Mastering Identity and Access Management with Microsoft Azure - Second Edition

By : Jochen Nickel
Overview of this book

Microsoft Azure and its identity and access management capabilities are at the heart of Microsoft's software-as-a-service products, including Office 365, Dynamics CRM, and Enterprise Mobility Management. It is crucial to master Microsoft Azure in order to work with the Microsoft Cloud effectively. You'll begin by identifying the benefits of Microsoft Azure in the field of identity and access management. Working through the functionality of identity and access management as a service, you will get a full overview of the Microsoft strategy. Understanding identity synchronization will help you provide a well-managed identity. Project scenarios and examples will enable you to understand, troubleshoot, and develop on essential authentication protocols and publishing scenarios. Finally, you will acquire a thorough understanding of Microsoft information protection technologies.
Preface

Mastering Identity and Access Management with Microsoft Azure is a crisp and practical, hands-on guide containing project scenarios and illustrations tailored to genuine hybrid and cloud-only challenges. Developers, security specialists, IT consultants, and architects are the audience for this book. With it, you get a complete companion for solving key topics in the field of identity and access management across all related Microsoft technologies, with crisp, clear, practice-oriented content that helps you put the theory into practice. The book delves into the Microsoft 365 Security and Compliance plans and other Azure services related to identity and access management topics.

The book is divided into three parts. In the first part, crucial identity management topics are covered, such as identity synchronization as a whole, including monitoring and protection topics, in a cloud-only and hybrid world. The second part provides all the essentials and in-depth knowledge pertaining to the different authentication methods you can use and how you can securely publish and expose your applications with on-premises technologies and the Azure AD feature set. The final part of the book focuses entirely on the Microsoft information protection technologies. Another highlight is the more than 40 playbooks you receive to support the learning process through practical tips. With this great resource, you get an information package that also covers the functionality of Windows 10 and Windows Server 2016/2019.

How does this edition differ from the first edition of the book, and why a second edition with more than 85% new content?

First of all, many thanks to all the readers and the valuable feedback I received. I was happy to listen!

Since writing the first edition of the book back in 2016, many features have been completely updated, added, changed, or even removed. The Microsoft Azure world is changing very rapidly, from a pure infrastructure to an object- and service-oriented environment. For this reason, it is necessary to include a variety of development aspects in the book. Some functions are currently moving entirely to the cloud.

However, no overall solution for sustainable identity and access management in a hybrid cloud environment is currently available that fulfills all the different aspects. For this reason, the basics of the individual services must be developed to ensure a better shift of the functions.

Another important reason for me to write an updated edition was that I heard from readers and workshop attendees that they require more technical guidance and less information on the decision-maker side. This brought me to an approach whereby I provide more than 40 hands-on guides in the book, where you can test all the related information in a practical and guided manner. Furthermore, our workshop attendees and customers found it very hard to find qualified, working lab examples in a compressed form that saves time and effort.

Many of you and our attendees loved the structure of the three scenarios in the first book. Frequently, however, I received requests to provide the theory and practical guidance in technology- or topic-based flows, so that it is easier to follow if you are only interested in specific topics, or if you want to use the book as a living reference.

At the time of writing the first book, the Azure Information Protection technology was not available in the complete form that it is available in today. Since this technology is now mature and an integral aspect of access management, in my view, additional chapters for this topic are an absolute necessity.

Windows Server 2019 is also available to use, so I updated the book to work with the new server version, with a primary focus on hybrid cloud scenarios.

Who this book is for

This book is designed for cybersecurity specialists, system and security engineers, developers, and IT consultants/architects who wish to plan, design, and implement identity and access management solutions with the help of Microsoft Azure technology.

What this book covers

Chapter 1, Building and Managing Azure Active Directory, explains how to configure a suitable Azure AD tenant for a cloud-only approach. You will also learn how to configure and manage users, groups, roles, and administrative units to provide a user and group-based application and self-service access, including the related audit functionality.

Chapter 2, Understanding Identity Synchronization, explains the most important identity synchronization scenarios and tools for successful implementation of a complete hybrid identity life cycle management. We will run through the different processes, the Active Directory user account cleanup for a hybrid environment, and all the crucial identity synchronization aspects and steps in Azure Active Directory Connect.

Chapter 3, Exploring Advanced Synchronization Concepts, teaches you the advanced synchronization concepts. In particular, we will look into the synchronization rules and the declarative provisioning and expressions concept and use them directly in real-world examples.

Chapter 4, Monitoring Your Identity Bridge, explains the various monitoring capabilities for the identity bridge that is constructed by Azure AD Connect, the Active Directory itself and, if used, the Active Directory Federation Services (ADFS) and the Web Application Proxy. We'll investigate the Azure AD monitoring and logging functionality, the Azure AD Health Service, and the Azure Security Center.

