Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Mastering Identity and Access Management with Microsoft Azure
Mastering Identity and Access Management with Microsoft Azure

Mastering Identity and Access Management with Microsoft Azure: Start empowering users and protecting corporate data, while managing Identities and Access with Microsoft Azure in different environments

Arrow left icon
Profile Icon Jochen Nickel
Arrow right icon
Free Trial
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.6 (5 Ratings)
Paperback Sep 2016 692 pages 1st Edition
eBook
₱1885.99 ₱2694.99
Paperback
₱3367.99
Subscription
Free Trial
Arrow left icon
Profile Icon Jochen Nickel
Arrow right icon
Free Trial
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.6 (5 Ratings)
Paperback Sep 2016 692 pages 1st Edition
eBook
₱1885.99 ₱2694.99
Paperback
₱3367.99
Subscription
Free Trial
eBook
₱1885.99 ₱2694.99
Paperback
₱3367.99
Subscription
Free Trial

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Mastering Identity and Access Management with Microsoft Azure

Chapter 1.  Getting Started with a Cloud-Only Scenario

Before jumping into the architecture and deployment of the Microsoft Azure IAM capabilities, we will first start with a business view to identify the important business needs and challenges of a cloud-only environment and scenario. Throughout this chapter, we will also discuss the main features of and licensing information for such an approach. Finally, we will round up with the challenges surrounding security and legal requirements.

The topics we will cover in this chapter are as follows:

  • Identifying business needs and challenges
  • An overview of feature and licensing decisions
  • Defining the benefits and costs
  • Principles of security and legal requirements

Identifying business needs and challenges

Oh! Don't worry, we don't intend to bore you with a lesson of typical IAM stories - we're sure you've come across a lot of information in this area. However, you do need to have an independent view of the actual business needs and challenges in the cloud area, so that you can get the most out of your own situation.

Common Identity and Access Management needs

Identity and Access Management (IAM) is the discipline that plays an important role in the actual cloud era of your organization. It's also of value to small and medium-sized companies, so that they can enable the right individuals to access the right resources from any location and device, at the right time and for the right reasons, to empower and enable the desired business outcomes. IAM addresses the mission-critical need of ensuring appropriate and secure access to resources inside and across company borders, such as cloud or partner applications.

The old security strategy of only securing your environment with an intelligent firewall concept and access control lists will take on a more and more subordinated role. There is a recommended requirement of reviewing and overworking this strategy in order to meet higher compliance and operational and business requirements. To adopt a mature security and risk management practice, it's very important that your IAM strategy is business-aligned and that the required business skills and stakeholders are committed to this topic. Without clearly defined business processes you can't implement a successful IAM functionality in the planned timeframe. Companies that follow this strategy can become more agile in supporting new business initiatives and reduce their costs in IAM.

The following three groups show the typical indicators for missing IAM capabilities on the premises and for cloud services:

  • Your employees/partners:
    • Same password usage across multiple applications without periodic changes (also in social media accounts)
    • Multiple identities and logins
    • Passwords are written down in Sticky Notes, Excel, etc.
    • Application and data access allowed after termination
    • Forgotten usernames and passwords
    • Poor usability of application access inside and outside the company (multiple logins, VPN connection required, incompatible devices, etc.) 
  • Your IT department:
    • High workload on Password Reset Support
    • Missing automated identity lifecycles with integrity (data duplication and data quality problems)
  • No insights in application usage and security
  • Missing reporting tools for compliance management
  • Complex integration of central access to Software as a Service (SaaS), Partner and On-Premise applications (missing central access/authentication/authorization platform)
  • No policy enforcement in cloud services usage
  • Collection of access rights (missing processes)
  • Your developers:
    • Limited knowledge of all the different security standards, protocols, and APIs
    • Constantly changing requirements and rapid developments
    • Complex changes of the Identity Provider

Implications of Shadow IT

On top of that, often the IT department will hear the following question: When can we expect the new application for our business unit? Sorry, but the answer will always take too long. Why should I wait? All I need is a valid credit card that allows me to buy my required business application, but suddenly another popular phenomenon pops up: The shadow IT! Most of the time, this introduces another problem - uncontrolled information leakage. The following figure shows the flow of typical information - and that which you don't know can hurt!

