WEBVTT

00:00:03.700 --> 00:00:10.300
Users have passwords and thus users need to maintain those passwords.

00:00:10.300 --> 00:00:13.240
If you're on-prem, that's pretty straightforward.

00:00:13.240 --> 00:00:15.420
If you're in Azure itself, that's pretty straightforward.

00:00:15.420 --> 00:00:19.260
It gets a little more interesting when we're looking at hybrid identity

00:00:19.260 --> 00:00:23.120
password management and that's what we're going to talk about in this

00:00:23.120 --> 00:00:30.540
video. The idea being that you really want your users to have one place

00:00:30.540 --> 00:00:33.280
where they update their passwords.

00:00:33.280 --> 00:00:37.240
And know that as soon as that password is updated or administratively,

00:00:37.240 --> 00:00:42.260
maybe as soon as you disable an account, that that's actually going to

00:00:42.260 --> 00:00:46.080
go ahead and be enforced.

00:00:46.080 --> 00:00:49.060
And so that's really what we're talking about here.

00:00:49.060 --> 00:00:53.580
And what I want to do to start out is I want to talk about Azure AD hybrid

00:00:53.580 --> 00:00:56.480
passwords and what the options are and kind of whiteboard that out a little

00:00:56.480 --> 00:01:01.320
bit. Then I'm going to demonstrate how you can change those settings and

00:01:01.320 --> 00:01:03.620
what the impact of changing those settings would be.

00:01:03.620 --> 00:01:09.980
So let's go ahead and draw out what some of these options are.

00:01:09.980 --> 00:01:15.540
Now, if I've got, you think about the three components here, I've got

00:01:15.540 --> 00:01:27.540
my Azure AD tenant, I've got my on-prem environment, and I've got my user.

00:01:27.540 --> 00:01:35.380
That's supposed to be a beret, but it kind of looks like an umbrella.
00:01:35.380 --> 00:01:39.400
And really, there's four things because there's some cloud application

00:01:39.400 --> 00:01:45.680
that the user actually wants to access, right?

00:01:45.680 --> 00:01:47.760
So get the cloud app, right?

00:01:47.760 --> 00:01:52.360
The user tries to access the cloud app, the cloud app says, yeah, you

00:01:52.360 --> 00:01:54.660
can't do that, I don't know who you are.

00:01:54.660 --> 00:01:58.120
So redirects the user over to Azure Active Directory because that's been

00:01:58.120 --> 00:02:01.000
configured for the cloud app, right?

00:02:01.000 --> 00:02:11.620
Now, Bob, let's say, and this is Bob, Bob has an account in Active Directory

00:02:11.620 --> 00:02:14.360
on-premises. And what I don't want is I don't want Bob to have a different

00:02:14.360 --> 00:02:19.660
account in Azure AD, and I don't want Bob to have a different password.

00:02:19.660 --> 00:02:25.400
So the kind of baseline default synchronization option, if this is an AD

00:02:25.400 --> 00:02:36.240
Connect over here, is password hash sync.

00:02:36.240 --> 00:02:40.340
Now, you don't have to do it that way, there's other options as well.

00:02:40.340 --> 00:02:43.600
But Bob's password, along with Bob's account, is gonna get synchronized

00:02:43.600 --> 00:02:45.900
up into Active Directory.

00:02:45.900 --> 00:02:50.260
But now, that's all fine, Bob can log in, log in through Active Directory.

00:02:50.260 --> 00:02:55.160
But what if I don't, either, A, I don't want that password to be up in

00:02:55.160 --> 00:02:59.420
Active Directory, even though it's a hash and it's fine, right?

00:02:59.420 --> 00:03:03.860
Or, I just want Bob, Bob's gonna update Bob's password, I want that password

00:03:03.860 --> 00:03:05.460
update to happen in one place.

00:03:05.460 --> 00:03:10.820
Well, I have a few different options for facilitating this.
00:03:10.820 --> 00:03:16.660
One option is to have password hash synchronization, so that kind of baseline,

00:03:16.660 --> 00:03:20.800
but to activate password writeback.