Chapter 5, Configuring and Managing Identity Protection, demonstrates how to protect your identities against today's attacks. We will work through the different cloud services that can help you protect your environment so that you can plan and implement the features for your requirements.

Chapter 6, Managing Authentication Protocols, teaches you the basic authentication protocols you need to know for handling ADFS and Azure AD integrations. Additionally, you will benefit from a vast array of validated and recommended material to facilitate a deep dive into every critical authentication and authorization protocol.

Chapter 7, Deploying Solutions on Azure AD and ADFS, explains how to configure Azure AD and ADFS to handle your application requirements. You will install the services and the authentication platform to gather all the knowledge required to succeed in this field of technology.

Chapter 8, Using the Azure AD App Proxy and the Web Application Proxy, covers the publishing of applications through the Azure AD Application Proxy and the Windows Server Web Application Proxy. We will configure a number of applications, including the first conditional access scenarios.

Chapter 9, Deploying Additional Applications on Azure AD, explains the concept of single- and multi-tenant applications and the differences between the two. Furthermore, you will configure the two types of application, including the transition process from single- to multi-tenant.

Chapter 10, Exploring Azure AD Identity Services, explains the different Azure AD identity services and ADFS as an on-premises identity service. We will look at the Azure AD B2B and B2C functionality and explain the main concepts regarding these technologies.

Chapter 11, Creating Identity Life Cycle Management on Azure, covers different identity life cycle scenarios. With a strong focus on a complete Azure AD B2B management, we will provide you with all the requisite information and configuration tasks to offer comfortable and secure application access to your users.

Chapter 12, Creating a New Security Culture, explains why organizations need to build a strong security culture to provide a suitable information protection solution. You will get a clear and crisp overview to understand the three key factors and the four main pillars of a strong security culture.

Chapter 13, Identifying and Detecting Sensitive Data, teaches you why identifying and detecting sensitive data is a critical process inside an information protection solution. You will work through all the related technologies and configure a number of solutions.

Chapter 14, Understanding Encryption Key Management Strategies, explains how to use the three crucial, and different, deployment models and the role played by the Azure Key Vault service. Furthermore, you will learn how the Azure Rights Management Services use the various keys in client applications.

Chapter 15, Configuring Azure Information Protection Solutions, shows you how to start an Azure information protection project and provides you with best practices and configuration tips for successful implementation.

Chapter 16, Azure Information Protection Development Overview, provides you with a solid foundation for using the Microsoft Information Protection developer resources to gather more in-depth knowledge for handling this service in terms of troubleshooting or developing your own extensions.

To get the most out of this book

To use the book efficiently, you should have some understanding of security solutions, Active Directory, access privileges/rights, and authentication methods. Programming knowledge is not required but will be helpful for using PowerShell or working with APIs to customize your solutions. Working through the first edition of the book is not a requirement for following the chapters in this book.

Throughout the book, we will work entirely on the Azure platform itself. The only requirement is to have an internet connection and a Microsoft or Apple client computer. The labs can be undertaken free of charge for the duration of the several trial versions we use. We highly recommend that you shut down your virtual machines on Azure when you are not using them, so that the trial runtime lasts for working through the practical guidance. In Chapter 7, Deploying Solutions on Azure AD and ADFS, we will provide you with the architecture overview, including all the requisite information for sizing and the different products we use and reference in the chapters. We also provide guidance on creating public certificates with Let's Encrypt. One small cost requirement exists: if you want to run all the different labs, you need to have three public DNS domains registered, including access to the related public DNS. Bear in mind that this lab is for studying and testing functionality and is not a representation of a production environment. Follow the instructions in the chapters to arrange the correct resources. All the scripts and demo files are included in the example code files, which you can download from the web page given in the Download the example code files section.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads & Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Identity-and-Access-Management-with-Microsoft-Azure.Second-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781789132304_ColorImages.pdf

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Open your Visual Studio and the solution file from the code package named WebApp-RoleClaims-DotNet.sln."

A block of code is set as follows:

$ServicePrincipalName="RMSPowerShell"
Connect-AadrmService
$bposTenantID=(Get-AadrmConfiguration).BPOSId
Disconnect-AadrmService
Connect-MsolService
New-MsolServicePrincipal -DisplayName $ServicePrincipalName

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

$cred = Get-Credential
Install-AIPScanner -SqlServerInstance YD1APP01 -ServiceUserCredentials $cred

Any command-line input or output is written as follows:

$ImportFile = Import-csv "$dirpath\ADUsers.csv"
$TotalImports = $importFile.Count

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on Add New Rule and select Inbound."

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report it to us. Please visit www.packt.com/submit-errata, select your book, click on the Errata Submission Form link, and enter the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.