Implications of Shadow IT

The previous figure should not give you the impression that cloud services are inherently dangerous, rather that before using them you should first be aware that, and in which manner, they are being used. Simply migrating or ordering a new service in the cloud won't solve common IAM needs. This figure should help you to imagine that, if not planned, the introduction of a new or migrated service brings with it a new identity and credential set for the users, and therefore multiple credentials and logins to remember! You should also be sure which information can be stored and processed in a regulatory area other than your own organization. The following table shows the responsibilities involved when using the different cloud service models. In particular, you should identify that you are responsible for data classification, IAM, and end point security in every model:

Cloud Service Modell

IaaS

PaaS

SaaS

   

Responsibility

Customer

Provider

Customer

Provider

Customer

Provider

Data Classification

X

X

X

End Point Security

X

X

X

Identity and Access Management

X

X

X

X

X

Application Security

X

X

X

X

Network Controls

X

X

X

X

Host Security

X

X

X

Physical Security

X

X

X

The mobile workforce and cloud-first strategy

Many organizations are facing the challenge of meeting the expectations of a mobile workforce, all with their own device preferences, a mix of private and professional commitments, and the request to use social media as an additional means of business communication.

Let's dive into a short, practical, but extreme example. The AzureID company employs approximately 80 employees. They work with a SaaS landscape of eight services to drive all their business processes. On premises, they use Network-Attached Storage(NAS) to store some corporate data and provide network printers to all of the employees. Some of the printers are directly attached to the C-level of the company. The main issues today are that the employees need to remember all their usernames and passwords of all the business applications, and if they want to share some information with partners they cannot give them partial access to the necessary information in a secure and flexible way. Another point is if they want to access corporate data from their mobile device, it's always a burden to provide every single login for the applications necessary to fulfil their job. The small IT department with one Full-time Employee (FTE) is overloaded with having to create and manage every identity in each different service. In addition, users forget their passwords periodically, and most of the time outside normal business hours. The following figure shows the actual infrastructure:

The mobile workforce and cloud-first strategy

Let's analyze this extreme example to reveal some typical problems, so that you can match some ideas to your IT infrastructure:

  • Provisioning, managing, and de-provisioning identities can be a time-consuming task
  • There are no single identity and credentials
  • There is no collaboration support for partner and consumer communication
  • There is no Self-Service Password Reset functionality
  • Sensitive information leaves the corporation over email
  • There are no usage or security reports about the accessed applications/services
  • There is no central way to enable Multi-Factor Authentication (MFA) for sensitive applications
  • There is no secure strategy for accessing social media
  • There is no usable, secure, and central remote access portal

    Note

    Remember, shifting applications and services to the cloud just introduces more implications/challenges, not solutions. First of all, you need your IAM functionality accurately in place. You also need to always handle on-premises resources with minimal printer management.

An overview of feature and licensing decisions

With the cloud-first strategy of Microsoft, the Azure platform and their number of services grow constantly, and we have seen a lot of costumers lost in a paradise of wonderful services and functionality. This brings us to the point of how to figure out the relevant services for IAM for you and how to give them the space for explanation. Obviously, there are more services available that stripe this field with a small subset of functionality, but due to the limited page count of this book and our need for rapid development, we will focus on the most important ones, and will reference any other interesting content. The primary service for IAM is the Azure Active Directory service, which has also been the core directory service for Office 365 since 2011. Every other SaaS offering of Microsoft is also based on this core service, including Microsoft Intune, Dynamics, and Visual Studio Online. So, if you are already an Office 365 customer you will have your own instance of Azure Active Directory in place. For sustained access management and the protection of your information assets, the Azure Rights Management services are in place. There is also an option for Office 365 customers to use the included Azure Rights Management services. You can find further information about this by visiting the following link: http://bit.ly/1KrXUxz.

