[Music]

Simon: Okay so coming up we are going to take a look at a new way you can harness the power of cloud authentication while still keeping your passwords on-premises, using Azure Active Directory Pass-Through Authentication and Seamless Single Sign-On capabilities. We're going to show you how you can securely use Azure Active Directory to validate passwords against on-premises Active Directory without the need for an expensive on-premises infrastructure, and how you can automatically sign in your users when they're at work. So please join me with a nice round of applause for Alex Simons, Director of Azure Active Directory Product Management.

[Applause]

Alex: Thanks, Simon.

Simon: Thank you for taking us through a little bit of password authentication here. What is the idea of pass-through authentication and why would people want it with Active Directory?

Alex: That's a great question, Simon. So look, today we're announcing the general availability of Pass-Through Authentication. It's a great new way to take the power of Azure Active Directory and use it for all the things that people do, like they get to cloud apps, they manage passwords and usernames, they take care of group assignments, they worry about how their users can get single sign-on, and they do things like conditional access. But you can now do all of that without having to have any kind of expensive on-premises infrastructure, while still keeping your passwords securely on-premises.

Simon: Well that sounds like a really great idea, but why does it actually matter to be able to do this?

Alex: Well, I mean, the thing you've got to keep in mind is that your identity control plane is a really important capability, right? You want to be able to reach out to the cloud and control all of these different cloud apps and devices, right? And so pass-through authentication gives you a really easy way to do that without having to run a giant ADFS server farm on-premises.

Simon: How have people done this in the past? What has been the traditional way that people have actually had their configuration in place?

Alex: Yeah, well, so traditionally there have been three different options people have used. The first thing they've done is they've just synced their usernames up into the cloud. And then they've had a different username and a different password on-premises and one in the cloud. So you could use the same username but you didn't have the same passwords. Then some people use our password hash sync, which takes a hash of a hash of your password, copies that up to the cloud, and then you can sign in with the same username and password in both. And this is pretty popular, particularly with smaller businesses, right, where they just want something simple and fast. Now if you're a big enterprise you probably use Active Directory Federation Services (ADFS). Now this has the advantage that when someone goes to authenticate with Azure AD, their passwords are back on-premises and you get to use all of the advantages of things like smart cards and third-party MFA providers that ADFS has traditionally integrated with, that weren't available in the cloud.

Simon: When we start thinking about password authentication, what's actually the difference there and how have we put password authentication into practice?

Alex: Well, so the way this works, Simon, is you install a small connector on-premises. That connector can sit on the AD Connect server, it can sit on your AD server. In fact we recommend you put it in a bunch of different places. Now when a user goes to authenticate, they put their username and password in, right, in the same form as Azure AD as normal, and we take it and then we encrypt it and put it onto a queue. And so up in that queue in the cloud it's sitting there waiting for the agent to come check. So the agent calls out and brings down that encrypted username and password.

Simon: And that I presume is actually an outbound configuration. So over HTTPS and probably port 443 to make it secure?

Alex: Yeah, that's right. It's a nice thing because there's no inbound traffic into your firewall, it's all outbound, so that's a good security practice. And then the agent takes the private key that only it knows, it cracks the username and password, plays it against your AD on-premises, figures out what the results are, and then passes those back up to Azure AD in the cloud. Right, and then Azure AD can do all the things that it normally does. For instance, you know, it can let the user know that they're approved, or it can go and force them to do a multi-factor authentication. But you know, all of the value that you get from Azure Active Directory conditional access and identity protection are now available to you using this technique.

Simon: So it sounds like it's actually a far simpler mechanism to put in place than having to deploy, say, Active Directory Federation Services.

Alex: Yeah, it's much, much simpler to get up and running than it is to run a bunch of ADFS servers. I tell you what, should we take a look at a demo?

Simon: Yeah, let's do that.

