Azure Active Directory provides identity and access management capabilities that enable enterprises to securely manage access to thousands of cloud, mobile, and on-premises applications using a single identity for each user. The document discusses features of Azure Active Directory including single sign-on, user lifecycle management, integration with on-premises directories, security capabilities like multifactor authentication and conditional access, and tools for IT administration and end user self-service. Case studies are presented that highlight how various large companies leverage Azure Active Directory.
Identity and Access Management from Microsoft and Razor Technology
1. David J. Rosenthal, VP & GM, Razor Technology
@AzureAD
Microsoft MTC, NYC
February 14, 2017
2. Mobile-first, cloud-first reality
Data breaches
63% of confirmed data breaches
involve weak, default, or stolen
passwords.
IT Budget growth
Gartner predicts global IT spend
will grow only 0.6% in 2016.
Shadow IT
More than 80 percent of employees
admit to using non-approved
software as a service (SaaS)
applications in their jobs.
3. Enterprise Mobility + Security
The Microsoft vision
Identity Driven Security
Managed Mobile Productivity
Comprehensive Solution
Apps, Devices, Data, Users
5. Azure Active Directory as the control plane
Identity as the core of enterprise mobility
Single sign-on / Self-service / Simple connection
On-premises: Windows Server Active Directory, other directories
Cloud: Microsoft Azure Active Directory
SaaS / Azure / Public cloud
Customers / Partners
6. 37K Azure AD Premium/EMS users
>110k third-party applications used with Azure AD
>1.3 billion authentications every day on Azure AD
More than 750M user accounts on Azure AD
>10M Azure AD directories
>85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Microsoft’s “Identity Management as a Service (IDaaS)”
for organizations.
Millions of independent identity systems controlled by
enterprise and government “tenants.”
Information is owned and used by the controlling
organization—not by Microsoft.
Born-as-a-cloud directory for Office 365. Extended to
manage across many clouds.
Evolved to manage an organization’s relationships with
its customers/citizens and partners (B2C and B2B).
7. Identity is the new control plane
Azure Active Directory at the core of your business
1000s of apps,
1 identity
Manage access
at scale
Cloud-powered
protection
Enable business
without borders
8. "Azure AD Premium makes life simpler
for the business and for employees.
It gives them access to enterprise
applications from any device with a
single sign-on that is secure and reliable.
That is fundamental in increasing the
adoption of cloud technology.”
- Kapil Mehta, Productivity &
Directory Services Manager
1000s of apps,
1 identity
Single sign-on
for SaaS apps
Single
sign-on
for mobile
apps
Support for
lift-and-shift
of traditional
apps to the
cloud
Secure remote
access to
on-premises
app
Connect your
on-premises
identities
to the cloud
9. "With Azure Active Directory
integrated into Smartsheet,
our employees don’t need to
remember another sign-in.
They can use one credential
to get to all their
applications.”
- Mike Kirkpatrick
Director of Marketing, Ontario
Division, Canadian Cancer Society
“The company uses Microsoft
Azure Active Directory
Premium, another part of
Microsoft EMS, to manage
the authentication of all 1,600
employees to all company
applications. It used Azure AD
Premium to provide SSO
access to a wide number of
applications, including
Concur, Oracle, ADP, and
Meraki, with more to come.”
“We were surprised to see that
90 percent of the SaaS apps
in use at Mattamy were
already endorsed for single
sign-on within Azure Active
Directory Premium”
- Aaron Pais
Vice President of ITl, Mattamy
Homes
10. Azure Active Directory Connect and Connect Health
Connect and sync on-premises directories with Azure Active Directory
Sources: MIM, HR apps, other directories (via PowerShell, SQL (ODBC), LDAP v3, Web Services (SOAP, Java, REST))
Target: Microsoft Azure Active Directory
1000s OF APPS, 1 IDENTITY
11. 1000s OF APPS, 1 IDENTITY
Web apps
(Azure Active Directory
Application Proxy)
Integrated
custom apps
SaaS apps
OTHER DIRECTORIES
2700+ pre-integrated popular
SaaS apps and self-service integration via
templates
Connect and sync on-premises directories
with Azure
Easily publish on-premises web apps via
Application Proxy + custom apps
Microsoft Azure
12. Single Sign-on to on-premises applications
1000s OF APPS, 1 IDENTITY
Components: User; Application Proxy endpoint https://appX-contoso.msappproxy.net/; Microsoft Azure Active Directory; connectors (in the DMZ, or on Azure or 3rd-party IaaS); on-premises apps
13. Access even more on-premises web applications
1000s OF APPS, 1 IDENTITY
The same Application Proxy endpoint (https://appX-contoso.msappproxy.net/) and connectors also publish other LoB apps
14. A mobile authenticator application for all platforms
1000s OF APPS, 1 IDENTITY
Converges the existing Azure Authenticator and all
consumer Authenticator applications.
MFA for any account, enterprise, consumer and
3rd party: push notifications/OTP
Device Registration (workplace join)
SSO to native mobile apps - Certificate-based SSO
Future: Sign in to a device (Windows Hello), app, or
website without a password
15. Azure
Active Directory
Lift-and-shift on-premises
apps to Azure IaaS
On-premises
Azure AD Connect
Windows Server
Active Directory
Your Azure IaaS
workloads/apps
Azure AD
Domain Services
Your virtual network
Azure
1000s OF APPS, 1 IDENTITY
Your domain controller as a service for lift-and-shift scenarios
Kerberos
NTLM
LDAP
Group Policy
16. Enable business
without borders
“We give them a username and
password, and they’re able to reset
their own passwords through Azure
Active Directory. This is important,
because we have such a small IT staff.”
- Scott Bentzel
Director of IT
Better connect with
your consumers and
partners
Ease of use
for end users
Anytime,
anywhere
productivity
17. “The company also chose
Azure Active Directory to
simplify identity management
for vendors and employees.
With Azure Active Directory,
the company provides fast,
highly secure access to
external vendors, cutting
onboarding time from
months to less than a week.”
- Johan Krebbers
IT Chief Technology Officer, Royal
Dutch Shell
“…because we’re now able to
give employees their own
accounts, we can safely and
securely send human
resources documents in
digitized form even if they are
highly confidential, which
eliminates traditional mailing.”
- Ryuji Katayama
Department Manager of the IT
Planning Department, Corporate
Strategy Division, Village Vanguard
“We needed to quickly and cost
effectively stand up new IT
infrastructure, including
extranet applications for
thousands of business partners.
Azure Active Directory B2B
collaboration provides a simple
and secure way for partners,
large and small, to use their
own credentials to access
Kodak Alaris systems.”
18. Manage your account, apps, and groups
Company-branded, personalized
application Access Panel:
http://myapps.microsoft.com
+ iOS and Android Mobile Apps
Integrated end user experiences
Self-service password reset
Application access requests
Integrated Office 365 app launching
ENABLE BUSINESS WITHOUT BORDERS
19. ENABLE BUSINESS WITHOUT BORDERS
Microsoft Azure
Active Directory
Collaborate with partners:
B2B collaboration
Share without complex
configuration or duplicate users
Partners
of all sizes
You manage
access
“We needed to quickly & cost effectively stand up new IT infrastructure, including extranet applications
for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and
secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.”
3,000+ partners
20. Intune/MDM
auto-enrollment
Azure Active Directory Join makes it possible
to connect work-owned Windows 10 devices
to your company’s Azure Active Directory
Enterprise-compliant services
SSO from the desktop to cloud and
on-premises applications with no VPN
Support for hybrid environments
MDM auto-enrollment
Windows 10 Azure AD
joined devices
ENABLE BUSINESS WITHOUT BORDERS
Enterprise
State Roaming
21. Superior economics
Identity experience engine
Consumer identity and access
management in the cloud
Cross-platform
Identity management for consumers
“By using Azure Active Directory B2C we were able to build a fully
customized login page without having to build custom code.
Additionally, with a Microsoft solution in place, we alleviated all
our concerns about security, data breaches, and scalability.”
- Rafael de los Santos, Head of Digital, Real Madrid
ENABLE BUSINESS WITHOUT BORDERS
22. “Without Azure Active Directory
integrated with our 2,100 customers’
AD databases, we simply could not
manage all the passwords and logon
activities of the many hundreds of
thousands of teachers and students
who make up our customer base.”
- Evan Clark
Founder & CEO
Manage access
at scale
Advanced
user
lifecycle
management
Monitor your
identity bridge
Low IT
overhead
23. “Without Azure Active
Directory integrated with our
2,100 customers’ AD
databases, we simply could
not manage all the passwords
and logon activities of the
many hundreds of thousands
of teachers and students who
make up our customer base.”
- Evan Clark
Founder & CEO, ClickView
“We want to ensure that we’re
keeping our operating costs as
low as possible to focus our
budget on more productive
areas of the business. With the
help of Azure Active Directory
Premium, I’m managing ten
times the number of SaaS
applications with the same size
team.”
Daniel Birmingham: Identity
Solutions Architect
Whole Foods Market
“We will be able to walk in
with the computers, connect
them to the Internet, and be
done. User identity, SaaS
access management, mobile
device management—all
accessible with a few clicks on
a web-based console.”
- Arvid Johansson
CIO, SATS ELIXIA
24. Centralized access administration for pre-integrated
SaaS apps and other cloud-based apps
Dynamic groups, device registration, secure business
processes with advanced access management capabilities
Comprehensive identity and access management console
MANAGE ACCESS AT SCALE
IT professional
Provisioning and deprovisioning with customization
options
25. MANAGE ACCESS AT SCALE
Monitor and gain insights into the identity infrastructure used
to extend on-premises identities to Azure Active Directory and
Office 365.
Monitor:
• The Azure AD Connect sync engine health
• ADFS infrastructure health
• On-premises AD Domain Services health
26. Cloud-powered
protection
Protect against
advanced threats
Conditional access
to resources
Compliance Reporting
Mitigate
administrative
risks
“Identity is the new firewall of the future. We can’t
continue to use our old way of controlling
application access, because business isn’t
happening exclusively in our network anymore.
With Azure Active Directory Premium, we can
stay in control, no matter where our users roam.”
Will Lamb: Infrastructure Coordinator
Whole Foods Market
27. “By deploying Azure MFA the
bank secured access to corporate
data. Also there is no need for the
end user to receive any trainings
or carry additional components
with them, such as tokens. It was
important for us to increase
security without sacrificing end
user experience. We could
achieve this thanks to Azure
MFA.”
Fikri Bülent Çelik
Technology and Infrastructure
Department Manager, TKFB
With Azure AD Premium, Bristow Group
now has the capabilities for multifactor
authentication; access control
(dependent upon device health and user
location); holistic security reports; audits;
and alerts. Azure Active Directory makes
the work of a busy and mobile workforce
easier, secures data and protects access
to the company’s assets both in the cloud
and on-premises.
- Kapil Mehta
Productivity & Directory Services Manager, Bristow
Group Inc.
“Vetco uses Microsoft Azure
Active Directory Premium (part
of the Microsoft Enterprise
Mobility Suite) to help
safeguard access to data
through multifactor
authentication.”
30. CLOUD-POWERED PROTECTION
Identity Protection at its best
Risk severity calculation
Remediation recommendations
Risk-based conditional access automatically
protects against suspicious logins and
compromised credentials
Gain insights from a consolidated view of
machine learning based threat detection
Signals from the machine-learning engine: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
Risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials
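The risk signals and policy actions on this slide, worked through as an added example that is not Azure AD Identity Protection code and not Microsoft's scoring: a small policy engine combines the per-sign-in signals into a severity and maps it to allow, MFA challenge, password change or block. The signal weights, the thresholds and the sample sign-ins are constructed for illustration.

```python
"""Risk-based conditional access, modelled on the signals and actions on the
slide. Added example: not Azure AD Identity Protection code. The weights,
thresholds and sample sign-ins below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"            # "MFA challenge" for risky logins
    REQUIRE_PASSWORD_CHANGE = "change_pw"  # "change bad credentials"
    BLOCK = "block"                        # "block attacks"


# Per-sign-in signals from the slide with constructed weights on a 0-100 scale.
# "Configuration vulnerabilities" is a tenant-wide finding rather than a
# property of one sign-in, so it is not weighted per sign-in here.
SIGNAL_WEIGHTS = {
    "leaked_credentials": 70,
    "infected_device": 50,
    "brute_force": 60,
    "suspicious_sign_in": 30,
}


@dataclass
class SignIn:
    user: str
    signals: set = field(default_factory=set)


def risk_score(signin: SignIn) -> int:
    """Risk severity calculation: sum of the signal weights, capped at 100."""
    unknown = set(signin.signals) - set(SIGNAL_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return min(100, sum(SIGNAL_WEIGHTS[s] for s in signin.signals))


def risk_level(score: int) -> str:
    """Bucket the score into the levels the policy reasons about."""
    if score >= 70:
        return "high"
    if score >= 30:
        return "medium"
    return "low" if score > 0 else "none"


def decide(signin: SignIn) -> Action:
    """Map one sign-in to a policy action.

    A leaked credential means the password itself is compromised, so an MFA
    challenge is not a sufficient remedy: the user must change the password.
    Otherwise high risk is blocked, medium risk gets an MFA challenge, and
    low or no risk is allowed through.
    """
    if "leaked_credentials" in signin.signals:
        return Action.REQUIRE_PASSWORD_CHANGE
    level = risk_level(risk_score(signin))
    if level == "high":
        return Action.BLOCK
    if level == "medium":
        return Action.REQUIRE_MFA
    return Action.ALLOW


def evaluate(signins) -> dict:
    """Return {user: action name} for a batch of sign-ins, e.g. from a report."""
    return {s.user: decide(s).value for s in signins}


# Constructed sample: one sign-in per user, annotated with the detected signals.
SAMPLE_SIGNINS = [
    SignIn("alice@contoso.com"),
    SignIn("bob@contoso.com", {"suspicious_sign_in"}),
    SignIn("carol@contoso.com", {"brute_force", "infected_device"}),
    SignIn("dave@contoso.com", {"leaked_credentials", "suspicious_sign_in"}),
]

if __name__ == "__main__":
    for user, action in evaluate(SAMPLE_SIGNINS).items():
        print(f"{user:<20} {action}")
```

The order of the checks is the design point: the credential-compromise signal is handled before the score is consulted, so a leaked password always forces a reset even when the numeric score alone would only trigger an MFA challenge.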
31. CLOUD-POWERED PROTECTION
Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools
Security/Monitoring/Reporting Solutions, Notifications, Data Extracts/Downloads, Reporting APIs
Apply Microsoft learnings to your existing security tools
Microsoft machine-learning engine: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
32. CLOUD-POWERED PROTECTION
Discover, restrict, and monitor privileged identities
Enforce on-demand, just-in-time administrative access when needed
Provides more visibility through alerts, audit reports and access reviews
Global
Administrator
Billing
Administrator
Exchange
Administrator
User
Administrator
Password
Administrator
33. CLOUD-POWERED PROTECTION
How time-limited activation of privileged roles works
MFA is enforced during the activation process
Alerts inform administrators about out-of-band changes
Users need to activate their privileges to perform a task
Users will retain their privileges for a pre-configured amount of time
Security admins can discover all privileged identities, view audit reports and review everyone who is eligible to activate via access reviews
Audit
SECURITY
ADMIN
Configure Privileged
Identity Management
USER
PRIVILEGED IDENTITY MANAGEMENT
Identity
verification
Monitor
Access reports
MFA
ALERT
Read only
ADMIN PROFILES
Billing Admin
Global Admin
Service Admin
34. CLOUD-POWERED PROTECTION
Removes unneeded permanent
admin role assignments
Limits the time a user has admin
privileges
Ensures MFA validation prior to
admin role activation
Reduces exposure
to attacks
targeting admins
Separates role administration
from other tasks
Adds roles for read-only views
of reports and history
Asks users to review and justify
continued need for admin role
Simplifies
delegation
Enables least privilege role
assignments
Alerts on users who haven’t
used their role assignments
Simplifies reporting on admin
activity
Increases visibility
and finer-grained
control
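The activation flow of slide 33 and the controls listed on slide 34 (no standing admin rights, time-limited activation, MFA before activation, audit, alerts on unused assignments) as an added model. This is illustration code, not Azure AD Privileged Identity Management; the eligibility lists, the one-hour activation window, the 30-day "unused" threshold and the user and role names in the scenario are constructed.

```python
"""Time-limited activation of privileged roles (slides 33-34), modelled in
memory. Added example: not Azure AD PIM code. Eligibility, the activation
window, alert thresholds and the scenario below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Activation:
    user: str
    role: str
    justification: str
    activated_at: datetime
    expires_at: datetime


@dataclass
class PrivilegedRoleManager:
    # role -> users who may activate it (eligible, no standing access)
    eligible: dict = field(default_factory=dict)
    # role -> users with a permanent assignment (what PIM aims to remove)
    permanent: dict = field(default_factory=dict)
    max_duration: timedelta = timedelta(hours=1)
    activations: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _audit(self, when, event, user, role, detail=""):
        self.audit_log.append((when, event, user, role, detail))

    def activate(self, user, role, justification, mfa_verified, now) -> Activation:
        """Grant `role` to an eligible user for `max_duration`.

        MFA is enforced during activation, a justification is required, and
        every attempt (granted or denied) lands in the audit log.
        """
        if user not in self.eligible.get(role, set()):
            self._audit(now, "denied", user, role, "not eligible")
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_verified:
            self._audit(now, "denied", user, role, "MFA not completed")
            raise PermissionError("MFA is required to activate a privileged role")
        if not justification.strip():
            self._audit(now, "denied", user, role, "missing justification")
            raise ValueError("a justification is required")
        act = Activation(user, role, justification, now, now + self.max_duration)
        self.activations.append(act)
        self._audit(now, "activated", user, role, justification)
        return act

    def has_role(self, user, role, now) -> bool:
        """True while a permanent assignment or an unexpired activation exists."""
        if user in self.permanent.get(role, set()):
            return True
        return any(a.user == user and a.role == role and a.expires_at > now
                   for a in self.activations)

    def alerts(self, now, unused_after=timedelta(days=30)) -> list:
        """Findings for the security admin: standing admin rights, and eligible
        users who have not needed the role recently (review candidates)."""
        findings = []
        for role, users in sorted(self.permanent.items()):
            for u in sorted(users):
                findings.append(f"permanent assignment: {u} holds {role} without activation")
        for role, users in sorted(self.eligible.items()):
            for u in sorted(users):
                last = max((a.activated_at for a in self.activations
                            if a.user == u and a.role == role), default=None)
                if last is None or now - last > unused_after:
                    findings.append(f"unused eligibility: {u} has not activated {role} "
                                    f"in the last {unused_after.days} days")
        return findings


T0 = datetime(2017, 2, 14, 9, 0)  # constructed reference time for the scenario


def demo() -> dict:
    """Constructed scenario: jen activates Global Administrator with MFA,
    sam never activates, bob still has a permanent Billing Administrator role."""
    pim = PrivilegedRoleManager(
        eligible={"Global Administrator": {"jen", "sam"}},
        permanent={"Billing Administrator": {"bob"}},
    )
    pim.activate("jen", "Global Administrator", "constructed change request", True, T0)
    return {
        "jen_during": pim.has_role("jen", "Global Administrator", T0 + timedelta(minutes=30)),
        "jen_after": pim.has_role("jen", "Global Administrator", T0 + timedelta(minutes=61)),
        "findings": pim.alerts(T0 + timedelta(days=1)),
        "audit_events": [e[1] for e in pim.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`has_role` is the enforcement point an application would call; everything else exists to make that answer false by default and true only for a justified, MFA-verified, time-boxed window.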
35. Microsoft Advanced Threat Analytics
brings the behavioral analytics concept
to IT and the organization’s users.
An on-premises platform to identify advanced security attacks and insider
threats before they cause damage
DETECT ATTACKS BEFORE THEY CAUSE DAMAGE
Behavioral
Analytics
Detection of advanced
attacks and security risks
Advanced Threat
Detection
36. Discovery
Gain complete visibility and
context for cloud usage and
shadow IT—no agents required
Data control
Shape your cloud environment with
granular controls and policy setting
for access, data sharing, and DLP
Threat protection
Identify high-risk usage and security
incidents, detect abnormal user
behavior, and prevent threats
Integrate with existing security, mobility, and encryption solutions
37. Azure Information
Protection
Protect your data,
everywhere
Microsoft Cloud App Security
Azure Active Directory
Detect threats early
with visibility and
threat analytics
Advanced
Threat Analytics
Extend enterprise-grade
security to your cloud
and SaaS apps
Intune
Protect your users,
devices, and apps
Manage identity with hybrid
integration to protect application
access from identity attacks
Enterprise Mobility + Security
The Microsoft solution
38. Industries: Transportation, Logistics, Oil-Gas; Retail, Hospitality and Travel; Health; Construction, Professional Services; Government, Banking, Insurance; Education, Nonprofit
39. • Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience
• Single sign-on to 1000s of pre-integrated apps / your own apps
• Secure remote access to on-premises apps
• SSO to mobile apps
• Support for lift-and-shift to the cloud
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
• Ease of use for end users / integration with Office
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer facing applications
1000s of apps, 1 identity: Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Manage access at scale: Manage identities and access at scale in the cloud and on-premises
Cloud-powered protection: Ensure user and admin accountability with better security and governance
Enable business without borders: Stay productive with universal access to every app and collaboration capability
41. Razor Technology for EMS: Deploy it Right
Now included with all EMS services
Razor’s Fast Deployment for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium.
Azure Active Directory Premium. Razor will:
Get organizational identities to the cloud
Set up single sign-on for test apps (including Azure Active Directory Application Proxy apps)
Configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site
Microsoft Intune. Razor will:
Set up users and groups
Enable management of test devices
Optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single pane management experience
Azure Rights Management Premium. Razor will:
Retain control of sensitive documents locally and over email
Automatically protect mail containing privileged information
Ensure files stored in SharePoint are rights protected
44. Identity as the control plane
On-premises
Windows Server
Active Directory
45. Identity as the control plane
On-premises
Windows Server
Active Directory
VPN
BYO
SaaS
Azure
Cloud
Public
cloud
Customers
Partners
46. Identity as the control plane
On-premises
Windows Server
Active Directory
VPN
BYO
Microsoft Azure Active Directory
Azure
Cloud
Public
cloud
Customers
Partners
47. Customers
Azure AD as the control plane
On-premises
Partners
Azure
Cloud
Public
cloud
Microsoft Azure Active Directory
BYO
Windows Server
Active Directory
48. Directory as a service 500,000 object limit No object limit No object limit
No object limit for Office
365 user accounts
User/group management (add/update/delete)/user-based provisioning, device
registration, User-based access management/provisioning, Basic Security/usage reports
Yes Yes Yes Yes
Single Sign-On: 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (free tier + Application Proxy apps) | No limit (free, Basic tiers + Self-Service App Integration templates (1)) | 10 apps per user (pre-integrated SaaS and developer-integrated apps)
Self-service password change for cloud users Yes Yes Yes
Connect (sync engine that extends on-premises directories to Azure Active Directory) Yes Yes Yes
Premium
+ basic
features
Group-based access management/provisioning – Provisioning customization Yes Yes
Self-service password reset for cloud users Yes Yes Yes
Company branding (logon pages/access panel customization) Yes Yes Yes
Application Proxy Yes Yes
SLA Yes Yes Yes
Premium
features
Self-Service Group and app Management/Self-Service application additions/ Dynamic
Groups
P1,P2
Self-service password reset/change/account unlock with on-premises write-back P1,P2
Advanced usage reporting P1,P2
Multi-factor authentication (cloud and on-premises (MFA server)) P1,P2
Limited cloud only for Office
365 apps
MIM CAL + MIM server P1,P2
Cloud app discovery P1,P2
Automated password rollover P1,P2
Connect Health P1,P2
Conditional Access (User, Application, Location, Device rules) P1,P2
Identity Protection P2
Privileged Identity Management P2
Yes Yes Yes Yes
MDM auto-enrolment, Self-Service Bitlocker recovery, Additional local administrators
to Windows 10 devices via Azure AD Join, Enterprise State Roaming
Yes
49. Cloud-powered protection / Manage access at scale / 1000s of apps, 1 identity / Enable business without borders
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience
• Single sign-on
• Bring your own apps
• Secure remote access to on-premises apps
• Support for lift-and-shift to the cloud
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
• Ease of use for end users
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer facing applications
50. A comprehensive identity and
access management cloud
solution for your employees,
partners, and customers.
It combines directory services,
advanced identity governance,
application access management,
and a rich standards-based
platform for developers.
B2E, B2B, B2C
51. Azure Active
Directory Connect
ADFS
Sync engine
1000s OF APPS, 1 IDENTITY
Azure Active Directory Connect
Consolidated deployment assistant
for your identity bridge
components.
All currently available sync engines
will be replaced by the sync engine
included in the Connect tool.
Assisted deployment of ADFS will
be available through Azure Active
Directory Connect.
ADFS is an optional component for
authentication in hybrid
implementation. Password sync can
replace ADFS for more scenarios.
DirSync
Azure Active
Directory Sync
FIM+Azure Active
Directory Connector
ADFS
52. 1000s OF APPS, 1 IDENTITY
1st option: Identity + Password (Hash) synchronization
Identity +
Password Hash
synchronization
Azure Active Directory
authenticates user
User
Microsoft Azure
Active Directory
53. 1000s OF APPS, 1 IDENTITY
2nd option: Identity synchronization + ADFS
Identity
synchronization
ADFS
Authentication passed to Windows Server Active Directory via ADFS
User
Microsoft Azure
Active Directory
54. 1000s OF APPS, 1 IDENTITY
New option: Identity synchronization + Pass-through authentication with Seamless SSO
Identity
synchronization
Authentication passed to
Windows Server Active Directory
via Pass-through authentication
User
Pass-through
authentication
Microsoft Azure
Active Directory
Seamless
SSO
Pass-through
authentication agent
55. 1000s OF APPS, 1 IDENTITY
Seamless SSO is now enabled for the 1st option, too: Identity + Password (Hash) synchronization
Identity +
Password Hash
synchronization
Azure Active Directory
authenticates user
User
Microsoft Azure
Active Directory
Seamless
SSO
56. Identity
Synchronization
+ ADFS
1000s OF APPS, 1 IDENTITY
More options than ever!
User
Identity
synchronization
Identity Synchronization +
Pass-through Authentication
+ Seamless SSO
ADFS
Microsoft Azure
Active Directory
Identity synchronization
Seamless SSO
Identity +
Password Hash
synchronization
Identity Synchronization +
Password Hash Synchronization+
Seamless SSO
Seamless
SSO
Pass-through
Authentication
57. How it works
1000s OF APPS, 1 IDENTITY
Components: User; Contoso Corpnet with the Connector; Security Token Service (Microsoft Azure Active Directory)
1. User name and password
2. Connector notified of request
3. Connector validates the credentials against AD
4. DC returns result
5. Connector returns result
6. Token returned to the user or further proofs (MFA) are initiated
58. How seamless SSO works with Pass-through authentication and Password hash synchronization
1000s OF APPS, 1 IDENTITY
Components: User; Contoso Corpnet; Security Token Service (Microsoft Azure Active Directory)
1. User enters their username
2. 401 response to get a Kerberos ticket
3. User requests a Kerberos ticket
4. AD returns Kerberos ticket
5. User sends ticket to Azure AD STS
6. Token returned to the user or further proofs (MFA) are initiated
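The pass-through authentication flow of slide 57 and the seamless SSO flow of slide 58, simulated end to end as an added example; this is illustration code, not Microsoft's authentication agent or the Azure AD STS. The in-memory stand-in for Active Directory, the HMAC-signed stand-in for a Kerberos service ticket, the token format and all accounts and passwords are constructed. In the real service the password is encrypted for the agent and retrieved over the agent's outbound connection; the simulation passes it directly, but keeps the property that matters: the cloud side receives only the connector's verdict and never stores a password.

```python
"""Pass-through authentication (slide 57) and seamless SSO (slide 58),
simulated. Added example: not Microsoft's agent or STS code. The in-memory
AD, the HMAC "ticket", the token format and every account are constructed."""
import hashlib
import hmac
import json
import os
import secrets

PBKDF2_ROUNDS = 10_000  # kept low for the demo; stand-in for AD's own storage


class OnPremAD:
    """Stand-in for Windows Server Active Directory on Contoso corpnet.
    Holds salted password digests and, for seamless SSO, a key shared with
    Azure AD (the real service uses a computer account's Kerberos key)."""

    def __init__(self, users: dict):
        self._users = {}
        for upn, password in users.items():
            salt = os.urandom(16)
            self._users[upn] = (salt, self._digest(password, salt))
        self.sso_key = secrets.token_bytes(32)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def validate(self, upn: str, password: str) -> bool:
        """Slide 57 step 4: the DC returns the result of the credential check."""
        rec = self._users.get(upn)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def issue_ticket(self, upn: str, now: int) -> str:
        """Slide 58 step 4: AD returns a ticket for the Azure AD SSO service.
        Constructed format: hex(JSON claims) '.' HMAC-SHA256 under sso_key."""
        body = json.dumps({"upn": upn, "exp": now + 600}).encode()
        return body.hex() + "." + hmac.new(self.sso_key, body, "sha256").hexdigest()


class PassThroughAgent:
    """The connector on corpnet (slide 57 steps 2-5): notified of a request,
    validates against AD, and returns only a verdict to the cloud."""

    def __init__(self, ad: OnPremAD):
        self.ad = ad

    def handle(self, upn: str, password: str) -> bool:
        return self.ad.validate(upn, password)


class AzureADSTS:
    """Security Token Service: after either flow it issues a token, or starts
    further proofs (MFA) for users the policy requires them from (step 6)."""

    DENIED = {"result": "denied"}

    def __init__(self, agent: PassThroughAgent, sso_key: bytes, mfa_required=()):
        self.agent = agent
        self.sso_key = sso_key
        self.mfa_required = set(mfa_required)

    def sign_in_with_password(self, upn: str, password: str) -> dict:
        """Slide 57: username and password (1) -> connector (2-5) -> token/MFA (6)."""
        if not self.agent.handle(upn, password):
            return dict(self.DENIED)
        return self._finish(upn)

    def challenge(self, upn: str) -> dict:
        """Slide 58 steps 1-2: username entered, 401 asks the client for a ticket."""
        return {"status": 401, "upn": upn, "www_authenticate": "Negotiate"}

    def sign_in_with_ticket(self, ticket: str, now: int) -> dict:
        """Slide 58 step 5: only a ticket signed under the shared key and still
        within its lifetime is accepted; anything malformed is denied."""
        try:
            body_hex, sig = ticket.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return dict(self.DENIED)
        expected = hmac.new(self.sso_key, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return dict(self.DENIED)
        claims = json.loads(body)
        if claims["exp"] <= now:
            return dict(self.DENIED)
        return self._finish(claims["upn"])

    def _finish(self, upn: str) -> dict:
        if upn in self.mfa_required:
            return {"result": "mfa_required", "upn": upn}
        return {"result": "token", "upn": upn, "token": secrets.token_hex(16)}


def build_lab():
    """Constructed tenant: two users, one of whom must always complete MFA."""
    ad = OnPremAD({"jen@contoso.com": "J3n-demo-pass", "sam@contoso.com": "S4m-demo-pass"})
    sts = AzureADSTS(PassThroughAgent(ad), ad.sso_key, mfa_required={"sam@contoso.com"})
    return ad, sts


if __name__ == "__main__":
    ad, sts = build_lab()
    print(sts.sign_in_with_password("jen@contoso.com", "J3n-demo-pass"))
    ticket = ad.issue_ticket("jen@contoso.com", now=1000)
    print(sts.sign_in_with_ticket(ticket, now=1100))
```

Two checks in `sign_in_with_ticket` carry the security argument: the HMAC comparison (a ticket not minted by the directory is rejected) and the expiry comparison (a captured ticket cannot be replayed indefinitely). Both use `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many bytes matched.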
59. Corporate
network
Microsoft Azure
Active Directory
Connectors are deployed usually on
corpnet next to resources
Multiple connectors can be deployed
for redundancy, scale, multiple sites,
and different resources
Users connect to the cloud service
that routes their traffic to
resources via the connectors
A connector that auto-connects
to the cloud service
1000s OF APPS, 1 IDENTITY
DMZ
https://app1-contoso.msappproxy.net/
Application Proxy
http://app1
61. “We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications
for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and
secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.”
3000+ partners
ENABLE BUSINESS WITHOUT BORDERS
Share without complex
configuration or duplicate users
Partners use their own credentials to access
your org
Users lose access when leaving the
partner org
No external directories
No per partner federation
You manage
access
You control partner access in your
directory:
• app assignment
• group membership
• custom attributes
Partners of
all sizes
Bulk invite 1000s at a time
Partners with Azure Active Directory sign
in to accept invite
Other partners simply sign up to
accept invite
62. ENABLE BUSINESS WITHOUT BORDERS
“I need to let my partners access my company’s apps using their own credentials”
64. ENABLE BUSINESS WITHOUT BORDERS
Partners use their own
credentials to access your
org
Users lose access when
they leave the partner org
No external directories
No per-partner federation
Partners manage
their own
credentials
You control partner access
in your directory:
• app assignment
• group membership
• custom attributes
Organizations
manage
access
Thousands of bulk invites at
a time
Partners with Azure Active
Directory sign in to accept
invite
Other partners simply sign
up to accept invite
Partners of
all sizes
66. Microsoft Azure Active Directory
Cloud app discovery
Many more cloud apps are in use than IT estimates (source: Help Net Security 2014)
• SaaS app category
• Number of users
• Utilization volume
Comprehensive
reporting
Discover all SaaS apps in use
within your organization
CLOUD-POWERED PROTECTION
67. Security reporting that tracks inconsistent
access patterns, analytics, and alerts
Reporting API
Built-in security features
CLOUD-POWERED PROTECTION
Step up to Multi-Factor Authentication
68. CLOUD-POWERED PROTECTION
A standalone Azure identity and access
management service, also included in
Azure Active Directory Premium
Prevents unauthorized access to both
on-premises and cloud applications by
providing an additional level of
authentication
Trusted by thousands of enterprises
to authenticate employee, customer,
and partner access
70. MONITOR AND PROTECT
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.
Components: User; Multi-factor authentication server in front of on-premises apps (RADIUS, LDAP, IIS, RDS/VDI) backed by Windows Server Active Directory or other LDAP; Microsoft Azure Active Directory multi-factor authentication in front of cloud apps
71. CLOUD-POWERED PROTECTION
MFA for Office 365/Azure
Administrators
Azure Multi-Factor
Authentication
Administrators can enable/enforce MFA to end users Yes Yes
Use mobile app (online and OTP) as second authentication factor Yes Yes
Use phone call as second authentication factor Yes Yes
Use SMS as second authentication factor Yes Yes
Application passwords for non-browser clients (e.g., Outlook, Lync) Yes Yes
Default Microsoft greetings during authentication phone calls Yes Yes
Suspend MFA from known devices Yes Yes
Custom greetings during authentication phone calls Yes
Fraud alert Yes
MFA SDK Yes
Security reports Yes
MFA for on-premises applications/ MFA server Yes
One-time bypass Yes
Block/Unblock users Yes
Customizable caller ID for authentication phone calls Yes
Event confirmation Yes
Trusted IPs Yes
72. DETECT ATTACKS BEFORE THEY CAUSE DAMAGE
1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from SIEM
2. Learn: ATA automatically learns all entities’ behaviors
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses and constructs an attack timeline
73. CLOUD-POWERED PROTECTION
Reduce risks of excessive access to your organization’s data
Dashboards with insights
Policy driven review workflows for governance decisions
Richer auditing to address compliance reporting needs
Decisions at the business level (self-service)
Apps in
Azure
Third-
party apps
& clouds
Apps on-
premises
76. HR system
LDAP
Oracle DB
Finance
Web apps
Windows Server
Active Directory
Hybrid
identity
User identities from
multiple repositories
LDAP v3
Windows
PowerShell
Web services
(SOAP, Java,
REST)
Generic SQL
via ODBC
Windows Server
Active Directory
Microsoft Azure
Active Directory
VS.
77. Microsoft’s IAM solution
Apps in
Azure
Third-party apps & clouds
Microsoft Cloud
Microsoft Identity
Manager
Apps on-
premises
AAD App
Proxy
Spans cloud and on-premises
Provides full spectrum of services
• Federation
• Identity management
• Device registration
• User provisioning
• Application access control
• Data protection
Modern identity management system
The combination of Windows Server Active
Directory, Microsoft Identity Manager, and
Microsoft Azure Active Directory enables
better security for today’s hybrid enterprise.
Microsoft Azure
Active Directory
78. MANAGE EVERYTHING
Cloud-ready identities: Automatic preparation of Active Directory identities for synchronization with Azure Active Directory
Powerful user self-service: Password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management
Enhanced security: Hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols
79. MANAGE EVERYTHING
Cloud-ready identities:
• Standardized Active Directory attributes and values
• Partitioned identities for synchronization to the cloud
• Easier-to-deploy reporting connected to Azure Active Directory
• Preparation of user profiles for Microsoft Office 365
Powerful user self-service:
• Self-service password reset with Multi-Factor Authentication
• New REST-based APIs for AuthN/AuthZ
• Self-service account unlock
• Certificate management support for multi-forest and modern apps
Enhanced security:
• Privileged user and account discovery
• New Windows PowerShell support and REST-based API
• Workflow management: elevated just-in-time administrator access
• Reporting and auditing specific to privileged access management
80. MANAGE EVERYTHING
ON-PREMISES: Managed by Microsoft System Center Configuration Manager; on-premises LOB applications, traditional productivity; iOS, Android, Windows Phone, BYOD; mobile apps, shadow IT SaaS solutions
HYBRID: Managed by Microsoft Intune connected to System Center Configuration Manager; on-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation; deployment of cloud-enabled rich clients; managed cloud identities with Multi-Factor Authentication
CLOUD: Managed by EMS; combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10); managed SaaS and Office 365 Enterprise, full Azure IAM
Event - Mobility / Event - Win 8.x/10
Microsoft Identity Manager 2016
83. Microsoft Identity Manager 2016
Collapse directories
Map multiple identities
Transform usernames and
other attributes
84. Privileged access management
Existing environment: user, existing apps, existing FIM, existing AD forests (WS 2003 or later)
Microsoft Identity Manager configured for PAM, with its own AD DS
Group: Resource Admins; Domain: CORP; Candidate: Jen
Time-based memberships; existing trust; trust for admin access; access requests
User “JenAdmin”: User: PRIV\JenAdmin; Groups: CORP\Resource Admins; Refresh after: 60 minutes
Group “Resource Admins”
85. Deep dive: DirSync, Azure AD, and MIM Sync
DirSync, Azure Active Directory Sync, FIM Sync (+ Azure Active Directory Connector) and MIM Sync (+ Azure Active Directory Connector) are all replaced by Azure Active Directory Connect
86. Connect and sync on-
premises directories with
Azure
Azure Active
Directory Connect
Microsoft Azure
Active Directory
Other directories
PowerShell
LDAP v3
SQL (ODBC)
Web services
(SOAP, Java, REST)
87. Deep dive: IAM in MIM vs. Azure Active Directory
Capability: Azure Active Directory | Microsoft Identity Manager
Password reset/management: YES | YES
Group management: YES, not dynamic | YES
Provisioning, deprovisioning: NO | YES
Certificate management: NO | YES
Role-based access control: NO | YES
88. Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is part of the Enterprise Mobility Suite.
Microsoft Enterprise Mobility Suite is the most cost-effective way to acquire all included cloud services: Azure Active Directory Premium, Azure Rights Management, and Intune.
Purchasing Microsoft Identity Manager 2016
Licensed on a per-user basis
Client Access License (CAL): required for each user whose identity is managed
Windows Server license with active Software Assurance: required to use the Microsoft Identity Manager 2016 server software as a Windows Server add-on