Let's get started with the feature sets that can provide a solution, as shown in the following screenshot:

An overview of feature and licensing decisions

Including Azure Active Directory and Rights Management helps you to provide a secure solution with a central access portal for all of your applications with just one identity and login for your employees, partners, and customers that you want to share your information with. With a few clicks you can also add MFA to your sensitive applications and administrative accounts. Furthermore, you can directly add a Self-Service Password Reset functionality that your users can use to reset their password for themselves. As the administrator, you will receive predefined security and usage reports to control your complete application ecosystem. To protect your sensible content, you will receive digital rights management capabilities with the Azure Rights Management services to give you granular access rights on every device your information is used.

Doesn't it sound great? Let's take a deeper look into the functionality and usage of the different Microsoft Azure IAM services.

Azure Active Directory

Azure Active Directory is a fully managed multi-tenant service that provides IAM capabilities as a service. This service is not just an instance of the Windows Server Domain Controller you already know from your actual Active Directory infrastructure. Azure AD is not a replacement for the Windows Server Active Directory either. If you already use a local Active Directory infrastructure, you can extend it to the cloud by integrating Azure AD to authenticate your users in the same way as on-premise and cloud services.

Staying in the business view, we want to discuss some of the main features of Azure Active Directory. Firstly, we want to start with the Access panel that gives the user a central place to access all his applications from any device and any location with SSO.

Azure Active Directory

Note

The combination of the Azure Active Directory Access panel and the Windows Server 2012 R2/2016 Web Application Proxy / ADFS capabilities provide an efficient way to securely publish web applications and services to your employees, partners, and customers. It will be a good replacement for your retired Forefront TMG/UAG infrastructure.

Over this portal, your users can do the following:

  • User and group management
  • Access their business relevant applications (On-premise, partner, and SaaS) with single-sign-on or single logon
  • Delegation of access control to the data, process, or project owner
  • Self-service profile editing for correcting or adding information
  • Self-service password change and reset
  • Manage registered devices

Azure Active Directory

With the Self-Service Password Reset functionality, a user gets a straight forward way to reset his password and to prove his identity, for example through a phone call, email, or by answering security questions.

Azure Active Directory

Note

The different portals can be customized with your own Corporate Identity branding. To try the different portals, just use the following links: https://myapps.microsoft.com and https://passwordreset.microsoftonline.com.

To complete our short introduction to the main features of the Azure Active Directory, we will take a look at the reporting capabilities. With this feature you get predefined reports with the following information provided. With viewing and acting on these reports, you are able to control your whole application ecosystem published over the Azure AD access panel.

  • Anomaly reports
  • Integrated application reports
  • Error reports
  • User-specific reports
  • Activity logs

Azure Active Directory

From our discussions with customers we recognize that, a lot of the time, the differences between the different Azure Active Directory editions are unclear. For that reason, we will include and explain the feature tables provided by Microsoft. We will start with the common features and then go through the premium features of Azure Active Directory.

Common features

First of all, we want to discuss the Access panel portal so we can clear up some open questions. With the Azure AD Free and Basic editions, you can provide a maximum of 10 applications to every user. However, this doesn't mean that you are limited to 10 applications in total. Next, the portal link: right now it cannot be changed to your own company-owned domain, such as https://myapps.inovit.ch. The only way you can do so is by providing an alias in your DNS configuration; the accessed link is https://myapps.microsoft.com. Company branding will lead us on to the next discussion point, where we are often asked how much corporate identity branding is possible. The following link provides you with all the necessary information for branding your solution:http://bit.ly/1Jjf2nw. Rounding up this short Q&A on the different feature sets is Application Proxy usage, one of the important differentiators between the Azure AD Free and Basic editions. The short answer is that with Azure AD Free, you cannot publish on-premises applications and services over the Azure AD Access Panel portal.

