I'm not following the normal module order from the learning objectives for a fairly simple reason. I'm trying to follow it more in the manner which an Enterprise Organisation would (should?) implement their migration from on-premises infrastructure to the cloud.

Managing Azure Identities

A critical part of moving to the cloud is to ensure that security and identity management is appropriately taken care of. As part of that, we'll look at managing identity in the shift to the cloud.

Versions

Free

• Directory as a Service
• Self service password change
• Single Sign on
• Basic reports and user/group/device provisioning and registration

Basic (adds)

• Group based access management
• Self service password reset for cloud users
• Company branding
• App proxy
• SLA

Premium (adds)

• Self service functionality (groups, dynamic groups, app management, applications)
• Self service password reset with on-premises write back
• Advanced reporting
• Cloud/On-premises MFA
• Automated password rollover
• Connect health
• Advanced usage reports

Premium 2 (adds)

• Identity protection
• Privileged identity management
  Special note - you can have only P2, only P1, or both

Integrating Azure Active Directory (AAD)

1. Synchronization
   • Synchronize user and password
2. Federation
   • Synchronize user
   • Requires a Federation Server
   • Authentication is passed back to the on-premises server. More seamless. Enables MFA
3. Passthrough authentication
   • Passwords are stored on the server
   • Requires AD Connect and agents which listen to a queue. No inbound requests

So we link Azure Active Directory with our on-premises directory, and we have an extended identity platform into the Azure cloud. Given identity is crucial to ongoing business as usual, monitoring tools exist.

Monitoring Azure AD

• Health reports available from agents within the Portal
• Anomoly Reports
• Integrated Application reports
• Error Reports
• User specific reports
• Activity Logs
• Enterprise Applications
• Users/Groups
• Audit logs

Azure Active Directory Business to Consumer (AAD B2C)

• Requires a separate tenant.
  • One tenant holds the infrastructure and internal identity
  • One tenant holds the consumer identity
• Allows consumer access using
  • Microsoft account
  • Google account
  • LinkedIn
  • Amazon

Note: Need to understand what fields need to be filled in to set up external authentication provider

Azure Active Directory Business to Busines (AAD B2B)

• Allows a user to authenticate from a trusted exteernal source, whilst the organisation controls authorization of access to assets
• Understand a viral tenant
• Understand bulk import

Azure Active Directory Domain Services

• Provides an alternative to standing up replicated Domain Controllers as IaaS services.
• No schema extensions
• No trusts
• No LDAP write
• No geo-distributed deployments
  Note: Understand the difference between an AAD device join (prefer end user devices) and an AAD-DS device join (prefer server devices)

Finally : Understand the differences between Active Directory and Azure Active Directory