azure active directory

Vartti tunnista ("A Quarter of an Hour"): Azure Active Directory, Mika Seitsonen

Upload: sovelto

Post on 21-Jul-2015


Page 1: Azure Active Directory

Vartti tunnista ("A Quarter of an Hour")

Azure Active Directory

Mika Seitsonen

Page 2: Azure Active Directory

Your trainer: Mika Seitsonen

• Facts
  • M.Sc., University of Nottingham, U.K.
  • M.Sc. (Tech.), Lappeenranta University of Technology
  • Co-author of "Inside Active Directory"

• Sovelto
  • Senior consultant, acting competence area lead: Technology Experts
  • Microsoft Certified Trainer (MCT) since 1997, Microsoft Certification ID 414xxx
  • MCSE: Communications
  • MCSA: Office 365, Windows 2008, Windows 7
  • MS: Implementing Microsoft Azure Infrastructure Solutions

• Contact details
  • e-mail [email protected]
  • Twitter @MikaSeitsonen

• Keen follower of motorsport (and of motorsport competitors)
  • Pictured at Päijänteen Ympäriajo in 2009

Page 3: Azure Active Directory

Identity considerations: Cloud, Sync or Federated?

Cloud identity provides a solution where all identity resides in the cloud

Federated identity allows customers to retain all authentication on-premises

Identity sync enables customers to bridge their existing identity into the cloud

B2B federated identity allows customers to securely share and collaborate with each other

Page 4: Azure Active Directory

Identity as the control plane

Self-service, single sign-on, simple connection

On-premises: Windows Server Active Directory, other directories

Microsoft Azure Active Directory

Cloud: SaaS, Azure, Office 365, public cloud

Page 5: Azure Active Directory

What is Azure Active Directory?

A comprehensive identity and access management cloud solution.

It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.

It is available in 3 editions: Free, Basic and Premium.

Page 6: Azure Active Directory

No Object Limit No Object Limit

No Limit

Advanced Security

Reports

Yes (Advanced)**

Premium

+ Basic

Features

Group-based access management/provisioning Yes Yes

Self-Service Password Reset for cloud users Yes Yes

Company Branding (Logon Pages/Access Panel customization) Yes Yes

SLA Yes Yes

Up-to-date information is available at https://msdn.microsoft.com/en-us/library/dn532272.aspx

Page 7: Azure Active Directory
Page 8: Azure Active Directory

Azure Active Directory Connect*

Microsoft Azure Active Directory

Other Directories

PowerShell

LDAP v3

SQL (ODBC)

Web Services (SOAP, JAVA, REST)

*

Page 9: Azure Active Directory

Azure Active Directory Connect

Consolidated deployment assistant for your identity bridge components

Progressive learning while configuring the components

ADFS is optional

DirSync

Azure Active Directory Sync

FIM+Azure Active Directory Connector

Sync Engine

Page 10: Azure Active Directory

Microsoft Azure


Page 11: Azure Active Directory

SaaS apps

Microsoft Azure Active Directory

Other Directories

Page 12: Azure Active Directory

Microsoft Azure Active Directory

Identities and applications in one place.

Web Apps (Azure Active Directory Application Proxy)

SaaS apps

Integrated custom apps

Other Directories

Page 13: Azure Active Directory

Microsoft Azure Active Directory

Corporate Network

DMZ

https://app1-contoso.msappproxy.net/

A connector that auto connects to the cloud service

http://app1

Page 14: Azure Active Directory

IT professional

Page 15: Azure Active Directory

alerts.

Page 16: Azure Active Directory

alerts.

Page 17: Azure Active Directory

How it works

Page 18: Azure Active Directory

http://myapps.microsoft.com

Page 19: Azure Active Directory

http://myapps.microsoft.com

Page 20: Azure Active Directory

Azure Active Directory 12-month investments

Business to Business

Business to Consumers

Device Registration

Administrative Units

Cloud Domain Joined (Windows 10)

Conditional Access

Page 21: Azure Active Directory

Role-Based Access Control

Today: RBAC to Azure Subscription

Tomorrow: RBAC to 3rd-party SaaS apps

[Diagram labels: Reader, Contributor, Owner; SaaS]

Assign roles to users and groups at subscription, resource group, or resource level

Assignments inherit down the hierarchy

Use built-in roles with pre-configured permissions (at preview)

Create custom roles (post preview)

Page 22: Azure Active Directory

B2B: cross-organization collaboration

“I need to let my partners access my company’s apps using their own credentials.”

