Microsoft Azure and its identity and access management (IAM) are at the heart of Microsoft's Software as a Service (SaaS) products, including Office 365, Dynamics CRM, and Enterprise Mobility Management. With this book, you'll understand how mastering Microsoft Azure helps you to work with the Microsoft Cloud effectively.
Mastering Identity and Access Management with Microsoft Azure starts by taking you through the benefits of Azure in the field of identity and access management. Working through the functionality of IAM as a service, you'll get a complete overview of the Microsoft strategy and discover how identity synchronization can help you provide a well-managed identity. The book covers several project scenarios and examples to show you how to troubleshoot and work with essential authentication protocols and application-publishing scenarios. Finally, you'll acquire a thorough understanding of Microsoft Information Protection technologies.
By the end of the book, you'll have developed the skills you need for planning and implementing a future-oriented and sustainable IAM strategy.
Author(s): Jochen Nickel
Edition: 2
Publisher: Packt Publishing
Year: 2019
Language: English
Pages: 700
Cover
Title Page
Copyright and Credits
About Packt
Contributors
Table of Contents
Preface
Section 1: Identity Management and Synchronization
Chapter 1: Building and Managing Azure Active Directory
Implementation scenario overview
Implementing a solid Azure Active Directory
Configuring your administrative workstation
Custom company branding
Summary and recommendations of the help information
Creating and managing users and groups
Set group owners for organizational groups
Delegated group management for organizational groups
Configure self-service group management
Create the sales internal news group as an Office 365 distribution group
Configure dynamic group memberships
Assign roles to administrative units
Creating an administrative unit
Adding users to an administrative unit
Scoping administrative roles
Test your configuration
Protect your administrative accounts
Provide user and group-based application access
Assign applications to users and define login information
Assign applications to groups and define login information
Self-service application management
Password reset self-service capabilities
Configure notifications
Test the password reset process
Using standard security monitoring
Integrating Azure AD Join for Windows 10 clients
Join your Windows 10 client to Azure AD
Verify the newly joined Windows 10 client
Configuring a custom domain
Configure Azure AD Domain Services
Test and verify your new Azure AD Domain Services
Summary
Chapter 2: Understanding Identity Synchronization
Technology overview
Microsoft Identity Manager (MIM) 2016
MIM synchronization service
MIM synchronization service extensions
MIM service and portal
MIM service extensions
MIM password reset and user account unlock
MIM privileged access management
Additional solution
Cloud deployment based on identity director service
On-premises deployment based on MIM 2016
Azure Active Directory Connect
Synchronization scenarios
Single-forest integration
Multi-forest integration
Multi-Azure Active Directory Integration
Azure Active Directory Domain Services Integration
Stretched Active Directory to Azure IaaS
Azure Active Directory B2B integration
Azure Active Directory and Microsoft Office 365 synchronization
Identity and password-hash synchronization including SSO options
Identity synchronization including PingFederate integration
Identity and password-hash synchronization including ADFS integration
Azure Active Directory Connect high availability
Synchronization terms and processes
UserPrincipalName suffix decisions
Active Directory preparations
Source Anchor decisions
Connected Directories
Import flow
Placeholder objects
Synchronization flows
Inbound synchronization
Outbound synchronization
Joins
Connector objects
Disconnector objects
Export flow
Summary
Chapter 3: Exploring Advanced Synchronization Concepts
Preparing your lab environment
Understanding declarative provisioning and expressions
Synchronization rules explained
Special considerations in advanced synchronization concepts
Using standard filters to exclude users and groups
Building a custom rule for filtering
Connecting Azure AD Connect to the second forest
Summary
Chapter 4: Monitoring Your Identity Bridge
How Azure AD Connect Health works
Azure AD monitoring and logs
Azure Security Center for monitoring and analytics
Summary
Chapter 5: Configuring and Managing Identity Protection
Microsoft Identity Protection solutions
Azure ATP and how to use it
Azure AD Identity Protection
Using Azure AD PIM to protect administrative privileges
Summary
Section 2: Authentication and Application Publishing
Chapter 6: Managing Authentication Protocols
Microsoft identity platform
Common token standards in a federated world
Security Assertion Markup Language (SAML) 2.0
Key facts about SAML
WS-Federation
Key facts about WS-Federation
OAuth 2.0
Key facts about OAuth 2.0
Main OAuth 2.0 flow facts
