Okay, so coming up we are going to take a look at a new way you can harness the power of cloud authentication while still keeping your passwords on-premises, using Azure Active Directory Pass-Through Authentication and Seamless Single Sign-On capabilities. We're going to show you how you can securely use Azure Active Directory to validate passwords against on-premises Active Directory without the need for an expensive on-premises infrastructure, and how you can automatically sign in your users when they're at work. So please join me with a nice round of applause for Alex Simons, Director of Azure Active Directory Product Management. [Applauding]

Thanks, Simon.

Thank you for taking us through a little bit of password authentication here. What is the idea of pass-through authentication, and why would people want it with Active Directory?

That's a great question, Simon. So look, today we're announcing the general availability of Pass-Through Authentication. It's a great new way to take the power of Azure Active Directory and use it for all the things that people do: they get to cloud apps, they manage passwords and usernames, they take care of group assignments, they worry about how their users can get single sign-on, and they do things like conditional access. But you can now do all of that without having to have any kind of expensive on-premise infrastructure, while still keeping your passwords securely on-premise.

Well, that sounds like a really great idea, but why does it actually matter to be able to do this?

Well, I mean, the thing you've got to keep in mind is that your identity control plane is a really important capability, right? You want to be able to reach out to the cloud and control all of these different cloud apps and devices, right? And so pass-through authentication gives you a really easy way to do that without having to run a giant ADFS server farm running on premises.

How have people done this in the past?
What has been the traditional way that people have actually had their configuration in place?

Yeah, well, so traditionally there have been three different options people have used. The first thing they've done is they've just synced their usernames up into the cloud. And then they've had a different username, a different password on-premise and one in the cloud. So you could use the same username, but you didn't have the same passwords. Then some people use our password hash sync, which takes a hash of a hash of your password, copies that up to the cloud, and then you can sign in with the same username and password in both. And this is pretty popular, particularly with smaller businesses, right, where they just want something simple and fast. Now if you're a big enterprise you probably use Active Directory Federation Services (ADFS). Now this has the advantage that when someone goes to authenticate with Azure AD, their passwords are back on premise, and you get to use all of the advantages of things like smart cards and third-party MFA providers that ADFS has traditionally integrated with that weren't available in the cloud.

When we start thinking about password authentication, what's actually the difference there, and how have we put password authentication into practice?

Well, so the way this works, Simon, is you install a small connector on premise. That connector can sit on the AD Connect server, it can sit on your AD server. In fact we recommend you put it in a bunch of different places. Now when a user goes to authenticate, they put their username and password in, right in the same form as Azure AD as normal, and we take it and then we encrypt it and put it onto a queue. And so up in that queue in the cloud it's sitting there waiting for the agent to come check. So the agent calls out and brings down that encrypted username and password.

And that I presume is actually an outbound configuration. So over HTTPS, and probably port 443, to make it secure?
Yeah, that's right. It's a nice thing because there's no inbound traffic into your firewall, it's all outbound, so that's a good security practice. And then the agent takes the private key that only it knows, it cracks the username and password, plays it against your AD on-premise, figures out what the results are and then passes those back up to Azure AD in the cloud.

Right, and then Azure AD can do all the things that it normally does. For instance, you know, it can let the user know that they're approved, or it can go and force them to do a multi-factor authentication. But you know, all of the value that you get from Azure Active Directory conditional access and identity protection is now available to you using this technique.

So it sounds like it's actually a far simpler mechanism to put in place than having to deploy, say, Active Directory Federation Services.

Yeah, it's much, much simpler to get up and running than it is to run a bunch of ADFS servers. I tell you what, should we take a look at a demo?

Yeah, let's do that.

