection for Windows Server Active Directory**. Download and install **AzureADPasswordProtectionProxySetup.exe** with the default options.
|
||||
|
||||
|
|
@ -1016,7 +1015,7 @@ In this task, you will implement Azure AD password protection for Windows Server
|
|||
|
||||
In this task, you will enable Azure AD Identity Protection.
|
||||
|
||||
1. After **DC1** reboots, connect to **DC1** via Remote Desktop. When prompted to sign in, use the **demouser** name with the **demo\@pass123** password.
|
||||
1. After **DC1** reboots, connect to **DC1** via Remote Desktop. When prompted to sign in, use the **demouser** name with the **demo\@pass123** password.
|
||||
|
||||
2. Within the Remote Desktop session to **DC1**, start the Edge browser and navigate to the Azure portal at the URL below:
|
||||
|
||||
|
|
@ -1190,7 +1189,7 @@ In this task, you will implement Azure AD Conditional Access Policies.
|
|||
|
||||
|
||||
|
||||
30. Back on the **New** blade, in the **Access controls** section, select **0 controls selected** under **Session**.
|
||||
30. Back on the **New** blade, in the **Access controls** section, select **0 controls selected** under **Session**.
|
||||
|
||||
31. Review the **Session** blade settings but do not modify them. Close it when you are finished.
|
||||
|
||||
|
|
@ -1200,7 +1199,7 @@ In this task, you will implement Azure AD Conditional Access Policies.
|
|||
|
||||
33. Back on the **Conditional Access - Policies** blade, select **What If**.
|
||||
|
||||
34. On the **What If** blade, specify the following settings and select **What If**:
|
||||
34. On the **What If** blade, specify the following settings, and select **What If**:
|
||||
|
||||
- User: **Teresa F. Bell**
|
||||
|
||||
|
|
@ -1288,7 +1287,7 @@ Duration: 90 minutes
|
|||
|
||||
**Overview**
|
||||
|
||||
In this exercise, you will configure access to an on-premises Integrated Windows Authentication app (implemented as the default IIS website) from the internet by installing and configuring Azure AD Application Proxy. You will test access to this application by using a Contoso Azure AD tenant user account and using a Fabrikam Azure AD tenant user account configured as a guest account in the Contoso Azure AD tenant.
|
||||
In this exercise, you will configure access to an on-premises Integrated Windows Authentication app (implemented as the default IIS website) from the internet by installing and configuring Azure AD Application Proxy. You will test access to this application by using a Contoso Azure AD tenant user account and using a Fabrikam Azure AD tenant user account configured as a guest account in the Contoso Azure AD tenant.
|
||||
|
||||
### Task 1: Install and configure Azure AD Application Proxy
|
||||
|
||||
|
|
@ -1320,7 +1319,7 @@ In this task, you will configure an Azure AD Application Proxy application.
|
|||
|
||||
1. On the **Contoso - Application proxy** blade, select **+ Configure an app**.
|
||||
|
||||
2. On the **Add your own on-premises application** blade, specify the following settings and select **+ Add**.
|
||||
2. On the **Add your own on-premises application** blade, specify the following settings, and select **+ Add**.
|
||||
|
||||
- Name: **APP1 Default Web Site**
|
||||
|
||||
|
|
@ -1354,7 +1353,7 @@ In this task, you will configure an Azure AD Application Proxy application.
|
|||
|
||||
5. On the **APP1 Default Web Site - Users and groups** blade, select **+ Add user/group**.
|
||||
|
||||
6. On the **Add Assignment** blade, specify the following settings and select **Assign**:
|
||||
6. On the **Add Assignment** blade, specify the following settings, and select **Assign**:
|
||||
|
||||
- Users and groups: **Engineering**
|
||||
|
||||
|
|
@ -1382,7 +1381,7 @@ In this task, you will configure an Azure AD Application Proxy application.
|
|||
|
||||
> **Note**: The HTTP service class is one of the built-in services that act as an alias to the HOST SPN. For more information, refer to **How to use SPNs when you configure Web applications that are hosted on Internet Information Services** at <https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on>.
|
||||
|
||||
11. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**.
|
||||
11. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**.
|
||||
|
||||
12. In the **Active Directory Users and Computers** console, select **View** and, in the **View** menu, enable **Advanced Features**.
|
||||
|
||||
|
|
@ -1394,11 +1393,11 @@ In this task, you will configure an Azure AD Application Proxy application.
|
|||
|
||||
14. In the **DC1 Properties** window, switch to the **Delegation** tab and select the option **Trust this computer for delegation to specified services only**.
|
||||
|
||||
15. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**. In the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1**. Select **Check Names** to verify the name resolves, and select **OK**.
|
||||
15. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**. In the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1**. Select **Check Names** to verify the name resolves, and select **OK**.
|
||||
|
||||
|
||||
|
||||
16. In the **Add Services** window, select the **http** entry and select **OK**.
|
||||
16. In the **Add Services** window, select the **http** entry and select **OK**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -1418,7 +1417,7 @@ In this task, you will configure an Azure AD Application Proxy application.
