Abstract
This guide helps you deploy a unified identity and access management solution with Microsoft Azure Active Directory. The
primary emphasis is on managing identity lifecycle across your corporate employees and thousands of seasonal and
temporary staff.
Intended Audience
Identity Architects, Deployment Advisors, and System Integrators
Microsoft Corporation
Managing Identity Lifecycles at Scale
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a
convenience to you. Any such references should not be considered an endorsement or support by
Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the
descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For
authoritative descriptions of these products, please consult their respective manufacturers.
© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without
express authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
Table of Contents
Overview
Reference
Overview
Azure Active Directory (AD) Premium enables you to create a unified identity and access management
(IAM) system that integrates different kinds of identities from multiple sources within your organization.
Azure AD Premium makes it easier to cope with typical IAM challenges such as the following:
▪ Multiple identity repositories. Without a single authoritative source of identity, such as an Active
Directory forest, Human Resources (HR) system, Lightweight Directory Access Protocol (LDAP)
directory, relational database, and so on, some organizations have no unique identity for employees,
particularly casual workers.
▪ Different identity types. Different categories of people, such as kiosk workers, full-time employees,
hourly wage workers, consumers, suppliers, partners and so on have differing identity needs and
characteristics.
▪ Disjointed or ad-hoc tools and solutions. The typical organic evolution of many organizations’ IT
systems results in multiple, often incompatible solutions to address IAM challenges like group
management, remote access, password management, provisioning, business to business collaboration
and so on.
▪ Differing regulatory requirements. Specific industry sectors may need to address defined regulatory
requirements. One example in the retail industry is Payment Card Industry (PCI).
▪ Multiple stakeholders. To compete effectively, modern agile organizations may define multiple
reporting lines and areas of responsibility that span different business units within the organization.
Azure AD gives you effective solutions for extending on-premises identities into the cloud through single
sign-on or same sign-on authentication techniques in order to address the above challenges.
The following illustration provides an example of the “identity lifecycle at scale” solution that uses Azure
AD cloud services to integrate with a complex retail on-premises infrastructure.
Key Concepts
The following sections provide background to help you understand the benefits and technical
considerations of deploying and managing Azure AD.
Azure AD Connect
Azure AD Connect integrates on-premises identity systems, such as Windows Server Active Directory,
LDAP directories and transactional databases, with Azure Active Directory. It also connects and
authenticates your users to Office 365, Azure and thousands of Software as a Service (SaaS) applications.
This integration includes on-premises identity synchronization to and from the cloud and, optionally,
single sign-on configuration with Active Directory Federation Services (AD FS).
Single Sign-On
Single sign-on lets you access all the resources you need to do business by signing in once using a single
user account. After signing on via password, Personal Identification Number (PIN), or smartcard, you can
run any of your authorized applications or connect to shares and data stores without having to
authenticate a second time.
Same Sign-On
Same Sign-On enables use of the same set of credentials to access multiple resources. For example, an
information worker logged onto his Windows computer with a username and password can go to a cloud
resource and supply the same username and password to get access. Azure AD enables same sign-on
through password hash synchronization.
Identity Namespace
The Identity Namespace is the suffix of the UPN. In the case of bob@contoso.com, the identity
namespace is “contoso.com.” The Identity Namespace is also known as the domain or UPN suffix.
Tenant Name
The Azure AD Tenant name is a string, e.g., “Contoso,” that you set when creating a tenant account in the
Azure management portal. The tenant name is prepended to the onmicrosoft.com domain to create the
initial tenant domain and UPN, in the form contoso.onmicrosoft.com. This name will be exposed to end
users in some scenarios, so selecting the tenant name is a critical factor in the user experience. See Key
Considerations – Tenant Name.
Kiosk Worker
Kiosk workers are users whose primary job does not involve the continual use of a dedicated device or
computer. Examples include sales staff in retail stores, factory workers, or stores operatives. Typically,
these employees do not require access to on-premises resources. Therefore, they might not even have an
account in Active Directory—their identities are instead stored in the HR system. Azure AD enables these
users to complete tasks like accessing SaaS applications for time card management (clocking in and out),
collaborating, or initiating self-service HR queries such as holiday requests.
Information Worker
Information workers are typically full-time employees. These users create and consume internal
information and therefore require access to corporate data. Information workers include members of the
marketing, sales or design departments and so on, and may manage other employees. They use
dedicated devices or computers joined to the on-premises directory, and their identities are stored in
Active Directory or another directory service.
Identity Lifecycle
The Identity Lifecycle consists of phases within the IDaaS solution. These phases include the following
elements:
Learn More: Assign administrator roles in Azure Active Directory, Office 365
Information Worker
8. Filter out accounts that do not need to be synchronized. Only specific users, groups and device objects need to be
synchronized with Azure AD.
Learn More: Prepare for directory sync; Azure AD Connect sync: Configure Filtering
9. Define a strategy to identify objects uniquely. This establishes the immutable link between an on-premises object and its
manifestation in the cloud.
Learn More: Azure AD Connect: Design concepts
10. Identify the attributes of initial Azure AD workloads. Define the information on each object that you want to be available
in the cloud.
Learn More: Azure AD Connect sync: Attributes synchronized to Azure Active Directory
11. Define features for Azure AD synchronization for on-premises objects. Check items such as whether to write back
passwords/devices, synchronize passwords, or propagate accounts to the cloud automatically.
Learn More: Integrating your on-premises identities with Azure Active Directory
12. Define the authentication approach (Federation or password hash sync). Determine whether you want Azure AD or the
on-premises federation service to perform authentication. In addition, determine whether you want to keep the on-premises
usernames and domain names or clean them up.
Learn More: Federated Identity Pattern; Implementing password synchronization with Azure AD Connect sync
13. Remediate on-premises identities. Prepare all identities for error-free synchronization to the cloud.
Learn More: Prepare directory attributes for synchronization with Office 365 by using the IdFix tool
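Steps 9, 12 and 13 can be rehearsed before the first synchronization with a readiness report run against the on-premises directory. The script below is an added example and is not part of this whitepaper or of Azure AD Connect: it uses the ActiveDirectory module, the search base and the list of verified domain suffixes are placeholders, and the character check is a simplified subset of what IdFix validates, so IdFix should still be run before the initial sync.

```powershell
# Added example (not from the whitepaper). Run on a domain-joined machine with the RSAT AD module.
Import-Module ActiveDirectory

# Placeholders: adjust to your forest and to the domains verified in the Azure AD tenant.
$SearchBase       = 'OU=Users,DC=contoso,DC=com'
$VerifiedSuffixes = @('contoso.com', 'contoso.onmicrosoft.com')

# Simplified rule (assumption, not the full IdFix rule set): the part of the UPN before '@'
# may contain letters, digits and the characters . - _ ! # ^ ~
$UpnPrefixPattern = '^[A-Za-z0-9.!#^~_-]+$'

function Get-ImmutableId {
    # Step 9: the default source anchor is objectGUID; Azure AD stores it base64-encoded as immutableId.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-SyncReadiness {
    param([string]$SearchBase, [string[]]$VerifiedSuffixes)

    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
                -Properties objectGUID, userPrincipalName, mail, proxyAddresses, sAMAccountName
    $seenAddresses = @{}   # lower-cased address -> first sAMAccountName that carried it

    foreach ($u in $users) {
        $issues = @()
        $upn = $u.userPrincipalName

        if ([string]::IsNullOrEmpty($upn)) {
            $issues += 'missing UPN'
        } else {
            $prefix, $suffix = $upn -split '@', 2
            # Step 12: a suffix that is not verified in the tenant (old brand, acquired domain, unused
            # geography) is replaced by the tenant's .onmicrosoft.com domain at sync time; fix or exclude first.
            if ($VerifiedSuffixes -notcontains $suffix) { $issues += "unverified UPN suffix '$suffix'" }
            # Step 13: characters that IdFix would flag.
            if ($prefix -notmatch $UpnPrefixPattern) { $issues += 'invalid character in UPN prefix' }
        }

        # Step 13: mail and proxyAddresses must be unique across the directory or Azure AD rejects the object.
        foreach ($addr in @($u.mail) + @($u.proxyAddresses)) {
            if ([string]::IsNullOrEmpty($addr)) { continue }
            $key = $addr.ToLowerInvariant()
            if ($seenAddresses.ContainsKey($key)) {
                $issues += "duplicate address '$addr' (also on $($seenAddresses[$key]))"
            } else {
                $seenAddresses[$key] = $u.sAMAccountName
            }
        }

        [pscustomobject]@{
            SamAccountName = $u.sAMAccountName
            UPN            = $upn
            ImmutableId    = Get-ImmutableId -ObjectGuid $u.objectGUID
            Issues         = ($issues -join '; ')
        }
    }
}

# Usage: list only the objects that need remediation (or a filtering rule, per step 8) before the initial sync.
Test-SyncReadiness -SearchBase $SearchBase -VerifiedSuffixes $VerifiedSuffixes |
    Where-Object Issues | Format-Table -AutoSize
```

The ImmutableId column is worth keeping from this run: once the first export has happened, the link between an on-premises object and its cloud manifestation is fixed, so any later change of the anchor attribute results in a new cloud object rather than an update.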
▪ How to onboard new identities that are not on-premises (kiosk workers)
▪ How to synchronize identities that are already on-premises (information workers)
▪ What to expect during each phase of the identity lifecycle
The options described assume that the provisioning and de-provisioning of these new identities ties into
the company’s HR application as the authoritative identity source. In the following diagrams, the on-
premises synchronization component is a generic process replaceable with any of the options described
in the subsequent section Synchronize on-premises identities (Information Workers).
Advantages:
▪ Kiosk Worker identities now stored in Azure AD, while the HR system remains the authoritative source.
Tradeoffs:
▪ Additional effort to design, implement, test and maintain the integration layer.
▪ Disparate tools and workflows required to manage the identity lifecycle for all the relevant identities.
Advantages:
▪ Simple integration, fully automated through the SaaS HR application.
Learn More: Inbound Provisioning
Tradeoffs:
▪ Inbound provisioning limited to Workday as the data source and a very narrow set of attributes.
▪ Disparate tools and workflows required to manage the identity lifecycle for all identities.
Advantages:
▪ Kiosk worker identities only present in Azure AD.
▪ Write-back opportunity through the MIM connector infrastructure.
Tradeoffs:
▪ Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
▪ Disparate tools and workflows required to manage the identity lifecycle for all identities.
Figure 6: Kiosk and information workers consolidated on-premises and synchronized to Azure AD
Advantages:
▪ Single cloud synchronization strategy through Azure AD Connect.
▪ Common tools to manage all identities in on-premises Active Directory.
▪ Common tools to unify the user experience, such as federated login, password management, and so on.
▪ Provision of additional features through MIM connector infrastructure.
Tradeoffs:
▪ Additional complexity from designing, implementing, testing and maintaining the MIM 2016 connectors and rules.
▪ Greater loading on the on-premises Active Directory from the kiosk identities, which affects factors such as the size of
the directory information tree and replication latency.
▪ More identities on-premises, generating more risk of unintended access to on-premises resources.
Helpful Tips
Since kiosk users will not log onto the on-premises Active Directory, consider the aspects below for Password Hash Sync domains:
Run the following PowerShell cmdlets from the Azure AD Connect Server to synchronize the passwords of kiosk workers who
are marked as “users must change password at next logon” (common case when creating new user accounts):
Import-Module ADSync
Set-ADSyncAADCompanyFeature `
-ConnectorName "<case sensitive aad connector name>" `
-ForcePasswordResetOnLogonFeature $true
Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords in the cloud
are marked to never expire when synchronized from on-premises.
If you disable the Kiosk workers’ user accounts on premises based on your security policies, then you need to perform the
following steps to allow users to change their passwords in the cloud and write back on-premises:
1. Re-execute the Azure AD Connect wizard, unchecking the password write back checkbox.
Advantages:
▪ MIM supports multiple types of connectors so you can connect directly to multiple data sources.
Learn More: Connectors
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
Tradeoffs:
▪ Initial deployment and ongoing maintenance requires a complex engagement from the Azure AD product group,
Microsoft Premier Support, Microsoft Consulting Services, or a Microsoft Partner.
Advantages:
▪ This option is easier to implement if you have already deployed MIM in your organization.
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
Tradeoffs:
▪ Capabilities of the MIM connector to the cloud are limited compared to Azure AD Connect, which has features such
as write-back.
▪ May not be a future-proof solution.
Figure 9: Integrate multiple repositories to Active Directory with MIM and use Azure AD Connect to connect to the cloud
Advantages:
▪ MIM supports multiple types of connectors so you can connect directly to multiple data sources.
Learn More: Connectors
▪ You benefit from optimizations and investments in Azure AD Connect. Improvements come automatically.
▪ New identities from disparate HR systems get the same authentication experience once they are integrated into
the on-premises Active Directory.
Tradeoffs:
▪ You need enough Client Access Licenses (CALs) to incorporate users who have lacked on-premises accounts
into your directory.
▪ Additional Infrastructure may be required.
Helpful Tips
Since kiosk users will not log onto the on-premises Active Directory, consider the aspects below for Password Hash Sync domains:
Run the following PowerShell cmdlets from the Azure AD Connect Server to synchronize the passwords of kiosk workers who
are marked as “users must change password at next logon” (common case when creating new users):
Import-Module ADSync
Set-ADSyncAADCompanyFeature `
-ConnectorName "<case sensitive aad connector name>" `
-ForcePasswordResetOnLogonFeature $true
Contact Microsoft Support to enable expiration of the password in the cloud. This is needed because passwords in the cloud
are marked to never expire when synchronized from on-premises.
If you disable the Kiosk worker user accounts on premises based on your security policies, then you need to perform the
following steps to allow users to change their passwords in the cloud and write back on-premises:
1. Re-execute the Azure AD Connect wizard, unchecking the password writeback checkbox.
2. Update the file “%ProgramFiles%\Microsoft Azure AD
Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config” to contain the following
value:
<add key="ConvertChangePasswordToResetPasswordForDisabledUser" value="true"/>
3. Re-execute the Azure AD Connect wizard, checking the password writeback checkbox.
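Both Helpful Tips boxes describe the same three actions. The script below is an added example, not from the whitepaper or from the Azure AD Connect product, that performs the cmdlet and the .config edit from an elevated session on the Azure AD Connect server. The connector name is the placeholder from the tips and the file path is the one given in step 2; the assumption that the .config file carries a standard <appSettings> section is mine, and the two wizard runs remain manual.

```powershell
# Added example (not from the whitepaper). Run in an elevated session on the Azure AD Connect server.
Import-Module ADSync

$ConnectorName = '<case sensitive aad connector name>'   # placeholder from the tips above
$ConfigPath    = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.dll.config'

function Enable-ForcePasswordResetOnLogon {
    # Tip 1: kiosk workers never log on on-premises, so a "must change password at next logon"
    # account would otherwise never get its password hash synchronized.
    param([Parameter(Mandatory)][string]$ConnectorName)
    Set-ADSyncAADCompanyFeature -ConnectorName $ConnectorName -ForcePasswordResetOnLogonFeature $true
    # Confirm the feature state (assumption: this build accepts -ConnectorName, as Set- does).
    Get-ADSyncAADCompanyFeature -ConnectorName $ConnectorName
}

function Set-DisabledUserPasswordResetKey {
    # Tip 3, step 2: when the on-premises account is disabled, a cloud password change is
    # converted into a reset so that writeback still succeeds.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Config file not found: $Path" }
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a backup before editing

    [xml]$cfg = Get-Content -Path $Path -Raw
    $root = $cfg.DocumentElement                       # <configuration> in a standard .NET .config
    $appSettings = $root.SelectSingleNode('appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $root.AppendChild($cfg.CreateElement('appSettings'))
    }

    $key  = 'ConvertChangePasswordToResetPasswordForDisabledUser'
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($null -eq $node) {
        $node = $appSettings.AppendChild($cfg.CreateElement('add'))
        $node.SetAttribute('key', $key)
    }
    $node.SetAttribute('value', 'true')                # idempotent: re-running leaves one entry
    $cfg.Save($Path)
}

# Order matters: writeback off (wizard), edit the file, writeback on (wizard).
Enable-ForcePasswordResetOnLogon -ConnectorName $ConnectorName
Write-Host 'Step 1: run the Azure AD Connect wizard, uncheck password writeback, then press Enter.'
Read-Host | Out-Null
Set-DisabledUserPasswordResetKey -Path $ConfigPath
Write-Host 'Step 3: run the Azure AD Connect wizard again and check password writeback.'
```

Review the saved file once, since an Azure AD Connect upgrade may replace it and the key would then have to be re-applied. The password-expiry change in tip 2 is a tenant-side setting that the tips route through Microsoft Support, so it is deliberately not scripted here.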
Servicing
Expected experience on password lifecycle events with self-service password management enabled (where an event
behaves differently per identity option, the values are listed in the original column order):
Mark account as disabled/deleted in Azure AD: Immediate | After a sync cycle with on-premises | After a sync cycle with
on-premises | After a sync cycle from HR SaaS app
Block new logins to Azure AD: Immediate | After a sync cycle with on-premises | Immediate | After a sync cycle from HR
SaaS app
Invalidate existing Azure AD sessions: Immediate
Invalidate existing SaaS application sessions: Dependent on the application. Azure AD cannot control the cookie lifetime
of applications.
Disable/Delete user profiles in SaaS applications that support outbound provisioning: 5 minutes by default, after the
account is marked as disabled in Azure AD. (Configurable through provisioning properties.)
Disable/Delete user profiles in SaaS applications that do not support outbound provisioning: Manual clean-up required.
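The difference between "Immediate" and "After a sync cycle with on-premises" in the table comes from where the account state is mastered. The following added example (not part of the whitepaper) offboards one user accordingly: a synchronized identity is disabled in Active Directory and a delta sync is requested, a cloud-only identity such as a kiosk worker is disabled directly in Azure AD, and refresh tokens are revoked in both cases. It assumes the AzureAD, ActiveDirectory and ADSync modules are available on the Azure AD Connect server, that Connect-AzureAD has already been run, and uses a placeholder UPN.

```powershell
# Added example (not from the whitepaper). Run on the Azure AD Connect server after Connect-AzureAD.
Import-Module AzureAD
Import-Module ActiveDirectory
Import-Module ADSync

function Disable-WorkerAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $cloudUser = Get-AzureADUser -ObjectId $UserPrincipalName   # -ObjectId accepts a UPN

    if ($cloudUser.DirSyncEnabled) {
        # Synchronized identity: accountEnabled is mastered on-premises, so the block in Azure AD
        # only takes effect "after a sync cycle with on-premises". Disable in AD and ask for a delta sync.
        $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'"
        if ($null -eq $adUser) { throw "No on-premises account found for $UserPrincipalName" }
        Disable-ADAccount -Identity $adUser
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        $blockTiming = 'after the delta sync cycle completes'
    } else {
        # Cloud-only identity (kiosk worker provisioned from HR): the block is "Immediate".
        Set-AzureADUser -ObjectId $cloudUser.ObjectId -AccountEnabled $false
        $blockTiming = 'immediate'
    }

    # Session invalidation is cloud-side and therefore immediate for both kinds of identity:
    # refresh tokens stop working now, while access tokens already issued live until they expire,
    # and SaaS application cookies are outside Azure AD's control (see the table above).
    Revoke-AzureADUserAllRefreshToken -ObjectId $cloudUser.ObjectId

    [pscustomobject]@{
        UPN                  = $UserPrincipalName
        Synchronized         = [bool]$cloudUser.DirSyncEnabled
        NewLoginsBlocked     = $blockTiming
        RefreshTokensRevoked = $true
    }
}

# Usage (placeholder UPN):
Disable-WorkerAccess -UserPrincipalName 'kiosk.worker@contoso.com' | Format-List
```

Profiles in SaaS applications follow the last two rows of the table: applications with outbound provisioning pick up the disabled state on their own schedule, and the rest still need a manual clean-up step after this script runs.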
Helpful Tips
Modeling access to resources through Azure AD groups will give you self-service group management, delegated
administration and attribute-based access control to applications and license assignment.
Learn More: Managing access to resources with Azure Active Directory groups
Control functions such as auditing and attestation are built into Azure AD reporting.
Learn More: Azure Active Directory audit report events
Password management is available through Azure AD for both on-premises and cloud identities. It enables self-service password
reset and change, as well as account unlock, freeing up help desk resources.
Learn More: Getting started with Password Management
SharePoint
Yammer
Having on-premises domain names or user accounts that should not be moved to the cloud is common.
For example, names associated with old branding, domain names from acquired companies, domains
from unused geographies or cost centers and bad usernames should not be migrated or synchronized
with the cloud.
The following table provides typical requirements, how they can be met with Azure AD, and the tradeoffs
of each option:
Sign-in Experience
Deploying the cloud identity solution gives users single sign-on to SaaS applications including Office 365
and other services configured by the Azure AD tenant owner. The following table lists some important
items to consider when you get close to launching the solution’s infrastructure for your information and
kiosk workers:
User Interface look and feel: Before launching your cloud identity solution, it is important to determine branding, and
appreciate its effect on the user experience. Ideally, you want to provide branding for information workers and kiosk
workers that resembles their on-premises login experience.
Learn More: Add company branding to your sign-in and Access Panel pages
Organizational Security
Using Azure AD, IT administrators can more easily identify and mitigate security threats, address
regulatory compliance requests, and meet the reporting requirements of business owners.
For a general discussion of security in the cloud, see the following articles:
The following table maps Azure AD Connect roles to organizational team structure.
Because the identity system controls access to many high-value business assets, the identity service
should be considered a key security asset and a likely target for attack. Organizations need to implement
appropriate controls to protect their sensitive data, whether this data is hosted on-premises or in the
cloud. Learn more via the links provided:
Privacy
▪ Which attributes are sent to the cloud? Learn More: Azure AD Connect sync: Attributes synchronized to Azure
Active Directory
▪ How is privacy managed in the Azure Cloud? Learn More: Microsoft Trust Center - Privacy
Compliance
▪ What cloud certifications does Azure have? Learn More: Microsoft Trust Center - Compliance
▪ What cloud certifications does Azure have for the retail industry? Learn More: Microsoft Trust Center - PCI
Operations
▪ Operational guide for Azure AD Connect. Learn More: Azure AD Connect sync: Operational tasks and consideration
▪ Azure AD Connect Health. Learn More: Monitor your on-premises identity infrastructure and synchronization
services in the cloud
Reference
For more information about Azure Active Directory, see https://azure.microsoft.com/en-gb/services/active-directory/