Alex: So if we can switch over to the machine here. So look, this looks just like your normal, in fact if you're looking at the new login experience for Azure AD, right? So it looks just like a normal one but it is using pass-through authentication. So I'm Abby Spencer at Woodgrove. I go ahead and I click Next. Oh hey, that looks really standard, right? I'm going to put in my password. And there, I'm logged in. It's just like your normal thing. But what happened here is it went all the way back to my on-premises Active Directory, validated my username and password, but it then also adheres to all of the rules that my on-premises directory has. Like when I have to change my passwords, what hours I can log in, and all of those things that maybe you've invested in over time in your on-premises AD can now be used from the cloud without having to have an ADFS server.

Simon: So what was really happening behind the scenes there?

Alex: Well, so in that one, right, what happened was the user, well it was just like we talked about before, right, so the agent went out to the cloud, picked up the encrypted username and password and brought it back on-premises, played it against AD, got back the success criteria and let me log in. Now I don't have MFA turned on so that's ok, right? Now let's go ahead and take a look at the seamless SSO, right? Because that's the other thing that's now GA. So if we go over, I'm going to switch to a different machine. So here you can see, well first let me show you. I'm logged in on this domain-joined machine, right? So the previous one wasn't domain-joined, this one is. I'm logged in as Abby here. And then I'm going to bring up, and just to prove it works, I'm going to do this in Chrome, too. Alright, so here I am in a Chrome browser. I'm just gonna go to the My Apps panel. Now you have to pay attention, this little flash you just saw there, that's Azure AD asking for a Kerberos token from Windows. The Windows client gets the Kerberos token, passes it to Azure AD, and boom! I'm signed in, no username or password at all.

Simon: How does that actually work behind the scenes? What are we doing with that Kerberos authentication?

Alex: Yeah, so this one's particularly cool, right? So what's happening in the Kerberos authentication is when we run Azure AD Connect it creates a machine account in my on-premises directory, right, that represents Azure AD in the cloud. So now when I go to log in to Azure AD, Azure AD asks my PC "hey, give me a kerb ticket," right, and since the PC has visibility of the Active Directory it can get a kerb ticket and pass it to Azure AD. Azure AD trusts the on-premises directory, cracks the token just like it was an app almost, right? Cracks open that token, sees the username and goes ahead and logs me on into the cloud. Right, now that's really cool because I get all the value of my on-premises AD and kerb tickets all done up in the cloud, really easy. And then that kerb ticket is good for 12 hours. So even if I take my laptop and go home, right, I still get that same experience overnight. And then the worst case, let's say the kerb ticket expired, right. Then all I'd have to do is log in again like we were seeing earlier with pass-through authentication. So it really is a really nice simplification. And Seamless SSO like this works with all of our login technologies. It's not just a thing for pass-through authentication. You could use it with password sync and you can use it with all of our other authentication technologies as well.

Simon: That's really cool, and it is just that one agent that's deployed on-premises, or maybe a couple of agents in order to be able to provide a higher availability scenario.

Alex: Yeah, that's right, and those little agents, wherever you put them, they're automatically updating and we load balance across them. Right, so it's a really great way to make sure you have a high availability, low maintenance deployment of Azure Active Directory.

Simon: So can you show us how you actually would configure that inside of Azure Active Directory Connect?

Alex: Yeah, let's take a look. So it's super easy to do, right? So those of you who've set up Azure AD before have probably used Azure AD Connect. So we've just added in some new options. So when you go into the wizard you want to make sure you click on the customize section. And then you can see here we've now added this option for pass-through authentication. And I want to enable single sign-on, right? And that's it, that's the only difference. You know, I entered my passwords and stuff like that, other things happen. But that's all you've got to do to get it set up using AD Connect. And then what we're going to do is go use our Group Policy editor. So in Group Policy I'm going to go ahead, and now there's a trick happening under the covers here, right? Azure AD is asking my PC to give us a Kerb token. And the PC doesn't want to do that unless it thinks that Azure AD is in the intranet zone. So what I'm going to do is I'm going to come in to my policies. And under my Windows Components and in Internet Explorer, I'm going to change my site zones a little bit. So let's go ahead, we're gonna take a look at the change I've made here. I've moved the two key Azure AD endpoints from being on the Internet into the intranet zone by setting this value to one, right. And so now the PC and the browser will do what Azure AD wants. It'll give us a kerb token so we can do that validation, because you know you've kind of tricked the PC into what zone you're in. Right, but that's all you've got to do. You push this out using Group Policy and hey, you're all set.