|
|||
|
||||
### Task 4: Create an Azure Active Directory tenant and activate an EMS E5 trial
|
||||
|
||||
In this task, you will create another Azure Active Directory tenant representing the Fabrikam organization with the following settings:
|
||||
In this task, you will create another Azure Active Directory tenant representing the Fabrikam organization with the following settings:
|
||||
|
||||
- Organization name: **Fabrikam**
|
||||
|
||||
|
|
@ -1614,7 +1613,7 @@ In this task, you will create and configure Azure AD guest accounts in the Conto
|
|||
|
||||
12. When prompted, change the password for the **jane.doe** Fabrikam Azure AD user account.
|
||||
|
||||
> **Note**: If you receive the message **We've seen that password too many times before. Choose something harder to guess**; you'll need to modify the password until it is unique enough to be accepted.
|
||||
> **Note**: If you receive the message, "**We've seen that password too many times before. Choose something harder to guess**", you will need to modify the password until it is unique enough to be accepted.
|
||||
|
||||
13. In the Azure portal, sign out from the Contoso Azure AD tenant and close the in private/incognito browser window.
|
||||
|
||||
|
|
@ -1742,11 +1741,11 @@ In this task, you will configure an Azure AD Application Proxy application for B
|
|||
Install-Module AzureAD
|
||||
```
|
||||
|
||||
33. Execute the script and ensure it did not return any error messages.
|
||||
33. Execute the script and ensure it did not return any error messages.
|
||||
|
||||
> **Note**: You can schedule script execution regularly by using Windows Scheduled Tasks. Refer to the **Readme - Script to pull Azure AD B2B users on-prem_v1.0.3.pdf** file for details.
|
||||
|
||||
34. Switch back to the Azure Active Directory Users and Computers console and verify that a user account of **jane.doe** is listed in the **Demo B2B Accounts\\Enabled** organizational unit. You may have to refresh the console.
|
||||
34. Switch back to the Azure Active Directory Users and Computers console and verify that a user account of **jane.doe** is listed in the **Demo B2B Accounts\\Enabled** organizational unit. You may have to refresh the console.
|
||||
|
||||
> **Note**: In a production environment, you could provide access to Integrated Windows Authentication apps by leveraging Microsoft Identity Manager. You can also give access to on-premises apps that support SAML-based authentication directly from the Azure portal. Refer to Grant B2B users in Azure AD access to your on-premises applications at <https://docs.microsoft.com/en-us/azure/active-directory/b2b/hybrid-cloud-to-on-premises> for more information.
|
||||
|
||||
|
|
@ -1760,7 +1759,7 @@ In this task, you will configure an Azure AD Application Proxy application for B
|
|||
https://myapps.microsoft.com
|
||||
```
|
||||
|
||||
2. When prompted, sign in by using the **jane.doe** Fabrikam Azure AD user account.
|
||||
2. When prompted, sign in by using the **jane.doe** Fabrikam Azure AD user account.
|
||||
|
||||
3. Once signed in, select the **Jane Fabrikam** icon in the upper right corner of the Application Access Panel page and, in the dropdown menu, select **Switch organization**.
|
||||
|
||||
|
|
@ -1859,7 +1858,7 @@ In this task, you will promote the newly created VM to a domain controller and c
|
|||
10. Right-click the network connection icon on the taskbar to open the **Network and sharing center**.
|
||||
|
||||
11. Select **Ethernet** next to **Connections**.
|
||||
|
||||
|
||||
12. When the **Ethernet Status** tile opens, select **Properties**.
|
||||
|
||||
13. On the **Ethernet Properties** tile, select **Internet Protocol Version 4 (TCP/IPv4)**, and select **Properties**.
|
||||
|
|
@ -1874,7 +1873,7 @@ In this task, you will promote the newly created VM to a domain controller and c
|
|||
|
||||
|
||||
|
||||
17. Select **Add a domain controller to an existing domain**, select **Select**.
|
||||
17. Select **Add a domain controller to an existing domain**, select **Select**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -1964,13 +1963,13 @@ In this task, you will install and configure Azure AD Connect in standby mode. T
|
|||
|
||||
11. Make sure the tab Connectors is still selected. Then, for each Connector with type **Active Directory Domain Services**, select **Run**, select **Delta Synchronization**, and **OK**.
|
||||
|
||||
12. Select the Connector with type **Azure Active Directory (Microsoft)**. Select **Run**, select **Delta Synchronization**, and **OK**.
|
||||
12. Select the Connector with type **Azure Active Directory (Microsoft)**. Select **Run**, select **Delta Synchronization**, and **OK**.
|
||||
|
||||
### Task 4: Configure Azure AD Application Proxy for BDC-1 VM
|
||||
|
||||
In this task, you will configure Azure AD Application Proxy for the BDC-1 VM.
|
||||
|
||||
1. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**.
|
||||
1. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**.
|
||||
|
||||
2. In the **Active Directory Users and Computers** console, select **View** and, in the **View** menu, enable **Advanced Features**.
