A presentation at a technology meetup. Roy Kim will walk through various access scenarios and capabilities using Azure AD services and features to access SharePoint 2013/2016 server. This will include a comparison between AD Connect + Azure Application Proxy to publish an internal SharePoint application and 3rd Party Auth0 to assist in federating Azure AD and SSO integration. And also the recently supported Azure AD SAML 1.1 Token. Roy will go through a demo, its architecture, and commentary of pros and cons. At the end you will have a good understanding of the technology capabilities to determine supporting access and user management scenarios.

1. Azure AD Login Scenarios
with SharePoint 2013/2016
Azure AD, Azure Application Proxy,
AD Connect,
AAD Non-Gallery AppMay 16, 2017
Roy Kim
@RoyKimYYZ
www.roykim.ca

2.  Roy Kim
 Independent Consultant
 15+ years work experience in consulting for enterprise
applications involving SharePoint, Azure, Office 365 and
.NET development
 Microsoft MVP
 University of Toronto – Computer Science graduate
 rkim@roykim.ca
 Twitter: @roykimYYZ
 Blog: roykim.ca
 Slideshare: www.slideshare.netroykimtoronto
About Me

3.  Azure AD Overview
 Publishing with Azure Application Proxy and Azure AD Connect
 Azure AD with Auth0 SSO Broker
 Azure AD with Extranet User Manager
 Publishing SP with Azure AD Non-Gallery App with SAML Claims
 Azure AD Features
 Q&A
Agenda

4. Use cases
 External Access
 Azure AD App Proxy
 3rd Party SSO Brokers
 Single Sign On
 Conditional Access
 Sign In and Audit Logs
Identity and Access Management to Applications

5. Client
•Desktop, Native
Mobile
•Browser Web Apps
•Server, Console apps
Identity
•Corporate AD/LDAP
•Application
username/password
•Internet social
accounts
Sign In &
Authentication
Protocol
•Windows / Kerberos
•OpenID Connect,
OAuth
•SAML, WS-Fed
•Certificate /
Password-less
•and more
Web Application
•Claims Aware
•Standard / Non
claims aware
Authentication Stack
Some of the pieces of an authentication stack
.. can get complex ..

6. Azure AD
6
https://redmondmag.com/articles/2015/05/29/active-directory-for-windows-10-mobile.aspx

7. Azure AD
 Azure AD
 Multi-tenant
 Platform as a Service
 Identity management service. Azure AD combines core directory services,
advanced identity governance,
 Application access management
 Azure AD B2B
 A feature of Azure AD. That is to add a 'guest' user type
 In simplified terms, any active email address that is either ‘wrapped’ by a
Microsoft Account or is any Azure AD account
 Azure AD B2C
 Authenticate with:
 Social Accounts (such as Facebook, Google, LinkedIn, and more)
 Enterprise Accounts (using open standard protocols, OpenID Connect or SAML)
 Local Accounts (email address and password, or username and password)
 Azure AD and Azure AD B2C are separate product offerings and cannot
coexist in the same tenant.
 A tenant represents a collection of identities to be used with relying party
applications.
7

8. Azure AD B2B
8
https://www.youtube.com/watch?v=Wo5J61Hp_Z0

9. Properties of an AAD B2B collaboration user
9
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties
i.e. AAD Account
Non-typical cases

10. Azure AD B2C
10
https://blogs.technet.microsoft.com/enterprisemobility/2015/11/02/a-look-inside-azuread-b2c-with-kim-cameron/
Custom

11. Evaluating 4 Architecture Patterns
Let’s evaluate three architectural patterns with some demos!
11
Azure AD Application
Proxy with Windows
Authentication
Azure AD + 3rd Party
Auth0 Single Sign On
cloud broker
claims based
authentication
3rd Party Extranet User
Manager as the Identity
Provider
claims based
authentication
Azure AD Enterprise Non-
Gallery Application
SAML claims based
authentication

