WEBVTT 0:00:02.660000 --> 0:00:08.760000 You were talking about Azure security and identity, the place that you 0:00:08.760000 --> 0:00:13.700000 really need to start is Azure Active Directory or Azure AD. 0:00:13.700000 --> 0:00:15.820000 That's what this video is about. 0:00:15.820000 --> 0:00:19.560000 It's about giving a very high level overview of Azure AD. 0:00:19.560000 --> 0:00:23.300000 Now, if you are already familiar with Azure AD, then frankly, you can 0:00:23.300000 --> 0:00:28.040000 probably skip this video and go on and dive into the other topics. 0:00:28.040000 --> 0:00:31.080000 But if you're not familiar, if you're not sure you're familiar, let's 0:00:31.080000 --> 0:00:33.380000 talk about what we're going to talk about. 0:00:33.380000 --> 0:00:37.820000 We're going to start out really kind of talking about cloud-based authentication 0:00:37.820000 --> 0:00:45.080000 and identity. What is it, what's the idea here, why do we care? 0:00:45.080000 --> 0:00:46.880000 Then we'll get into the Azure AD. 0:00:46.880000 --> 0:00:47.900000 So what is Azure AD? 0:00:47.900000 --> 0:00:51.600000 How does it play in that particular arena? 0:00:51.600000 --> 0:00:55.220000 And then we'll take a look at hybrid identity, which is a very common 0:00:55.220000 --> 0:00:58.120000 implementation with Azure AD. 0:00:58.120000 --> 0:01:02.260000 And in terms of topics, the last thing we'll talk about is what are your 0:01:02.260000 --> 0:01:06.780000 options for authentication, particularly if you're in a hybrid scenario. 0:01:06.780000 --> 0:01:11.700000 And we'll finish out with a very high level overview of managing Azure 0:01:11.700000 --> 0:01:17.060000 AD, just really the tools in the Azure portal. 0:01:17.060000 --> 0:01:19.860000 And kind of what we can do there and just a little bit of navigation, 0:01:19.860000 --> 0:01:24.940000 not going into any depth on that because there are many videos that go 0:01:24.940000 --> 0:01:30.240000 into depth on various topics within there within the INE catalog. 0:01:30.240000 --> 0:01:33.620000 So let's go ahead and let's jump in. 0:01:33.620000 --> 0:01:39.320000 So we want to talk about cloud-based identity and authentication. 0:01:39.320000 --> 0:01:46.360000 And if we think about it at the highest level, we have some cloud application. 0:01:46.360000 --> 0:01:48.580000 Maybe it's Microsoft 365. 0:01:48.580000 --> 0:01:51.160000 Maybe it's Azure itself, right? 0:01:51.160000 --> 0:01:54.240000 Because you can kind of think of Azure as a cloud-based application. 0:01:54.240000 --> 0:02:00.640000 And the very simplest, we have some sort of user, and that user wants 0:02:00.640000 --> 0:02:04.840000 to have access to that cloud application. 0:02:04.840000 --> 0:02:10.940000 Well, in order to facilitate that, we could either build that kind of 0:02:10.940000 --> 0:02:17.360000 capability directly into the cloud application or, and this is typically 0:02:17.360000 --> 0:02:24.840000 the case, we can have a third party perform the identity and the authentication 0:02:24.840000 --> 0:02:30.820000 management. Now, we're going to talk about this with Azure AD, not surprisingly. 0:02:30.820000 --> 0:02:34.100000 This is absolutely not specific to Azure AD. 0:02:34.100000 --> 0:02:37.480000 You can think of Google, Facebook, right? 0:02:37.480000 --> 0:02:42.080000 So many cloud providers will actually provide this authentication service. 0:02:42.080000 --> 0:02:46.540000 But of course, we are going to talk about this as it applies in the Azure 0:02:46.540000 --> 0:02:49.540000 environment. Okay, so what is this process? 0:02:49.540000 --> 0:02:51.660000 How would we go about working with this? 0:02:51.660000 --> 0:02:55.660000 Well, if I think about, I've still got that user, right? 