|
||||
|
||||
|
|
@ -1982,17 +1981,17 @@ In this task, you will configure Azure AD Application Proxy for the BDC-1 VM.
|
|||
|
||||
4. In the **BDC-1 Properties** window, switch to the **Delegation** tab and select the option **Trust this computer for delegation to specified services only**.
|
||||
|
||||
5. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**, in the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1** and select **OK**.
|
||||
5. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**, in the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1** and select **OK**.
|
||||
|
||||
|
||||
|
||||
6. Back in the **Add Services** window, select the **http** entry and select **OK**.
|
||||
6. Back in the **Add Services** window, select the **http** entry and select **OK**.
|
||||
|
||||
|
||||
|
||||
7. In the **DC1 Properties** window, select **OK**.
|
||||
|
||||
**Summary**
|
||||
**Summary**
|
||||
|
||||
In this exercise, you installed and configured a backup domain controller, set it up for Azure AD Connect standby synchronization, and added redundancy with the Azure AD Connect pass-through agents and Application proxy. You have now configured a resilient and available hybrid identity architecture.
|
||||
|
||||
|
|
@ -2022,7 +2021,7 @@ In this exercise, you installed and configured a backup domain controller, set i
|
|||
|
||||
**Lab summary**
|
||||
|
||||
In this hands-on lab, you set up and configured a number of different hybrid identity scenarios. The scenarios involved an Active Directory single-domain forest named corp.contoso.com in this lab environment consisted (for simplicity reasons) of a single domain controller named DC1 and a single domain member server named APP1. You explored Azure AD-related capabilities that allowed you to integrate Active Directory with Azure Active Directory, optimized hybrid authentication and authorization, and provided secure access to on-premises resources from the Internet for both organizational users and users who are members of partner organizations.
|
||||
In this hands-on lab, you set up and configured a number of different hybrid identity scenarios. The scenarios involved an Active Directory single-domain forest named corp.contoso.com in this lab environment consisted (for simplicity reasons) of a single domain controller named DC1 and a single domain member server named APP1. You explored Azure AD-related capabilities that allowed you to integrate Active Directory with Azure Active Directory, optimized hybrid authentication and authorization, and provided secure access to on-premises resources from the Internet for both organizational users and users who are members of partner organizations.
|
||||
|
||||
## After the hands-on lab
|
||||
|
||||
|
|
@ -2032,4 +2031,4 @@ Duration: 20 Minutes
|
|||
|
||||
1. Now that the HOL is complete, delete all of the Resource Groups created for this HOL. You will no longer need those resources, and it will be beneficial to clean up your Azure Subscription. In addition, remove the verified domain from the Contoso Azure AD tenant.
|
||||
|
||||
You should follow all steps provided *after* attending the Hands-on lab.
|
||||
You should follow all steps provided *after* attending the Hands-on lab.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# Hybrid identity
|
||||
|
||||
Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with the majority of its infrastructure running on the Windows platform. Contoso has recently upgraded its Active Directory environment to Windows Server 2016, and it is in the process of migrating its desktops from Windows 7 to Windows 10.
|
||||
|
||||
|
||||
Contoso is facing challenges related to increased mobility of its workforce and providing access to its services to other financial partners. Contoso is looking to improve security while providing users with self-service capabilities around device, account, and password management. To drive better integration with partners, Contoso needs to provide access to some existing internal applications while maintaining a high level of security for applications hosted in the cloud and on premises while minimizing the effort required to manage customer identities.
|
||||
|
||||
May 2022
|
||||
|
|
@ -62,6 +62,7 @@ In this hands-on lab you will setup and configure a number of different hybrid i
|
|||
We welcome feedback and comments from Microsoft SMEs & learning partners who deliver MCWs.
|
||||
|
||||
***Having trouble?***
|
||||
|
||||
- First, verify you have followed all written lab instructions (including the Before the Hands-on lab document).
|
||||
- Next, submit an issue with a detailed description of the problem.
|
||||
- Do not submit pull requests. Our content authors will make all changes and submit pull requests for approval.
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ Microsoft and the trademarks listed at <https://www.microsoft.com/en-us/legal/in
|
|||
<!-- TOC -->
|
||||
|
||||
- [Hybrid identity whiteboard design session student guide](#hybrid-identity-whiteboard-design-session-student-guide)
|
||||
- [Abstract and learning objectives](#abstract-and-learning-objectives)
|
||||
[Abstract and learning objectives](#abstract-and-learning-objectives)
|
||||
- [Step 1: Review the customer case study](#step-1-review-the-customer-case-study)
|
||||
- [Customer situation](#customer-situation)
|
||||
- [Customer needs](#customer-needs)
|
||||
|
|
@ -44,11 +44,11 @@ Microsoft and the trademarks listed at <https://www.microsoft.com/en-us/legal/in
|
|||
|
||||
# Hybrid identity whiteboard design session student guide
|
||||
|
||||
## Abstract and learning objectives
|
||||
## Abstract and learning objectives
|
||||
|
||||
In this whiteboard design session, you will learn how to implement different components of a hybrid identity solution that integrates an Active Directory forest with an Azure Active Directory tenant and leverages a number of Azure Active Directory features, including pass-through authentication with Seamless Single Sign-On, Multi-Factor Authentication, Self-Service Password Reset, Azure AD Password Protection for Windows Server Active Directory, Hybrid Azure AD join, Windows Hello for Business, Microsoft Intune automatic enrollment, Azure AD Conditional Access, Azure AD Application Proxy, Azure AD B2B, and Azure AD B2C.
