Microsoft 365 Business Technical Fundamentals Series


1 Microsoft 365 Business Technical Fundamentals Series
Welcome back to the Microsoft 365 Business Technical Fundamentals Series.

2 Hybrid Identity
In this module we will be discussing hybrid identity. If you are unfamiliar with the term, it means having a traditional on-premises Active Directory account synchronized into Azure Active Directory. This allows users to use the same credentials to access on-premises resources, such as traditional file and print services, and also to seamlessly access cloud-based resources, including those provided by Microsoft 365 Business.

3 Hybrid Identity Authentication Options
Let’s start with an overview of the different authentication options Microsoft provides for hybrid identity, to help you choose the one that is most appropriate for you.

4 One identity, thousands of apps
[Slide: a user persona, "John Doe", with the goal "I want to provide employees access to every app from any location and any device". Diagram: Windows Server Active Directory (on-premises / private cloud) connected through Azure AD Connect ("Hybrid made easy") to Microsoft Azure Active Directory; 1 identity, thousands of apps.]
As mentioned, the main idea with hybrid identity is to give users a single identity that can be used across a range of business services, including almost 3000 integrated SaaS applications. While we tend to talk about on-premises Active Directory, the reality is that you may already be hosting it in a cloud environment, for example as virtual machines running the domain controller role in an Azure virtual network. For the content we will be covering in this module, the term on-premises Active Directory is used for traditional Active Directory wherever it happens to be hosted.

5 Azure AD Connect: Hybrid made easy
[Slide: Windows Server Active Directory (on-premises / private cloud) connected through Azure AD Connect to Microsoft Azure Active Directory, which provides self-service, MFA and single sign-on. Link: docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites]
When we look at the different solutions for enabling hybrid identity, the one component that is always required is the one in the centre of the diagram: Azure Active Directory Connect. You may know earlier names for this tool; originally it was DirSync, and then AADSync. It is a small download with a wizard-driven installation that helps you configure it quickly and easily. It requires Windows Server 2008 Standard edition or later, and it is not supported on Small Business Server or Windows Server Essentials. Installing AAD Connect on a domain controller is not normally a best practice in larger organisations, but in a smaller environment with a single server that is the domain controller it is supported. Either way, keep in mind that when password hash synchronization is enabled the AAD Connect service account is granted directory replication permissions in Active Directory, so the server running AAD Connect should be protected to the same standard as a domain controller. The URL at the bottom of the slide links to the full list of system requirements.

6 One Identity
[Slide: the same diagram; Azure AD Connect provides the sync engine and seamless authentication, and Microsoft Azure Active Directory provides self-service, MFA and single sign-on.]
As mentioned, one of the benefits of hybrid identity is that we can use one identity to access both traditional and cloud-based resources. This simplifies the user experience and also improves identity security, because there is a single account to protect, to apply MFA to, and to disable when someone leaves.

7 Azure AD Connect authentication options: Password hash synchronization
[Slide: Windows Server Active Directory (on-premises / private cloud) connected through Azure AD Connect, using password hash synchronization, to Microsoft Azure Active Directory, which serves Office 365, SaaS and LoB apps.]
The preferred option for most Microsoft 365 Business customers that require hybrid identity is password hash synchronization. We recommend it because it needs no additional infrastructure: you can usually install AAD Connect on an existing server or virtual machine. Password hash synchronization synchronizes user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance, so that users sign in to Azure AD services, such as Microsoft 365 Business and the underlying components of the suite, with the same password they use to sign in on-premises. Active Directory Domain Services does not store the password itself but a hash of it, the output of a one-way function (for Active Directory this is MD4 over the UTF-16 password, known as the NT hash). A one-way function cannot be reversed to recover the plaintext password. To synchronize a password, Azure AD Connect retrieves the user's hash from Active Directory using the same directory replication mechanism that domain controllers use between themselves, which is why its service account needs replication permissions. Additional protection is then applied before anything leaves the server: the hash is expanded, salted with a per-user salt and passed through 1000 iterations of PBKDF2 with HMAC-SHA256, and only that derived value, together with its salt and iteration count, is sent to Azure AD over TLS. Azure AD never sees the plaintext password, and the value it stores is not the on-premises hash, so it cannot be used to sign in to your on-premises network. Two practical benefits follow: cloud sign-in keeps working even if the on-premises environment is unavailable, and Azure AD can compare the synchronized hashes against its leaked-credential data to flag compromised accounts.

