Hybrid identities

Start course


This course covers the Secure Resources part of the 70-534 exam, which is worth 20-25% of the exam. The intent of the course is to help fill in an knowledge gaps that you might have, and help to prepare you for the exam.


Welcome back. In this lesson, we'll be talking about hybrid identity management and identity providers.

It would be also for developers and for solutions architects to have one source for identity management and that's it. And if it could just be Azure AD, then it would be a cloud native method, and it would make new development much easier. However, we live in the real world and that's unlikely. So, we need to handle hybrid identity approaches and manage those identities.

So, in this lesson we'll be talking about synchronizing our on-prem AD with Azure AD, and we'll talk about federated identity. Let's start out with syncing on-prem with Azure AD.

So, let's talk about Azure AD Connect. Azure AD Connect is the new way to sync on-prem and Azure AD. Let's check out how to actually use it. We're going to create a new AD user here.

We'll add Martha Jones, so we need to fill out this form. Great, now it just wants a password. And then we'll confirm the password. There we go. I'm not gonna make Martha reset the password on next login mostly because she's not real. So we'll click finish, and there we go. Okay, we have a local user for our on-prem active directory.

Now, let's check our Azure AD. I want to show you that the only user here are accounts that are mine, the original Microsoft account that I used to set up this Azure account. And then we have this other one, which is the user I added earlier in the course.

So, let's download and install Azure AD Connect. And it's downloading now, so it's just gonna take a second. And now that we are done, we can run the executable. We have two options here. We have the express settings, which in this case will be perfect.

It's gonna work out just right. And we have the custom option. The express as it says on the installer, is for cases where you have a single forest. I'm gonna show you what options exist on a customized before we jump back to express.

Customize allows us to do things like use an existing SQL database, or existing service accounts. So, if you need the flexibility it's there; however, in this case, let's just go back to express. So first we need to use the Azure credentials. Okay, let's fill that...perfect.

This is that user that I created earlier in the course if you remember. And next it wants our on-prem AD user. So let's fill that out. And click next. Okay, at this point, the connect process is upset at me. I'm using a fake domain from my on-prem AD, and it doesn't match what's in Azure AD.

This shouldn't be the case for you, so you shouldn't be seeing this message. However, I'm going to ignore it, since for this demo, it really doesn't matter. And so, let's jump forward to the end of the process. This is going to take a moment so, I'm not going to make you watch all of that.

Alright, welcome back. Now, if we reload the page for our Azure AD, you can see that we have Martha Jones. And now we can drill into the record and see the details.

The default time to sync is something like every 30 minutes; however, it is configurable. If you have the sync engine installed, then you can run the get, dash, AD sync scheduler powershell command to fetch information about it, such as the sync interval.

And then, if you want to, you can change that with the set, dash, AD sync scheduler command and you can adjust several of the parameters there. Okay, let's talk about some of the exam objectives that are related to federated identity.

The first is ACS, which stands for access control service. ACS was a way to handle federated identity and Azure; however, it has been deprecated, and its functionality is now part of Azure Active Directory. AD FS stands for active directory federation services. And it allows you to use your on-prem AD as an identity provider.

So you'd be able to continue to use your on-prem AD and it would serve as the source of truth for user identity. While ACS is deprecated, AD FS is alive and well. It can be used with Azure Ad Connect to serve as the same identity provider that it did with ACS.

And that would allow for things such as better password policies, or the ability to enforce scheduled login times and things like this. Though, there's also more setup and maintenance involved. I mentioned that ACS was basically rolled into Azure AD and the result of that was Azure AD B2C.

This allows for custom identity providers as well as common social media identity providers. That includes things like Facebook, Google, LinkedIn, among others. This is extremely useful, because it allows users to log in with an account that's already set up.

That's one fewer password that they have to remember. It puts the burden of securing those credentials on the social media providers as well, which is an added bonus. And it makes for less development on our end.

So, we have a lot of value in Azure AD B2C, so let's see how to actually use it. Let's set up a new Azure AD directory with B2C enabled, and then configure an identity provider. Now, we start out in the classic portal and create a new directory.

And the only real difference between this and the one we did before is that we're gonna enable this B2C checkbox. Once the directory is set to B2C you can't undo it, so make sure that's what you want to do. Now it's gonna take just a moment to complete the process. Okay, we've jumped forward.

Now that it's done, we can click manage, and it's gonna open up the new portal. So the new portal has all of the B2C options. We have the applications option, though we don't have any yet. And then we have things like identity providers and this is where we can specify those different providers.

Let's add one now so you can see how they're configured. Since I regularly use the Google Cloud, I'm gonna jump into the developer console because it's already familiar to me, so I'm gonna use that as the provider here. So we'll click add, and we'll give it a name.

And then, we're gonna select the type. Again, we're gonna use Google. And now we need to provide our client ID and our secret ID. So, those are gonna come from the Google developer console.

Let's jump into the console here. And now we'll go down to credentials. And let's click on create credentials. The thing we want is an OAuth client ID. And now, it wants to know the type of application this is. Let's select a web application for this example. And we'll select create at the bottom.

So, it's gonna provide us with the ID and the secret key. So, as the name suggests this really should be kept secret, though I'm gonna remove this after the demo so it's not really a problem, but make sure you keep yours secret.

We're gonna click on the copy button. We'll switch tabs and then just paste it in. And we'll do it once more with the secret key. We'll copy and we'll go back and paste it in Azure...perfect.

And now we can click okay at the bottom of this blade and complete the process. And there it is. We have an identity provider. So now we can use a local account as well as using a Google account to allow users to log into our app.

I'm not gonna go and deploy an actual app to demonstrate this, I'll save that for a development course; however, there is on more cool feature that is worth talking about as an architect. This is the ability to customize the different flows. It's listed here under policies and you can see that we have options for common work flows.

We have a signup and sign in, as well as password reset. And then we have a couple others. Let's demonstrate this with the sign up policy. By adding a new policy, we can customize the info that we get from the users of our site, as well as how the signup form should look. And we can select which providers this applies to.

So I'm gonna select both. And then we can select which properties we want to collect from the user at sign up. So let's select a few here.

Okay, next we have application claims, which are the claims returned in a token after successfully authenticating the user. And we'll select a few. Perfect. And then we have multi-factor authentication; however, it's a tough one to demonstrate so I'm gonna leave this disabled.

And then, here's my favorite part. We can select the page UI customization, and this allows us to use the Azure supplied page or a URL to our own styled page, and this will allow us to have forms built without having to write any code. This makes for a great way to add or remove fields without needing to push code changes.

Okay, that's gonna wrap up this lesson. In our next lesson, we'll be talking about data security solutions, so if you're ready to keep going, then let's get started with the next lesson.

About the Author

Learning paths15

Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.