Share without complex configuration or duplicate users.

A user at a large partner may log into my company’s apps with their Active Directory usernames and passwords.

A user at a smaller partner may log into my company’s apps with their Office 365 usernames and passwords.

Admin configures sharing for cloud apps.

“I can’t email my 25 MB file and need to share it with a partner using Box.com.”

Seamlessly provide Azure Active Directory to customers & partners

For example, a user at a partner can set up everyone in their company.

Users can bring their own email-based or social identities.

Page 23: Azure Active Directory

Contoso

Azure Active Directory

Global admins

Org-wide permissions

Manage global settings

Create structure and policy

Delegate permissions and resources

Regional admins

Manage regional users, devices, and applications

Set local policy

Regional policy and app management

“Must login with MFA”

“Have license/access to regional apps”

Support for distributed organizational models

Autonomous mgmt. while keeping common identity and org boundary

Delegate administration to subsidiaries

User management

App procurement and mgmt.

Scope policy

US East, Germany, India

Asia, Europe, North Am

Administrative Units: In private preview

Page 24: Azure Active Directory

Azure Active Directory B2C offering is tailored for enterprises who serve large populations (100’s of thousands to millions) of individual customers, and whose business success depends upon consumer adoption of web applications for improving customer satisfaction and reducing operational costs.

Azure Active Directory B2C (Business-to-Consumer)

Azure Active Directory B2C will include:

Self-Service User registration

Login with Social IdP or create your own credentials

Optional MFA

Bulk user import tools

SSO to multiple web sites

User interface customization

Page 25: Azure Active Directory

Cloud Domain Join makes it possible to connect work-owned Windows devices to your company’s Azure Active Directory tenancy in the cloud. Users can sign in to Windows with their cloud-hosted work credentials and enjoy modern Windows experiences.

Cloud Domain Joined Devices

Enterprise compliant Services

Roaming Settings, Windows backup/Restore, Store access…

Data stored in enterprise compliant backend services on Azure.

No need to add a personal Microsoft account.

SSO from the desktop to org resources

SSO from desktop to Office 365 and 1,000’s of enterprise apps, websites and resources.

Access enterprise-curated Store and install apps using a work account.

Management

Automatic MDM enrollment during first-run experience.

Support for hybrid environments

Traditional Domain Joined PCs also benefit from Cloud Domain Join functionality when the on-prem Active Directory is connected with an Azure Active Directory in the cloud.

Cloud Domain Join

Page 26: Azure Active Directory

What you need to do (if you haven't already)

• Create and then try out a free Office 365 subscription
  • http://products.office.com/fi-FI/try

• Create and then try out a free Intune subscription
  • http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/try.aspx
  • Remember to sign in with your O365 account

• Create and then try out a free Azure subscription
  • http://azure.microsoft.com
  • Note: requires a credit card number; the credit card is not charged

Page 27: Azure Active Directory

Further information

• An EMS test environment up and running in minutes: http://simon-may.com/get-started-enterprise-mobility-suite-minutes/

• Set up your own lab: http://blogs.technet.com/b/mydigitalworkthoughts/

Page 28: Azure Active Directory

Sovelto courses on the topic

• For Microsoft partners
  • Business Anywhere (Microsoft partners only) 26.1. or 4.5.
  • Partner Practice Enablement: Microsoft Enterprise Mobility Suite (EMS) 23.-24.2. or 23.-24.3.

• For all professionals
  • Microsoft Intune management 22.-23.4.
  • 55065 Microsoft Azure for IT professionals 11.-13.3.
  • 20533 Implementing Microsoft Azure Infrastructure Solutions 13.-15.4.
  • 20532 Developing Microsoft Azure Solutions 10.-13.3.

Page 29: Azure Active Directory

THANK YOU!