12. 12
AZURE APPLICATION PROXY
Azure Application Proxy
 Remote Access
 Single Sign-on experience
 Windows Integrated Authentication / Kerberos
Constrained Delegation
 Install App Proxy connector in internal network
AD Connect
 Sync on-prem AD accounts to Azure AD tenant.
Note: Not the other way around.
 Install AD Connect in internal network

13. 13
AZURE APPLICATION PROXY + AAD CONNECT
On-Premises Network OR
Azure IaaS Virtual Network
Azure AD Connect
Azure
Active Directory
Azure Application
Proxy Connector
Work account
Microsoft account
AAD Users
Synced AD Users
Guest Users *
Azure PaaS Services
AD Users
MS Access Panel
myapps.microsoft.com
Enterprise Applications
Microsoft Account
Azure AD
Tenant
SP DB
Sync
Outbound
443
Internet
User
My SharePoint App
Azure
Active Directory
Partner Azure
AD Tenant
access
invite
invite
https://roykimspublishedsharepoint-
spb2b.msappproxy.net/
* Guest users wouldn’t be able to access the on-premises application

14. 14
AZURE APPLICATION PROXY DEMO
User Authentication Scenarios
 Access points
 Application sign in Url
 MS Access Panel – https://myapps.microsoft.com
 Employees login with their corporate credentials.
 No OOTB automatic external user sign-up (AD B2B).
 Need to create starting from on-premises AD. But not IT support friendly.
 Note: There used to be user write back from Azure AD to on-premises
AD.
 External user sign in (AD B2B)
 Self Service Password Reset for employee accounts
IT/Application Admin responsibility
 Add new external user (AD B2B guest user)

15. 15
AZURE APPLICATION PROXY SUMMARY
Pros
 Easily publish on-premises application without added ADFS and
Web Application Proxy
Cons
 Adding Azure AD guest users requires on-prem AD account added
with same domain.
 There used to be user write-back in AAD Connect
Good fit for organizations that just want to easily publish on-premises
Applications with limited Azure AD B2B requirements.

16. 16
AUTH0 SSO BROKER
Auth0
 Authenticate and authorize apps and APIs with any
identity provider running on any stack on any device or
cloud
 Platform as a Service
 Single Sign On Broker
 No need for ADFS.
 Require application public end point to support ‘Reply
Url’ where the application expects to receive the SAML
token.
 Alternatives: OneLogin, Okta, Ping Identity, AWS Cognito,
EUM
 Gartner’s IAM Magic Quadrant 2017

17. 17
AUTH0 SSO BROKER
On-Premises Network OR
Azure IaaS Virtual Network
Enterprise Connection
- Azure AD tenant
Azure PaaS Services
Users
Auth0 (3rd Party PaaS)
Auth0
Claims
Provider
Client
- SharePoint App
Registration
- Auth0 Login Page
SSO Integration
- SharePoint
SP DB
Azure
Active Directory
Work account
Microsoft account
AAD Users
Synced AD Users
Guest Users
MS Access Panel
myapps.microsoft.com
Azure
Active Directory
Partner Azure
AD Tenant
Microsoft Account
Azure AD
Tenant
‘SPB2C’
Enterprise Applications
Published SharePoint App
DMZ
1 Direct access
2 Redirect
direct internet access

18. 18
AUTH0 SSO BROKER
Pros
 Single Sign On
 Role based access with role claim
 Support SAML 1.1 to work SharePoint Server. Also supports
SAML 2.0, Open ID, Oauth, etc.
 No need for WAP and ADFS
Cons
 Added licensing cost
 May lose its competitive value if Azure AD grows in its
capabilities

19. 19
EXTRANET USER MANAGER
Extranet User Manager
 https://www.extranetusermanager.com
 Delegated external user management
 Self-registration
 Local SQL accounts or federation with Microsoft Azure AD, Microsoft
accounts, Facebook, and Google
 Password management and Multi-Factor Authentication
 Azure App Service or on premise IIS hosting