0:02:55.660000 --> 0:02:58.620000 So I've got my user and I saw the cloud application. 0:02:58.620000 --> 0:03:02.780000 But when the user tries to go to the cloud application, the user's not 0:03:02.780000 --> 0:03:05.620000 authenticated. The cloud application is going to be, yeah, you know, I 0:03:05.620000 --> 0:03:06.900000 really don't know who you are. 0:03:06.900000 --> 0:03:13.060000 And furthermore, we did not want to have to build and maintain an authentication 0:03:13.060000 --> 0:03:16.740000 and identity provider capability directly in there because I've done that 0:03:16.740000 --> 0:03:19.360000 and it is painful, right? 0:03:19.360000 --> 0:03:20.240000 Not something you want. 0:03:20.240000 --> 0:03:23.180000 You don't want to be responsible for the security of those accounts and 0:03:23.180000 --> 0:03:24.120000 everything else. 0:03:24.120000 --> 0:03:30.140000 So what you do is that cloud application ends up bouncing you over to 0:03:30.140000 --> 0:03:33.600000 some provider. Again, in our case, Azure AD, right? 0:03:33.600000 --> 0:03:38.580000 And you provide some kind of credentials, right? 0:03:38.580000 --> 0:03:40.200000 You put in the username and password. 0:03:40.200000 --> 0:03:42.380000 We'll talk about options there. 0:03:42.380000 --> 0:03:46.180000 Okay, and Azure AD goes and says, yep, you know what? 0:03:46.180000 --> 0:03:48.380000 You actually are who you are. 0:03:48.380000 --> 0:03:55.540000 So here, here's what is generically referred to as a token. 0:03:55.540000 --> 0:04:01.620000 Now, some purists will say because this uses something called SAML security 0:04:01.620000 --> 0:04:03.560000 application markup language. 0:04:03.560000 --> 0:04:07.960000 It's not technically a token, but honestly, it's fine. 0:04:07.960000 --> 0:04:08.920000 Just think of it as a token. 0:04:08.920000 --> 0:04:15.420000 A token is a signed set of what are called claims. 0:04:15.420000 --> 0:04:18.160000 Now, a claim is a piece of information about a person. 0:04:18.160000 --> 0:04:21.660000 It could be their account ID. 0:04:21.660000 --> 0:04:24.500000 It could be their first name, their email address. 0:04:24.500000 --> 0:04:28.120000 There's many different pieces of information that can be included in a 0:04:28.120000 --> 0:04:32.400000 claim, but it verifies the identity of the user. 0:04:32.400000 --> 0:04:35.940000 And it says not only verifies the identity, but it says, okay, this identity 0:04:35.940000 --> 0:04:39.420000 was verified by this particular provider, right? 0:04:39.420000 --> 0:04:40.960000 And so then we've got this token. 0:04:40.960000 --> 0:04:46.200000 So what happens is that token then gets sent, you know, we even draw a 0:04:46.200000 --> 0:04:48.280000 little token here. 0:04:48.280000 --> 0:04:50.160000 Okay, sent over to the cloud application. 0:04:50.160000 --> 0:04:54.680000 Now, at this point, the cloud application sees the token and it sees the 0:04:54.680000 --> 0:04:57.440000 fact that the token is signed. 0:04:57.440000 --> 0:05:03.480000 And to facilitate this, there has to be a trust relationship set up between 0:05:03.480000 --> 0:05:04.700000 these two systems. 0:05:04.700000 --> 0:05:07.260000 There's a variety of ways you can do that. 0:05:07.260000 --> 0:05:08.960000 And in fact, they may need to communicate. 0:05:08.960000 --> 0:05:10.640000 They will need to communicate. 0:05:10.640000 --> 0:05:14.840000 You may hear something called STS, which is secure token service. 0:05:14.840000 --> 0:05:18.400000 And it's a standardized way for back -end systems to communicate, but we're 0:05:18.400000 --> 0:05:19.880000 not into development in this course. 0:05:19.880000 --> 0:05:22.820000 So you don't need to worry about that too much right now. 0:05:22.820000 --> 0:05:27.420000 But in any case, the user goes and says, ah, okay, here's my identity. 