
Introduction To Identity With Microsoft's Cloud


Microsoft Cloud Identity for Enterprise Architects
What IT architects need to know about designing identity for organizations using Microsoft cloud services and platforms

This topic is 1 of 5 in a series

Introduction to identity with Microsoft's cloud

[Figure: SaaS (Software as a Service): Microsoft 365, Microsoft Intune, Dynamics CRM. Azure PaaS: Your LOB application, Your mobile app. Azure IaaS: Your LOB application on virtual machines, LOB app.]

Integrating your identities with the Microsoft cloud provides access to a broad range of services and applications. Azure Active Directory (Azure AD) integration supports:
• Identity management for applications across all categories of Microsoft's cloud (SaaS, PaaS, IaaS).
• Consolidated identity management for third-party cloud applications in your portfolio.
• Collaboration with partners.
• Management of customer identities.
• Integration with web-based applications located on-premises.

For line of business (LOB) applications hosted on virtual machines in Azure IaaS, you can use Domain Services in Azure AD or you can extend your on-premises Active Directory Domain Services (AD DS) environment.

[Figure: Azure AD and Azure AD Domain Services in the cloud; Your on-premises AD DS, which you can extend to your Azure virtual machines.]

Use Azure AD as your Identity as a Service provider

Azure AD is a leading provider of cloud-based Identity as a Service (IDaaS) and provides a broad range of capabilities for enterprise organizations.

On-premises infrastructure integration
• Synchronization or federation of identities
• Self-service password reset with write back to on-premises directories
• Azure AD Application Proxy for authentication against on-premises web-based applications

User accounts
• MyApps Panel
• Multi-factor authentication (MFA)
• Conditional access to resources and applications
• Behavior and risk-based access control with Azure AD Identity Protection

Devices
• Mobile device management with Intune
• Windows 10 Azure AD Join and SSO
• Device registration and management for non-Windows devices (iOS, Android, Mac)

Partner collaboration
• Secure collaboration with your business partners using Azure AD B2B

Customer account management
• Self-registration for your customers using a unique identity or an existing social identity with Azure AD B2C

Application integration
• Pre-integrated with thousands of SaaS applications
• Deep integration with Microsoft 365
• PaaS application integration
• Azure AD Domain Services
• Integration with other cloud providers

Administration
• Reporting
• Global telemetry and machine learning
• Enterprise scale
• Cloud App Discovery
• Worldwide availability
• Connect Health

Azure AD editions

Free: Core identity and access management features. Included with Azure, Dynamics 365, Intune, and Power Platform.
Office 365 apps: Free edition capabilities plus features for identity and access management. Included with Office 365 E1, E3, E5, F1, and F3.
Premium P1: Office 365 apps edition capabilities plus advanced features for password and group access management, hybrid identities, and Conditional Access. Included with Microsoft 365 E3 and E5, Enterprise Mobility + Security (EMS) E3 and E5, or as separate licenses.
Premium P2: Premium P1 edition capabilities plus identity protection and governance features. Included with Microsoft 365 E5 and EMS E5, or as separate licenses.

For more information, see Azure AD pricing.

More information
Identity roadmap for Microsoft 365: https://aka.ms/m365edeployid
Manage identity and access learning path: https://docs.microsoft.com/learn/paths/manage-identity-and-access
Define a hybrid identity adoption strategy: https://azure.microsoft.com/documentation/articles/active-directory-hybrid-identity-design-considerations-identity-adoption-strategy/

September 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at cloudadopt@microsoft.com.
This topic is 2 of 5 in a series

Azure AD integration capabilities

Azure AD provides a broad range of capabilities that allow you to centralize and simplify identity management while integrating applications across environments and with partners and customers.

Integration across Microsoft's cloud

The foundational architectural steps you take with Microsoft 365 for identity integration provide a single architecture for adoption of workloads across Microsoft's cloud, including PaaS workloads in Azure as well as other SaaS workloads, such as Dynamics CRM Online.

With this foundation, you can add other applications to Microsoft's cloud and apply the same set of authentication and identity security features for access to these apps. For example, you can develop new line of business (LOB) applications using cloud-native features in Microsoft Azure and integrate these apps with your Azure AD tenant. This includes your custom SharePoint add-ins.

[Figure: SaaS (Software as a Service): Microsoft 365, Microsoft Intune, Dynamics CRM. Azure PaaS: Your provider-hosted SharePoint add-in, Your LOB application. All authenticate through Your Azure AD tenant, which is synchronized from Your on-premises datacenter.]

Windows 10 Azure AD Join

Join Windows 10 devices to Azure AD and provision these with Microsoft 365 services and applications within minutes when the device is configured during the out-of-box experience.

Windows 10 automatically authenticates with Azure AD and your on-premises AD DS, providing single sign-on without the need for Active Directory Federation Services (AD FS).

[Figure: A Windows 10 device authenticates with Your Azure AD tenant and Your on-premises AD DS.]

Single sign-on to other SaaS apps in your environment

You can greatly simplify the management of identity across your organization by configuring single sign-on to other SaaS applications in your environment. See the Azure Marketplace for apps that are already integrated. By doing this, you can manage all identities in the same place and apply the same set of security and access policies across your organization, such as multi-factor authentication (MFA).

[Figure: SaaS (Software as a Service) applications, including Microsoft 365, with single sign-on from Your Azure AD tenant.]

Azure AD My Apps portal

The My Apps portal at https://myapplications.microsoft.com/ is a web-based portal that allows users with an organizational account in Azure AD to view and launch cloud-based applications to which they have been granted access.

If you are a user with Azure AD Premium P1 or P2, you can also use self-service group management capabilities through the Access Panel Applications page at https://account.activedirectory.windowsazure.com/r#/. This page is separate from the Azure portal and does not require users to have an Azure subscription.

Azure AD B2B collaboration

Azure AD B2B Collaboration enables secure collaboration between business-to-business partners. These new capabilities make it easy for organizations to create advanced trust relationships between Azure AD tenants so they can easily share business applications across companies without having to manage additional directories or incur the overhead of managing partner identities.

With 6 million organizations already using Azure AD, chances are good that your partner organization already has an Azure AD tenant, so you can start collaborating immediately. But even if they don't, Azure AD's B2B capabilities make it easy for you to send them an automated invitation which will get them up and running with Azure AD in a matter of minutes.

[Figure: Your Azure AD tenant and Your partner's Azure AD tenant linked by an Azure AD B2B collaboration relationship, both accessing SaaS applications such as Salesforce.]

Azure AD B2C collaboration

Azure AD B2C is a highly available, global identity management service for consumer-facing applications that scales to hundreds of millions of identities. It can be easily integrated across mobile and web platforms. Your consumers can log on to all your applications through fully customizable experiences by using their existing accounts or by creating new credentials.

Here is an example for the fictional Proseware organization.

[Figure: Customers sign in to Proseware's consumer-facing web site, hosted in Azure PaaS, which authenticates them against Proseware's Azure AD B2C tenant; Proseware's Azure AD tenant is shown separately.]

Application Proxy

Microsoft Azure AD Application Proxy lets you publish web applications inside your private network—such as SharePoint sites, Outlook Web Access, and Internet Information Services (IIS)-based apps—and provide secure access to users outside your network. Employees can log into your on-premises web apps remotely on their own devices and authenticate through this cloud-based proxy.

By using Azure AD Application Proxy you can protect on-premises web apps with the same requirements as other cloud-based applications with MFA, device requirements, and other conditional access requirements. You also benefit from built-in security, usage, and administration reports.

Azure AD Application Proxy works by installing a slim Windows service called an Application Proxy Connector inside your network. This Connector maintains an outbound connection from within your network to the Azure AD Application Proxy service. When users access a published web app, the proxy uses this connection to provide access.

[Figure: Azure AD Application Proxy in Azure AD; an Application Proxy Connector inside Your organization maintains the outbound connection and forwards requests to your on-premises web apps.]

Domain services

Azure AD Domain Services provides managed cloud-based domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication in Azure IaaS that are fully compatible with Active Directory Domain Services (AD DS). You can join Azure virtual machines to an Azure-based AD DS domain without the need to deploy domain controllers. Because Azure AD Domain Services is part of your existing Azure AD tenant, users can log in using the same credentials they use for Azure AD.

This managed domain is a standalone domain and is not an extension of your organization's on-premises domain or forest infrastructure. However, all user accounts, group memberships, and credentials synchronized from your on-premises AD DS are available in this managed domain.

[Figure: Azure IaaS virtual network hosting Your LOB application on virtual machines, joined to Azure AD Domain Services; Azure AD Domain Services is backed by Azure AD, which is synchronized from Your on-premises AD DS.]

More cloud IT resources
Microsoft Security: aka.ms/cloudarchsecurity
Networking: aka.ms/cloudarchnetworking
Hybrid: aka.ms/cloudarchhybrid

Identity and device access policies for baseline, sensitive, and highly regulated protection

Identity and device access policies ensure that only approved users and devices can access your critical apps and data.

Baseline protection is a minimum level of security for your identities and devices that access your apps and data.

Sensitive protection provides additional security for specific data. Identities and devices are subject to higher levels of security and device health requirements.

Highly regulated protection is for typically small amounts of data that are highly classified, contain trade secrets, or are subject to data regulations. Identities and devices are subject to much higher levels of security and device health requirements.

Policies by protection level

Baseline
• Azure AD conditional access policies (PCs): Require multi-factor authentication (MFA) when sign-in risk is medium or high. Block clients that don't support modern authentication (clients that do not use modern authentication can bypass Conditional Access policies). Require compliant PCs.
• Azure AD conditional access policies (phones and tablets): Require approved apps. This policy enforces mobile app protection for phones and tablets.
• Azure AD Identity Protection user risk policy: High risk users must change password. This policy forces users to change their password when signing in if high risk activity is detected for their account.
• Intune device compliance policy: Define compliance policies (one for each platform).
• Intune app protection policies: Apply Level 2 App Protection Policies (APP) data protection (one for each platform).

Sensitive
• Azure AD conditional access policies: Require MFA when sign-in risk is low, medium, or high. Require compliant PCs and mobile devices. This policy enforces Intune management for PCs, phones, and tablets.

Highly regulated
• Azure AD conditional access policies: Require MFA always. This is also available for all Office 365 Enterprise plans.
• Intune app protection policies: Apply Level 3 APP data protection.

Implementation notes
• Start by implementing multi-factor authentication (MFA). First, use an Identity Protection MFA registration policy to register users for MFA. After users are registered you can enforce MFA for sign-in. Using MFA is recommended before enrolling devices into Intune for assurance that the device is in the possession of the intended user.
• For other SaaS apps in your environment, configure single sign-on with Azure AD and apply these policies or create new Conditional Access policies.
• For all Conditional Access policies in Azure AD, configure an Azure AD exclusion group and add this group to these policies. This gives you a way to allow access to a critical user while you troubleshoot access issues for them.
• The Identity Protection user risk policy requires Microsoft 365 E5, Microsoft 365 E3 with the Identity & Threat Protection add-on, Office 365 with EMS E5, or individual Azure AD Premium P2 licenses.
• Enroll devices for management with Intune before implementing device compliance policies.
• Device compliance policies define the requirements devices must meet. Intune lets Azure AD know if devices are compliant. Recommended requirements include:
  • Use strong passwords at least ten characters long.
  • Be patched and have anti-virus and firewalls enabled.
  • Use encryption, lock on inactivity, and wipe on multiple sign-in failures.
  • Not be jailbroken or rooted.
• App policies define which apps are allowed and what actions these apps can take with your organization content.

PCs include devices running the Windows or macOS platforms. Phones and tablets include devices running the iOS, iPadOS, or Android platforms.

For help implementing these policies, including policies for protecting Teams, Exchange email, and SharePoint sites, see Identity and device access configurations.
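The policy matrix above, turned into a small decision model so the interplay of the controls can be checked against sample sign-ins. This is an added illustration written for this page, not Azure AD code or Microsoft's evaluation engine; the SignIn fields, the protection-level names and the sample users are constructed assumptions.

```python
"""Decision model of the baseline / sensitive / highly regulated policy matrix.

Illustration only (not Azure AD code): evaluates a sign-in against the controls
the poster lists and returns whether access is granted and which controls applied.
"""
from dataclasses import dataclass

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Sign-in risk level at or above which MFA is demanded, per protection level
# (baseline: medium or high; sensitive: low, medium or high; highly regulated: always).
MFA_RISK_THRESHOLD = {"baseline": "medium", "sensitive": "low", "highly_regulated": "none"}


@dataclass
class SignIn:                 # constructed shape of a sign-in event (assumption)
    user: str
    level: str                # protection level of the resource being accessed
    device_type: str          # "pc" (Windows/macOS) or "mobile" (iOS/iPadOS/Android)
    modern_auth: bool         # False for legacy protocols that cannot carry CA controls
    sign_in_risk: str         # Identity Protection sign-in risk
    user_risk: str            # Identity Protection user risk
    device_compliant: bool    # compliance state as reported by Intune
    approved_app: bool        # client is an approved app under an app protection policy
    mfa_satisfied: bool       # user completed MFA in this session
    excluded: bool = False    # member of the Conditional Access exclusion group


def evaluate(s: SignIn) -> dict:
    """Return the grant decision and the controls that applied to one sign-in."""
    controls = []
    if s.excluded:
        # Exclusion group: policies are not applied, which keeps troubleshooting access possible.
        return {"grant": True, "controls": controls, "reason": "exclusion group"}
    if not s.modern_auth:
        # Legacy clients cannot satisfy CA controls, so they are blocked rather than bypassing them.
        return {"grant": False, "controls": controls, "reason": "legacy authentication blocked"}
    if s.user_risk == "high":
        # User risk policy: a high-risk account must change its password at sign-in.
        controls.append("password_change")
    if RISK_ORDER[s.sign_in_risk] >= RISK_ORDER[MFA_RISK_THRESHOLD[s.level]]:
        controls.append("mfa")
        if not s.mfa_satisfied:
            return {"grant": False, "controls": controls, "reason": "MFA required"}
    if s.device_type == "pc" or s.level != "baseline":
        # Compliant PCs at every level; compliant mobile devices from sensitive upward.
        controls.append("compliant_device")
        if not s.device_compliant:
            return {"grant": False, "controls": controls, "reason": "device not compliant"}
    if s.device_type == "mobile":
        # Phones and tablets must use an approved app covered by an app protection policy.
        controls.append("approved_app")
        if not s.approved_app:
            return {"grant": False, "controls": controls, "reason": "approved app required"}
    return {"grant": True, "controls": controls, "reason": "all controls satisfied"}


def demo() -> list:
    """Constructed sample sign-ins run through the matrix; returns (user, decision) pairs."""
    samples = [
        SignIn("alice", "baseline", "pc", True, "medium", "none", True, False, False),
        SignIn("bob", "baseline", "mobile", True, "low", "none", False, True, False),
        SignIn("carol", "sensitive", "mobile", True, "none", "none", False, True, True),
        SignIn("dave", "highly_regulated", "pc", True, "none", "high", True, False, True),
        SignIn("erin", "baseline", "pc", False, "none", "none", True, False, True),
    ]
    return [(s.user, evaluate(s)) for s in samples]


if __name__ == "__main__":
    for user, decision in demo():
        print(user, decision)
```

Note that bob's unmanaged phone is allowed at baseline only because the approved-app control substitutes for device compliance there; the same phone is refused at the sensitive level.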

This topic is 3 of 5 in a series

Integrate your on-premises AD DS accounts with Azure AD
• Provides access to all of the Microsoft SaaS services.
• Provides cloud-based identity options for Azure PaaS and IaaS applications.

Two identity configurations are recommended: hybrid or federated. Using cloud-only accounts is not recommended for enterprise-scale organizations unless AD DS is not already used on premises.

Choose one option

Hybrid identity with password hash synchronization or pass-through authentication

[Figure: Your on-premises network contains AD DS and Azure AD Connect; Azure AD Connect synchronizes to Azure AD.]

These are the simplest and recommended options for most enterprise organizations.
• User accounts are synchronized from your on-premises AD DS to your Azure AD tenant. Your AD DS remains the authoritative source for accounts.
• Supports multi-forest synchronization.
• Users enter the same password for cloud services as they do on-premises.

Password hash synchronization (PHS)
• Azure AD performs all authentication for cloud-based services and applications.
• A hash of each already hashed password in AD DS is synchronized to Azure AD. It is not possible to decrypt or reverse-engineer a hash of a password or to obtain the original hashed password itself.

Pass-through authentication (PTA)
• Azure AD passes all authentication for cloud-based services and applications to an AD DS domain controller through an on-premises agent.
• Hashed passwords are not stored in Azure AD.

Multi-factor authentication (MFA)
• Users are subject to an additional verification method before completing sign-in.
• Applications in Azure can take advantage of the Azure Multi-Factor Authentication service.
• Directory synchronization does not provide integration with on-premises MFA solutions.

Federated identity with Active Directory Federation Services

[Figure: Your on-premises network contains a Web application proxy, an AD FS server, an AD DS Domain Controller and Azure AD Connect; Azure AD Connect synchronizes to Azure AD, and Azure AD refers authentication to AD FS.]

Federation provides additional enterprise capabilities. It is also more complex and introduces more dependencies for access to cloud services.
• All authentication to Azure AD is performed against the on-premises directory via Active Directory Federation Services (AD FS) or another federated identity provider.
• Works with non-Microsoft identity providers.
• Password hash sync adds the capability to act as a sign-in backup for federated sign-in (if the federation solution fails).

Use federation if:
• AD FS is already deployed.
• You use a third-party identity provider.
• You have an on-premises integrated smart card or other MFA solution.
• You require sign-in audit and/or disablement of accounts.
• Compliance with Federal Information Processing Standards (FIPS).

Federated authentication requires a greater investment in infrastructure on-premises.
• The on-premises servers must be Internet-accessible through a corporate firewall. Microsoft recommends the use of Federation Proxy servers deployed in a perimeter network, screened subnet, or DMZ.
• Requires hardware, licenses, and operations for AD FS servers, AD FS proxy or Web Application Proxy servers, firewalls, and load balancers.
• Availability and performance are important to ensure users can access Microsoft 365 and other cloud applications.

If you use federation, be sure to create online administrative accounts so you can administer Azure AD if your on-premises identity solution is not available.
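The "hash of each already hashed password" point under PHS, shown as an added example that is not Azure AD Connect's code. Microsoft's published description of PHS is that the stored NT hash is combined with a 10-byte per-user salt and run through 1000 iterations of PBKDF2-HMAC-SHA256, and only that result leaves the network; this model keeps that shape but, as a labelled assumption, substitutes SHA-256 for the NT (MD4) hash so it runs without OpenSSL's legacy provider.

```python
"""Model of password hash synchronization: the cloud never receives the password
or the hash AD DS stores, only a salted, iterated hash of that hash.

Added illustration, not Azure AD Connect code.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1000  # iteration count from Microsoft's published PHS description
SALT_LEN = 10      # per-user salt length from the same description


def on_prem_hash(password: str) -> bytes:
    """Stand-in for the hash AD DS already stores.

    Assumption: SHA-256 over the UTF-16LE password is used here so the example
    runs anywhere; the real stored value is the NT (MD4) hash.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_record(password: str, salt: Optional[bytes] = None) -> tuple:
    """Build what the sync agent would send: a per-user salt and the hash of the hash."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    derived = hashlib.pbkdf2_hmac("sha256", on_prem_hash(password), salt, ITERATIONS, 32)
    return salt, derived


def verify_cloud(password: str, salt: bytes, derived: bytes) -> bool:
    """Cloud-side check: recompute from the presented password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", on_prem_hash(password), salt, ITERATIONS, 32)
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    salt, record = sync_record("Constructed-Example-Passw0rd")
    print("stored on-prem hash differs from synced record:",
          on_prem_hash("Constructed-Example-Passw0rd") != record)
    print("cloud verification:", verify_cloud("Constructed-Example-Passw0rd", salt, record))
```

Two users with the same password produce different records because of the per-user salt, and the synced record cannot be used in place of the on-premises hash since it is not that hash.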

More information
Identity configurations for your Microsoft 365 test environment
Federated identity for your Microsoft 365 test environment
Prepare for directory synchronization to Microsoft 365: http://go.microsoft.com/fwlink/p/?LinkId=524284
Define a hybrid identity adoption strategy: https://docs.microsoft.com/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-identity-adoption-strategy
Set up multi-factor authentication for Microsoft 365: https://docs.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication

This topic is 4 of 5 in a series

Running directory components in Azure IaaS

Deploying directory components to Azure

Consider the benefits of deploying directory components to Azure IaaS, especially if you plan to extend your on-premises AD DS to Azure virtual machines for your line of business applications.

Which components can be put in Azure?
• Azure AD Connect
• Microsoft Active Directory Federation Services (AD FS) with Azure AD Connect
• Standalone AD DS environments in Azure IaaS

Azure AD Connect

Azure AD Connect can be hosted in the cloud using Azure IaaS virtual machines. Consider whether these benefits of deploying this workload to Azure make sense for your organization:
• Potentially faster provisioning and lower cost of operations
• Increased availability

This solution provides a way to integrate with Azure AD without deploying additional on-premises components.

For more information, see Deploy Microsoft 365 Directory Synchronization in Microsoft Azure.

[Figure: A virtual machine running Azure AD Connect in an Azure IaaS virtual network syncs to Azure AD and requests AD DS changes from AD DS on the on-premises network.]

Azure AD Connect with federation

If you haven't already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure make sense for your organization.
• Provides autonomy for authentication to cloud services (no on-premises dependencies).
• Reduces servers and tools hosted on-premises.
• Uses a site-to-site VPN gateway on a two-node failover cluster to connect to Azure.
• Uses ACLs to ensure that Web Application Proxy servers can only communicate with AD FS, not domain controllers or other servers directly.

This solution works with:
• Applications that require Kerberos.
• All of Microsoft's SaaS services.
• Applications in Azure that are Internet-facing.
• Applications in Azure IaaS or PaaS that require authentication with your organization AD DS.

For more information, see Deploy high availability federated authentication for Microsoft 365 in Azure.

[Figure: SaaS, PaaS and other cloud applications authenticate via Azure AD, which refers users to the web proxy location. In Azure IaaS, load-balanced Web Application Proxy servers front load-balanced AD FS servers and Domain Controllers, and Azure AD Connect synchronizes to Azure AD. A site-to-site VPN on a two-node cluster (Node 1, Node 2) carries AD DS changes between the on-premises network's Domain Controllers and Azure IaaS.]

Standalone AD DS environment in Azure IaaS

You don't always need to integrate a cloud application with your on-premises environment. A standalone AD DS domain in Azure supports applications that are public-facing, such as Internet sites.

This solution works with:
• Applications that require NTLM or Kerberos authentication.
• Applications that require AD DS.
• Test and development environments in Azure IaaS.

Also consider whether Azure AD Domain Services can be used instead.

For more information, see Active Directory Domain Services Virtualization.

[Figure: An Azure IaaS virtual network containing AD DS & DNS and Your IaaS application.]

This topic is 5 of 5 in a series

Design domain services for workloads in Azure IaaS

Many LOB solutions that run on virtual machines require AD DS for the following functionality:
• Support for NTLM, Kerberos, or LDAP-based authentication
• Domain-joined virtual machines
• Group Policy

Microsoft currently recommends two solutions.

Use Azure AD Domain Services

AD Domain Services can be enabled in your existing Azure AD tenant. You do not need to deploy and manage domain controllers.

This managed domain is a standalone domain and is not an extension of an organization's on-premises domain/forest infrastructure. However, all user accounts, group memberships and credentials from the on-premises directory are available in this managed domain. Users log in using the same corporate credentials they use for Azure AD.
• Domain Services is connected to a virtual network in Azure IaaS.
• This instance of Domain Services can be used by other virtual networks that are connected to the virtual network configured with Domain Services.

[Figure: An Azure IaaS virtual network with Your LOB application joined to Azure AD Domain Services.]

Extend AD DS to your Azure virtual machines

This configuration is a hybrid deployment of AD DS on-premises and in Azure. It requires:
• A virtual network in Azure IaaS.
• A site-to-site VPN or ExpressRoute connection.
• Extending your on-premises, private IP address range to virtual machines in the virtual network.
• Deploying one or more domain controllers in the Azure virtual network designated as a global catalog server, which reduces egress traffic across the VPN connection.

[Figure: Azure IaaS virtual networks (Your AD DS & DNS, a VPN gateway, and LOB apps) connected by a VPN connection or ExpressRoute to Your on-premises or private cloud datacenter (AD DS, VPN device/router).]

When to use which solution

Use Azure AD Domain Services when your applications require domain services support for:
• Server application management.
• Server login.
• User authentication over Kerberos, NTLM, or LDAP.
• Directory lookup over LDAP/LDAPS.

For more information, see Common use cases and scenarios.

Extend your on-premises AD DS domain to Azure when you require:
• Schema extensibility.
• Ability to write to existing directory identities.
• Support for applications in Azure virtual networks where network isolation is a requirement.
• Support across multiple Azure subscriptions.
• Certificate or smartcard-based authentication for applications.

For more information, see Safely virtualizing Active Directory Domain Services.

Connectivity options

Virtual private network (VPN)
• Site-to-Site: Connect 1–10 sites (including other Azure virtual networks) to a single Azure virtual network.
• Point-to-Site: Connect a single machine to an Azure virtual network.

ExpressRoute
A private, dedicated link to Azure IaaS via a cloud exchange, point-to-point Ethernet, or any-to-any (IP VPN) provider.
• Predictable performance
• Lower latencies