00:03:20.800 --> 00:03:32.400
If I activate password writeback, what that means is when Bob updates

00:03:32.400 --> 00:03:36.660
his password, that password, the next time there's a synchronization,

00:03:36.660 --> 00:03:40.980
is gonna end up, even though he updated it through Azure Active Directory,

00:03:40.980 --> 00:03:44.380
it will end up synchronizing all the way back to Active Directory.

00:03:44.380 --> 00:03:45.840
That's pretty cool.

00:03:45.840 --> 00:03:50.680
There's easy ways for Bob not only to change his password, but you can

00:03:50.680 --> 00:03:54.180
actually set it up so that Bob can have password reset as well.

00:03:54.180 --> 00:03:57.040
Okay, now in order to have password writeback, you have to have one of

00:03:57.040 --> 00:04:00.340
the premium subscriptions for that account.

00:04:00.340 --> 00:04:03.380
So it's gotta be associated with the Azure Active Directory and you have

00:04:03.380 --> 00:04:06.500
to have a license associated or assigned to that account, that's going

00:04:06.500 --> 00:04:08.540
to take advantage of password writeback.

00:04:08.540 --> 00:04:10.500
Now you're not limited to that option.

00:04:10.500 --> 00:04:12.800
There's a couple other options as well.

00:04:12.800 --> 00:04:15.920
Okay, one option, I just deleted too many things.

00:04:15.920 --> 00:04:18.340
We're still gonna have this AAD Connect here.

00:04:18.340 --> 00:04:24.020
Okay, but rather than synchronizing over the, synchronizing the password

00:04:24.020 --> 00:04:31.740
over to AAD, we're gonna install another agent, which is the pass-through.

00:04:31.740 --> 00:04:35.180
And that is not how you spell pass-through, I know that, but it fits.
00:04:35.180 --> 00:04:37.160
All right, the pass-through agent.

00:04:37.160 --> 00:04:39.560
Okay, and what's gonna happen in this case?

00:04:39.560 --> 00:04:42.480
Okay, Bob goes through the same process.

00:04:42.480 --> 00:04:44.540
This is transparent to Bob.

00:04:44.540 --> 00:04:46.200
Okay, Bob's gonna go through the same process.

00:04:46.200 --> 00:04:51.000
Bob's going to then enter Bob's credentials, we'll say username and password,

00:04:51.000 --> 00:04:55.660
right? And they're sitting securely, actually in a queue in Azure AD.

00:04:55.660 --> 00:04:59.100
And then this agent is going to go, it's gonna see that something's in

00:04:59.100 --> 00:05:01.800
the queue, and it's gonna pull it down.

00:05:01.800 --> 00:05:04.720
Okay, and then the agent, which of course has to be given the appropriate

00:05:04.720 --> 00:05:10.980
rights, is going to actually authenticate against Active Directory locally,

00:05:10.980 --> 00:05:13.280
with those credentials.

00:05:13.280 --> 00:05:18.100
And assuming that is successful, the agent is going to pass those credentials

00:05:18.100 --> 00:05:20.660
back into Azure Active Directory.

00:05:20.660 --> 00:05:24.780
Now there's a few advantages to this architecture.

00:05:24.780 --> 00:05:32.020
One is that any changes that occur in the actual Active Directory

00:05:32.020 --> 00:05:36.120
are going to be immediately implemented, right?

00:05:36.120 --> 00:05:40.120
That could be a password change, that could also be an account disabling.

00:05:40.120 --> 00:05:42.400
All right, so if you disable an account and you're using the pass-through

00:05:42.400 --> 00:05:44.200
agent, that's immediately disabled.

00:05:44.200 --> 00:05:48.960
If you're using AAD Connect, that account may still be live in Azure Active

00:05:48.960 --> 00:05:50.800
Directory until the next synchronization.
00:05:50.800 --> 00:05:54.920
Now you could force synchronization, but this kind of does it on its own.