0:05:27.420000 --> 0:05:32.260000 My identity was provided, was proven by Azure AD. 0:05:32.260000 --> 0:05:37.140000 And here it is. And the application goes, okay, look, I didn't identify 0:05:37.140000 --> 0:05:41.400000 you, but I see that you've got this information that was signed and it's 0:05:41.400000 --> 0:05:45.660000 accurate. And it's not been modified and it's signed by a signature that 0:05:45.660000 --> 0:05:49.080000 I trust. Ergo, understand who you are. 0:05:49.080000 --> 0:05:50.340000 We're good, right? 0:05:50.340000 --> 0:05:55.760000 And then if the service, the application needs more identity information, 0:05:55.760000 --> 0:06:03.180000 they can always call back to Azure AD and get that information via a full 0:06:03.180000 --> 0:06:07.980000 REST API. So that's really when we talk about cloud-based authentication 0:06:07.980000 --> 0:06:10.580000 identity, that's what we're looking at. 0:06:10.580000 --> 0:06:13.240000 And really again, very generic how that applies. 0:06:13.240000 --> 0:06:19.140000 It's all based on web standards, but that is how the Azure AD environment 0:06:19.140000 --> 0:06:24.020000 works. Now, what all is Azure AD? 0:06:24.020000 --> 0:06:31.960000 First of all, Azure AD is a cloud solution for authentication and identity. 0:06:31.960000 --> 0:06:37.700000 There are currently over 3000 independent software vendors who have registered 0:06:37.700000 --> 0:06:42.440000 cloud apps so that they can be integrated into Azure AD. 0:06:42.440000 --> 0:06:50.880000 Everything from Salesforce, Microsoft 365, formerly Office 365, to a wide 0:06:50.880000 --> 0:06:51.720000 range of things. 0:06:51.720000 --> 0:06:55.580000 One of my favorite apps, Concur, when I used to travel a lot. 0:06:55.580000 --> 0:06:58.340000 All of these things are registered. 0:06:58.340000 --> 0:07:01.380000 And last time I checked, I haven't checked in a while, there were eight 0:07:01.380000 --> 0:07:03.580000 different construction apps, right? 0:07:03.580000 --> 0:07:07.800000 For helping to manage construction applications or construction businesses. 0:07:07.800000 --> 0:07:11.160000 And not that there's anything spectacular, but we're not talking about 0:07:11.160000 --> 0:07:12.700000 these broad-based systems. 0:07:12.700000 --> 0:07:17.780000 Also very specific industry-specific applications, cloud applications 0:07:17.780000 --> 0:07:19.640000 that are registered. 0:07:19.640000 --> 0:07:21.900000 You can also integrate your own custom applications. 0:07:21.900000 --> 0:07:27.680000 These can be applications that you build from scratch to be integrated 0:07:27.680000 --> 0:07:30.120000 into the Azure AD environment. 0:07:30.120000 --> 0:07:34.500000 Or they could be existing applications that you essentially retrofit Azure 0:07:34.500000 --> 0:07:37.500000 AD in as an authentication mechanism. 0:07:37.500000 --> 0:07:40.640000 Now obviously, there's got to be some give and take, but it's a very flexible 0:07:40.640000 --> 0:07:43.020000 identity management system. 0:07:43.020000 --> 0:07:45.420000 You can also integrate this with on-premises. 0:07:45.420000 --> 0:07:47.700000 I mentioned hybrid identity. 0:07:47.700000 --> 0:07:49.440000 We'll talk about that in just a moment. 0:07:49.440000 --> 0:07:53.560000 You can federate with SSO systems. 0:07:53.560000 --> 0:07:57.380000 Things like Active Directory, Federation Services. 0:07:57.380000 --> 0:08:03.080000 Things like Ping Federation Services and many others can all integrate 0:08:03.080000 --> 0:08:07.640000 so that if you've already got a single sign-on solution, you can extend 0:08:07.640000 --> 0:08:13.740000 that solution out into your cloud applications that are managed through 0:08:13.740000 --> 0:08:20.640000 Azure. And there's also a host, a wealth of additional security services. 