MIM 2016
Oliver Ryf
Digicomp Microsoft Evolution Day 2015
Agenda
Welcome
Speaker introduction
PowerShell Desired State Configuration
Q&A
Further courses
Speaker introduction
IT trainer since 1991
MCSE and MCT since 1995
Since 2000 various projects in Windows/Office migrations, Active Directory, infrastructure, Hyper-V and Azure Cloud
Trainer at Digicomp since 2006
Since 2014 Principal Consultant and Cloud Architect at UP-Great AG, Fehraltorf
IAM: a comprehensive solution
Windows Server
• Active Directory is the primary authentication source in companies
• Active Directory Federation Services integrates AD with Azure AD and MFA
• Web Application Proxy allows edge pre-authentication
• Enables conditional access for resources
Microsoft Identity Manager
• Provides self-service identity management
• Automates lifecycle management across heterogeneous platforms
• Allows defining extensive policies to enforce corporate rules for identity and access
Azure Active Directory
• Cloud directory
• Cloud authentication
• Azure Active Directory Premium includes Multi-Factor Authentication and server and user CALs for Identity Manager
MIM for end-to-end IAM policies
(diagram: on-premises and private cloud, Azure Active Directory, Azure AD App Proxy, your apps)
Identity Manager capabilities
(diagram: identity stores: cloud services, databases, directories, applications; policies and workflow: request, permission, AuthN, AuthZ, action, service DB; clients: Windows, Outlook, portal, custom)
Identity Manager platform scenarios: identity synchronization, role management, certificate management, group management, password reset
MIM 2016
Up-To-Date
Updated platform support
Certificate Management updated
Self-service account unlock added!!
Privileged Access Mgmt
Improved protection of admins
Just In Time (JIT) admin access
Auditing for alerts and reports
MIM 2016
Hybrid IAM
Self-service password reset with Azure MFA as a gate
Hybrid reporting
AAD and Office365 integration
Privileged Access Management
Privileged accounts: the risk
(attack timeline)
Research & preparation
First workstation compromised
24-48 hours
Domain admin compromised
Data exfiltration (attacker undetected)
11-14 months
Attack discovered
The solution: Just-in-Time admin access
Prepare: Which users have privileged access rights based on AD groups?
Protect: Step-up lifecycle and AuthN protection of privileged user accounts
Operate: Users can request Just In Time (JIT) and Just Enough administrator access privileges
Monitor: Additional auditing, alerts & reports of privileged access requests
Just-in-Time Solution Focus
Domain account Authentication and Authorization
Managing privileged access with:
Step-up and Proof-up
Isolation/scoping of privileges
Additional logging
Customizable workflow
JIT solution architecture
(diagram) Existing AD forest(s), WS 2003 or later, with the existing FIM, existing apps and an existing trust; a separate Privileged Access Management forest with Microsoft Identity Manager configured for PAM on AD DS vNext; an optional trust for admin access; the user sends access requests.
Example from the diagram:
User: PRIV\JenAdmin
Groups: CORP\Resource Admins
Refresh after: 60 minutes
PAM role: group "Resource Admins", domain CORP, candidate "Jen"; time-based memberships give the PRIV user "JenAdmin" its membership in group "Resource Admins".
Functional architecture
(diagram) A PAM request enters via PowerShell (New-PAMRequest) into the MIM Service, where an MPR triggers the AuthZ workflow and the Action workflow; the MIM Service DB holds the User, Group and PAM Role objects; the outcome is recorded in the Event Log and reflected in AD DS vNext; the requester checks the result with runas and whoami /groups.
PAM request
PowerShell: New-PAMRequest
REST API (web pages)
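The JIT flow from the architecture and request slides, as an added PowerShell example (not the speaker's code): the PAM role is set up once on the MIM PAM server in the PRIV forest, then the candidate requests it from a PAM client and checks the time-limited membership. The role name "Resource Admins Role", the domain controller name corpdc.corp.local and the TTL value are assumptions.

```powershell
# Added example, not from the deck. Assumes the PRIV forest already runs MIM
# configured for PAM with a trust to CORP, as shown on the architecture slide.

# --- On the MIM PAM server (PRIV forest): one-time role setup -----------------
Import-Module MIMPAM

# CORP credentials with rights to read the source group and user objects
$corpCred = Get-Credential -Message "CORP account for reading source objects"

# Mirror CORP\Resource Admins (the group on the slide) into the PRIV forest.
# The DC name corpdc.corp.local is an assumption.
$pg = New-PAMGroup -SourceGroupName "Resource Admins" -SourceDomain CORP `
                   -SourceDC corpdc.corp.local -Credentials $corpCred

# Create the PRIV-side privileged account for CORP user Jen
# (the deck labels it PRIV\JenAdmin)
$pu = New-PAMUser -SourceDomain CORP -SourceAccountName Jen -Credentials $corpCred

# Tie candidate and privilege together in a PAM role; TTL is in seconds,
# so 3600 matches "Refresh after: 60 minutes" on the slide.
$role = New-PAMRole -DisplayName "Resource Admins Role" -Privileges $pg `
                    -Candidates $pu -TTL 3600

# --- On a PAM client, logged on as the PRIV account (e.g. started via runas) ---
Import-Module MIMPAM

# Pick the role the logged-on PRIV user is a candidate for and request it;
# the MIM Service evaluates its MPR/AuthZ workflow and logs the request.
$r = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq "Resource Admins Role" }
New-PAMRequest -Role $r

# Inspect request state (pending / approved / expired) for troubleshooting
Get-PAMRequest

# The group appears only in a new logon token, so open a fresh session
# (runas /user:PRIV\JenAdmin powershell) and verify; after the TTL the
# membership disappears again without any manual cleanup.
whoami /groups | findstr /i "Resource Admins"
```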
Hybrid Identity Management
Hybrid IAM with MIM vNext
Hybrid MIM Reporting
Hybrid Sync
SSPR with Azure Phone Authentication
O365 Integration
IAM Reporting & Auditing: Status
FIM activity reports delivered via System Center Service Manager
FIM 2010 R2
IAM Reporting & Auditing: Current State
Azure AD activity reports from the Azure portal
Azure AD Reports
Hybrid Reporting
Adding scenario-based reporting
Hybrid (new):
Reports can ship with Azure portal updates
Easier to deploy using cloud storage
Easier to generate custom reports
Existing (FIM):
Reports show on FIM Service DB changes
Reports ship as part of FIM major releases
May require separate SQL and SCDW hosts
Custom reports require SCDW skills
Hybrid Reporting: Unified Experience
Provisioning and Synchronization
(diagram: HR system -> MIM -> Manager, Active Directory, Exchange, LDAP, Oracle DB, Finance; new employee / departing employee)
Provisioning and Synchronization (hybrid)
(diagram: HR system -> MIM -> Manager, Windows Server Active Directory, LDAP, Oracle DB, Finance; Azure AD Sync -> Microsoft Azure Active Directory -> Exchange Online, SharePoint Online, Azure, SaaS app)
AAD and MIM Sync: roadmap, current, before
SSPR with MFA Gate
SSPR with Phone AuthN
New "Phone Gate" activity for implementing an additional phone AuthN as part of an SSPR workflow
MIM Modernization
MIM 2016: modern features
Self-service account unlock
• With BYOD devices it happens more often that accounts get locked after a password change
• Enabling self-service account unlocking (without password reset)
Certificate Management modernization
• Modern app for self-service
• New REST API
• OAuth 2 enabled
• CM server support for AD multi-forests
Support for "current" platforms
• Windows Server 2012 R2 and later, SQL Server 2014, SharePoint 2013, Exchange 2013, Visual Studio 2013, ...
Certificate Management with a Windows Store app
Q&A
Further courses
Company-specific workshops