Simon: So really it's just a couple of Azure Active Directory settings inside of Azure AD Connect and a couple of settings inside of Group Policy, and then that's going to work for all of your, I guess, Windows 10 machines, but Windows 7 and Windows 8 machines as well?

Alex: Yeah, it even works for a Mac.

Simon: Wow, what about other browsers?

Alex: Yeah, so in fact I was showing you it works in Chrome. It works in Internet Explorer and it'll be working in Edge really soon. All of these things, right, it's just we're just using the same standards that Windows has always had. So you can use it back to a lot of old versions.

Simon: Super nice, and it's just using the power of Kerberos. When can folks actually get hold of Azure Active Directory Connect with all of these capabilities in it, and whereabouts can they learn more about what they need to do?

Alex: Well, the easiest thing to do is to go into the portal. In fact, why don't I show you in the portal where you can get ahold of all this stuff. So I'm here and I'm going to go to the Azure portal. I'm going to show you a couple of cool things. First, when you've got your agents on-premises, you can monitor them here from your console. So let's go ahead and look at Azure AD Connect. And you can see here I've got Federation turned off, I've got seamless single sign-on turned on, and then I've got pass-through authentication enabled. And then when I click into this I can see all of the connectors I have. I can see where they are, what IP address they're coming from and what their status is. So if I'm having trouble with the connector, I can tell which one might not be working correctly. But like I was saying, this is really nice because you're monitoring these all from the cloud, they all get updated automatically from the cloud, there's no extra overhead for you to take on to run this. And then this is the same place where you can come up here if you want to download additional connectors. So let's say you want to install them on additional AD DS's, or some other set of servers for your HA, you just get all of this right here. Alright, so essentially you've got two things: you want to get Azure AD Connect and you want to run the Group Policy tool. Those are the two, and if you want to do high availability just come here and get the MSI.

Simon: That's really cool, and obviously you kind of mentioned it really quickly that your on-premises controls are being enforced as well, so if you've got password lockout policies and those kind of things, those are actually still going to be used. And I guess you're also going to get some additional protections maybe from Azure Active Directory?

Alex: It's almost like the best of both worlds. So I'm going to get all of the value I've built up in AD over time. Like you were saying, lockout policies, and times I can log in, and password policies and things like that. But I'm also going to get the value of Azure AD in the cloud. So for instance I'm going to get DDoS protection. I don't have to worry about how do I protect my ADFS servers anymore. I'm going to get lockout protection from the cloud, I'm going to get all of the things that we do with Azure Identity Protection that, you know, protect certain IP addresses and make sure that you don't get hit by the hackers. All that value, you now can essentially think of the Microsoft cloud protecting your on-premises AD while allowing people to seamlessly authenticate.

Simon: That's fantastic. And all of that authentication still happening on-premises, like a lot of people want for their regulatory requirements.

Alex: That's right. If you have regulatory requirements or a really, really stiff CSO (Chief Security Officer) or CISO (Chief Information Security Officer), you can meet all those requirements.

Simon: That's fantastic. Alex, thank you very much for joining us on the Microsoft Mechanics Live stage. Did you guys like that? Do you think it was useful? Seems like maybe this might be a little bit of a hit product here. Obviously the big news is that this has all gone to general availability this week.

Alex: Yes, that's right. So you can get hold of it today and you can use it in production.

Simon: Absolutely fantastic. Thank you very much for joining us on the Mechanics stage. And thank you all for watching. Keep watching Microsoft Mechanics on the website as often as you can, so that way you can keep up with the latest in updates. We'll see you next time. Thank you very much.

[Music]