AAD Pass-through OR Password Hash OR Office 365 modern authentication?

Hi All,

We all know there are several ways to set up authentication for Office apps, Azure and Office 365. Before choosing one, we should know exactly what each authentication type provides as a service and, most importantly, how well it fits the organization's needs and compliance requirements.

As far as I know, major enterprises will not go with password hash sync because they need to keep control of rights at the on-premises level. But it is a good option to choose if you are keeping your Office 365 authentication separate from ADFS; this will help companies reduce CAPEX and OPEX costs.

** Again, it is each company's own decision which one to choose.

Below is a summary of the three different authentication processes available; I have provided some links at the end if you want a deep dive.

AAD Pass-Through

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This gives your users a better experience (one less password to remember) and reduces IT help-desk costs because users are less likely to forget how to sign in. When users sign in to Azure AD, this feature validates their passwords directly against your on-premises Active Directory, through lightweight authentication agents installed on-premises; no password or password hash is stored in the cloud.

Figure: AAD Pass-through Authentication flow

Because validation happens against the on-premises Domain Controller, this method depends on the domain controllers (and the Pass-through Authentication agents) being reachable. If they are down, cloud sign-ins fail unless a fallback sign-in method has been set up (see the note on password hash synchronization below).

Password Hash Synchronization:

With this method Azure AD Connect is in place and synchronizes a protected form of each user's password to Azure AD over a secure channel. It is not the password itself that is sent: the agent takes the password hash stored in on-premises AD, adds a per-user salt and runs it through 1,000 iterations of PBKDF2-HMAC-SHA256 before uploading it, so the value held in Azure AD cannot be turned back into the password or replayed against on-premises AD. The sync runs every two minutes between the domain controllers and Azure AD. Password writeback is an optional feature, and when this solution is in place the administrator should manage it from the Azure portal rather than the Office portal. This is also the method we can opt for as a disaster-recovery (DRC) solution.

Figure: Password Hash Synchronization flow
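To make concrete what "protected form of the password" means, here is an added Python example (not the blog's or Microsoft's code) that reproduces the derivation Microsoft documents for Password Hash Sync: the on-premises NT hash (MD4 of the UTF-16LE password) is expanded to its hex form, salted with a 10-byte per-user salt and run through 1,000 iterations of PBKDF2-HMAC-SHA256; only that result, the salt and the iteration count are sent. The hex case used in the expansion and the exact ordering of the PBKDF2 inputs are this example's assumptions; the passwords and salts are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example, not Microsoft's or the blog's code. Steps follow Microsoft's
# published description of PHS; the hex case of the expanded hash and the
# exact PBKDF2 argument layout are this example's assumptions.

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); Windows stores passwords as MD4(UTF-16LE(pw))."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The 16-byte unicodePwd value a domain controller holds for the user."""
    return md4(password.encode("utf-16-le"))


def phs_sync_value(nt: bytes, salt: bytes, iterations: int = 1000) -> dict:
    """What Azure AD Connect uploads: PBKDF2-HMAC-SHA256 over the expanded NT
    hash with a 10-byte per-user salt, plus the salt and iteration count."""
    if len(salt) != 10:
        raise ValueError("PHS uses a 10-byte per-user salt")
    expanded = nt.hex().encode("utf-16-le")  # 16 bytes -> 32 hex chars -> 64 bytes (hex case assumed)
    derived = hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)
    return {"hash": derived, "salt": salt, "iterations": iterations}


def cloud_verify(password: str, stored: dict) -> bool:
    """Azure AD side of a sign-in: redo the same derivation from the typed
    password with the stored salt and compare in constant time."""
    candidate = phs_sync_value(nt_hash(password), stored["salt"], stored["iterations"])
    return hmac.compare_digest(candidate["hash"], stored["hash"])


if __name__ == "__main__":
    # Constructed demo values; real salts are generated per user on the AD Connect server.
    stored = phs_sync_value(nt_hash("P@ssw0rd!"), os.urandom(10))
    print("synced value:", stored["hash"].hex(), "salt:", stored["salt"].hex())
    print("correct password accepted:", cloud_verify("P@ssw0rd!", stored))
    print("wrong password accepted:  ", cloud_verify("P@ssw0rd", stored))
```

The sign-in check in cloud_verify shows why the synced value is not a password equivalent: Azure AD re-derives it from the password typed at sign-in, and the 32-byte value itself is neither the password nor the NT hash, so it cannot be replayed against on-premises AD the way a stolen NT hash can.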

Supported scenarios for Pass-through Authentication:

  • User sign-ins to all web browser-based applications
  • User sign-ins to Office applications that support modern authentication (explained below): Office 2016, and Office 2013 with modern authentication
  • User sign-ins to Skype for Business clients that support modern authentication, including Online and Hybrid topologies
  • Azure AD domain join for Windows 10 devices
  • Exchange ActiveSync

What is modern authentication?

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party identity providers with Office client applications, and smart-card and certificate-based authentication, and it removes the need for Outlook to use basic authentication.

Unsupported scenarios:

  • User sign-ins to legacy Office client applications: Office 2010, and Office 2013 without modern authentication. Organizations are encouraged to switch to modern authentication if possible. Modern authentication makes Pass-through Authentication possible for these clients, and it also lets you protect user accounts with conditional access features such as Azure Multi-Factor Authentication.
  • User sign-ins to Skype for Business client applications without modern authentication.
  • User sign-ins with Azure AD PowerShell version 1.0. Use PowerShell version 2.0 instead.
  • App passwords for Multi-Factor Authentication.
  • Detection of users with leaked credentials.
  • Azure AD Domain Services, which needs Password Hash Synchronization to be enabled on the tenant. Tenants that use Pass-through Authentication only therefore cannot use scenarios that need Azure AD Domain Services.
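Before switching to Pass-through Authentication or enforcing MFA through conditional access, it is worth checking which accounts still sign in without modern authentication. The Python below is an added example (not the blog's or Microsoft's code) that runs that check over constructed Azure AD sign-in events. The clientAppUsed values are the ones Azure AD reports in its sign-in logs; anything other than Browser or Mobile Apps and Desktop clients is a legacy-protocol sign-in (Exchange ActiveSync is accepted by Pass-through Authentication, as listed above, but still shows up here because it is not modern authentication), and unknown values are listed rather than ignored.

```python
from collections import defaultdict

# Added example; the event records below are constructed, not real tenant data.
# clientAppUsed values as Azure AD reports them in sign-in logs.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
LEGACY_AUTH_CLIENTS = {
    "Exchange ActiveSync", "Exchange Online PowerShell", "Exchange Web Services",
    "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Authenticated SMTP",
}


def classify(client_app_used: str) -> str:
    """'modern', 'legacy', or 'unknown' (fail closed: unknown still gets reviewed)."""
    if client_app_used in MODERN_AUTH_CLIENTS:
        return "modern"
    if client_app_used in LEGACY_AUTH_CLIENTS:
        return "legacy"
    return "unknown"


def is_modern_auth(client_app_used: str) -> bool:
    return classify(client_app_used) == "modern"


def legacy_auth_report(events):
    """Map each user to the non-modern-auth clients they still sign in with."""
    report = defaultdict(set)
    for ev in events:
        client = ev.get("clientAppUsed", "Unknown")
        if not is_modern_auth(client):
            report[ev["userPrincipalName"]].add(client)
    return dict(report)


SAMPLE_EVENTS = [  # constructed sign-in events
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Other clients",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online"},
]

if __name__ == "__main__":
    for upn, clients in sorted(legacy_auth_report(SAMPLE_EVENTS).items()):
        kinds = {classify(c) for c in clients}
        print(f"{upn}: {', '.join(sorted(clients))} ({'/'.join(sorted(kinds))})")
```

Accounts that appear in the report are the ones that will break when legacy Office clients are retired or basic authentication is blocked, and the ones conditional access cannot currently protect, so they are the remediation list to work through before changing the sign-in method.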

Important: As a workaround for the unsupported scenarios only, enable Password Hash Synchronization on the Optional features page of the Azure AD Connect wizard.

Note: Enabling password hash synchronization gives you the option to fail over authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to password hash synchronization is not automatic; you have to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you will need help from Microsoft Support to turn off Pass-through Authentication.

Happy Reading

Cheers

Below are some links, which will give you a deep dive:

Azure Stack Usage and Billing

This write-up explains how Azure Stack usage is processed under:

  • Enterprise Agreement
  • Cloud Service Provider (CSP)

A brief note on the Azure Stack licensing models:

Consumption

  • No upfront licensing fees: don’t pay until you use the service
  • Same subscriptions, monetary commitment, invoice as Azure
  • EA and CSP channels

Capacity

  • Fixed fee, annual subscription, based on number of physical cores
  • No usage metering or connection to commerce
  • EA channel only (no CSP)

Azure Stack usage reporting:

Figure: Azure Stack usage reporting flow

Core Design

We will look at how the charging meters work, all the way through to the usage report and the bill.

The base is the Azure Stack resources. Each resource provider records its service usage every hour as a Usage Record (tagged with the GUID of the local subscription) and sends it to the Usage Service, which stores it in the Usage DB, local to the stack. Two services have access to the Usage DB: the Usage Service and the Usage Bridge (which runs at least once an hour). The Usage Bridge is the component that connects to the Azure public cloud.

The Usage Bridge passes the data to the Usage Gateway in the Azure public cloud. Once the data has been processed at the Usage Gateway, it is submitted to Azure Commerce, which feeds the billing portal and the Azure Usage API. From there the usage is metered exactly as usage in Azure public is; there is no technical difference between the metering services for Azure and Azure Stack, the process is the same. The meters themselves are kept separate because the charging model for Azure Stack is different. There are only two ways to tell Azure Stack usage apart in billing: the Azure datacenter region, which is reported as "AzureStack region" for Stack usage (the billing portal uses this), and the metering category, which differs from the Azure public category (the Azure Usage API uses this).

Mapping usage for commerce processing: the Usage Gateway performs the following three mappings.

Figure: Mapping usage for commerce processing

  • Local subscription to Azure subscription, which is similar to mapping local API data to the Azure API.
  • Meter IDs: the meters built into the stack differ from those in commerce. The stack resource providers generate more than 20 kinds of meter, but Microsoft charges on only 6 of them. The remaining meters let a partner or company charge the end customer for other usage. Example: for a D-series VM deployed in the stack, Microsoft charges using a single meter, "Base VM Size Hours" for a raw VM or "Windows VM Size Hours" for a VM with a Microsoft OS licence. If you also want to charge on the size of the machine (for example the RAM used), you can do so with the "VM Size Hours" meter, which captures most of the other data a service provider may bill extra for. User workloads should run in the user/local subscriptions.

Meters used by Microsoft are listed below:

Figure: Meters used by Microsoft

  • Time stamps: meters associated with usage sometimes need their time stamp adjusted (not always, but it may be required). Example: after a network outage the usage records may not be submitted on the same day; they are submitted to commerce on the next available day, but commerce might reject a record whose time stamp is too old. The Usage Gateway therefore adjusts the time stamp. This does not mean the original time stamp is erased: it is kept in the additional-information data of the usage record when it is submitted to commerce, so you can still see all of it on the bill. This lets customers review their local subscriptions and, if needed, charge the costs back internally to the business units.
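As an added example (not the blog's or Microsoft's code, and a simplification of the real gateway), the following Python models the three Usage Gateway mappings just described on constructed local usage records: local subscription to Azure subscription, local meter to commerce meter, and the late-record time-stamp adjustment that keeps the original interval in the additional information. The commerce meter GUIDs and names are taken from the Azure Commerce meters table further down this post; which local meter maps to which commerce meter (page blob capacity treated as "Standard Disks") is this example's assumption, and so is the 7-day acceptance window, since the post does not give the real limit. Meters Microsoft does not charge on are dropped, as the gateway leaves them to the local usage APIs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example. Local meter name -> (commerce Resource GUID, Resource Name, Unit).
# GUIDs/names are from the post's Azure Commerce meter table; the join to local
# meter names is this example's assumption. Only these six are charged by Microsoft.
CHARGEABLE = {
    "Base VM Size Hours":    ("7bc19779-56bc-474d-8c88-36fbd79ae004", "VM",             "1 Core Hour"),
    "Windows VM Size Hours": ("fb8c0713-ea20-40bf-901f-5560fd3f6330", "Windows VM",     "1 Core Hour"),
    "PageBlobCapacity":      ("0c1fecb6-52d8-4130-bbfa-f79e6a5b056d", "Standard Disks", "1 GB"),
    "BlockBlobCapacity":     ("8a913f38-33b4-4772-9488-e89522fc09e5", "Block Blob",     "1 GB"),
    "TableCapacity":         ("5849dc2e-ac2e-489f-a53c-b2dfb0f5bdff", "Tables",         "1 GB"),
    "QueueCapacity":         ("5bfe1d6a-bdf3-4cfe-8d36-a1c8e4734921", "Queues",         "1 GB"),
}


@dataclass
class LocalUsage:
    local_subscription: str   # GUID of the Azure Stack user subscription
    meter: str                # local meter name (see the local meter table)
    quantity: float           # vcore-minutes for VM meters, GB for storage meters
    usage_start: datetime
    usage_end: datetime


@dataclass
class CommerceUsage:
    azure_subscription: str
    meter_id: str
    resource_name: str
    unit: str
    quantity: float
    usage_start: datetime
    usage_end: datetime
    additional_info: dict = field(default_factory=dict)


def map_usage(records, subscription_map, now, max_age=timedelta(days=7)):
    """Emulate the three Usage Gateway mappings: subscription, meter, time stamp.
    Returns (accepted commerce records, local meter names dropped as non-chargeable).
    max_age (how old a record commerce will still accept) is an assumption."""
    accepted, dropped = [], []
    for rec in records:
        if rec.meter not in CHARGEABLE:
            dropped.append(rec.meter)  # still available through the local Usage APIs
            continue
        meter_id, name, unit = CHARGEABLE[rec.meter]
        # Local VM meters are vcores x minutes; commerce bills in core hours.
        qty = rec.quantity / 60.0 if unit == "1 Core Hour" else rec.quantity
        start, end, extra = rec.usage_start, rec.usage_end, {}
        if now - rec.usage_end > max_age:
            # Late submission (e.g. after a network outage): move the record into
            # the accepted window but keep the original interval alongside it.
            extra = {"OriginalUsageStart": rec.usage_start.isoformat(),
                     "OriginalUsageEnd": rec.usage_end.isoformat()}
            end = now
            start = now - (rec.usage_end - rec.usage_start)
        accepted.append(CommerceUsage(
            azure_subscription=subscription_map[rec.local_subscription],
            meter_id=meter_id, resource_name=name, unit=unit, quantity=qty,
            usage_start=start, usage_end=end, additional_info=extra))
    return accepted, dropped


# Constructed sample data (not real tenant or subscription identifiers).
LOCAL_SUB = "11111111-1111-1111-1111-111111111111"
AZURE_SUB = "aaaaaaaa-0000-0000-0000-000000000001"
SUB_MAP = {LOCAL_SUB: AZURE_SUB}
NOW = datetime(2018, 1, 15, 12, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


def hour_record(meter, quantity, end):
    return LocalUsage(LOCAL_SUB, meter, quantity, end - HOUR, end)


SAMPLE = [
    hour_record("Base VM Size Hours", 4 * 60, NOW - HOUR),           # 4-vcore VM for the full hour
    hour_record("Windows VM Size Hours", 2 * 30, NOW - HOUR),        # 2-vcore Windows VM for 30 min
    hour_record("VM size hours", 60, NOW - HOUR),                    # partner meter, not charged by Microsoft
    hour_record("Dynamic IP Address Usage", 3, NOW - HOUR),          # partner meter, not charged by Microsoft
    hour_record("BlockBlobCapacity", 120.5, NOW - HOUR),
    hour_record("Base VM Size Hours", 60, NOW - timedelta(days=10)),  # delayed by an outage
]


def run_sample():
    return map_usage(SAMPLE, SUB_MAP, NOW)


if __name__ == "__main__":
    accepted, dropped = run_sample()
    for r in accepted:
        print(r.meter_id, r.resource_name, r.quantity, r.unit, r.additional_info)
    print("not charged by Microsoft:", dropped)
```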

Usage reporting has to be deployed and configured; in most cases the OEM will do this for you. Usage in the SDK is free, but you can configure it for testing and see in the Azure billing section how it would be billed. (Soon I will build a usage report using the SDK.)

Registration script:

(A deployment engineer will run this for you!)

# Registers the Azure Stack (through its privileged endpoint) against the Azure subscription
# that will receive the usage; the billing model must match what was agreed under EA or CSP.
Add-AzsRegistration -CloudAdminCredential $cloudAdminCredential `
    -AzureDirectoryTenantName $azureDirectoryTenantName `
    -AzureSubscriptionId $azureSubscriptionId `
    -PrivilegedEndpoint $privilegedEndpoint `
    -BillingModel <PayAsYouUse or Capacity>

Documentation in GitHub > Azure Stack Tools > Registration

Usage Reporting for EA customers

  • EA with Azure enrollment
  • Azure subscription
  • Registration using EA Azure subscription
  • Usage reported via Azure EA portal and in usage reports

Usage Reporting for Service Providers

Direct CSP (Tier 1) partners own the Azure Stack and operate it. They register the Azure Stack under CSP: an internal CSP tenant has to be created for their own use, and CSPs are allowed to create this tenant as "subscription zero", shown below, which lets them register the Azure Stack under it. When adding a new or existing customer, the CSP creates the AAD tenant and the CSP Azure subscription, then adds these subscriptions to the registration. End customers will not see their usage in their own portal or on their own bill; it is available in your CSP subscription.

Each end customer may have multiple local subscriptions under one Azure Stack subscription; the billing data flows the same way as explained above. It looks similar to the diagram below.

Figure: Direct CSP

The Direct CSP operates Azure Stack

  • Create tenants, and Azure subscriptions in Partner Center (same as Azure)
  • Update Azure Stack registration with tenants and subscriptions
  • Usage reported in Recon file and through Partner Center APIs

Figure: Indirect CSP

The indirect CSP partner operates Azure Stack; most distributors follow this model:

  • Create tenants, and Azure subscriptions in Partner Center (same as Azure)
  • Update Azure Stack registration with tenants and subscriptions
  • Usage reported in Recon file and through Partner Center APIs

Within Azure Stack we can build our own billing on top of the local usage-metering APIs; that usage data is retained for 180 days for us to retrieve and use. So where should you get usage data from?

Azure Commerce/Partner Center

  • Chargeable meters only
  • Central view of all your Azure Stacks and Azure
  • Probably already doing it

Azure Stack Usage APIs

  • More usage meters
  • No time advantage
  • Need to run collection on each Azure Stack
  • Usage data retained for 180 days

Local usage meters

Resource provider | Meter name | Description
Network | Static IP Address Usage | Count of IP addresses used
Network | Dynamic IP Address Usage | Count of IP addresses used
Storage | TableCapacity | Total capacity consumed by tables
Storage | PageBlobCapacity | Total capacity consumed by page blobs
Storage | QueueCapacity | Total capacity consumed by queues
Storage | BlockBlobCapacity | Total capacity consumed by block blobs
Storage | TableTransactions | Table service requests (in 10,000s)
Storage | TableDataTransIn | Table service data ingress in GB
Storage | TableDataTransOut | Table service data egress in GB
Storage | BlobTransactions | Blob service requests (in 10,000s)
Storage | BlobDataTransIn | Blob service data ingress in GB
Storage | BlobDataTransOut | Blob service data egress in GB
Storage | QueueTransactions | Queue service requests (in 10,000s)
Storage | QueueDataTransIn | Queue service data ingress in GB
Storage | QueueDataTransOut | Queue service data egress in GB
Compute | Base VM Size Hours | Number of vcores times minutes the VM ran
Compute | Windows VM Size Hours | Number of vcores times minutes the VM ran
Compute | VM size hours | Captures both Base and Windows VM; does not adjust for vcores
Key Vault | Key Vault transactions | Number of REST API requests received by the Key Vault data plane

Soon Microsoft will release an App Service meter (vcores); this meter will be chargeable.

Current list : Local Meter ID list update

Azure Commerce meters

Resource GUID | Service Name | Service Type | Resource Name | Unit of Measure
0c1fecb6-52d8-4130-bbfa-f79e6a5b056d | Storage | Standard Disks | Storage | 1 GB
190c935e-9ada-48ff-9ab8-56ea1cf9adaa | App Service | | App | 1 Core Hour
3e59e16d-a651-4979-a727-423969613c6b | Virtual Machines | | VM Admin | 1 Core Hour
44ca5145-137d-4740-9845-b08784206c45 | Storage | Standard Disks | Storage Admin | 1 GB
5849dc2e-ac2e-489f-a53c-b2dfb0f5bdff | Storage | Tables | Storage | 1 GB
5bfe1d6a-bdf3-4cfe-8d36-a1c8e4734921 | Storage | Queues | Storage | 1 GB
7bc19779-56bc-474d-8c88-36fbd79ae004 | Virtual Machines | | VM | 1 Core Hour
8767aeb3-6909-4db2-9927-3f51e9a9085e | Storage | Block Blob | Storage Admin | 1 GB
8a913f38-33b4-4772-9488-e89522fc09e5 | Storage | Block Blob | Storage | 1 GB
8e9d8811-9f3d-4567-8258-0ba581c143b8 | Storage | Queues | Storage Admin | 1 GB
d30b4825-579c-4463-a83e-cbd0e04dff81 | Virtual Machines | | Windows VM Admin | 1 Core Hour
daa83056-2903-4286-826b-564f3037bf61 | Storage | Tables | Storage Admin | 1 GB
dba5e57a-99ce-4843-b7a6-1d70f36fa1a1 | App Service | | App Admin | 1 Core Hour
fb8c0713-ea20-40bf-901f-5560fd3f6330 | Virtual Machines | | Windows VM | 1 Core Hour

I hope this has helped you understand the Azure Stack metering and usage reporting services. Please evaluate it and share your suggestions in the comments section below.

If you have questions, you can share it with me.

OME – Office 365 Message Encryption (Safeguarding Email Communication, Next Game Changer by AIP)

Safeguarding Email Communication – Next Game Changer by AIP (Azure information Protection)

Safeguarding email in Office 365 without a separate secure-email gateway: this is the advanced solution from the AIP team. Before we explore how the security of email is structured, we will try to understand what AIP is.

Microsoft announced Azure Information Protection (AIP) last year, a new service that builds on both Microsoft Azure Rights Management (RMS) and its recent acquisition of Secure Islands.

AIP is now Generally Available (GA), and it delivers the following:

– Classify, label, and protect data at the time of creation or modification.

– Persistent protection that travels with your data.

– Enable safe sharing with customers and partners.

– Simple, intuitive controls help users make the right decisions and stay productive.

– Visibility and control over shared data.

– Deployment and management flexibility. Protect data whether it is stored in the cloud or on-premises, and choose how your encryption keys are managed with Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options.

Many changes have been made since AIP was introduced, mainly around labeling and standardizing labels across a global organization, with the labels also used for data protection in Microsoft Cloud App Security (MCAS).

The AIP team has a new set of default labels in Azure:

  • Personal
  • Public
  • General
  • Confidential
  • Highly Confidential

You can also have sub-labels within the labels listed above.

Scoped policies: these let you apply a specialized policy to a subset of users; they include the default labels. There is also the Global policy, which is the default and contains the default labels.

Every policy that is created will also have the default labels available, and admins can create their own labels in the same way they create scoped policies. All of this is done in the admin console in Azure.

Right user behaviour: whether to let users classify data manually or to classify it automatically is a big concern for organizations. Hence the recommendation is to use the Recommended & Reclassification (R&R) type:

  • Automatic: Automatically classified
  • User Set: User manually classified
  • Recommended & Reclassification: these use a little automation while leaving the choice with the user; a label is recommended automatically, and the user can reclassify the data if the suggested label is wrong.

Security of email:

Be it webmail, Outlook, Gmail, Yahoo, etc., there is no need to buy Microsoft Office to read a protected email, and you can reduce investment in the email gateway. This new feature is currently included in Azure Information Protection Premium P2, and some Office 365 subscriptions may include it with Azure RMS.

Assume you sent a protected email from Outlook or webmail (on Exchange or Office 365) to a Gmail mailbox. Previously the message told the recipient to buy or use an Office product to decrypt the email, which was not a great customer experience and created the need for mail gateways.

All of that is going away.

Going forward, AIP gives the recipient the option to read the encrypted mail by proving who they are.

How?

When someone sends an encrypted email to an end user who does not have Outlook or webmail able to decrypt the message, the recipient receives an email containing a link, which lets them read the message in HTML format.

The link will have message similarly like below:

 ABC (ABC@office365contoso.onmicrosoft.com) has sent you a message that was protected with Microsoft Office 365.

——-> Click Here to read your message <——-

  (This link will have 3 months validity)

Assume for now that the recipient uses Gmail. When they click the link above, a new browser tab opens against the source of the encrypted message, and they are offered two ways to prove who they are: sign in with the Google account that received the mail (a process similar to SSO), or request a one-time passcode.

With the passcode option, the recipient receives the code by email and pastes it into the page to read the message online.

There you go! Happy reading your secure emails!

Say Bye to MS Exchange Server 2007

Figure: Exchange 2007 end of life

On April 11, 2017, Exchange Server 2007 will be End of Life.

If you haven't already started your migration from Exchange 2007 to Office 365 or Exchange 2016, I would recommend starting it now!

What is end of life ?

Microsoft will not provide the following for Exchange 2007:

  • Free or paid assisted support (including custom support agreements)
  • Bug fixes for issues that are discovered and that may impact the stability and usability of the server
  • Security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches
  • Time zone updates

The points above are what make keeping Exchange up to date so important for most mid-sized and global organizations: an unsupported server receives no security fixes, so every vulnerability found after the end-of-life date stays open. It is always good to benchmark IT security across all applications in a company, and best practice to keep systems healthy and on current versions. Exchange 2016 and Office 365 provide advanced capabilities to empower your users.

Hence, I would strongly recommend and suggest moving your email platform!

To learn about your options for migrating from Exchange 2007 to Office 365 or a newer version of Exchange Server, check out Exchange 2007 End of Life Roadmap.