
5/28/2019 Bookshelf

Module 11: Securing Azure Web Applications

Contents:
Module overview
Lesson 1: Azure Active Directory
Lesson 2: Azure AD Directories
Lesson 3: Azure AD Offerings
Lesson 4: Azure Key Vault
Lab: Integrating Azure Active Directory with the Events Administration Portal
Module review and takeaways

Module overview

Just like on-premises applications, applications in the cloud need streamlined
security mechanisms that are flexible. Azure Active Directory is an identity provider
that can provide identity and access functionality for your custom applications or
SaaS applications.

Lesson 1, "Azure Active Directory", introduces the Azure AD service. Lesson 2,
"Azure AD Directories", details how to create a directory in Azure AD. Lesson 3,
"Azure AD Offerings", describes the various offerings available in Azure AD such as
B2B, B2C, and multi-factor authentication. Lesson 4, "Azure Key Vault", introduces
the Azure Key Vault service designed to manage secrets for workloads and
applications.

https://skillpipe.com/#/reader/book/63339aa8-3526-4d88-8838-1654479abfd3 1/30

Objectives

After completing this module, you will be able to:

• Describe the Azure AD service.

• Explain the features that are available for the directories in Azure AD.

• Describe the Microsoft Azure Multi-Factor Authentication service.

Lesson 1: Azure Active Directory

Azure AD provides a suite of services that you can integrate with custom
applications, on-premises machines, existing domains, and third-party services.
This lesson describes the Azure AD service and its features and benefits.

Lesson objectives
After completing this lesson, you will be able to:

• Explain the benefits of Active Directory in Azure.

• List the Active Directory services in Azure.

Azure Active Directory Overview


Azure Active Directory (Azure AD) is a service that offers the identity and access
capabilities of Active Directory for use with your applications, whether they are
on-premises or hosted in the cloud. Azure AD can be used to:

• Implement single sign-on (SSO) and sign-out for your custom line-of-business
(LOB) applications and various third-party software as a service (SaaS) providers.

• Query and modify directory objects including users, applications, and groups by
using a standard API.

• Integrate your cloud applications and SaaS applications with your existing on-
premises identity management systems by syncing identities and optionally
credentials.
With identity sync, your existing corporate credentials can be used to authenticate to
new or existing applications that are hosted in Azure. These credentials can also be
used with third-party SaaS applications such as Dropbox, Intuit, or Skype. Azure AD
also offers a self-service portal where your users can optionally manage their own
passwords or groups. By using the password writeback feature, a password that a
user changes or resets in Azure AD is written back to your on-premises Active
Directory instance. The new password travels over an encrypted channel and
on-premises AD stores its own hash of it; the cloud password hash itself is never
copied back on-premises.

Application developers can use Azure AD as an identity provider in their custom
applications to provide a true SSO experience to users. An existing application can
be updated to use a specific Azure AD tenant for identity. Your SaaS applications can
also be modified to support Azure AD as an identity provider.

Azure AD is already in use by many cloud services today, such as Microsoft Intune
and Office 365. These services rely on the identity management capabilities provided
by Azure AD. These capabilities include a cloud-based store for directory data and a
core set of identity services including user logon processes and authentication and
federation services.
Relationship between Active Directory and Azure AD

Similar to how Active Directory serves as the data store for identities in your on-
premises environment, Azure AD provides a repository for all of your organization’s
directory data in the cloud, so that it can be readily available to all the services you
have subscribed to. Similar to how an LOB application might use Lightweight
Directory Access Protocol (LDAP) to access data in your local Active Directory, third-
party cloud applications can interact with your data in Azure AD by using the Graph
API.

Local or cloud applications use a similar methodology to access identity data stored
in a directory.

FIGURE 11.1: ACTIVE DIRECTORY AND AZURE AD

Azure AD Services

Azure AD is composed of multiple features. This module focuses on two of these
features, directories and Multi-Factor Authentication.

Directory Services

Azure AD provides conceptual directories where you can store related user accounts.
Directories can store identities synced from on-premises systems, identities created
in Azure, and third-party identities. These identities can then be configured for use
with SaaS applications.

Multi-Factor Authentication

Multi-Factor Authentication offers a second layer of authentication for your
applications that is completely managed. Your administrators simply need to
configure Multi-Factor Authentication and your applications can take advantage of the
feature by using Azure AD as the authentication (identity) provider. Multi-Factor
Authentication supports authentication from mobile apps, text messages, or phone
calls. Of these, the mobile app is the stronger option: text messages and phone calls
depend on the telephone network and can be defeated by SIM swapping or call
forwarding, so prefer the app where you can.

Access Control Service

Note: ACS is a deprecated service; Microsoft retired it in November 2018, after this
material was written. You might still inherit applications that were written against
it, so it is worth recognizing its model and planning a migration.

Access Control Service (ACS) is a service in Azure that federates multiple identity
providers to a single set of standardized claims. Normally you would need to write
code for each identity provider and handle their claims in a custom manner. ACS
allows you to add identity providers that implement OAuth 2.0 and map their claims to
a new set of claims. For example, you can use ACS to map the claims from
Microsoft, Google, Yahoo, and Facebook to a single set of claims that your
application can easily expect. This greatly reduces the amount of code that is
necessary to support multiple identity providers. ACS also supports identity providers
that use WS-Trust or WS-Federation as their protocols. ACS can also optionally host
a logon page for your application.

ASP.NET Identity provides similar functionality and is largely used in scenarios that
were previously appropriate for ACS.

Lesson 2: Azure AD Directories

Azure AD directories provide a logical way to group your users and applications.
This lesson introduces directories and details the different components and
integrations available for Azure AD.

Lesson objectives
After completing this lesson, you will be able to:

• Describe how users and third-party accounts can be added to a directory.

• Describe the integration of SaaS applications and Azure directories.

• Describe the Azure AD Graph API.

Managing Directories


Directories provide a simple and logical way to group related identities. A directory
can consist of the following three types of identities:

• Users synced from existing Active Directory installations (on-premises identities)

• Users added manually to the directory (cloud-only identities)

• Third-party accounts (third-party identities)

You can manage directories from a variety of locations. This list of locations is not
intended to be exhaustive. The various management experiences for Azure AD can
all be used together.

FIGURE 11.2: AZURE AD MANAGEMENT

Microsoft Intune Account Portal and Office 365 Admin Center
You can use an account portal to manage your Office 365 or Microsoft Intune
subscription and specify the users who can access its various services. From the
account portal, you can perform tasks such as manually adding user accounts and
security groups, setting up and managing service settings, checking service status,
and accessing online help. Users can also access these account portals, but only to
change their password or to access the various services for which they have been
assigned licenses.

Microsoft Azure Management Portal

You can use the Azure Management Portal to manage the services associated with
your Azure subscription. If you have an existing Azure subscription that is using your
Microsoft account, you can also use the Management Portal to manage your
directory. Most Azure subscriptions include a default Azure AD instance. When you
sign up for Azure as an organization, a directory tenant is automatically created for
you based on the value you provide in the Organization Name field during sign-up.

Windows PowerShell

You can use the Microsoft Azure Active Directory Module for Windows PowerShell
cmdlets to accomplish many Azure AD tenant-wide administrative tasks.
Administrative tasks, such as user management and domain management, and
configuring SSO can be automated by using Windows PowerShell scripts or by using
a service such as Azure Automation.

Integrating On-Premises Directories with Azure AD

If your organization has an on-premises directory service, you can integrate it with
your Azure AD directory. One of the primary benefits of setting up directory
integration capabilities such as directory sync or SSO is that after you've configured
the sync operation, all the cloud services that you have subscribed to in your Azure
AD tenant can utilize the data that is now provisioned and updated in your cloud
store. Various sync options are available including:

• Syncing identity from Active Directory to Azure AD

• Syncing identity and password hash from Active Directory to Azure AD

• Syncing identity and password hash from Active Directory to Azure AD and
enabling password writeback
Writeback is a feature that allows your existing Active Directory identity to be updated
when a change occurs in Azure AD. When you sync identity and password hash, it is
important to remember that you are creating two identities. Managing these identities
and their sync relationship is a key part of designing authentication schemes for
cloud applications.

Directory Users


You can directly create accounts in a directory for every user who accesses your
services. You can also manage the accounts or delete them when they are no longer
needed. By default, users do not have administrator permissions, but you can
optionally assign permissions to them. There are three types of users that you can
create by using the Management Portal:

• New user in your directory or organization

• User with an existing Microsoft account


• User in another Azure AD directory


You can create new users in the portal by providing the following details about the
user:

• First Name

• Last Name
• Display Name

• Alias

• Role

After you create a new user, a temporary password is generated. You can then send
this password to the user; deliver it out of band rather than through the mailbox the
user will sign in with, and keep the forced change enabled. On the first login, the
user will be prompted to change the temporary password.
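The user-creation workflow just described, and the tenant administration that the "Windows PowerShell" section above mentions, done from the Microsoft Azure Active Directory Module for Windows PowerShell (MSOnline). This is an added example, not code from the course; the tenant domain, user names and the role shown are placeholders (assumptions), and it expects you to have already run Connect-MsolService.

```powershell
# Added example (not from the course): the portal workflow above, done with the
# Azure Active Directory Module for Windows PowerShell (MSOnline).
# Requires:  Install-Module MSOnline ; Connect-MsolService   (interactive sign-in)
# The tenant domain, names and role below are placeholders (assumption).

$Domain = 'contoso.onmicrosoft.com'   # assumed tenant domain
$Upn    = "jdoe@$Domain"

# 1. Create the user. Without -Password, MSOnline generates a temporary password
#    and returns it in the Password property of the result; -ForceChangePassword
#    makes the first sign-in require a change, exactly as the portal does.
$newUser = New-MsolUser -UserPrincipalName $Upn `
                        -DisplayName 'Jane Doe' `
                        -FirstName 'Jane' -LastName 'Doe' `
                        -UsageLocation 'US' `
                        -ForceChangePassword $true

# Hand the temporary password to the user out of band (not via the mailbox they
# will sign in with); do not log it or leave it in transcript output.
$tempPassword = $newUser.Password

# 2. Assign a directory role only if the user genuinely needs it (least privilege).
#    A normal user gets no directory role at all, so this line stays commented.
# Add-MsolRoleMember -RoleName 'User Account Administrator' -RoleMemberEmailAddress $Upn

# 3. Read the account back and confirm its sign-in state and sync origin.
Get-MsolUser -UserPrincipalName $Upn |
    Select-Object DisplayName, UserPrincipalName, BlockCredential, LastDirSyncTime

# 4. Offboarding: block sign-in first (reversible), delete only after review.
Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true
# Remove-MsolUser -UserPrincipalName $Upn -Force

# 5. Audit: list every account that holds any directory role in the tenant.
Get-MsolRole | ForEach-Object {
    $role = $_
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object @{n = 'Role'; e = { $role.Name }}, EmailAddress, DisplayName
}
```

The same cmdlets can be placed in an Azure Automation runbook, as the text suggests; in that case store the service credential in the Automation account rather than in the script, and keep step 5 as a scheduled report so that role assignments are reviewed, not just granted.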
External Users

To an Azure AD directory, you can add users from another Azure AD directory or
users with Microsoft accounts. This enables the external users to collaborate with
users who already exist in your directory. This is useful for collaborating in an
environment with users who need to manage directory resources, such as
applications, without requiring those users to have an account and credentials in your
directory.

When you add a user from one directory into a new directory, that user is an external
user in the new directory. Initially, the display name and user name are copied from
the user's home directory and stamped onto the external user in the other directory.

From then on, the profile properties of the external user object are entirely
independent. If you make a change to the user in the home directory, such as
changing the user's name, adding a job title, and so on, those changes are not
propagated to the external user account in the other directory.
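Adding an external user from the command line, as an added example that is not part of the course material: this uses the AzureAD PowerShell module's B2B invitation cmdlet (the mechanism behind the "user in another Azure AD directory" option, presented as Azure AD B2B in Lesson 3) and then audits the guest objects it creates. The invitee address, display name and redirect URL are placeholders (assumptions), and Connect-AzureAD must have been run first.

```powershell
# Added example (not from the course): invite an external user with the
# AzureAD module's B2B invitation cmdlet, then audit guest accounts.
# Requires:  Install-Module AzureAD ; Connect-AzureAD
# The invitee address, display name and redirect URL are placeholders (assumption).

$invitation = New-AzureADMSInvitation `
    -InvitedUserEmailAddress 'partner.user@fabrikam.example' `
    -InvitedUserDisplayName  'Partner User' `
    -InviteRedirectUrl       'https://myapps.microsoft.com' `
    -SendInvitationMessage   $true

# The invitation creates a Guest user object in your directory immediately,
# before the invitee has redeemed it; its object id is in InvitedUser.Id.
$invitation | Select-Object Status, @{n = 'GuestObjectId'; e = { $_.InvitedUser.Id }}

# Audit: every guest object, whether the invite was ever redeemed, and when.
# Unredeemed or long-idle guests are candidates for removal.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, UserPrincipalName, UserState, UserStateChangedOn, CreationType
```

Note the asymmetry the text describes: after the guest object exists, changes to the person's profile in their home directory do not flow into your directory, so the DisplayName you see in the audit is whatever was stamped at invitation time.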

Applications in Azure AD


Enterprise developers and SaaS providers can develop commercial cloud services or
LOB applications that can be integrated with Azure AD to provide secure sign-in and
authorization for their services. Azure AD also includes an access panel for users
where they can discover what applications they can access. From this panel, they
can access their applications by using SSO. To integrate an application or a service
with Azure AD, a developer must first register the details about the application with
Azure AD by using the Management Portal. These steps are similar to the steps for
adding an SSO third-party application to your Azure AD instance.

Single Sign-On

Configuring SSO enables the users in your organization to be automatically signed in


to any third-party SaaS application using their Azure AD credentials. This
functionality provides users with the convenience of remembering a single password
and it also increases the organization's security by providing users with access to
only their applications. Azure AD can federate its identity to your custom application,
store the custom application's credentials, or integrate with a third-party SSO
provider.

User Provisioning

User provisioning enables automated user provisioning and deprovisioning of


accounts in third-party SaaS applications from within the Management Portal by
using your Windows Server Active Directory or Azure AD identity information. When
a user is given permissions in Azure AD for one of these applications, an account can
automatically be created (provisioned) in the target SaaS application. When a user is
deleted or his or her information changes in Azure AD, these changes are also
reflected in the SaaS application. User provisioning allows your application to
automate identity lifecycle management and enables administrators to control and
provide automated provisioning and de-provisioning of user accounts from SaaS
applications.

Access Panel

The access panel in Azure AD offers a single dashboard for your organization. Users
can access one or more applications that you manage from within the Azure AD
instance using a single sign-on experience directly from this panel. Users do not
require an Azure or Office 365 subscription to connect to the access panel.

Azure AD Graph

The Graph API provides programmatic access to Azure AD through REST API
endpoints. This API can be used to store and retrieve metadata about your users that
is not part of the typical user profile in Active Directory. The Azure AD Graph API
described here (graph.windows.net) has since been deprecated in favor of Microsoft
Graph (graph.microsoft.com), which exposes the same directory objects; new code
should target Microsoft Graph, but the operations below still describe what an
inherited application will be doing.

Create, Read, Update and Delete (CRUD) Operations

Applications use the Graph API to perform CRUD operations on directory objects in
your Azure AD instance. For example, you can use the Graph API to perform the
following operations on a user object:

• Create a new user in a specified directory.

• Get detailed properties for a user.

• Check group membership for a user.

• Update the extended properties (profile) of a user.

• Disable or delete a user account.
In addition to users, similar operations are supported for groups and applications in
Azure AD. To call the Graph API on a specific directory, you must register the
application with Azure AD and configure it to allow access to the directory.

Directory Extensions

Many applications require metadata and properties for each user that are not typically
stored in a standard Active Directory user profile. The Graph API allows you to
register and then use extended properties. For example, if you need to store and
then retrieve the Xbox Live ID for each user in a gaming social application, you must
first register the new property in the directory. Only after it has been registered can
you use this property in subsequent operations, because it is not a built-in attribute
of the user object.
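The CRUD operations listed in the previous section and the extension-property registration described here, carried out with Invoke-RestMethod against the Azure AD Graph endpoint. This is an added example, not code from the course. It assumes (placeholders) a tenant name, a registered application with a client secret that has been granted directory write permission on Azure AD Graph, a group object id and the application's object id; the secret is read from an environment variable rather than written into the script.

```powershell
# Added example (not from the course): Azure AD Graph (graph.windows.net,
# api-version=1.6) CRUD and directory-extension calls with Invoke-RestMethod.
# Assumptions (placeholders): tenant name; an app registration with a client
# secret granted Directory.ReadWrite.All on Azure AD Graph; a group object id;
# the application's *object* id. The secret comes from the environment.

$Tenant   = 'contoso.onmicrosoft.com'
$ClientId = '00000000-0000-0000-0000-000000000000'     # the app's Application ID
$Secret   = $env:AAD_CLIENT_SECRET                     # never hard-code it
$Graph    = "https://graph.windows.net/$Tenant"
$Api      = 'api-version=1.6'

# 1. App-only token via the OAuth 2.0 client-credentials grant (v1 endpoint).
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" `
    -Body @{ grant_type = 'client_credentials'; client_id = $ClientId
             client_secret = $Secret; resource = 'https://graph.windows.net' }
$Headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

function Invoke-Graph($Method, $Path, $Body) {
    # Helper: JSON-encode the body (if any) and call a Graph path with the token.
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 5 } else { $null }
    Invoke-RestMethod -Method $Method -Uri "$Graph/$($Path)?$Api" -Headers $Headers `
        -ContentType 'application/json' -Body $json
}

# 2. Create a user: temporary password, change forced at first sign-in.
$upn  = "jdoe@$Tenant"
$user = Invoke-Graph Post 'users' @{
    accountEnabled    = $true
    displayName       = 'Jane Doe'
    mailNickname      = 'jdoe'
    userPrincipalName = $upn
    passwordProfile   = @{ password = 'Temp-Passw0rd-Change-Me'     # placeholder
                           forceChangePasswordNextLogin = $true }
}

# 3. Read the user back, then ask the directory which of the given groups
#    the user belongs to (checkMemberGroups returns the matching ids in .value).
$fetched = Invoke-Graph Get "users/$upn"
$groupId = '11111111-1111-1111-1111-111111111111'                   # placeholder
$member  = Invoke-Graph Post "users/$upn/checkMemberGroups" @{ groupIds = @($groupId) }
$isMember = $member.value -contains $groupId

# 4. Register a directory extension on the application, then stamp it on the user.
#    The property name Azure AD returns has the form extension_<appId>_<name>,
#    and every later read or write must use that full name.
$appObjectId = '22222222-2222-2222-2222-222222222222'                # placeholder
$ext = Invoke-Graph Post "applications/$appObjectId/extensionProperties" @{
    name = 'xboxLiveId'; dataType = 'String'; targetObjects = @('User')
}
$patch = @{}
$patch[$ext.name] = 'JaneDoe42'
Invoke-Graph Patch "users/$upn" $patch
$xboxId = (Invoke-Graph Get "users/$upn").($ext.name)

# 5. Disable the account (reversible) rather than deleting it straight away.
Invoke-Graph Patch "users/$upn" @{ accountEnabled = $false }
# Invoke-Graph Delete "users/$upn"
```

Two points worth checking in an inherited application: the token request names the resource (graph.windows.net), so a token minted for Microsoft Graph will be rejected here and vice versa; and extension values are stored on the user object itself, so anything written in step 4 is readable by every caller with user read permission, which makes extensions the wrong place for secrets.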

Lesson 3: Azure AD Offerings


Multi-Factor Authentication is a feature in Azure AD that you can use to provide an


additional layer of authentication to your existing directory accounts. This second
factor could be a phone call, a code from a mobile app, or a custom application.
Azure AD B2B and B2C are services in Azure AD that can extend the reach of your
directory to include partner businesses and customers.

This lesson will introduce and dive into various offerings in Azure AD.

Lesson objectives

After completing this lesson, you will be able to:
• Detail the differences between Azure AD B2B and B2C.

• Describe multi-factor authentication in Azure AD.

• List the multi-factor authentication providers that are available for Azure AD.

Azure AD B2B
Azure AD business-to-business (B2B) collaboration capabilities enable any
organization using Azure AD to work safely and securely with users from any other
organization, small or large. Those organizations can be with or without Azure AD, and
with or without an IT organization of their own.

Organizations using Azure AD can provide access to documents, resources, and
applications to their partners, while maintaining complete control over their own
corporate data. Developers can use the Azure AD business-to-business APIs to write
applications that bring two organizations together more securely.

Azure
Th
i
AD B2C Th
is
sd do
oc cu
um me
en nt
as tb as be
ho elo ho lon
N kt n N kt
https://skillpipe.com/#/reader/book/63339aa8-3526-4d88-8838-1654479abfd3 19/30
5/28/2019 Bookshelf

Th Th Th
is is is
do do do
cu cu cu
me m en me
as n tb as tb as nt
ho elo ho elo h be
ktr ng ktr ng ok lon
No ipa st No ipa st No trip gs
un thy oA un thy oA un ath to
au 89 sh au 89 sh au y8 As
tho @ ok tho @ o tho 9@ ho
riz gm Tri riz gm kT riz gm kT
ed ail pa ed ail rip ed ail rip
co .co thy co .co ath co .co ath
p ies m . p ies m y. pie m y.
all all sa
ow ow llo
ed ed w ed
! ! !

Azure AD B2C is a cloud identity management solution for your web and mobile
applications. It is a highly available global service that scales to hundreds of millions
of identities. Built on an enterprise-grade secure platform, Azure AD B2C keeps your
applications, your business, and your customers protected.

With minimal configuration, Azure AD B2C enables your application to authenticate:

• Social Accounts (such as Facebook, Google, LinkedIn, and more)

• Enterprise Accounts (using open standard protocols, OpenID Connect or SAML)

• Local Accounts (email address and password, or username and password)
Policies

The extensible policy framework of Azure Active Directory (Azure AD) B2C is the
core strength of the service. Policies fully describe consumer identity experiences
such as sign-up, sign-in, or profile editing. For instance, a sign-up policy allows you to
control behaviors by configuring the following settings:

• Account types (social accounts such as Facebook or local accounts such as email
addresses) that consumers can use to sign up for the application

• Attributes (for example, first name, postal code, and shoe size) to be collected
from the consumer during sign-up
• Use of Azure Multi-Factor Authentication

• The look and feel of all sign-up pages

• Information (which manifests as claims in a token) that the application receives
when the policy run finishes

You can create multiple policies of different types in your tenant and use them in your
applications as needed. Policies can be reused across applications. This flexibility
enables developers to define and modify consumer identity experiences with minimal
or no changes to their code.

Policies are available for use via a simple developer interface. Your application
triggers a policy by using a standard HTTP authentication request (passing a policy
parameter in the request) and receives a customized token as response. Because the
policy name travels in the request, the application should check that the token it
receives was issued by the policy it asked for before it trusts the claims.
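The request and response described above, as an added example that is not code from the course manual: the policy is triggered by putting its name in the `p` parameter of a standard OpenID Connect authorize request, and the id_token that comes back is checked against the policy, application, nonce and validity window before its claims are used. It assumes a tenant named contoso on the b2clogin.com host, an id_token response, and a constructed token payload for the offline demonstration. A real B2C token is RS256-signed; signature verification against the policy's JWKS must happen before `decode_claims()` output is used and is left to the caller's JWT library because it needs network access.

```python
"""Added example, not from the course manual: build the B2C authorize request
with the policy parameter and validate the returned token's claims.
Tenant name, host and the sample token are constructed assumptions."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode

TENANT = "contoso"  # assumption
AUTHORITY = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/oauth2/v2.0"


def authorize_url(policy: str, client_id: str, redirect_uri: str,
                  state: str = None, nonce: str = None):
    """Build the authorize request. `state` ties the response to this browser
    session; `nonce` is echoed in the token to stop token replay."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "p": policy,  # which B2C policy runs (sign-up, sign-in, profile edit, ...)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "id_token",
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}", state, nonce


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(id_token: str) -> dict:
    """Payload of a compact JWS. Does NOT verify the signature; do that first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, policy: str, client_id: str, nonce: str,
                    now: float = None) -> dict:
    """Reject a token unless it is for this app, from the requested policy,
    bound to our nonce, and inside its validity window."""
    now = time.time() if now is None else now
    if not str(claims.get("iss", "")).startswith(f"https://{TENANT}.b2clogin.com/"):
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token is for a different application")
    # B2C names the policy in the tfp claim (older policies emit acr instead).
    if (claims.get("tfp") or claims.get("acr")) != policy:
        raise ValueError("token was issued by a different policy")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token is not currently valid")
    return claims


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.unsigned"


if __name__ == "__main__":
    url, state, nonce = authorize_url("B2C_1_signup_signin", "app-client-id",
                                      "https://app.example/auth")
    print(url)
    token = make_sample_id_token({
        "iss": f"https://{TENANT}.b2clogin.com/tenant-guid/v2.0/",
        "aud": "app-client-id", "tfp": "B2C_1_signup_signin",
        "nonce": nonce, "nbf": 0, "exp": 2 ** 40, "sub": "user-1"})
    print(validate_claims(decode_claims(token), "B2C_1_signup_signin",
                          "app-client-id", nonce)["sub"])
```

The policy check matters because every policy in the tenant issues tokens for the same application: without it, a token from a profile-editing policy (which may have skipped multi-factor authentication) would be accepted where a sign-in token was expected.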
Multi-Factor Authentication

Multi-factor authentication is an additional layer of security that can protect
applications from unauthorized access if a user's credentials are compromised. The
end user simply provides additional means of authentication that can include
things such as a phone, RSA key, or custom device. Multi-factor authentication is
usually defined by having the user provide two things:

• Something you know: password

• Something you have: trusted device (phone, smartwatch, and so on)

Multi-factor authentication's strength is in its multiple layer approach. If a user's
credentials are compromised, a malicious user would still require a trusted device
that is assigned to the same user to compromise the application or its data. Typically
if a user loses a trusted device, they report it immediately and the device can be
de-authorized.

Out of the box, Azure AD uses passwords as the default credential for user access.
Multi-Factor Authentication is a service in Azure AD that implements the previously
mentioned multi-factor authentication pattern. You can use multi-factor authentication
with either Azure AD or an on-premises directory. The second form of authentication
can be a smartphone, a phone number that supports calls or text messages, or a
custom application. When using the Multi-Factor Authentication service with Azure
AD, administrators can enable multi-factor authentication specifically for each
individual user. The Multi-Factor Authentication service supports up to three phone
numbers that are authorized for use as a second form of authentication. The user can
also opt to use the multi-factor authentication mobile apps that support both push
notifications and one-time pass codes as authentication options.

Multi-Factor Authentication can be enabled for cloud or on-premises applications.
FIGURE 11.3: AZURE MFA

Reference Links: https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server
A software development kit (SDK) is available to integrate your custom applications
with Azure AD Multi-Factor Authentication. The SDK allows you to use the
Multi-Factor Authentication phone call or text message verification options as part of
your custom application's sign-in process. This is useful if you are building a custom
application that does not redirect to Azure AD's sign-in page and instead has a
built-in logon form. Microsoft has announced the retirement of this SDK, so check the
reference link for its current status before building new sign-in flows on it.

Reference Links: https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-sdk

Multi-Factor Authentication Providers
You can use the Multi-Factor Authentication (MFA) service in conjunction with
Windows Server Active Directory Domain Services (AD DS) or Azure AD to help
secure both cloud and on-premises applications. Users in your organization have
many different options available for their second form of authentication with your
application when signing in using Azure AD. As an administrator, you can control
which options are available to end users.

Multi-Factor Authentication Apps

Apps are already available in the individual app stores for Windows Phone, Android,
and iOS to integrate with Azure AD Multi-Factor Authentication. Users download
these apps and activate them by using a setup code. When the user signs in to your
applications, a notification is pushed to the app on their mobile device. The user can
then immediately approve or deny the authentication. Azure AD Multi-Factor
Authentication also uses an open standard for authentication (the OATH time-based
one-time password algorithm, TOTP, RFC 6238) and can be used with a variety of
third-party multi-factor authentication applications. These applications generate a
one-time use pass code that the user must enter after they attempt to log on. This
behavior is similar to an RSA-key device.
Automated Phone Calls and Text Messages

Users have the option to have an automatic phone call or text message placed to
their authorized mobile device. For the phone call, the user only has to answer the
call and press the pound (#) key on his or her phone to complete the sign-in process.
For the text messages, users are sent a one-time use pass code that they must enter
after they attempt to log on. These phone-based options are the most convenient but
also the weakest second factor listed here: they depend on the carrier network and
are exposed to SIM-swap and call-forwarding attacks, so prefer the app-based push
or pass code options for users who can use them.
Lesson 4: Azure Key Vault

Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud
applications and services. By using Key Vault, you can encrypt keys and secrets
(such as authentication keys, storage account keys, data encryption keys, .PFX files,
and passwords) using keys protected by hardware security modules (HSMs).
This lesson introduces the Azure Key Vault service and describes how to store
secrets in the service.

Lesson objectives

After completing this lesson, you will be able to:

• Describe the Azure Key Vault service.

• Use PowerShell to manage keys in Azure Key Vault.
Azure Key Vault

Every day, more and more applications are created and deployed in the cloud. All
those applications need to store application secrets, keys, passwords and/or other
secrets in a safe place. Azure Key Vault is the service that keeps these secrets away
from unauthorized access. This service allows you to store:

• Application secrets

• Authentication keys

• Storage Account keys

• SSL certificates - *.pfx files

• Passwords
The Azure Key Vault service is a state of the art service for securing your secrets
that also delivers high performance. Microsoft's SLA for Key Vault is that it processes
transactions within 5 seconds at least 99.9% of the time.

Utilization

Using the Azure Key Vault service, your development team can use cryptographic
keys, certificates, passwords and other application secrets without needing direct
access to the key material. The Key Vault service allows a client application or service
to access data using a URI without storing the data locally on their side. This will
improve the security of your application. The general steps will be:

1. Developers access keys for development and other environments via URI

2. Administrators change production keys

3. Later, administrators can remove permissions to keys.

Note: Using Azure Key Vault, your developer team will never have access to the
production keys, but their applications will be able to access the resources they need.
Be precise about what "never have access" covers: the material of an HSM-protected
key never leaves the vault (callers ask the vault to sign, wrap or decrypt), whereas a
secret's value is returned to any caller that holds the get permission on it, so that
permission should be granted only to the application identity that needs it.
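Reading a secret by its URI, as an added example that is not code from the course manual: this is the access pattern the Utilization section describes, with the checks an application should make before it trusts a URI it was handed (for example from configuration). It assumes the public-cloud DNS suffix .vault.azure.net, the REST form GET https://<vault>.vault.azure.net/secrets/<name>/<version>?api-version=7.0 with an Azure AD bearer token, and a fake responder used in place of the network so the example runs offline. Creating the vault and granting the application the get permission on secrets is done with PowerShell or the portal, as the lesson objectives say, and is not shown here.

```python
"""Added example, not from the course manual: resolve a Key Vault secret by URI
with host and path validation. DNS suffix, API version and the fake vault
responder are constructed assumptions."""
import io
import json
import re
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

VAULT_SUFFIX = ".vault.azure.net"  # assumption: Azure public cloud
API_VERSION = "7.0"                # assumption: REST API version to call
_VAULT_NAME = re.compile(r"[a-z0-9-]{3,24}")     # loose form of the naming rules
_OBJECT_NAME = re.compile(r"[A-Za-z0-9-]{1,127}")
_VERSION = re.compile(r"[0-9a-f]{32}")


@dataclass(frozen=True)
class SecretId:
    vault: str
    name: str
    version: str = None  # None means "current version"


def parse_secret_id(uri: str) -> SecretId:
    """Accept only https URIs that point at a Key Vault secret. Rejecting
    anything else stops a tampered setting from sending the application's
    bearer token to an attacker-controlled host."""
    parts = urlsplit(uri)
    host = parts.hostname or ""  # lower-cased, port stripped
    if parts.scheme != "https":
        raise ValueError("Key Vault URIs must use https")
    if not host.endswith(VAULT_SUFFIX):
        raise ValueError("host is not a Key Vault endpoint")
    vault = host[: -len(VAULT_SUFFIX)]
    if not _VAULT_NAME.fullmatch(vault):
        raise ValueError("invalid vault name")
    segments = parts.path.strip("/").split("/")
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError("URI does not identify a secret")
    name = segments[1]
    version = segments[2] if len(segments) == 3 else None
    if not _OBJECT_NAME.fullmatch(name):
        raise ValueError("invalid secret name")
    if version is not None and not _VERSION.fullmatch(version):
        raise ValueError("invalid secret version")
    return SecretId(vault, name, version)


def secret_request(sid: SecretId, token: str) -> urllib.request.Request:
    """The GET that fetches the value; the URL is rebuilt from the validated
    parts rather than reusing the caller's string."""
    path = f"/secrets/{sid.name}" + (f"/{sid.version}" if sid.version else "")
    url = f"https://{sid.vault}{VAULT_SUFFIX}{path}?api-version={API_VERSION}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                                "Accept": "application/json"})


def get_secret(uri: str, token: str, opener=urllib.request.urlopen):
    """Resolve a secret URI to (value, versioned id). The id in the response
    tells you exactly which version you received when the URI named none."""
    sid = parse_secret_id(uri)
    with opener(secret_request(sid, token)) as resp:
        body = json.load(resp)
    return body["value"], body["id"]


def fake_vault(req: urllib.request.Request):
    """Constructed stand-in for the network that answers like Key Vault would."""
    if req.get_header("Authorization") != "Bearer demo-token":
        raise PermissionError("401 from vault")
    versioned = req.full_url.split("?")[0]
    if versioned.count("/") == 4:  # no version segment: pretend it is the current one
        versioned += "/4387e9f3d6e14c459867679a90fd0f79"
    payload = json.dumps({"value": "s3cr3t-db-password", "id": versioned}).encode()
    return io.BytesIO(payload)


if __name__ == "__main__":
    print(get_secret("https://contoso-kv.vault.azure.net/secrets/DbPassword",
                     "demo-token", opener=fake_vault))
```

In production the opener is the default `urllib.request.urlopen` and the token comes from Azure AD for the application's own identity; the value is used in memory and not written to disk or logs, which is the point of referencing it by URI in the first place.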

Lab: Integrating Azure Active Directory with the Events


Administration Portal
Th Th
is is
do do
Scenario
cu
me
cu
me
as nt as nt
ho be ho be
kt lon kt lon
N N
https://skillpipe.com/#/reader/book/63339aa8-3526-4d88-8838-1654479abfd3 27/30
5/28/2019 Bookshelf

Even though the Contoso Events web application is public, the Administration
application should be locked down to users only from your domain. You have decided
to use Azure AD and ASP.NET identity to provide this functionality. In this lab, you will
create a new ASP.NET project by using the ASP.NET identity framework and
integrate the project with Azure AD. The website will then use your organization
accounts for signing in.
Objectives

After you complete this lab, you will be able to:

• Create an Azure AD directory by using the Management Portal.

• Create users in Azure AD by using the Management Portal.

• Create a new MVC project that uses Azure AD organizational accounts for
security.
Lab setup

Estimated Time: 60 minutes

The lab steps for this course change frequently due to updates to Microsoft Azure.
Microsoft Learning updates the lab steps frequently, so they are not available in this
manual. Your instructor will provide you with the lab documentation.

Exercise 1: Create an Azure AD Directory
Exercise 2: Secure an Existing ASP.NET Web Application

Exercise 3: Integrate Azure AD with ASP.NET Identity

Review Question(s)

Check Your Knowledge

Discovery

What other identity providers could you use with ASP.NET Identity?
Module review and takeaways

In this module, Azure AD is presented as a solution for identity management in many
different scenarios. With the ACS offering, the third-party SaaS integration, and
Multi-Factor Authentication, Azure AD provides unique services that you can use to
improve your existing on-premises identity solution.

Note: The ASP.NET Identity framework is a newer way of securing web
applications, and it has certain advantages over Membership and Forms
Authentication.

Review Question(s)

Check Your Knowledge
Discovery
When you use Azure AD ACS, why should you remap the claims from each identity
provider?