Azure Active Directory Service Summary

Summary

There are various Azure Active Directory services available in Azure. The following is a quick summary of the services available.

Active Directory Domain Services

Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.

Azure Active Directory

Azure Active Directory is an Identity and Access Management as a service (IDaaS) solution that extends an on-premises directory into the cloud and provides single sign-on to Azure, Office 365 and thousands of cloud (SaaS) apps and access to web apps you run on-premises.

Azure Active Directory Business-to-Consumer

Azure Active Directory (AD) B2C is a highly available, global identity management service for customer-facing applications that integrates easily across mobile and web platforms and scales to hundreds of millions of identities. AD B2C enables customers and consumers to log on to internal applications through fully customizable experiences, whether they use an existing social account or create new credentials.

Azure Active Directory Domain Services

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy or manage domain controllers. Users sign in to these virtual machines using their corporate Active Directory credentials and can access resources seamlessly. Azure Active Directory Domain Services provides domain join, LDAP, NTLM and Kerberos authentication, which are widely used in enterprises. This lets you migrate legacy directory-aware applications running on-premises to Azure without having to worry about identity requirements.

Azure AD Privileged Identity Management

Protect your organization from the risk of compromised permanent privileged user accounts by managing, controlling, and monitoring your privileged identities. Privileged Identity Management provides you with a way to enable on-demand time-limited access to administrative tasks.
Using Azure AD Privileged Identity Management, you are able to:

  1. Discover the privileged Azure Active Directory roles within your organization and which users are in those roles.
  2. Manage which privileged users should have permanent vs. temporary role assignments and enforce policies for on-demand, ‘just in time’ access, such as the duration of privileged access operations.
  3. Monitor and audit privileged role access activity across your organization.

Active Directory Health Check

Operations Management Suite Active Directory Health Check Solution assesses the risk and health of your Active Directory environments at a regular interval. It provides a prioritized list of recommendations tailored to your deployments. These recommendations are categorized across six focus areas which allow you and your team to quickly understand the risk and health of your environments and easily take action to decrease risk and improve health.

AD Replication Status

The Active Directory Replication Status Intelligence Pack (IP) analyzes the replication status of domain controllers in an Active Directory domain or forest. This solution helps you troubleshoot AD replication issues in your environment.

Reasons to use Active Directory B2C

  1. AD B2C provides a logical way to separate your internal staff and Customers.
  2. Customers can sign in to your application with any social media provider (Google, Facebook, Microsoft, Amazon etc).
  3. Azure B2C is a separate service to Azure Active Directory. AD B2C allows organisations to authenticate their Customers using the same underlying Active Directory technology.
  4. In addition to authentication, authorisation to an API is also possible.
  5. An API can be invoked at three stages: after federating with an identity provider, before creating a User, and before including application claims in the token.
  6. Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and Security Assertion Markup Language (SAML). It integrates with most modern applications and commercial off-the-shelf software.
  7. AD B2C can store 100 custom attributes and can also integrate with an external system such as a CRM to capture additional customer data. AD B2C is a global service, and by integrating with a CRM system, data policies such as GDPR can be satisfied.
  8. Azure AD B2C can facilitate collecting the information from the user during registration or profile editing, then hand that data off to the external system via API. Then, during future authentications, Azure AD B2C can retrieve the data from the external system and, if needed, include it as a part of the authentication token response it sends to your application.
  9. AD B2C also allows Progressive Profiling. This means that a minimum set of data can be captured at first, and then with multiple subsequent logins, additional data can be captured.
  10. Customised User-flows can be created.
  11. Sign-up options include email, username/password and phone verification.
  12. Multifactor Authentication.
  13. Usage and Log Analytics.
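As an added example (not from the page, nor Microsoft's own samples), here is the server side of the API-connector pattern described in items 5, 8 and 9: a handler that authenticates the call from B2C before trusting anything in it, validates the collected claim, consults a stand-in CRM lookup and answers with a Continue, ValidationError or ShowBlockPage reply. The reply field names follow Microsoft's API connector contract as I recall it and should be verified against the current docs; the credential, denylist, CRM lookup and the `<extensions-app-id>` placeholder are assumptions.

```python
import base64
import hmac
import json

# Constructed placeholders: configure the same pair in B2C as HTTP Basic auth
# and keep the real secret in Key Vault, never in source.
CONNECTOR_USER = "b2c-connector"
CONNECTOR_PASSWORD = "replace-with-secret-from-key-vault"
BLOCKED_DOMAINS = {"example.invalid"}  # constructed denylist for the demo

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value B2C sends when Basic auth is configured."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _caller_is_b2c(headers: dict) -> bool:
    """Fail closed: the endpoint is internet-reachable, so only a caller that
    presents the configured credential may influence sign-up."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparison so a wrong guess does not leak the secret by timing.
    return (hmac.compare_digest(user.encode(), CONNECTOR_USER.encode())
            and hmac.compare_digest(pw.encode(), CONNECTOR_PASSWORD.encode()))

def _lookup_crm(email: str) -> dict:
    """Stand-in for the external CRM call the page describes (constructed)."""
    return {"crmId": "CRM-" + email.split("@", 1)[0].upper()}

def handle_api_connector(headers: dict, body: bytes):
    """Return (http_status, json_reply) for one B2C API connector request."""
    if not _caller_is_b2c(headers):
        # Any status other than 200/400 makes B2C show its generic error page.
        return 401, {"error": "unauthorized"}
    claims = json.loads(body)             # the claims B2C collected from the user
    email = str(claims.get("email", ""))
    if "@" not in email:                  # B2C re-renders the form with userMessage
        return 400, {"version": "1.0.0", "action": "ValidationError", "status": 400,
                     "userMessage": "Please enter a valid email address."}
    if email.rsplit("@", 1)[1].lower() in BLOCKED_DOMAINS:
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "Sign-up is not available for this address."}
    # Continue and hand back a CRM claim; <extensions-app-id> is the docs' placeholder.
    return 200, {"version": "1.0.0", "action": "Continue",
                 "extension_<extensions-app-id>_crmId": _lookup_crm(email)["crmId"]}
```

Wire `handle_api_connector` to whatever HTTPS framework you host the endpoint in; the point to keep is that the credential check runs before the request body is parsed.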

Architecting Azure B2C

Here is a simple checklist for creating an Azure AD B2C solution.

Plan

  1. Planning an Azure B2C project should be like any other project. Employ the right resources, allow for plenty of time, and keep prototyping and communicating with the teams and the business.
  2. Plan for migration if one is required.
  3. Plan for Usability & Security. Understand that an application that is very secure may not provide the most user-friendly experience. Likewise, a very smooth, usable experience might not provide adequate security for your organisation.
  4. Plan for Identity Protection and Conditional Access management.
  5. Plan the move of any applications to the cloud to improve resilience.
  6. Plan supporting teams to handle any logon failures or password reset queries. Even if self-serve capabilities are present, you should always expect Customers to email/phone in if there are sign-in issues.

Design

  1. Decide if your Customers are ‘Customers’ or another Business that you engage with.
  2. Create end-to-end Customer Journey maps. This should include every screen, flow and attribute a User is required to complete. A detailed list of Flows can be found here: https://github.com/azure-ad-b2c/samples#user-experience.
  3. If possible, use infrastructure as code to deploy any resources.
  4. Select the correct authentication flow.
  5. Build out a Proof-of-concept. Detailed Customer Journeys can be found here: https://github.com/azure-ad-b2c/samples#user-experience

Implementation

  1. Use infrastructure as code to deploy any resources.
  2. Edit any custom policies in Visual Studio and version control as appropriate.

Test

  1. Test for both positive/negative scenarios.
  2. Test the sign-up experience including any authentication/authorisation flows.
  3. Set up A/B tests to test new features.
  4. Build in automation (CI/CD) where possible.

Operate

  1. Create multiple environments.
  2. Create experimental environments to try out new features/PoC.
  3. Use version control for your custom policies.
  4. Use the Microsoft Graph API to automate the management of your B2C tenants.
  5. Integrate with Azure DevOps.
  6. Integrate with Azure Monitor.
  7. Set up active alerting and monitoring.