Exam Prep 70-398:Section 1: Design for Cloud/Hybrid Identity


Presenters: Joe Lurie, MCS Northeast; Alfred Ojukwu, MCS Northeast

Joe Lurie, Senior Consultant - Microsoft
- TechReady speaker; exam prep sessions for Windows 8 and 10, Azure, and EMS. All of this is related to 70-398.
- Active in the Devices and Mobility community.
- Fun fact (you decide): never watched Star Trek of any flavor; no episodes of any variety, no movies.

Alfred Ojukwu, Senior Consultant - Microsoft
- Mobility Consultant with Microsoft Consulting Services (MCS)
- Certified Trainer (MCT) - Mobility
- 20+ years in IT administration
- WW Community Lead, Devices and Mobility
- Extensive involvement with internal and external readiness
- Blog: http://thedevicepros.com
- Interesting fact: grew up in Hawaii

Agenda
1. Design for Cloud/Hybrid Identity (15-20%)
2. Design for device access and protection (15-20%)
3. Design for data access and protection (15-20%)
4. Design for Remote Access (15-20%)
5. Plan for apps (15-20%)
6. Plan updates and recovery (15-20%)

Design for Cloud / Hybrid Identity

The Current Reality
[Diagram: on-premises (Windows Server Active Directory, other directories, managed devices, private cloud) and public cloud (EC2, Microsoft Azure, Microsoft Azure Active Directory, Office 365, SaaS), with identity as the control plane: simple connection, self-service, single sign-on, username.]

Delivering a seamless user authentication experience

Identity Synchronization with password (hash) sync (Active Directory -> Microsoft Azure)
- User attributes are synchronized using Identity Synchronization services, including a password hash.
- Authentication is completed against Azure Active Directory.

Identity Federation (Active Directory -> AD FS -> Microsoft Azure)
- User attributes are synchronized using Identity Synchronization tools.
- Authentication is passed back through federation and completed against Windows Server Active Directory.

Active Directory Federation Services
- Organizations can connect to SaaS applications running in Azure, Office 365 and 3rd-party providers.
- Enhancements to AD FS include simplified deployment and management.
- Organizations can federate with partners and other organizations for seamless access to shared resources (resources in other businesses or identity realms).
- Web Application Proxy (includes AD FS Proxy) publishes applications: claims and Kerberos web apps, Office Forms Based Access, RESTful OAuth apps.
- Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location.

Federation Benefits

User perspective:
- Single Sign-On
- Reduced credentials
- Fewer accounts to manage

IT perspective:
- Authentication flexibility
- Authorization control
- Claims extensibility
- Stronger authentication methods (MFA)
- Enforce AuthN and AuthZ policies

Developer perspective:
- Unified programming model
- Reduced development efforts
- Decouple AuthN and AuthZ policies from code
- Interoperability

Security perspective:
- Granular control over resources through Conditional Access Control assets

Identity Choices

Identity Type      | AAD Subscription Required | AAD Connect Required | AD DS Required | AD FS Required | Microsoft Federation Gateway Required
Cloud Identity     | YES | NO  | NO  | NO  | NO
Synced Identity    | YES | YES | YES | NO  | NO
Federated Identity | YES | YES | YES | YES | YES

MICROSOFT CONFIDENTIAL - INTERNAL ONLY

Azure Active Directory (Alfred Ojukwu)

Planning for Azure Active Directory (AD)
- Custom LOB applications that integrate with Azure Active Directory
- Sign in to Active Directory-integrated applications with cloud identities
- Active Directory-integrated applications can access Office 365 and other web APIs
- Applications can extend the Azure Active Directory schema
- Cross-platform support (iOS, Android, and Windows)
- Open standards (SAML, OAuth 2.0, OpenID Connect, ...)

Planning for Azure Active Directory (AD): Azure AD Premium features
- Cloud app discovery
- Group-based application access
- Self-service group management
- Advanced security reporting
- Password reset with write-back

Azure Active Directory features and editions

Feature                                               | Azure AD Free        | Azure AD Basic   | Azure AD Premium | Office 365 apps only
Directory as a Service                                | 500,000 object limit | No object limit  | No object limit  | No object limit for Office 365 accounts
User/group management (add/update/delete)             | Yes                  | Yes              | Yes              | Yes
SSO to pre-integrated SaaS applications / custom apps | 10 apps per user     | 10 apps per user | No limit         | 10 apps per user
User-based access management/provisioning             | Yes                  | Yes              | Yes              | Yes
Self-service password change for cloud users          | Yes                  | Yes              | Yes              | Yes
Azure AD Connect                                      | Yes                  | Yes              | Yes              | Yes
Advanced security report                              |                      |                  | Yes              |

Azure Active Directory features and editions (columns: Azure AD Free, Azure AD Basic, Azure AD Premium, Office 365 apps only)

Azure AD Premium features (Yes in the Premium column):
- Connect Health
- Connect write-back of users and groups (in Preview)
- HR integration with Workday (in Preview)
- Dedicated Group (in Preview)
- Dynamic Group (in Preview)
- Azure AD Domain Services (in Private Preview)
- Add your own SaaS applications
- Privileged Access Management
- Self-service application requests
- Azure reporting API

Practice Question
Your network contains an Active Directory domain named bcdtrain.com. You create an Azure Active Directory (Azure AD) domain named bcdtrain.onmicrosoft.com. You need to provide a single sign-on experience for on-premises users to bcdtrain.onmicrosoft.com. What should you do first?
A. Install Active Directory Federation Services (AD FS)
B. Add a domain in Azure AD
C. Deploy a Windows Server 2012 R2 virtual machine in Azure and install Active Directory Domain Services (AD DS).
D. Enroll in Azure Active Directory Premium
E. Download Azure AD Connect

What is Azure Multi-Factor Authentication?
- A stand-alone Azure Identity and Access Management service, also included in Azure Active Directory Premium.
- Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.
- Trusted by thousands of enterprises to authenticate employee, customer, and partner access.

Azure MFA
Types of MFA supported: phone call, text message, smartphone app, OAuth token.

- Azure MFA requires AAD Premium or EMS (which includes AAD Premium).
- Two usage models: per authentication or per user (the break-even point is 10 auths/month).
- Azure MFA is free for Azure Administrators.

Connectivity and Mobility Options

How it works
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device (mobile app, phone call, or text message) before access is granted.
[Diagram: user -> on-premises apps (RADIUS, LDAP, IIS, RDS/VDI) -> Multi-Factor Authentication Server -> Windows Server Active Directory or other LDAP; cloud apps (.NET, PHP, Java) -> Microsoft Azure Active Directory -> Multi-Factor Authentication Server.]

Azure MFA vs MFA for Office 365

Feature                                                            | MFA for Office 365 / Azure Administrators | Azure Multi-Factor Authentication
Administrators can enable/enforce MFA for end users                | Yes | Yes
Use mobile app (online and OTP) as second authentication factor    | Yes | Yes
Use phone call as second authentication factor                     | Yes | Yes
Use SMS as second authentication factor                            | Yes | Yes
Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls      | Yes | Yes
Suspend MFA from known devices                                     | Yes | Yes
Custom greetings during authentication phone calls                 |     | Yes
Fraud alert                                                        |     | Yes
MFA SDK                                                            |     | Yes
Security reports                                                   |     | Yes
MFA for on-premises applications / MFA Server                      |     | Yes
One-time bypass                                                    |     | Yes
Block/unblock users                                                |     | Yes
Customizable caller ID for authentication phone calls              |     | Yes
Event confirmation                                                 |     | Yes
Trusted IPs                                                        |     | Yes

Azure MFA: what is it
- Initiated after the user has supplied a user name and password.
- Initiated only if the user has been configured for MFA.
- Users can select which form of MFA they prefer: phone, text or authenticator app.
- NOTE: Some versions of Outlook and Lync do not support MFA. Some other non-browser based applications may also not support MFA. For these apps ...

Practice Question (Hard)
Your network contains an Active Directory domain named domain1.com. Domain1.com is synchronized with Domain1.onmicrosoft.com for Azure Active Directory (Azure AD). You plan to require Azure Multi-Factor Authentication for Domain1.com users by using a Remote Desktop Gateway. You need to configure Azure Multi-Factor Authentication for Domain1.com users. What should you do? Select the three actions you should perform and arrange them in the order in which you should perform them.
Available actions:
- Download and install the Multi-Factor Authentication Server.
- Enable multi-factor authentication for users in Azure AD.
- Add the application to Azure AD
- Add a Multi-Factor Authentication Provider
- Enable multi-factor authentication for users in on-premises Active Directory.
- Configure multi-factor authentication settings for Azure AD
Answer sequence (as shown on the slide):
1. Add a Multi-Factor Authentication Provider
2. Download and install the Multi-Factor Authentication Server.
3. Enable multi-factor authentication for users in on-premises Active Directory.

User Self-Service
- Configured after setting up MFA.
- Allows users to update their contact information (phone number) without involving IT.
- Accessible via http://myapps.microsoft.com
- Allows self-service password reset.
- TIP: For exam questions that refer to reducing IT overhead or reducing administrative effort with regard to user management, look for answers around user self-service.

Group Management
- Allows users to create/manage/delete groups.
- NOTE: SECURITY GROUPS CANNOT BE CREATED USING SELF-SERVICE GROUP MANAGEMENT.
- Allows group owners to add new members, edit the group name, leave the group, delete the group, and set group ownership.
- Self-service of groups can be delegated to a restricted set of users (it does not need to be opened to all users).
- Pro Tip: In a hybrid identity scenario, you could have both AD DS sourced groups and cloud groups. Be careful about complexity if you enable group management in both locations.

Practice Question (Easy)
You plan to deploy Azure Active Directory self-service password reset on your network. You need to configure the user password reset policy to meet the following requirements:
- Users must answer security questions if they forget their password.
- Users must be presented with three questions if they forget their password.
- Users must answer five questions to enroll for password reset.
- Users should not have to update their security questions once they have enrolled.
How should you configure the user password reset policy? (All options range from 0 to 5)
- Number of authentication methods required: 1
- Number of questions required to register: 5
- Number of questions required to reset: 3
- Number of days before users are asked to reconfirm their authentication: 0

Directory Synchronization

AD Sync and Azure Active Directory Connect
- AD Connect connects on-prem AD with Azure AD, allowing for SSO.

Design single sign-on
- Password Sync: hashes of user passwords are synced from on-prem AD to Azure AD (default option).
- AD Federation Services (AD FS): the user logs on to SaaS applications with the on-prem password; use this if security policy prohibits syncing password hashes to the cloud.

Active Directory integration scenarios
- On-prem to cloud
- Cloud to on-prem

Upgrade Options
- DirSync (<50k objects): in-place migration of all supported custom configurations. Will not migrate unsupported configurations (such as removed attribute flows).
- DirSync (>50k objects): side-by-side deployment. Export the DirSync configuration and import it in Azure AD Connect:
  1. On the DirSync box, the wizard prompts you to export the config file.
  2. On the new box, at a command prompt run AzureADConnect.exe /migrate and specify the config file.
  3. Once the full import and full sync complete, uninstall DirSync on the old box; on the new box, run the wizard a second time to turn off staging mode.
- Azure AD Sync: in-place upgrade.

Prepare for AAD Connect
For all scenarios (Express Settings or Custom):
- Office 365 or Azure AD subscription (a free trial is OK).
- For custom Azure AD domains, configure your public DNS records. The wizard will tell you if DNS is not complete.
- AD users have UPNs (IDFix).
Just for AD FS:
- SSL certificate is trusted on all FS+WAP hosts (generally a non-issue with a publicly trusted cert).
- Enable WinRM on all remote targets.
- Federation service name resolves; the wizard verify step helps with this.
For write-back scenarios (AAD Premium): prepare Active Directory.

Demo: Azure Active Directory Connect

Azure Active Directory Connect Required Servers

Server Type                 | Operating System/Version                                            | Role                                                    | Comments
Existing Domain Controllers | Windows Server 2008 or later                                        | Active Directory domain controller                      | Forest functional level must be 2003 or higher
Synchronization             | Windows Server 2008 R2 or later; Windows Server 2012 R2 recommended | Azure Active Directory Connect Synchronization Services |
Federation                  | Windows Server 2012 R2                                              | AD FS                                                   | Two or more recommended
Federation Proxy            | Windows Server 2012 R2                                              | Windows Server WAP                                      | Two or more recommended
Database                    | SQL Server 2008 or later                                            | Data store for synchronization and AD FS                | Required only when scaling beyond approximately 50,000-100,000 users

Azure Active Directory Connect Health
What is it
- Offers the ability to view alerts, performance patterns, and configuration settings.
- Agent found in the Marketplace under Security + Identity.
Requirements
- Requires an Azure AD Premium subscription.
- Must be a Global Administrator to enable.
- If using AD FS, AD FS auditing must be enabled to use Usage Analytics.
- Agent must be installed on all targeted servers.
- Azure AD Connect Health Agent for Sync must be installed (installed by default).
- Firewall ports 80, 443, 5671.
- Must have connectivity to Azure service endpoints.

Reporting

Security reports
Rule based (free):
- Sign ins from unknown sources
- Sign ins after multiple failures
- Sign ins from multiple geographies
Specialized information:
- Sign ins from possibly infected devices
- Sign ins from IP addresses with suspicious activity
Machine learning:
- Irregular sign in activity
Combined:
- Users with anomalous sign in activity
Actions: reset password, manage multi-factor auth, ignore event, download reports.

Operational reports
Activity / Audit (free):
- Password reset activity
- Password reset registration activity
Application Management:
- Application usage
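The three rule-based security reports listed above are simple enough to reproduce as detection logic, which helps when reasoning about what each report can and cannot catch. The block below is an added example, not code from the slides or from Microsoft; it runs over constructed sign-in events, and the 10-minute failure window, 2-hour geography window and the 10.0.0.0/8 trusted range are assumptions standing in for a tenant's own Trusted IPs and thresholds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


# Constructed sample events (not real Azure AD sign-in data): alice succeeds after four
# failures, bob signs in from two countries 30 minutes apart, carol uses a trusted range.
U1, U2, U3 = "alice@bcdtrain.com", "bob@bcdtrain.com", "carol@bcdtrain.com"
SAMPLE = [SignIn(datetime(2016, 3, 1, 8, m), U1, "203.0.113.7", "US", False) for m in range(4)]
SAMPLE += [
    SignIn(datetime(2016, 3, 1, 8, 6), U1, "203.0.113.7", "US", True),
    SignIn(datetime(2016, 3, 1, 9, 0), U2, "198.51.100.2", "US", True),
    SignIn(datetime(2016, 3, 1, 9, 30), U2, "192.0.2.9", "DE", True),
    SignIn(datetime(2016, 3, 1, 10, 0), U3, "10.0.0.5", "US", True),
]
# Assumed "Trusted IPs" range (the page names the feature; this value is a placeholder).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def after_multiple_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Successful sign-ins preceded by >= threshold failures by the same user within window."""
    flagged = []
    for e in events:
        if not e.success:
            continue
        fails = [f for f in events
                 if f.user == e.user and not f.success and e.ts - window <= f.ts < e.ts]
        if len(fails) >= threshold:
            flagged.append((e.user, e.ts, len(fails)))
    return flagged


def multiple_geographies(events, window=timedelta(hours=2)):
    """Same user signed in successfully from two different countries within window."""
    ok = sorted((e for e in events if e.success), key=lambda e: e.ts)
    flagged = []
    for i, a in enumerate(ok):
        for b in ok[i + 1:]:
            if b.ts - a.ts > window:
                break  # time-ordered, so every later event is further apart
            if b.user == a.user and b.country != a.country:
                flagged.append((a.user, a.country, b.country))
    return flagged


def unknown_sources(events, trusted=TRUSTED_NETS):
    """Successful sign-ins from IP addresses outside the trusted ranges."""
    return [(e.user, e.ip) for e in events
            if e.success and not any(ip_address(e.ip) in n for n in trusted)]


def security_report(events):
    """Rule-based reports under the names the page lists: report name -> flagged entries."""
    return {"Sign ins after multiple failures": after_multiple_failures(events),
            "Sign ins from multiple geographies": multiple_geographies(events),
            "Sign ins from unknown sources": unknown_sources(events)}
```

Note that the "unknown sources" rule flags every sign-in from outside the trusted range, which is why the portal pairs it with the machine-learning and "anomalous sign in" reports rather than treating it as an alert on its own.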

- Account provisioning activity (free)
- Account provisioning errors (free)

Practice Question (Easy)
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named bcdtrain.com and an Azure Active Directory (Azure AD) domain named bcdtrain.onmicrosoft.com. Azure AD Connect is installed and Active Directory Federation Services (AD FS) is configured. Password write-back is enabled. You need to monitor the synchronization events generated by Azure AD Connect. What should you do first?
A. Install Azure AD Connect Health
B. Create a new Operational Insights workspace
C. Install Azure AD Privileged Identity Management
D. Enable Azure AD Premium Features

Practice Question (Medium)
You are the Enterprise Mobility Administrator for Contoso.com. You have been asked to ensure that all cloud access to mobile devices can be monitored. After configuring the cloud settings for Azure AD Connect Health using default settings, you install the client agent and notice that you are unable to retrieve reports from Azure AD. You need to ensure you can retrieve reports to review health status. What should you do to retrieve reports?
A. You need to open TCP Port 80, and 443 to resolve IIS traffic in your firewalls
B. You need to uninstall and re-install the client agent
C. You need to open TCP Ports 80, 443, and 5671 in your firewalls.
D. You need to enable Microsoft to access your health information
E. You need to enable automatic of your Azure AD Connect Health agent in the portal
F. You need to open TCP Port 80, and 3389 to resolve IIS traffic in your firewalls

Design for Cloud/Hybrid Identity: EXAM TIPS
Tip #1: Know the Azure AD editions and the features available in each (Azure AD Free, Azure AD Basic, Azure AD Premium, O365 apps only).
Tip #2: Multi-factor authentication supports phone, text, app, or OAuth token. The user can select which he prefers.
Tip #3: Azure AD Connect Health can be used to monitor the synchronization events generated by Azure AD Connect.

© 2016 Microsoft Corporation. All rights reserved. The text in this document is available under the Creative Commons Attribution 3.0 License; additional terms may apply. All other content contained in this document (including, without limitation, trademarks, logos, images, etc.) is not included within the Creative Commons license grant. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. Microsoft makes no warranties, express or implied, with respect to the information provided here.