Features

AAD Free

AAD Basic

AAD Premium

Directory as a Service (objects)

500k

unlimited

unlimited

User/Group management (UI or PowerShell)

X

X

X

Access Panel portal for SSO (per user)

10 apps

10 apps

unlimited

User-based application access management/provisioning

X

X

X

Self-service password change (cloud users)

X

X

X

Directory synchronization tool

X

X

X

Standard security reports

X

X

X

High availability SLA (99.9%)

X

X

Group-based application access management and provisioning

X

X

Company branding

X

X

Self-service password reset for cloud users

X

X

Application Proxy

X

X

Self-service group management for cloud users

X

X

Premium features

The Azure Active Directory Premium edition provides you with the entire IAM capabilities, including the usage licenses of the on-premises used Microsoft Identity Manager. From a technical perspective, you need to use the Azure AD Connect utility to connect your on-premises Active Directory with the cloud and the Microsoft Identity Manager to manage your on-premises identities and prepare them for your cloud integration. To acquire Azure AD Premium, you can also use the Enterprise Mobility Suite (EMS) license bundle, which contains Azure AD Premium, Azure Rights Management, Microsoft Intune, and Advanced Threat Analytics (ATA) licensing. You can find more information about EMS by visiting http://bit.ly/1cJLPcM and http://bit.ly/29rupF4.

Features

Azure AD

Premium

Self-service password reset with on-premises write-back

X

Microsoft Identity Manager server licenses

X

Advanced anomaly security reports

X

Advanced usage reporting

X

Multi-Factor Authentication (cloud users)

X

Multi-Factor Authentication (On-premises users)

X

Azure AD Premium reference:

http://bit.ly/1gyDRoN

Note

MFA for cloud users is also included in Office 365. The main difference is that you cannot use it for on-premises users and services such as VPN or web servers.

Azure Active Directory Business to Business

One of the newest features based on Azure Active Directory is the new Business to Business (B2B) capability. The new product solves the problem of collaboration between business partners. It allows users to share business applications between partners without going through inter-company federation relationships and internally-managed partner identities. With Azure AD B2B, you can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. With this process, each company federates once with Azure AD and each user is then represented by a single Azure AD account. This option also provides a higher security level, because if a user leaves the partner organization, access is automatically disallowed. Inside Azure AD, the user will be handled as though a guest, and they will not be able to traverse other users in the directory. Real permissions will be provided over the correct associated group membership.

Azure Active Directory Business to Consumer

Azure Active Directory Business to Consumer (B2C) is another brand new feature based on Azure Active Directory. This functionality supports signing in to your application using social networks like Facebook, Google, or LinkedIn and creating developed accounts with usernames and passwords specifically for your company-owned application. Self-service password management and profile management are also provided with this scenario. Additionally, MFA introduces a higher grade of security to the solution. Principally, this feature allows small, medium and large companies to hold their customers in a separated Azure Active Directory with all the capabilities, and more, in a similar way to the corporate-managed Azure Active Directory. With different verification options, you are also able to provide the necessary identity assurance required for more sensible transactions. Azure B2C takes care about all the IAM tasks for own development application.

Azure Active Directory Privileged Identity Management

Azure AD Privileged Identity Management provides you with the functionality to manage, control, and monitor your privileged identities. With this option, you can build up an Role-based Access Control (RBAC) solution over your Azure AD and other Microsoft online services, such as Office 365 or Microsoft Intune. The following activities can be carried out with this functionality:

  • You can discover the actual configured Azure AD Administrators
  • You can provide just in time administrative access
  • You can get reports about administrator access history and assignment changes
  • You can receive alerts about access to a privileged role

The following built-in roles can be managed with the current version:

  • Global Administrator
  • Billing Administrator
  • Service Administrator
  • User Administrator
  • Password Administrator

Azure MFA

Protecting sensible information or application access with additional authentication is an important task not just in the on-premises world. In particular, it needs to be extended to every sensible cloud service used. There are a lot of variations for providing this level of security and additional authentication, such as certificates, smart cards, or biometric options. For example, smart cards depend on special hardware used to read the smart card and cannot be used in every scenario without limiting the access to a special device or hardware or. The following table gives you an overview of different attacks and how they can be mitigated with a well designed and implemented security solution.