|
||||
|
||||
## Step 1: Review the customer case study
|
||||
## Step 1: Review the customer case study
|
||||
|
||||
**Outcome**
|
||||
|
||||
|
|
@ -66,7 +66,7 @@ Directions: With all participants in the session, the facilitator/SME presents
|
|||
|
||||
### Customer situation
|
||||
|
||||
Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with majority of its infrastructure running on the Windows platform.
|
||||
Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with majority of its infrastructure running on the Windows platform.
|
||||
|
||||
Contoso is facing challenges related to increased mobility of its workforce. In particular, in order to drive down its office space costs, Contoso management is considering implementing a flexible work arrangement policy which would allow its employees to work on designated days from home, using either corporate- and employee-owned devices. However, the Contoso's Information Security team expressed concerns about insufficient controls that would prevent access from unauthorized or non-compliant systems. In addition, there are concerns regarding using traditional VPN technologies or DirectAccess, which tend to provide excessive access to on-premises infrastructure.
|
||||
|
||||
|
|
@ -81,13 +81,13 @@ Contoso has recently upgraded its Active Directory environment to Windows Server
|
|||
Contoso is exploring the option of transitioning its operations into a more internet-open model which would facilitate support for mobile workforce and integration with business partners, while, at the same time, support current security and manageability controls. Given its current environment, which is heavily dependent on Active Directory and undergoes migration to Windows 10 devices, Contoso intends to evaluate Azure Active Directory and Microsoft Endpoint Management as potential identity and management components of the target design.
|
||||
|
||||
The identity component of the target design should facilitate step-up authentication and per-application permissions based not only on the properties of users' accounts but also on the state of these users' devices. To maximize security, Contoso wants to minimize or even eliminate persistent assignments of privileged roles for identity management, but, at the same time, such arrangement must account for break-glass scenarios, allowing for a non-gated emergency use of privileged accounts. For obvious reasons, such accounts need to be closely monitored and audited.
|
||||
|
||||
|
||||
Another Information Security concern is accidental exposure of users' passwords. Contoso would like to minimize their use in lieu of more secure authentication methods. In situations where passwords are required, users should also be able to both change and reset them without having to rely on HelpDesk services. At the same time, any on-premises Active Directory user account restrictions, such as allowed sign-in hours must be honored. Similarly, the existing Active Directory password policies must apply, although the head of Information Security would like to enhance them by preventing use of common terms within password values.
|
||||
|
||||
|
||||
Besides enhancing self-service user capabilities, Contoso wants to optimize end-user experience, especially in environments where users might be using several different devices. The user-defined settings, such as accessibility or app customization should be consistent across all devices.
|
||||
|
||||
|
||||
In addition, Contoso needs to expand its customer base through partnership with other financial institutions and providing direct access to its services to external clients. As part of this effort, Contoso established a business relationship with Fabrikam, which manages an extensive portfolio of mortgage related products. Contoso intends to provide Fabrikam with access to its internal Windows Integrated Authentication-based web applications that could be integrated with the existing Fabrikam's products. The access methodology needs to account for the fact that in recent years, Fabrikam has modernized its technology and moved its operations almost entirely to Microsoft Azure.
|
||||
|
||||
|
||||
To facilitate the expansion of their customer base, Contoso started developing a number of applications intended to be available both via web and from mobile devices. Historically, such applications were hosted in on-premises data centers and relied on an internally developed identity management product. Going forward, Contoso wants to minimize the effort managing customer identities.
|
||||
|
||||
The management team of Contoso, including its CIO, Andrew Cross, emphasized the need for resiliency and Service Level Agreements associated with each of the identity-related components that are part of the target design. At the same time, they are also interested in minimizing additional infrastructure requirements to implement the design.
|
||||
|
|
@ -96,15 +96,15 @@ The management team of Contoso, including its CIO, Andrew Cross, emphasized the
|
|||
|
||||
1. Remote users must be able to sign into their devices using their Active Directory credentials.
|
||||
|
||||
2. Existing Active Directory user sign-in hours and password policies must be preserved (although allowed password values could be further restricted).
|
||||
2. Existing Active Directory user sign-in hours and password policies must be preserved (although allowed password values could be further restricted).
|
||||
|
||||
3. User sign-in experience should be simplified by minimizing the number of sign-in prompts and limiting the use passwords in lieu of more secure authentication methods.
|
||||
3. User sign-in experience should be simplified by minimizing the number of sign-in prompts and limiting the use passwords in lieu of more secure authentication methods.
|
||||
|
||||
4. User device configuration should be simplified by leveraging a mobile device management solution and roaming user-specific settings across multiple devices.
