Azure AD IAM for Hybrid Enterprises - EBC Final May
TRANSCRIPT
-
8/10/2019 Azure AD IAM for Hybrid Enterprises -EBC Final May
1/20
MICROSOFT CONFIDENTIAL
Keith Brintzenhofe
Group Program Manager
Azure AD Identity & Access Management
Azure Active Directory for the Hybrid Enterprise
-
Windows Azure
Agenda
Azure AD and the Hybrid Enterprise
Azure AD Identity & Access Management Scenarios
Azure AD Premium
Q&A
-
Azure Active Directory: The Vision
A modern, cloud-based identity management service providing federation, directory services, device registration, user provisioning, application access control & data protection.
A natural extension to on-premises directories: the combination of Windows Server AD and Windows Azure AD lets you secure today's hybrid enterprise.
On-premises and cloud Active Directory managed as one
Consistent identities for on-premises and cloud applications
Easy end user experience with single sign-on and self-service features
-
Azure Active Directory and the Hybrid Enterprise
[Diagram: Azure Active Directory at the center, connected to an on-premises and private cloud environment (Windows Server Active Directory, Active Directory Federation Services, Sync, HR, Other Directories) and to Other apps, Other Directories, Self-Service, Identity Management and Devices]
-
Azure AD Identity and Access Management Scenarios
Simplify access and control of SaaS applications
Reduce IT burden with self-service IAM
Improve security posture with cloud services
Easily meet reporting requirements
Rapidly develop and deploy new enterprise capabilities
-
Azure AD directory management
Manage users in your cloud directory: Management portal, PowerShell, programmatic Graph API
Assign familiar user names in domains your organization already uses
Self-service verification of your domains
Integrate with existing directories: sync users into your cloud directory from a Windows Server AD, LDAP, or other existing directory
Users can access their cloud resources with their Windows Server AD username and password
-
Cloud App Discovery
Discover all SaaS apps in use within your organization
Fortune 500 company with 60,000+ international employees
Worried about corporate data leakage
Departments are adopting multiple subscriptions to SaaS apps without IT involvement
Need inventory of applications to begin gaining control and to enable SSO
Features used:
Endpoint agent for application discovery with ability to distribute using SCCM
Interactive dashboard:
View total number of SaaS apps in use
View number of users using SaaS apps
View top SaaS apps with categories in use
See usage graphs for SaaS apps that can be pivoted on users, web requests or volume of data exchanged with the application
Drill down into specific applications for targeted information
Easily integrate an application with Azure Active Directory
-
Simplify access and control of SaaS applications
SaaS App Management
Professional services company, 4500 employees
Interested in Office 365, Workday, Salesforce, Yammer and other SaaS applications
Needs centralized management of employee access to SaaS applications
Features used:
Windows Azure AD single sign-on (SSO) for SaaS applications
Automated user provisioning and de-provisioning to SaaS applications
Access Panel at myapps.microsoft.com
Company-branded sign-in and app access experience
-
Simplify access and control of SaaS applications
SaaS App User Provisioning
Fortune 500 company with 100,000+ international employees
Needed automated user provisioning and deprovisioning to SaaS apps including ServiceNow
ServiceNow also requires group objects
Features used:
Synchronize across on-premises data sources and into Windows Azure AD
Windows Azure AD provides user and group provisioning to ServiceNow and other SaaS apps
-
Simplify access and control of SaaS applications
Windows Azure AD Connector
Fortune 500 company with 100,000+ international employees
Multiple data sources on-premises
Need to provision users and groups to Windows Azure AD for control of SaaS
Features used:
Synchronize on-premises data sources to Windows Azure AD
Group-based application assignment in WAAD
Incorporate users from HR sources such as SAP, PeopleSoft and Oracle
-
Understand the ROI on SaaS applications
Usage and Business reporting
Large multi-national enterprise
Seeking to evaluate application usage and access patterns
Features used:
Application dashboard
Cross company application usage
Detailed usage for specific apps
-
Self-service identity and access management
Self-Service Password Reset for Users
University with 20k current students
Existing on-premises password reset solution in place does not cover alumni and is difficult to manage
Features used:
Reset of on-premises passwords from the cloud (pwd. writeback to WSAD)