0:08:20.640000 --> 0:08:22.720000 There's multi-factor authentication. 0:08:22.720000 --> 0:08:27.600000 There's conditional access that only allows access to applications if 0:08:27.600000 --> 0:08:31.500000 the user and their system meets certain requirements. 0:08:31.500000 --> 0:08:35.580000 There's identity protection where Azure AD and, frankly, Microsoft are 0:08:35.580000 --> 0:08:39.620000 going to be running, monitoring and analytics and artificial intelligence 0:08:39.620000 --> 0:08:44.840000 to look for attacks on your identities. 0:08:44.840000 --> 0:08:47.280000 So this is what Azure AD does. 0:08:47.280000 --> 0:08:52.580000 Now what I want to do is talk about one of the very common use cases for 0:08:52.580000 --> 0:08:56.340000 Azure AD, which is hybrid identity. 0:08:56.340000 --> 0:09:01.220000 Now with hybrid identity, what you have, you have that scenario where 0:09:01.220000 --> 0:09:04.140000 I've got a user. 0:09:04.140000 --> 0:09:08.920000 And that user goes out to a cloud application, the cloud application bounces 0:09:08.920000 --> 0:09:12.220000 back, and then the user needs to authenticate. 0:09:12.220000 --> 0:09:16.880000 Well, if this is all we have, then that user's identity has to be created 0:09:16.880000 --> 0:09:20.240000 and managed in that authentication identity service. 0:09:20.240000 --> 0:09:30.420000 However, in many cases, you probably already have an on-premises environment. 0:09:30.420000 --> 0:09:35.320000 And in that on-premises environment, there's a pretty decent chance that 0:09:35.320000 --> 0:09:39.020000 you've got Active Directory and you've got a domain controller where you've 0:09:39.020000 --> 0:09:43.700000 got hundreds or thousands or tens of thousands of accounts. 0:09:43.700000 --> 0:09:46.600000 And what you really don't want to do is you don't want to have those accounts 0:09:46.600000 --> 0:09:51.460000 and have a whole separate set of accounts that not only do you have to 0:09:51.460000 --> 0:09:56.240000 manage in two different places, but if we have that, then the user has 0:09:56.240000 --> 0:10:00.580000 to have two separate logins for everything they're doing for your organization. 0:10:00.580000 --> 0:10:01.800000 And we don't want that. 0:10:01.800000 --> 0:10:02.720000 Nobody wants that. 0:10:02.720000 --> 0:10:10.460000 So what you can do is you can instead, say you know what, we don't want 0:10:10.460000 --> 0:10:13.580000 to have to manage these accounts. 0:10:13.580000 --> 0:10:19.640000 In fact, what we want to do is we want to take these accounts here and 0:10:19.640000 --> 0:10:21.980000 we want to get them up to here. 0:10:21.980000 --> 0:10:25.580000 Well, the way you do that is through hybrid identity. 0:10:25.580000 --> 0:10:31.940000 And there is a service, Azure AD Connect, Azure Active Directory Connect. 0:10:31.940000 --> 0:10:38.860000 And it is at the heart of everything that you're going to do with your 0:10:38.860000 --> 0:10:40.800000 hybrid identity. 0:10:40.800000 --> 0:10:45.080000 So I go into my on-premises environment, I install Azure AD Connect, I 0:10:45.080000 --> 0:10:50.480000 configure Azure AD Connect so that my on-premises accounts are synchronizing 0:10:50.480000 --> 0:10:55.420000 up into my authentication and identity service. 0:10:55.420000 --> 0:10:58.940000 In this case, Azure AD. 0:10:58.940000 --> 0:11:03.200000 Now, what are our authentication options? 0:11:03.200000 --> 0:11:04.980000 That's the next thing that we're going to talk about. 0:11:04.980000 --> 0:11:12.100000 So, okay, we've got this flow, but what do we do with this flow? 0:11:12.100000 --> 0:11:18.920000 And that's where we come in to our authentication options. 