Information Dynamics

Category Archives: Azure AD

Azure AD B2C

19 Thursday Aug 2021

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure B2C


Tags: Authentication, Azure AD B2C

In this article we look at Azure AD B2C, an identity-management service that lets an application sign users in with local accounts as well as social or federated enterprise accounts, without the application having to store or verify credentials itself. This article details provisioning an Azure AD B2C tenant; subsequent articles will walk through a sample application that uses Azure AD B2C for authentication and authorization.

The capabilities provided by Azure AD B2C can be summarized as below:

  • Identity as a Service: Azure hosts all the components needed for end users to register, sign in and reset passwords, so the application never handles passwords directly.
  • Business to Consumer: Enterprise applications have their users in the corporate Azure AD store. Azure AD B2C also keeps a directory of users, but it is targeted at consumers and other external users and is deliberately kept apart from the workforce directory.
  • Local or social account identities: External users can register and sign in with a local account (email and password) or with a social identity provider such as Google or LinkedIn.
  • Customization: The sign-up and sign-in pages can be branded with custom HTML and CSS.
  • Protocols supported: OpenID Connect, OAuth 2.0 and SAML 2.0.
  • Scenarios where Azure AD B2C works well: web applications, mobile apps and web APIs.
  • Where Azure AD B2C does not work: web API chains, i.e. one web API calling another secured API on the user's behalf. B2C does not support the OAuth 2.0 on-behalf-of flow, so the downstream call has to be made with the client credentials flow (application identity) instead of the user's identity.

In the following section we will look at setting up an Azure AD B2C tenant. A tenant represents an organization and contains a directory of users. It is separate from the Azure AD tenant that every Azure subscription is backed by and that we have access to by default once signed in to Azure.

Let us take a brief tour of what the Azure AD tenancy looks like from within the Azure Portal.

"Manage tenants" allows switching between the directories the signed-in account belongs to.

From the above it is clear that an Azure AD B2C tenancy is a separate directory from the Azure AD tenancy. The two are linked by associating the B2C tenant with an Azure subscription: the B2C directory is surfaced as a resource in that subscription so that it can be billed and managed from there, while under the hood its user accounts are still stored and managed by an Azure AD based directory.

In the next section we will look at the steps involved in setting up an Azure AD B2C tenant:

  1. On the Azure Portal home page navigate to "Subscriptions". The next screen lists the available subscriptions.
  2. Click on the subscription and go to "Resource providers" to register Microsoft.AzureActiveDirectory. The B2C directory is an Azure Resource Manager resource type under this provider, so nothing can be created until the provider shows as Registered.
  3. Once the Microsoft.AzureActiveDirectory resource provider is registered, create a resource by searching for "Azure Active Directory B2C".
  4. Creating an Azure AD B2C tenant and linking it to an existing Azure subscription appear as two options on the same page; the first step is to create the tenant.
  5. Enter the organization name and the initial domain name (the <name>.onmicrosoft.com prefix, which must be globally unique), then Review and Create.
  6. Once the Azure AD B2C tenant is created, the next step is to link it to the current Azure subscription: choose "Azure Active Directory B2C" again, click Create, and this time choose the option to link an existing Azure AD B2C tenant to a subscription.
  7. Select the tenant, the subscription and a resource group, then click Create.
  8. Once successful, the link to the subscription is reflected on the created Azure AD B2C resource's information page.
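The same provisioning, done with the Az PowerShell module instead of the portal wizard, as an added example that is not code from the original post. It registers the provider and waits for the registration to complete (the most common cause of a failed first attempt), creates the B2C directory as an ARM resource, which links it to the subscription in the same operation, and then verifies the link from the subscription side. The resource group, tenant name, API version, SKU values and the tenantId property are assumptions taken from the Microsoft.AzureActiveDirectory/b2cDirectories ARM reference; adjust them to the current schema.

```powershell
# Added example, not code from the original post: provision an Azure AD B2C tenant and link it to the
# current subscription with the Az PowerShell module (Az.Accounts, Az.Resources) instead of the portal.
# All names below are hypothetical: resource group "rg-b2c", tenant "contosob2c.onmicrosoft.com".
$RgName        = 'rg-b2c'
$RgLocation    = 'australiaeast'
$TenantName    = 'contosob2c.onmicrosoft.com'   # initial domain name; the prefix must be globally unique
$DataResidency = 'United States'                # B2C "location" is the data-residency region (assumption:
                                                # United States / Europe / Asia Pacific / Australia per the ARM reference)

Connect-AzAccount | Out-Null

# 1. Register the resource provider and wait for it; registration is asynchronous and a deployment
#    submitted before the state is "Registered" fails with MissingSubscriptionRegistration.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.AzureActiveDirectory' | Out-Null
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.AzureActiveDirectory' |
              Select-Object -First 1).RegistrationState
} while ($state -ne 'Registered')

# 2. Create the B2C directory as an ARM resource inside this subscription. Created this way the tenant
#    is linked to the subscription in the same operation, so the separate "link" wizard is not needed.
#    Resource type, sku and createTenantProperties follow the Microsoft.AzureActiveDirectory/b2cDirectories
#    ARM schema; the API version and sku values are assumptions to verify against the current reference.
New-AzResourceGroup -Name $RgName -Location $RgLocation -Force | Out-Null
New-AzResource -ResourceGroupName $RgName `
    -ResourceType 'Microsoft.AzureActiveDirectory/b2cDirectories' `
    -ResourceName $TenantName `
    -Location $DataResidency `
    -ApiVersion '2021-04-01' `
    -Sku @{ name = 'Standard'; tier = 'A0' } `
    -Properties @{ createTenantProperties = @{ displayName = 'Contoso B2C'; countryCode = 'AU' } } `
    -Force | Out-Null

# 3. Verify the link from the subscription side: the directory must show up as a resource.
#    (tenantId in the resource properties is an assumption from the same ARM reference.)
Get-AzResource -ResourceType 'Microsoft.AzureActiveDirectory/b2cDirectories' -ExpandProperties |
    Select-Object Name, ResourceGroupName, Location, @{ n = 'TenantId'; e = { $_.Properties.tenantId } }
```

Linking an already existing B2C tenant to a subscription is a different property set on the same resource type and is not shown here; the portal wizard in step 6 above covers that case.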

This completes the walk-through of setting up an Azure AD B2C tenant. In the next article we will look at the features of Azure AD B2C in the context of providing IAM capabilities to users.

Deploying Azure AD DS

29 Friday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure AD DS


Tags: Azure AD DS, Deploying Azure AD DS

In the previous article we compared the Active Directory offerings on-premises and in the cloud. This article walks through the deployment of Azure AD DS.

  • Log on to the Azure Portal and select "Azure AD Domain Services"

[Screenshot: AzureADDS1]

  • Choose "Create Azure AD Domain Services"

[Screenshot: AzureADDS3]

  • Choose an existing Resource Group or create a new one if required.
  • Enter a DNS domain name, keeping in mind the following conditions:
    • If the directory's default built-in domain name (the one with the ".onmicrosoft.com" suffix) is used, a digital certificate cannot be created for it, so connections to the managed domain (for example Secure LDAP) cannot be secured under that default name.
    • Non-routable domain suffixes such as "*.local" are not to be used.
    • The domain prefix (the NetBIOS name) cannot be longer than 15 characters.
    • The DNS domain name for the managed domain should not already exist in the virtual network, or in the on-premises network if the managed domain will have a VPN connection to the on-premises network; a clash breaks name resolution for one of the two.

[Screenshot: AzureADDS4]

The default forest type is "User". A user forest synchronizes all objects from Azure AD, including user accounts that originate in an on-premises AD DS environment and reach Azure AD through Azure AD Connect. A resource forest synchronizes only users and groups created directly in Azure AD; on-premises identities reach a resource forest over a forest trust instead.

  • The next step of the wizard automatically creates a VNet and an associated subnet (adds-vnet in this walkthrough). Keep this subnet dedicated to the managed domain; other resources belong in separate subnets.

[Screenshot: AzureADDS5]

[Screenshot: AzureADDS6]

[Screenshot: AzureADDS7]

The synchronization note highlighted on this page of the wizard is important: synchronization is one-way. Objects flow from on-premises AD DS to Azure AD through Azure AD Connect, and from Azure AD into the managed domain; changes made inside Azure AD DS are not written back. In the context of moving user accounts from on-premises AD DS to Azure AD DS this is the synchronization path that was shown in the earlier comparison article.

[Screenshot: AzureADDS8]

[Screenshot: AzureADDS9]

  • Once deployment is complete the topology can be viewed by going to adds-vnet > Diagram.

[Screenshot: AzureADDS10]

The following topology diagram is generated; the highlighted sections indicate the Virtual Network, the Subnet and the Network Security Group (NSG) that the wizard created. Review the NSG's inbound rules: the managed domain controllers should be reachable on their management ports only from the AzureActiveDirectoryDomainServices service tag, and no rule should admit an "Any" source from the Internet.

[Screenshot: AzureADDS11]

  • The Overview tab of the provisioned managed domain indicates a required configuration step: update the virtual network's DNS settings to the IP addresses of the managed domain controllers, otherwise VMs in the VNet cannot locate the domain.

[Screenshot: AzureADDS12]

Prior to the configuration, the DNS servers setting for adds-vnet is the Azure default:

[Screenshot: AzureADDS13]

After the configuration (custom DNS servers pointing at the two managed domain controller addresses):

[Screenshot: AzureADDS14]

[Screenshot: AzureADDS15]

The above steps complete the deployment of Azure AD DS. In the next article we will join Azure VMs created here to this managed domain and, in the process, learn about Azure virtual network peering.
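The whole deployment above, scripted with the Az and Microsoft.Graph PowerShell modules, as an added example that is not code from the original post. It performs the steps the wizard hides (resource provider, the Domain Controller Services service principal, the AAD DC Administrators group), builds a dedicated subnet whose NSG admits only the Azure AD DS service tag, creates the managed domain as a user forest with NTLMv1, TLS 1.0 and RC4 disabled, and finishes with the "Required configuration" DNS update. Region, resource group, VNet, subnet and domain names are hypothetical; the domainSecuritySettings keys and the replicaSets[0].domainControllerIpAddress property path are assumptions from the Microsoft.AAD/domainServices ARM schema.

```powershell
# Added example, not code from the original post: deploy an Azure AD DS managed domain with the Az and
# Microsoft.Graph PowerShell modules, mirroring the portal wizard (provider, service principal, admin group,
# dedicated subnet with NSG, managed domain, then the VNet DNS update). Run as a Global Administrator.
# Hypothetical values: region "australiaeast", resource group "rg-adds", VNet "adds-vnet", domain "corp.example.com".
$Location   = 'australiaeast'
$RgName     = 'rg-adds'
$VnetName   = 'adds-vnet'
$SubnetName = 'aadds-subnet'
$DomainName = 'corp.example.com'   # routable suffix you control; not *.local and not the .onmicrosoft.com default

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.ReadWrite.All' | Out-Null

# 1. Resource provider for managed domains.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' | Out-Null

# 2. Service principal for Microsoft's "Domain Controller Services" application (well-known first-party
#    app ID) and the "AAD DC Administrators" group that delegates admin rights inside the managed domain.
$dcServicesAppId = '2565bd9d-da50-47d4-8b85-4c97f669dc36'
if (-not (Get-MgServicePrincipal -Filter "appId eq '$dcServicesAppId'")) {
    New-MgServicePrincipal -AppId $dcServicesAppId | Out-Null
}
if (-not (Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'")) {
    New-MgGroup -DisplayName 'AAD DC Administrators' -Description 'Delegated group to administer Azure AD DS' `
        -MailEnabled:$false -MailNickname 'AADDCAdministrators' -SecurityEnabled | Out-Null
}

# 3. Dedicated subnet. The NSG admits only the AzureActiveDirectoryDomainServices service tag on the
#    management port; there is deliberately no rule exposing 3389, 636 or 5986 to the Internet.
New-AzResourceGroup -Name $RgName -Location $Location -Force | Out-Null
$rule = New-AzNetworkSecurityRuleConfig -Name 'AllowPSRemoting' -Description 'Azure AD DS management' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 301 `
    -SourceAddressPrefix 'AzureActiveDirectoryDomainServices' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 5986
$nsg = New-AzNetworkSecurityGroup -Name "$VnetName-nsg" -ResourceGroupName $RgName -Location $Location `
    -SecurityRules $rule -Force
$subnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix '10.0.0.0/24' -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $RgName -Location $Location `
    -AddressPrefix '10.0.0.0/16' -Subnet $subnet -Force
$subnetId = ($vnet.Subnets | Where-Object Name -eq $SubnetName).Id

# 4. The managed domain. domainConfigurationType 'FullySynced' is the wizard's "User" forest
#    ('ResourceTrusting' would be a resource forest). The security settings switch off NTLMv1, TLS 1.0
#    and RC4 Kerberos tickets, which the portal leaves enabled by default.
$subId      = (Get-AzContext).Subscription.Id
$resourceId = "/subscriptions/$subId/resourceGroups/$RgName/providers/Microsoft.AAD/DomainServices/$DomainName"
$properties = @{
    domainName              = $DomainName
    domainConfigurationType = 'FullySynced'
    replicaSets             = @(@{ location = $Location; subnetId = $subnetId })
    domainSecuritySettings  = @{
        ntlmV1                = 'Disabled'
        tlsV1                 = 'Disabled'
        kerberosRc4Encryption = 'Disabled'
        syncNtlmPasswords     = 'Enabled'   # keep only if NTLM clients exist; otherwise set Disabled
    }
}
New-AzResource -ResourceId $resourceId -Location $Location -Properties $properties -Force | Out-Null

# 5. Wait for provisioning (typically up to an hour), then carry out the "Required configuration" step:
#    point the VNet's DNS servers at the managed domain controllers. The property path
#    replicaSets[0].domainControllerIpAddress is an assumption from the Microsoft.AAD/domainServices schema.
do {
    Start-Sleep -Seconds 60
    $domain = Get-AzResource -ResourceId $resourceId -ExpandProperties
} while ($domain.Properties.provisioningState -ne 'Succeeded')

$dcIps = @($domain.Properties.replicaSets[0].domainControllerIpAddress)
$vnet  = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $RgName
$vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcIps
$vnet | Set-AzVirtualNetwork | Out-Null
"Managed domain $DomainName ready; $VnetName now resolves through $($dcIps -join ', ')"
```

The domainSecuritySettings block is the part worth keeping even if the rest is done in the portal: the wizard's defaults leave NTLMv1 and RC4 enabled for compatibility, and both are exactly what an attacker inside the VNet wants to see.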

Comparing Windows AD DS, Azure AD and Azure AD DS

29 Friday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure AD DS, Uncategorized


Tags: Azure AD, Azure AD DS

Windows AD DS:

Provides authentication and authorization for on-premises applications and resources. Access to various resources can be controlled through Group Policy; examples of implementing GPOs for user rights assignment are detailed in a separate article on this site.

Authentication Protocol: Kerberos and NTLM

AD Database access: Through LDAP query

Creation of Domain Trusts: Allowed

On-premises Windows Server AD offers five core services:

  • Active Directory Domain Services (ADDS)
  • Active Directory Certificate Services (ADCS)
  • Active Directory Rights Management Services (ADRMS)
  • Active Directory Lightweight Directory Services (ADLDS)
  • Active Directory Federation Services (ADFS)

Windows AD DS provides a hierarchical data store for the various objects in the network: users, computers, groups, printers etc. The objects are placed within Organizational Units (OUs). For example, the following screen snapshot demonstrates one way of organizing an on-premises AD DS:

[Screenshot: capture1]

Azure Active Directory (Azure AD):

While it allows creating users and groups, Azure AD provides a flat structure without Organizational Units (OUs) or Group Policy Objects (GPOs).

  • Azure AD does have a domain name (the initial <tenant>.onmicrosoft.com domain plus any verified custom domains)
  • Provides no trusts between domains
  • Supports web-based authentication protocols: OAuth 2.0, SAML 2.0 and OpenID Connect
  • Uses HTTP/HTTPS to provide identity services; there is no Kerberos, NTLM or LDAP endpoint
  • Querying Azure AD is done through a REST API endpoint. At the time of writing this was the Azure AD Graph API, which has since been deprecated in favour of Microsoft Graph

Azure Active Directory Domain Services (Azure AD DS):

A cloud-based PaaS offering providing managed domain services: domain join, group policy, LDAP and Kerberos/NTLM authentication compatible with on-premises Windows AD DS, without having to deploy, patch and monitor domain controllers. Further characteristics of Azure AD DS:

  • Integration with Azure AD (objects are synchronized one way from Azure AD into the managed domain)
  • Cannot extend the schema
  • No domain / forest trusts (the later resource-forest option allows only a one-way outbound trust to on-premises AD DS)
  • Read-only LDAP: LDAP bind and read are supported, LDAP write is not, so changes must be made in Azure AD and synchronized

The following screen snapshots show how identity information is synchronized in the cloud-only and hybrid models.

Cloud-Only:

[Screenshot: capture2]

Hybrid Model:

[Screenshot: capture3]

Azure AD Built-in Administrator Roles

27 Monday Jan 2020

Posted by GIRISH SRINIVASA in Azure AD, Dynamics 365 CE Online


Tags: Azure AD Admin Roles, Dynamics 365 CE Instance, Power Platform

The tenant/user account used during sign-up for an Azure subscription is assigned the Global Administrator role by default. A Global Administrator can modify everything in the Azure AD organization, so the role should be held by as few accounts as possible and not used for day-to-day product administration. The Microsoft documentation lists all the available roles. The following two roles (shown in the screenshot) give most of what is required for Dynamics CE and Power Apps Portals.

[Screenshot: ADRoles1]

Scenario example:

In the example below we create a new user with the following credentials and assign the Power Platform Administrator role to see the end result.

User name: jsmith@idyconsulting.onmicrosoft.com

  • Log on to the Azure AD portal at https://aad.portal.azure.com/ with an account holding the Global Administrator role and choose "New user"

[Screenshot: ADRoles2]

[Screenshot: ADRoles3]

  • With no assigned roles, logging on to the Office 365 portal https://portal.office.com displays the following

[Screenshot: ADRoles4]

  • Assign the user "jsmith" the built-in Azure AD Power Platform Administrator role. A directory role grants administrative rights only; access to Dynamics 365 CE itself becomes available only after a product licence is assigned

[Screenshot: ADRoles5]

[Screenshot: ADRoles6]

Product licences can be managed from the Microsoft 365 admin center.

[Screenshot: ADRoles7]
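The scenario above scripted with the Microsoft Graph PowerShell SDK, as an added example that is not code from the original post: create the user with a random one-time password, activate and assign the scoped Power Platform Administrator role instead of Global Administrator, assign the product licence (without which the role alone opens nothing in Dynamics 365 CE), and confirm that Global Administrator was not granted. The tenant domain is the one the post uses; the SKU part number, usage location and display name are assumptions.

```powershell
# Added example, not code from the original post: create the user from the scenario and grant the
# Power Platform Administrator directory role plus a Dynamics 365 licence, using the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module). SKU part number, usage location and display name are assumptions.
$Upn      = 'jsmith@idyconsulting.onmicrosoft.com'
$RoleName = 'Power Platform Administrator'
$SkuPart  = 'DYN365_ENTERPRISE_PLAN1'   # assumption: take the real value from Get-MgSubscribedSku
$UsageLoc = 'AU'                        # a usage location is required before a licence can be assigned

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Organization.Read.All' | Out-Null

# 1. Create the user with a random one-time password that must be changed at first sign-in.
$rngBytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rngBytes)
$passwordProfile = @{
    Password                      = [Convert]::ToBase64String($rngBytes)   # 32 chars: upper, lower, digits, symbols
    ForceChangePasswordNextSignIn = $true
}
$user = New-MgUser -DisplayName 'John Smith' -UserPrincipalName $Upn -MailNickname 'jsmith' `
    -AccountEnabled -PasswordProfile $passwordProfile -UsageLocation $UsageLoc

# 2. Directory roles only appear in Get-MgDirectoryRole once activated from their template, so activate
#    on first use, then add the user by reference.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $RoleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# 3. The role alone does not open Dynamics 365 CE; the product licence does.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPart
if (-not $sku) { throw "SKU $SkuPart is not present in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# 4. Confirm least privilege: the user holds the scoped role and is NOT a Global Administrator.
$ga      = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$hasRole = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id -contains $user.Id
$isGa    = $ga -and ((Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id).Id -contains $user.Id)
"$Upn -> ${RoleName}=$hasRole, Global Administrator=$isGa, licence=$($sku.SkuPartNumber)"
```

The one-time password is generated from the platform CSPRNG rather than typed in, and ForceChangePasswordNextSignIn ensures it never becomes the user's long-term credential.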

Administering Dynamics 365 CE Subscription

25 Saturday Jan 2020

Posted by GIRISH SRINIVASA in Azure AD, Dynamics 365 CE Online, Power Platform


Tags: 365 Admin Center, Azure AD, Portals

The Microsoft 365 admin center provides the ability to create users who require access to Dynamics 365 CE.

In the screen snapshot below there are two users, one of them without a Dynamics 365 CE licence.

[Screenshot: Administer1]

Of the two users listed above, "John Smith" has no licence assigned and hence cannot access Dynamics 365 CE apps. Logging on to https://portal.office.com as jsmith@idyconsulting.onmicrosoft.com displays the following landing page.

[Screenshot: Administer2]

Product licences can be allocated and managed from the Microsoft 365 admin center.

[Screenshot: Administer3]

Azure AD view of the above two users:

Within the Azure AD admin portal the users have the following roles assigned.

[Screenshot: Administer4]

[Screenshot: Administer5]

From the above we can look up assigned roles, groups etc. The Global Administrator role provides the capability to manage all aspects of Azure AD and of the services that use Azure AD identities. Within Dynamics 365 CE an Azure AD user with the Global Administrator role is automatically given the following security roles in the instance, which is one more reason to keep that directory role restricted to a handful of accounts:

  • Common Data Service User
  • System Administrator

[Screenshot: Administer6]

[Screenshot: Administer7]

For solution management and other customization tasks assign the "System Customizer" role rather than System Administrator.

Office 365 admin roles related to Microsoft Dynamics 365:

  • Global Administrator: administrative access to the entire Office 365 suite of services. By default the account that signed up for the tenant is a Global Administrator; additional administrators can be added, but the role should be restricted to the few who genuinely need it.
  • Billing Administrator: manages all aspects of the subscription, purchases and billing.
  • User Management Administrator: password resets, service health monitoring and user account provisioning.
  • Dynamics 365 Administrator: manages Dynamics 365 at the tenant level without the user needing the Global Administrator role; this is the role to prefer for day-to-day Dynamics administration.
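A read-only report of who actually holds the roles listed above, with each holder's licences, as an added example that is not code from the original post. It uses the Microsoft Graph PowerShell SDK, expands user members (groups and service principals can hold roles too and are listed without expansion), and flags two least-privilege findings: more Global Administrators than Microsoft's recommended maximum, and Global Administrators who carry a Dynamics licence and could be moved to Dynamics 365 Administrator. The role names are the current Azure AD display names; nothing tenant-specific is assumed.

```powershell
# Added example, not code from the original post: report who holds the tenant-level administrator roles
# listed above and what licences each holder has, so Global Administrators who only need Dynamics 365
# rights stand out. Microsoft Graph PowerShell SDK, read-only scopes only.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'Organization.Read.All' | Out-Null

$rolesOfInterest = @(
    'Global Administrator',
    'Billing Administrator',
    'User Administrator',          # the role the post calls "User Management Administrator"
    'Dynamics 365 Administrator',
    'Power Platform Administrator'
)
# SkuId -> human-readable part number, e.g. DYN365_ENTERPRISE_PLAN1
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

function Get-AdminRoleReport {
    # Get-MgDirectoryRole lists only roles activated in the tenant; a role that is absent has no holders.
    foreach ($role in (Get-MgDirectoryRole | Where-Object DisplayName -in $rolesOfInterest)) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
            $type = $member.AdditionalProperties['@odata.type']
            if ($type -ne '#microsoft.graph.user') {
                # Groups and service principals can hold roles too; list them but do not expand.
                [pscustomobject]@{ Role = $role.DisplayName; Principal = $member.Id; Type = $type; Enabled = $null; Licences = 'n/a' }
                continue
            }
            $u = Get-MgUser -UserId $member.Id -Property userPrincipalName, accountEnabled, assignedLicenses
            [pscustomobject]@{
                Role      = $role.DisplayName
                Principal = $u.UserPrincipalName
                Type      = 'user'
                Enabled   = $u.AccountEnabled
                Licences  = (@($u.AssignedLicenses) | ForEach-Object { $skuNames[$_.SkuId] }) -join ','
            }
        }
    }
}

$report = Get-AdminRoleReport
$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Least-privilege checks: Microsoft recommends fewer than five permanent Global Administrators, and
# anyone who only administers Dynamics 365 should hold Dynamics 365 Administrator instead.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -ge 5) {
    Write-Warning "$($globalAdmins.Count) Global Administrators; review whether each needs tenant-wide rights."
}
$globalAdmins | Where-Object { $_.Type -eq 'user' -and $_.Licences -match 'DYN365' } | ForEach-Object {
    Write-Warning "$($_.Principal) is a Global Administrator holding a Dynamics licence; consider Dynamics 365 Administrator."
}
```

Run it before and after a role clean-up; the report is plain objects, so piping it to Export-Csv gives an audit artefact for the change record.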