How to choose the right authentication option in Azure Active Directory

Captions
Hi there, my name is Swaroop Krishnamurthy and I'm a program manager on the Azure AD engineering team. Hi there, my name is Martin Coetzer, I'm also a program manager on the Azure AD engineering team. Today we're going to look at choosing the right authentication method for your Azure AD solution, for your organization. So why is choosing the right authentication method so important? First, it is the first decision that you make on your journey to the cloud. When you're trying to deploy apps such as Office 365, cloud applications or even line-of-business applications, you need to decide how your users will actually sign in and access the application. Second, it is the foundation of your modern IT infrastructure, on top of which you will build your security, identity and access management solution using Azure AD. Third, once you actually choose your authentication method, it is hard to change because it will likely disrupt your users' sign-in experience.

Azure AD supports many authentication options to meet the requirements of all types of organizations. The first option is cloud-only; this is for born-in-the-cloud organizations with no on-premises infrastructure. Here you can establish user identities directly in the cloud and Azure AD handles all of the authentication completely in the cloud. Now, all the other options require an on-premises Active Directory; we call this hybrid identity. The second option is password hash sync. In this case users can actually sign in to cloud-based applications using the same usernames and passwords that they use with their on-premises Active Directory. In addition, password hash sync also provides user and password protection. Seamless single sign-on is a complementary feature; we'll talk about that a little bit later on in this video. Pass-through authentication is the third option. It is very similar to password hash sync, but it's for organizations whose security policies are something that they would like to reuse in the cloud.

The next two options are federated authentication, either using Microsoft's AD FS or a third-party compatible federation provider. In this case Azure AD actually hands off the authentication to a trusted authentication system to handle all of the authentication. Federated authentication is the best fit for organizations which have advanced requirements that are not natively supported in Azure AD. This decision tree will make it easier for you to choose the right authentication method for your organization. You can use it to determine what the best method is by answering a few simple questions. Let's explore a few examples with this decision tree.

Let's take Wing Tip Toys. Wing Tip Toys is an online retailer for toys they manufacture. Today they use a simple email system from their internet provider and they want to use Microsoft Teams to collaborate around new projects. Since they don't have an on-premises footprint, cloud-only is the right option for them. They will create and manage new users and passwords in Azure AD directly. This will allow them to use Microsoft Teams and extend their applications to other Office 365 apps and even other cloud apps that are available.

So next up is Fabrikam. They're a widget manufacturing company and have been making widgets over the last 30 years. There are more than 7000 factory workers who sign in to Active Directory every day to do their jobs. Now Fabrikam has decided to deploy Workday, an HR cloud-based application, to let factory workers handle their payroll online, and also to migrate to Office 365, so that these factory workers can actually receive their work schedules over email. It is important that the Fabrikam factory workers use the same usernames and passwords that they use today with Active Directory also to sign in to Workday and Office 365. It lets them stay productive and also helps Fabrikam keep costs under control.

In addition, Fabrikam doesn't have a large IT department, so they need the simplest solution possible, which actually means the lowest on-prem footprint and also low operating costs. Password hash sync seems to be the right solution for them. Here's how password hash sync works: first you install Azure AD Connect, our provisioning tool, to actually provision users from on-premises Active Directory into Azure AD, and you also enable password hash sync as your sign-in option. Now, on-premises Active Directory never stores passwords in clear text but in hash form. A hash is the value that you get from a one-way mathematical function applied to a clear-text password; there is no method to reverse a hash to get back the clear-text password. Now Azure AD Connect connects to the on-premises Active Directory and reads these password hashes, hashes them a thousand times over and then copies them over to Azure AD, and it does this process every two minutes. Now when the user is actually trying to sign in to Azure AD, they plug in their username and password into Azure AD, we apply the same hash sync algorithm as I described before and then we compare the username and the hashed value and try to match it with the username and the stored hash value in Azure AD; if there is a match, the user is successfully signed in. As you can see, during authentication there is no dependency on the on-premises infrastructure.

Password hash sync also provides a couple of key security benefits. First among them is this report that we call the leaked credential report. The way that works is Microsoft scans the internet, especially the dark web, for username and password lists that have been leaked into the wild. If it finds any matches to your users' accounts, it'll actually alert your administrators through the leaked credential report, or it will automatically block users from signing in, or maybe even allow them to reset their password the next time they actually sign in. This feature is only possible if you use password hash sync. Second, a feature called smart lockout is also applicable here; this actually protects against brute-force password attacks in the cloud and prevents genuine users from being locked out of their applications. Now you should combine password hash sync with this complementary feature called seamless single sign-on. Seamless SSO allows users to automatically sign in to Azure AD if they're on their corporate devices connected to their corporate network. When enabled, they don't need to actually even type in their passwords to get into Azure AD, so it actually makes the user experience a whole lot better. This feature is also set up using Azure AD Connect.

Now some organizations may require an authentication feature not currently supported by Azure AD, for example signing in with smart card authentication or using an on-premises MFA server. In this case organizations may choose to use federation. Keep in mind that Azure AD moves pretty quickly and we add features all the time, so make sure to check the latest documentation before you make your decision.

My next example is Woodgrove Bank. Woodgrove Bank is a trusted financial institution that has strong regulatory requirements. They require strong password policies for their bank tellers and they also require that they don't log on after hours. They're planning to move to Office 365, use some cloud applications and even some on-premises applications, and make them available to tellers and corporate employees. Clearly Woodgrove Bank cannot use password hash sync, because their password policies are different from Azure AD's default policy and they require support for user logon hours, which are not supported by Azure AD natively. Going with federation could help solve these requirements, but it could lead to higher operational cost in terms of managing server certificates and network configuration.

Woodgrove Bank should actually use the modern cloud-first approach of pass-through authentication. Let me explain how pass-through authentication actually works. Pass-through authentication is also set up using Azure AD Connect, just like password hash sync, but instead of synchronizing password hashes to Azure AD, you start by installing two or more authentication agents on-premises; you need two or more for high availability. These agents actually make persistent outbound connections to Azure AD and listen for authentication requests. So when a user signs in to Azure AD and they plug in their username and password, Azure AD actually encrypts the password using a public key, and the username and encrypted password are placed on a queue in the cloud. One of the agents that has been deployed on-prem actually pulls down this username and encrypted password, decrypts the password field using its private key and tests the username and password against on-premises Active Directory. Now the result of this authentication, whether successful, failed, password expired or user locked out, is relayed back to Azure AD via the agent. If this authentication is successful, then the user can actually access the application. Now pass-through authentication also supports smart lockout but doesn't provide password protection, which is the leaked credential report that I just talked about before. Pass-through authentication should also be combined with seamless SSO for the best possible user experience. Now pass-through authentication is the right option for Woodgrove Bank only if they don't need one of the advanced features listed here.

Federation is recommended as an authentication method for organizations that need advanced features not currently supported in Azure AD, including a multi-site, low-latency authentication infrastructure. Federation requires a bit more setup. First you will need two servers in your internal network to accept authentication requests; more than one server is required for high availability. Next you will need two or more servers in your perimeter network to accept requests from the internet and then relay those authentication requests to your internal AD FS servers. When a user signs in to Azure AD, Azure AD will hand off this authentication request to the trusted federation system that you have configured. This basic topology supports other scenarios such as on-premises MFA servers or smart card authentication. Federated authentication is not just Microsoft AD FS but also compatible trusted third-party providers.

To conclude this video, we want you to consider our top recommendation: always enable password hash sync. If you use password hash sync and use that for sign-in, you don't need to worry about high availability; it will be on us. If anything goes wrong with your on-premises service, your authentication will continue to work. But if you choose pass-through authentication or federation, you can still use password hash sync, because you can then use that as a backup authentication method. For example, if your on-premises service goes down, you can manually fail over to password hash sync and still allow your users to sign in to cloud apps. In addition, password hash sync also gives you identity protection through the leaked credential report. This ends our video on choosing the right authentication method for Azure AD in your organization. To learn more, please use these resources on the web. Thank you.
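The password hash sync flow the presenters describe (on-prem hash read by Azure AD Connect, re-hashed with a per-user salt before it is copied to the cloud, verified in the cloud with no call back to on-prem), as an added illustration that is not Microsoft's or the video's own code. It assumes a constructed sample directory, a stand-in `nt_hash()` in place of the real on-prem hash, and the 1000-iteration PBKDF2 and 10-byte salt used here are demo assumptions, not a statement of Azure AD's exact parameters.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1000  # the repeated re-hashing the video describes (assumed count)
SALT_BYTES = 10           # per-user salt length (assumed for this demo)


def nt_hash(password: str) -> bytes:
    """Stand-in for the hash on-prem AD stores instead of the clear-text password.
    Real AD stores an MD4 hash of the UTF-16LE password; this demo substitutes
    a truncated SHA-256 so it runs without the legacy MD4 provider."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def on_prem_directory(accounts: dict) -> dict:
    """What Azure AD Connect can read from AD: username -> hash, never clear text."""
    return {user: nt_hash(pw) for user, pw in accounts.items()}


def protect(on_prem_hash: bytes, salt: bytes) -> bytes:
    """Second, salted, iterated hashing applied before the value is copied to the
    cloud, so the cloud copy is not the same value on-prem AD accepts."""
    return hashlib.pbkdf2_hmac("sha256", on_prem_hash, salt, PBKDF2_ITERATIONS, 32)


def sync(directory: dict) -> dict:
    """One Azure AD Connect sync cycle: every on-prem hash is re-hashed with a
    fresh per-user salt, and only (salt, protected hash) reaches the cloud store."""
    cloud_store = {}
    for user, on_prem_hash in directory.items():
        salt = os.urandom(SALT_BYTES)
        cloud_store[user] = (salt, protect(on_prem_hash, salt))
    return cloud_store


def cloud_sign_in(cloud_store: dict, user: str, password: str) -> bool:
    """Cloud-side verification with no dependency on on-prem: derive the same
    value from the typed password and compare in constant time."""
    entry = cloud_store.get(user)
    if entry is None:
        return False
    salt, stored = entry
    candidate = protect(nt_hash(password), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # constructed sample account, not real credentials
    store = sync(on_prem_directory({"alice@fabrikam.example": "CorrectHorse!1"}))
    print(cloud_sign_in(store, "alice@fabrikam.example", "CorrectHorse!1"))  # True
    print(cloud_sign_in(store, "alice@fabrikam.example", "wrong"))           # False
```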
Info
Channel: Microsoft Azure
Views: 40,814
Keywords: Azure Active Directory, Azure AD, Microsoft Azure, identity, authentication, admin, security, cloud, active directory
Id: YtW2cmVqSEw
Length: 13min 15sec (795 seconds)
Published: Thu Jun 07 2018