0:11:18.920000 --> 0:11:25.940000 Now, with our authentication options, one authentication option, and we 0:11:25.940000 --> 0:11:33.760000 have a number of them, is we've got our accounts down there, and the domain 0:11:33.760000 --> 0:11:38.620000 controller, who actually AD Connect is going to synchronize those accounts 0:11:38.620000 --> 0:11:44.440000 over to here. And so those accounts come from the domain controller. 0:11:44.440000 --> 0:11:47.440000 Now, there's two options with that. 0:11:47.440000 --> 0:12:00.940000 One option is sync without password, preferably properly cap block. 0:12:00.940000 --> 0:12:15.840000 Sync without password or sync with password hash. 0:12:15.840000 --> 0:12:17.280000 Most forgot the word hash. 0:12:17.280000 --> 0:12:21.940000 And once again, terrible hitting that particular caps lock. 0:12:21.940000 --> 0:12:28.400000 So, at a minimum, those are really our two most basic options for authentication 0:12:28.400000 --> 0:12:33.080000 in a hybrid identity, in a hybrid environment, with synchronization without 0:12:33.080000 --> 0:12:36.400000 password hash. That's what you have. 0:12:36.400000 --> 0:12:39.280000 Then the user may have the same account, right? 0:12:39.280000 --> 0:12:44.940000 So, I may be Tracy at INE.com, both when I'm on-premises as well as in 0:12:44.940000 --> 0:12:50.120000 the cloud. But because I'm not replicating or synchronizing that password, 0:12:50.120000 --> 0:12:52.800000 then I'm going to maintain two separate passwords. 0:12:52.800000 --> 0:12:55.000000 Still to me, not ideal. 0:12:55.000000 --> 0:13:00.460000 The next kind of, if you will, step up from that is the sync with password 0:13:00.460000 --> 0:13:04.340000 hash. It doesn't sync your actual password, but what it does is it takes 0:13:04.340000 --> 0:13:08.260000 standardized hash of your password that's in Active Directory, and it 0:13:08.260000 --> 0:13:12.400000 synchronizes that into the Azure AD. 0:13:12.400000 --> 0:13:16.020000 And thus, when you are logging in, you're now going to log in with the 0:13:16.020000 --> 0:13:18.660000 same username and the same password. 0:13:18.660000 --> 0:13:21.280000 But that's not all that we have. 0:13:21.280000 --> 0:13:28.440000 In addition to that, we also have the ability to actually add another 0:13:28.440000 --> 0:13:39.960000 little service. So we can add a service essentially to Azure AD Connect. 0:13:39.960000 --> 0:13:45.100000 And what that's going to do, that's going to be our pass-through, AAD 0:13:45.100000 --> 0:13:51.520000 pass-through agent. 0:13:51.520000 --> 0:13:58.200000 I really want to just type in THRU, but that's irresponsible. 0:13:58.200000 --> 0:14:04.420000 Now, in this case, what happens when the user attempts to connect, I'm 0:14:04.420000 --> 0:14:11.940000 going to just draw this, and is actually redirected back to the authentication 0:14:11.940000 --> 0:14:15.000000 provider. And you're going to log in with the screen that's provided by 0:14:15.000000 --> 0:14:21.300000 that. The user will provide their credentials, but those credentials are 0:14:21.300000 --> 0:14:25.180000 going to go into a queue. 0:14:25.180000 --> 0:14:30.060000 And then that pass-through service is going to, through obviously a secure 0:14:30.060000 --> 0:14:34.720000 connection, check that queue, pull the credentials back, and actually 0:14:34.720000 --> 0:14:37.620000 authenticate you with the domain controller. 0:14:37.620000 --> 0:14:41.620000 And then assuming that the domain controller authenticates you, that data 0:14:41.620000 --> 0:14:45.460000 gets passed back and passed back, and you get your token. 0:14:45.460000 --> 0:14:49.620000 Now, as far as the client, the cloud application is concerned, that token 0:14:49.620000 --> 0:14:53.680000 is always coming from the authentication identity service. 