© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2023
S. Lad, Azure Security for Critical Workloads, https://doi.org/10.1007/978-1-4842-8936-5_2

2. Identity and Access Management with Azure Active Directory

Sagar Lad (1)
(1) Navsari, India

Identity and access management (IAM) is the process of authenticating and authorizing security principals. Enterprises should govern and configure identity and access management to make sure that services, applications, users, and groups have the correct access to data.

Azure Active Directory is an enterprise identity service that provides single sign-on (SSO), multifactor authentication (MFA), and conditional access to protect against security attacks.

This chapter covers the following topics:
  • Identity protocols and application types

  • Azure Active Directory security model

  • Active directory federation services

  • Azure AD Application Proxy

  • Azure AD B2B and B2C for external partners

  • PIM Azure AD Identity protection hybrid implementation

  • Single sign-on with Azure AD

Identity Protocol and Application Types

Microsoft Azure has an identity platform that allows developers to build different types of applications for various business needs. They can create single page applications, web applications, mobile apps, and services.

Single Page Applications

In recent years, web applications have become so popular and so advanced that developers can build sophisticated client-side applications. These client-side applications are also known as single-page applications (SPAs).

Let’s look at how to create, configure, and use Azure AD applications to use the data returned from Microsoft Graph with the OAuth 2.0 protocol.

Modern web applications are written with frameworks like Vue, React, and Angular. The easiest way to use Microsoft Identity for authentication is to obtain access tokens and use them to authorize requests to secured endpoints.

First, the single-page application has to be registered as a new app in Azure AD. This registration is what lets the SPA authenticate users and obtain access tokens for Microsoft Graph. Once the application is created in Azure AD, you configure it as a single-page application. You can do this in the Azure AD Admin Center at https://aad.portal.azure.com, as shown in Figure 2-1.

A screenshot displays the Azure Active Directory page. The page includes Overview, Preview features, Diagnose and solve problems, and Manage options. Under Manage, App registrations is selected.

Figure 2-1

Azure AD app registration

Once the Azure AD application is configured, you have to make sure that the redirect URI of the app points to the URL of the SPA. See Figure 2-2.

A screenshot represents the single-page application configuration, which contains the redirect URIs, the front-channel logout URL, and the grant type of the Azure AD SPA.

Figure 2-2

Azure AD single page app configuration

Web Apps with Sign In and API Calling

Developers can use Microsoft Identity to add authentication to a web app and require users to sign in. Once a user is signed in and has granted consent, the web application obtains a token from Azure AD and uses it to request data from web APIs. In the second phase, you can enable the application to call the web API on behalf of the signed-in user.

OAuth 2.0 authorization code grant flow: The OAuth 2.0 authorization code flow is common when websites or custom applications use Azure AD as a federated authentication provider. When the application wants users to sign in or needs an access token, it redirects users to Azure AD for authentication. See Figure 2-3.

A diagram depicts the application client, which sends an authorization request and receives a grant, an access token, and the protected resource, as well as the user, the service API of the authorization server, and the resource server.

Figure 2-3

OAuth 2.0 Flow

As shown in Figure 2-3, the application client sends an authorization request to the user, who is the resource owner. The resource owner grants authorization. The client then presents the authorization grant to the authorization server's service API, which issues an access token. The resource server protects the resource and serves the client's request based on that access token.
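To make the exchange in Figure 2-3 concrete, the following added example (not code from the book) builds the messages each party sends in the Azure AD authorization code flow and adds the two checks that protect it: the client binds the response to its session with `state`, and the authorization server verifies the PKCE `code_verifier` before redeeming the code. The tenant ID, client ID, redirect URI, authorization code, and the helper names are constructed placeholders; nothing here contacts the network.

```python
"""OAuth 2.0 authorization code flow messages, with PKCE, against Azure AD.

Added example, not code from the book. Tenant, client id, redirect URI and the
authorization code are constructed placeholders; nothing here talks to the
network. It builds what each party in Figure 2-3 sends and shows the checks the
client (state) and the authorization server (PKCE) perform.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Client side: the browser redirect that starts the flow (authorization request)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # tied to the user's session and checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_authorization_response(redirect_url, expected_state):
    """Client side: accept the grant only if state matches; surface IdP errors."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(tenant, client_id, redirect_uri, code, code_verifier, scopes):
    """Client side: endpoint and form body for redeeming the code at the service API."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,  # proves this client started the flow
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def server_checks_pkce(stored_challenge, presented_verifier):
    """Authorization server side: the verifier must hash to the challenge stored
    with the code, so an intercepted code alone cannot be redeemed."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def demo():
    """Run the whole exchange with constructed values and return the pieces."""
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
    client_id = "11111111-1111-1111-1111-111111111111"  # placeholder app (client) id
    redirect_uri = "https://app.example/auth/callback"
    scopes = ["openid", "profile", "https://graph.microsoft.com/User.Read"]
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()

    authorize_url = build_authorize_url(tenant, client_id, redirect_uri, scopes, state, challenge)
    # Constructed redirect back from Azure AD after the user signed in and consented.
    redirect_back = f"{redirect_uri}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_authorization_response(redirect_back, state)
    token_url, body = build_token_request(tenant, client_id, redirect_uri, code, verifier, scopes)
    return {
        "authorize_url": authorize_url,
        "code": code,
        "token_url": token_url,
        "pkce_ok": server_checks_pkce(challenge, body["code_verifier"]),
        "pkce_wrong_verifier": server_checks_pkce(challenge, make_pkce_pair()[0]),
    }
```

The `state` check is what stops a response from one session being injected into another, and the PKCE check is why a public client such as an SPA can use this flow without a client secret.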

The next step is to create a server-side web application that will allow users to sign in and grant the app permission to act on behalf of the end user.

Now you create a single-tenant Azure AD application. From the Azure Portal, select Azure Active Directory. See Figure 2-4.

Six tiles represent Azure services such as Create a resource, Resource groups, Azure AD Privileged, Log Analytics workspaces, Azure Active Directory, and Microsoft Sentinel.

Figure 2-4

Azure Active Directory

Select App Registrations from Azure Active Directory and click New Registration. Then provide a name and the supported account type to create the application. On the identity page, note the application ID and directory ID. See Figures 2-5 and 2-6.

A screenshot represents the overview containing preview features, diagnose and solve problems, manage include users, groups, external identities, roles and administrators, and administrative units.

Figure 2-5

Azure Active Directory app registration

A screenshot represents the overview, diagnose and solve problems, new registration, endpoints, troubleshooting, all, owned, and deleted applications of azure active directory new app registration.

Figure 2-6

Azure Active Directory new app registration

With OAuth 2.0, four parties are typically involved in the authentication and authorization exchange. The exchanges in which such authentication or authorization happens are called authentication flows, or auth flows. See Figure 2-7.

A flow diagram represents the user, email and password, client ID, secret, username, password, scopes, ID token, access token, refresh token, and the links of the authentication flow.

Figure 2-7

Authentication flow

  • Authorization server: The Microsoft Identity platform, also known as the identity provider (IdP), handles the end user's information, their access, and the trust relationship between the requestor and the server during the authentication flow. The server issues the security tokens that grant, deny, or revoke access to resources.

  • Client: In OAuth, clients are the end users or applications that request access to a protected resource.

  • Resource owner: In the authentication flow, the resource owner is typically an end user who owns the protected resources and data and grants access to them. For example, if you want to get information from Azure Active Directory using the Graph API, you can create a service principal in Azure AD with the permissions required to call the Graph API and find the relevant information. See Figure 2-8.

A diagram represents Azure Active Directory, which contains MSI, a function app, Microsoft Graph, Get access token, and GET /groups of the Azure AD Graph API.

Figure 2-8

Azure AD Graph API

  • Resource server: The resource server hosts the protected data. It is a web API that authorizes requests based on the bearer tokens issued by the authorization server, granting the required access to the resources.

During the OAuth flow, various tokens are involved in the communication. These tokens are used to verify identity and grant or deny access to the protected resource. There are three types of bearer tokens used by the Microsoft Identity Platform:
  • Access tokens: Access tokens are issued by the authorization server to the client application. They contain the permissions that the client requested for the specific resources. See Figure 2-9.

A diagram depicts a client presenting a refresh token to the auth server and receiving an access token, as well as the client presenting the access token to the resource server to reach the protected resource of a web app.

Figure 2-9

Access tokens

  • ID tokens: ID tokens are issued by the authorization server when end users or clients sign in. They carry basic information about the signed-in user that the client uses to serve the request. See Figure 2-10.

Two diagrams depict the ID token, which asserts the user's identity (user ID), and the access token, which optionally retrieves consented user info.

Figure 2-10

ID tokens

  • Refresh tokens: End users and clients use refresh tokens to request new access tokens or ID tokens from the authorization server. See Figure 2-11.

A model diagram represents the client, authorization server, resource server, refresh token, access token, and protected resource of refresh tokens.

Figure 2-11

Refresh tokens
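The resource server's side of the token story above is a set of checks on the bearer access token. The following added example (not code from the book) shows those checks: signature, issuer, audience, validity window, and scope. Azure AD signs its tokens with RS256 and publishes the verification keys at its discovery endpoint; to stay runnable offline, this example mints the sample token itself with HS256 and a constructed key, and the tenant ID, API ID, object ID, and `demo()` helper are constructed placeholders, not real identifiers.

```python
"""Resource-server checks on a bearer access token (the token types above).

Added example, not code from the book. Azure AD issues RS256-signed tokens
and publishes the keys to verify them; to run offline, the sample token is
minted here with HS256 and a constructed key. The claim checks (issuer,
audience, validity window, scope) are what the resource server does after
the signature check. All ids below are placeholders.
"""
import base64
import hashlib
import hmac
import json

CLOCK_SKEW_SECONDS = 60  # tolerance for clock drift between issuer and API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the authorization server issuing a signed JWT (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_access_token(token, key, tenant_id, expected_audience, required_scope, now):
    """Resource server side. Returns the claims or raises ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise ValueError("wrong issuer (token from another tenant or IdP)")
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience (token issued for a different API)")
    if now < claims.get("nbf", 0) - CLOCK_SKEW_SECONDS:
        raise ValueError("token not yet valid")
    if now >= claims.get("exp", 0) + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired; the client should redeem its refresh token")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError(f"missing scope {required_scope}")
    return claims


# Constructed demo values (not real identifiers).
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_TENANT = "00000000-0000-0000-0000-000000000000"
DEMO_API_ID = "22222222-2222-2222-2222-222222222222"
DEMO_NOW = 1_700_000_000


def demo_claims(exp_offset=600):
    return {
        "iss": f"https://login.microsoftonline.com/{DEMO_TENANT}/v2.0",
        "aud": DEMO_API_ID,
        "sub": "constructed-subject",
        "oid": "33333333-3333-3333-3333-333333333333",
        "scp": "Files.Read User.Read",
        "nbf": DEMO_NOW - 60,
        "exp": DEMO_NOW + exp_offset,
    }


def demo():
    """Validate a good token, an expired one, and one whose scopes were edited."""
    good = mint_token(demo_claims(), DEMO_KEY)
    expired = mint_token(demo_claims(exp_offset=-3600), DEMO_KEY)
    header, _payload, sig = good.split(".")
    edited = dict(demo_claims(), scp="Files.ReadWrite.All User.Read")
    tampered = header + "." + b64url_encode(json.dumps(edited).encode()) + "." + sig

    results = {}
    for name, tok in (("good", good), ("expired", expired), ("tampered", tampered)):
        try:
            results[name] = validate_access_token(tok, DEMO_KEY, DEMO_TENANT, DEMO_API_ID, "Files.Read", DEMO_NOW)["oid"]
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results
```

The audience check is the one most often skipped in practice: a token that is perfectly valid for Microsoft Graph must still be rejected by your own API, because it was never issued for it.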

Azure Active Directory Security Model

Azure Active Directory plays a very important role in defining the identity and access management strategy. It helps scale the solution, save on costs, and improve overall security. Organizations must often use a combination of on-premises and cloud-only accounts, so users need access to both types of accounts. Managing users, applications, and access both on-premises and in the cloud has major challenges.

Azure Active Directory creates a common user identity for authentication and authorization to all Azure resources, which is known as the hybrid identity. There are three methods for creating the hybrid identity:
  • Password hash synchronization

  • Passthrough authentication

  • Federation

Let’s go through a checklist of the recommended actions to secure an organization:
  1. Make strong credentials.

  2. Reduce areas to attack.

  3. Automate the threat response.

  4. Use cloud intelligence.

  5. Enable self-service.

An identity assessment score is an automated assessment of the Azure AD tenant’s identity security configuration. Your identity secure score reflects how well your organization is aligned with Microsoft's best practice recommendations. See Figure 2-12.

A screenshot represents the Secure Score for identity at 40.34 percent, the comparison, the score history for 7 days, the improvement actions, the score impact, and the user impact of the Azure AD identity score.

Figure 2-12

Azure AD identity score

This identity score helps you achieve the following:
  • Measure identity security posture

  • Identify and list security improvements

  • Measure the success of your security improvements

Let’s now look at the best security practices for Azure AD in detail.

Make Strong Credentials

Various types of attacks target your software applications. They include phishing attacks, consent phishing, and password-based attacks.

In order to prevent these attacks, it is recommended to enable multifactor authentication for your application and make sure that your credentials are strong. To easily enable a basic level of identity security, you can use the one-click enablement of Azure AD’s security defaults. See Figure 2-13.

A circular model depicts Azure AD conditional access, which contains IF, THEN, allow access, require MFA, force password reset, deny access, limit access, privileged user, and user and session risk.

Figure 2-13

Azure AD security defaults

Security defaults enable Azure AD MFA for the tenant’s users and block sign-ins that use legacy authentication protocols. Many organizations use complex password expiration rules. As per the standard recommendations, it is advised to use Azure AD password protection, a dynamic banned-password feature that prevents users from setting passwords that are easy to guess. See Figure 2-14.

A screenshot indicates password protection: custom banned passwords, enforce custom list (yes or no), enable password protection on Windows Server Active Directory (yes or no), and mode (enforced or audit).

Figure 2-14

Azure AD password protection

There are two types of banned password lists:
  • Global banned password list

  • Custom banned password list, which typically includes:
    • Brand names

    • Product names

    • Locations such as cities and headquarters

    • Company-specific internal terms

    • Abbreviations
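The banned-password lists work on normalized input rather than exact strings, which is why adding "Contoso" also catches "C0ntos0". The following added example (not code from the book or from Microsoft) models the behavior Microsoft documents for Azure AD password protection: lowercasing, undoing common character substitutions, edit-distance-1 fuzzy matching, one point per banned word found and per remaining character, and a five-point minimum. The banned lists, the substitution table, and the function names are constructed for illustration; the real global list and the service's exact tie-break rules are not reproduced.

```python
"""Custom banned-password check modeled on Azure AD password protection.

Added example, not code from the book or from Microsoft. It follows the
documented behavior of the feature (case folding, common substitutions,
edit-distance-1 fuzzy matching, one point per banned word and per remaining
character, five points to pass) on a constructed banned list.
"""

# Normalization assumed from the documented behavior: lowercase, then undo
# the usual substitutions people use to dodge a banned word.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5

# Constructed lists. A tenant's real custom list holds brand, product and
# location names, internal terms and abbreviations, as the text describes.
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty"}
CUSTOM_BANNED = {"contoso", "blank", "redmond"}


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_banned(text: str, word: str):
    """Locate word in text exactly or within edit distance 1; return (start, end) or None."""
    pos = text.find(word)
    if pos >= 0:
        return pos, pos + len(word)
    n = len(word)
    for length in (n, n - 1, n + 1):  # one insertion or deletion changes the length by 1
        if length <= 0 or length > len(text):
            continue
        for start in range(len(text) - length + 1):
            if levenshtein(text[start:start + length], word) <= 1:
                return start, start + length
    return None


def evaluate_password(password: str, banned=None):
    """Score a candidate; returns (accepted, points, banned_words_found)."""
    banned = set(GLOBAL_BANNED | CUSTOM_BANNED) if banned is None else set(banned)
    remaining = normalize(password)
    found = []
    points = 0
    for word in sorted(banned, key=len, reverse=True):  # longest banned words first
        while True:
            hit = find_banned(remaining, word)
            if hit is None:
                break
            found.append(word)
            points += 1  # a banned word counts as a single point, however long it is
            remaining = remaining[:hit[0]] + remaining[hit[1]:]
    points += len(remaining)  # every leftover character is worth one point
    return points >= MIN_POINTS, points, found


if __name__ == "__main__":
    for candidate in ("C0ntos0Blank12", "C0ntos0Blank12Fall", "P@ssw0rd!", "Contosso-Winter-2024"):
        accepted, points, found = evaluate_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({points} points, banned words {found})")
```

Under this scoring, "C0ntos0Blank12" normalizes to "contosoblankl2", collapses to two banned words plus two leftover characters (4 points), and is rejected, while the same password with a few extra characters passes. A custom list therefore does not need every spelling variant of a brand name, only the base word.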

It is also recommended to set a password expiration policy for the whole enterprise to reduce the risk from compromised passwords. See Figure 2-15.


Figure 2-15

Azure AD password expiration policy

In order to set the password expiration policy, you need to sign in to the Microsoft 365 admin center as an administrator. As an admin, you can set passwords to expire after a certain number of days or never to expire, based on your requirements. It is recommended to use multifactor authentication alongside these passwords. See Figure 2-16.

A diagram represents the password, multifactor authentication, and logged-in stages of MFA.

Figure 2-16

Multifactor authentication

Microsoft also provides recommendations for selecting passwords.

Resisting Common Attacks

Resisting common attacks involves choosing whether users may enter passwords only from trusted devices, and the length and uniqueness of the passwords. Figure 2-17 illustrates a brute force attack.

A diagram depicts the operation of a botnet brute force attack, which includes an attacker, a C2 server, a botnet of controlled devices, repeated login attempts, and the target website.

Figure 2-17

Brute force attack

  • Restrict successful attacks: Resisting an attacker is also about restricting access to the specific service and limiting the damage when a user’s password is stolen. For example, stolen social networking credentials shouldn’t make your bank account vulnerable. Figure 2-18 shows some common cybersecurity attacks.

Six diagrams represent malware, DDoS, phishing, SQL injection attacks, cross-site scripting (XSS), and botnets as common cybersecurity attacks.

Figure 2-18

Common cybersecurity attacks

  • Understand human nature: It is very important to understand human nature, because research shows that every rule set for users will result in better password quality.

As an admin, you can set the password expiration policy to require strong passwords and minimize attacks:
  1. Go to the Microsoft 365 Admin Center and click the Security and Privacy tab.

  2. Select the password expiration policy.

  3. If you don’t allow users to set/change passwords, uncheck the box to Set Passwords to Never Expire.

  4. Set the password expiration date. Choose a number of days from 14 to 730. See Figure 2-19.


A flowchart of the key steps of a brute force attack. It includes an attacker, a guess list of username and password combinations, and repeats login attempts until one is successful and successful credential validation.

Figure 2-19

Password expiration policy

You can also sync user password hashes from the on-premises Active Directory to Azure AD. To synchronize a password, Azure AD Connect extracts the password hash from the on-premises Active Directory. Extra security processing is applied to the password hash before it is synced to Azure Active Directory. See Figure 2-20.

An illustration of password hash synchronization. It includes four types, ransomware, internal security threats, social engineering with phishing, spoofing, and frauds, and attacks on payment systems.

Figure 2-20

Azure AD Password hash synchronization
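The "extra security processing" mentioned above is what makes the synced value useless for replaying against the on-premises domain. The following added example (not code from the book or from Microsoft) models that step as Microsoft publicly describes it: the 16-byte NT hash is expanded to 64 bytes by hex-encoding it and re-encoding the hex as UTF-16, a 10-byte per-user salt is added, and PBKDF2-HMAC-SHA256 with 1000 iterations produces a 32-byte value. The hex case and byte order are assumptions, and the NT hash and salt are constructed values, not derived from any real password.

```python
"""Model of the processing Azure AD Connect applies to a password hash before
password hash synchronization.

Added example, not the book's or Microsoft's code. It follows Microsoft's
public description: the 16-byte NT (MD4) hash becomes a 32-char hex string,
re-encoded as 64 bytes of UTF-16, salted with a 10-byte per-user salt and run
through PBKDF2-HMAC-SHA256 for 1000 iterations to give 32 bytes. Hex case and
byte order are assumptions; the sample hash and salt below are constructed.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 1000
SALT_LEN = 10
OUT_LEN = 32


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte NT hash -> 32-char hex string -> 64 bytes of UTF-16LE."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")  # lowercase hex is an assumption


def derive_sync_hash(nt_hash: bytes, salt: bytes = None) -> tuple:
    """Return (derived_hash, salt, iterations); this, not the NT hash, is what is synced."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # fresh per-user salt
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    derived = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, ITERATIONS, dklen=OUT_LEN)
    return derived, salt, ITERATIONS


def verify_sync_hash(candidate_nt_hash: bytes, stored: bytes, salt: bytes, iterations: int) -> bool:
    """Cloud-side check: recompute from a candidate NT hash and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(candidate_nt_hash), salt, iterations, dklen=len(stored))
    return hmac.compare_digest(recomputed, stored)


# Constructed sample values (not a real account's hash).
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_SALT = bytes(range(10))


def demo():
    """Derive with a fixed salt, then with a random one, and report what changed."""
    derived, salt, iters = derive_sync_hash(SAMPLE_NT_HASH, SAMPLE_SALT)
    derived_again, _, _ = derive_sync_hash(SAMPLE_NT_HASH, SAMPLE_SALT)
    other_salt_result, _, _ = derive_sync_hash(SAMPLE_NT_HASH)
    return {
        "expanded_len": len(expand_nt_hash(SAMPLE_NT_HASH)),
        "derived_len": len(derived),
        "iterations": iters,
        "deterministic": derived == derived_again,
        "matches": verify_sync_hash(SAMPLE_NT_HASH, derived, salt, iters),
        "wrong_hash_matches": verify_sync_hash(bytes(16), derived, salt, iters),
        "salt_changes_output": other_salt_result != derived,
    }
```

Because the salt and iteration count travel with the derived value, Azure AD can verify a sign-in by repeating the derivation, but the stored value cannot be turned back into the NT hash that on-premises NTLM or Kerberos would accept.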

Active Directory Federation Services

Active Directory Federation Services (AD FS) provides simplified, secure identity federation. A federation is mainly a collection of domains with well-established trust between them. It can also be a collection of organizations that have established trust to share information and connections.

You can also federate the on-premises environment with Azure AD and use this federation for authentication and authorization. Administrators can implement federated access control with AD FS or PingFederate. See Figure 2-21.

A diagram represents Active Directory and AD FS on premises, Azure Active Directory, LOB apps, Office 365, and SaaS apps of the Azure AD federation service.

Figure 2-21

Azure AD federation service

Azure AD Connect enables you to configure federation between the on-premises Active Directory Federation Services and Azure AD. Once you federate the on-premises environment with Azure AD, all on-premises users can use their on-premises user ID and password to log in and access the application or system. See Figure 2-22.

Two diagrams represent the on-premises Active Directory, AD FS, and Azure AD Connect on DC1 on the left, and Azure Active Directory on the right.

Figure 2-22

On-premises Azure AD federation service

Azure Active Directory allows you to configure federation with on-premises Active Directory Federation Services. Let’s explore the various sign-in options for both cloud and on-premises resources:
  • Password hash synchronization with seamless single sign-on (SSO)

  • Passthrough authentication with seamless single sign-on (SSO)

  • Federated SSO

  • Federation with PingFederate

First you need to understand the authentication methods users can use to sign in to Azure AD. Azure AD offers the following sign-in authentication methods:
  • Cloud authentication: Azure AD handles the authentication process in the cloud when users sign in to an application. There are two options for cloud authentication:
    • Password hash synchronization: Enables users to sign in with the same username and password they use on-premises, without deploying any additional infrastructure. See Figure 2-23.

      An illustration of password hash synchronization. It includes an on-premises active directory, password sync, and azure active directory with the user on premise sign on and cloud sign on.

      Figure 2-23

      Azure AD with password hash sync

    • Passthrough authentication: This option is similar to password hash sync, but it validates the password against the on-premises directory using a lightweight on-premises agent, which suits organizations with strong security and compliance requirements. See Figure 2-24.

      A flow diagram represents an LDAP client performing an LDAP bind to OpenLDAP, with SASL to saslauthd, which performs an LDAP search and LDAP bind against Active Directory for Azure AD.

      Figure 2-24

      Azure AD with passthrough authentication

    • As shown in Figure 2-24, passthrough authentication creates a secure channel to Azure Active Directory. Once the secure channel is established, public and private keys are generated with Azure AD, and then the connection to Azure SQL DB can be established. Once the connection is established, certificates are issued.

  • Federated authentication: With federated authentication, you hand over the authentication process to a separate, trusted authentication system, such as AD FS. See Figure 2-25.

A diagram depicts federated authentication, which includes the workflow, an identity provider with a trust relationship and a secure token (an XML file) sent to a service provider, and a user.

Figure 2-25

Azure AD federated authentication

You can change the sign-in method between federation, password hash synchronization, and passthrough authentication using the tasks available in Azure AD Connect. Select Change User Sign-In from the tasks, as shown in Figure 2-26.

A screenshot represents the additional tasks, such as View current configuration, Change user sign-in, Refresh directory schema, Configure staging mode, and Verify AD FS login.

Figure 2-26

Azure AD Connect additional tasks

On the next page, you provide credentials for Azure AD. See Figure 2-27.

A screenshot represents the tasks Connect to Azure AD and User sign-in, prompting you to enter your Azure AD credentials in the username and password boxes.

Figure 2-27

Connect to Azure AD

Now, from the user sign-in page, select the desired user sign-in . See Figure 2-28.

A screenshot depicts User sign-in, which contains Select the sign-on method: Password synchronization, Pass-through authentication, Federation with AD FS, Do not configure, and Enable single sign-on.

Figure 2-28

Connect to Azure AD

Azure AD Application Proxy

Azure AD Application Proxy provides secure remote access to on-premises web applications. After signing in to Azure AD, users can access cloud and on-premises applications through an external URL or an internal application portal. For example, once you set up Application Proxy, it can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and so on. See Figure 2-29.

A diagram represents Azure AD Application Proxy, which contains Active Directory, HR apps, SaaS apps, cloud-hosted apps, and on-premises web apps.

Figure 2-29

Azure AD Application Proxy

Consider these features of Azure AD Application Proxy:
  • Simple to use: End users can access on-premises applications the same way they access Microsoft 365 and other SaaS applications integrated with Azure AD.

  • Secure: On-premises applications can use Azure’s authorization controls and security analytics. For example, an on-premises application can use conditional access and two-step verification (multifactor authentication) to make it more secure. Application Proxy doesn’t require you to open an inbound connection through the firewall.

  • Cost-effective: You don’t have to change the network infrastructure or install any additional software in order to use Azure AD Application Proxy.

Azure AD Application Proxy is a feature of Azure AD that provides access to on-premises web applications from a remote desktop or client. It includes the Application Proxy service, which runs in the cloud, and the Application Proxy connector, which runs on an on-premises server.

Application Proxy works with the following:
  • Access to the applications from the Remote Desktop Gateway

  • Rich client apps with the Microsoft Authentication Library

  • Web applications using header access

Application Proxy is recommended for giving remote users access to internal resources. It replaces the need for a VPN or reverse proxy, and internal users on the corporate network don’t need it.

Figure 2-29 shows Azure AD and Application Proxy working together to provide a single sign-on to on-premises applications .

First, the user accesses the application through its endpoint and is directed to the Azure AD sign-in page. After the user signs in successfully, Azure AD sends a token to the user’s client device. The client then sends the token to Application Proxy, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. If single sign-on is configured, the connector performs additional authentication on behalf of the user. The connector then sends the request to the on-premises application, and the response is returned through the connector and the Application Proxy service to the user. See Figure 2-30.

A diagram represents HTTPS, publish to DNS, open firewall, multifactor authentication, Azure Active Directory, work account, internet, on premises, and the Azure AD App Proxy connector.

Figure 2-30

Azure AD Application Proxy with conditional access

Azure AD’s Application Proxy feature allows you to access your on-premises web applications from a remote client. It consists of two main components:
  • Application Proxy Service: It runs in the cloud.

  • Application Proxy Connector: It runs on the on-premises server.

This service and connector interact to securely transmit the user sign-on tokens from Azure AD to the web application.

The following are use cases for Application Proxy:
  • It handles web applications that use Windows authentication or form-based access

  • It supports applications protected by Remote Desktop Gateway

  • It provides remote users with access to an internal resource without using the reverse proxy or virtual private network. Azure AD Application Proxy is only available with a premium license. See Figure 2-31.

A flow diagram represents the user, Azure Active Directory, and a DMZ containing the connector with apps 1, 2, and 3 on premises for Azure AD Application Proxy.

Figure 2-31

Azure AD Application Proxy with on-premises

The workflow of the Azure AD Application Proxy is as follows:
  1. Once users access the application using the endpoint, Application Proxy directs them to the Azure AD sign-in page. When conditional access policies are enabled, it checks the conditions and enforces the security requirements.

  2. If the sign-in is successful, Azure Active Directory transfers the token to the client’s device.

  3. The client then transfers the token to Application Proxy, which reads the token’s security principal.

  4. Application Proxy then sends the request to the Application Proxy connector.

  5. The connector carries out any additional authentication steps, then sends the request to the application’s internal endpoint.

  6. The connector forwards the application server’s response to Application Proxy.

  7. Application Proxy then transfers the server’s response to the user.


Exploring Azure AD B2B and B2C for External Partners

Azure AD B2B (Azure AD business-to-business collaboration) focuses on the problem of sharing applications with external users. These users can be suppliers, customers, or partners with whom you want to collaborate. You can invite external users into Azure AD to use your web application. You can also establish a connection between the AD FS server and the partner’s application. See Figure 2-32.

A diagram represents Azure AD B2B, which contains PowerShell and the Graph API within Microsoft Azure and Azure Active Directory.

Figure 2-32

Azure AD B2B

You can invite Azure AD B2B users by email:
  1. The end user receives an email with a link to accept the invitation.

  2. Once the user clicks the link, authentication happens at the user’s own identity provider.

  3. A trust relationship is established in the background without any configuration.

  4. The entered credentials are saved in the guest directory.

  5. Access control is then managed in the host directory.

There are multiple ways to onboard users, depending on the relationship with the external users:
  • Personal email invitation

  • Access packages (individuals apply for access using an automated verification process)

  • Self-service user flows

  • Bulk invite via CSV upload

Azure AD B2C (Azure AD business-to-customer) provides a security and authentication solution for external applications, independent of your organization’s Azure AD. See Figure 2-33.

A flow diagram represents the authentication experience, Azure Active Directory, the client, your website, and the back office of Azure AD B2C.

Figure 2-33

Azure AD B2C

The authentication process works the same way as with B2B, but it is not designed for internal users and employees; it is mainly intended for end customers. B2C provides complex user flows, configured as policies. For example, existing customers with no relationship with the company need to be able to sign in to the website and view documents. See Figure 2-34.

Five diagrams represent the Azure AD B2C flow, which contains accept our T&Cs, prove who you are, set up a password, set up MFA, and access your documents.

Figure 2-34

Azure AD B2C flow

To make this possible, Azure AD B2C needs to verify the customer’s identity using an API call.

PIM Azure AD Identity Protection Hybrid Implementation

Privileged identity management (PIM) is a service of Azure Active Directory that helps users manage, control, and monitor access to resources within the organization. With PIM, you can secure resources in Azure AD, Azure, and other online services. See Figure 2-35.

Two triangles depict your directory and the home directory, which contain resources, member users, and external users.

Figure 2-35

Azure AD Privileged Identity Management

Privileged Identity Management provides time-based and approval-based role activation to avoid the risk of unnecessary access permissions of resources. A few of its features are as follows:
  • Enables just-in-time access to Azure AD and Azure resources

  • Assigns time-bound access to resources using start and end dates

  • Requires additional approval to activate the roles

  • Uses multifactor authentication to activate the roles

  • Conducts access reviews for user roles

  • Exports the audit history for the internal and external audit

For Azure AD roles in privileged identity management, global administrators can manage the assignments for the other administrators. Azure resource roles can only be accessed by the subscription administrators, resource owners, or a resource user administrator. See Figure 2-36.

Six diagrams depict just-in-time access, workflow, justification and notification, conduct access reviews, enforce MFA for role activation, and prevent removal of the last active Global Administrator.

Figure 2-36

Just-in-time access

Using Azure AD PIM, you can monitor, manage, and control access to your Azure resources. By reducing the number of people who have access, you prevent the following:
  • Attackers or end users performing brute force attacks against the entire system and finding a way to steal information

  • Unauthorized users being able to access data and resources by deleting, updating, or inserting data

Azure AD PIM can manage both Azure AD roles and Azure resource roles; there is some overlap between them as well as differences. In addition, certain roles can’t be managed by Azure AD PIM. See Figure 2-37.

Three diagrams represent the Account Administrator, Service Administrator, and Co-Administrator roles in relation to Azure AD PIM roles.

Figure 2-37

Azure AD PIM roles

These roles can’t be managed by Azure AD PIM:
  • Account administrators

  • Service administrators

  • Co-administrators

With respect to Azure AD, there are two types of role assignment:
  • Eligible roles: With this type of role assignment, the end user needs to perform an action to activate the role before using it. Once the activation is completed, the assignment changes from eligible to active. Users who are eligible for a role activate it when they need to perform a privileged activity. See Figure 2-38.

A screenshot represents my roles, azure resources, eligible, active, and expired assignments, and eligible assignments containing role, resource, resource type, and membership.

Figure 2-38

Azure AD privileged

  • Active roles: This type of role assignment doesn’t require users to perform an action before using the privileged role. See Figure 2-39.

A screenshot represents my roles, azure resources, eligible, active, and expired assignments, and active assignments containing role, resource type, membership, and condition.

Figure 2-39

Azure AD PIM active assignments

Let’s now look at the license requirements for users.

PIM Admin

The PIM admin is the person who activates Privileged Identity Management and provides consent. A global administrator performs this task. PIM admins belong to the security administrator group that has authority to manage all security aspects of Azure AD. See Figure 2-40.

A flow diagram depicts the Azure AD PIM admin flow: eligible members request to activate a specific role, the approver approves the user, the user becomes a full member of the role, and the user is removed from the role at expiration time.

Figure 2-40

Azure AD PIM admin

Approvers

These are users who have the authority to approve or deny role assignment requests in PIM.

Access Reviewers

These users have been assigned the role of performing access reviews of the privileged role assignments granted to users through PIM-eligible roles.

Single Sign-on with Azure AD

The Azure Active Directory single sign-on (SSO) feature signs users in automatically when their corporate devices are connected to the corporate network. Once single sign-on is enabled for Azure AD, users can sign in without entering their usernames and passwords.

Seamless SSO can be combined with password hash synchronization or passthrough authentication; it can’t be enabled together with Azure Active Directory federation. Enterprise organizations can protect sensitive data and applications, both on-premises and in the cloud, with integrated multifactor authentication. See Figure 2-41.

A diagram depicts the single sign-on SAML protocol, labeled 1 through 7: the user tries to access the application, the service provider, the user, and Azure Active Directory.

Figure 2-41

Single sign-on SAML protocol

With SAML 2.0 SSO, authentication requests and responses are exchanged with Azure AD. The cloud service (the service provider) uses the HTTP redirect binding to pass the AuthnRequest element to Azure AD. Azure AD then uses the HTTP POST binding to return the SAML response to the cloud service.
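The two bindings named above carry different encodings, and the service provider has to validate several fields of the response before trusting the NameID. The following added example (not code from the book) shows both sides of the exchange: the service provider builds an AuthnRequest and deflates, base64-encodes and URL-encodes it for the HTTP redirect binding, and then checks a POSTed Response for destination, InResponseTo, status, issuer, validity window, and audience before extracting the user. The tenant ID, service provider URLs, the sample Response, and the `demo()` helper are constructed; the `ds:Signature` element is an empty placeholder, because verifying a real XML signature needs the tenant's signing certificate and an XML-DSig library that this offline example deliberately leaves out. The Azure AD SAML endpoint and issuer formats used are the ones Microsoft documents.

```python
"""SAML 2.0 SSO with Azure AD: AuthnRequest over the HTTP-Redirect binding,
Response over the HTTP-POST binding.

Added example, not code from the book. Tenant id, SP URLs and the sample
Response are constructed; ds:Signature is an empty placeholder because XML
signature verification needs the IdP certificate and an XML-DSig library.
"""
import base64
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
IDP_SSO_URL = f"https://login.microsoftonline.com/{TENANT}/saml2"
IDP_ISSUER = f"https://sts.windows.net/{TENANT}/"
SP_ENTITY_ID = "https://app.example/saml"  # constructed service provider identifier
SP_ACS_URL = "https://app.example/saml/acs"  # constructed assertion consumer service URL


def saml_time(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id: str, issued_at: datetime) -> str:
    """SP side: the element the cloud service passes to Azure AD."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(issued_at)}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    return f"{IDP_SSO_URL}?{urlencode({'SAMLRequest': base64.b64encode(deflated).decode()})}"


def decode_redirect_binding(url: str) -> str:
    """IdP side: recover the AuthnRequest from the redirect URL."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def validate_post_response(saml_response_b64: str, expected_request_id: str, now: datetime) -> str:
    """SP side: checks on the POSTed Response (after XML signature verification);
    returns the NameID or raises ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request we sent")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion")
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned response; a real SP must verify the XML signature")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    conditions = assertion.find("saml:Conditions", NS)
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different audience")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def constructed_response(request_id: str, audience: str = SP_ENTITY_ID) -> str:
    """A constructed Response with a placeholder signature, base64 as Azure AD would POST it."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
        f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}" '
        f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
        f"<saml:Issuer>{IDP_ISSUER}</saml:Issuer><ds:Signature/>"
        f"<saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        f"</saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def demo():
    now = datetime(2024, 1, 1, 12, 0, 5, tzinfo=timezone.utc)
    request_id = "_id-constructed-1"
    authn = build_authn_request(request_id, now)
    round_trip_ok = decode_redirect_binding(redirect_binding_url(authn)) == authn
    name_id = validate_post_response(constructed_response(request_id), request_id, now)
    try:
        validate_post_response(constructed_response(request_id, audience="https://other.example"), request_id, now)
        wrong_audience = "accepted"
    except ValueError as err:
        wrong_audience = str(err)
    return {"round_trip_ok": round_trip_ok, "name_id": name_id, "wrong_audience": wrong_audience}
```

The audience and InResponseTo checks are what stop an assertion issued for one application, or captured from an earlier session, from being replayed against another; the validity window bounds how long a captured response stays useful.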

In order to configure SSO for Azure AD, you have to follow these steps:
  1. Log in to the Azure Portal using the following URL: https://portal.azure.com.

  2. Click Azure Active Directory and select Manage Applications under the Manage tab. See Figure 2-42.


A screenshot represents Azure services, which contains Create a resource, Azure Active Directory, Azure AD Privileged, Resource groups, Log Analytics workspaces, and recent resources.

Figure 2-42

Azure Active Directory

  3. Click New Application and choose Create the Enterprise Application. See Figure 2-43.


A screenshot of the Enterprise applications blade of Azure Active Directory contains New application, Refresh, Preview info, the applications found with their name, object ID and application ID, the home page URL, and enterprise applications.

Figure 2-43

Azure Active Directory - Enterprise Applications

  4. Open the enterprise application. From there, you can configure the application based on the required settings. See Figure 2-44.


A screenshot represents Enterprise applications, which contains Overview, New application, Refresh, Download, Manage, and Search by application name or object ID.

Figure 2-44

Azure Active Directory - Create Enterprise Applications

Conclusion

This chapter explored various identity protocols and their application types. You also learned about the Azure Active Directory security model and explored the Active Directory federation service and Azure AD Application Proxy, which is used to connect cloud applications with on-premises applications. You also learned about Azure AD B2B and B2C, which are for external partners using Azure AD. The chapter also quickly walked through the PIM implementation and its features using Azure AD and a hybrid implementation. In the end, you explored the single sign-on implementation using Azure AD.