Authorization code flow
Client credential flow
Implicit grant flow
Resource owner password credentials flow
OpenID Connect (OIDC)
Key facts about OIDC
Pass-through authentication and seamless SSO
Multi-factor authentication
Azure MFA
Certificate authentication
Device authentication
Biometric authentication
Summary
Chapter 7: Deploying Solutions on Azure AD and ADFS
Basic environment installation and configuration
Create the certificate for your environment with Let's Encrypt
Installing the ADFS farm on YDADS01
Installing the Web Application Proxy on YD1URA01
Installing demo applications on (YD1APP01) for ADFS
Subscribing to demo apps (Azure AD)
Azure AD authentication deployments
ADFS Authentication deployments
Integrating Azure MFA (YD1ADS01)
Summary
Chapter 8: Using the Azure AD App Proxy and the Web Application Proxy
Configuring additional applications for Azure AD and ADFS
Publishing with Windows Server and Azure AD Web Application Proxy
Using conditional access
Summary
Chapter 9: Deploying Additional Applications on Azure AD
Preparing your lab environment
What defines single- and multi-tenant applications
Deploying a single-tenant application including roles and claims
Moving the single-tenant app to a multi-tenant scenario
Deploying another multi-tenant app with OpenID Connect
Summary
Chapter 10: Exploring Azure AD Identity Services
Preparing your lab environment
Understanding Azure AD B2B
Providing resource access to external partners (on-premise)
Exploring Azure AD B2C
Azure AD B2C tenant creation
Demo app registration
User flow creation
Visual Studio code modification
Comparing Azure AD B2B and B2C
Comparing AD FS with Azure B2B and B2C
Extending Active Directory solutions with Azure AD Domain Services
AD FS as an on-premise identity service for the cloud
Typical single-forest deployment
Two or more Active Directory forests running separate AD FS instances
Running one AD FS instance for multiple trusted forests
One AD FS instance for multiple Active Directory forests without an AD trust
Using a local CP trust to support multiple Active Directory forests
Using a shared Active Directory environment
Microsoft Cloud Solution Provider summary
Summary
Chapter 11: Creating Identity Life Cycle Management in Azure
Lab environment readiness
Handling the guest user life cycle
Use Case 1 – Exploring the invitation process with different user types
Using the Azure AD B2B portal and use cases
Installation and configuration
Usage of the portal
Special considerations
On-premise application access for guest users
Azure services for automation
Summary
Section 3: Data Classification and Information Protection
Chapter 12: Creating a Security Culture
Why do we need a security culture?
Pillars of a good security culture
Leadership support
Training
Testing
Continuous communication
General overview of data classification
Methods of data classification
Data classification and unstructured data
Data classification and Data Leakage/Loss Prevention
Data classification and compliance
Storage optimization
Access control to data
Classification scheme and policy example
Description of the classification scheme
Visual markings and rules based on the classification label
General desired behavior example
Defining the data-processing roles
Change of classification
Azure Information Protection (AIP) overview
Summary
Chapter 13: Identifying and Detecting Sensitive Data
Extending your lab environment
Understanding and using AIP capabilities for data in motion
Scenario 1 – Usage of Azure Information Protection
Scenario 2 – Monitoring with Windows Defender ATP
Scenario 3 – Identifying sensitive information in your cloud ecosystem
Scenario 4 – Data leakage prevention in Office 365
Understanding and using AIP capabilities for data at rest
Summary
Chapter 14: Understanding Encryption Key Management Strategies
Azure Information Protection key basics
Microsoft-managed keys
Bring your own key
What is an HSM?
What is the Azure Key Vault?
Hold your own key
How Azure RMS works under the hood
Algorithms and key lengths
User environment-initialization flow
Content-protection flow
Content-consumption flow
Summary
Chapter 15: Configuring Azure Information Protection Solutions
Preparing to configure and manage AIP
Azure RMS management with PowerShell
Azure RMS super users
Onboarding controls
Azure RMS templates
Azure RMS logging
AIP client PowerShell
Configuring AIP
Creating the classification schema
Creating sub-labels and scoped policies
Using visual markings
Configuring automatic classification and protection
Using justification
Configuring protection options
Activating unified labeling
Lab challenge
Summary
Chapter 16: Azure Information Protection Development
Technical requirements
Microsoft Information Protection solutions
Understanding the Microsoft Information Protection SDK
Preparing your Azure AD environment for tests
Using MIP binaries to explore functionality
Using PowerShell with Azure Information Protection
Useful Azure RMS cmdlets
Overview of the RMS 2.1 and 4.2 SDKs
Summary
Other Books You May Enjoy
Index