In this video, Pete Zerger explains Azure Active Directory Premium SKUs and identity models, and introduces advanced authentication and security features.
- [Instructor] Azure Active Directory is Microsoft's multi-tenant, cloud-based identity as a service, delivered at global scale from the Microsoft cloud. And with a few clicks, you can integrate Azure AD with your existing Windows Server Active Directory, so you can leverage your org's existing on-premises identity investment to manage access to cloud-based SaaS apps. All paid SKUs of Azure Active Directory are backed by a three-nines SLA.
What can we do with Azure AD? You can manage users and access to cloud resources. With Azure AD Connect, you can extend your on-premises Active Directory to the cloud. You can provide single sign-on to your cloud applications, and reduce the risk associated with those authentications by enabling multi-factor authentication based on conditions of the authentication request. For orgs with custom application needs, you can support development of secure directory-integrated applications for the enterprise.
While there is a free version of Azure Active Directory, we're going to focus on the paid versions, which deliver the advanced identity and access management features needed for enterprise scenarios. Azure AD Basic is designed for task workers with cloud-first needs. This edition provides cloud-centric application access, and self-service identity management functions. With the basic edition, you get group-based access management, self-service password reset, and Azure AD application proxy to publish on-premises web applications using Azure Active Directory.
There are actually two tiers of Azure AD Premium. With plan one, or P1 as it's called, this edition includes everything you see here: everything you need for information workers and identity administrators in hybrid environments across application access, self-service identity and access management, identity protection, and security in the cloud, including advanced administration and delegation resources, like dynamic groups and self-service group management.
It also includes self-service password reset, as well as advanced synchronization capabilities, all of which we'll cover in this course. Azure Active Directory P2 adds advanced protection for all your users and administrators. The P2 tier adds the identity protection and identity management features. This feature taps into the machine learning of the Microsoft Intelligent Security Graph to provide risk-based evaluation of authentication scenarios. There are three primary identity models in Azure AD.
In the cloud identity model, a user is created and managed in Office 365, and stored and verified in Azure Active Directory. In the synchronized identity model, the user identity is managed in an on-premises server, and account and password hashes are synchronized to the cloud. Federated identity requires a synchronized identity, but with one change to that model; the user password is verified by the on-premises identity provider, Windows Server Active Directory.
The three identity models are shown in order of increasing complexity and effort to implement, from left to right. Microsoft recommends you begin with the simplest model that meets your requirements. The cloud identity model is simplest to implement, while the federated model is the most capable, and the synchronized identity model in the middle is the one most customers end up with. Azure multi-factor authentication is Microsoft's two-step verification solution.
Azure MFA helps safeguard access, while maintaining single sign-on. It delivers a second factor of authentication via a range of verification methods, including phone call, text message, or verification with a mobile app. MFA requires two or more verification methods, something you know, typically a password or a PIN, something you have, like a trusted device, such as a phone, and something you are, such as fingerprint or facial recognition.
With MFA, the user logs in using their username and password, they're prompted with an additional challenge, which they then respond to, and are granted access. Azure AD Premium's conditional access feature brings advanced policy-based controls to single sign-on with Azure AD. With conditional access control in place, Azure AD checks for the specific conditions you set for a user to access an application. After access requirements are met, the user is authenticated, and can access the application.
You can include multiple conditions, including group membership, location, device platform and state associated with the login. Based on the context, you can then apply controls, including allowing access, forcing the user to respond to an MFA challenge, or blocking access altogether.
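The conditional access evaluation the instructor describes, modelled as an added example that is not part of the course or of Azure AD's own implementation: each policy carries conditions (group, location, device platform and state) and a control, and the outcome for a sign-in combines every matching policy. Policy names, field names and the sample sign-ins are constructed for illustration.

```python
# Added example (not from the course): a small model of how conditional access
# combines conditions and controls. Names and sample sign-ins are constructed.
from dataclasses import dataclass, field

BLOCK, REQUIRE_MFA, ALLOW = "block", "require_mfa", "allow"

@dataclass
class SignIn:
    user_groups: set
    location: str         # "trusted" or "untrusted" (named location)
    device_platform: str  # e.g. "windows", "ios", "other"
    device_state: str     # "compliant" or "noncompliant"
    mfa_completed: bool   # has the user already answered an MFA challenge?

@dataclass
class Policy:
    """Conditions (empty set = any value) plus the control to apply."""
    name: str
    control: str
    groups: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    platforms: set = field(default_factory=set)
    device_states: set = field(default_factory=set)

    def matches(self, s: SignIn) -> bool:
        # Every non-empty condition must match for the policy to apply.
        return (
            (not self.groups or bool(self.groups & s.user_groups))
            and (not self.locations or s.location in self.locations)
            and (not self.platforms or s.device_platform in self.platforms)
            and (not self.device_states or s.device_state in self.device_states)
        )

def evaluate(policies, s: SignIn) -> str:
    """Combine all matching policies: block wins, then an MFA requirement
    that has not yet been satisfied, otherwise access is granted."""
    controls = {p.control for p in policies if p.matches(s)}
    if BLOCK in controls:
        return BLOCK
    if REQUIRE_MFA in controls and not s.mfa_completed:
        return REQUIRE_MFA
    return ALLOW

# Constructed policy set covering the conditions and controls the course lists.
POLICIES = [
    Policy("Block unsupported platforms", BLOCK, platforms={"other"}),
    Policy("MFA outside trusted locations", REQUIRE_MFA, locations={"untrusted"}),
    Policy("Admins always MFA", REQUIRE_MFA, groups={"admins"}),
    Policy("Block non-compliant devices", BLOCK, device_states={"noncompliant"}),
]
```

A block from any matching policy overrides an allow from another, which is why a sign-in from a non-compliant device is refused even after MFA has been completed.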
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups