Carol Wapshere, MVP
Identity Management Specialist
UNIFY Solutions
@miss_miis
Important for every component: Security Policy, Governance, Audit, Reporting, Analysis, Data Quality
Directory – anywhere that digital identities live
Logon – logon method, password management, MFA
Provisioning – includes create, update and delete of objects; granting and revoking of access
Authentication
Authorization – access management, initial and ongoing
Access Control
Mobility – mobile devices, remote access for mobile users
Development – identity standards and toolkits for developers
Directory


Logon
Enhancements to ADFS include simplified deployment and management
Logon to SaaS applications in Windows Azure and other providers
(Diagram: published applications reached through two firewalls)
Conditional access with multifactor authentication is provided on a per-application basis
• Part of Remote Access Server role in Windows Server 2012 R2
• Replaces ADFS Proxy
• Publish applications for external use (like TMG/UAG)
Multi-Factor Authentication
• Variable authentication based on device and location
• Voice call
• SMS
• Smartphone App
Provisioning
• Automate the process of on-boarding new users
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
• Automatically synchronize all user information to different directories across the enterprise (LDAP)
• Built-in workflow for identity management
• Certificate Management
Access Control
Mobility
• AD includes a new “device” object class for registering mobile devices.
• Registration does not make the device “managed”, only “known”.
• Certificate dropped on the device – this becomes the second authentication factor.
• Workplace Join end point is published using the Web Application Proxy.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
Registration end point published on the Web Application Proxy.
Registered device then works as a second factor for authentication when accessing applications and services.
(Diagram: Device Registration Service; AD with 2012 R2 schema extensions including device object class)
Development
POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "accountEnabled": true,
  "userPrincipalName": "[email protected]",
  "displayName": "New User",
  "passwordProfile": { "password": "VStrongP@ssword1", "forceChangePasswordNextLogin": true },
  "mailNickname": "NewUser"
}
RESPONSE: 201 Created
Notes:
(1) The password must meet the tenant’s accepted password complexity requirements.
(2) The minimum set of properties to create a user is shown in the example above.
https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'
• Graph URL (static): https://graph.windows.net
• Tenant of interest – can be the tenant’s verified domain or objectId
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version
• OData filter on particular attribute values
Follow relationships – memberOf, manager …
Differential Query – changes since last query
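As an added example (not from Carol Wapshere's slides nor from Microsoft's own SDKs), the following Python assembles, offline, the two request shapes shown above: the Graph URL with tenant, entity, api-version and a percent-encoded $filter, and the minimum create-user body from note (2), rejecting bodies that leave the provisioning-time password in force. The hostname and api-version are the slide's; the UPN, password and token are constructed placeholders.

```python
from urllib.parse import quote, urlencode

GRAPH_BASE = "https://graph.windows.net"   # static Graph URL from the slide
API_VERSION = "2013-04-05"                 # api-version shown on the slide

# Minimum property set for creating a user, per note (2) on the slide.
REQUIRED_USER_PROPS = ("accountEnabled", "userPrincipalName", "displayName",
                       "passwordProfile", "mailNickname")

# Constructed sample body: the UPN and password are placeholders, not real values.
SAMPLE_USER = {
    "accountEnabled": True,
    "userPrincipalName": "newuser@contoso.com",
    "displayName": "New User",
    "passwordProfile": {"password": "Placeholder-P@ss1", "forceChangePasswordNextLogin": True},
    "mailNickname": "NewUser",
}

def graph_url(tenant, entity, odata_filter=None):
    """<base>/<tenant>/<entity>?api-version=...[&$filter=...]; tenant is a verified
    domain or objectId. The filter is percent-encoded ("state eq 'WA'" keeps its
    spaces and quotes as %20 and %27) while the '$' of $filter is left intact."""
    params = {"api-version": API_VERSION}
    if odata_filter:
        params["$filter"] = odata_filter
    query = urlencode(params, safe="$", quote_via=quote)
    return f"{GRAPH_BASE}/{quote(tenant, safe='')}/{entity}?{query}"

def validate_new_user(body):
    """Return what keeps a body from being a valid minimal create-user request:
    missing required properties, or a profile that lets the initial password stand."""
    problems = [p for p in REQUIRED_USER_PROPS if p not in body]
    profile = body.get("passwordProfile") or {}
    if "password" not in profile:
        problems.append("passwordProfile.password")
    if profile.get("forceChangePasswordNextLogin") is not True:
        problems.append("passwordProfile.forceChangePasswordNextLogin")
    return problems

def build_create_user_request(tenant, body, bearer_token):
    """Assemble (but do not send) the POST shown on the slide. The Authorization
    header carries a credential: redact it before writing requests to logs."""
    problems = validate_new_user(body)
    if problems:
        raise ValueError("create-user body incomplete: " + ", ".join(problems))
    return {"method": "POST", "url": graph_url(tenant, "users"),
            "headers": {"Content-Type": "application/json",
                        "Authorization": "Bearer " + bearer_token},
            "body": body}
```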
Summary: Security Policy, Audit, Governance, Reporting, Analysis, Data Quality
Components: Dir, Logon, Prov, AuthN, AuthZ, Mob, AC, Dev
(Architecture diagram labels)
Internal: Corporate AD; Application managed; FIM
Extranet: Web App Proxy; Device Join; Claims based; ADFS Domain
External: DMZ; Self-Reg Portal
Identity Providers: Trusted Partner; Windows IdP; Trusted IdP
Foundation: Managed IdP + Application: Own Id Store; Password Reset
http://channel9.msdn.com/Events/TechEd/Australia/2013
http://www.microsoftvirtualacademy.com/
http://technet.microsoft.com/en-au/
http://msdn.microsoft.com/en-au/