Attacker

Security solution

Password brute force

Strong password policies

Shoulder surfing

Key or screen logging

One-time password solution

Phishing or pharming

Server authentication (HTTPS)

Man-in-the-Middle

Whaling (Social engineering)

Two-factor authentication

Certificate or one-time password solution

Certificate authority corruption

Cross Channel Attacks (CSRF)

Transaction signature and verification

Non repudiation

Man-in-the-Browser

Key loggers

Secure PIN entry

Secure messaging

Browser (read only)

Push button (token)

Three-factor authentication

The Azure MFA functionality has been included in the Azure Active Directory Premium capabilities to address exactly the attacks described in the previous table. With a one-time password solution, you can build a very capable security solution to access information or applications from devices that cannot use smart cards as the additional authentication method. Otherwise, for small or medium business organizations a smart card deployment, including the appropriate management solution, will be too cost-intensive and the Azure MFA solution can be a good alternative for reaching the expected higher security level.

In discussions with our customers, we recognized that many don't realize that Azure MFA is already included in different Office 365 plans. They would be able to protect their Office 365 with multi-factor out-of-the-box but they don't know it! This brings us to Microsoft and the following table, which compares the functionality between Office 365 and Azure MFA.

Feature

O365

Azure

Administrators can enable/enforce MFA to end-users

X

X

Use mobile app (online and OTP) as second authentication factor

X

X

Use phone call as second authentication factor

X

X

Use SMS as second authentication factor

X

X

App passwords for non-browser clients (for example, Outlook, Lync)

X

X

Default Microsoft greetings during authentication phone calls

X

X

Remember Me

X

X

IP Whitelist

X

Custom greetings during authentication phone calls

X

Fraud alert

X

Event confirmation

X

Security reports

X

Block/unblock users

X

One-time bypass

X

Customizable caller ID for authentication phone calls

X

MFA Server - MFA for on-premises applications

X

MFA SDK - MFA for custom apps

X

With the Office 365 capabilities of MFA, the administrators are able to use basic functionality to protect their sensible information. In particular, if integrating on-premises users and services, the Azure MFA solution is needed.

Note

Azure MFA and the on-premises installation of the MFA server cannot be used to protect your Windows Server DirectAccess implementation. Furthermore, you will find the customizable caller ID limited to special regions.

Azure Rights Management

More and more organizations are in the position of providing a continuous and integrated information protection solution to protect sensible assets and information. On the one hand is the department, which carries out its business activities, generates the data, and then processes. Furthermore, it uses the data inside and outside the functional areas, passes it, and runs a lively exchange of information.

On the other hand, revision is required by legal requirements that prescribe measures to ensure that information is dealt with and dangers such as industrial espionage and data loss are avoided. So, this is a big concern when safeguarding sensitive information.

While staff appreciate the many methods of communication and data exchange, this development starts stressing the IT security officers and makes managers worried. The fear is that critical corporate data stays in an uncontrolled manner and leaves the company or moves to competitors. The routes are varied, but data is often lost in inadvertent delivery via email. In addition, sensitive data can leave the company on a USB stick and smartphone, or IT media can be lost or stolen. In addition, new risks are added, such as employees posting information on social media platforms. IT must ensure the protection of data in all phases, and traditional IT security solutions are not always sufficient. The following figure illustrates this situation and leads us to the Azure Rights Management services.

Azure Rights Management

Like its other additional features, the base functional is included in different Office 365 plans. The main difference between the two is that only the Azure RMS edition can be integrated in an on-premises file server environment in order to be able to use the File Classification Infrastructure feature of the Windows Server file server role.

The Azure RMS capability allows you to protect your sensitive information based on classification information with a granular access control system. The following table, provided by Microsoft, shows the differences between the Office 365 and Azure RMS functionality. Azure RMS is included with E3, E4, A3, and A4 plans.

Feature

RMS O365

RMS Azure

Users can create and consume protected content by using Windows clients and Office applications

X

X

Users can create and consume protected content by using mobile devices

X

X

Integrates with Exchange Online, SharePoint Online, and OneDrive for Business

X

X

Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector

X

X

Administrators can create departmental templates

X

X

Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution)

X

X

Supports non-Office file formats: Text and image files are natively protected; other files are generically protected

X

X

RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android

X

X

Integrates with Windows file servers for automatic protection with FCI via the RMS connector

X

Users can track usage of their documents

X

Users can revoke access to their documents

X

In particular, the tracking feature helps users to find where their documents are distributed and allows them to revoke access to a single protected document.