00:05:54.920 --> 00:06:02.160
Also, the actual credentials, the password hash is not stored in Azure

00:06:02.160 --> 00:06:06.740
AD, although the credentials are entered into Azure AD by the end user,

00:06:06.740 --> 00:06:09.600
but they're not checked until they are pulled down and checked against

00:06:09.600 --> 00:06:11.880
the local Active Directory.

00:06:11.880 --> 00:06:14.840
There are some disadvantages to this.

00:06:14.840 --> 00:06:16.760
One is performance, right?

00:06:16.760 --> 00:06:19.240
Because you're adding this asynchronous process.

00:06:19.240 --> 00:06:25.860
It's pretty fast, but Bob's going to log in and until that agent

00:06:25.860 --> 00:06:30.540
is available, the pass-through agent, and it checks, Bob's sitting there

00:06:30.540 --> 00:06:33.100
waiting for the credentials to be pulled.

00:06:33.100 --> 00:06:35.260
Again, all transparent to Bob.

00:06:35.260 --> 00:06:39.180
And also, of course, if that pass-through agent goes down, you no longer

00:06:39.180 --> 00:06:41.700
have Azure AD authentication.

00:06:41.700 --> 00:06:43.300
But that is another way.

00:06:43.300 --> 00:06:48.660
So we can have one way of managing a single password by using password

00:06:48.660 --> 00:06:53.980
hash synchronization with writeback, and that's where the user would typically,

00:06:53.980 --> 00:06:57.100
I mean, they technically could manage their passwords in either place,

00:06:57.100 --> 00:06:59.460
but you'd want them to manage one or the other.

00:06:59.460 --> 00:07:05.780
And there's some good self-service options going through that myapps.microsoft.com.

00:07:05.780 --> 00:07:10.000
Then we have pass-through where everything is managed and maintained

00:07:10.000 --> 00:07:13.820
in the on-premises and just one password.
00:07:13.820 --> 00:07:15.480
Now, there's an alternative.

00:07:15.480 --> 00:07:18.820
I can clear enough of this out that we'll get there.

00:07:18.820 --> 00:07:21.520
Not quite. Well, close.

00:07:21.520 --> 00:07:27.180
All right. So rather than using an agent that is attached to Azure AD

00:07:27.180 --> 00:07:33.800
Connect, I can actually set up Active Directory Federation Services or

00:07:33.800 --> 00:07:37.540
other federators.

00:07:37.540 --> 00:07:43.680
And without going into all of the details of ADFS here, what happens in

00:07:43.680 --> 00:07:46.140
this architecture?

00:07:46.140 --> 00:07:50.700
So if I've got a cloud app, the cloud app is using Azure AD for authentication.

00:07:50.700 --> 00:07:54.600
Azure AD is configured to work with ADFS.

00:07:54.600 --> 00:07:59.820
The user will actually be redirected to a public endpoint for ADFS.

00:07:59.820 --> 00:08:02.300
And that public endpoint is provided by what's called a web application

00:08:02.300 --> 00:08:06.120
server. All kinds of things that go into that that are not important here.

00:08:06.120 --> 00:08:10.860
It's big picture. And the user actually submits their own credentials through

00:08:10.860 --> 00:08:14.220
ADFS. Those credentials are verified.

00:08:14.220 --> 00:08:18.960
And then those credentials actually get passed back to AD, which converts

00:08:18.960 --> 00:08:24.420
them into their own token, which then gets sent back to the user, and

00:08:24.420 --> 00:08:26.580
then eventually back to the cloud app.

00:08:26.580 --> 00:08:30.360
Lots of arrows. Now, why am I bringing all these up together?

00:08:30.360 --> 00:08:31.800
Because I'm not going to talk about all these.

00:08:31.800 --> 00:08:33.700
Because these are really options.
00:08:33.700 --> 00:08:36.480
Those are really the three main options that are going to allow you to

00:08:36.480 --> 00:08:41.360
have a single point of management for your user passwords.

