Transcript Empowering people-centric IT Unified device management Desktop Virtualization Hybrid Identity Access and information protection Users Devices Apps Data Hybrid Identity √ Unify your environment Enable users Protect your data Create a centralized identity across on-premises and cloud Use identity.

Empowering
people-centric IT
Unified device
management
Desktop
Virtualization
Hybrid Identity
Access and
information
protection
Users
Devices
Apps
Data
Hybrid Identity
√
Unify your environment
Enable users
Protect your data
Create a centralized identity
across on-premises and cloud
Use identity federation to
maintain centralized
authentication and securely
share and collaborate with
external users and businesses
Provide users with self-service
experiences to keep them
productive
Enforce strong authentication when
users access resources and apply
conditional access controls to
sensitive company information
Configure single sign-on across all
company applications
Ensure compliance with
governance, attestation and
reporting
Enable single sign-on for users
across all the resources they need
access to
A centralized and consistent corporate identity
givenName
surname
Samantha
Dearing
employeeID
007
Database
title
Coordinator
Exchange
e-mail
[email protected]
LDAP
telephone
555-123-4567
HR
System
Identity attributes are often located in
multiple repositories
SQL Web Services PowerShell
(ODBC) (SOAP, JAVA, REST) LDAP v3
Identity Manager creates a compilation of
these attributes with validation and keeps this
in sync with all identity realms
givenName Samantha
surname
Dearing
title
Coordinator
E-mail
[email protected]
employeeID 007
telephone 555-123-4567
Common Identity with Sync and Federation
*Coming Soon
Synchronization
*Write back of attributes to support
cloud first and co-existence
User attributes are synchronized including the password
hash, Authentication can be completed against either
Azure or Windows Server Active Directory
Federation
AD FS provides conditional access to
resources, Work Place Join for device
registration and integrated Multi-Factor
Authentication
User attributes are synchronized, Authentication is
passed back through federation and completed
against Windows Server Active Directory
*Direct to cloud identity sync
Web Services
*Coming Soon
LDAP v3
(SOAP, JAVA, REST)
Azure Active Directory Sync provides
the ability to sync disparate on-premises
identity repositories directly to Azure
Active Directory
PowerShell
SQL
(ODBC)
Identity Federation
Organizations can connect to SaaS
applications running in Azure, Office 365 and
3rd party providers
Enhancements to AD FS include simplified
deployment and management
Published
applications
Organizations can federate
with partners and other
organizations for seamless
access to shared resources
Conditional access with multi-factor
authentication is provided on a perapplication basis, leveraging user identity,
device registration & network location
Office 365 & Windows Intune Identity Models
Cloud Identity
Single identity in the cloud suitable for small
organizations with no integration to onpremises directories
Directory Sync
Single identity suitable for medium
and large organizations with passwords
stored both on-premises and in the
cloud without federation
Federated Identity
Single federated identity and credentials
suitable for medium and large
organizations, passwords stored only
on-premises
Provide users with self-service experiences
Users can edit their profile
details to update and add
missing information
Users can reset their passwords
significantly reducing help desk
burden and costs.
Users can onboard new users
and contractors into their
teams and provide access to
required resources
Self-service group
management, including
dynamic membership
calculation in these groups
and distribution lists, based
on the user’s attributes.
All changes and updates are
workflow and policy driven with
approval routing as appropriate
*Cloud based self-service experiences
*In Preview
Users can manage access requests through
self-service group management
Users can edit their profile
details to update and add
missing information
Users can easily access the SaaS
apps they need, using their existing
Active Directory credentials.
Self Service Password
change and reset for
cloud users
Leverage existing investments in
Active Directory for a single set
of user credentials
Provide users with single sign-on experiences
Users gain seamless access to Office
365, Windows Intune and other
Microsoft cloud apps
Users can sign onto 3rd party SaaS
apps with their company
credentials
Sync or federate users to Azure Active
Directory for single sign-on to cloud
apps
Users can access all their
company resources with a
single set of credentials
Leverage existing investments in
Active Directory for a single set
of user credentials
SQL Web Services PowerShell
(ODBC) (SOAP, JAVA, REST) LDAP v3
Single sign-on to Office 365 and Windows Intune
Directory Sync
When an Active Directory user logs on,
their synchronized credentials are used to
authenticate against Azure Active
Directory
Cloud Identity
A user with a cloud only identity can sign in to Office
365 and Windows Intune using their Azure Active
Directory credentials
Federated Identity
When an Active Directory user logs on, the
authentication is passed back and validated
against Windows Server Active Directory
Active Directory for the cloud
Leverage cloud platforms to run
Windows Server Active Directory and
Active Directory Federation Services to
reduce infrastructure on-premises.
Manage Active Directory
using Windows PowerShell,
use the improved deployment
experience and leverage the
Active Directory
Administrative Center for
centralized management
Run Active Directory at
scale with support for
virtualization and rapid
deployment through
domain controller cloning.
Developers can integrate
applications for single
sign-on across onpremises and cloudbased applications.
Activate clients running
Office on at least
Windows 8 or Windows
Server 2012
automatically using
existing Active
Directory infrastructure.
Azure Active Directory
PowerShell LDAP v3
SQL Web Services
(ODBC) (SOAP, JAVA, REST)
Easily add custom cloud-based apps.