Microsoft Azure security services in combination

Now that we have discussed the relevant Microsoft Azure IAM capabilities, you can see that Microsoft provides more than just single features or subsets of functionality. Furthermore, it brings a whole solution to the market, which provides functionality for every facet of IAM. Microsoft Azure also combines clear service management with IAM, making it a rich solution for your organization. You can work with that toolset in a native cloud-first scenario, hybrid, and a complex hybrid scenario and can extend your solution to every possible use case or environment. The following figure illustrates all the different topics that are covered with Microsoft Azure security solutions:

Microsoft Azure security services in combination

Defining the benefits and costs

The Microsoft Azure IAM capabilities help you to empower your users with a flexible and rich solution that enables better business outcomes in a more productive way. You help your organization to improve the regulatory compliance overall and reduce the information security risk. Additionally, it can be possible to reduce IT operating and development costs by providing higher operating efficiency and transparency. Last but not least, it will lead to improved user satisfaction and better support from the business for further investments.

The following toolset gives you very good instruments for calculating the costs of your special environment.

Principles of security and legal requirements

The classification of data, such as business information or personal data, is not only necessary for an on-premises infrastructure. It is the basis for the assurance of business-related information and is represented by compliance with official regulations. These requirements are of greater significance when using cloud services or solutions outside your own company and regulation borders. They are clearly needed for a controlled shift of data in an area in which responsibilities on contracts must be regulated. Safety limits do not stop at the private cloud, and are responsible for the technical and organizational implementation and control of security settings.

The subsequent objectives are as follows:

  • Construction, extension, or adaptation of the data classification to the Cloud Integration
  • Data classification as a basis for encryption or isolated security silos
  • Data classification as a basis for authentication and authorization

Microsoft itself has strict controls that restrict access to Azure to Microsoft employees. Microsoft also enables customers to control access to their Azure environments, data, and applications, as well as allowing them to penetrate and audit services with special auditors and regulations on request.

Note

A statement from Microsoft: Customers will only use cloud providers in which they have great trust. They must trust that the privacy of their information will be protected, and that their data will be used in a way that is consistent with their expectations. We build privacy protections into Azure through Privacy by Design.

You can get all the necessary information about security, compliance, and privacy by visiting the following link http://bit.ly/1uJTLAT.

Summary

Now that you are fully clued up with information about typical needs and challenges and feature and licensing information, you should be able to apply the right technology and licensing model to your cloud-only scenario. You should also be aware of the benefits and cost calculators that will help you calculate a basic price model for your required services. Furthermore, you can also decide which security and legal requirements are relevant for your cloud-only environments.

In the next chapter, we will design a sustainable cloud-only IAM environment. We will discuss the user and group life cycle and the roles and administrative units with the relevant identity reporting capabilities. We look forward to seeing you work on your design in the next chapter.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Deep dive into the Microsoft Identity and Access Management as a Service (IDaaS) solution
  • Design, implement and manage simple and complex hybrid identity and access management environments
  • Learn to apply solution architectures directly to your business needs and understand how to identify and manage business drivers during transitions

Description

Microsoft Azure and its Identity and Access Management is at the heart of Microsoft’s Software as a Service, including Office 365, Dynamics CRM, and Enterprise Mobility Management. It is an essential tool to master in order to effectively work with the Microsoft Cloud. Through practical, project based learning this book will impart that mastery. Beginning with the basics of features and licenses, this book quickly moves on to the user and group lifecycle required to design roles and administrative units for role-based access control (RBAC). Learn to design Azure AD to be an identity provider and provide flexible and secure access to SaaS applications. Get to grips with how to configure and manage users, groups, roles, and administrative units to provide a user- and group-based application and self-service access including the audit functionality. Next find out how to take advantage of managing common identities with the Microsoft Identity Manager 2016 and build cloud identities with the Azure AD Connect utility. Construct blueprints with different authentication scenarios including multi-factor authentication. Discover how to configure and manage the identity synchronization and federation environment along with multi -factor authentication, conditional access, and information protection scenarios to apply the required security functionality. Finally, get recommendations for planning and implementing a future-oriented and sustainable identity and access management strategy.