00:08:41.360 --> 00:08:46.820
Now, beyond that, there are definite reasons for using really any one

00:08:46.820 --> 00:08:52.140
of these three. The simplest would be having your password hash synchronization

00:08:52.140 --> 00:08:53.740
with writeback.

00:08:53.740 --> 00:08:56.900
Of course, that does require a license.

00:08:56.900 --> 00:08:59.780
And there's some delay, of course, because of synchronization.

00:08:59.780 --> 00:09:03.380
At the other end of the spectrum, there's ADFS, which is incredibly powerful.

00:09:03.380 --> 00:09:08.140
It can be used actually for many things beyond Azure AD Federation with

00:09:08.140 --> 00:09:14.140
on-prem. But because it is powerful, it is also more complex to set up

00:09:14.140 --> 00:09:14.860
and keep running.

00:09:14.860 --> 00:09:16.300
It's not horrible.

00:09:16.300 --> 00:09:20.280
But in fact, the complexity of ADFS is pretty much the reason why there

00:09:20.280 --> 00:09:22.100
is pass-through authentication.

00:09:22.100 --> 00:09:26.840
It's kind of a lightweight version of a similar thing, at least functionally.

00:09:26.840 --> 00:09:30.660
And that the passwords are always maintained on-prem.

00:09:30.660 --> 00:09:33.780
But rather than installing a whole other service, you're just installing

00:09:33.780 --> 00:09:37.040
kind of a little agent on top of Azure AD Connect.

00:09:37.040 --> 00:09:42.200
So those are our options for hybrid authentication.

00:09:42.200 --> 00:09:48.100
Now, what I want to do is I want to go ahead and demonstrate this.

00:09:48.100 --> 00:09:56.040
So I am going to pop over to my virtual machine.

00:09:56.040 --> 00:09:57.720
This is a machine that I've already got set up.
00:09:57.720 --> 00:10:00.740
I already have synchronization set up with this.

00:10:00.740 --> 00:10:03.480
This is a domain controller.

00:10:03.480 --> 00:10:08.780
And the domain that it manages is ini-demo.com.

00:10:08.780 --> 00:10:16.860
That domain is synchronizing with my Azure AD tenant.

00:10:16.860 --> 00:10:23.300
And my Azure AD tenant has a custom domain name that I've added and configured,

00:10:23.300 --> 00:10:26.040
which is ini-demo.com.

00:10:26.040 --> 00:10:28.260
That's going to be important.

00:10:28.260 --> 00:10:34.420
And I've got Azure AD Connect set up and running and synchronizing.

00:10:34.420 --> 00:10:37.880
I've got a couple of users.

00:10:37.880 --> 00:10:45.100
From over on the other side, I've got Bob Smith, who is a Windows Server

00:10:45.100 --> 00:10:47.200
Active Directory user.

00:10:47.200 --> 00:10:52.140
And I've got ini-rocksberry, who is also a Windows Server Active Directory

00:10:52.140 --> 00:10:57.280
user. And what I want to do right now, they're set up with password hash

00:10:57.280 --> 00:11:00.840
authentication. So their identities and the hash of their password have

00:11:00.840 --> 00:11:02.940
been synchronized into Azure AD.

00:11:02.940 --> 00:11:07.200
And you can see other videos where I just log in as Bob Smith.

00:11:07.200 --> 00:11:09.700
Not terribly exciting, but it does work.

00:11:09.700 --> 00:11:13.600
What I want to do now is I want to change that a little bit.

00:11:13.600 --> 00:11:17.360
And I want to change the way that password synchronization works.

00:11:17.360 --> 00:11:26.880
To do that, I'm actually going to rerun, let's see here, there we go,

00:11:26.880 --> 00:11:31.540
the Azure AD Connect service here.

00:11:31.540 --> 00:11:35.180
And when I rerun this, there's like several of these.
00:11:35.180 --> 00:11:37.920
I always want to make sure I go to the desktop and click this one because

00:11:37.920 --> 00:11:38.860
it's the right one.

