Azure AD Deployment Guide Identity Lifecycles



Managing Identity Lifecycles at Scale

Microsoft Azure® Active Directory Deployment Guide for Retail Industry Customers

Abstract

This guide helps you deploy a unified identity and access management solution with Microsoft Azure Active Directory. The primary emphasis is on managing the identity lifecycle across your corporate employees and thousands of seasonal and temporary staff.

Intended Audience

Identity Architects, Deployment Advisors, and System Integrators

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Overview
Key Concepts
    Azure AD Connect
    Partner Managed Identities (B2B)
    Consumer Identities (B2C)
    Single Sign-On
    Same Sign-On
    User Principal Name
    Identity Namespace
    Tenant Name
    Kiosk Worker
    Information Worker
    Identity Lifecycle
Configure the Prerequisites
Build Your Identity Organization Teams
Architectural Options for Azure AD Identity Solutions
    Onboarding new off-premises identities (Kiosk Workers)
    Synchronize on-premises identities (Information Workers)
    What to expect during each phase of the Identity Lifecycle
Key Infrastructure Design Considerations
    Tenant Name Design
    User Principal Name (UPN) patterns
    Sign-in Experience
    Organizational Security
Reference

Overview

Azure Active Directory (AD) Premium enables you to create a unified identity and access management (IAM) system that integrates different kinds of identities from multiple sources within your organization. Azure AD Premium makes it easier to cope with typical IAM challenges such as the following:

- Multiple identity repositories.
  Without a single authoritative source of identity, such as an Active Directory forest, Human Resources (HR) system, Lightweight Directory Access Protocol (LDAP) directory, relational database, and so on, some organizations have no unique identity for employees, particularly casual workers.
- Different identity types. Different categories of people, such as kiosk workers, full-time employees, hourly wage workers, consumers, suppliers, partners and so on, have differing identity needs and characteristics.
- Disjointed or ad hoc tools and solutions. The typical organic evolution of many organizations’ IT systems results in multiple, often incompatible solutions to IAM challenges like group management, remote access, password management, provisioning, business-to-business collaboration and so on.
- Differing regulatory requirements. Specific industry sectors may need to address defined regulatory requirements. One example in the retail industry is the Payment Card Industry (PCI) standard.
- Multiple stakeholders. To compete effectively, modern agile organizations may define multiple reporting lines and areas of responsibility that span different business units within the organization.

Azure AD gives you effective solutions for extending on-premises identities into the cloud through single sign-on or same sign-on authentication techniques in order to address the above challenges. The following illustration provides an example of the “identity lifecycle at scale” solution that uses Azure AD cloud services to integrate with a complex retail on-premises infrastructure.

Figure 1: Identity Lifecycle at Scale

Key Concepts

The following sections provide background to help you understand the benefits and technical considerations of deploying and managing Azure AD.

Azure AD Connect

Azure AD Connect integrates on-premises identity systems, such as Windows Server Active Directory, LDAP directories and transactional databases, with Azure Active Directory.
It also connects and authenticates your users to Office 365, Azure and thousands of Software as a Service (SaaS) applications. This integration includes on-premises identity synchronization to and from the cloud and, optionally, single sign-on configuration with Active Directory Federation Services (AD FS).

Learn More: Microsoft Azure – Azure AD Connect

Partner Managed Identities (B2B)

Partner Managed Identities, such as suppliers and contractors, are not part of your organization but have a business relationship with it. An Identity-as-a-Service (IDaaS) solution would grant these identities access to your resources on a restricted basis only, with authentication through the partner organization’s credentials.

Learn More: Azure AD Business to Business collaboration (B2B)

Consumer Identities (B2C)

Consumer Identities represent customers to whom you want to provide services directly. In most cases, consumers either choose an existing social identity, such as Facebook, a Microsoft account or Twitter, or sign up for an account directly, typically using their email address as an identity. A retail example would be a grocery delivery application, where customers log in and place orders online. Consumer identities can scale to large numbers.

Learn More: Azure AD Business to Consumer (B2C)

Single Sign-On

Single sign-on lets you access all the resources you need to do business by signing in once using a single user account. After signing on via password, Personal Identification Number (PIN), or smartcard, you can run any of your authorized applications or connect to shares and data stores without having to authenticate a second time.

Learn More: Azure AD – Single Sign On

Same Sign-On

Same Sign-On enables use of the same set of credentials to access multiple resources. For example, an information worker logged onto his Windows computer with a username and password can go to a cloud resource and supply the same username and password to get access.
Azure AD enables same sign-on through password hash synchronization.

User Principal Name

A User Principal Name (UPN) uniquely identifies an object within Azure Active Directory. UPNs typically have a structure similar to email addresses, such as bob@contoso.com.

Identity Namespace

The Identity Namespace is the suffix of the UPN. In the case of bob@contoso.com, the identity namespace is “contoso.com.” The Identity Namespace is also known as the domain or UPN suffix.

Tenant Name

The Azure AD tenant name is a string, e.g., “Contoso,” that you set when creating a tenant account in the Azure management portal. The tenant name is prepended to the domain to create the initial tenant domain and UPN, in the form contoso.onmicrosoft.com. This name will be exposed to end users in some scenarios, so selecting the tenant name is a critical factor in the user experience. See Key Infrastructure Design Considerations – Tenant Name Design.

Kiosk Worker

Kiosk workers are users whose primary job does not involve the continual use of a dedicated device or computer. Examples include sales staff in retail stores, factory workers, or store operatives. Typically, these employees do not require access to on-premises resources. Therefore, they might not even have an account in Active Directory—their identities are instead stored in the HR system. Azure AD enables these users to complete tasks like accessing SaaS applications for time card management (clocking in and out), collaborating, or initiating self-service HR queries such as holiday requests.

Information Worker

Information workers are typically full-time employees. These users create and consume internal information and therefore require access to corporate data. Information workers include members of the marketing, sales or design departments and so on, and may manage other employees. They use dedicated devices or computers joined to the on-premises directory, and their identities are stored in Active Directory or another directory service.
Identity Lifecycle

The Identity Lifecycle consists of phases within the IDaaS solution. These phases and their elements are shown in the following figure:

Figure 2: Identity Lifecycle

Build Your Identity Organization Teams

Identity Organization teams and responsibilities

Identity Architecture / Development team
- Designs the solution in cooperation with the stakeholders.
- Owns the development process and creates the user acceptance environments.
- Implements prototypes and drives approvals.
- Documents the solution design and operational procedures for hand-off to the operations team.

On-premises Identity Operations team
- Manages on-premises identity sources such as Active Directory forests, LDAP directories, HR systems, and federation identity providers.
- Performs any remediation tasks needed before synchronizing objects to the cloud.
- Provides the service accounts required for directory synchronization to take place.
- Provides access to configure federation to Azure AD.

Application Technical Owners
- Own the cloud apps and services that will integrate with Azure AD.
- Provide the applications’ identity attributes that need to be synchronized.

Azure AD Administrator
- Manages the Azure AD configuration.
- Provides credentials to configure the synchronization service.

Database team
- Owns the database infrastructure.
- Procures any SQL Server instance(s) that a deployment requires, based on corporate standards.

Network team
- Owns the network infrastructure.
- Provides the required access at the network level for the synchronization service to reach the data sources and cloud services (firewall rules, ports opened, IPsec rules and so on).

Privacy and Compliance team
- Certifies that the solution meets the organizational or governmental regulatory and information security requirements.
- Provides the necessary security oversight and approves the data being synchronized.

Help Desk
- Manages the support incidents connected to the migration process.

Azure Subscription Administrator
- Manages the Azure AD subscriptions in the company.

Learn More: Assign administrator roles in Azure Active Directory, Office 365

Configure the Prerequisites

Before you design your Identity Lifecycle at Scale solution, review the following process for configuring the prerequisites:

Process for configuring prerequisites

Set up common infrastructure

1. Create Azure AD tenant(s).
   An Azure AD tenant is the home for your organization’s directory in the cloud.
   Learn More: Get an Azure AD Tenant
2. Create and configure custom domains.
   Users reach your cloud and on-premises resources through domains.
   Learn More: Add Domain
3. Identify Information Worker (B2E) identities and separate them from B2B (partner) and B2C (consumer) identities that might be present in on-premises directories.
   Different identities have different roles in your organization.
   Learn More: Azure AD B2B collaboration; Azure AD B2C
4. Identify the on-premises directories to synchronize with Azure AD.
   Examples include on-premises Active Directory forest(s), HR databases, etc.
   Learn More: Connectors; Topologies for Azure AD Connect

Kiosk Worker

5. Identify data sources for kiosk worker identities.
   These are the repositories that store the kiosk employees’ information.
   Examples include HR systems, relational databases, or even text files or spreadsheets.
6. Identify SaaS applications for kiosk workers.
   Applications have different requirements for user information, expressed as identity claims, and may support user provisioning.
7. Identify the attributes of kiosk worker identities and normalize them across all sources.
   Identify name, phone number, employee ID, and so on, in each data source, and record the semantics and possible values of each.

Information Worker

8. Filter out accounts that do not need to be synchronized.
   Only specific user, group and device objects need to be synchronized with Azure AD.
   Learn More: Prepare for directory sync; Azure AD Connect sync: Configure Filtering
9. Define a strategy to identify objects uniquely.
   This establishes the immutable link between an on-premises object and its manifestation in the cloud.
   Learn More: Azure AD Connect: Design concepts
10. Identify the attributes of initial Azure AD workloads.
    Define the information on each object that you want to be available in the cloud.
    Learn More: Azure AD Connect sync: Attributes synchronized to Azure Active Directory
11. Define features for Azure AD synchronization for on-premises objects.
    Check items such as whether to write back passwords/devices, synchronize passwords, or propagate accounts to the cloud automatically.
    Learn More: Integrating your on-premises identities with Azure Active Directory
12. Define the authentication approach (federation or password hash sync).
    Determine whether you want Azure AD or the on-premises federation service to perform authentication.
    In addition, determine whether you want to keep the on-premises usernames and domain names or clean them up.
    Learn More: Federated Identity Pattern; Implementing password synchronization with Azure AD Connect sync
13. Remediate on-premises identities.
    Prepare all identities for error-free synchronization to the cloud.
    Learn More: Prepare directory attributes for synchronization with Office 365 by using the IdFix tool; Azure AD service limits and restrictions

Architectural Options for Azure AD Identity Solutions

Three main design aspects apply when managing identities at scale:

- How to onboard new identities that are not on-premises (kiosk workers)
- How to synchronize identities that are already on-premises (information workers)
- What to expect during each phase of the identity lifecycle

Onboarding new off-premises identities (Kiosk Workers)

The option of a cloud directory opens up a new set of use cases; specifically, enabling identity management for users, such as kiosk workers, who are traditionally not represented in on-premises identity stores but may have identities stored in the company HR system. This section presents options to create these new identities and enable the new use cases. The options described assume that the provisioning and de-provisioning of these new identities ties into the company’s HR application as the authoritative identity source. In the following diagrams, the on-premises synchronization component is a generic process replaceable with any of the options described in the subsequent section Synchronize on-premises identities (Information Workers).

Option 1: Single HR system to Azure AD integration

The kiosk worker identity gets copied from the master HR system to Azure AD through an integration layer.
Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD PowerShell or Azure AD.

Figure 3: Single HR system to Azure AD integration

Advantages:
- Kiosk worker identities are now stored in Azure AD, while the HR system remains the authoritative source.

Tradeoffs:
- Additional effort to design, implement, test and maintain the integration layer.
- Disparate tools and workflows required to manage the identity lifecycle for all the relevant identities.

Option 2: Direct inbound provisioning with Workday

With inbound provisioning, every time a new kiosk worker identity is created in Workday, it is automatically added to Azure AD.

Figure 4: Direct inbound provisioning with Workday

Advantages:
- Simple integration, fully automated through the SaaS HR application.
  Learn More: Inbound Provisioning

Tradeoffs:
- Inbound provisioning is limited to Workday as the data source and a very narrow set of attributes.
- Disparate tools and workflows required to manage the identity lifecycle for all identities.

Option 3: Multiple HR systems to Azure AD integration

In some cases, such as mergers and acquisitions, multiple HR systems must be integrated into Azure AD. The kiosk worker identity is copied from various source repositories into a single view (metaverse) through an integration layer. Microsoft Identity Manager manages this layer using programmatic interfaces such as Azure AD PowerShell and Azure AD.

Figure 5: Multiple HR systems to Azure AD integration

Advantages:
- Kiosk worker identities are only present in Azure AD.
- Write-back opportunity through the MIM connector infrastructure.

Tradeoffs:
- Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
- Disparate tools and workflows required to manage the identity lifecycle for all identities.
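Options 1 and 3 above keep the HR system authoritative and push kiosk worker identities into Azure AD through an integration layer. The following added example (not from the guide or from MIM) shows the core of such a layer in PowerShell with the MSOnline module: it diffs a constructed HR export against cloud-only accounts and plans the joiner, mover and leaver actions; the kiosk namespace kiosk.contoso.com, the e<EmployeeId> UPN pattern and storing the employee ID in ImmutableId are assumptions.

```powershell
# Added example, not from the guide: reconcile an HR export (authoritative source)
# against cloud-only kiosk worker accounts in Azure AD using the MSOnline module
# (Get-MsolUser / New-MsolUser / Set-MsolUser). The employee ID is kept in the
# cloud account's ImmutableId so renames in HR never break the link. Sample rows,
# the kiosk.contoso.com namespace and the 'e<ID>' UPN pattern are assumptions.

$KioskDomain = 'kiosk.contoso.com'

# Constructed HR export; in production this is the HR system extract.
$HrExportCsv = @'
EmployeeId,FirstName,LastName,Status
100231,Susie,Lee,Active
100232,Bob,Stone,Active
100233,Ana,Reyes,Terminated
'@

function Get-KioskUpn {
    param([Parameter(Mandatory)][string]$EmployeeId)
    # Employee ID as the UPN prefix: stable across name changes and unique by design.
    return "e$EmployeeId@$KioskDomain"
}

function Get-LifecycleActions {
    # Pure computation: compares HR rows with cloud accounts and returns the
    # joiner / mover / leaver actions. $CloudUsers objects need ImmutableId,
    # UserPrincipalName, DisplayName and BlockCredential (as Get-MsolUser returns).
    param(
        [Parameter(Mandatory)][object[]]$HrRecords,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$CloudUsers
    )
    $cloudById = @{}
    foreach ($u in $CloudUsers) { if ($u.ImmutableId) { $cloudById[$u.ImmutableId] = $u } }
    $actions = New-Object System.Collections.Generic.List[object]
    $inHr = @{}
    foreach ($hr in $HrRecords) {
        $inHr[$hr.EmployeeId] = $true
        $name  = "$($hr.FirstName) $($hr.LastName)"
        $cloud = $cloudById[$hr.EmployeeId]
        $upn   = if ($cloud) { $cloud.UserPrincipalName } else { Get-KioskUpn $hr.EmployeeId }
        $action = $null
        if ($hr.Status -eq 'Active') {
            if (-not $cloud)                      { $action = 'Create' }   # joiner
            elseif ($cloud.BlockCredential)       { $action = 'Unblock' }  # rehire
            elseif ($cloud.DisplayName -ne $name) { $action = 'Rename' }   # mover
        } elseif ($cloud -and -not $cloud.BlockCredential) {
            $action = 'Block'                                              # leaver
        }
        if ($action) {
            $actions.Add([pscustomobject]@{
                Action = $action; EmployeeId = $hr.EmployeeId; Upn = $upn
                DisplayName = $name; FirstName = $hr.FirstName; LastName = $hr.LastName })
        }
    }
    # Cloud accounts carrying an ID that HR no longer knows are orphans: block them too.
    foreach ($u in $CloudUsers) {
        if ($u.ImmutableId -and -not $inHr.ContainsKey($u.ImmutableId) -and -not $u.BlockCredential) {
            $actions.Add([pscustomobject]@{
                Action = 'Block'; EmployeeId = $u.ImmutableId; Upn = $u.UserPrincipalName
                DisplayName = $u.DisplayName; FirstName = $null; LastName = $null })
        }
    }
    return $actions
}

function Invoke-LifecycleActions {
    # Applies the plan. Run with -WhatIf first; requires a prior Connect-MsolService.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Actions)
    foreach ($a in $Actions) {
        if (-not $PSCmdlet.ShouldProcess($a.Upn, $a.Action)) { continue }
        switch ($a.Action) {
            'Create'  { New-MsolUser -UserPrincipalName $a.Upn -DisplayName $a.DisplayName `
                            -FirstName $a.FirstName -LastName $a.LastName -ImmutableId $a.EmployeeId `
                            -UsageLocation 'US' -ForceChangePassword $true | Out-Null }  # 'US' assumed
            'Rename'  { Set-MsolUser -UserPrincipalName $a.Upn -DisplayName $a.DisplayName `
                            -FirstName $a.FirstName -LastName $a.LastName }
            'Unblock' { Set-MsolUser -UserPrincipalName $a.Upn -BlockCredential $false }
            # Leavers are blocked, not deleted: the object stays for audit and possible rehire.
            'Block'   { Set-MsolUser -UserPrincipalName $a.Upn -BlockCredential $true }
        }
    }
}

# Demo against constructed cloud state; replace with: Get-MsolUser -DomainName $KioskDomain -All
$hrRows = $HrExportCsv | ConvertFrom-Csv
$cloudState = @(
    [pscustomobject]@{ ImmutableId = '100231'; UserPrincipalName = 'e100231@kiosk.contoso.com'; DisplayName = 'Susie Li';  BlockCredential = $false },
    [pscustomobject]@{ ImmutableId = '100233'; UserPrincipalName = 'e100233@kiosk.contoso.com'; DisplayName = 'Ana Reyes'; BlockCredential = $false },
    [pscustomobject]@{ ImmutableId = '100240'; UserPrincipalName = 'e100240@kiosk.contoso.com'; DisplayName = 'Old Temp';  BlockCredential = $false }
)
$plan = Get-LifecycleActions -HrRecords $hrRows -CloudUsers $cloudState
$plan | Format-Table Action, EmployeeId, Upn, DisplayName -AutoSize
# After Connect-MsolService:  Invoke-LifecycleActions -Actions $plan -WhatIf
```

Blocking rather than deleting a leaver matches the lifecycle table later in this guide: the block takes effect immediately for a cloud-only identity, while SaaS sessions still depend on each application's own cookie lifetime.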
Option 4: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Companies that want to provide a consistent management experience for kiosk and information workers can integrate both kinds of identities into on-premises Active Directory, and use a common synchronization mechanism to propagate the identities into the cloud.

Learn More: Synchronize Information Worker

Figure 6: Kiosk and information workers consolidated on-premises and synchronized to Azure AD

Advantages:
- Single cloud synchronization strategy through Azure AD Connect.
- Common tools to manage all identities in on-premises Active Directory.
- Common tools to unify the user experience, such as federated login, password management, and so on.
- Provision of additional features through the MIM connector infrastructure.

Tradeoffs:
- Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
- Greater load on the on-premises Active Directory from the kiosk identities, which affects factors such as the size of the directory information tree and replication latency.
- More identities on-premises, generating more risk of unintended access to on-premises resources.

Helpful Tips

Since kiosk users will not log on to the on-premises Active Directory, consider the aspects below for password hash sync domains:

- Run the following PowerShell cmdlets from the Azure AD Connect server to synchronize the passwords of kiosk workers who are marked as “user must change password at next logon” (the common case when creating new user accounts):

      Import-Module ADSync
      Set-ADSyncAADCompanyFeature `
          -ConnectorName "<case sensitive aad connector name>" `
          -ForcePasswordResetOnLogonFeature $true

- Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords synchronized from on-premises are marked to never expire in the cloud.
- If you disable the kiosk workers’ user accounts on-premises based on your security policies, then perform the following steps to allow users to change their passwords in the cloud and write them back on-premises:
  1. Re-run the Azure AD Connect wizard and clear the password writeback checkbox.
  2. Update the file “%ProgramFiles%\Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config” to contain the following value:

         <add key="ConvertChangePasswordToResetPasswordForDisabledUser" value="true"/>

  3. Re-run the Azure AD Connect wizard and select the password writeback checkbox.

Synchronize on-premises identities (Information Workers)

The following three options enable you to synchronize existing on-premises identity stores—either traditional LDAP-based directories or a custom store, such as a relational database—with Azure AD. The following scenarios apply equally to identities from single or multiple stores.

Option 1: Integrate all repositories to the cloud with Azure AD Connect

You can engage the services of the Azure AD product group, Microsoft Premier Support, Microsoft Consulting Services or a Microsoft Partner to assist you in deploying an advanced customization of Azure AD Connect.

Figure 7: Integrate all repositories to the cloud with Azure AD Connect

Advantages:
- MIM supports multiple types of connectors, so you can connect directly to multiple data sources.
  Learn More: Connectors
- You benefit from optimizations and investments in Azure AD Connect.
  Improvements come automatically.

Tradeoffs:
- Initial deployment and ongoing maintenance require a complex engagement from the Azure AD product group, Microsoft Premier Support, Microsoft Consulting Services, or a Microsoft Partner.

Option 2: Integrate all repositories to the cloud with MIM

Instead of using Azure AD Connect, this option uses the MIM connector for Azure AD.

Figure 8: Integrate all repositories to the cloud with MIM

Advantages:
- This option is easier to implement if you have already deployed MIM in your organization.
- You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.

Tradeoffs:
- Capabilities of the MIM connector to the cloud are limited compared to Azure AD Connect, which has features such as write-back.
- May not be a future-proof solution.

Option 3: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

This approach combines multiple identity repositories into an Active Directory forest using Microsoft Identity Manager. The on-premises Active Directory then synchronizes to the cloud through Azure AD Connect.

Figure 9: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud

Advantages:
- MIM supports multiple types of connectors, so you can connect directly to multiple data sources.
  Learn More: Connectors
- You benefit from optimizations and investments in Azure AD Connect.
  Improvements come automatically.
- New identities from disparate HR systems get the same authentication experience once they are integrated into the on-premises Active Directory.

Tradeoffs:
- You need enough Client Access Licenses (CALs) to incorporate users who have lacked on-premises accounts into your directory.
- Additional infrastructure may be required.

Helpful Tips

Since kiosk users will not log on to the on-premises Active Directory, the same considerations for password hash sync domains listed under Option 4 in the previous section (forcing a password reset at next logon, enabling cloud password expiration, and handling disabled on-premises accounts with password writeback) apply here.

What to expect during each phase of the Identity Lifecycle

Azure AD helps IT departments ensure that individual accounts are properly maintained during the identity lifecycle, while following the organization’s policies and procedures for account creation, termination, and other events.
This section describes each aspect of the identity lifecycle and what it takes to deliver the corresponding user experience.

Creating new identities

Action: Create New Identity

- User can log in to Azure AD
  - Cloud-only identity: Immediately
  - On-premises identity: After the on-premises sync cycle occurs
  - In Workday: After the Workday – Azure AD sync cycle occurs
- Identity entitlements are configured
  - Cloud-only identity: Immediate if using attribute-based access control; other techniques require manual intervention.
  - On-premises identity / In Workday: Immediately after an identity is in Azure AD, if using attribute-based access control; other techniques require manual intervention.
- Identity profiles created for Office 365 (Exchange Online, SharePoint, Skype for Business, etc.)
  - All identity types: Once the identities are in the Azure AD directory, you can assign Office 365 licenses, which in turn trigger the provisioning process. Learn more: Assign or remove licenses for Office 365 for business
- Identity profiles created for SaaS applications that support provisioning
  - All identity types: Immediate if using attribute-based access control; other techniques require manual intervention.
- Identity profiles created on SaaS applications that do not support provisioning
  - All identity types: Manual intervention required.

Servicing

Expected experience on password lifecycle events with self-service password management enabled.

Action: Update Expired Password

- Redirect to Azure AD password change at login
  - Cloud-only identity: Immediate
  - On-premises identity: For password hash sync tenants, the cloud account password is set to “Never Expire” for users whose passwords synchronize to the cloud. Users can then continue to sign in to cloud services using a synchronized password, even if it has expired in your on-premises environment.
    The cloud password updates when the password changes in the on-premises environment. For federated tenants, users need to update their password when logging in to the cloud.
- Redirect to Azure AD password change on existing Azure AD sessions
  - Cloud-only identity: Immediate
- Password change on a SaaS application session is redirected to Azure AD
  - Cloud-only identity: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
  - On-premises identity: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
- Windows receives the new password after it has changed in the cloud
  - On-premises identity: After a password sync cycle (near real time – within minutes)

Action: Password Reset and Change

- User can log in to cloud resources with the new password
  - Cloud-only identity: Immediate
  - On-premises identity: After a password sync cycle (near real time – within minutes)
- User can log in to on-premises resources with the new password
  - Cloud-only identity: N/A
  - On-premises identity: After a password sync cycle (near real time – within minutes)

Action: Disable / Delete Identities

Columns: Cloud-only identity | On-premises identity synchronized via password hash sync | On-premises identity synchronized via federation | In Workday

- Mark account as disabled/deleted in Azure AD
  - Cloud-only: Immediate
  - Password hash sync: After a sync cycle with on-premises
  - Federation: After a sync cycle with on-premises
  - In Workday: After a sync cycle from the HR SaaS app
- Block new logins to Azure AD
  - Cloud-only: Immediate
  - Password hash sync: After a sync cycle with on-premises
  - Federation: Immediate
  - In Workday: After a sync cycle from the HR SaaS app
- Invalidate existing Azure AD sessions
  - All identity types: Immediate
- Invalidate existing SaaS application sessions
  - All identity types: Dependent on the application. Azure AD cannot control the cookie lifetime of applications.
- Disable/Delete user profiles in SaaS applications that support outbound provisioning
  - All identity types: 5 minutes by default, after the account is marked as disabled in Azure AD.
    (Configurable through provisioning properties.)
- Disable/Delete user profiles in SaaS applications that do not support outbound provisioning
  - All identity types: Manual clean-up required.

Helpful Tips

- Modeling access to resources through Azure AD groups will give you self-service group management, delegated administration and attribute-based access control to applications and license assignment.
  Learn More: Managing access to resources with Azure Active Directory groups
- Control functions such as auditing and attestation are built into Azure AD reporting.
  Learn More: Azure Active Directory audit report events
- Password management is available through Azure AD for both on-premises and cloud identities. It enables self-service password reset and change, as well as account unlock, freeing up help desk resources.
  Learn More: Getting started with Password Management

Key Infrastructure Design Considerations

This section covers key considerations and techniques for creating a robust identity infrastructure implementation plan for the future.

Tenant Name Design

The tenant name appears in multiple use cases. For branding purposes, it therefore needs to be considered carefully. Assuming a tenant name of rcdemosnet.onmicrosoft.com, information and kiosk workers will see the following:

SharePoint

Figure 10: SharePoint namespace sample

Figure 11: SharePoint namespace sample

Yammer

Figure 12: Yammer namespace sample

User Principal Name (UPN) patterns

Since cloud identities sign in with a User Principal Name (UPN), defining requirements around domain and user naming is crucial to avoid the cost of having to rework the tenant account later.

Having on-premises domain names or user accounts that should not be moved to the cloud is common.
For example, names associated with old branding, domain names from acquired companies, domains from unused geographies or cost centers, and bad usernames should not be migrated or synchronized with the cloud. The following table provides typical requirements, how they can be met with Azure AD, and the tradeoffs of each option:

Typical namespace requirements and tradeoffs

Requirements: Clean up the on-premises namespace to use consistent branding. Clean up the information worker usernames used on-premises (for example, instead of jx79872@NA.contoso.com, sign in as joe.smith@contoso.com).
How to accomplish: Clean up the UPN attribute on-premises.
Tradeoffs: Each on-premises forest must have a different namespace. Additional testing is required of on-premises applications that might have taken a dependency on the UPN attribute.

Requirements: Clean up cloud user names and namespace. Do not change on-premises UPNs, to avoid impacting legacy applications.
How to accomplish: Deploy Alternate Login ID using AD FS + Azure AD Connect. Learn More: Configuring Alternate Login ID
Tradeoffs: Significant complexity is added to the information worker’s user experience, which causes challenges in hybrid Office 365 scenarios. Learn More: Configuring Alternate Login ID

The following table captures the login experience implications of namespaces:

Namespace implications for login experience

Requirements: Single sign-on using on-premises credentials for information workers.
How to accomplish: Provision kiosk workers in a different domain. Federate information workers and use AD FS.
Tradeoffs: Kiosk workers and information workers will have different namespaces (for example, susie@contoso.com and sbob@stores.contoso.com).

Requirements: Same sign-on for information workers. Common namespace for kiosk and information workers.
How to accomplish: Use password hash sync for information workers, and provision kiosk workers in the same domain.
Tradeoffs: Write-back capabilities will not be available. Information workers will not be able to use desktop SSO.

Requirement: Single Sign-On for information workers. Consistent identity tools and management for both kiosk and information workers.
How to accomplish: Synchronize kiosk workers to on-premises AD, and use the same tools for kiosk and information workers.
Tradeoffs: On-premises AD grows with identities that will never log in on-premises. New accounts might inadvertently have access to some on-premises resources.

Sign-in Experience

Deploying the cloud identity solution gives users single sign-on to SaaS applications, including Office 365 and other services configured by the Azure AD tenant owner. The following table lists some important items to consider when you get close to launching the solution's infrastructure for your information and kiosk workers:

Cloud Identity Solution pre-deployment considerations

Item: Password policy for cloud identities
Consideration: Cloud identities and on-premises identities have the following password policy differences. As an administrator, you can configure the following for cloud identities:
- Password expiration duration
- Password expiry notification
- Password never expires
Azure AD manages the following aspects of the cloud identity password policy:
- Length requirements
- Complexity requirements
- Password history (duration and how many previous passwords are allowed)
- Account lockout
Learn More: Password policy in Azure AD
Azure AD allows you to configure the password validity period and notification window using PowerShell.
Learn More: Set-MsolPasswordPolicy

Item: User interface look and feel
Consideration: Before launching your cloud identity solution, it is important to determine branding and appreciate its effect on the user experience.
Ideally, you want to provide branding for information workers and kiosk workers that resembles their on-premises login experience.
Learn More: Add company branding to your sign-in and Access Panel pages

Organizational Security

Using Azure AD, IT administrators can more easily identify and mitigate security threats, address regulatory compliance requests, and meet the reporting requirements of business owners.

For a general discussion of security in the cloud, see the following articles:
- Azure AD Connect account privileges
- Azure AD Connect prerequisites
- URLs and ports used by Azure AD Connect
- Security considerations for password hash sync
- Security considerations for Azure Cloud
- Classic Metadirectory Walkthrough: Administering MIIS 2003 Infrastructure
- Azure AD Connect Health - Frequently Asked Questions (FAQ)

Mapping Azure AD Connect Roles to Identity Organization Teams

The following table maps Azure AD Connect roles to the organizational team structure.

Azure AD Connect roles and recommended responsibilities

Azure AD Connect role: ADSyncAdmins
Description: Full access to everything in the Sync Engine.
Recommended responsibility: Identity Architecture / Development team

Azure AD Connect role: ADSyncOperators
Description: Access to Operations in the Sync Engine only. Members can run management agents, view synchronization statistics for each run, and save the run histories to a file.
Recommended responsibility: On-Premises Identity Operations team

Azure AD Connect role: ADSyncBrowse (Password Sync Service only)
Description: Permission to gather information about a user's lineage when resetting passwords using Windows Management Instrumentation (WMI) queries.
Recommended responsibility: On-Premises Identity Operations team

Azure AD Connect role: ADSyncPasswordSet (Password Sync Service only)
Description: Permission to perform all operations using the WMI password management interfaces.
Recommended responsibility: On-Premises Identity Operations team

Support for Privacy, Compliance, and Operations

Because the identity system controls access to many high-value business assets, the identity service should be considered a key security asset and a likely target for attack.
Organizations need to implement appropriate controls to protect their sensitive data, whether this data is hosted on-premises or in the cloud. Learn more via the links provided:

Privacy
- Which attributes are sent to the cloud? Azure AD Connect sync: Attributes synchronized to Azure Active Directory
- How is privacy managed in the Azure Cloud? Microsoft Trust Center - Privacy

Compliance
- What cloud certifications does Azure have? Microsoft Trust Center - Compliance
- What cloud certifications does Azure have for the retail industry? Microsoft Trust Center - PCI

Operations
- Operational guide for Azure AD Connect: Azure AD Connect sync: Operational tasks and considerations
- Azure AD Connect Health: Monitor your on-premises identity infrastructure and synchronization services in the cloud

Reference

For more information about Azure Active Directory, see ................
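The role-to-team mapping in the Organizational Security section only protects the sync engine if the four ADSync groups actually contain the intended teams and nothing else. The following PowerShell script is an added example, not part of this guide or of Azure AD Connect itself: it compares the live membership of ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet with the recommended mapping and reports unexpected or missing members. It assumes Azure AD Connect is installed on a domain-joined member server, where these are local groups (on a domain controller they are domain groups and Get-ADGroupMember would be used instead); the CONTOSO\* group names and the sample snapshot are placeholders constructed for the example.

```powershell
# Added example (not from the guide): audit Azure AD Connect sync-engine group
# membership against the recommended team mapping.
# Assumption: Azure AD Connect runs on a domain-joined member server, so the
# four ADSync groups are local groups on that server. The CONTOSO\* names are
# placeholders for your own team groups.
#Requires -Version 5.1

# One team group per role, following the guide's recommended responsibilities.
$ExpectedMembers = @{
    'ADSyncAdmins'      = @('CONTOSO\IdentityArchitecture')   # Identity Architecture / Development team
    'ADSyncOperators'   = @('CONTOSO\IdentityOperations')     # On-Premises Identity Operations team
    'ADSyncBrowse'      = @('CONTOSO\IdentityOperations')
    'ADSyncPasswordSet' = @('CONTOSO\IdentityOperations')
}

function Test-ADSyncGroupMembership {
    <#
    .SYNOPSIS
      Compares actual sync-engine group membership with the expected mapping.
    .OUTPUTS
      One object per member with Status = Expected, Unexpected or Missing.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        # Optional snapshot of actual membership (role -> member names) so the
        # comparison can run off the server; omit it on the sync server itself.
        [hashtable] $Snapshot
    )

    foreach ($group in ($Expected.Keys | Sort-Object)) {
        if ($PSBoundParameters.ContainsKey('Snapshot')) {
            # Drop null entries so a missing key behaves like an empty group.
            $actual = @($Snapshot[$group] | Where-Object { $_ })
        } else {
            try {
                # Get-LocalGroupMember reports domain principals as DOMAIN\Name.
                $actual = @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
                            Select-Object -ExpandProperty Name)
            } catch {
                # Orphaned SIDs or a missing group surface here; report and move on.
                Write-Warning "Cannot enumerate '$group': $($_.Exception.Message)"
                continue
            }
        }

        $allowed = @($Expected[$group])
        foreach ($member in $actual) {
            $status = if ($allowed -contains $member) { 'Expected' } else { 'Unexpected' }
            [pscustomobject]@{ Group = $group; Member = $member; Status = $status }
        }
        foreach ($absent in ($allowed | Where-Object { $actual -notcontains $_ })) {
            [pscustomobject]@{ Group = $group; Member = $absent; Status = 'Missing' }
        }
    }
}

# Constructed sample snapshot so the check can be exercised without a sync
# server. It models two common drifts: the account that ran the installer is
# still in ADSyncAdmins, and a help-desk group was added to ADSyncOperators;
# nobody holds ADSyncPasswordSet, so password-reset tooling would fail.
$sample = @{
    'ADSyncAdmins'      = @('CONTOSO\IdentityArchitecture', 'CONTOSO\svc-aadc-install')
    'ADSyncOperators'   = @('CONTOSO\IdentityOperations', 'CONTOSO\HelpDesk')
    'ADSyncBrowse'      = @('CONTOSO\IdentityOperations')
    'ADSyncPasswordSet' = @()
}

Test-ADSyncGroupMembership -Expected $ExpectedMembers -Snapshot $sample |
    Where-Object Status -ne 'Expected' |
    Format-Table Group, Member, Status -AutoSize

# On the Azure AD Connect server itself, omit -Snapshot to read the live groups:
# Test-ADSyncGroupMembership -Expected $ExpectedMembers | Where-Object Status -ne 'Expected'
```

Run it from a scheduled task or a configuration-drift check rather than once at deployment: ADSyncAdmins is the role with full access to the Sync Engine, so every member added outside the Identity Architecture / Development team widens the set of accounts that can reconfigure synchronization. Treat an Unexpected row in that group as a finding to review, and a Missing row in ADSyncPasswordSet or ADSyncBrowse as a sign that the Operations team's password-reset tooling will break.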