Who is this book for?

This book is for business decision makers, IT consultants, and system and security engineers who wish to plan, design, and implement Identity and Access Management solutions with Microsoft Azure.

What you will learn

  • Apply technical descriptions and solution architectures directly to your business needs and deployments
  • Identify and manage business drivers and architecture changes to transition between different scenarios
  • Understand and configure all relevant Identity and Access Management key features and concepts
  • Implement simple and complex directory integration, authentication, and authorization scenarios
  • Get to know about modern identity management, authentication, and authorization protocols and standards
  • Implement and configure a modern information protection solution
  • Integrate and configure future improvements in authentication and authorization functionality of Windows 10 and Windows Server 2016

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 30, 2016
Length: 692 pages
Edition : 1st
Language : English
ISBN-13 : 9781785889448
Vendor :
Microsoft
Languages :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Sep 30, 2016
Length: 692 pages
Edition : 1st
Language : English
ISBN-13 : 9781785889448
Vendor :
Microsoft
Languages :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₱260 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₱260 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 8,675.97
Mastering Identity and Access Management with Microsoft Azure
₱3367.99
Azure for Architects
₱2500.99
Implementing Azure Solutions
₱2806.99
Total 8,675.97 Stars icon

Table of Contents

16 Chapters
1. Getting Started with a Cloud-Only Scenario Chevron down icon Chevron up icon
2. Planning and Designing Cloud Identities Chevron down icon Chevron up icon
3. Planning and Designing Authentication and Application Access Chevron down icon Chevron up icon
4. Building and Configuring a Suitable Azure AD Chevron down icon Chevron up icon
5. Shifting to a Hybrid Scenario Chevron down icon Chevron up icon
6. Extending to a Basic Hybrid Environment Chevron down icon Chevron up icon
7. Designing Hybrid Identity Management Architecture Chevron down icon Chevron up icon
8. Planning Authorization and Information Protection Options Chevron down icon Chevron up icon
9. Building Cloud from Common Identities Chevron down icon Chevron up icon
10. Implementing Access Control Mechanisms Chevron down icon Chevron up icon
11. Managing Transition Scenarios with Special Scenarios Chevron down icon Chevron up icon
12. Advanced Considerations for Complex Scenarios Chevron down icon Chevron up icon
13. Delivering Multi-Forest Hybrid Architectures Chevron down icon Chevron up icon
14. Installing and Configuring the Enhanced Identity Infrastructure Chevron down icon Chevron up icon
15. Installing and Configuring Information Protection Features Chevron down icon Chevron up icon
16. Choosing the Right Technology, Methods, and Future Trends Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.6
(5 Ratings)
5 star 40%
4 star 20%
3 star 0%
2 star 40%
1 star 0%
Michael Lewis Dec 19, 2016
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is a really helpful book when it comes to working with Azure identity and access management. Most of the credit actually belongs to the detailed and thoughtful table of contents. This is logical and laid out the way I think, making it much better than just an index. This also makes it useful because most of us rarely work on this stuff in a linear manner. I was able to trouble shoot whatever issues I was having (most of my focus is on multi-factor authentication and RMS). Recommend this for anyone working in the IAM field
Amazon Verified review Amazon
Mrs D J Fraser Oct 16, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I'm told this is an excellent book if the content appeals!
Amazon Verified review Amazon
Amazon Customer Feb 24, 2019
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
Excellent book. Well written. Easy to understand. A very useful reference.
Amazon Verified review Amazon
Jimmy George Oct 30, 2018
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
The product is outdated and has not been revised with new features.
Amazon Verified review Amazon
Robert Seso Jan 02, 2017
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
The book is written in broken English and very difficult to follow, at times it feels like the text was translated from German to English using Google translator. I gave up on the first chapter after having to read some sentences several times, translating them in my head from broken English back to German and from there back to correct English to get the point. This is a pity, because the topics covered by the book are very interesting, the author should have written the book in his native language (German) and let a professional translator translate it to English.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.