20. 20
EXTRANET USER MANAGER
On-Premises Network OR
Azure IaaS Virtual Network
Enterprise Connection
- Azure AD tenant
Azure PaaS Services
Users
EUM (3rd Party PaaS)
EUM Trusted
Identity
Provider
Client
- SharePoint App
Registration
- EUM Login Page
SSO Integration
- SharePoint
SP DB
Azure
Active Directory
Work account
Microsoft account
AAD Users
Synced AD Users
Guest Users
MS Access Panel
myapps.microsoft.com
Azure
Active Directory
Partner Azure
AD Tenant
Microsoft Account
Azure AD
Tenant
‘SPB2C’
Enterprise Applications
Published SharePoint App
DMZ
1 Direct access
2 Redirect
direct internet access;
Or ideally via any
proxy

21. 21
EXTRANET USER MANAGER
Pros
 Single Sign On
 Role based access with role claim
 Support SAML 1.1 to work SharePoint Server. Also supports Open ID
Connect
 No need for WAP and ADFS
Cons
 Added licensing cost

22. 22
AZURE AD NON-GALLERY APP WITH SAML 1.1 TOKEN
 Configure single sign-on with on-premises applications
 As an Azure AD App that is not part of the gallery
 No need to write code.
 Generates a certificate for the app to establish trust with
AAD
 Require Azure AD Premium license
 No need for WAP and ADFS
References:
 Using Azure AD for SharePoint Server Authentication
 Azure Active Directory claims provider for SharePoint 2013 and 2016
View project on GitHub
 Understanding WS-Federation

23. 23
AZURE AD NON-GALLERY APP (ALTERNATE DESIGN)
On-Premises Network; OR
Azure IaaS Virtual Network
Azure PaaS Services
Users
Web Application:
Azure AD Trusted
Identityy Provider
SP DB
Azure
Active Directory
Work account
Microsoft account
AAD Users
Synced AD Users
Guest Users
sts
MS Access Panel
myapps.microsoft.com
Enterprise Application
SP App (non-gallery)
- SAML 1.1 token issuance policy
Azure
Active Directory
Partner Azure
AD Tenant
Microsoft Account
Azure AD
Tenant
direct internet access;
Or ideally via any
proxy

24. 24
AZURE AD NON-GALLERY APP
Pros
 Single Sign On
 The ability to grant permissions to users or in a group; there
by, access a role claim
 No need for ADFS and Web App Proxy
Cons
 Added configuration for SAML based authentication with
SAML 1.1 token support with a PowerShell script.

25. 25
AZURE AD NON-GALLERY APP (ALTERNATE DESIGN)
On-Premises Network; OR
Azure IaaS Virtual Network
Azure PaaS Services
Users
Claims
Provider
SP DB
ADFS
Azure
Active Directory
Work account
Microsoft account
AAD Users
Synced AD Users
Guest Users
sts
MS Access Panel
myapps.microsoft.com
Enterprise Application
SP App (non-gallery)
Azure
Active Directory
Partner Azure
AD Tenant
Microsoft Account
Azure AD
Tenant
Web App
Proxy
Will not work since
requires SAML 1.1
token *
* Should be able to federate and trust Azure AD with SAML 1.1 token issuance policy
* I need to test
Advantage: Able to protect SharePoint app within corporate fire wall and
publish with Azure App Proxy
Azure Application
Proxy Connector

26.  To provide secure sign-in and authorization for their services.
 Any application that wants to use the capabilities of Azure AD must first be
registered in an Azure AD tenant
Azure AD Applications

27. Portal of all Azure AD Applications including Office 365
- Per AD Directory
Access Panel Applications

28. Portal of all Azure AD Applications including Office 365
Per AD Directory
Azure AD APP Self Service

29. AZURE AD - CONDITIONAL ACCESS
Policy: For Azure AD App ‘SP SAML’, require MFA
if guest user, outside of trusted IP locations, device is iOS or windows,
client app is browser or native app

30. Azure AD APP Sign Ins

31. Azure AD Audit Logs

32. Azure AD Summary
32
https://redmondmag.com/articles/2015/05/29/active-directory-for-windows-10-mobile.aspx

33. 33
Q&A
Feel free to contact me!
• @RoyKimYYZ
• rkim@roykim.ca
• www.roykim.ca
• linkedin.com/in/roykimtoronto