So if we can switch over to the machine here. So look, this looks just like your normal, in fact if you're looking at the new login experience for Azure AD, right? So it looks just like a normal one, but it's using pass-through authentication. So I'm Abby Spencer at Woodgrove. I go ahead and I click Next. Oh hey, that looks really standard, right? I'm going to put in my password. And there, I'm logged in. It's just like your normal thing. But what happened here is it went all the way back to my on-premise Active Directory, validated my username and password, but it then also adheres to all of the rules that my on-premise directory has. Like when I have to change my passwords, what hours I can log in, and all of those things that maybe you've invested in over time in your on-premise AD can now be used from the cloud without having to have an ADFS server.

So what was really happening behind the scenes there?
Well, so in that one, right, what happened was the user, well, it was just like we talked about before, right, so the agent went out to the cloud, picked up the encrypted username and password and brought it back on premise, played it against AD, got back the success criteria and let me log in. Now I don't have MFA turned on, so that's okay, right? Now let's go ahead and take a look at the Seamless SSO, right? Because that's the other thing that we're now seeing go GA. So if we go over, I'm going to switch to a different machine. So here you can see, well, first let me show you. I'm logged in on this domain-joined machine, right? So the previous one wasn't domain-joined, this one is. I'm logged in as Abby here. And then I'm going to bring up, and just to prove it works, I'm going to do this in Chrome, too. Alright, so here I am in a Chrome browser. I'm just gonna go to the My Apps panel. Now you have to pay attention: this little flash you just saw there, that's Azure AD asking for a Kerberos token from Windows. The Windows client gets the Kerberos token, passes it to Azure AD and boom! I'm signed in, no username or password at all.

How does that actually work behind the scenes? What are we doing with that Kerberos authentication?

Yeah, so this one's particularly cool, right? So what's happening in the Kerberos authentication is, when we run Azure AD Connect, it creates a machine account in my on-premise directory, right, that represents Azure AD in the cloud. So now when I go to log in to Azure AD, Azure AD asks my PC, hey, give me a Kerb ticket, right, and since the PC has visibility of the Active Directory, it can get a Kerb ticket and pass it to Azure AD. Azure AD trusts the on-premise directory, cracks the token just like it was an app almost, right? Cracks open that token, sees the username and goes ahead and logs me on into the cloud. Right, now that's really cool because I get all the value of my on-premise AD and Kerb tickets, all done up in the cloud, really easy.
And then that Kerb ticket is good for 12 hours. So even if I take my laptop and go home, right, I still get that same experience overnight. And then the worst case, let's say the Kerb ticket expired, right. Then all I'd have to do is log in again, like we were seeing earlier with pass-through authentication. So it really is a really nice simplification. And Seamless SSO like this works with all of our login technologies. It's not just a thing for pass-through authentication. You could use it with password sync, and you can use it with all of our other authentication technologies as well.

That's really cool, and it is just that one agent that's deployed on-premises, or maybe a couple of agents in order to be able to provide a higher availability scenario?

Yeah, that's right, and those little agents, wherever you put them, they're automatically updating and we load balance across them. Right, so it's a really great way to make sure you have a high availability, low maintenance deployment of Azure Active Directory.

So can you show us how you actually would configure that inside of Azure Active Directory Connect?

Yeah, let's take a look. So it's super easy to do, right? So those of you who've set up Azure AD before have probably used Azure AD Connect. So we've just added in some new options. So when you go into the wizard, you want to make sure you click on the Customize section. And then you can see here we've now added this option for pass-through authentication. And I want to enable single sign-on, right? And that's it, that's the only difference. You know, I entered my passwords and stuff like that, other things happen. But that's all you've got to do to get it set up using AD Connect. And then what we're going to do is go use our Group Policy editor. So in Group Policy I'm going to go ahead, and now there's a trick happening under the covers here, right? Azure AD is asking my PC to give us a Kerb token.
And the PC doesn't want to do that unless it thinks that Azure AD is in the intranet zone. So what I'm going to do is I'm going to come in to my policies. And under my Windows Components, and in Internet Explorer, I'm going to change my site zones a little bit. So let's go ahead, we're gonna take a look at the change I've made here. I've moved the two key Azure AD endpoints from being on the Internet into the intranet zone by setting this value to one, right. And so now the PC and the browser will do what Azure AD wants. It'll give us a Kerb token so we can do that validation, because, you know, you've kind of tricked the PC into what zone you're in. Right, but that's all you've got to do: you push this out using Group Policy and hey, you're all set.

