Enterprise Auth(n) Solutions
With Microsoft’s Active Directory stepping up to the plate as the preferred and predominant underlying service platform for cloud enterprise user authentication and authorization, we are commonly asked, “How are businesses routinely maintaining compliance for the underlying service accounts that support and make the whole darn thing function?” From a top-down view, let’s first be clear about what is being discussed.
Azure AD shepherds authentication and authorization for nearly the complete suite of Office 365 SaaS-based services, including:
• SharePoint Online team sites
• OneDrive for Business
• Skype for Business
• Office 365 mobile apps
• Mobile Device Management
• Intune
• Enterprise Mobility Suite (EMS)
• Exchange Online
• Self Service Password Reset Portal
• Groups (next evolution of email distribution lists)
• Planner (lite version of Project)
Making partial or full use of the many new services available through the Azure AD Connect suite, including Azure AD Premium, brings specific permissioning requirements that businesses ought to grasp, adopt and implement appropriately. Yes, these new “rich” features are rapidly becoming available and are being adopted cleverly. Why be left behind?
Another subtle, but certainly important, piece of this provisioning puzzle is how best to implement the following services for 1.) on-premises AD and 2.) Azure AD:
• Password Sync
• Password Write-Back
• Exchange Hybrid
• Device & Group Write-Back
Additional deployment considerations:
Azure Health and Alerting Services. Will the business integrate its new Azure AD with on-premises services that provide the much-needed health monitoring and alerting for:
• Directory Sync
• ADFS servers
• Web Application Proxy
• Active Directory Domain Controllers
We are commonly asked, “What are the appropriate rights required to create and maintain such a hybrid deployment between the on-premises world and the cloud Azure Active Directory?”
DTS advocates simple solutions, free of complications, yet effective, with properly defined requirements that align to business needs.
When determining how best to set up and maintain your service account roles, it is extremely important, and cannot be overstressed, to grant your dedicated service account(s) only the access rights they actually need. Any security expert will insist on a least-privilege access model that grants only the minimal level of privileges. Which service is being implemented directly determines the access rights required on both the on-premises side and the cloud side of the implementation. Reference: Azure AD Connect: Accounts and permissions.
When piecing the elements together, another important piece of the puzzle is proper network port assignment. The particular services deployed directly determine which ports and protocols must be opened, and between which hosts. Reference: Hybrid Identity Required Ports and Protocols – see Figure 1.1 below.
New, brilliant services are being brought to market that depend on your on-premises Active Directory working securely with your cloud Azure AD environment. Ensure you make the best of it. Example: GA for Azure AD auth(n) in SQL Database and SQL Data Warehouse.
Warmest Regards,
SHAWN MAY
DTS Inc. | Principal Architect & CEO
(888) 589-2999 | www.yourDTS.com
Specializing in Cloud & Infrastructure Solutions
Dynamic Technical Solutions is routinely engaged by enterprise companies for guidance on and implementation of cloud and infrastructure solutions. We do not write software or sell hardware. Our expertise lies in business requirements gathering, project planning and vetting, security, and implementation. With over 20 years of architecting and engineering business solutions, DTS is your trusted Microsoft Partner. No job is too big.