|
||||
|
||||
5. Control access of users to applications and resources by relying on a combination of multiple conditions, including users group membership, state of the users' devices, and dynamically evaluated risk based on heuristics and globally collected security related telemetry.
|
||||
|
||||
6. Users must be allowed to reset their own passwords.
|
||||
6. Users must be allowed to reset their own passwords.
|
||||
|
||||
7. Designated users should be able to temporarily elevate their privileges to manage other user accounts. All elevation events must be edited.
|
||||
|
||||
|
|
@ -126,7 +126,7 @@ The management team of Contoso, including its CIO, Andrew Cross, emphasized the
|
|||
|
||||
3. If we decide to integrate our Active Directory environment with Azure Active Directory, this must be performed in stages. This is likely to be complex, considering that users in each stage would be members of different Active Directory groups and their accounts might reside in different Active Directory organizational units.
|
||||
|
||||
4. Synchronizing our Active Directory accounts with Azure AD accounts makes the former vulnerable to malicious or accidental lockouts that affect the latter. This would effectively expose our on-premises environment to external attacks.
|
||||
4. Synchronizing our Active Directory accounts with Azure AD accounts makes the former vulnerable to malicious or accidental lockouts that affect the latter. This would effectively expose our on-premises environment to external attacks.
|
||||
|
||||
5. A number of critical web applications running in our on-premises environment rely on Kerberos-based Windows Integrated Authentication. Microsoft states that Azure Active Directory does not support Kerberos. Doesn't this mean that remote users authenticating to Azure Active Directory and our business partners will not be able to properly authenticate and access these applications?
|
||||
|
||||
|
|
@ -138,7 +138,7 @@ The management team of Contoso, including its CIO, Andrew Cross, emphasized the
|
|||
|
||||
3. The choice of Azure AD edition required to satisfy Contoso's requirements
|
||||
|
||||
4. The Service Level Agreements associated with the choice of the Azure AD edition
|
||||
4. The Service Level Agreements associated with the choice of the Azure AD edition
|
||||
|
||||
5. Requirements necessary to minimize dependency on passwords in lieu of more secure authentication methods
|
||||
|
||||
|
|
@ -269,4 +269,4 @@ Directions: Reconvene with the larger group to hear the facilitator/SME share th
|
|||
| Azure Active Directory B2C documentation | <https://docs.microsoft.com/en-us/azure/active-directory-b2c/> |
|
||||
| Microsoft Enterprise Mobility + Security options | <https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing> |
|
||||
| Windows authentication - Kerberos constrained delegation with Azure Active Directory | <https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-kcd> |
|
||||
| Plan a passwordless authentication deployment in Azure Active Directory | <https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment> |
|
||||
| Plan a passwordless authentication deployment in Azure Active Directory | <https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment> |
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ Whiteboard design session trainer guide
|
|||
May 2022
|
||||
</div>
|
||||
|
||||
|
||||
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
|
||||
|
||||
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
|
||||
|
|
@ -192,10 +191,10 @@ Directions: With all participants in the session, the facilitator/SME presents
|
|||
|
||||
### Customer situation
|
||||
|
||||
Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with majority of its infrastructure running on the Windows platform.
|
||||
Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with majority of its infrastructure running on the Windows platform.
|
||||
|
||||
Contoso is facing challenges related to increased mobility of its workforce. In particular, in order to drive down its office space costs, Contoso management is considering implementing a flexible work arrangement policy which would allow its employees to work on designated days from home, using either corporate- and employee-owned devices. However, the Contoso's Information Security team expressed concerns about insufficient controls that would prevent access from unauthorized or non-compliant systems. In addition, there are concerns regarding using traditional VPN technologies or DirectAccess, which tend to provide excessive access to on-premises infrastructure.
|
||||
|
||||
|
||||
**Existing Contoso Active Directory environment**
|
||||
|
||||
Contoso has a single domain Active Directory forest which was implemented over a decade ago. The domain was assigned a non-routable DNS name contoso.local. While the Directory Services team considered renaming the domain, this has never been implemented due to potential negative implications of such change. Contoso does own a publicly routable DNS domain name contoso.com.
|
||||
|
|
@ -209,11 +208,11 @@ Contoso is exploring the option of transitioning its operations into a more inte
|
|||
The identity component of the target design should facilitate step-up authentication and per-application permissions based not only on the properties of users' accounts but also on the state of these users' devices. To maximize security, Contoso wants to minimize or even eliminate persistent assignments of privileged roles for identity management, but, at the same time, such arrangement must account for break-glass scenarios, allowing for a non-gated emergency use of privileged accounts. For obvious reasons, such accounts need to be closely monitored and audited.
|
||||
|
||||
Another Information Security concern is accidental exposure of users' passwords. Contoso would like to minimize their use in lieu of more secure authentication methods. In situations where passwords are required, users should also be able to both change and reset them without having to rely on HelpDesk services. At the same time, any on-premises Active Directory user account restrictions, such as allowed sign-in hours must be honored. Similarly, the existing Active Directory password policies must apply, although the head of Information Security would like to enhance them by preventing use of common terms within password values.