0:14:53.680000 --> 0:14:57.020000 In our case, of course, Azure Active Directory. 0:14:57.020000 --> 0:15:01.440000 But the AAD pass-through gives you an alternative. 0:15:01.440000 --> 0:15:07.060000 What that allows you to do is say, okay, we don't want to maintain passwords, 0:15:07.060000 --> 0:15:09.340000 even password hashes in the cloud. 0:15:09.340000 --> 0:15:14.060000 Also, if there are changes to an account, such as an account gets disabled, 0:15:14.060000 --> 0:15:17.760000 we want that to be immediately applicable. 0:15:17.760000 --> 0:15:23.560000 Right? So if I go in and let's say I log in through Azure AD, and let's 0:15:23.560000 --> 0:15:28.520000 say I'm using password hash or sync without password hash, and five minutes 0:15:28.520000 --> 0:15:31.860000 before I get log in, or two minutes before I log in, my account for somebody 0:15:31.860000 --> 0:15:33.120000 that gets disabled. 0:15:33.120000 --> 0:15:37.840000 Well, unless that is already synchronized up, if I'm authenticating through 0:15:37.840000 --> 0:15:40.660000 Azure AD, I have to wait, well, I don't have to wait. 0:15:40.660000 --> 0:15:43.160000 I would actually be able to authenticate at that point, right? 0:15:43.160000 --> 0:15:45.040000 You have to wait for that synchronization. 0:15:45.040000 --> 0:15:48.960000 So a lot of times you want to bring that identity and that identity verification 0:15:48.960000 --> 0:15:52.480000 closer back to the source, and really right back to the source, which 0:15:52.480000 --> 0:15:55.700000 would, of course, be the on -premises Active Directory. 0:15:55.700000 --> 0:16:05.640000 Now, there is another option as well, and that other option is to implement 0:16:05.640000 --> 0:16:11.820000 a federator. Okay, and I'm going to go ahead and clear this because there's 0:16:11.820000 --> 0:16:14.240000 a lot on there, so we'll clear that. 0:16:14.240000 --> 0:16:21.360000 Okay, now with the federator, what happens is, you know, I try to authenticate, 0:16:21.360000 --> 0:16:25.440000 I get bounced back up to Azure AD. 0:16:25.440000 --> 0:16:29.240000 But Azure AD does not authenticate me. 0:16:29.240000 --> 0:16:35.180000 Instead, what Azure AD does is it bounces me again over to the federator. 0:16:35.180000 --> 0:16:37.920000 Very common federator is ADFS. 0:16:37.920000 --> 0:16:41.400000 So ADFS is actually handling all of my authentication. 0:16:41.400000 --> 0:16:46.560000 None of it is done through Active Directory, or excuse me, it's all done 0:16:46.560000 --> 0:16:47.320000 through Active Directory. 0:16:47.320000 --> 0:16:49.140000 None of it is done through Azure AD. 0:16:49.140000 --> 0:16:53.560000 What's going to happen is I'm going to present my credentials, and there's 0:16:53.560000 --> 0:16:59.580000 many options, can be used by a password, can be by a matrix, several different 0:16:59.580000 --> 0:17:01.100000 options that I've got. 0:17:01.100000 --> 0:17:03.300000 But in any case, I mean, it's the same basic process. 0:17:03.300000 --> 0:17:04.700000 I'm going to be authenticated here. 0:17:04.700000 --> 0:17:11.940000 Now, when I get authenticated, the federation service is going to, say, 0:17:11.940000 --> 0:17:16.180000 generate a token that says of, that's the token for the federated service 0:17:16.180000 --> 0:17:19.080000 that we'll call it in a little bit, so it doesn't look like of. 0:17:19.080000 --> 0:17:27.060000 Okay, and that token is going to be sent back to Azure AD, my authentication 0:17:27.060000 --> 0:17:28.140000 identity service. 0:17:28.140000 --> 0:17:31.660000 Now, at this point, of course, there's setup. 0:17:31.660000 --> 0:17:35.320000 Azure AD has to trust the federation service. 