A comprehensive identity and access management cloud solution. It combines directory services,...

Pages 1–2: Title

Microsoft Azure Active Directory Premium

Eran Dvir – Program Manager, Azure AD

Session CDP-B312

Page 3: What is Azure Active Directory?

A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.

It is available in three editions: Free, Basic and Premium.

Page 4: Identity as the control plane

Page 5: Azure Active Directory editions feature comparison + Office 365 IAM features

Common Features | Azure AD Free | Azure AD Basic | Azure AD Premium | Office 365 IAM features
Directory as a Service | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
User/Group Management (add/update/delete) | Yes | Yes | Yes | Yes
SSO to pre-integrated SaaS applications / custom apps | 10 apps per user | 10 apps per user | No limit | 10 apps per user
User-based access management/provisioning | Yes | Yes | Yes | Yes
Self-service password change for cloud users | Yes | Yes | Yes | Yes
Identity Synchronization Tool (Windows Server AD integration, multi-forest) | Yes | Yes | Yes | Yes
Security reports | 3 basic reports | 3 basic reports | Advanced security reports | 3 basic reports
Cloud App Discovery* | Yes (Basic) | Yes (Basic) | Yes (Advanced)** | Yes (Basic)

Premium + Basic Features | Azure AD Free | Azure AD Basic | Azure AD Premium | Office 365 IAM features
Group-based access management/provisioning | – | Yes | Yes | –
Self-service password reset for cloud users | – | Yes | Yes | –
Company branding (logon pages / Access Panel customization) | – | Yes | Yes | –
SLA | – | Yes | Yes | Yes

Premium Features | Azure AD Free | Azure AD Basic | Azure AD Premium | Office 365 IAM features
Identity Synchronization Tool advanced write-back capabilities* (FY15 roadmap) | – | – | Yes | –
Self-service group management | – | – | Yes | –
Self-service password reset/change with on-premises write-back | – | – | Yes | –
Advanced usage reporting | – | – | Yes | –
Multi-Factor Authentication (cloud and on-premises (MFA Server)) | – | – | Yes | Limited: cloud-only features for accessing Office 365
Azure AD Application Proxy* | – | – | Yes | –
MIM CAL + MIM Server | – | – | Yes | –
Administrative delegation* (FY15 roadmap) | – | – | Yes | –

* Features in preview (Sept 2014) or in the roadmap
** Advanced functionality on Cloud App Discovery is in the roadmap for FY15 H2
10 apps per user: every user can have a different set of apps, up to ten. MS Online apps (e.g. O365) are counted among these 10.

Page 6: Demo company – Tailspin

Page 7: Company overview

Enterprise historically deployed on-premises. Started to move to cloud applications:
• Office 365
• Workday HR
• Salesforce
• Marketing applications (Twitter, Facebook, etc.)

Page 8: Some people

Drew Fogarty – Director Marketing
• Manages one or more departments
• Authorizes use of SaaS apps for her departments (ex: performance management, expense reports, customer engagement)
• Doesn’t want to be blocked by IT

Melvin Wallen – Marketing lead
• Manages six marketing specialists
• Responsible for granting, approving or validating his reports’ access to resources like apps and documents

Irwin McCray – Social media specialist, starting today
• Very sophisticated consumer of technology

Page 9: Demo – First day at work

Page 10: Azure AD Premium – Putting it all together

Page 11: Overview

• Applications
• Password management
• Access management
• Reports

Page 12: Applications

Page 13: Applications – Key concepts

Pre-integrated:
• Provisioning – inbound or outbound
• Single sign-on – federated, password or existing
• Shared accounts

Add your own:
• Cloud applications – single tenanted, multi tenanted or Gallery
• On-premises – publish an on-premises application for Azure AD access

Page 14: Inbound provisioning – Workday

Import Workday users and groups to Azure AD.

Users are provisioned or joined when they become Workday workers and get accounts. Groups are provisioned and managed from Workday provisioning groups.

Ongoing synchronization:
• Groups
• Users
• Group membership

UPN: Workday userID, or Workday userID + default domain
Group: Workday provisioning group name

Page 15: Workday to Azure AD – User attributes

Azure AD | Workday
jobTitle | Business_Title
givenName | First_Name
surName | Last_Name
department | Job_Family_ID
preferredLanguage | Locale_ID
manager | Manager_Reference
Address (streetAddress; city; state; country; postalCode) | Municipality, Country_Region_Reference, Country_Reference, Postal_Code
displayName | Formatted_Name
telephoneNumber | Phone_Data 'Work'
mailNickname | User_ID
physicalDeliveryOfficeName | Work_Space__Reference
mobilePhone | Phone_Data 'Mobile'

Page 16: Outbound provisioning

Automatic provisioning:
• Profiles or roles and existing assignments are imported on first sync
• Assigned users are provisioned to the application
• Account mapping – application user ID and Azure AD UPN

Automatic de-activation – the user is deactivated in the application (cannot log in by any means) when:
• the account is disabled or deleted in Azure AD
• all assignments are removed
On hard-delete of the Azure AD account, the application user ID is randomized.

Schema mapping modifications
Provisioning and usage reports

Page 17: Salesforce – Default attribute mapping

Salesforce attribute | Azure AD attribute
IsActive | IsSoftDeleted
Alias | userPrincipalName
Email | Mail
EmailEncodingKey | "ISO-8859-1"
LanguageLocaleKey | "en_us"
FirstName | givenName
LastName | surname
LocaleSidKey | preferredLanguage
TimeZoneSidKey | "America/Los_Angeles"
Username | userPrincipalName
UserPermissionsCallCenterAutoLogin | False
UserPermissionsMarketingUser | False
UserPermissionsOfflineUser | False

Page 18: Shared accounts

Multiple users can access the same account.

Protect organizational accounts:
• Administrator controls the password
• Group-based assignment to individuals
• A user can have access to more than one shared account
• Can coexist with user personal accounts

Passwords are protected in your Azure AD tenant.

Page 19: Integrate on-prem apps with Azure AD

End-user portal – Access Panel

Azure AD authentication capabilities:
• Username and password synced from on-prem AD
• Federated login to on-prem or other federation servers
• Multi-factor authentication
• Customized login screen
• Authorization based on user or groups
• SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD

Reports, auditing and security monitoring based on big data and machine learning.

[Diagram: Azure Active Directory (Access Panel Portal, Authentication + MFA, Authorization, Reporting & Auditing, Security Monitoring) reaches resources on the corporate network through the Application Proxy and connectors shown in the DMZ]

Page 20: Application assignments

• Direct user assignment
• Group membership assignment

Groups can be managed on WSAD, Workday or Azure AD. Assignments are constantly updated to reflect ongoing group membership. Self-service group management on Azure AD or on-premises can be used to delegate access control.

Assignment options, depending on application type:
• Default or application role
• SKU/license
• Managed password

Page 21: License management

• Consistent with the application assignment experience
• Supports direct assignment to users or by group membership
• Supported licenses: Enterprise Mobility Suite (Intune, Azure AD RMS, Azure AD Premium), Azure AD Premium, Azure AD Basic, Office 365

Page 22: Demo – Applications

Page 23: Self-service Password Management

Page 24: Password management: Administrator

Password change and reset:
• Azure AD for cloud users
• Windows Server AD for federated SSO and password hash sync users
• Supports FIM/MIM on-premises password sync solutions
• Password management in Azure and Windows Server AD can co-exist

Password complexity:
• Windows Server AD – enforce on-premises policy including complexity, age, and history
• Azure AD pre-canned – strong (default) or weak

Customized user experiences

Page 25: Azure AD password management

Password complexity (per user):
Set-MsolUser -UserPrincipalName <UserPrincipalName> -StrongPasswordRequired <Boolean>

Password expiry (per user):
Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires <Boolean>

User password (administrator reset):
Set-MsolUserPassword -UserPrincipalName <UserPrincipalName> -NewPassword <New Password> -ForceChangePassword <Boolean>

Password expiry policy (per domain):
Set-MsolPasswordPolicy -DomainName <Domain Name> -NotificationDays <Number Of Days> -ValidityPeriod <Number Of Days>
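The cmdlets above are easiest to reason about as one audit-and-remediate pass. The following is an added example (not from the deck or from Microsoft): it reads the tenant's expiry policy and per-user flags with the MSOnline module and tightens whatever is weaker than a chosen baseline. The domain name, the 90-day/14-day baseline and the commented reset are assumptions.

```powershell
# Added example, not from the deck: audit a tenant's password settings with
# the MSOnline cmdlets listed above and tighten the weak ones.
# Assumptions: MSOnline module installed, caller is a tenant admin, and the
# domain name below is a placeholder for one of your verified domains.
Import-Module MSOnline
Connect-MsolService                      # interactive sign-in

$domain = 'tailspinonline.example'       # placeholder domain

# 1. Tenant-wide expiry policy: expire after 90 days, warn 14 days ahead.
$policy = Get-MsolPasswordPolicy -DomainName $domain
"Current policy: validity $($policy.ValidityPeriod) days, notification $($policy.NotificationDays) days"
if ($policy.ValidityPeriod -gt 90 -or $policy.NotificationDays -lt 14) {
    Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14
}

# 2. Per-user flags: every account must require a strong password, and no
#    licensed (human) account should be exempt from expiry.
$users = Get-MsolUser -All
$weak  = @($users | Where-Object { $_.StrongPasswordRequired -ne $true })
$noExp = @($users | Where-Object { $_.PasswordNeverExpires -eq $true -and $_.IsLicensed })

"Users not required to use a strong password : $($weak.Count)"
"Licensed users whose password never expires : $($noExp.Count)"

foreach ($u in $weak) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongPasswordRequired $true
}
# Service accounts sometimes need PasswordNeverExpires; review $noExp before
# running the loop below in a production tenant.
foreach ($u in $noExp) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordNeverExpires $false
}

# 3. Admin security reset for one account (the Set-MsolUserPassword cmdlet
#    from the slide): issue a one-time password and force a change at next
#    sign-in. UPN and password are placeholders; uncomment to use.
# Set-MsolUserPassword -UserPrincipalName 'user@tailspinonline.example' `
#     -NewPassword '<one-time password>' -ForceChangePassword $true
```

The MSOnline module these cmdlets belong to has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the checks translate directly, but the cmdlet names do not.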

Page 26: Password reset: administration

Identity proof: configurable for required and allowed types. Includes phone, text, email, secret questions.

Registration:
• Forced registration on access to MyApps.microsoft.com
• Synchronize from on-premises or Workday
• Private mobile phone number
• Attestation for registration data

Notifications to users and admins
Registration and activity reports
Common uses
Preregister user

Page 27: Password management: End user

Common uses:
• First use / account activation
• Forgot my password
• Admin security reset

Self-service:
• Company branded
• Registration – setting/updating/verifying account recovery information
• Reset – guided experience only shows available gates
• Change user password

Page 28: How it works

Pages 29–35: Password management writeback

[Diagram, repeated on each of these slides: Azure AD and Azure Service Bus in the cloud; the TailspinOnline.com corpnet behind a DMZ, containing Azure AD Connect, AD DS, FIM/MIM and downstream applications]

1. When password writeback is enabled, Azure AD Connect creates a private Service Bus session and listens for password updates.
2. Is the user federated SSO or password sync?
3. For an on-premises user: Azure AD sends the password to Azure AD Connect and attempts to set it on Windows Server AD.
4. The user is informed of the results and can try again if they fail to meet password requirements. Example: "Does NOT meet history requirements – Your password does not meet the password history requirements. Please try again…"
5. Azure AD sends the password to Azure AD Connect and attempts to set it on Windows Server AD.
6. The user is informed of the results: "Success – Password has been reset!!!"
7. FIM/MIM sync pushes the password to other applications.

Page 36: Demo – Setting up SSPR

Page 37: Delegated access management

Page 38: Delegated access management – Overview

Administrator controls: applications, shared accounts, SKUs/licenses
Delegate controls: self-service workflow and approval; add and remove users
End user: self-service access request

Page 39: Demo – Access to Twitter

Page 40: Reporting

Page 41: Security reports

Rule based (free):
• Sign-ins from unknown sources
• Sign-ins after multiple failures
• Sign-ins from multiple geographies

Specialized information:
• Sign-ins from possibly infected devices
• Sign-ins from IP addresses with suspicious activity

Machine learning:
• Irregular sign-in activity

Combined:
• Users with anomalous sign-in activity

Actions: reset password, manage multi-factor auth, ignore event
Download reports
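Two of the rule-based reports above are simple enough to reproduce over a sign-in export, which is useful for understanding what the service flags and for checking your own logs offline. The following is an added example, not the deck's or Microsoft's logic: it runs "sign-ins after multiple failures" and "sign-ins from multiple geographies" over a constructed sign-in log. The field names, the thresholds (5 failures in 10 minutes; two countries within 2 hours) and the sample records are assumptions.

```powershell
# Added example, not from the deck: two rule-based sign-in checks over a
# constructed log. Field names, thresholds and records are assumptions.
$log = @'
time,user,result,country
2014-10-30T08:00:00Z,irwin@tailspinonline.example,Failure,DE
2014-10-30T08:00:20Z,irwin@tailspinonline.example,Failure,DE
2014-10-30T08:00:45Z,irwin@tailspinonline.example,Failure,DE
2014-10-30T08:01:10Z,irwin@tailspinonline.example,Failure,DE
2014-10-30T08:01:30Z,irwin@tailspinonline.example,Failure,DE
2014-10-30T08:02:00Z,irwin@tailspinonline.example,Success,DE
2014-10-30T09:00:00Z,melvin@tailspinonline.example,Success,ES
2014-10-30T09:30:00Z,melvin@tailspinonline.example,Success,BR
2014-10-30T10:00:00Z,drew@tailspinonline.example,Success,ES
2014-10-30T10:05:00Z,drew@tailspinonline.example,Failure,ES
2014-10-30T10:06:00Z,drew@tailspinonline.example,Success,ES
'@ | ConvertFrom-Csv

# Normalise the records: parse timestamps so that time arithmetic works.
$events = $log | ForEach-Object {
    [pscustomobject]@{
        Time    = [datetime]::Parse($_.time).ToUniversalTime()
        User    = $_.user
        Result  = $_.result
        Country = $_.country
    }
} | Sort-Object Time

$findings = @()

foreach ($group in ($events | Group-Object User)) {
    $user = $group.Name
    $seq  = @($group.Group)

    # Rule 1: a successful sign-in preceded by >= 5 failures in the prior 10 min
    # (the "sign-ins after multiple failures" report).
    for ($i = 0; $i -lt $seq.Count; $i++) {
        if ($seq[$i].Result -ne 'Success') { continue }
        $windowStart = $seq[$i].Time.AddMinutes(-10)
        $failures = @($seq[0..$i] | Where-Object {
            $_.Result -eq 'Failure' -and $_.Time -ge $windowStart })
        if ($failures.Count -ge 5) {
            $findings += [pscustomobject]@{
                Rule   = 'SignInAfterMultipleFailures'
                User   = $user
                Detail = "$($failures.Count) failures before $($seq[$i].Time.ToString('u'))"
            }
        }
    }

    # Rule 2: consecutive successes from different countries within 2 hours
    # (the "sign-ins from multiple geographies" report).
    $ok = @($seq | Where-Object { $_.Result -eq 'Success' })
    for ($i = 1; $i -lt $ok.Count; $i++) {
        $prev = $ok[$i - 1]; $cur = $ok[$i]
        $gap  = $cur.Time - $prev.Time
        if ($prev.Country -ne $cur.Country -and $gap.TotalHours -le 2) {
            $findings += [pscustomobject]@{
                Rule   = 'SignInsFromMultipleGeographies'
                User   = $user
                Detail = "$($prev.Country) -> $($cur.Country) in $([int]$gap.TotalMinutes) min"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

With the sample data this flags irwin (five failures then a success) and melvin (ES then BR thirty minutes apart) and leaves drew alone; the real reports add signals a log export does not carry, such as device and IP reputation.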

Page 42: Operational reports

Activity:
• Audit (free)
• Password reset activity
• Password reset registration activity

Application management:
• Application usage
• Account provisioning activity (free)
• Account provisioning errors (free)

Page 43: Reporting services – Overview

[Diagram: Reporting services, with User Activity and Devices, SaaS Apps and Location as data sources and UI, Notifications and APIs as the channels through which reports are consumed]

Page 44: Demo – Reports

Page 45: Related content

Microsoft Solutions Experience Location (MSE)

• Tue, Oct 28, 3:15 PM-4:30 PM, EM-B214: Privileged Access Management for Active Directory
• Wed, Oct 29, 8:30 AM-9:45 AM, EM-B316: Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
• Wed, Oct 29, 3:15 PM-4:30 PM, EM-B319: Microsoft Identity Manager vNext Overview
• Wed, Oct 29, 3:15 PM-4:30 PM, CDP-B210: Cloud Identity: Microsoft Azure Active Directory Explained
• Wed, Oct 29, 5:00 PM-6:15 PM, EM-B318: Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
• Thu, Oct 30, 10:15 AM-11:30 AM, CDP-B312: Microsoft Azure Active Directory Premium, in Depth
• Fri, Oct 31, 2:45 PM-4:00 PM, EM-B313: Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
• Thu, Oct 30, 12:00 PM-1:15 PM, EM-B310: Active Directory + BYOD = Peace of Mind
• Thu, Oct 30, 5:00 PM-6:15 PM, DEV-B322: Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
• Fri, Oct 31, 8:30 AM-9:45 AM, CDP-B207: Securing Organizations: Azure Active Directory Intelligence as a Differentiator

Page 46: Resources

• Learning – Microsoft Certification & Training Resources: www.microsoft.com/learning
• Developer Network: http://developer.microsoft.com
• TechNet – Resources for IT Professionals: http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Page 47: For more information

Come visit us in the Microsoft Solutions Experience (MSE)! Look for the Cloud and Datacenter Platform area, TechExpo Hall 7.

• Windows Server Technical Preview: http://technet.microsoft.com/library/dn765472.aspx
• Microsoft Azure: http://azure.microsoft.com/en-us/
• System Center Technical Preview: http://technet.microsoft.com/en-us/library/hh546785.aspx
• Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Page 48: Azure training and certification

Course | Classroom training (MOC) | Online training (MVA) | Exam
Microsoft Azure Fundamentals | MOC 10979 (coming soon) | MVA (coming soon) | –
Developing Microsoft Azure Solutions | MOC 20532 | MVA | Exam 532
Implementing Microsoft Azure Infrastructure Solutions | MOC 20533 | MVA | Exam 533
Architecting Microsoft Azure Solutions | coming soon | coming soon | Exam 534

http://bit.ly/Azure-Cert
http://bit.ly/Azure-MVA
http://bit.ly/Azure-Train

Get certified for 1/2 the price at TechEd Europe 2014! http://bit.ly/TechEd-CertDeal


Page 51

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.