00:11:38.860 --> 00:11:42.420
Now, the first time you run this, it actually sets up Azure AD Connect.

00:11:42.420 --> 00:11:45.580
Once it's already installed, this is actually the interface that you use

00:11:45.580 --> 00:11:48.340
to change the setting.

00:11:48.340 --> 00:11:51.860
So what I'm going to do is click configure.

00:11:51.860 --> 00:11:54.260
And so it's like, all right, what do you want to do?

00:11:54.260 --> 00:11:57.940
And there's actually a number of things that you can change here.

00:11:57.940 --> 00:12:02.360
I can look at privacy settings and customize synchronization options,

00:12:02.360 --> 00:12:07.280
device options. I can change user sign-in, which is actually what I want

00:12:07.280 --> 00:12:13.100
to do. Now, in order to do this, it's going to make me prove that I have

00:12:13.100 --> 00:12:13.940
rights to do this.

00:12:13.940 --> 00:12:28.040
So, login. All right, we're good.

00:12:28.040 --> 00:12:35.080
Now, right now, I am set up with password hash synchronization.

00:12:35.080 --> 00:12:40.700
What I want to do is I want to change this over to pass-through authentication.

00:12:40.700 --> 00:12:45.000
All right, now it wants to make sure that my user account for this is

00:12:45.000 --> 00:12:47.080
a cloud-only company administrator.

00:12:47.080 --> 00:12:51.520
So I can manage it even if things go poorly, which I am, and that's fine.

00:12:51.520 --> 00:12:54.480
All right, so I'm going to go ahead and change this up.

00:12:54.480 --> 00:13:01.720
Now, in order to do this, I have to activate single sign-on.

00:13:01.720 --> 00:13:03.940
And I've already actually done that.

00:13:03.940 --> 00:13:06.000
It's already checked, so we're good.
00:13:06.000 --> 00:13:10.640
And now what single sign-on does is it actually sets up a single sign-on

00:13:10.640 --> 00:13:11.820
for on-prem users.

00:13:11.820 --> 00:13:16.800
It actually adds some JavaScript so that when a user goes to a cloud application

00:13:16.800 --> 00:13:22.680
that's registered for your Azure AD domain tenant from an on-prem environment,

00:13:22.680 --> 00:13:27.360
when they get redirected to Azure AD to authenticate, the JavaScript will

00:13:27.360 --> 00:13:35.780
actually pick up their domain authentication and just, okay.

00:13:35.780 --> 00:13:40.020
So that's telling me that we're ready to configure.

00:13:40.020 --> 00:13:45.680
So it's now installing the Connect authentication agent for pass-through authentication.

00:13:45.680 --> 00:13:46.460
That'll take a few moments.

00:13:46.460 --> 00:13:50.740
And when it's done, we're going to come back and take a look at it.

00:13:50.740 --> 00:14:01.380
All right, so it looks like our configuration is complete.

00:14:01.380 --> 00:14:02.760
So I'm going to exit out of here.

00:14:02.760 --> 00:14:06.540
Now, what I'm going to do next is I'm actually going to leave this machine

00:14:06.540 --> 00:14:09.700
because this machine is in the domain.

00:14:09.700 --> 00:14:12.520
So we'll just sort of pop that down.

00:14:12.520 --> 00:14:15.260
You got a nice picture of Hawaii there.

00:14:15.260 --> 00:14:21.220
And open in private window and move that over.

00:14:21.220 --> 00:14:25.280
All right. So now I'm on my own machine.

00:14:25.280 --> 00:14:27.440
And I'm in an InPrivate window.

00:14:27.440 --> 00:14:30.900
And so what I'm going to do is I'm going to go to myapps

00:14:30.900 --> 00:14:36.920
dot microsoft dot com.

00:14:36.920 --> 00:14:44.280
And I am going to log in as Bob.

00:14:44.280 --> 00:14:52.820
As BobS@ini-demo.com.
00:14:52.820 --> 00:15:02.240
Okay, just going to let me enter the password.