0:17:35.320000 --> 0:17:40.920000 The federation service has to be set up with Azure AD as what's called 0:17:40.920000 --> 0:17:42.360000 a relying party. 0:17:42.360000 --> 0:17:44.720000 And there's other videos that talk about that. 0:17:44.720000 --> 0:17:46.440000 Again, this is just high level. 0:17:46.440000 --> 0:17:51.840000 But in any case, I get redirected over to this federated server, federation 0:17:51.840000 --> 0:17:54.700000 server, again, say, ADFS. 0:17:54.700000 --> 0:17:57.880000 I authenticate successfully, and it says, okay, you are who you are, creates 0:17:57.880000 --> 0:18:01.220000 a token, signs it, and sends it on to Azure AD. 0:18:01.220000 --> 0:18:05.480000 The problem is Azure AD can't take that token and send it directly over 0:18:05.480000 --> 0:18:11.260000 to the cloud application, because the cloud application doesn't know who 0:18:11.260000 --> 0:18:17.540000 ADFS is. So what it does is it takes and unpacks that, creates its own 0:18:17.540000 --> 0:18:25.200000 token, and then that token gets sent over to the cloud. 0:18:25.200000 --> 0:18:28.440000 And now the user, when they connect up, they've got that token sent over 0:18:28.440000 --> 0:18:30.120000 with the user request. 0:18:30.120000 --> 0:18:32.020000 And so now the user goes in. 0:18:32.020000 --> 0:18:36.120000 As far as the cloud applications turn, you were authenticated with Azure 0:18:36.120000 --> 0:18:37.940000 AD. It doesn't really matter. 0:18:37.940000 --> 0:18:41.520000 And that is one thing that's important, regardless of which of these approaches 0:18:41.520000 --> 0:18:43.460000 you want to use. 0:18:43.460000 --> 0:18:47.500000 And all of these approaches, you are actually authenticated as far as 0:18:47.500000 --> 0:18:51.600000 the cloud applications concern, Azure AD is authenticating you. 0:18:51.600000 --> 0:18:54.660000 And that is the only way it's going to work with the cloud application. 0:18:54.660000 --> 0:18:57.580000 And that's actually kind of nice, because what it also means is that you 0:18:57.580000 --> 0:19:01.380000 could, for example, switch the way that you're authenticating, or even 0:19:01.380000 --> 0:19:04.240000 have backup authentication modes. 0:19:04.240000 --> 0:19:09.380000 So for example, you may be using ADFS primarily, but you're also synchronizing 0:19:09.380000 --> 0:19:13.840000 password hashes so you can fall back to that if Azure AD goes down. 0:19:13.840000 --> 0:19:17.480000 And all of this would be completely transparent to the applications. 0:19:17.480000 --> 0:19:22.140000 Now that is quite a bit, and we're not going to go into depth on any of 0:19:22.140000 --> 0:19:27.140000 that right now. But what I do want to do as kind of the ending point for 0:19:27.140000 --> 0:19:36.680000 this video is I want to take a look at just the management interface for 0:19:36.680000 --> 0:19:40.840000 Azure AD. So I'm just going to demonstrate Azure AD. 0:19:40.840000 --> 0:19:47.840000 And to do that, I am going to pull up my Azure portal. 0:19:47.840000 --> 0:19:52.900000 So right now I am in the Azure portal and I am logged in and I'm logged 0:19:52.900000 --> 0:19:58.580000 into an Azure AD directory or tenant. 0:19:58.580000 --> 0:20:03.460000 And what I'm going to do is I'm going to go ahead and pop into that tenant. 0:20:03.460000 --> 0:20:11.100000 Now if you have ever managed users, then you are most likely familiar 0:20:11.100000 --> 0:20:14.760000 with the basic things that you do, users and identity. 0:20:14.760000 --> 0:20:17.860000 So I can go and I can find my users, for example. 0:20:17.860000 --> 0:20:22.380000 Okay, and so here are a whole number of users. 0:20:22.380000 --> 0:20:24.420000 I've got this one user here. 0:20:24.420000 --> 0:20:29.980000 I might have noticed I have many users for Tracy because that's me. 0:20:29.980000 --> 0:20:32.900000 And I can go in and I can see the user's profile. 