Table Of ContentMastering Identity and
Access Management with
Microsoft Azure
Second Edition
Empower users by managing and protecting identities
and data
Jochen Nickel
BIRMINGHAM - MUMBAI
Mastering Identity and Access
Management with Microsoft Azure
Second Edition
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, without the prior written permission of the publisher, except in the case of brief
quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express or
implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any
damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the
accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Deepti Thore
Technical Editor: Mamta Yadav
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Aparna Bhagat
First published: September 2016
Second edition: February 2019
Production reference: 1250219
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78913-230-4
www.packtpub.com
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and
videos, as well as industry leading tools to help you plan your personal development
and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and
Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Packt.com
Did you know that Packt offers eBook versions of every book published, with PDF
and ePub files available? You can upgrade to the eBook version at www.packt.com and
as a print book customer, you are entitled to a discount on the eBook copy. Get in
touch with us at customercare@packtpub.com for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for
a range of free newsletters, and receive exclusive discounts and offers on Packt books
and eBooks.
Contributors
About the author
Jochen Nickel is a Cloud, Identity and Access Management Solution Architect with a
clear focus and in-depth technical knowledge of Identity and Access Management. He
is currently working for inovit GmbH in Switzerland leading and executing projects
in the field of Identity and Access Management including Data Classification and
Information protection. Jochen is focused on Microsoft Technologies, especially in the
Enterprise Mobility + Security Suite, Office 365 and Azure. He is an established
speaker at many technology conferences like Azure Bootcamps, TrustInTech Meetups
or the Experts Live Switzerland and Europe.
About the reviewer
Kasam Shaikh, a Microsoft Azure enthusiast, is a seasoned professional with a "can
do" attitude and 11 years of industry experience, working as a cloud architect with
one of the leading IT companies in Mumbai, India. He is a certified Azure architect,
YouTuber, recognized as an MVP by a leading online community, as well as a global
AI speaker, and has authored books on Azure Cognitive, Azure Bots, and Microsoft
Bot frameworks. He is the founder of Dear Azure, (AZ-INDIA) community, the
fastest-growing online community for learning Azure.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit
authors.packtpub.com and apply today. We have worked with thousands of
developers and tech professionals, just like you, to help them share their insight with
the global tech community. You can make a general application, apply for a specific
hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents
Preface 1
Section 1: Identity Management and
Synchronization
Chapter 1: Building and Managing Azure Active Directory 10
Implementation scenario overview 11
Implementing a solid Azure Active Directory 12
Configuring your administrative workstation 17
Custom company branding 20
Summary and recommendations of the help information 23
Creating and managing users and groups 25
Set group owners for organizational groups 27
Delegated group management for organizational groups 28
Configure self-service group management 30
Create the sales internal news group as an Office 365 (distribution group) 31
Configure dynamic group memberships 36
Assign roles to administrative units 39
Creating an administrative unit 39
Adding users to an administrative unit 39
Scoping administrative roles 40
Test your configuration 41
Protect your administrative accounts 41
Provide user and group-based application access 47
Assign applications to users and define login information 48
Assign applications to groups and define login information 50
Self-service application management 51
Password reset self-service capabilities 51
Configure notifications 53
Test the password reset process 55
Using standard security monitoring 55
Integrating Azure AD Join for Windows 10 clients 59
Join your Windows 10 client to Azure AD 59
Verify the newly joined Windows 10 client 61
Configuring a custom domain 62
Configure Azure AD Domain Services 65
Test and verify your new Azure AD Domain Services 69
Summary 76
Chapter 2: Understanding Identity Synchronization 77
Table of Contents
Technology overview 78