Phone and email verification methods
End-user registration of contact methods
Customization of helpdesk URL and branding of Password Reset Portal with university's logo
-
Self-service identity and access management
Custom Branding
Financial services firm with 200+ offices
Needs consistent look-and-feel across authentication experiences
Already using Office 365 and Active Directory
Features used:
Sign-in page branded with company logo and illustration
Customized help text on sign-in page
Access Panel for end-users customized with company logo
-
Self-service identity and access management
Self-Service Group Management
Large multi-national enterprise
Enable distributed group creation and management
Delegated group management: end users can create groups and assign users; an owner can delegate ownership
Self-service group management: users can search for groups and request to join; the owner approves requests; groups can be set to auto-approve
-
Improve security posture with cloud services
Multi-Factor Authentication
Local government agency
Protect access to sensitive applications
Avoid end user lock out using multiple MFA methods (Phone App; Call or SMS to Mobile, Office, or alternate phone)
Features used:
Targeted MFA for sensitive accounts
Customization of MFA greetings, fraud alerts, one time bypass capabilities
End-user self-service enrollment
Audit reports for MFA activity
Whitelisting IP Addresses to bypass MFA from Corpnet
Remember this device feature to require MFA only from untrusted devices
-
Improve security posture with cloud services
Security and Usage Reporting
Large multi-national enterprise
Frequent target of attempts to gain unauthorized access to employee accounts
Features used:
Anomaly detection: credential sharing, credential misuse/loss, brute force attacks, access from behind anonymizers
Machine learning
Detection of attacks spanning organizations
Investigate sign in activity and devices
Admin Notifications
Download data for offline analysis
-
Rapidly develop and deploy new enterprise capabilities
Write custom LOB applications that integrate with Windows Azure AD: website applications, web APIs, and native client applications
Users sign in to AD-integrated applications with their cloud identities: single sign-on with Office 365 and other services that use Windows Azure AD
AD-integrated applications can access Office 365 and other web APIs: write powerful applications that access email, calendar, contacts, files, etc. in Office 365 and other applications
Applications can extend the Windows Azure AD schema: read & write attributes which are useful to other applications in the organization
Cross-platform support: web applications and web APIs can run on Windows Azure or other infrastructure; native client applications can run on iOS, Android, and Windows
Open Standards: SAML, OAuth 2.0, OpenID Connect, OData 3.0
-
Azure Active Directory features comparison

Feature                                                        AAD Free                  AAD Premium     Mu
Directory as a Service                                         Yes - up to 500K Objects  Yes - No Limit
User/Group Management                                          Yes                       Yes
SSO to pre-integrated SaaS Applications / Custom Apps          Yes                       Yes
Directory Synchronization Tool (WSAD Extension)                Yes                       Yes
User-Based access management/provisioning                      Yes                       Yes
Group-based access management/provisioning                                               Yes
Self-Service Group Management for cloud users                                            Yes
Self-Service Change Password for cloud users                   Yes                       Yes
Self-Service Reset Password for cloud users                                              Yes
Security Reports                                               Yes                       Yes
Advanced Security Reporting (machine learning-based)                                     Yes
Usage Reporting                                                                          Yes
Custom Branding (Logon/Access Panel customization)                                       Yes
MFA (All available features on Windows Azure and on premises)                            Yes
SLA                                                                                      Yes
FIM CAL + FIM Server                                                                     Yes
-
Discussion and Next Steps
Learn More about Azure Active Directory: http://azure.microsoft.com/en-us/solutions/identity/
Get started with Cloud App Discovery at https://appdiscovery.azure.com/
Give us feedback via the forums at http://aka.ms/aadforum
My contact info: [email protected]