0:20:32.900000 --> 0:20:40.300000 I can actually look at devices, any licensed like Azure AD premium capabilities 0:20:40.300000 --> 0:20:42.380000 that are associated with this user. 0:20:42.380000 --> 0:20:45.580000 All of those I can manage from the users. 0:20:45.580000 --> 0:20:50.080000 And then I also have groups and I can manage my groups and manage the 0:20:50.080000 --> 0:20:54.200000 way that groups are created and in membership and everything else. 0:20:54.200000 --> 0:20:58.620000 And you can see there's just a number of different capabilities. 0:20:58.620000 --> 0:21:02.120000 If I have custom domain names, I think I have a custom. 0:21:02.120000 --> 0:21:03.860000 Yeah, I do. I've got I need demo. 0:21:03.860000 --> 0:21:09.180000 I need dash demo.com is a verified custom domain name for this tenant. 0:21:09.180000 --> 0:21:16.260000 If I've got any licenses of any capabilities that go beyond just the basic 0:21:16.260000 --> 0:21:19.660000 free Azure AD, I can manage those there. 0:21:19.660000 --> 0:21:27.340000 If I want to set up Azure AD Connect, where did that go? 0:21:27.340000 --> 0:21:29.300000 They move this. There we go. 0:21:29.300000 --> 0:21:30.060000 Azure AD Connect. 0:21:30.060000 --> 0:21:31.400000 You just be near the top. 0:21:31.400000 --> 0:21:35.920000 I can set up Azure AD Connect as well. 0:21:35.920000 --> 0:21:41.740000 Okay, so all of the capabilities that are associated with Azure AD are 0:21:41.740000 --> 0:21:45.680000 going to be managed either through the portal as I'm showing you here 0:21:45.680000 --> 0:21:48.660000 or as with any other capability. 0:21:48.660000 --> 0:21:53.520000 Azure AD actually has a very robust API. 0:21:53.520000 --> 0:21:57.440000 It's actually part of what's called the Microsoft graph, which goes beyond 0:21:57.440000 --> 0:21:59.740000 Azure AD and also includes Microsoft 365. 0:21:59.740000 --> 0:22:04.840000 And I believe Dynamics 365 capabilities as well, but I'm not sure on that 0:22:04.840000 --> 0:22:06.860000 one and it doesn't really matter. 0:22:06.860000 --> 0:22:08.640000 But you could use the API. 0:22:08.640000 --> 0:22:12.280000 There are also a number of command line management tools. 0:22:12.280000 --> 0:22:16.120000 I will tell you that gets a little bit confusing trying to use the command 0:22:16.120000 --> 0:22:21.980000 line tools because there are three or four different power shell command 0:22:21.980000 --> 0:22:25.460000 lit modules that you may have to use. 0:22:25.460000 --> 0:22:28.520000 There's also an Azure CLI. 0:22:28.520000 --> 0:22:31.860000 And personally, I found that working from the command line, there's some 0:22:31.860000 --> 0:22:34.740000 things I actually have to go to a really, I still have to go to a really 0:22:34.740000 --> 0:22:40.280000 old Azure. Well, it's actually not even Azure is Microsoft online. 0:22:40.280000 --> 0:22:45.560000 Commandlets that are part of a Microsoft online. 0:22:45.560000 --> 0:22:51.420000 Group of commandlets, whose name module, I almost forgot that. 0:22:51.420000 --> 0:22:55.860000 I'm sorry, but in any case, so you know, all these different modules, 0:22:55.860000 --> 0:22:59.780000 you can certainly do it, but it can also be a bit challenging. 0:22:59.780000 --> 0:23:02.620000 And that's why I like demonstrating from the portal. 0:23:02.620000 --> 0:23:07.320000 So we talked about, you know, the idea of cloud based identity, how Azure 0:23:07.320000 --> 0:23:11.400000 AD fits into that concept of cloud based identity. 0:23:11.400000 --> 0:23:16.120000 And what are some of the ways that Azure AD can authenticate users to 0:23:16.120000 --> 0:23:17.820000 provide that cloud based identity?