|
||||
|
||||
|
||||
Besides enhancing self-service user capabilities, Contoso wants to optimize end-user experience, especially in environments where users might be using several different devices. The user-defined settings, such as accessibility or app customization should be consistent across all devices.
|
||||
|
||||
|
||||
In addition, Contoso needs to expand its customer base through partnership with other financial institutions and providing direct access to its services to external clients. As part of this effort, Contoso established a business relationship with Fabrikam, which manages an extensive portfolio of mortgage related products. Contoso intends to provide Fabrikam with access to its internal Windows Integrated Authentication-based web applications that could be integrated with the existing Fabrikam's products. The access methodology needs to account for the fact that in recent years, Fabrikam has modernized its technology and moved its operations almost entirely to Microsoft Azure.
|
||||
|
||||
|
||||
To facilitate the expansion of their customer base, Contoso started developing a number of applications intended to be available both via web and from mobile devices. Historically, such applications were hosted in on-premises data centers and relied on an internally developed identity management product. Going forward, Contoso wants to minimize the effort managing customer identities.
|
||||
|
||||
The management team of Contoso, including its CIO, Andrew Cross, emphasized the need for resiliency and Service Level Agreements associated with each of the identity-related components that are part of the target design. At the same time, they are also interested in minimizing additional infrastructure requirements to implement the design.
|
||||
|
|
@ -264,7 +263,7 @@ The management team of Contoso, including its CIO, Andrew Cross, emphasized the
|
|||
|
||||
3. The choice of Azure AD edition required to satisfy Contoso's requirements
|
||||
|
||||
4. The Service Level Agreements associated with the choice of the Azure AD edition
|
||||
4. The Service Level Agreements associated with the choice of the Azure AD edition
|
||||
|
||||
5. Requirements necessary to minimize dependency on passwords in lieu of more secure authentication methods
|
||||
|
||||
|
|
@ -465,7 +464,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
1. Remote users must be able to sign into their devices by using their Active Directory credentials.
|
||||
|
||||
2. Existing Active Directory user sign-in hours and password policies must be preserved (although allowed password values could be further restricted).
|
||||
2. Existing Active Directory user sign-in hours and password policies must be preserved (although allowed password values could be further restricted).
|
||||
|
||||
3. User sign-in experience should be simplified by minimizing the number of sign-in prompts and limiting the use passwords in lieu of more secure authentication methods.
|
||||
|
||||
|
|
@ -497,7 +496,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
- Contoso has not implemented any cloud-based services, including an Azure AD tenant and an Azure subscription.
|
||||
|
||||
Implementing the hybrid identity model will allow Contoso to take advantage of such technologies and capabilities as:
|
||||
Implementing the hybrid identity model will allow Contoso to take advantage of such technologies and capabilities as:
|
||||
|
||||
- Passthrough authentication with Seamless Single Sign-On
|
||||
|
||||
|
|
@ -535,7 +534,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
- Contoso will provision a new Azure Active Directory tenant with a custom, publicly routable domain name and use Azure AD Connect in order to integrate it with an on-premises Active Directory environment.
|
||||
|
||||
- Contoso will purchase Azure AD Premium P2 licenses for its users, in order to provide the ability to implement:
|
||||
- Contoso will purchase Azure AD Premium P2 licenses for its users, in order to provide the ability to implement:
|
||||
|
||||
- Azure AD Privileged Identity Management. This will allow designated users to temporarily elevate their privileges to manage other user accounts with auditing automatically enabled for all elevation events.
|
||||
|
||||
|
|
@ -549,7 +548,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
- Password Protection for Windows Server Active Directory (available starting with Azure AD Premium P1). This will allow imposing restrictions on allowed password values.
|
||||
|
||||
- Self-service password reset/change/unlock with on-premises writeback (available starting with Azure AD Premium P1).
|
||||
- Self-service password reset/change/unlock with on-premises writeback (available starting with Azure AD Premium P1).
|
||||
|
||||
|
||||
|
||||
|
|
@ -596,15 +595,15 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
- Authentication method
|
||||
|
||||
- For pass-through authentication, you need to install at least one or more (three are recommended) lightweight Authentication Agents on your on-premises computers running Windows Servers 2012 R2 or newer with TLS 1.2 enabled. The computers hosting the agents must have direct access to Active Directory domain controllers and outbound access to internet. The first agent is installed automatically on the computer hosting Azure AD Connect once you choose to use pass-through authentication. To install additional agents, you can download their setup files from the **Pass-through authentication** blade (accessible via **Azure AD Connect** blade in the **Azure Active Directory** section of the Azure portal). Installation can be performed interactively (you will be prompted to sign in with an account that has been assigned the Azure AD Global Administrator role) or via an unattended deployment script.