00:15:02.240 --> 00:15:05.640
And then it's going to log me in.

00:15:05.640 --> 00:15:11.220
Log in, stay signed in.

00:15:11.220 --> 00:15:14.600
Great. Let's go ahead and do that.

00:15:14.600 --> 00:15:17.320
And that was pretty fast.

00:15:17.320 --> 00:15:20.940
And in fact, completely transparent to Bob, right?

00:15:20.940 --> 00:15:23.260
Doesn't matter to Bob, Bob's logged in.

00:15:23.260 --> 00:15:24.440
Everything is good.

00:15:24.440 --> 00:15:28.740
Now, we're going to have a little bit of fun.

00:15:28.740 --> 00:15:32.220
And I'm going to pop over.

00:15:32.220 --> 00:15:37.080
Into the portal.

00:15:37.080 --> 00:15:40.760
Portal. All right.

00:15:40.760 --> 00:15:46.840
And what I want to do is I want to go into my virtual machine.

00:15:46.840 --> 00:15:50.480
Many of these. My ADDC.

00:15:50.480 --> 00:15:54.900
And I am going to stop this virtual machine.

00:15:54.900 --> 00:16:00.520
Okay. Now, once that virtual machine is stopped, Bob should not be able

00:16:00.520 --> 00:16:01.960
to log in anymore.

00:16:01.960 --> 00:16:03.660
So we're going to give this a minute.

00:16:03.660 --> 00:16:05.200
Once that's done, we'll come back.

00:16:05.200 --> 00:16:06.980
It will be just moments for you.

00:16:06.980 --> 00:16:17.060
And we'll test to see if Bob can still log in.

00:16:17.060 --> 00:16:21.160
All right. Now, that's a pretty drastic measure.

00:16:21.160 --> 00:16:25.100
And I'm not suggesting that this would be the way to stop someone from

00:16:25.100 --> 00:16:29.580
logging into Azure AD, to just shut down your domain controller.

00:16:29.580 --> 00:16:32.700
But again, it's just kind of an easy way for me to show you that connection

00:16:32.700 --> 00:16:35.740
between the two and the fact that there's now this dependency.
00:16:35.740 --> 00:16:41.040
All right. So I'm going to go in now and I'm going to log in again as

00:16:41.040 --> 00:16:42.700
Bob, or at least I'm going to attempt to.

00:16:42.700 --> 00:16:47.080
And if all goes well, I'm not going to.

00:16:47.080 --> 00:16:48.940
Oh, there we go.

00:16:48.940 --> 00:16:53.360
Going to go over to myapps.microsoft.com. So far,

00:16:53.360 --> 00:16:54.960
so good. All right.

00:16:54.960 --> 00:17:00.660
And so we've got BobS@ini-demo.com.

00:17:00.660 --> 00:17:11.540
It's good. So okay, we got that user, put in the password.

00:17:11.540 --> 00:17:14.300
And then we wait, right?

00:17:14.300 --> 00:17:18.280
And the reason why we're waiting is because it's not there.

00:17:18.280 --> 00:17:21.360
All right. That server's not on the other side because Bob's now actually

00:17:21.360 --> 00:17:24.480
being authenticated by the on-prem.

00:17:24.480 --> 00:17:25.480
And there we go.

00:17:25.480 --> 00:17:28.780
It comes back and it tells me that there was a problem processing your

00:17:28.780 --> 00:17:33.540
request with the very helpful error code zero.

00:17:33.540 --> 00:17:37.620
Okay, but what you will find in Azure AD is intentionally most of the

00:17:37.620 --> 00:17:43.640
error codes that you'll find with Azure AD logins are completely unhelpful.

00:17:43.640 --> 00:17:45.480
And that's kind of by design, right?

00:17:45.480 --> 00:17:47.740
Because you've got security by obfuscation.

00:17:47.740 --> 00:17:53.280
All right. And so anyways, those are really the finer points of implementing

00:17:53.280 --> 00:17:58.020
hybrid identity password management with Azure AD.