So actually all that's required is just a couple of Azure Active Directory settings inside of Azure AD Connect and a couple of settings inside of Group Policy, and then that's going to work for all of your, I guess, Windows 10 machines, but Windows 7 and Windows 8 machines as well?

Yeah, it even works for a Mac.

Wow, what about other browsers?

Yeah, so in fact I was showing you it works in Chrome. It works in Internet Explorer and it'll be working in Edge really soon. All of these things, right, it's just we're just using the same standards that Windows has always had. So you can use it back to a lot of old versions.

Super nice, and it's just using the power of Kerberos. When can folks actually get hold of Azure Active Directory Connect with all of these capabilities in there on their own, and whereabouts can they learn more about what they need to do?

Well, the easiest thing to do is to go into the portal. In fact, why don't I show you in the portal where you can get ahold of all this stuff. So I'm here and I'm going to go to the Azure portal. I'm going to show you a couple of cool things. First, when you've got your agents on-premises, you can monitor them here from your console. So let's go ahead and look at Azure AD Connect.
And you can see here I've got Federation turned off, I've got Seamless Single Sign-On turned on, and then I've got pass-through authentication enabled. And then when I click into this, I can see all of the connectors I have. I can see where they are, what IP address they're coming from and what their status is. So if I'm having trouble with a connector, I can tell which one might not be working correctly. But like I was saying, this is really nice because you're monitoring these all from the cloud, they all get updated automatically from the cloud, there's no extra overhead for you to take on to run this. And then this is the same place where you can come up here if you want to download additional connectors. So let's say you want to install them on additional AD DSs, or some other set of servers for your HA, you just get all of this right here.

Alright, so essentially you've got two things: you want to get Azure AD Connect and you want to run the Group Policy tool.

Those are the two, and if you want to do high availability, just come here and get the MSI.

That's really cool, and obviously you kind of mentioned it really quickly that your on-premises controls are being enforced as well, so if you've got password lockout policies and those kinds of things, those are actually still going to be used. And I guess you're also going to get some additional protections maybe from Azure Active Directory?

It's almost like the best of both worlds. So I'm going to get all of the value I've built up in AD over time. Like you were saying, lockout policies, and times I can log in, and password policies and things like that. But I'm also going to get the value of Azure AD in the cloud. So for instance I'm going to get DDoS protection. I don't have to worry about how do I protect my ADFS servers anymore.
I'm going to get lockout protection from the cloud, I'm going to get all of the things that we do with Azure Identity Protection that, you know, protect certain IP addresses and make sure that you don't get hit by the hackers. All that value: you now can essentially think of the Microsoft cloud protecting your on-premise AD while allowing people to seamlessly authenticate.

That's fantastic. And all of that authentication is still happening on premises, like a lot of people want for their regulatory requirements.

That's right, if you have regulatory requirements or a really, really stiff CSO (Chief Security Officer) or CISO (Chief Information Security Officer), you can meet all those requirements.

That's fantastic. Alex, thank you very much for joining us on the Microsoft Mechanics Live stage. Did you guys like that? Do you think it was useful? Seems like maybe this might be a little bit of a hit product here. Obviously the big news is that this has all gone to general availability this week.

Yes, that's right. So you can get hold of it today and you can use it in production.

Absolutely fantastic. Thank you very much for joining us on the Mechanics stage. And thank you all for watching. Keep watching Microsoft Mechanics on the website as often as you can, so that way you can keep up with the latest updates. We'll see you next time. Thank you very much.