8 Azure AD Connect authentication options: Pass-through authentication
[Slide: Windows Server Active Directory (on-premises / private cloud) connected through Azure AD Connect and the pass-through authentication agent to Microsoft Azure Active Directory, which serves Office 365, SaaS and LoB apps.]
Pass-through authentication does not require the password hashes to be synchronized into Azure Active Directory. Instead, when a user authenticates to a cloud service, the credential is passed back to a pass-through authentication agent running on-premises, which validates it against your domain controllers. You will notice that I said domain controllers, plural. You need a running and responding domain controller for every user sign-in, so network reliability and congestion directly affect the user experience, and you really need to plan for highly available infrastructure to deploy this in the recommended way. The agent makes only outbound HTTPS connections to Azure AD, so no inbound firewall ports are needed, but it must stay reachable. The minimum requirement is Windows Server 2012 R2 or later for the server running Azure AD Connect, plus a second server running another instance of the pass-through authentication agent for availability. The reason someone would choose this path is that they may have restrictions that require the user to be authenticated against an on-premises domain controller rather than against Azure Active Directory, for example so that on-premises account policies such as logon hours are enforced at sign-in time.

9 Azure AD Connect authentication options: Federation via ADFS
[Slide: Windows Server Active Directory (on-premises / private cloud) connected through Azure AD Connect, with federation, to Microsoft Azure Active Directory, which serves Office 365, SaaS and LoB apps.]
The final option is Active Directory Federation Services, where Azure AD redirects the sign-in to your own federation servers and trusts the tokens they issue. This solution requires even more infrastructure, typically including internet-facing proxy servers and certificates that must be maintained, and is not usually recommended for organisations that would be considering Microsoft 365 Business.

10 Considerations For Microsoft 365 Business Customers with an existing Active Directory environment
- Password Hash Synchronisation has the lowest footprint
- Azure Active Directory (AAD) Connect can be installed on an existing server if requirements are met, including on a Domain Controller if required
- AAD Connect can be used for short-term migration needs, or longer-term hybrid coexistence
- AAD Connect has recently been updated to assist with enabling hybrid domain join scenarios
To bring some of these points together, the recommendation is to use Password Hash Synchronisation because of its low footprint and ease of deployment. For small customers that may only have a single server, which is the domain controller, you may be able to install AAD Connect on that server provided it is running Windows Server 2008 or later. While larger organisations generally use AAD Connect for longer-term integration scenarios, smaller customers can also use it as a migration tool, because it synchronises not just users but also other objects such as security groups and their members. This matters because even a small organisation can have an extensive number of groups controlling access to resources, and you will probably want to use them immediately rather than recreate them from scratch. Finally, one of the important recent updates to AAD Connect is that it assists with enabling Active Directory joined PCs to register with Azure Active Directory, which we will discuss in more detail on the next slide.

11 Hybrid Domain Join
Benefit from integrating cloud benefits with existing investments. Azure AD lights up new experiences on Windows 10 AD domain joined devices:
- Single Sign On (SSO) from anywhere, including SSO to AAD apps
- Enterprise compliant roaming of user settings across joined devices
- Access to Microsoft Store for Business using the work (AAD) account
- Windows Hello for Business for secure and convenient access to work resources
Domain Join and Azure Active Directory: Windows Server Active Directory (AD) is the most widely used corporate directory, deployed by over 90% of enterprises in the world. In the last 15+ years, Domain Join has connected millions of computers to Active Directory for secure access to applications and centralized device management via Group Policy. The Integrated Windows Authentication stack (Kerberos/NTLM) gives users single sign-on (SSO) to on-premises applications and resources such as file servers and printers. Azure AD adds the experiences listed above to Windows 10 AD domain joined devices, including SSO to Azure AD apps from the extranet. AAD Connect is a fundamental piece in enabling this functionality. In particular, it:
- creates an object in Active Directory (a Service Connection Point) that lets domain joined devices discover the Azure AD tenant they belong to; and
- synchronises computers in AD to Azure AD as device objects, which enables those computers to authenticate securely when they automatically register with Azure AD.

12 Demonstration Setting up Azure Active Directory Connect
Let’s jump on to a domain controller so we can see some AAD Connect capabilities.

13 Thank you.

