Azure AD Understanding Tokens

  • Published 14 Jul 2024
  • A quick whiteboard walking through how Azure AD uses tokens and how they impact your authentication to services.
  • Science & Technology

COMMENTS • 83

  • @OKBrooksy 1 year ago +4

    A little over a year into my IT journey after coming from years of blue collar work, going for my AZ104 per my company requiring it, your videos are so helpful especially with how daunting all of this new info is but you break it down really well and explain it very practically. Thanks so much for all you do John. Cheers mate.

  • @mmiltenburg 4 years ago +1

    Great video,
    I am explaining federation services for 12 years now, this is one of the best explanations I know.
    Will use it in my classes.
    Thank you!

  • @johnanonanon 1 year ago

    John. You are a legend! You continue to be an excellent trainer and font of MS knowledge. I remember starting out my IT journey over 20 years ago, and watching your material along the way has been priceless. Thank-you!

  • @NathanCarter 6 years ago +5

    You explained this very well. Helped me out a lot! Keep up the good work.

  • @name-vi6fs 5 years ago

    Excellent video. Very straightforward, and easy to understand.

  • @007Joelsky 3 years ago

    The kind of explanation I was looking for! Clear and simple thank you!!

  • @tsmith77772 2 years ago

    I find your video series the most useful and informative on youtube in regards to Azure. Great job!

  • @davidfarrell1062 4 years ago

    Great video. Enough detail on all aspects to get my head around it all.

  • @2pb 5 years ago

    This is very well explained and enjoyable. Over the years I have gained familiarity with legendary names such as John Savill and Laura Hunter, and their books must form a part of the library of any serious IT professional. Having this topic explained by one of the professionals in the field is just great - don'tcha just love YouTube?

  • @bryansaville2282 3 years ago

    This is a brilliant presentation! Thanks John, it really helped!

    • @NTFAQGuy 3 years ago +1

      Thanks! Glad it was useful.

  • @BATMAN_1 4 years ago +1

    Outstanding presentation, thank you.

  • @CapNJunkie 5 years ago +2

    Excellent explanation video. As with most things Microsoft the "suggested" method keeps changing. I've been looking into WHB and this just makes those decisions even more confusing. But hey, that's why I get paid the mediocre bucks!

  • @amjds1341 3 years ago +1

    Honestly, I never liked AD topics, but after watching this video I have realized what I was missing and how interesting it is. Also, it is a very important concept to understand while implementing Azure solutions in enterprises.

    • @NTFAQGuy 3 years ago

      That’s awesome to hear, it is cool how the parts all work together!

  • @ShaliniSingh-wf9ed 2 years ago

    Your way is really the best way to explain these topics and make it all sound so easy. Thanks a ton 😊

  • @TimVerbist 5 years ago +2

    Thanks for the great explanation!

  • @alessandrolanza9148 1 year ago

    Great video, very clear as always, Thanks!

  • @RDGTEX 1 year ago

    This was excellent. Thank you!

  • @Str1der1 3 years ago +1

    Great explanation, you should keep doing more videos.

    • @NTFAQGuy 3 years ago

      Thanks. I post about 3 videos a week on my channel.

  • @TimGoodrich0528 6 years ago +2

    Good job explaining where to place policies on ADFS vs AAD. Also, those guns are gonna need a bigger shirt pretty soon! 💪🤣😉

    • @NTFAQGuy 6 years ago +1

      lol. thanks. I think :-)

  • @yulaw3289 2 months ago

    Enjoying this video for today's learning, thanks a lot!

  • @inetregsameer 6 years ago +3

    Hi John,
    Nice video and awesome explanation. Really enjoying watching your videos on YouTube and Pluralsight. Could you please consider making a video about Azure AD join?
    Regards.

  • @andryakaaad 5 years ago +31

    An awesome explanation. How much do you bench?

  • @dinhomhm 5 years ago

    I have seen you on Safari, taking your MCSE courses, thank you.
    I am going to subscribe to your channel.

  • @guptalav 4 years ago +1

    Succinctly explained. Thank you.

  • @vladscheip6285 3 years ago

    Excellent explanatory session.

  • @hanhgio 3 years ago

    Very clear explanation, thank you.

  • @amjds1341 3 years ago

    Best instructor

    • @NTFAQGuy 3 years ago

      That’s very kind, thank you!

  • @eddiejackson4227 5 years ago +1

    Thanks!

  • @ashutoshnigam37 4 years ago

    Awesome!!!

  • 4 years ago

    Outstanding presentation. I have one question. When you talk about federated service, can I say Google and Facebook logins are federated services?

  • @James-sc1lz 4 years ago

    Thanks John. Excellent video.
    The only thing I need to work out now is the point made at T:1120 and why, when using password hash, even if the password was locked or expired it would still work. Surely that is a security risk?
    So our password policy rules do not apply on prem, as only the AAD policy applies?

  • @jaiveershringi 5 years ago

    Hey John, has the federated view changed in the current world?

  • @kitefriend 5 years ago +1

    Great execution. What kind of whiteboard do you use?

  • @gauravsharma8220 5 years ago +1

    Thanks

  • @ricklucas6216 3 years ago +1

    If the device is rebooted or a user signs out of their profile, does the refresh token get removed? Will the initial auth need to take place again against the PTA or ADFS (if used)?

  • @owensben 3 years ago +1

    Is there any chance you'd be looking to provide an update to this video to include Continuous Access Evaluation's impact on token lifetime and the impacts?
    This video is great at painting the picture on ATs and RTs. I've come back to this video several times or referenced it to customers or colleagues.

    • @NTFAQGuy 3 years ago +1

      I'll do a separate CAE video. I've talked about it a number of times in my weekly updates.

    • @owensben 3 years ago

      @NTFAQGuy thanks. Sure there'll be plenty looking to implement it once it's out of preview.

  • @user-sc7ry7id9o 2 years ago

    @John, please see my questions below.
    1. What is a Primary Refresh Token (PRT) used for with SSO, the MS recommendation for Windows 10 and Windows Server 2016 or newer? Is a PRT just the first RT you receive in the authn process?
    2. What is the first token named that a federated identity provider gives you, before AAD gives you the AT and RT?

    • @NTFAQGuy 2 years ago +1

      PRT is a special token on brokers for SSO across apps. Not sure what you mean for the 2nd, you mean SAML maybe? There are lots of docs about this stuff, just search on MS. Good luck.

    • @user-sc7ry7id9o 2 years ago

      Overall, I was wondering if PRT and RT were the same thing. It sounds like PRT is ‘only’ a recommendation and only for making the SSO process more guaranteed? And, a RT is only if your AT expires after 60 minutes when trying to access a service?
      - In the video, I see you went from listing a “T” to a RT in the federated example. I was thinking that meant the “T” could be something different than an RT?

  • @brusslee1814 1 year ago

    14:40 The federation server becomes a single point of failure when using federated authentication? If that on-premise server is down, users won't be able to authenticate to anything?

  • @sharatbhaskar527 4 years ago +1

    Hi John, please help me understand this. I have understood your token authentication concept. But when I go through the MS pages the authentication method is different from the token one; here is a link: docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works. Please help me understand: is token authentication different from pass-through/federation etc.?

    • @NTFAQGuy 4 years ago

      Federation just adds a step in the initial authentication but after you have the SAML from federation you then get the refresh token from AAD and it is then used for the access tokens used by services that trust AAD.

  • @1768ify 4 years ago

    Hi John, I'm confused about one point. In your first cloud transaction flow, the initial client request to exchange goes directly to the exchange server. However in your first client request to SharePoint, the request does not go to SharePoint. How does this happen? How does the browser "know" to send the refresh token to Azure? I am assuming that the user is requesting a SharePoint URL in the browser. Is this incorrect?

    • @NTFAQGuy 4 years ago

      The refresh token is issued by AAD and so it's the target for the tokens.

    • @1768ify 4 years ago

      I'm not following. I understand that AAD issues the tokens. How does the user request access to SharePoint? How is the token involved before the browser connects to SharePoint? Are you simply short-cutting the initial connection to the SharePoint host in your diagram? Wouldn't a re-direct from the SharePoint server to the AAD server be necessary?

    • @NTFAQGuy 4 years ago

      Right, SharePoint will ask for its token and redirect to AAD. I just sped up the flow :-)

    • @1768ify 4 years ago

      Got it! Thank you.

  • @hurrdurr4828 2 years ago

    Great video as always, even if it is an old one from you. But isn't the reality that refresh tokens and access tokens are for authorization and not authentication? Rather, Azure AD uses OpenID Connect for authentication (ID token) and for authorization OAuth 2.0 is used (refresh and access token)?

    • @NTFAQGuy 2 years ago +1

      Yes, authz primarily.

  • @9937595912 4 years ago

    I can easily add/register the app in Azure AD for SAML-based SSO... ADFS seems irrelevant...

  • @najimabdelwahad4579 4 years ago

    thx +++

  • @MYuen 5 years ago

    Thank you, John, for the explanation of how Access and Refresh tokens work in relation to Cloud and ADFS-based architectures! It was really helpful while I am trying to understand the various Token properties (listed here: docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes) to troubleshoot an issue.
    By the way, what happens to Access Token 1 after you've received AT2 from SharePoint? Does AT1 become invalid or does it continue getting a new one issued by Exchange with the updated Refresh Token received from SharePoint? Or... does trying to access Exchange again issue AT3 and invalidate AT1 and AT2 after the default 1 hour lifetime?

    • @NTFAQGuy 5 years ago +1

      Access tokens remain valid for their lifetime and are app specific. The refresh token slides its window each time it's used, as an updated one is sent back.

    • @MYuen 5 years ago

      @NTFAQGuy Ah, so each time a new refresh token is issued, the same (renewed) RT is used to keep each AT (AT1/AT2) valid? Makes sense. Thank you!
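An added toy model (not from the video or any commenter) of the AT/RT behaviour described in this thread: access tokens are app-specific and live out their own lifetime untouched by later issuances, while every redemption of the refresh token hands back an updated one that slides its window. The 14-day window, the per-app client cache and the expiry-only validity check are assumptions of the model, not Entra ID's real implementation.

```python
from dataclasses import dataclass

AT_LIFETIME = 3600          # 1 hour default access-token lifetime mentioned in the thread
RT_WINDOW = 14 * 24 * 3600  # assumed sliding window for the refresh token (constructed value)


@dataclass
class AccessToken:
    audience: str  # the app (Exchange, SharePoint, ...) this token is scoped to
    expires: int


class TokenModel:
    """Toy model of the AT/RT flow from the thread; not Entra ID's real implementation."""
    def __init__(self, now: int = 0):
        self.now = now
        self.rt_expires = now + RT_WINDOW        # refresh token handed back at initial sign-in
        self.access_tokens: dict[str, AccessToken] = {}  # one cached AT per audience (assumption)

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def is_valid(self, audience: str) -> bool:
        """An AT is judged only by its own expiry; issuing other ATs does not touch it."""
        at = self.access_tokens.get(audience)
        return at is not None and at.expires > self.now

    def request(self, audience: str) -> tuple[AccessToken, bool]:
        """Return (token, freshly_issued); the RT is redeemed only when no valid AT is cached."""
        if self.is_valid(audience):
            return self.access_tokens[audience], False
        if self.rt_expires <= self.now:
            raise PermissionError("refresh token expired: interactive sign-in required")
        at = AccessToken(audience, self.now + AT_LIFETIME)
        self.access_tokens[audience] = at
        self.rt_expires = self.now + RT_WINDOW   # updated RT comes back, sliding the window
        return at, True


def walkthrough() -> dict:
    # AT1 for Exchange, AT2 for SharePoint ten minutes later, then re-check at the 1 hour mark
    m = TokenModel(now=0)
    at1, _ = m.request("exchange")
    m.tick(600)
    at2, _ = m.request("sharepoint")
    at1_valid_after_at2 = m.is_valid("exchange")
    rt_slid = m.rt_expires == 600 + RT_WINDOW
    m.tick(AT_LIFETIME - 600)                    # now == 3600: AT1 has reached its own expiry
    at3, at3_fresh = m.request("exchange")       # calling Exchange again redeems the RT for AT3
    return {"at1_expires": at1.expires, "at2_expires": at2.expires,
            "at1_valid_after_at2": at1_valid_after_at2, "rt_slid": rt_slid,
            "at2_valid_at_3600": m.is_valid("sharepoint"),
            "at3_fresh": at3_fresh, "at3_expires": at3.expires}
```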

  • @klausdim 4 years ago

    It is my understanding that PHS results in "almost SSO" in that it is necessary to re-authenticate when going to a new application, albeit with the same password. PTA, on the other hand, results in seamless SSO in which the new application comes up immediately without this re-authentication step. In the description of the token flow, I did not see why this would be the case. Nor did you mention this difference. Is my understanding of the "almost SSO" limitation of PHS incorrect?

    • @NTFAQGuy 4 years ago

      You can achieve seamless sign on with both PTA and PHS by enabling the seamless sign-on capability. The experience is the same as SSO with federation. If the client has line of sight to a DC they seamlessly connect.

    • @klausdim 4 years ago

      Thank you for the quick reply. I have PHS implemented, but I get a login screen even when I log into another Microsoft Cloud app. For example, I might be logged into office.com, but when I bring up Dynamics I get another login screen. When I bring up SalesForce, I get another. Is there an obvious configuration error that has been made?

    • @NTFAQGuy 4 years ago

      Seamless sign on is an additional step after PHS. Search on the Microsoft docs for seamless sign on and it will guide you through the additional settings on the clients.

  • @amlardhi 4 years ago

    But there is a disadvantage of using PHS (Password hash synchronization), which is exporting your identities' passwords to the cloud, and most organisations will not permit it based on regulator instructions. PTA (Pass-thru Authentication) is used for Azure Cloud Services but can't be used with other service providers. I see ADFS as the best option in regards to security, usability and compatibility.

    • @NTFAQGuy 4 years ago +1

      Well, you are not exporting the password. It's a hash of a hash that can't be reversed. In my experience many organizations ARE sending the hash of the hash, as the benefits such as breach replay protection outweigh any perceived risk of the hash of hash. Risk vs reward :-) ADFS has its own challenges: maintaining it, having it internet facing, keeping it updated and available or users can't authenticate, etc. Ultimately it's the company's choice, but most are moving away from federation. With cloud auth there is native protection from various types of attack just built in that you don't get with ADFS on its own.

  • @vishaltekwani2281 5 years ago +1

    John SAML

  • @lenardbartha6722 1 year ago

    Bring back the Surface Hub for new videos pleaseeeeeeeeeeee!

    • @NTFAQGuy 1 year ago

      Zero clue why you would care about the hardware I whiteboard on.

    • @lenardbartha6722 1 year ago

      @NTFAQGuy I love hardware, the Surface Hub looks more expensive and higher tech than Dell or HP products, had one as well in the office, great product to look at... honestly, good job at the videos, they are great!

  • @RohitNaik 4 years ago

    JohnnY Sins?