Tuesday, August 14, 2018

Limiting Logins to Azure AD by Region

I was running a cloud enablement workshop today for a customer to lay out the options of providing SaaS applications an Identity Provider for SAML2 or OAuth2 authentication. We went through the various options: AD FS, Azure AD, Passthrough and third party providers.

One of the questions that was asked was "Is it possible to limit the Azure AD regions which a user's password hash is synchronised to?" - when using Azure AD Connect and Password Hash Synchronisation.

My immediate answer to that question was "No".

The Azure AD architecture has write instances and many "read only" instances in data centres all over the world. It is designed so that any data centre or country can be lost and identity information will remain available; hence all Azure AD data is held in all Azure data centres around the globe.

For more information on Azure AD architecture, see the following articles which are good reads:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-architecture

https://cloudblogs.microsoft.com/enterprisemobility/2014/09/02/azure-ad-under-the-hood-of-our-geo-redundant-highly-available-distributed-cloud-directory/

Whilst the user password hashes will be replicated to all Azure datacentres around the globe, it is possible to restrict which countries or regions can authenticate against Azure AD.

This is done through a feature called "Conditional Access" using Location conditions. For example, it is possible for a company to lock down the users in their Azure tenancy so that only Australian users (people connecting from an Australian IP address) can make authentication attempts against Azure AD.

For more information on this feature please read:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
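As an added example (not from the original post), the policy described above expressed against the Microsoft Graph Conditional Access API: a country-based named location for Australia, and a policy that blocks every sign-in not coming from that location. The Graph endpoint paths and object shapes are assumed from the API documentation rather than taken from the post; the `GRAPH_TOKEN` variable and the break-glass account id are placeholders.

```python
import json
import os
import urllib.request

# Assumed Microsoft Graph Conditional Access endpoint (not from the original post)
GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"


def country_named_location(name, countries):
    """Named location matching sign-ins whose IP geolocates to the given
    ISO 3166-1 alpha-2 codes. IPs with unknown geolocation are NOT treated
    as trusted, so they are caught by the block policy below."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": list(countries),
        "includeUnknownCountriesAndRegions": False,
    }


def block_outside_location_policy(name, location_id, break_glass_users):
    """All users, all cloud apps, any location EXCEPT the named location -> block.
    Break-glass accounts are excluded so an admin cannot be locked out, and the
    policy starts in report-only mode so sign-in logs can be reviewed first."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_users)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_post(path, body, token):
    """POST a JSON body to Graph; token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        f"{GRAPH}/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # placeholder: supply an access token to apply
    loc = country_named_location("Australia only", ["AU"])
    loc_id = graph_post("namedLocations", loc, token)["id"] if token else "<named-location-id>"
    pol = block_outside_location_policy("Block sign-in outside Australia", loc_id, ["<break-glass-object-id>"])
    print(json.dumps(graph_post("policies", pol, token) if token else pol, indent=2))
```

Switch `state` to `"enabled"` only after the report-only sign-in logs show no legitimate users being matched.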
