Azure Active Directory (AAD) is Identity as a Service (IDaaS).
It covers a much smaller, identity-focused set of functions than Active Directory, and it is not a replacement for Windows Server Active Directory at all.
Azure Active Directory provides identity services to mobile apps and web apps running in the (public) cloud.
These apps may also be connected to on-premises applications, so SSO can be enabled across them.
So Azure Active Directory has a fairly simple set of functions:
create users and groups, assign those users and groups access to resources and applications (role assignments), and authenticate them when they sign in.
When you log in to the Azure portal, the upper right corner of the screen shows your username along with the directory (domain).
Directory, tenant and organization are used interchangeably.
Management of Users and Groups:
- Cloud identity (users created manually in Azure AD)
- Directory synchronized identity (users synchronized from on-premises AD)
Add users
A user created directly as a cloud identity is a member of the directory; a user invited from outside the directory (a Microsoft account or a user in another Azure AD directory) is added as a Guest.
When you set up directory synchronization, on-premises AD users and groups are synchronized into Azure AD users and groups; synchronized objects are owned by the on-premises AD and must be changed there, not in the portal.
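The user and group management described above, as an added PowerShell example (not code from the original notes): it creates a cloud identity and a security group with the Azure AD V2 module, invites an external user (which is what produces a Guest), and then lists every user with its origin. It assumes the AzureAD module is installed, that you hold a role that may create users and groups, and that the domain, names and e-mail address are placeholders.

```powershell
# Added example, not from the original notes. Assumes the AzureAD (V2) module
# and a role such as User Administrator; all names and domains are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$domain = "contoso.onmicrosoft.com"   # assumption: your tenant's initial domain

# Cloud identity: created directly in Azure AD. Generate a one-time password
# (GUID + mixed case + symbol satisfies the default complexity policy) and force
# a change at first sign-in, so the initial value is never a long-lived secret.
$profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$profile.Password = "$(New-Guid)Aa!"
$profile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName "Alice Example" `
    -UserPrincipalName "alice@$domain" -MailNickName "alice" `
    -AccountEnabled $true -PasswordProfile $profile

# A security group (not mail-enabled), then add the new user to it.
$group = New-AzureADGroup -DisplayName "App Readers" -MailNickName "appreaders" `
    -MailEnabled $false -SecurityEnabled $true
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId

# Inviting an external user is what creates a Guest (UserType = Guest); the
# guest object is created asynchronously once the invitation is issued.
New-AzureADMSInvitation -InvitedUserEmailAddress "bob@partner.example" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage $true | Out-Null

# Report how each user got into the directory. DirSyncEnabled is set only on
# objects owned by directory synchronization; those must be changed on premises.
Get-AzureADUser -All $true |
    Select-Object UserPrincipalName, UserType,
        @{ n = "Source"; e = { if ($_.DirSyncEnabled) { "Synced from on-prem AD" } else { "Cloud identity" } } } |
    Format-Table -AutoSize
```

The last query is the check worth keeping: a synced user that suddenly shows up as a cloud identity (or the reverse) means the object's ownership changed, which is something to investigate rather than fix in place.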
Custom Domain
You can add your own custom domain to AAD.
To prove ownership you create a DNS TXT (or MX) record with the value Azure gives you at your DNS registrar, then ask Azure to verify it.
DNS propagation may take up to 72 hours, so verification can take that long to succeed.
PowerShell
- MSOnline module (older, Msol* cmdlets)
- Azure AD V2 module (newer, AzureAD* cmdlets)
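The custom-domain procedure above, as an added PowerShell example using the Azure AD V2 module (not code from the original notes): it registers the domain, prints the exact TXT record Azure expects, checks from the outside whether that record is already visible, and only then asks Azure to confirm. It assumes the AzureAD module, a Global Administrator role, a Windows host with Resolve-DnsName available, and that contoso.com is a placeholder for a domain you control.

```powershell
# Added example, not from the original notes. Assumes the AzureAD (V2) module,
# Global Administrator, and Resolve-DnsName (DnsClient module on Windows).
# contoso.com is a placeholder.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$name = "contoso.com"

# Register the domain. It stays unverified until the DNS proof is found.
if (-not (Get-AzureADDomain | Where-Object { $_.Name -eq $name })) {
    New-AzureADDomain -Name $name | Out-Null
}

# Azure hands back the DNS record it will look for. The proof is a DNS TXT
# record at your registrar, not a file you upload. Print exactly what to create.
$rec = Get-AzureADDomainVerificationDnsRecord -Name $name |
    Where-Object { $_.DnsRecordType -eq "Txt" }
"Create a TXT record: name={0} ttl={1} value={2}" -f $rec.Label, $rec.Ttl, $rec.Text

# Look the record up from the outside first: Confirm-AzureADDomain fails until
# the record has propagated, which can take up to 72 hours.
$published = (Resolve-DnsName -Name $rec.Label -Type TXT -ErrorAction SilentlyContinue).Strings
if ($published -contains $rec.Text) {
    Confirm-AzureADDomain -Name $name
    # IsVerified flips to $true once Azure has seen the TXT record.
    (Get-AzureADDomain -Name $name).IsVerified
} else {
    "TXT record not visible yet; wait for DNS propagation and retry."
}
```

Leave the TXT record in place after verification if you want to keep the option of re-verifying; removing it does not un-verify the domain, but losing control of the DNS zone would let someone else claim the name in a different tenant once it is removed from yours.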
Custom Directory or Tenant
Click Create -> New.
Type Directory and select Azure Active Directory.
Click Create. You get a new screen to create the directory.
Provide the Organization name, Initial domain name and Country or region to create your new directory.
Once the directory is created, you can switch between directories.
Look at the upper right corner where your name appears, click on it, and you are shown the directories you have access to.
Click on a directory and you are taken to that directory's portal.
By default one directory is assigned when your account is created, and you start in that default directory.
What is the purpose of Azure Active Directory?
Identity is the primary purpose, especially for cloud applications.
You can also enable SSO.
Windows Server Active Directory is not the same as Windows Azure Active Directory.
Windows Server AD:
Domain Services
Lightweight Directory Services (AD LDS)
Certificate Services
Federation Services
Rights Management Services
Users
LDAP, DNS, network services etc.
Azure AD:
AAD - identity
Azure Access Control Service (federated identity from external providers)
Uses REST APIs and internet identity protocols (OAuth, SAML, WS-Federation)
You cannot migrate an enterprise application built for Windows Server AD to Azure AD as-is; there is no LDAP directory or Kerberos domain to bind to.
You have to build your services with Azure AD in mind.
Office 365
We use these services every day:
- Exchange Online
- SharePoint Online
- Lync Online
Azure AD is built to support
- Office 365 applications
- Cloud applications
- Internet-facing applications
The technologies used within an organization for providing SSO (domain-based protocols such as Kerberos) are not good enough to span the internet.
So when an application is moved to the cloud, the user loses the advantage of SSO and has to be given a new user id and password.
In the traditional tree model, access is retrieved by querying with the LDAP protocol (e.g. if you want a user's manager's manager).
The same concept is used in Azure AD and is exposed through a REST API, the Graph API.
Azure AD is a distributed service that lives in the cloud.
It exposes interfaces like
- Graph API
- Authentication endpoints for
  - OAuth 2.0
  - SAML protocol
  - WS-Federation
Azure AD is a service; it contains data inside it.
The data is tenants, users, groups and so on.
Each customer can see only his own data, and can manage it using the Azure portal.
For a customer to configure an application, they create a service principal in the tenant.
This is an object that describes the application: its application (client) id and a secret key (or certificate).
The app is set up so that it is linked with the service principal.
When a user accesses the application, the app redirects the user to the Azure AD authentication endpoint.
Azure AD shows the sign-in page and the user signs in.
Azure AD then returns the user's identity to the app as a digitally signed token.
The app validates the token (signature, issuer, audience, expiry), reads the user id from it, and in some cases also maintains its own DB of user profiles.
Note that the app never keeps the user's password in its DB; authentication is done by Azure AD.
Using the token, the app knows the user id and gets the profile information from its DB.
If the app requires more information about the user, like the user's manager, it can call the Graph API and get the information.
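The registration step of the flow above, as an added PowerShell example (not code from the original notes): it creates the application object, a short-lived client secret, and the service principal that represents the app in this tenant, then emits the values the app's configuration needs, including the endpoints whose issuer, audience and signing keys the app must validate on every token. It assumes the AzureAD V2 module, a role allowed to register applications, and that the app name and reply URL are placeholders.

```powershell
# Added example, not from the original notes. Assumes the AzureAD (V2) module
# and a role that may register applications; app name and URLs are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId

# 1. Application object: the definition of the app (client id, reply URLs).
#    Only registered reply URLs may receive tokens, so keep this list exact.
$app = New-AzureADApplication -DisplayName "Expense Web App" `
    -ReplyUrls @("https://expenses.contoso.example/signin-oidc")

# 2. A secret the app presents when it redeems the authorization code.
#    Keep the lifetime short; the value is returned only once.
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier "initial" -StartDate (Get-Date) -EndDate (Get-Date).AddMonths(6)

# 3. Service principal: the app's identity inside this tenant. Sign-in, consent
#    and user/group assignment all hang off this object, not the app object.
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# What the app's configuration needs. The secret value is emitted here only for
# illustration; put it in Key Vault or your secret store, never in source.
[pscustomobject]@{
    TenantId           = $tenantId
    ClientId           = $app.AppId
    ClientSecret       = $secret.Value
    SecretExpires      = $secret.EndDate
    ServicePrincipalId = $sp.ObjectId
    AuthorizeEndpoint  = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize"
    TokenEndpoint      = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
    # Every token the app accepts must carry iss for this tenant, aud equal to
    # ClientId, an unexpired exp, and a signature that verifies against the
    # keys published at this endpoint.
    KeysEndpoint       = "https://login.microsoftonline.com/$tenantId/discovery/v2.0/keys"
}
```

Deleting the service principal (Remove-AzureADServicePrincipal) is enough to stop sign-ins to the app in this tenant without touching the application object, which is the quickest containment step if the secret leaks.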
This kind of scheme gives SSO for
- Office 365 applications
- on-premises applications
- applications deployed on Azure
- internet-connected applications integrated with Azure AD
To extend this to every service on premises, like SharePoint, printers, LOB apps etc., install Active Directory Federation Services (AD FS). This gives SSO for everything.
The sync tool (Azure AD Connect) synchronizes information between Azure AD and Windows Server AD.
You can have authentication done in Windows Server AD (federation), so that when a user leaves the organization, disabling his on-premises account automatically disables his login for all applications.
Traditionally, if you want to access resources outside your company, there are limits: firewalls, security, VPN requirements etc.
Also a user needs to be created in the external resource every time somebody needs access.
To avoid this we can use federation services (AD FS).
Azure Active Directory has federation with many well-known applications.
Organizations can federate with Azure, so that Azure does the required authentication and provides access to the applications.
Administrators can restrict which applications users can access.