Empowering people-centric IT Unified device management Desktop Virtualization Hybrid Identity Access and information protection Users Devices Apps Data Hybrid Identity √ Unify your environment Enable users Protect your data Create a centralized identity across on-premises and cloud Use identity.
Empowering people-centric IT Unified device management Desktop Virtualization Hybrid Identity Access and information protection
Users Devices Apps Data
Hybrid Identity
Unify your environment
- Create a centralized identity across on-premises and cloud
- Use identity federation to maintain centralized authentication and securely share and collaborate with external users and businesses
Enable users
- Provide users with self-service experiences to keep them productive
- Enable single sign-on for users across all the resources they need access to
Protect your data
- Enforce strong authentication when users access resources and apply conditional access controls to sensitive company information
- Configure single sign-on across all company applications
- Ensure compliance with governance, attestation and reporting
A centralized and consistent corporate identity
HR System: givenName = Samantha, surname = Dearing, employeeID = 007
Database: title = Coordinator
Exchange: e-mail = [email protected]
LDAP: telephone = 555-123-4567
Identity Manager creates a compilation of these attributes with validation and keeps this in sync with all identity realms:
givenName = Samantha, surname = Dearing, title = Coordinator, employeeID = 007, e-mail = [email protected], telephone = 555-123-4567
Identity attributes are often located in multiple repositories, reached through SQL (ODBC), Web Services (SOAP, JAVA, REST), PowerShell and LDAP v3.
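The slide above describes the identity manager pulling one person's attributes out of several repositories, validating them and keeping every realm in sync. The following is an added example, not code from the slide deck or from any Microsoft product: it compiles a central record from constructed HR, database, Exchange and LDAP snapshots using a per-attribute precedence list, rejects values that fail validation, and reports every repository copy that has drifted from the central record. The repository names, records, precedence rules, validators and the e-mail address are all assumptions made for the example.

```python
"""Added example (not from the slide deck): an identity-manager style
compilation of one person's attributes from several repositories, with a
per-attribute source precedence, validation, and drift detection.
Repository names, records, rules and the e-mail address are all constructed."""
import re
from typing import Callable

# Constructed snapshot of what each repository currently holds for one person.
# The LDAP copy of "title" is deliberately stale to show drift detection.
SOURCES: dict[str, dict[str, str]] = {
    "hr":       {"givenName": "Samantha", "surname": "Dearing", "employeeID": "007"},
    "database": {"title": "Coordinator", "employeeID": "007"},
    "exchange": {"email": "samantha.dearing@example.com"},
    "ldap":     {"telephone": "555-123-4567", "title": "Co-ordinator"},
}

# Which repository is authoritative for each attribute, most trusted first.
PRECEDENCE: dict[str, list[str]] = {
    "givenName":  ["hr"],
    "surname":    ["hr"],
    "employeeID": ["hr", "database"],
    "title":      ["database", "ldap"],
    "email":      ["exchange"],
    "telephone":  ["ldap"],
}

# Validation applied before a value is accepted into the central record.
VALIDATORS: dict[str, Callable[[str], bool]] = {
    "employeeID": lambda v: re.fullmatch(r"\d{3,}", v) is not None,
    "email":      lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,
    "telephone":  lambda v: re.fullmatch(r"\d{3}-\d{3}-\d{4}", v) is not None,
}


def compile_identity(sources: dict[str, dict[str, str]],
                     precedence: dict[str, list[str]] = PRECEDENCE) -> dict[str, str]:
    """Build the central record: for each attribute take the first authoritative
    source that has a value, rejecting values that fail validation."""
    record: dict[str, str] = {}
    for attr, order in precedence.items():
        for src in order:
            value = sources.get(src, {}).get(attr)
            if value is None:
                continue
            check = VALIDATORS.get(attr)
            if check is not None and not check(value):
                raise ValueError(f"{src}.{attr}={value!r} failed validation")
            record[attr] = value
            break  # the higher-precedence source wins
    return record


def find_drift(record: dict[str, str],
               sources: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    """List every repository copy that disagrees with the central record as
    (source, attribute, value_in_source, value_in_record); these are the
    writes a sync engine would make to bring the realms back in line."""
    drift: list[tuple[str, str, str, str]] = []
    for src, attrs in sources.items():
        for attr, value in attrs.items():
            if attr in record and record[attr] != value:
                drift.append((src, attr, value, record[attr]))
    return drift


if __name__ == "__main__":
    central = compile_identity(SOURCES)
    print(central)
    for src, attr, stale, current in find_drift(central, SOURCES):
        print(f"{src}.{attr}: {stale!r} -> {current!r}")
```

Precedence lives on the attribute, not the repository, because the HR system is authoritative for names while the directory is the better source for a telephone number; validation runs before a value is accepted so that a bad value in one feed cannot be propagated to every other realm.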
Common Identity with Sync and Federation
Synchronization: user attributes are synchronized, including the password hash; authentication can be completed against either Azure Active Directory or Windows Server Active Directory. Write back of attributes supports cloud first and co-existence.
Federation: user attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
Direct to cloud identity sync
Azure Active Directory Sync provides the ability to sync disparate on-premises identity repositories (Web Services (SOAP, JAVA, REST), LDAP v3, PowerShell, SQL (ODBC)) directly to Azure Active Directory.
Identity Federation
- Organizations can connect to SaaS applications running in Azure, Office 365 and 3rd party providers
- Organizations can federate with partners and other organizations for seamless access to shared resources
- Enhancements to AD FS include simplified deployment and management
- Conditional access with multi-factor authentication is provided on a per application basis, leveraging user identity, device registration & network location
- Published applications
Office 365 & Windows Intune Identity Models
Cloud Identity: single identity in the cloud, suitable for small organizations with no integration to on-premises directories
Directory Sync: single identity suitable for medium and large organizations, with passwords stored both on-premises and in the cloud, without federation
Federated Identity: single federated identity and credentials suitable for medium and large organizations, with passwords stored only on-premises
Provide users with self-service experiences
Users can reset their passwords significantly reducing help desk burden and costs.
Users can edit their profile details to update and add missing information
Users can onboard new users and contractors into their teams and provide access to required resources
Self-service group management, including dynamic membership calculation in these groups and distribution lists, based on the user's attributes
All changes and updates are workflow and policy driven with approval routing as appropriate
Cloud based self-service experiences
Users can manage access requests through self-service group management
Users can edit their profile details to update and add missing information
Users can easily access the SaaS apps they need, using their existing Active Directory credentials
Self-service password change and reset for cloud users
Leverage existing investments in Active Directory for a single set of user credentials
Provide users with single sign-on experiences
Users gain seamless access to Office 365, Windows Intune and other Microsoft cloud apps
Users can sign on to 3rd party SaaS apps with their company credentials
Sync or federate users to Azure Active Directory for single sign-on to cloud apps
Users can access all their company resources with a single set of credentials
Leverage existing investments in Active Directory for a single set of user credentials
Single sign-on to Office 365 and Windows Intune
Directory Sync: when an Active Directory user logs on, their synchronized credentials are used to authenticate against Azure Active Directory
Cloud Identity: a user with a cloud-only identity can sign in to Office 365 and Windows Intune using their Azure Active Directory credentials
Federated Identity: when an Active Directory user logs on, the authentication is passed back and validated against Windows Server Active Directory
Active Directory for the cloud
Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises.
Manage Active Directory using Windows PowerShell, use the improved deployment experience and leverage the Active Directory Administrative Center for centralized management.
Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning.
Developers can integrate applications for single sign-on across on premises and cloud based applications.
Activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure.
Azure Active Directory
Easily add custom cloud-based apps. Facilitate developers with identity management.
Sync identity or provide federated identity for single sign-on. Choose among hundreds of popular SaaS apps from a pre-populated application gallery.
Add multi-factor authentication for additional user identity verification.
Comprehensive cloud-based identity and access management combining directory services, identity governance, application access management and a developer's identity management platform.
Administrators have access to security reporting that tracks inconsistent access patterns and can view users who signed in from unknown sources.
User, Devices, Apps & Data
1. The user attempts to log in or perform an action that is subject to MFA
2. When the user authenticates, the application or service performs an MFA call
3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app
4. The response is returned to the app, which then allows the user to proceed
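The four numbered steps above, as an added example that is not part of the slide deck and does not use any real MFA provider's API: a small challenge/response service issues a one-time code over a constructed out-of-band channel (standing in for the text, phone-call or mobile-app options), and a verifier enforces the properties a practitioner expects from step 4: constant-time comparison, a short expiry, a bounded number of attempts, and single use so a captured response cannot be replayed. The service class, channel stub, user name and limits are all assumptions made for the example.

```python
"""Added example (not from the slide deck): the four-step MFA flow as a small
challenge/response service. The delivery channel is a constructed stub that
stands in for text, phone-call or mobile-app delivery; no real provider API
is used, and every name and limit below is an assumption."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable

CODE_TTL_SECONDS = 120   # a challenge is only answerable for two minutes
MAX_ATTEMPTS = 3         # then the challenge is discarded and must be re-issued


@dataclass
class Challenge:
    user: str
    code: str
    method: str
    issued_at: float
    attempts: int = 0


class MfaService:
    """Issues one-time challenges and verifies responses (steps 2 to 4)."""

    def __init__(self, deliver: Callable[[str, str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._deliver = deliver      # out-of-band delivery: (user, method, code)
        self._clock = clock          # injectable so expiry can be tested
        self._pending: dict[str, Challenge] = {}

    def start_challenge(self, user: str, method: str = "app") -> str:
        """Step 2: the application asks for a challenge; the code goes out of band
        and only an opaque challenge id is returned to the application."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = Challenge(user, code, method, self._clock())
        self._deliver(user, method, code)
        return challenge_id

    def verify(self, challenge_id: str, response: str) -> str:
        """Step 4: decide on the user's response. Returns one of
        'allowed', 'retry', 'locked', 'expired', 'denied'."""
        challenge = self._pending.get(challenge_id)
        if challenge is None:
            return "denied"          # unknown, already used, or already discarded
        if self._clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._pending[challenge_id]
            return "expired"
        challenge.attempts += 1
        # Constant-time comparison so a wrong guess leaks nothing about the code.
        if hmac.compare_digest(challenge.code, response):
            del self._pending[challenge_id]   # single use: a replay is refused
            return "allowed"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return "locked"
        return "retry"


class RecordingChannel:
    """Constructed delivery stub: records what would have been sent to the user."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str, str]] = []

    def __call__(self, user: str, method: str, code: str) -> None:
        self.sent.append((user, method, code))


def access_resource(mfa: MfaService, user: str, primary_auth_ok: bool,
                    respond: Callable[[str], str], method: str = "text") -> bool:
    """Steps 1 to 4 end to end: only after primary authentication succeeded does
    the application request a challenge, collect the answer and act on the verdict."""
    if not primary_auth_ok:                                 # step 1 failed
        return False
    challenge_id = mfa.start_challenge(user, method)        # step 2
    answer = respond(challenge_id)                          # step 3 (the user answers)
    return mfa.verify(challenge_id, answer) == "allowed"    # step 4


if __name__ == "__main__":
    channel = RecordingChannel()
    service = MfaService(channel)
    # The "user" reads the code from the out-of-band channel and types it back.
    ok = access_resource(service, "samantha", True, lambda _cid: channel.sent[-1][2])
    print("access granted" if ok else "access denied")
```

The application only ever sees the challenge id, never the code, which is what makes the second factor independent of the first; the verifier, not the application, owns the expiry, attempt and single-use rules.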
Protect Data with Rights Management
- Automatically identify and classify data based on content, with automatic encryption
- Integration with SharePoint and Exchange
- Securely share documents with colleagues and business partners
- Hybrid options across Windows Server and Azure Rights Management
- Easy to use, with integration with Office 2010/13, Windows Shell Extensions and cross-platform clients
Maintain governance and compliance
- Enable users with self-service access request and approval
- Enforce segregation of duties by defining incompatible permissions and roles
- Perform attestation by regularly ensuring access rights are maintained, and allow managers to review and approve existing access rights of users
- Easily define and manage access based on user roles
- Demonstrate that access rights comply with organizational policies and industry regulations
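The governance bullets above (segregation of duties, access request approval, and periodic attestation) as an added example that is not code from the slide deck or from any Microsoft product. Incompatible combinations are defined on permissions rather than on roles, so a toxic pair is caught no matter which roles happen to carry the two permissions; a self-service access request is checked before it is granted; and an attestation worklist lists the assignments each manager must re-certify. The roles, permissions, users, managers and dates are all constructed for the example.

```python
"""Added example (not from the slide deck): segregation-of-duties checks on
permissions and roles, a pre-grant check for self-service access requests,
and a simple attestation worklist. Roles, permissions, users, managers and
dates are all constructed."""
from datetime import date, timedelta

# Roles map to the permissions they grant (constructed).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "ap_clerk":    {"invoice.create", "invoice.edit"},
    "ap_approver": {"payment.approve"},
    "user_admin":  {"user.create", "user.reset_password"},
    "audit_admin": {"auditlog.delete"},
    "reader":      {"report.read"},
}

# Permission pairs that one person must never hold together (constructed).
TOXIC_PAIRS: set[frozenset[str]] = {
    frozenset({"invoice.create", "payment.approve"}),   # raise and approve own payments
    frozenset({"user.create", "auditlog.delete"}),       # create accounts and erase the trail
}

# Constructed assignments, reporting lines and attestation history.
ASSIGNMENTS: dict[str, set[str]] = {
    "samantha": {"ap_clerk", "ap_approver"},
    "raj":      {"user_admin"},
    "lee":      {"reader"},
}
MANAGERS = {"samantha": "morgan", "raj": "morgan", "lee": "alex"}
LAST_ATTESTED = {"samantha": date(2014, 1, 5), "raj": date(2014, 4, 20)}  # lee: never
TODAY = date(2014, 5, 1)


def effective_permissions(roles: set[str]) -> set[str]:
    """Union of the permissions granted by a set of roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def sod_violations(roles: set[str]) -> list[tuple[str, str]]:
    """Toxic permission pairs present in a user's effective permissions,
    regardless of which roles introduced them."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= perms)


def review_request(current_roles: set[str], requested_role: str) -> str:
    """Self-service access request: approve only when the grant would not
    leave the user with a segregation-of-duties violation."""
    if requested_role not in ROLE_PERMISSIONS:
        return "rejected: unknown role"
    conflicts = sod_violations(current_roles | {requested_role})
    if conflicts:
        return "blocked: would violate segregation of duties " + str(conflicts)
    return "approved"


def attestation_worklist(assignments: dict[str, set[str]], managers: dict[str, str],
                         last_attested: dict[str, date], today: date,
                         max_age_days: int = 90) -> list[tuple[str, str, str]]:
    """(manager, user, role) items a manager must re-certify: every role of
    every report whose last attestation is missing or older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    items: list[tuple[str, str, str]] = []
    for user, roles in assignments.items():
        last = last_attested.get(user)
        if last is None or last < cutoff:
            items.extend((managers[user], user, role) for role in sorted(roles))
    return sorted(items)


if __name__ == "__main__":
    for user, roles in ASSIGNMENTS.items():
        print(user, "SoD violations:", sod_violations(roles))
    print(review_request(ASSIGNMENTS["raj"], "audit_admin"))
    for item in attestation_worklist(ASSIGNMENTS, MANAGERS, LAST_ATTESTED, TODAY):
        print("attest:", item)
```

Checking at grant time and again in the periodic attestation covers both ways a toxic combination appears: a new request, and a role that was harmless when granted but became conflicting when another role was added later.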
Workload: SharePoint with conditional access & MFA
Users can connect to a published on-premises SharePoint server that has been integrated with AD FS. Through conditional access policies we can enforce additional authentication and authorization requirements, such as device registration.
With integrated MFA, AD FS facilitates the device registration process and allows the user to continue and gain access to the SharePoint site.
Hybrid Identity Review
Unify your environment
- Create a centralized identity across on-premises and cloud
- Use identity federation to maintain centralized authentication and securely share and collaborate with external users and businesses
Enable users
- Provide users with self-service experiences to keep them productive
- Enable single sign-on for users across all the resources they need access to
Protect your data
- Enforce strong authentication when users access resources and apply conditional access controls to sensitive company information
- Configure single sign-on across all company applications
- Ensure compliance with governance, attestation and reporting
http://aka.ms/enterprisemobilitysuite
http://aka.ms/microsoftintune
http://aka.ms/configmgr
http://aka.ms/hi
http://aka.ms/aip
http://aka.ms/virtualdesktop
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com