###BeginCaseStudy###
Case Study: 1
VanArsdel, Ltd
Overview
VanArsdel, Ltd. builds skyscrapers, subways, and bridges. VanArsdel is a leader in using
technology to do construction better.
Overview
VanArsdel employees are able to use their own mobile devices for work activities because
the company recognizes that this usage enables employee productivity. Employees also
access Software as a Service (SaaS) applications, including DocuSign, Dropbox, and Citrix.
The company continues to evaluate and adopt more SaaS applications for its business.
VanArsdel uses Azure Active Directory (AD) to authenticate its employees, as well as MultiFactor Authentication (MFA). Management enjoys the ease with which MFA can be enabled
and disabled for employees who use cloud-based services. VanArsdel’s on-premises directory
contains a single forest.
Helpdesk:
VanArsdel creates a helpdesk group to assist its employees. The company sends email
messages to all its employees about the helpdesk group and how to contact it. Configuring
employee access for SaaS applications is often a time-consuming task. It is not always
obvious to the helpdesk group which users should be given access to which SaaS
applications. The helpdesk group must respond to many phone calls and email messages to
solve this problem, which takes up valuable time. The helpdesk group is unable to meet the
needs of VanArsdel’s employees.
However, many employees do not work with the helpdesk group to solve their access
problems. Instead, these employees contact their co-workers or managers to find someone
who can help them. Also, new employees are not always told to contact the helpdesk group
for access problems. Some employees report that they cannot see all the applications in the
Access Panel that they have access to. Some employees report that they must re-enter their
passwords when they access cloud applications, even though they have already authenticated.
Bring your own device (BYOD):
VanArsdel wants to continue to support users and their mobile and personal devices, but the
company is concerned about how to protect corporate assets that are stored on these devices.
The company does not have a strategy to ensure that its data is removed from the devices
when employees leave the company.
Customer Support
VanArsdel wants a mobile app for customer profile registration and feedback. The company
would like to keep track of all its previous, current, and future customers worldwide. A
profile system using third-party authentication is required as well as feedback and support
sections for the mobile app.
Migration:
VanArsdel plans to migrate several virtual machine (VM) workloads into Azure. They also
plan to extend their on-premises Active Directory into Azure for mobile app authentication.
Business Requirements
Hybrid Solution:
• A single account and credentials for both on-premises and cloud
applications
• Certain applications that are hosted both in Azure and on-site must be
accessible to both VanArsdel employees and partners
• The service level agreement (SLA) for the solution requires an uptime
of 99.9%
• The partners all use Hotmail.com email addresses
Mobile App:
VanArsdel requires a mobile app for project managers on construction job sites. The mobile
app has the following requirements:
• The app must display partner information.
• The app must alert project managers when changes to the partner
information occur.
• The app must display project information including an image gallery to
view pictures of construction projects.
• Project managers must be able to access the information remotely and
securely.
Security:
• VanArsdel must control access to its resources to ensure sensitive
services and information are accessible only by authorized users and/or
managed devices.
• Employees must be able to securely share data, based on corporate
policies, with other VanArsdel employees and with partners who are located
on construction job sites.
• VanArsdel management does NOT want to create and manage user
accounts for partners.
Technical Requirements
Architecture:
• VanArsdel requires a non-centralized stateless architecture fonts data
and services where application, data, and computing power are at the logical
extremes of the network.
• VanArsdel requires separation of CPU storage and SQL services
Data Storage:
VanArsdel needs a solution to reduce the number of operations on the contractor information
table. Currently, data transfer rates are excessive, and queue length for read/write operations
affects performance.
• A mobile service that is used to access contractor information must
have automatically scalable, structured storage
• Images must be stored in an automatically scalable, unstructured form.
Mobile Apps:
• VanArsdel mobile app must authenticate employees to the company’s
Active Directory.
• Event-triggered alerts must be pushed to mobile apps by using a
custom Node.js script.
• The customer support app should use an identity provider that is
configured by using the Access Control Service for current profile registration
and authentication.
• The customer support team will adopt future identity providers that are
configured through Access Control Service.
Security:
• Active Directory Federated Server (AD FS) will be used to extend AD
into Azure.
• Helpdesk administrators must have access to only the groups of Azure
resources they are responsible for. Azure administration will be performed by
a separate group.
• IT administrative overhead must be minimized.
• Permissions must be assigned by using Role Based Access Control
(RBAC).
• Line of business applications must be accessed securely.
###EndCaseStudy###
You are designing a plan to deploy a new application to Azure. The solution must provide a single
sign-on experience for users.
You need to recommend an authentication type.
Which authentication type should you recommend?
A.
SAML credential tokens
B.
Azure managed access keys
C.
Windows Authentication
D.
MS-CHAP
Explanation:
A Microsoft cloud service administrator who wants to provide their Azure Active Directory (AD) users
with sign-on validation can use a SAML 2.0 compliant SP-Lite profile based Identity Provider as their
preferred Security Token Service (STS) / identity provider. This is useful where the solution
implementer already has a user directory and password store on-premises that can be accessed
using SAML 2.0. This existing user directory can be used for sign-on to Office 365 and other Azure
AD-secured resources.Use a SAML 2.0 identity provider to implement single sign-on
https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx?f=255&MSPPError=-2147217396