Active Directory – refresher!
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It ships with Windows Server as the Active Directory Domain Services role; a server running that role is a domain controller. Active Directory stores and manages information about network resources, including user accounts, computers, and other devices, as well as application-specific data such as Group Policy settings. It provides centralized authentication (Kerberos and NTLM) and authorization for users and computers, as well as network-wide management of security and access control.
Active Directory was first introduced in 1999 as part of Windows 2000 Server. It was designed to replace the flat Windows NT 4.0 domain model (SAM-based domains replicated from a PDC to BDCs) with a more robust, scalable and integrated directory service for Windows networks.
The original release in Windows 2000 Server was built on LDAP and Kerberos and already provided the hierarchical forest, domain and organizational-unit structure, Group Policy, and multiple domains per forest. Windows Server 2003 added forest trusts, domain rename, application directory partitions and linked-value replication, and raised the practical limits on forest and group size.
Windows Server 2008 renamed the directory role Active Directory Domain Services (AD DS), introduced read-only domain controllers (RODCs) and fine-grained password policies, and shipped Active Directory Lightweight Directory Services (AD LDS, formerly ADAM) as a standalone LDAP directory for applications that do not need a full domain.
Windows Server 2012 did not introduce domain trees or forests (those date from Windows 2000); it added virtualization-safe domain controllers and DC cloning, deployment through Server Manager and PowerShell instead of dcpromo, group Managed Service Accounts (gMSA) and Dynamic Access Control.
Windows Server 2016 focused on security, adding Privileged Access Management with time-limited group membership (expiring links) and tighter integration with Azure AD.
More recently Microsoft has added Azure AD Domain Services, a managed domain in Azure that offers Kerberos, NTLM, LDAP and Group Policy to cloud workloads without deploying domain controllers (it complements rather than replaces on-premises AD), as well as Azure AD authentication for Remote Desktop Services and for Azure Files SMB shares.
Azure Active Directory
Azure Active Directory (Azure AD; renamed Microsoft Entra ID in 2023, this page keeps the older name) is Microsoft's cloud-based identity and access management service. Despite the name it is not built on the same technology as on-premises AD: it is a separate multi-tenant directory that speaks HTTP-based protocols (OAuth 2.0, OpenID Connect, SAML and WS-Federation) rather than LDAP and Kerberos, and it is designed to work seamlessly with other Microsoft cloud services such as Office 365 and Microsoft Intune.
Azure AD provides a variety of features to help organizations manage and secure access to their resources, including:
- User and group management
- Authentication and single sign-on (SSO)
- Multi-factor authentication (MFA)
- Conditional access
- Identity protection
- Device management
- Application management
Azure AD can be used to manage identities for cloud-based applications such as Office 365 and for on-premises applications that are integrated with Azure AD through Azure AD Connect. It also authenticates users for access to resources in the Azure cloud platform. With Azure AD, organizations can manage their identities, applications and devices from a single location and synchronize selected objects from on-prem Active Directory.
Hybrid AD Identity
A hybrid AD identity is a combination of on-premises Active Directory (AD) and Azure Active Directory (Azure AD) that allows organizations to use their existing on-premises AD identities and infrastructure to authenticate users and manage access to both on-premises and cloud-based resources.
With a hybrid AD identity, organizations can synchronize their on-premises AD identities to Azure AD using Azure AD Connect. This allows users to use the same set of credentials for both on-premises and cloud-based resources, and also allows for single sign-on (SSO) to cloud-based resources such as Office 365, without the need for additional passwords.
Additionally, a hybrid AD identity can also be used to provide conditional access to cloud-based resources based on the user’s location or the device they are using, or to apply multi-factor authentication (MFA) for added security.
In a hybrid AD identity, organizations keep their on-prem AD as the primary source of identity and use Azure AD Connect as the bridge that replicates account attributes, group memberships and (only if password hash synchronization is enabled) password hashes into Azure AD, which then controls access to resources in the enterprise and beyond.
Azure AD Connect
Azure AD Connect is a tool developed by Microsoft that allows organizations to synchronize their on-premises Active Directory (AD) identities with Azure Active Directory (Azure AD). It is used to create a hybrid identity solution that allows users to use the same set of credentials for both on-premises and cloud-based resources and enables single sign-on (SSO) to cloud-based resources such as Office 365.
Azure AD Connect is used to perform the following tasks:
- Synchronization: It synchronizes users, groups, contacts and devices from on-premises AD to Azure AD, with OU and attribute filtering, on a scheduler that runs a delta cycle every 30 minutes by default. This is what lets users keep one identity for both on-premises and cloud-based resources.
- Password hash synchronization (PHS): It copies a salted, PBKDF2-hardened derivative of each user's NT hash into Azure AD, so Azure AD can validate passwords itself without contacting on-prem infrastructure.
- Pass-through authentication (PTA): It installs lightweight agents on-premises; Azure AD forwards the password entered at sign-in to an agent, which validates it against a domain controller. No password material is stored in the cloud.
- Federation: It configures Azure AD to redirect sign-in to an on-premises federation service (AD FS), and can deploy AD FS itself, enabling SSO to cloud-based resources such as Office 365 with authentication performed on-prem.
- Seamless SSO: It creates a computer account (AZUREADSSOACC) whose Kerberos key lets domain-joined devices sign in to Azure AD without re-entering credentials.
- Writeback: With the appropriate licensing it can write passwords (for self-service password reset), devices and groups back from Azure AD to on-prem AD.
Note that Azure AD Connect does not manage Group Policy, and multi-factor authentication and Conditional Access are features of Azure AD itself, not of Connect; Connect simply makes the synchronized identities available for those policies to act on.
Overall, Azure AD Connect is a key component of a hybrid AD identity solution, allowing organizations to manage and secure access to both on-premises and cloud-based resources from a single location.
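The list above separates synchronization from the three sign-in methods, and on an existing tenant the first thing to establish is which of them is actually in use. The following PowerShell is an added example, not code from this article or from Microsoft. It assumes the ADSync module on the Azure AD Connect server, the Microsoft.Graph module already signed in with Domain.Read.All, connector names of contoso.com and contoso.onmicrosoft.com - AAD, and that the PTA agent runs as the Windows service AzureADConnectAuthenticationAgent (all of these are assumptions to adjust for your environment).

```powershell
# Added example: inventory the hybrid sign-in configuration of a tenant.
# ADSync checks need to run on the Azure AD Connect server; the Graph check
# needs: Connect-MgGraph -Scopes 'Domain.Read.All'
# Connector names below are assumptions; see Get-ADSyncConnector for yours.

function Get-HybridSignInMethod {
    param(
        [string]$OnPremConnector = 'contoso.com',
        [string]$AadConnector    = 'contoso.onmicrosoft.com - AAD'
    )

    $result = [ordered]@{
        SyncScheduled        = $false
        PasswordHashSync     = $false
        PassThroughAuthAgent = $false
        FederatedDomains     = @()
    }

    # 1. Is the sync scheduler enabled (delta cycle every 30 minutes by default)?
    if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
        $sched = Get-ADSyncScheduler
        $result.SyncScheduled = [bool]$sched.SyncCycleEnabled
    }

    # 2. Password hash sync: if enabled, Azure AD holds a re-hashed copy of
    #    the NT hash and validates passwords itself.
    if (Get-Command Get-ADSyncAADPasswordSyncConfiguration -ErrorAction SilentlyContinue) {
        $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector
        $result.PasswordHashSync = [bool]$phs.Enabled
    }

    # 3. Pass-through authentication: a local agent validates passwords against
    #    a DC and the cloud stores nothing. The service name is an assumption.
    $svc = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    $result.PassThroughAuthAgent = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 4. Federation: for these domains Azure AD redirects sign-in to AD FS,
    #    so the password is only ever checked on-prem.
    if (Get-Command Get-MgDomain -ErrorAction SilentlyContinue) {
        $result.FederatedDomains = @(Get-MgDomain |
            Where-Object { $_.AuthenticationType -eq 'Federated' } |
            Select-Object -ExpandProperty Id)
    }

    [pscustomobject]$result
}

Get-HybridSignInMethod | Format-List
```

A tenant can have PHS enabled alongside PTA or federation as a fallback, so more than one flag being true is normal; what matters for the credential-storage discussion below is that PasswordHashSync is the only one that puts password-derived material in Azure AD.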
Credentials store for Hybrid Identity
In a hybrid AD identity, where a credential lives depends on where the account was created (which directory is authoritative for it) and on the sign-in method configured in Azure AD Connect.
On-prem AD accounts in the synchronized OUs are replicated to Azure AD unless they are excluded by an Azure AD Connect filter.
For those on-prem accounts, the on-prem AD is authoritative for the account and its credentials.
Any changes to such an account must be made on-prem; edits made in Azure AD are overwritten on the next sync cycle, except for attributes with writeback enabled, such as the password when password writeback is configured.
If the account or identity was created in the cloud first, Azure AD is the authoritative record keeper for that identity. The account is not written back to on-prem AD, and Azure AD remains the authoritative source for any identity changes.
For on-premises resources, the credentials are stored in the organization's on-premises Active Directory (AD) domain controllers. This includes user accounts, group membership, and other identity-related information.
For cloud-based resources, Azure AD holds the user, group and device objects synchronized from on-prem AD through Azure AD Connect. Whether it also holds a credential depends on the sign-in method: with password hash synchronization (PHS) it stores a salted, PBKDF2-hardened derivative of each synced user's NT hash; with pass-through authentication (PTA) or federation it stores no password material for synced users at all.
When a user signs in to a cloud-based resource, the password is checked where the credential lives: with PHS Azure AD validates it itself; with PTA Azure AD forwards it to an on-prem authentication agent that validates it against a domain controller; with federation the user is redirected to AD FS, which authenticates against on-prem AD and returns a signed token. In every case Azure AD then issues the token that the cloud resource consumes.
So the statement that credentials are never stored in more than one place is only true for PTA and federation. With PHS a derived hash exists in both directories, which is why the Azure AD Connect server and its service account need to be protected like a domain controller. In all three cases the on-prem AD remains the primary source of identity for synced accounts.
Other identity providers such as Google or Facebook are not brought in through Azure AD Connect or federation with on-prem AD; they are supported through Azure AD External Identities (B2B collaboration for guests and Azure AD B2C for customers), while employee identities remain mastered in the on-premises AD.
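The authority question above is answerable per account: a synced user carries the on-prem object's sourceAnchor (by default the objectGUID or mS-DS-ConsistencyGuid, base64-encoded) in its onPremisesImmutableId, while a cloud-mastered user has none. The PowerShell below is an added example, not from the article or from Microsoft. The function names ConvertTo-ImmutableId, ConvertFrom-ImmutableId and Get-IdentityAuthority are ours; the Graph property names and the ActiveDirectory module cmdlets are real. It assumes the Microsoft.Graph module signed in with User.Read.All and, for the on-prem half, the ActiveDirectory module on a domain member; the sample GUID at the end is constructed so that part runs with no directory at all.

```powershell
# Added example: tell whether an identity is mastered on-prem or in the
# cloud, and for synced users verify that the cloud anchor still points at
# the on-prem object. Function names are ours (not a Microsoft API).

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect's default anchor: base64 of the GUID's 16 raw bytes.
    # Guid.ToByteArray() yields the same byte order AD stores in objectGUID.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Get-IdentityAuthority {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Requires: Connect-MgGraph -Scopes 'User.Read.All'
    $u = Get-MgUser -UserId $UserPrincipalName -Property `
        'userPrincipalName','onPremisesSyncEnabled','onPremisesImmutableId','onPremisesLastSyncDateTime'

    if (-not $u.OnPremisesSyncEnabled) {
        # Cloud-mastered: Azure AD is authoritative, nothing to cross-check on-prem.
        return [pscustomobject]@{
            UPN           = $u.UserPrincipalName
            Authority     = 'Azure AD (cloud-mastered)'
            AnchorMatches = $null
            LastSync      = $null
        }
    }

    # Synced: on-prem AD is authoritative. Compare the cloud anchor against
    # both candidate source attributes of the on-prem object.
    $ad = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" `
                     -Properties objectGUID,'mS-DS-ConsistencyGuid'
    $candidates = @()
    if ($ad) {
        $candidates += ConvertTo-ImmutableId $ad.ObjectGUID
        $cg = $ad.'mS-DS-ConsistencyGuid'
        if ($cg) {
            if ($cg -is [guid]) { $cg = $cg.ToByteArray() }
            $candidates += [Convert]::ToBase64String([byte[]]$cg)
        }
    }

    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        Authority     = 'On-prem AD (synced)'
        AnchorMatches = ($candidates -contains $u.OnPremisesImmutableId)
        LastSync      = $u.OnPremisesLastSyncDateTime
    }
}

# Offline demonstration with a constructed GUID (no directory needed):
$sample = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$id = ConvertTo-ImmutableId $sample
"$sample -> $id"
(ConvertFrom-ImmutableId $id) -eq $sample   # anchor round-trips to the GUID
```

AnchorMatches being false for a synced user usually means the on-prem object was deleted and re-created (new objectGUID) without mS-DS-ConsistencyGuid carrying the old value, which is the classic cause of a duplicate or orphaned cloud account after a migration.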