|
||||
- For pass-through authentication, you need to install at least one or more (three are recommended) lightweight Authentication Agents on your on-premises computers running Windows Servers 2012 R2 or newer with TLS 1.2 enabled. The computers hosting the agents must have direct access to Active Directory domain controllers and outbound access to internet. The first agent is installed automatically on the computer hosting Azure AD Connect once you choose to use pass-through authentication. To install additional agents, you can download their setup files from the **Pass-through authentication** blade (accessible via **Azure AD Connect** blade in the **Azure Active Directory** section of the Azure portal). Installation can be performed interactively (you will be prompted to sign in with an account that has been assigned the Azure AD Global Administrator role) or via an unattended deployment script.
|
||||
|
||||
- Filtering
|
||||
|
||||
- Azure AD Connect offers a number of different filtering options that determine the scope of synchronized Active Directory objects. While organizational unit-based filtering is the most straightforward to configure option, the scope can be based on a value of individual Active Directory attributes, which offers object-level granularity.
|
||||
|
||||
- Configuring attribute-based filtering relies on declarative provisioning, which is configurable by using Synchronization Rules Editor, included in the installation of Azure AD Connect. It can be applied when importing objects from Active Directory into to the metaverse (inbound) or when exporting objects from the metaverse to Azure AD (outbound). The recommended approach involves inbound filtering because this is easiest to maintain. Outbound filtering might be required in some scenarios, such as, for example, joining objects from more than one Active Directory forest before applying the filtering logic.
|
||||
- Configuring attribute-based filtering relies on declarative provisioning, which is configurable by using Synchronization Rules Editor, included in the installation of Azure AD Connect. It can be applied when importing objects from Active Directory into to the metaverse (inbound) or when exporting objects from the metaverse to Azure AD (outbound). The recommended approach involves inbound filtering because this is easiest to maintain. Outbound filtering might be required in some scenarios, such as, for example, joining objects from more than one Active Directory forest before applying the filtering logic.
|
||||
|
||||
- In inbound filtering, the scope determines which objects to synchronize or not synchronize. The scope has a group and a clause to determine when a sync rule is in scope. A group contains one or many clauses. There is a logical *AND* between multiple clauses, and a logical *OR* between multiple groups. Objects which are supposed to be synchronized to Azure AD must have the metaverse attribute **cloudFiltered** not set to a value to be synchronized. If this attribute's value is set to **TRUE**, then the object is not synchronized. It is important to note that, in general, this attribute should not be set to **FALSE**. To make sure that multiple rules can affect its value, the attribute is supposed to have the value of either **TRUE** or **NULL** (not set). There are, however, scenarios where the choice of **FALSE** is appropriate, such as, so called *positive* filtering, where you do specify which objects to include (rather than exclude) based on the value of their designated attribute.
|
||||
- In inbound filtering, the scope determines which objects to synchronize or not synchronize. The scope has a group and a clause to determine when a sync rule is in scope. A group contains one or many clauses. There is a logical *AND* between multiple clauses, and a logical *OR* between multiple groups. Objects which are supposed to be synchronized to Azure AD must have the metaverse attribute **cloudFiltered** not set to a value to be synchronized. If this attribute's value is set to **TRUE**, then the object is not synchronized. It is important to note that, in general, this attribute should not be set to **FALSE**. To make sure that multiple rules can affect its value, the attribute is supposed to have the value of either **TRUE** or **NULL** (not set). There are, however, scenarios where the choice of **FALSE** is appropriate, such as, so called *positive* filtering, where you do specify which objects to include (rather than exclude) based on the value of their designated attribute.
|
||||
|
||||
- Contoso will use a combination of the organizational unit-based filtering and the *positive* filtering based on the value of the userPrincipalName attribute. In particular, user objects to be synchronized will need to have the domain suffix portion of their userPrincipalName attribute match the custom, verified DNS domain name of the Azure AD tenant. This value can be set individually on per user object level as part of staged implementation of the proposed hybrid identity solution.
|
||||
|
||||
|
|
@ -660,7 +659,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
Some of the risk detections detected by Azure Active Directory Identity Protection occur in real time and some require offline processing. Administrators can choose to block users who exhibit risky behaviors and remediate manually, require a password change, or require a multi-factor authentication as part of their Conditional Access policies.
|
||||
|
||||
- Customers also need to choose the authentication methods that they want to make available for users. It is important to allow more than a single authentication method so that users have a backup method available in case their primary method is unavailable. The methods include:
|
||||
- Customers also need to choose the authentication methods that they want to make available for users. It is important to allow more than a single authentication method so that users have a backup method available in case their primary method is unavailable. The methods include:
|
||||
|
||||
- Notification through mobile app
|
||||
|
||||
|
|
@ -728,7 +727,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
- **Azure AD tenant** performs the authentication of remote users attempting to access on-premises applications.
|
||||
|
||||
- **Application Proxy service** hosted by Azure AD passes the sign-in token from the user to on-premises instances of Application Proxy Connector.
|
||||
- **Application Proxy service** hosted by Azure AD passes the sign-in token from the user to on-premises instances of Application Proxy Connector.