Microsoft Identity Manager (MIM) 2016 80
MIM synchronization service 81
MIM synchronization service extensions 83
MIM service and portal 83
MIM service extensions 85
MIM password reset and user account unlock 85
MIM privileged access management 86
Additional solution 87
Cloud deployment based on identity director service 91
On-premises deployment based on MIM 2016 91
Azure Active Directory Connect 91
Synchronization scenarios 93
Single-forest integration 94
Multi-forest integration 94
Multi-Azure Active Directory Integration 99
Azure Active Directory Domain Services Integration 100
Stretched Active Directory to Azure IaaS 101
Azure Active Directory B2B integration 102
Azure Active Directory and Microsoft Office 365 synchronization 103
Identity and password-hash synchronization including SSO options 104
Identity synchronization including PingFederate integration 105
Identity and password-hash synchronization including ADFS
integration 106
Azure Active Directory Connect high availability 107
Synchronization terms and processes 109
UserPrincipalName suffix decisions 112
Active Directory preparations 113
Source Anchor decisions 116
Connected Directories 118
Import flow 127
Placeholder objects 131
Synchronization flows 132
Inbound synchronization 134
Outbound synchronization 139
Joins 140
Connector objects 141
Disconnector objects 141
Export flow 142
Summary 143
Chapter 3: Exploring Advanced Synchronization Concepts 144
Preparing your lab environment 145
Understanding declarative provisioning and expressions 148
Synchronization rules explained 150
Special considerations in advanced synchronization concepts 158
Using standard filters to exclude users and groups 159
[ ii ]
Table of Contents
Building a custom rule for filtering 168
Connecting Azure AD Connect to the second forest 171
Summary 188
Chapter 4: Monitoring Your Identity Bridge 189
How Azure AD Connect Health works 189
Azure AD monitoring and logs 199
Azure Security Center for monitoring and analytics 208
Summary 212
Chapter 5: Configuring and Managing Identity Protection 213
Microsoft Identity Protection solutions 214
Azure ATP and how to use it 216
Azure AD Identity Protection 224
Using Azure AD PIM to protect administrative privileges 228
Summary 241
Section 2: Authentication and Application
Publishing
Chapter 6: Managing Authentication Protocols 243
Microsoft identity platform 244
Common token standards in a federated world 246
Security Assertion Markup Language (SAML) 2.0 246
Key facts about SAML 247
WS-Federation 249
Key facts about WS-Federation 250
OAuth 2.0 251
Key facts about OAuth 2.0 251
Main OAuth 2.0 flow facts 254
Authorization code flow 255
Client credential flow 257
Implicit grant flow 258
Resource owner password credentials flow 258
OpenID Connect (OIDC) 259
Key facts about OIDC 259
Pass-through authentication and seamless SSO 261
Multi-factor authentication 264
Azure MFA 265
Certificate authentication 266
Device authentication 266
Biometric authentication 267
Summary 267
Chapter 7: Deploying Solutions on Azure AD and ADFS 268
Basic environment installation and configuration 269
[ iii ]
Table of Contents
Create the certificate for your environment with let's encrypt 273
Installing the ADFS farm on YDADS01 277
Installing the Web Application Proxy on YD1URA01 278
Installing demo applications on (YD1APP01) for ADFS 280
Subscribing to demo apps (Azure AD) 286
Azure AD authentication deployments 287
ADFS Authentication deployments 299
Integrating Azure MFA (YD1ADS01) 308
Summary 310
Chapter 8: Using the Azure AD App Proxy and the Web
Application Proxy 311
Configuring additional applications for Azure AD and ADFS 312
Publishing with Windows server and Azure AD Web
Application Proxy 334
Using conditional access 352
Summary 358
Chapter 9: Deploying Additional Applications on Azure AD 359
Preparing your lab environment 360
What defines single- and multi-tenant applications 361
Deploying a single-tenant application including roles and
claims 361
Moving the single-tenant app to a multi-tenant scenario 377
Deploying another multi-tenant app with OpenID Connect 380
Summary 390
Chapter 10: Exploring Azure AD Identity Services 391
Preparing your lab environment 392
Understanding Azure AD B2B 393
Providing resource access to external partners (on-premise) 394
Exploring Azure AD B2C 397
Azure AD B2C tenant creation 398
Demo app registration 403
User flow creation 408
Visual Studio code modification 411
Comparing Azure AD B2B and B2C 417
Comparing AD FS with Azure B2B and B2C 417
Extending Active Directory solutions with Azure AD Domain
Services 419
AD FS as an on-premise identity service for the cloud 423
Typical single-forest deployment 424
Two or more Active Directory forests running separate AD FS
instances 424
Running one AD FS instance for multiple trusted forests 425
[ iv ]
