The Line Between AD and Azure AD!

Captions
Hey everyone, in this video I actually want to talk about the line between Active Directory and Azure Active Directory. I had the opportunity to speak at the Azure live event yesterday, where I did a PowerPoint version of this talk, and then I thought it would be fun to just do a whiteboard version. Some people had asked, hey, what about a whiteboard? Maybe people missed the event. So my goal today is to really talk about what's the difference between AD and Azure AD. Is Azure AD just AD in Azure, or is it something completely different? Spoiler: it's something completely different. So I'm going to go through what those differences are and how they really work together. As always, if this is useful, a like, subscribe, comment and share is appreciated. Make sure you hit that bell so you get notifications when I release new videos.

So let's start from the beginning. I think about Active Directory. Active Directory was introduced with Windows 2000, so it's now 21 years old; you can go and buy a drink in America. It really introduced this concept of a true directory service. So we had Active Directory Domain Services, and it was built on X.500, so we had this structured approach to it, and I could interact with LDAP. It spoke protocols that at that time enabled this new way of working. We had, for example, things like Kerberos, we still had things like NTLM, and we could interact with the directory using things like LDAP.

Now for this to function, the way this really worked is we had a machine, a server, whatever that might be, and essentially that machine would join the domain. What joining the domain meant is there was now a computer record in the Active Directory for that machine, and they shared a secret. Now that secret was important to support things like Kerberos. It enabled the domain controllers, which really personified the Active Directory service, to create tokens they could give to a client that the client couldn't really understand but could present to the server, and the server would know, oh okay, this came from the Active Directory.

Now all of this, you could think about, was on an intranet. These were all on this safe, secure island of networking, and so I had lots of ports; I could really talk about anything I wanted, so there were lots of ports open, I wasn't really restricted. It used DNS to actually go and find the things, and there was no real limitation to how I could talk.

So if we quickly jump over and look at an old Active Directory (I say old, I'm obviously still using this), here this is my AD and you can see we have a structure. If I look for example over here at, let's say, the Justice League, you can see that's an organizational unit which has child organizational units. Now these are super powerful because I can do things like delegation: I could give someone certain permissions just on the objects in there, I could apply Group Policy configurations at those levels, and I could use it just for general organization. So we had this very powerful set of capabilities, and of course it had the idea of locations: I could define sites in Active Directory that were based around IP subnets and how they were connected, to really optimize the whole experience. But the key part was we had these computer records in the Active Directory that represented the various objects that joined the AD, and they were a cornerstone of a lot of the security, the authentication, that we leveraged. So this was all super important to the way Active Directory actually worked.

And this was fine, because everything AD was doing was on our secure little intranet. Yes, there was the internet over here, but really when they started out, the internet, sure, was email, so I'd have an MX record and I would get things there; there were newsgroups; but really I'm just looking at cartoons on the internet. There was nothing serious on that internet; we really just didn't care about it. So we were very happy on our little island where I joined the domain, and I said servers, but this could be desktops as well, and we had these protocols so I could interact using this central identity structure. My account, I had an account in my AD that I could then use, because everything trusted this in-house identity provider. So all was well in the world.

Well then things started to shift a little bit. The internet started to do more than just have newsgroups and cartoons. So now we had the idea that, okay, out here over the internet we had some kind of cloud application that I as a company wanted to use. Now it's very limited how I could do that, and what initially happened is, for the users that wanted to use those cloud applications, well, they'd have to create a separate account out there, and that was really bad for everyone. Now remember this is over the internet, so over the internet I'm not opening up a broad range of services; I'm really talking 443. I have that encrypted HTTPS, TLS, so a lot of these things wouldn't work anyway because they use different ports; there's a whole set of things. So I'm accessing these web-based services, I'd have to create a separate account, and if it was just one service it's kind of a pain, but as this grew more and more popular it's an issue. It's bad for me as the user because now I'm using 10 cloud apps, I have 10 different credentials, I'm never going to remember that, so I don't do 10 different credentials, I do one, and I use the same password and username 10 times. What if one of those is compromised? I've now compromised everything, including probably my corporate credentials; they use the same password. So that's bad for me trying to remember 10.

It's bad for my company because now I'm exposed if my users are using the same credential. That's bad for me. And if the user leaves my company, I can disable this account; if I have 10 separate accounts, how do I quickly get rid of those to stop them having access? I can't. And it's bad for the cloud app, because they're now having to maintain those identities and have services to allow them, for example, to reset passwords when they ultimately forget them. So it was bad for everyone; no one liked this scheme.

And so the goal was, okay, I don't want this. I do not want a separate identity at the cloud apps; I want to be able to use my home identity, my home realm, with those. And so what was born was the idea of federation. So now I could have a service running on-prem, and this was some kind of federation service. This could be ADFS, it could be something else. Now the whole point of this federation: it was tied into my local identity provider, and now what happens is, when I as a user want to actually access that cloud app, well, that federation has been established between the cloud app and my federation service. That's all out of band, i.e. they don't have a live connection. Out of band, I have established all of the various configurations around that federation, so that is, for example, what certificate they're going to use that would be trusted, what claims and the format that's going to be in these token things they're going to use. So I have to maintain that. But when that's established, now what happens is I as the user basically say, hey, I want to use this service. It says, I don't know who you are, I need a token. It might do a home realm discovery and bounce my web browser back. I would now go and talk to my federation service and say, hey, I'm trying to talk to this thing, I need a token. It would do an authentication to me. Now I would probably use Kerberos; I'm already sitting on my local network, I already have a token that I can use to authenticate, so it's completely seamless to me; I just see my web browser bouncing around. It would then generate this nice little token for me. This is a SAML token, so this is using SAML. It would give me that token, and then I would redirect back again to the service, passing it my token, and I'm authenticated. It would be able to trust it because it's been signed by that certificate they agreed to out of band, and I've got claims in it about me that it would use to say, okay, so what can they really do?

So this solved the challenge: now I don't have a separate identity, I'm using my home realm, my identity. It's good for me as the user, I have one account. It's good for my company because I have one account; I'm not creating passwords all over the place, and if I disable their account, that's the same account being used everywhere. And these people no longer have to worry about maintaining a list of identities.

Now there were some pain points with this. Obviously we have to maintain the idea of these certificates; we have to rotate them periodically. I have to maintain what we are putting in the claims; I have to go and do that configuration. And also this federation thing I drew here as this box, there's a bunch of stuff to that. I can think about, well, it has to be public facing for one thing, so it's facing the internet on that 443. I then have a bunch of proxies at the front end to receive the initial requests coming in, and then I'll actually have the federation farm behind it to actually create the token. So there's an amount of work I have to do to secure that and maintain it. So it's all work, but it does the job, it gets me there, it gets me out of the business of my users having this whole bunch of different tokens. There's a fair amount of work to that thing, and if we think about more and more use of cloud applications, this starts to become a challenge: this idea of maintaining all of these, securing that, making it highly available, and also thinking about, well, my users, they're less and less now on my network. Do I want them to have to VPN in? It becomes painful and a bit more in their face and a bit more work.

Also we start to see this shift, so this idea of authentication starts to change more to the idea of consent. You've probably seen this, for example, if I'm using an application and I'm trying to use my Facebook credential: the app asks, hey, can I access your pictures or your contacts, and you say yes. So that's you consenting that that application, that client app, is allowed now to go and get a token acting on your behalf. You are the resource owner of a set of resources on a resource server, for example Facebook, and I'm now saying, hey, this client app is allowed to work on my behalf within the scope you're saying yes to. And that's now becoming far more common as a way to actually do that authorization of something working on my behalf. So that whole shift of modern authentication, that OAuth 2, that OpenID Connect you're going to hear more and more about, I can't do that with those things. So this is a new set of challenges that we really want to solve.

So how do we solve this? As you would expect, enter Azure Active Directory. So now we introduce this concept of Azure AD, and I'm just going to say right off the bat: Azure AD is not AD in Azure. The name would make you think that; it is not at all. There are no domain controllers sitting up here. It is a cloud-based identity provider. It speaks cloud, and that's the key thing. So when I think about speaking cloud, well, sure, it speaks things like SAML, it speaks things like WS-Fed, but more useful in a lot of ways, it speaks things like OAuth 2. It speaks OpenID Connect. So OAuth 2 is more about authorization, that hey, you can do this on my behalf; OpenID Connect is more about that authentication, showing who I am. It's actually built on OAuth 2, but this is actually what Azure AD is designed to speak. It also speaks things like SCIM. So SCIM is the System for Cross-domain Identity Management, and I can think about, hey, I'm accessing some cloud app and maybe, yes, it can use my identity, but it still has some objects; maybe it's some kind of user object, maybe it's some kind of group that I have to add things to. So SCIM is an open standard that has these /Users, /Groups endpoints, and I can now on that other cloud app go and do various types of actions on it. It's REST, it's standard verbs that I'm using: create, update, delete. So I can now automate; maybe I need to do some provisioning on that site, so it's going to let me do that. So Azure AD speaks those things.

Now what's important to note here is Azure AD does not speak Kerberos, it does not speak NTLM, it does not speak LDAP. It is not those things; that's what AD speaks. Azure AD does not speak that, and that's really a key, important thing to realize.

Now if I think about, hey, okay, so I'm going to write an application. When I'm writing my application, I'm using these modern protocols and everything else. There's this Microsoft Authentication Library, MSAL. It actually replaces the Azure AD Authentication Library, ADAL. And if I think about this modern authentication, you'll hear about tokens: you'll hear about an access token, which is a very short-lived token, 60 minutes by default, that's going to access a particular resource, and then refresh tokens, this long-lived rolling 90-day window. It sounds like a lot of work, so with things like MSAL it does all the work for me. My app can make one call and it takes care of, hey, is my access token still good, do I need to go and get a new token? It does everything for me. So MSAL does all of the work around that authentication, does all the work around the tokens that I want to do. So this is a standard way of interacting with Azure AD. I can use things like the Microsoft Graph to go and do interactions like management, finding out information.

But if I think about maybe the biggest thing of Azure AD: remember I talked about how I have to create this federation, I have to agree these certificates, what the claims are, I have to create those things. And in a modern company I might be using 30, 40, a huge range of different cloud applications out there. So one of the things that Azure AD actually has is this huge library built in of these federations, just out of the box. I can say, hey, I need a federation to X, and it's probably there already. There's a huge number of built-in federations just inbox. I can actually add custom ones as well, so if maybe there isn't one for what I need, I can go and say, well, I want to add one based on SAML, or password credential stuffing, or just add it to My Apps. I can write my own applications here, so I can add my own organizational apps very easily. I can even have applications that are on-premises that I want to publish up through Azure AD and pre-authenticate with Azure AD using things like Azure AD App Proxy. So it's this phenomenal set of capabilities.

So if we just quickly jump over, let's look at my Azure AD. I can see this Enterprise Applications. Now I have some I've already pre-configured over here, but I can say, hey, add a new application, and there are literally thousands built in now. We can see there's cloud platforms, so AWS and Google Cloud and Oracle, SAP can just integrate with Azure AD. There are featured ones. Now I want you to notice these icons: it has these little icons to say, well, is it federated SSO, so things like SAML, OAuth, OpenID Connect? Does it support provisioning, i.e. SCIM? We can actually go and create the objects on the other side, and we can see those little icons here on what elements it actually supports. So for example I could say, okay, let's look at Dropbox. For Dropbox we can see, okay, this is using SAML-based sign-on, we can do password-based, and it does support automatic provisioning, so it has that SCIM support. If I was to go and look at, say, maybe Exchange Online, well, we can see it's actually using OpenID Connect-based sign-on, some of those newer protocols, and it's not doing automatic provisioning, but that's because that object is just natively in Azure AD; it's using Azure AD as its identity provider, so there isn't additional provisioning actually required. But then there's just a whole bunch, I mean there's literally thousands in this thing.

Even if it doesn't normally support something like a federation, so Twitter doesn't support anything, it can still cache passwords, so it does credential stuffing. What that would mean is that maybe I have a corporate Twitter account. I as the administrator can actually say, hey, I'm going to create this Twitter app and I'm going to put in the corporate password and username for Twitter, then I can assign it to users. They don't ever know that password; if they leave, they lose it. Or I could say, hey, on first use let the user enter their own credential, and it will automatically populate it in the future. So there are different ways of leveraging that. I can add my own applications, so if it's not in the gallery of thousands (and pretty much every app is in there), I can create my own. I could say, hey, I'm actually going to create my own application I'm developing. I might say, hey, I want to publish an on-prem app using that App Proxy, and it can do pre-authentication. Or, hey, it's another app you don't have in there, but I need to create it there, and I could say, hey, I want to create, and then it will give me the choice of, well, okay, so what sort of app is it? Is it just a link in the My Apps or the Office 365 app portal? Is it doing some kind of credential stuffing? Or is it maybe actually using SAML? And if it was SAML I could then go in and actually specify, okay, well, these are the claims I want to populate, here we go, okay, well, here's the signing certificate. I can go and set up all of those things very simply. So I can still do my own custom ones if I actually need to. So we have all of that goodness just built in.

So when I think about, hey, Azure AD, it speaks cloud and it has this massive number of federations just built in for me, so it makes my life so much simpler. It does a lot more than that; I mean this is probably one of the most attractive features, all these federations that I can just start using for the cloud, and I can grant it to users based on group memberships, I can set different roles. But obviously it does a lot more things than just that one. One of the biggest things we see around Azure AD is this idea of conditional access. What conditional access does is it adds this barrier, this protection, around the Azure AD, so when I try and access something, it gets really tested against these conditional access policies. So I can essentially say, hey, I have a different set of assignment conditions for when this policy should be used, and then what are the various controls I'm going to use around it. Now this integrates with things like Azure AD MFA, for example, so I might say, hey, this is a sensitive application, I'm detecting some heightened risk, I want you to do a stronger authentication if you haven't already.

So if we jump over again and look at this: here, if I go and jump over and I look at my Security, firstly there are things like Identity Protection; there's a whole set of other capabilities. It helps me with identity score, helping me with what I should focus on. Now the conditional access: I can create things like a terms of use, a PDF document that I can make them agree to before they access maybe anything or maybe particular applications. I have a very simple one over here, which is not saying you would ever use in any real way; it's just a Homer Simpson version of me saying, uh, behave, but I can link that to my various policies. I can define locations based on IP ranges, based on geographical countries, states for example. Then I create these policies, and a policy is really nothing more than, and I say nothing more than, I can assign it based on all users and particular users, particular groups, based on particular roles, if they are a guest user. I can then exclude users, directory roles, etc. I can target all apps, I can target a particular app. So here under my Select I can search for all the different apps that exist. Now these applications are ones that I have added to my Azure AD as an enterprise application, so remember this could be any of those applications: it could be the ones that are inbox that I've added to my Azure AD tenant, it might be a custom application I've defined via SAML or credential stuffing, it could be one that I have developed that I'm linking against my Azure AD, or it could be one that I'm publishing using Azure AD App Proxy. All of those are going to show up. So here I can see all of the applications that I have. So to this point, if I search for "sav", I can see, hey, I've got some of my own apps I've developed. I'll also see ones from, let's see if I've got Office over here, I can see Office ones like Exchange and SharePoint. I would also be able to see custom ones; I could see things like Twitter. So I can assign policy to really anything I want, and I can even now do it to things like user actions. So if they're going to register security information, maybe they're registering MFA, that security information, I might have a policy that maybe says, hey, they have to be in a named location like on-premises, so I can increase some security around that initial security information population. So I can target apps, and then I have this huge range of conditions.

So it can integrate with things like Azure AD Identity Protection, a P2 feature that can establish user risk, session risk based on machine learning. Is it some kind of anomalous behavior? They're from a location they don't normally work from, they're working at a time they don't normally work, hey, we've detected malicious traffic from that same IP, or that IP's trying to authenticate against 10 different tenants. This huge range of different checks across the entire spectrum of what the Microsoft identity services cover. And then I could say, hey, I've detected this heightened risk for this sign-in, maybe then I want an MFA. We don't want MFA all the time, but hey, I've detected some risk, let's make them MFA. I can target particular platforms (obviously if it's Windows Phone we're probably going to reject that anyway), I could target locations, particular apps, device state; I have all these capabilities. Then I can control: hey, I want to block access, or I want to grant access but make them do an MFA, make the device be marked as compliant according to things like Intune, it has to be hybrid joined so it's in AD and Azure AD, an approved client app, I want them to change the password, I want them to accept one of my terms of use; it has to be one of them or all of them. I even have things like session controls: I can change that sign-in frequency, so instead of having that rolling 90-day window, I don't want that, I'm actually going to force them to basically whatever I configure here of this number of days; I'm going to change that. Or does it have to be days? I could do hours as well. I can fill in things like persistent browser session automatically instead of asking them, hey, do you want to do that. But essentially it's this massive amount of controls at a per-user, per-group, per-app level, and that's so important, because if I think about, hey, I've got this token, I still have maybe different degrees of what I need to access all of these applications.

So conditional access is one of the biggest features of Azure AD, I think. This federation broker built in is phenomenal, but then having this granularity of control about what I need to be met to access that, it is super important. There are other things: it has things like PIM, Privileged Identity Management. So PIM lets me do just in time; PIM is really this JIT, so I can elevate up to an Azure role and Azure AD role when I need it. There are things like Identity Protection that's helping me detect the risk, helping me detect leaked credentials, looking for impossible travel; it's doing those things. Things like access reviews. So it has all of these various capabilities to it.

Additionally, well, this is great when I think about my users: say, hey, I have an account, and through means we'll talk about in a second I have an account up in Azure AD as well. But if we think about it as a company, well, I probably have other things that I work with. I probably have partners, I have people that I as a company collaborate with. Now they have their own accounts already. Now that could be an Azure AD account, it could be a Microsoft account, it could be a Gmail account, it could be some kind of direct SAML or federation, it could even be a Facebook (that's a newer feature), or if it's none of those, I can use a one-time passcode: they'll get emailed a passcode every time they try and access my tenant. And those can be added as known objects through this B2B capability that's part of External Identities. Then I can give them access to services; I can give them access to my cloud applications, be it things I've added, be it things I've developed, SharePoint Online. They actually get little stub objects in my Azure AD; I see them. And then we have a different type: then I have customers. Now a customer I don't want in my Azure AD; it would clog it up, and also customers, they want to use my app, but they may want to just create a local account or some kind of social identity, and there's a whole set of those.

So the solution here is we have a different instance of Azure AD, but this one is a special type called B2C, and that's really the whole point. This is B2C, business to consumer. It's a different Azure AD tenant, it's a particular type, it lets me customize every pixel of the user interface, I can even customize the URL now that they see when they authenticate, and it supports a wider range of social identities today. So I can support those things.

And let's have a quick look at this. So if I jump back over, firstly let's look at the B2B side. If I go and look at my users in my tenant, remember these are people I'm collaborating with, B2B, my partners. Here I can see, hey, look, I've got some people like Yahoo, well, that's using mail, that's a one-time passcode. I have some people that are using a Facebook account. If I keep scrolling down, I have some that are using a Google, and I think if I keep going I've got some that are actually using a text one-time passcode, just via text messages. So I have all of these different types of ways to support my partners that I want to collaborate with; then I can add them to groups and give them access to applications. And then completely separately, hey, I have an application that's customer facing, so I have an Azure AD B2C instance, and here we can see it will support a completely different set of identity providers. Yes, I can create a local account: they don't want to use one of their existing social identities, they want to create a local account in the Azure AD B2C, and I can configure a very custom flow for that. Or they can use this huge range of social identities that they really want to just bring with them, to then leverage with this. So we have this massive set of capabilities that they can actually use. So this is how we think about, hey, I have this ability with Azure AD to support all of these different types of things.

So hopefully by now it's obvious: Azure AD is definitely not AD in Azure. It's a cloud-based identity provider that speaks cloud protocols, has a massive number of federations to different apps, makes it easy for me and my company to integrate with other cloud services, has fantastic features about controlling the access, securing that, MFA, passwordless I can do, and it supports integration with my partners, even customers if need be, which in the AD world was kind of hard to do; I'd normally end up creating my partners an account, which again sucked for everyone. So Azure AD is definitely not AD in Azure. We know it's not that; again, there's no Kerberos or NTLM or LDAP or any of that stuff.

Now the reality is what you're going to do is you're going to have a hybrid solution, because it's really not a case of, okay, I have Azure AD, can I get rid of AD? Probably not. I have servers, for example, and those servers, they still speak Kerberos, they still need Active Directory, they're on-prem; I still need my Active Directory. But now as a company I'm starting to use more cloud applications as part of my day-to-day business. Well, I don't want to do this federation thing; there's limits to this. Maybe they speak OAuth 2 and OpenID Connect; I want to use Azure AD for that. But also because it's now cloud-based, I want some of those better controls around the security that conditional access gives me, things like Identity Protection gives me to detect the risk. I want to integrate the MFA for that single identity. So I'm going to use both. Now what I don't want is two separate credentials. So what actually is happening here is we use things like Azure AD Connect (there's also a cloud sync version, where the engine actually runs in Azure AD), but it's synchronizing those objects. So there's a separate object in Azure AD, but it's synchronized from my Active Directory. If I was to go and look at my Azure AD and I looked at my users, we'll see for most of mine, if I look at Directory synced, it's going to say yes, these were synced from Active Directory.

Now I still want a seamless experience for my end user, so that's where we have things like Azure AD Connect, and also now we have Azure AD Cloud Sync, and I'm actually using both of those. I'm using Azure AD Cloud Sync for a particular organizational unit just so I can test it, but essentially I'm replicating my objects from AD to Azure AD. Now on its own that would not be a particularly pleasant option, so then what we do is we add things like Seamless Single Sign-On. What that does is, hey, I'm on a machine and that has communications to my domain controllers; when I try and access something in Azure AD, I'm just seamlessly authenticated, magic behind the scenes. And I kind of lied to you: I said Azure AD does not speak Kerberos. It does in one instance. So the way the Seamless SSO works is Azure AD actually has a computer object in the AD, and it can consume a token that is generated when I try and talk to Azure AD. And we can even see it. So when you set up Seamless SSO, what it actually does behind the scenes is, notice this AZUREADSSOACC computer account that is representing Azure AD in my AD. So when I try and speak to Azure AD, it pretends it's a computer and says, hey, I need a token, my name is AZUREADSSOACC. So my client goes to Active Directory and says, hey, I need a token for this, and it actually presents that to Azure AD, and for that one instance Azure AD actually speaks Kerberos: it will take that token and then give me my access token, my refresh token, so I can carry on doing that good stuff. So I can fully integrate; again, I'm using them together. I think about it: it's not one or the other, I'm probably going to use both of them. Ideally when I talk to Azure AD I want to use cloud authentication, so I'm sending the hash of the hash to Azure AD. We really try and move away from federation; it doesn't really buy you anything. Even if you think, I have policies in federation, that's fantastic, but they're only used for the first auth; after that it has a refresh token, and all of the checks are done through conditional access. Pass-through authentication is a light agent that will use the on-prem domain controllers to actually talk, so I can do that if I really need to, but the native cloud authentication is the better option.

Now I did say, hey, hybrid. Now what about user machines? One of the things we do start to see is user machines more and more now maybe not sitting in the corporate network. I have this user machine; maybe it's at home, maybe it's traveling. So one of the things I can actually do is there's the concept of Azure AD join. So now instead of joining Active Directory, it's joining Azure AD. I can now authenticate directly with my Azure AD credential, but obviously now I'm not getting Group Policy, I'm probably not using things like Configuration Manager to do patches. So there are other cloud services, things like for example Intune. Intune will now actually manage the machine, Intune will do things like policy, Intune will do things like app deployment. For my patching, hey, I can go and talk to things like Microsoft Update, so I can go and get my patches from there. So we have this whole idea of modern management: Azure AD joined, Intune managed, getting updates from Microsoft Update, etc., instead of Group Policy and those types of things. So for most of us we're going to live in this hybrid world; that's really where everything is going.

Now I said Azure AD is not AD. It's not at all; it's a flat structure. There are things like administrative units; they let me delegate management, certain roles, to a certain subset of users and groups, but there's still no hierarchy, it's still this very flat structure. So you're going to use both. I'm going to carry on using AD where I need Kerberos and NTLM and LDAP; I'm going to use Azure AD for my cloud services, maybe more for my desktops. I'm going to start to move those from AD joined to Azure AD joined. When I'm doing my move, I can have my client machines registered to Azure AD, so it's this hybrid join mode, and I can still start to get the benefits of Azure AD, that management via Intune. But one of the things you're probably going to want to start to do is, hey, you might have a whole bunch of apps currently federated with your on-prem federation services. So many companies will actually start to migrate those federations. I don't want to maintain this federation infrastructure; I want to start migrating those app federations up to the Azure AD native capability. Now I don't actually have it on my system, but if you did have ADFS, there's actually an Azure AD Connect Health for federation services. I don't; I see it's disabled when you look; I'm not using federation. But if you were using it, then what I could actually do is, if I went to my Enterprise Applications, and under here, if I'm remembering correctly, Usage and Insights, it says this ADFS application activity. I can download and install this and it will actually go and look at what's talking to ADFS and work out what would be required to actually move that to the native Azure AD set of capabilities.

Now also there are things in Azure AD to help with my Active Directory. For example, I can think about Identity Protection: it will go and look for leaked credentials. Okay, that's great, but also there are things around, hey, if I was to go and look for example at my Security, my Authentication Methods, there are things like Password Protection: stop using common passwords. I can add custom words that I don't want to be used in my passwords, or any kind of modified version, using a zero instead of the O, etc. Well, notice here I can actually use these same protections on my on-prem Active Directory. I can actually light that up. Again, there's a component that runs on-prem that will help actually give me those same kind
of now protections for my on-prem domain controllers there's things like microsoft defender for identity again my on-prem domain controllers will now have an agent that sends telemetry to this this service that used to be called azure atp advanced threat protection which was a cloud version of advanced threat analytics was an on-prem version but it will look for signs of attack on my domain controllers pass the hash golden ticket dns kind of scavenging it will find those things and tell me so the cloud can actually help with the overall protection of my active directory so hopefully that kind of makes sense azure id is not id and azure most of the time you're going to use them together however what if i'm in azure and i have some service let's say it's a virtual machine so it's sitting in a virtual network and it wants to speak kerberos it wants ntlm it wants ldap well then i need ad in azure and azure id is not that so what member i have is currently sitting on my on-premises network i have my ad which is personified by domain controllers so we have two kind of options here option one or i i have some network connection between them and what i could do is as a virtual network i can do kind of a custom dns configuration so don't use azure dns so i have this custom dns that basically resolves to the ip address of my domain controllers what is ad ads dns resolution and then ip connectivity to the dc's or i have a site-to-site vpn for example or it could be express route so i have that link between this ip space of the v-net and this type space of on-prem so they have ip connectivity and now when they go and look up and underscore ldap to underscore tcp.savotec.net it will resolve and that will work i can now use kerbos and ntlm and ldap from these services or i can build on that and say actually i'm going to deploy some dc's actually in azure once again these are virtual machines so now my custom dns would point to those dc's and once again i've got kerberos and ntlm 
and ldap in azure i'm maintaining those those dc's they could be in the same v-net they could be in a different v-net i might have kind of some shared services kind of v-neck with the dc's and then i could use something like peering so again they still have ip connectivity and once again i would point the custom dns now at the dc's over there so i'm bringing my existing id into my virtual network so i kind of think about that as option one so that's extending your existing ad into azure when i have ad and azure id ad is always the source of truth the flow is that way the objects go from a d to azure ad it basically never flows from azure id to ad there's a few things if i change a password or certain machine properties but it's super limited even if i use like a hr link to azure ad in its provisioning service it still doesn't create the objects in azure id that hr system talks to the azure id provisioning service which talks to a special component of azure ad connect that creates the object in aed then it replicates up to azure id so it's always that way well there's an option now imagine i have that v-net in azure and i i don't have an ad maybe or i can't extend it i don't want to and remember we have that azure ad sitting over here again maybe it's objects replicated maybe there is an id and i just can't extend it so it is replicating or i can just create native cloud accounts but now i've got some workload once again running here that needs kerberos that needs ntlm that needs ldap what do i do so there is one scenario i kind of have a managed subnet azure ad can actually flow in and it basically creates these managed domain controllers you cannot access them you are not an enterprise admin on them i can do group policy um but this is managed so this is azure ad domain services so it is actually creating domain controllers and it is actually flowing that way this is the only time objects can flow that way it's only to his own managed azure ad domain services then 
the v-net for the member that dns would point to these so now the vms hey i can talk kerberos and ntlm and ldap to those domain controllers that are replicating the objects from azure ad to there and that's that's kind of option two now one of the things i can actually do is imagine i had v-nets in multiple regions i can actually have up to four replica sets so up to four sets of these kind of managed dc's so i can have four in total i must have peering or some connectivity because i need a mesh network because they're actually going to do multi-master replication between them but i could have up to four replica sets of this managed azure id so that's option two if i cannot bring my existing ad extend it to the cloud i think that would be my preference i don't really want a separate um aed unless there was there was some restriction around connectivity or something else hey i can create this managed azure ad domain services if i need those legacy kerberos ntlm ldap type connections it will create that for me in up to four regions because i can have four replica sets um so that's really it so i can actually have ad in azure if i need it by extending my existing or using azure ad domain services but hopefully as we've kind of seen apart from that um azure ad is definitely not a d in azure but they really work together i'm going to keep my ad for that kerbos ntlm ldap my servers will join it and use it and then i extend my identity using things like azure ad connect into azure id where i can take advantage of its cloud speak all those built-in federations or custom federations or my apps or publishing apps throughout proxy all that security with pm and azure id identity protection and access reviews conditional access mfa password lists and that great support for my partners and even customer scenarios with b to c so i hope that made sense and i hope that kind of clarified and that azure id is not ad in azure but hopefully you can see where they really work together 
and you're going to have this hybrid solution for a long time hope that was useful to everyone until next time take care you
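A defender's check that follows from the Seamless SSO description above, as an added example that is not from the video: inspect the AZUREADSSOACC computer account in AD and flag a Kerberos decryption key that has not been rolled over recently. It assumes the RSAT ActiveDirectory module and a domain-joined admin session; the 30-day threshold is an assumption taken from Microsoft's published guidance, and Update-AzureADSSOForest is the rollover cmdlet from the AzureADSSO module on the Azure AD Connect server, not something the video mentions.

```powershell
# Added example: age check on the Seamless SSO computer account's Kerberos key.
# Assumes RSAT ActiveDirectory module; threshold of 30 days is an assumption.
Import-Module ActiveDirectory

function Get-SeamlessSsoAccountStatus {
    param([int]$MaxKeyAgeDays = 30)

    # The account the video shows: Azure AD's "computer" inside the on-prem AD.
    $acc = Get-ADComputer -Identity 'AZUREADSSOACC' `
        -Properties PasswordLastSet, Enabled, ServicePrincipalNames -ErrorAction Stop

    # PasswordLastSet is when the key that decrypts SSO tickets was last rolled.
    $age = (Get-Date) - $acc.PasswordLastSet

    [pscustomobject]@{
        Name            = $acc.Name
        Enabled         = $acc.Enabled
        PasswordLastSet = $acc.PasswordLastSet
        KeyAgeDays      = [int]$age.TotalDays
        SPNs            = ($acc.ServicePrincipalNames -join ', ')
        NeedsRollover   = ($age.TotalDays -gt $MaxKeyAgeDays)
    }
}

$status = Get-SeamlessSsoAccountStatus
$status | Format-List

if ($status.NeedsRollover) {
    # Roll the key on the Azure AD Connect server (AzureADSSO module):
    #   Import-Module .\AzureADSSO.psd1; New-AzureADSSOAuthenticationContext
    #   Update-AzureADSSOForest
    Write-Warning "AZUREADSSOACC key is $($status.KeyAgeDays) days old; roll it over."
}
```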
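The "option one" configuration described above, as an added example that is not from the video: point a vNet's custom DNS at domain controllers with Az PowerShell, then verify from a VM in that vNet that the AD locator SRV record resolves and the DCs are reachable. Resource group, vNet name and DC addresses are placeholders; the domain name is the one used in the video.

```powershell
# Added example: vNet custom DNS pointing at DCs, plus a locator/reachability check.
# Assumes the Az PowerShell module; names and addresses below are placeholders.

function Set-VNetDnsToDomainControllers {
    param(
        [string]$ResourceGroup = 'rg-shared-services',      # placeholder
        [string]$VNetName      = 'vnet-hub',                 # placeholder
        [string[]]$DcAddresses = @('10.0.1.4', '10.0.1.5')   # placeholder DC IPs
    )
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
    # Replace Azure-provided DNS so VMs resolve the AD domain through the DCs.
    $vnet.DhcpOptions.DnsServers = $DcAddresses
    $vnet | Set-AzVirtualNetwork | Out-Null
    # VMs pick up the new servers on DHCP lease renewal or restart.
}

# Run on a VM inside the vNet. AD clients find DCs via this SRV record;
# Kerberos/NTLM/LDAP only work once it resolves AND the DC IPs are reachable.
function Test-DomainControllerLocator {
    param([string]$Domain = 'savilltech.net')   # domain used in the video
    $srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop
    foreach ($r in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        [pscustomobject]@{
            DC             = $r.NameTarget
            Ldap389        = Test-NetConnection $r.NameTarget -Port 389 -InformationLevel Quiet
            Kerberos88     = Test-NetConnection $r.NameTarget -Port 88  -InformationLevel Quiet
        }
    }
}

Set-VNetDnsToDomainControllers
Test-DomainControllerLocator | Format-Table -AutoSize
```

A row with a resolved DC but Ldap389 or Kerberos88 false means DNS is right but the VPN, ExpressRoute or peering path is missing, which is the failure the video's option one depends on avoiding.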
Info
Channel: John Savill's Technical Training
Views: 20,967
Keywords: azure, azure cloud, active directory, azure ad, azure active directory, azure ad domain services, aadds, domain services, ad in azure
Id: uts0oy8NlUs
Length: 49min 52sec (2992 seconds)
Published: Thu Apr 15 2021