CloudFS and Azure AD

Azure AD is Microsoft's identity management service, also known as Identity as a Service (IDaaS). While the name may imply that this is a direct replacement for Microsoft Active Directory (AD), a closer examination reveals that it is not a one-for-one replacement.

Azure AD is focused on managing users and groups and authenticating them for access to cloud applications or mobile resources. It does not allow for the direct management of computers or servers, as traditional Active Directory does, nor does it allow groups to be used to manage access to folders or files on a filesystem. Because of this, the current recommended implementation for customers who do not have an on-premises AD Domain Controller is to create a virtual machine that will be used as a Domain Controller. This virtual domain controller will be connected to Azure AD for identity services and account management, and it will allow Panzura Filers to be joined to the domain and managed as they are today.
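The following pre-flight check is an added example, not Panzura's or Microsoft's code. Before joining Filers to the virtual domain controller described above, it verifies from a domain-joined Windows host on the Filers' network segment that the domain's DC locator records resolve, that each DC exposes the Kerberos, LDAP and SMB ports, that the host has a time source (Kerberos tolerates only a few minutes of clock skew), and, when run on the Azure AD Connect server, that the sync scheduler is actually cycling. It assumes the RSAT ActiveDirectory module is installed; the domain name is a placeholder.

```powershell
# Added example (not Panzura's or Microsoft's code).
# Assumptions: RSAT ActiveDirectory module present; $Domain is a placeholder;
# the ADSync step only works on the Azure AD Connect server itself.

$Domain = 'corp.example.com'   # placeholder: replace with your AD DNS domain name

# 1. Domain members locate a DC through the _ldap._tcp.dc._msdcs SRV records,
#    so these must resolve from the Filers' network.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$srv | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize

# 2. Every DC the Filers may be directed to must accept Kerberos, LDAP and SMB.
$ports = @{ Kerberos = 88; LDAP = 389; SMB = 445 }
foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
    foreach ($name in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $dc.HostName -Port $ports[$name] -WarningAction SilentlyContinue
        '{0,-40} {1,-9} {2}' -f $dc.HostName, $name, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Kerberos fails on clock skew; confirm this host is syncing time from the domain.
w32tm /query /source

# 4. On the Azure AD Connect server: a disabled or stalled scheduler means new
#    accounts and password changes never reach Azure AD.
if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}
```

A "BLOCKED" line for any DC is worth resolving before the join: a Filer that can reach some DCs but not others will fail intermittently depending on which DC the locator hands it.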


Microsoft Azure Active Directory Domain Services (AD DS)

Please note that Panzura is evaluating Microsoft Azure Active Directory Domain Services in conjunction with Azure AD to determine whether this solution is appropriate for management of Panzura Filers without the use of a traditional Active Directory Domain Controller. This solution is currently under consideration. 

Learn more about Microsoft Azure Active Directory Domain Services.


Comparing Active Directory to Azure Active Directory

For more information on the difference between Azure AD and Active Directory, please refer to the chart below from Microsoft's comparison of Azure AD and Active Directory. 

Each entry below gives the concept, how it is handled in Active Directory (AD), and how it is handled in Azure Active Directory.

Users

Provisioning: users
Active Directory (AD): Organizations create internal users manually or use an in-house or automated provisioning system, such as Microsoft Identity Manager, to integrate with an HR system.
Azure Active Directory: Existing AD organizations use Azure AD Connect to sync identities to the cloud. Azure AD adds support to automatically create users from cloud HR systems. Azure AD can provision identities in SCIM-enabled SaaS apps to automatically provide apps with the necessary details to allow access for users.

Provisioning: external identities
Active Directory (AD): Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users).
Azure Active Directory: Azure AD provides a special class of identity to support external identities. Azure AD B2B will manage the link to the external user identity to make sure they are valid.

Entitlement management and groups
Active Directory (AD): Administrators make users members of groups. App and resource owners then give groups access to apps or resources.
Azure Active Directory: Groups are also available in Azure AD, and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users in a group. Administrators can use entitlement management in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria.

Admin management
Active Directory (AD): Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and the resources it controls.
Azure Active Directory: Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and the resources it controls. Managing roles can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles.

Credential management
Active Directory (AD): Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.
Azure Active Directory: Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. Azure AD significantly boosts security through multi-factor authentication and passwordless technologies, like FIDO2. Azure AD reduces support costs by providing users a self-service password reset system.

Apps

Infrastructure apps
Active Directory (AD): Active Directory forms the basis for many on-premises infrastructure components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access.
Azure Active Directory: In a new cloud world, Azure AD is the new control plane for accessing apps versus relying on networking controls. When users authenticate, Conditional Access (CA) will control which users will have access to which apps under required conditions.

Traditional and legacy apps
Active Directory (AD): Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or header-based authentication to control access to users.
Azure Active Directory: Azure AD can provide access to these types of on-premises apps using Azure AD Application Proxy agents running on-premises. Using this method, Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.

SaaS apps
Active Directory (AD): Active Directory doesn't support SaaS apps natively and requires a federation system, such as AD FS.
Azure Active Directory: SaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication.

Line of business (LOB) apps with modern authentication
Active Directory (AD): Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.
Azure Active Directory: LOB apps requiring modern authentication can be configured to use Azure AD for authentication.

Mid-tier/daemon services
Active Directory (AD): Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account.
Azure Active Directory: Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider; they can't be used for other purposes to gain backdoor access.

Devices

Mobile
Active Directory (AD): Active Directory doesn't natively support mobile devices without third-party solutions.
Azure Active Directory: Microsoft's mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication.

Windows desktops
Active Directory (AD): Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.
Azure Active Directory: Windows devices can be joined to Azure AD. Conditional Access can check if a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with Microsoft Intune. In this case, Conditional Access will consider whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps.

Windows servers
Active Directory (AD): Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.
Azure Active Directory: Windows Server virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources.

Linux/Unix workloads
Active Directory (AD): Active Directory doesn't natively support non-Windows systems without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm.
Azure Active Directory: Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities.


Leveraging Azure AD for Multi-factor Authentication with Panzura CloudFS

While Panzura does not require file-system-level multi-factor authentication (MFA), some organizations may decide to implement MFA. Panzura CloudFS supports MFA by integrating Azure AD with the organization's existing Active Directory (AD). This is accomplished by connecting your Active Directory with Azure AD using Azure Active Directory Domain Services (ADDS). Once the existing AD is connected to Azure AD through ADDS, the organization can enable Azure AD's integrated MFA system to provide an additional layer of security for your on-premises AD and CloudFS. This configuration is supported by Microsoft for both physical and virtual infrastructure located at a physical site, in Azure, or within another provider's cloud such as GCP or AWS.
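The following is an added example, not Panzura's or Microsoft's code, showing the enablement step described above: turning on Azure AD's MFA for the synced user population through a Conditional Access policy, using the Microsoft Graph PowerShell SDK. It first reports which users have no MFA method registered (enforcing before they register locks them out rather than protecting them), then creates the policy in report-only mode so the sign-in log shows what it would have blocked before anyone is enforced. It assumes the Microsoft.Graph module is installed and that the signed-in administrator can read reports and write Conditional Access policies; the emergency-access group id is a placeholder.

```powershell
# Added example (not Panzura's or Microsoft's code).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the admin running this can
# consent to the scopes below; $breakGlassGroupId is a placeholder for the group that
# holds the tenant's emergency-access accounts.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Registration coverage: every user with IsMfaRegistered = $false will be unable
#    to satisfy an MFA grant control until they enrol a method.
$details  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notReady = $details | Where-Object { -not $_.IsMfaRegistered }
$notReady | Select-Object UserPrincipalName, IsAdmin, MethodsRegistered | Format-Table -AutoSize
'{0} of {1} users have no MFA method registered' -f $notReady.Count, $details.Count

# 2. Policy in report-only mode: evaluated and logged on every sign-in, enforced on
#    none. Change state to 'enabled' only after the registration gaps are closed.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName = 'Require MFA for all users (report-only pilot)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Excluding the emergency-access group is deliberate: a tenant-wide MFA policy with no exclusion can lock every administrator out if the MFA service or the registered devices are unavailable, and the exclusion should be the only one the policy carries.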

The reference architecture and documentation below from Microsoft provide guidance on how to implement the necessary infrastructure pieces to support MFA through Azure AD with your existing on-premises infrastructure.

[Figure: Microsoft reference architecture for Azure AD multi-factor authentication with on-premises Active Directory]