Azure AD

Azure AD (Azure Active Directory)

功能:

Feature	Free	Office 365 Apps (舊稱Basic)	P1	P2
Self-Service Password change	V
Self-Service Password reset		V
MFA		V
Self-Service Password reset and Password writeback			V
Password writeback			V
Security Reports			V
Conditional Access policy(General)			V
Conditional Access policy(Risk-Based)				V
Identity protection(Risk-Based Management)				V
Access Review (Privileged Identity Management (PIM))				V

Azure provides a number of options for Domains

1.Azure AD (and B2B, B2C)

• B2B 用在有其他的合作夥伴，部分用戶存取我們的Azure資源，為這些用戶設定quest account對應這些用戶的email位置
• B2C 用於社群帳號名或社群email帳號，對應Azure AD帳號

2.Hybrid ADDS and Azure AD (混合式身分識別)

 ADDS(on-promise AD)同步Account, group, contact到Azure AD
 
Azure AD 達到混合式身分識別，透過Azure AD Connect設定有三種作法：

1. 密碼雜湊同步處理 Password Hash Synchronization(PHS) : Default選取,可整合無縫式 SSO
2. 傳遞式驗證 Pass-through Authentication(PTA) : 用戶密碼驗證的請不會存在Azure AD，用戶密碼驗證請求會傳送到ADDS驗證(可整合無縫式 SSO)
3. 同盟 Active Directory Federation Services(AD FS) : 同盟有自己的SSO，可整合certificate, smard card, 內部MFA, 3rd 同盟 (但不能整合無縫式 SSO)

無縫式單一登入(Seamless Single Sign-On):

如果需要達成無縫式單一登入(Seamless Single Sign-On)

已登入ADDS(on-promise AD)去存取Azure資源時，不會在跳出驗證視窗

1.需要Azure AD Connect 設定  Password Hash Synchronization(PHS)或Pass-through Authentication(PTA)

2.Seamless SSO is not applicable to Active Directory Federation Services (ADFS)AD同盟

3.Azure AD Domain Services 

   Azure ADDS是PaaS服務
   (1)提供如同on-promise AD的能力(domain-join, group policy, LDAP, Kerberos authentication功能與on-promise AD相容，但不能同盟，且是獨立Domain，不能讓on-promise AD延伸到Azure ADDS)
 Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory

  若要跟Azure AD整合，則是將Azure AD帳號同步到Azure Domain Services


什麼是 Azure Active Directory 的混合式身分識別？
https://docs.microsoft.com/zh-tw/azure/active-directory/hybrid/whatis-hybrid-identity