Microsoft Azure Active Directory Premium
Eran Dvir – Program Manager Azure AD
CDP-B312
What is Azure Active Directory?
A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.
It is available in three editions: Free, Basic and Premium.
Identity as the control plane
Azure Active Directory editions feature comparison + Office 365 IAM features

| Feature | Azure AD Free | Azure AD Basic | Azure AD Premium | Office 365 IAM features |
|---|---|---|---|---|
| Common Features | | | | |
| Directory as a Service | 500,000 Object Limit | No Object Limit | No Object Limit | No Object Limit for Office 365 user accounts |
| User/Group Management (add/update/delete) | Yes | Yes | Yes | Yes |
| SSO to pre-integrated SaaS Applications / Custom Apps | 10 apps per user | 10 apps per user | No Limit | 10 apps per user |
| User-based access management/provisioning | Yes | Yes | Yes | Yes |
| Self-Service Password Change for cloud users | Yes | Yes | Yes | Yes |
| Identity Synchronization Tool (Windows Server AD integration, Multi Forest) | Yes | Yes | Yes | Yes |
| Security Reports | 3 Basic Reports | 3 Basic Reports | Advanced Security Reports | 3 Basic Reports |
| Cloud App Discovery* | Yes (Basic) | Yes (Basic) | Yes (Advanced)** | Yes (Basic) |
| Premium + Basic Features | | | | |
| Group-based access management/provisioning | | Yes | Yes | |
| Self-Service Password Reset for cloud users | | Yes | Yes | |
| Company Branding (Logon Pages/Access Panel customization) | | Yes | Yes | |
| SLA | | Yes | Yes | Yes |
| Premium Features | | | | |
| Identity Synchronization Tool advanced write-back capabilities* (FY15 Roadmap) | | | Yes | |
| Self-Service Group Management | | | Yes | |
| Self-Service Password Reset/Change with on-premises write-back | | | Yes | |
| Advanced Usage Reporting | | | Yes | |
| Multi-Factor Authentication (Cloud and On-premises (MFA Server)) | | | Yes | Limited: cloud-only features for accessing Office 365 |
| Azure AD Application Proxy* | | | Yes | |
| MIM CAL + MIM Server | | | Yes | |
| Administrative Delegation* (FY15 Roadmap) | | | Yes | |

* Features in Preview (Sept 2014) or in the roadmap
** Advanced functionality on Cloud App Discovery is in the roadmap for FY15 H2
10 apps per user: every user can have a different set of apps, up to ten. MS Online apps (e.g. O365) are counted among these 10.
Demo company: Tailspin
Company overview: an enterprise historically deployed on-premises that has started to move to cloud applications: Office 365, Workday HR, Salesforce, and marketing applications (Twitter, Facebook, etc.)
Some people:
Drew Fogarty, Director Marketing
• Manages one or more departments
• Authorizes use of SaaS apps for her departments (ex: performance management, expense reports, customer engagement)
• Doesn't want to be blocked by IT
Melvin Wallen, Marketing lead
• Manages six marketing specialists
• Responsible for granting, approving or validating his reports' access to resources like apps and documents
Irwin McCray, Social media specialist - starting today
• Very sophisticated consumer of technology
Demo: First day at work
Azure AD Premium – Putting it all together
Overview: Applications | Password management | Access management | Reports
Applications
Applications - Key concepts
Pre-integrated:
• Provisioning – Inbound or Outbound
• Single Sign-on – Federated, Password or Existing
• Shared accounts
Add your own:
• Cloud applications – Single tenanted, multi tenanted or Gallery
• On-premises – publish an on-premises application for Azure AD access
Inbound provisioning - Workday
Import Workday users and groups to Azure AD. Users are provisioned or joined when they become Workday workers and get accounts. Groups are provisioned and managed from Workday provisioning groups.
Ongoing synchronization: Groups, Users, Group membership
UPN:
• Workday userID, or…
• Workday userID + default domain
Group: Workday provisioning group name
Workday to Azure AD – User attributes

| Azure AD | Workday |
|---|---|
| jobTitle | Business_Title |
| givenName | First_Name |
| surName | Last_Name |
| department | Job_Family_ID |
| preferredLanguage | Locale_ID |
| manager | Manager_Reference |
| Address (streetAddress; city; state; country; postalCode) | Municipality, Country_Region_Reference, Country_Reference, Postal_Code |
| displayName | Formatted_Name |
| telephoneNumber | Phone_Data 'Work' |
| mailNickname | User_ID |
| physicalDeliveryOfficeName | Work_Space__Reference |
| mobilePhone | Phone_Data 'Mobile' |
Outbound provisioning
Automatic provisioning:
• Profiles or roles and existing assignments are imported on first sync
• Assigned users are provisioned to the application
• Account mapping - application user ID and Azure AD UPN
Automatic de-activation: the user is deactivated in the application (cannot log in by any means) when:
• The account is disabled or deleted in Azure AD
• All assignments are removed
• On hard-delete of the Azure AD account, the application user ID is randomized
Schema mapping modifications
Provisioning and usage reports
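The provisioning and de-activation rules above, as an added Python example that is not Microsoft's provisioning code: it reconciles an application's current user list against Azure AD account states and assignments (direct or by group) and emits a provision, deactivate, keep or randomize-id action per user. The account states, group names and user data are constructed for the example.

```python
"""Reconciling application assignments with Azure AD account state.

Added example, not Microsoft's provisioning code. It applies the outbound
provisioning rules above: assigned users are provisioned; a user whose account
is disabled or deleted, or has lost every assignment, is deactivated; on hard
delete the application user ID is randomized. All data is constructed.
"""
import secrets

def effective_assignments(direct, groups, memberships):
    """Users assigned to the application directly or through an assigned group."""
    assigned = set(direct)
    for group in groups:
        assigned |= set(memberships.get(group, ()))
    return assigned

def reconcile(provisioned, accounts, direct, groups, memberships):
    """Return {upn: action}. provisioned: {upn: app user ID} present in the app;
    accounts: {upn: enabled|disabled|deleted}, a missing UPN is hard-deleted."""
    assigned = effective_assignments(direct, groups, memberships)
    actions = {}
    for upn in set(provisioned) | assigned:
        state = accounts.get(upn, "hard-deleted")
        if upn in provisioned:
            if state == "hard-deleted":
                actions[upn] = "randomize-id"   # account gone: scramble app user ID
            elif state != "enabled" or upn not in assigned:
                actions[upn] = "deactivate"     # cannot log in by any means
            else:
                actions[upn] = "keep"
        elif state == "enabled":
            actions[upn] = "provision"          # newly assigned, enabled account
        # an assigned but disabled/deleted account is never provisioned
    return actions

def randomized_app_id():
    """Replacement application user ID that no longer identifies the former user."""
    return "deleted-" + secrets.token_hex(8)

def run_sample():
    """Constructed Tailspin-style data that exercises every rule."""
    provisioned = {"dfogarty": "dfogarty.sf", "mwallen": "mwallen.sf",
                   "jdoe": "jdoe.sf", "exstaff": "exstaff.sf"}
    accounts = {"dfogarty": "enabled", "mwallen": "disabled", "jdoe": "enabled",
                "imccray": "enabled", "tmp": "deleted"}   # exstaff: hard-deleted
    memberships = {"Marketing": ["dfogarty", "mwallen", "imccray", "tmp"]}
    return reconcile(provisioned, accounts, direct=[], groups=["Marketing"],
                     memberships=memberships)
```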
Salesforce – Default attribute mapping

| Salesforce attribute | Azure AD attribute |
|---|---|
| IsActive | IsSoftDeleted |
| Alias | userPrincipalName |
| Email | Mail |
| EmailEncodingKey | "ISO-8859-1" (constant) |
| LanguageLocaleKey | "en_us" (constant) |
| FirstName | givenName |
| LastName | surname |
| LocaleSidKey | preferredLanguage |
| TimeZoneSidKey | "America/Los_Angeles" (constant) |
| Username | userPrincipalName |
| UserPermissionsCallCenterAutoLogin | False (constant) |
| UserPermissionsMarketingUser | False (constant) |
| UserPermissionsOfflineUser | False (constant) |
Shared accounts
Multiple users can access the same account.
Protect organizational accounts:
• The administrator controls the password
• Group-based assignment to individuals
• A user can have access to more than one shared account
• Can coexist with user personal accounts
Passwords are protected in your Azure AD tenant.
Integrate on-prem apps with Azure AD
End-user portal – Access Panel
Azure AD authentication capabilities:
• Username and password synced from on-prem AD
• Federated login to on-prem or other federation servers
• Multi-factor authentication
• Customized login screen
• Authorization based on user or groups
• SSO to Office 365, thousands of SaaS apps and all applications integrated with AAD
Reports, auditing and security monitoring based on big data and machine learning.
[Diagram: Azure Active Directory Application Proxy – resources on the corporate network are reached through connectors in the DMZ; Azure AD provides the Access Panel Portal, Authentication + MFA, Reporting & Auditing, Security Monitoring and Authorization]
Application assignments
• Direct user assignment
• Group membership assignment
Groups can be managed in WSAD, Workday or Azure AD. Assignments are constantly updated to reflect ongoing group membership. Self-service group management on Azure AD or on-premises can be used to delegate access control.
Assignment options, depending on application type: Default or Application role; SKU/license; Managed password
License management
Consistent with the application assignment experience; supports direct assignment to users or by group membership.
Supported licenses: Enterprise Mobility Suite (Intune, Azure AD RMS, Azure AD Premium), Azure AD Premium, Azure AD Basic, Office 365
Demo: Applications
Self-service Password Management
Password change and reset:
• Azure AD for cloud users
• Windows Server AD for federated SSO and password hash sync users
• Supports FIM/MIM on-premises password sync solutions
• Password management in Azure and Windows Server AD can co-exist
Password complexity:
• Windows Server AD - enforce the on-premises policy including complexity, age, and history
• Azure AD pre-canned - strong (default) or weak
Customized user experiences
Password management: Administrator
Azure AD password management cmdlets (MSOnline PowerShell module):
Password expiry: Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires <Boolean>
User password: Set-MsolUserPassword -UserPrincipalName <UserPrincipalName> -NewPassword <New Password> -ForceChangePassword <Boolean>
Password expiry policy: Set-MsolPasswordPolicy -DomainName <Domain Name> -NotificationDays <Number Of Days> -ValidityPeriod <Number Of Days>
Password complexity: Set-MsolUser -UserPrincipalName <UserPrincipalName> -StrongPasswordRequired <Boolean>
Password reset: administration
Identity proof: configurable for required and allowed types; includes phone, text, email, secret questions
Registration:
• Forced registration on access to MyApps.microsoft.com
• Synchronize from on-premises or Workday
• Private mobile phone number
• Attestation for registration data
Notifications to users and admins
Registration and activity reports
Common uses: preregister user
Password management: End user
Common uses: first use/account activation; forgot my password; admin security reset
Self-service:
• Company branded
• Registration – setting/updating/verifying account recovery information
• Reset - guided experience only shows available gates
• Change user password
How it works: password management writeback
Components: the TailspinOnline.com corpnet hosts Azure AD Connect, AD DS, FIM/MIM and the applications behind a DMZ; Azure AD reaches Azure AD Connect through an Azure Service Bus session.
1. When password writeback is enabled, Azure AD Connect creates a private Service Bus session and listens for password updates.
2. On a reset, Azure AD checks whether the user is a federated SSO or password sync user (on-premises) or a cloud-only user.
3. For an on-premises user, Azure AD sends the password to Azure AD Connect, which attempts to set it on Windows Server AD.
4. The user is informed of the result and can try again if the password fails to meet the requirements, for example: "Does NOT meet history requirements – Your password does not meet the password history requirements. Please try again…"
5. On success ("Password has been reset!!!"), FIM/MIM sync pushes the password to other applications.
Demo: Setting up SSPR
Delegated access management
Administrator controls: Applications; Shared accounts; SKUs/Licenses
Delegate controls: Self-service workflow and approval; Add and remove users
End user: Self-service access request
Overview
Demo: Access to Twitter
Reporting
Security reports
Rule based (free): Sign-ins from unknown sources; Sign-ins after multiple failures; Sign-ins from multiple geographies
Specialized information: Sign-ins from possibly infected devices; Sign-ins from IP addresses with suspicious activity
Machine learning: Irregular sign-in activity
Combined: Users with anomalous sign-in activity
Actions: Reset password; Manage Multi-factor auth; Ignore event
Download reports
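The three rule-based security report checks above, as an added Python example (not Azure AD's reporting service): it runs the rules over a handful of constructed sign-in records and combines the hits per user, the way the combined "users with anomalous sign-in activity" report does. The corporate IP prefixes, thresholds, time windows and records are assumptions.

```python
"""Rule-based sign-in checks over constructed sign-in records.

Added example, not Azure AD's own report logic. It implements the three rule
based checks listed above (sign-ins from unknown sources, sign-ins after
multiple failures, sign-ins from multiple geographies) and combines the hits
per user. Thresholds, field layout and the sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_NETS = ("10.", "192.0.2.")      # assumed corporate egress prefixes
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=15)
GEO_WINDOW = timedelta(hours=1)

# Constructed records: (timestamp, user, source IP, country, result).
SIGNINS = [
    ("2014-09-10T08:00:00", "imccray", "10.1.4.7", "NL", "success"),
    ("2014-09-10T08:20:00", "mwallen", "203.0.113.9", "NL", "failure"),
    ("2014-09-10T08:21:00", "mwallen", "203.0.113.9", "NL", "failure"),
    ("2014-09-10T08:22:00", "mwallen", "203.0.113.9", "NL", "failure"),
    ("2014-09-10T08:23:00", "mwallen", "203.0.113.9", "NL", "success"),
    ("2014-09-10T09:00:00", "dfogarty", "10.1.4.20", "NL", "success"),
    ("2014-09-10T09:30:00", "dfogarty", "198.51.100.5", "BR", "success"),
]

def parse(rec):
    stamp, user, ip, country, result = rec
    return datetime.fromisoformat(stamp), user, ip, country, result

def detect(signins):
    """Return {user: set of rule names} for users with anomalous sign-ins."""
    hits, by_user = defaultdict(set), defaultdict(list)
    for rec in sorted(map(parse, signins)):
        by_user[rec[1]].append(rec)
    for user, events in by_user.items():
        failures, successes = [], []   # recent failure times; (time, country)
        for stamp, _, ip, country, result in events:
            if result != "success":
                failures.append(stamp)
                continue
            if not ip.startswith(KNOWN_NETS):
                hits[user].add("unknown source")
            failures = [f for f in failures if stamp - f <= FAIL_WINDOW]
            if len(failures) >= FAIL_THRESHOLD:
                hits[user].add("success after multiple failures")
            if any(c != country and stamp - t <= GEO_WINDOW for t, c in successes):
                hits[user].add("multiple geographies")
            successes.append((stamp, country))
    return dict(hits)
```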
Operational reports
Activity / Audit (free): Password reset activity; Password reset registration activity
Application Management: Application usage; Account provisioning activity (free); Account provisioning errors (free)
Overview
Reporting services cover user activity and devices, SaaS apps and location, and are surfaced through the UI, notifications and APIs.
Demo: Reports
Related content
Microsoft Solutions Experience Location (MSE)
Tue, Oct 28 3:15 PM-4:30 PM EM-B214 Privileged Access Management for Active Directory
Wed, Oct 29 8:30 AM-9:45 AM EM-B316 Directory Integration: Creating One Directory with Active Directory and Azure Active Directory
Wed, Oct 29 3:15 PM-4:30 PM EM-B319 Microsoft Identity Manager vNext Overview
Wed, Oct 29 3:15 PM-4:30 PM CDP-B210 Cloud Identity: Microsoft Azure Active Directory Explained
Wed, Oct 29 5:00 PM-6:15 PM EM-B318 Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy
Thu, Oct 30 10:15 AM-11:30 AM CDP-B312 Microsoft Azure Active Directory Premium, in Depth
Fri, Oct 31 2:45 PM-4:00 PM EM-B313 Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud
Thu, Oct 30 12:00 PM-1:15 PM EM-B310 Active Directory + BYOD = Peace of Mind
Thu, Oct 30 5:00 PM-6:15 PM DEV-B322 Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
Fri, Oct 31 8:30 AM-9:45 AM CDP-B207 Securing Organizations: Azure Active Directory Intelligence as a Differentiator
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
Developer Network
http://developer.microsoft.com
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Come visit us in the Microsoft Solutions Experience (MSE)! Look for the Cloud and Datacenter Platform area, TechExpo Hall 7
For more information:
• Windows Server Technical Preview: http://technet.microsoft.com/library/dn765472.aspx
• Microsoft Azure: http://azure.microsoft.com/en-us/
• System Center Technical Preview: http://technet.microsoft.com/en-us/library/hh546785.aspx
• Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
Azure training and certification
• Classroom training (MOC): 10979 Microsoft Azure Fundamentals (coming soon); 20532 Developing Microsoft Azure Solutions; 20533 Implementing Microsoft Azure Infrastructure Solutions
• Online training (MVA): Microsoft Azure Fundamentals (coming soon); Developing Microsoft Azure Solutions; Implementing Microsoft Azure Infrastructure Solutions; Architecting Microsoft Azure Solutions (coming soon)
• Exams: 532 Developing Microsoft Azure Solutions; 533 Implementing Microsoft Azure Infrastructure Solutions; 534 Architecting Microsoft Azure Solutions (coming soon)
• http://bit.ly/Azure-Cert | http://bit.ly/Azure-MVA | http://bit.ly/Azure-Train
Get certified for 1/2 the price at TechEd Europe 2014! http://bit.ly/TechEd-CertDeal
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.