|
||||
|
||||
- **Application Proxy Connector** is a lightweight, stateless agent running on an on-premises Windows Server 2012 R2 or newer with direct connectivity to the target application. The server needs to have TLS 1.2 enabled before you install the Application Proxy connector. The connector manages communication between the on-premises application and the Application Proxy service via an outbound, persistent connection, which eliminates dependency on a perimeter network or open inbound ports on perimeter firewalls. In general, connectors can run on a Windows server that is not domain-joined. However, scenarios that require single sign-on (SSO) to applications which rely on Integrated Windows Authentication (IWA), it is necessary to use a domain-joined machine. In such scenarios, the connector machines must be domain-joined in order to perform Kerberos Constrained Delegation on behalf of the users of the published applications. This is one of the requirements that applies to the proposed solution.
|
||||
|
||||
|
|
@ -736,7 +735,6 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
|
||||
- **On-premises applications** deliver required functionality to users once their access requests are authenticated.
|
||||
|
||||
|
||||
*Assessing resiliency aspects of a hybrid identity solution*
|
||||
|
||||
1. What are provisions that eliminate single points of failure in your design?
|
||||
|
|
@ -750,7 +748,7 @@ Have the table attendees reconvene with the larger session group to hear a subje
|
|||
You can use password hash synchronization as a backup authentication method for pass-through authentication, to address scenarios in which the agents cannot validate users' credentials because Active Directory domain controllers are unavailable or unreachable. By combining password hash synchronization and pass-through authentication, users will be able to authenticate directly against Azure AD in cases where the latter fails.
|
||||
|
||||
Another mitigation approach involves extending your Active Directory environment to Azure. To accomplish this, you need to establish a hybrid network connection (such as Site-to-Site VPN or ExpressRoute) between your on-premises data center and an Azure virtual network and
|
||||
deploy additional domain controllers of the on-premises Active Directory domain into that virtual network, as well as install additional pass-through authentication agents on Azure virtual machines within the same virtual network. This minimizes the possibility of network connectivity issues affecting communication between Active Directory and Azure AD.
|
||||
deploy additional domain controllers of the on-premises Active Directory domain into that virtual network, as well as install additional pass-through authentication agents on Azure virtual machines within the same virtual network. This minimizes the possibility of network connectivity issues affecting communication between Active Directory and Azure AD.
|
||||
|
||||
- Azure AD Connect synchronization engine
|
||||
|
||||
|
|
@ -794,7 +792,7 @@ deploy additional domain controllers of the on-premises Active Directory domain
|
|||
|
||||
- Azure AD Connect passthrough authentication agent
|
||||
|
||||
- Authentication requests are dynamically distributed across all available Authentication Agents, so no explicit failover is required.
|
||||
- Authentication requests are dynamically distributed across all available Authentication Agents, so no explicit failover is required.
|
||||
|
||||
- Azure AD Password Protection for Windows Server Active Directory
|
||||
|
||||
|
|
@ -860,7 +858,7 @@ deploy additional domain controllers of the on-premises Active Directory domain
|
|||
|
||||
- Enforce multi-factor authentication to activate any roles
|
||||
|
||||
- Ensure that a rationale is provided as part of elevation approval process
|
||||
- Ensure that a rationale is provided as part of elevation approval process
|
||||
|
||||
- Configure notifications triggered by activation of privileged roles
|
||||
|
||||
|
|
@ -868,7 +866,7 @@ deploy additional domain controllers of the on-premises Active Directory domain
|
|||
|
||||
- Track elevation events
|
||||
|
||||
**Note**: Privileged Identity Management requires Azure AD Premium P2 licensing.
|
||||
**Note**: Privileged Identity Management requires Azure AD Premium P2 licensing.
|
||||
|
||||
*Optimizing access control and management of applications and devices*
|
||||
|
||||
|
|
@ -920,10 +918,9 @@ deploy additional domain controllers of the on-premises Active Directory domain
|
|||
|
||||
For more information regarding this subject, refer to *Technical and feature overview of Azure Active Directory B2C* at <https://docs.microsoft.com/en-us/azure/active-directory-b2c/technical-overview>
|
||||
|
||||
|
||||
## Checklist of preferred objection handling
|
||||
|
||||
1. Our Active Directory domain is using a non-routable domain name. We cannot risk renaming it in order to implement single sign-on with Azure Active Directory.
|
||||
1. Our Active Directory domain is using a non-routable domain name. We cannot risk renaming it in order to implement single sign-on with Azure Active Directory.
|
||||
|
||||
**Potential Answer:** Contoso does not have to rename their Active Directory domain in order to integrate with an Azure Active Directory tenant. Such integration is possible regardless of the DNS name of the Active Directory domain. What's important in order to ensure single sign-on experience for Active Directory users accessing cloud-based resources is to ensure that there is a match between the userPrincipalName in Active Directory and Azure AD. This is Microsoft's recommended approach. It is also possible to configure **Alternate Login ID**, which makes it possible to choose another attribute to designate the sign-in user names. The impact of this choice differs depending on the authentication method. For more information regarding **Alternate Login ID**, refer to Microsoft Docs at <https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id>.
|
||||
|
||||
|
|
|
|||
Двоичный файл не отображается.
Загрузка…
Ссылка в новой задаче