Facilitate developers with identity
management.
Sync identity or provide federated
identity for single sign-on
Choose among hundreds of popular
SaaS apps from a pre-populated
application gallery.
Add multi-factor authentication for
additional user identity verification
Comprehensive cloud based identity and access
management combining directory services, identity
governance, application access management and a
developer’s identity management platform
Administrators have access to security
reporting that tracks inconsistent access
patterns and view users who signed in from
unknown sources
1. Users attempts to login or
perform an action that is subject
to MFA
2. When the user authenticates,
the application or service
performs a MFA call
3. The user must respond to the
challenge, which can be
configured as a txt, a phone call
or using a mobile app
Devices
User
Apps & Data
4. The response is returned to the
app which then allows the user to
proceed
Protect Data with Rights Management
Integration with SharePoint
and Exchange
Automatically identify and
classify data based on content
with automatic encryption
Securely share
documents with
colleagues and
business partners
Hybrid options
across Windows
Server and Azure
Rights Management
Easy to use with integration with
Office 2010/13, Windows Shell
Extensions and cross platform
clients
Maintain governance and compliance
Enable users with self-service access
request and approval
Enforce segregation of duties
by defining incompatible
permissions and roles
Perform attestation by regularly
ensuring access rights are
maintained and allow managers
to review and approve existing
access rights of users
Easily define and manage
access based on user roles
Demonstrate that access rights comply
with organizational policies and
industry regulations
Workload: SharePoint with conditional access & MFA
Users can connect to a published on-premises SharePoint server
that has been integrated with AD FS.
Through conditional access policies we can enforce additional
authentication and authorization requirements, such as device
registration.
With integrated MFA, AD FS facilitates the device registration
process and allows the user to continue and gain access to the
SharePoint site.
Hybrid Identity Review
√
Unify your environment
Enable users
Protect your data
Create a centralized identity
across on-premises and cloud
Use identity federation to
maintain centralized
authentication and securely
share and collaborate with
external users and businesses
Provide users with self-service
experiences to keep them
productive
Enforce strong authentication when
users access resources and apply
conditional access controls to
sensitive company information
Configure single sign-on across all
company applications
Ensure compliance with
governance, attestation and
reporting
Enable single sign-on for users
across all the resources they need
access to
Session
Title
Timeslot
FDN02
Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server
Monday, May 12 11:00 AM - 12:00 PM
PCIT-B212
Design Considerations for BYOD
Tuesday, May 13 10:15 AM - 11:30 AM
PCIT-B213
Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure
Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B310
Empowering Your Users and Protecting Your Corporate Data
Monday, May 12 1:15 PM - 2:30 PM
PCIT-B313
Hybrid Identity: Extending Active Directory to the Cloud
Monday, May 12 4:45 PM - 6:00 PM
PCIT-B314
Understanding Microsoft’s BYOD Strategy and an Introduction to New Capabilities in
Windows Server 2012 R2
Tuesday, May 13 8:30 AM - 9:45 AM
PCIT-B321
Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Customers
Tuesday, May 13 5:00 PM - 6:15 PM
PCIT-B322
Deploying and Managing Work Folders
Wednesday, May 14 10:15 AM - 11:30 AM
PCIT-B324
How to Rapidly Design and Deploy an Active Directory Federation Services Farm: The Do's
and the Don'ts
Wednesday, May 14 8:30 AM - 9:45 AM
PCIT-B326
Providing SaaS Single Sign-on with Microsoft Azure Active Directory
Thursday, May 15 10:15 AM - 11:30 AM
PCIT-B327
Introducing Web Application Proxy in Windows Server 2012 R2: Enable Work from
Anywhere
Wednesday, May 14 3:15 PM - 4:30 PM
PCIT-B328
Microsoft Identity Manager vNext Overview
Wednesday, May 14 5:00 PM - 6:15 PM
PCIT-B330
Active Directory + BYOD = Peace of Mind
Thursday, May 15 8:30 AM - 9:45 AM
Hybrid Identity
http://aka.ms/hybrididentity
Access & Information Protection
http://aka.ms/aip
Windows Server 2012 R2
http://aka.ms/ws2012r2
Azure Active Directory
http://aka.ms/azureactivedirectory
Identity Manager
http://aka.ms/identitymanager
Hybrid Identity Whitepaper
http://aka.ms/hybrididentitywp
Hybrid Identity Datasheet
http://aka.ms/hybrididentityds
Active Directory Deployment and Management Enhancements
http://go.microsoft.com/?linkid=9838440
Enabling Secure Remote Users with RemoteApp, DirectAccess and DAC
http://go.microsoft.com/?linkid=9838462
Migrating Active Directory to Windows Server 2012 R2
http://go.microsoft.com/?linkid=9842894
Implementing a Basic PKI in Windows Server 2012 R2
http://go.microsoft.com/?linkid=9842895
Windows Server 2012 R2: New Features in AD FS
http://go.microsoft.com/?linkid=9842896
Workplace Join
http://go.microsoft.com/?linkid=9836553
Work Folders
http://go.microsoft.com/?linkid=9839828
AD FS and Claims apps
http://go.microsoft.com/?linkid=9836552
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn