Summary

Tailwind Traders needs to ensure that only its workforce can access its growing set of cloud applications, both from any location and from any device.

In building out its plan, Tailwind Traders learns that:

  • Authentication (AuthN) establishes the user’s identity.
  • Authorization (AuthZ) establishes the level of access that an authenticated user has.
  • Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources and applications.
  • Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables an organization to control access to apps and resources based on its business requirements.
  • Azure AD Multi-Factor Authentication (MFA) provides additional security for identities by requiring two or more elements to fully authenticate. In general, multifactor authentication can include something the user knows, something the user has, and something the user is.
  • Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals such as the user’s location.

With these ideas in place, the software development and IT administrator teams can begin to replace their existing authentication systems with ones that use multiple factors and allow access to multiple applications.
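To make the Conditional Access and MFA bullets above concrete, here is an added example (not part of the module) that models how several policies combine at sign-in: any matching policy that blocks wins, and otherwise every grant control of every matching policy must be satisfied. The policy names, groups, apps and locations are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    """Identity signals seen at sign-in time (constructed sample values)."""
    user: str
    groups: frozenset
    app: str
    location: str            # named location such as "HQ", or "unknown"
    device_compliant: bool
    mfa_completed: bool

@dataclass(frozen=True)
class Policy:
    """Simplified Conditional Access policy: conditions plus grant controls."""
    name: str
    apps: frozenset = frozenset()               # empty means all cloud apps
    groups: frozenset = frozenset()             # empty means all users
    excluded_locations: frozenset = frozenset() # policy skipped from these
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False

    def applies(self, s: SignIn) -> bool:
        if self.apps and s.app not in self.apps:
            return False
        if self.groups and not (s.groups & self.groups):
            return False
        return s.location not in self.excluded_locations

def evaluate(policies, s: SignIn):
    """Return (decision, policy_name). Block in any matching policy wins;
    a grant control that cannot be satisfied (device not compliant) blocks;
    an unsatisfied MFA control asks for the second factor; else allow."""
    matched = [p for p in policies if p.applies(s)]
    for p in matched:
        if p.block:
            return "block", p.name
    for p in matched:
        if p.require_compliant_device and not s.device_compliant:
            return "block", p.name
    for p in matched:
        if p.require_mfa and not s.mfa_completed:
            return "mfa_required", p.name
    return "allow", None

# Constructed sample policy set for a Tailwind Traders-style tenant.
POLICIES = [
    Policy("Require MFA for admins", groups=frozenset({"admins"}), require_mfa=True),
    Policy("Require MFA outside HQ", excluded_locations=frozenset({"HQ"}), require_mfa=True),
    Policy("Block contractors from finance", apps=frozenset({"finance"}),
           groups=frozenset({"contractors"}), block=True),
    Policy("Compliant device for finance", apps=frozenset({"finance"}),
           require_compliant_device=True),
]
```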

Learn more

Here are more resources to help you go further:

  • Compare Active Directory to Azure Active Directory docs
  • Azure Active Directory
  • What is single sign-on (SSO)? docs
  • Azure Active Directory Seamless Single Sign-On
  • What is Azure AD Connect? docs
  • Azure AD Multi-Factor Authentication docs
  • Azure AD Conditional Access entrypoint
  • Microsoft identity platform and OpenID Connect protocol docs
  • Single Sign-On SAML protocol docs

Misc SSO

  • Directory sync: only user names are synced from on-premises AD to Azure AD.
  • Password hash sync: securely syncs hashes of the passwords to the cloud.
  • In both cases above, authentication happens in the cloud.
  • If on-premises authentication is needed, AD FS is required.
  • Pass-through authentication needs an agent on the intranet plus Azure AD Connect; zero management, auto-update, and no additional infrastructure. It uses a public key and outbound HTTPS.
  • A bridge between on-premises AD and Azure AD; JavaScript is used to obtain the Kerberos ticket.
  • Azure AD Connect configuration: choose pass-through authentication and enable SSO, disable password hash sync (wizard), disable federation (blade).
  • Group Policy: edit the Site to Zone Assignment List.
