Identity and Access Management from Microsoft and Razor Technology

David J. Rosenthal, VP & GM, Razor Technology (@AzureAD). Microsoft MTC, NYC, February 14, 2017

Uploaded by razor-technology-llc, posted 19 February 2017

TRANSCRIPT


Mobile-first, cloud-first reality

Data breaches: 63% of confirmed data breaches involve weak, default, or stolen passwords.

IT budget growth: Gartner predicts global IT spend will grow only 0.6% in 2016.

Shadow IT: more than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.

Enterprise Mobility + Security: the Microsoft vision

Identity-driven security, managed mobile productivity, and a comprehensive solution spanning users, devices, apps, and data.

Azure Active Directory as the control plane: identity as the core of enterprise mobility

Diagram: Microsoft Azure Active Directory (cloud) sits between on-premises Windows Server Active Directory and other directories (simple connection), SaaS, Azure and public cloud applications (single sign-on), and customers and partners (self-service).

Azure AD by the numbers: >10 M Azure AD directories; more than 750 M user accounts on Azure AD; >1.3 billion authentications every day on Azure AD; >110 k third-party applications used with Azure AD; 37 k Azure AD Premium/EMS users; >85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI).

Every Office 365 and Microsoft Azure customer uses Azure Active Directory

Microsoft’s “Identity Management as a Service (IDaaS)” for organizations. Millions of independent identity systems controlled by enterprise and government “tenants.” Information is owned and used by the controlling organization, not by Microsoft. Born as a cloud directory for Office 365, extended to manage across many clouds, and evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).

Identity is the new control plane: Azure Active Directory at the core of your business

Four pillars: 1000s of apps, 1 identity; manage access at scale; cloud-powered protection; enable business without borders.

“Azure AD Premium makes life simpler for the business and for employees. It gives them access to enterprise applications from any device with a single sign-on that is secure and reliable. That is fundamental in increasing the adoption of cloud technology.”

- Kapil Mehta, Productivity & Directory Services Manager

1000s of apps, 1 identity

• Single sign-on for SaaS apps
• Single sign-on for mobile apps
• Support for lift-and-shift of traditional apps to the cloud
• Secure remote access to on-premises apps
• Connect your on-premises identities to the cloud

“With Azure Active Directory integrated into Smartsheet, our employees don’t need to remember another sign-in. They can use one credential to get to all their applications.”

- Mike Kirkpatrick, Director of Marketing, Ontario Division, Canadian Cancer Society

“The company uses Microsoft Azure Active Directory Premium, another part of Microsoft EMS, to manage the authentication of all 1,600 employees to all company applications. It used Azure AD Premium to provide SSO access to a wide number of applications, including Concur, Oracle, ADP, and Meraki, with more to come.”

“We were surprised to see that 90 percent of the SaaS apps in use at Mattamy were already endorsed for single sign-on within Azure Active Directory Premium.”

- Aaron Pais, Vice President of IT, Mattamy Homes

Azure Active Directory Connect and Connect Health

Diagram: Microsoft Azure Active Directory connected (via Azure AD Connect, with MIM where needed) to HR apps and other directories over PowerShell, SQL (ODBC), LDAP v3, and web services (SOAP, Java, REST). Connect and sync on-premises directories with Azure Active Directory.

1000s OF APPS, 1 IDENTITY

Diagram: web apps (published through Azure Active Directory Application Proxy), integrated custom apps, SaaS apps, and other directories all connected to Azure Active Directory.

• 2700+ pre-integrated popular SaaS apps and self-service integration via templates
• Connect and sync on-premises directories with Azure
• Easily publish on-premises web apps via Application Proxy + custom apps

1000s OF APPS, 1 IDENTITY: Single sign-on to on-premises applications

Diagram: the user reaches an internal app at an external URL such as https://appX-contoso.msappproxy.net/; Application Proxy in Microsoft Azure relays the request to connectors (on-premises, or on Azure or third-party IaaS) that sit next to the apps behind the DMZ, and Microsoft Azure Active Directory authenticates the user. A second slide, "Access even more on-premises web applications", extends the same topology to other line-of-business apps.

1000s OF APPS, 1 IDENTITY: A mobile authenticator application for all platforms

• Converges the existing Azure Authenticator and all consumer Authenticator applications
• MFA for any account, enterprise, consumer, or third party: push notifications/OTP
• Device registration (workplace join)
• SSO to native mobile apps, including certificate-based SSO
• Future: sign in to a device (Windows Hello), app, or website without a password

1000s OF APPS, 1 IDENTITY: Lift-and-shift on-premises apps to Azure IaaS

Diagram: on-premises Windows Server Active Directory synchronizes to Azure Active Directory via Azure AD Connect; Azure AD Domain Services exposes that directory inside your Azure virtual network so your Azure IaaS workloads/apps can use it.

Your domain controller as a service for lift-and-shift scenarios: Kerberos, NTLM, LDAP, Group Policy.

Enable business without borders

“We give them a username and password, and they’re able to reset their own passwords through Azure Active Directory. This is important, because we have such a small IT staff.”

- Scott Bentzel, Director of IT

Better connect with your consumers and partners; ease of use for end users; anytime, anywhere productivity.

“The company also chose Azure Active Directory to simplify identity management for vendors and employees. With Azure Active Directory, the company provides fast, highly secure access to external vendors, cutting onboarding time from months to less than a week.”

- Johan Krebbers, IT Chief Technology Officer, Royal Dutch Shell

“…because we’re now able to give employees their own accounts, we can safely and securely send human resources documents in digitized form even if they are highly confidential, which eliminates traditional mailing.”

- Ryuji Katayama, Department Manager of the IT Planning Department, Corporate Strategy Division, Village Vanguard

“We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.”

Manage your account, apps, and groups

Company-branded, personalized application Access Panel: http://myapps.microsoft.com, plus iOS and Android mobile apps. Integrated end user experiences: self-service password reset, application access requests, integrated Office 365 app launching.

ENABLE BUSINESS WITHOUT BORDERS: Collaborate with partners (B2B collaboration)

Share without complex configuration or duplicate users; partners of all sizes; you manage access. Kodak Alaris (quoted above) onboarded 3,000+ partners this way.

ENABLE BUSINESS WITHOUT BORDERS: Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory

• Enterprise-compliant services
• SSO from the desktop to cloud and on-premises applications with no VPN
• Support for hybrid environments
• Intune/MDM auto-enrollment for Windows 10 Azure AD joined devices
• Enterprise State Roaming

ENABLE BUSINESS WITHOUT BORDERS: Consumer identity and access management in the cloud

Identity experience engine; identity management for consumers; cross-platform; superior economics.

“By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability.”

- Rafael de los Santos, Head of Digital, Real Madrid

“Without Azure Active Directory integrated with our 2,100 customers’ AD databases, we simply could not manage all the passwords and logon activities of the many hundreds of thousands of teachers and students who make up our customer base.”

- Evan Clark, Founder & CEO, ClickView

Manage access at scale

Advanced user lifecycle management; monitor your identity bridge; low IT overhead.

“We want to ensure that we’re keeping our operating costs as low as possible to focus our budget on more productive areas of the business. With the help of Azure Active Directory Premium, I’m managing ten times the number of SaaS applications with the same size team.”

- Daniel Birmingham, Identity Solutions Architect, Whole Foods Market

“We will be able to walk in with the computers, connect them to the Internet, and be done. User identity, SaaS access management, mobile device management—all accessible with a few clicks on a web-based console.”

- Arvid Johansson, CIO, SATS ELIXIA

MANAGE ACCESS AT SCALE

• Centralized access administration for pre-integrated SaaS apps and other cloud-based apps
• Dynamic groups, device registration, secure business processes with advanced access management capabilities
• Comprehensive identity and access management console for the IT professional
• Provisioning and deprovisioning with customization options

Connect Health: monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365. Monitor:

• The Azure AD Connect sync engine health
• ADFS infrastructure health
• On-premises AD Domain Services health

Cloud-powered protection

Protect against advanced threats; conditional access to resources; compliance reporting; mitigate administrative risks.

“Identity is the new firewall of the future. We can’t continue to use our old way of controlling application access, because business isn’t happening exclusively in our network anymore. With Azure Active Directory Premium, we can stay in control, no matter where our users roam.”

- Will Lamb, Infrastructure Coordinator, Whole Foods Market

“By deploying Azure MFA the bank secured access to corporate data. Also there is no need for the end user to receive any trainings or carry additional components with them, such as tokens. It was important for us to increase security without sacrificing end user experience. We could achieve this thanks to Azure MFA.”

- Fikri Bülent Çelik, Technology and Infrastructure Department Manager, TKFB

“With Azure AD Premium, Bristow Group now has the capabilities for multifactor authentication; access control (dependent upon device health and user location); holistic security reports; audits; and alerts. Azure Active Directory makes the work of a busy and mobile workforce easier, secures data and protects access to the company’s assets both in the cloud and on-premises.”

- Kapil Mehta, Productivity & Directory Services Manager, Bristow Group Inc.

“Vetco uses Microsoft Azure Active Directory Premium (part of the Microsoft Enterprise Mobility Suite) to help safeguard access to data through multifactor authentication.”

CLOUD-POWERED PROTECTION: Conditional access

Conditions: user, app sensitivity, device state, location, and risk. Actions: allow access or block access; enforce MFA per user/per app.

Building blocks: notifications, analysis, remediation, and risk-based policies; cloud app discovery; privileged identity management; MFA; identity protection.

MFA verification methods: text messages, phone calls, mobile apps.

CLOUD-POWERED PROTECTION: Identity Protection at its best

• Risk severity calculation
• Remediation recommendations
• Risk-based conditional access automatically protects against suspicious logins and compromised credentials
• Gain insights from a consolidated view of machine learning based threat detection

Machine-learning engine signals: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities. Risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials.
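The conditional access and Identity Protection slides above describe a decision, not a mechanism. The following is an added example, not code from the deck or from Azure AD, that models that decision: a sign-in carries the conditions the slides list (user, app sensitivity, device state, location) plus the detections the machine-learning engine raises, and an ordered policy set returns allow, MFA challenge, forced password change, or block. The policy order, the severity assigned to each detection, the trusted network range, the group and sensitivity labels, and the sample sign-ins are all assumptions made for the illustration.

```python
"""Added example (not from the deck): a model of risk-based conditional
access. Conditions (user, app sensitivity, device state, location, detected
risk) are evaluated against ordered policies that allow, require MFA, force
a password change, or block. Policy order, risk levels, the trusted range
and the sample sign-ins are assumptions for the illustration."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    CHANGE_PASSWORD = "change_password"
    BLOCK = "block"


# Detections named on the slides, with an assumed severity ordering.
RISK_LEVEL = {
    "suspicious_signin": 1,
    "brute_force": 2,
    "infected_device": 2,
    "leaked_credentials": 3,
}

# Constructed corpnet range standing in for a trusted-location list.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    app_sensitivity: str          # "low" or "high" (assumed labels)
    device_compliant: bool
    source_ip: str
    detections: frozenset = frozenset()
    mfa_completed: bool = False


def risk_score(s: SignIn) -> int:
    """Highest severity among the detections attached to this sign-in."""
    return max((RISK_LEVEL[d] for d in s.detections), default=0)


def from_trusted_location(s: SignIn) -> bool:
    ip = ip_address(s.source_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def evaluate(s: SignIn) -> Decision:
    """Most restrictive policy first; the first matching rule decides."""
    risk = risk_score(s)
    # Leaked credentials: the password is already bad. Prove the second
    # factor, then force a change (the slides' "change bad credentials").
    if risk >= 3:
        return Decision.CHANGE_PASSWORD if s.mfa_completed else Decision.REQUIRE_MFA
    # Medium risk from a non-compliant device: nothing to remediate with, block.
    if risk == 2 and not s.device_compliant:
        return Decision.BLOCK
    # Admin accounts and high-sensitivity apps always require MFA.
    if "admins" in s.groups or s.app_sensitivity == "high":
        return Decision.ALLOW if s.mfa_completed else Decision.REQUIRE_MFA
    # Remaining risk, or an unmanaged device outside the trusted network,
    # steps up to MFA; a compliant device on corpnet with no risk passes.
    if risk >= 1 or (not s.device_compliant and not from_trusted_location(s)):
        return Decision.ALLOW if s.mfa_completed else Decision.REQUIRE_MFA
    return Decision.ALLOW


# Constructed sample sign-ins exercising each branch.
SAMPLES = {
    "staff_corpnet_compliant": SignIn("alice", frozenset({"staff"}), "expenses", "low", True, "203.0.113.10"),
    "staff_offsite_byod": SignIn("alice", frozenset({"staff"}), "expenses", "low", False, "198.51.100.7"),
    "staff_offsite_byod_mfa": SignIn("alice", frozenset({"staff"}), "expenses", "low", False, "198.51.100.7", mfa_completed=True),
    "admin_corpnet": SignIn("bob", frozenset({"staff", "admins"}), "portal", "high", True, "203.0.113.20"),
    "leaked_creds_after_mfa": SignIn("carol", frozenset({"staff"}), "mail", "low", True, "203.0.113.30", frozenset({"leaked_credentials"}), True),
    "infected_byod": SignIn("dave", frozenset({"staff"}), "mail", "low", False, "198.51.100.9", frozenset({"infected_device"})),
}


def evaluate_samples() -> dict:
    """Decision per sample, as plain strings."""
    return {name: evaluate(s).value for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:26s} -> {decision}")
```

The design point is that a detection on its own does not decide the outcome: the same leaked-credential event yields an MFA challenge first and a forced password change only once the second factor has been proved, while a medium-risk event on a device the tenant cannot vouch for is blocked outright. Real tenants express this through Azure AD policy objects rather than code, but the ordering question (which rule wins when several match) is the one worth deciding explicitly.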

CLOUD-POWERED PROTECTION: Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools

Apply Microsoft learnings to your existing security tools: the Microsoft machine-learning engine (leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities) feeds notifications, data extracts/downloads, and reporting APIs consumed by security/monitoring/reporting solutions.

CLOUD-POWERED PROTECTION: Privileged Identity Management

Discover, restrict, and monitor privileged identities. Enforce on-demand, just-in-time administrative access when needed. Provides more visibility through alerts, audit reports and access reviews. Roles covered include Global Administrator, Billing Administrator, Exchange Administrator, User Administrator, and Password Administrator.

How time-limited activation of privileged roles works

• Users need to activate their privileges to perform a task
• MFA is enforced during the activation process
• Users will retain their privileges for a pre-configured amount of time
• Alerts inform administrators about out-of-band changes
• Security admins can discover all privileged identities, view audit reports and review everyone who is eligible to activate via access reviews

Diagram: the security admin configures Privileged Identity Management; the user activates a role after identity verification (MFA); PIM monitors, alerts, and produces access reports and an audit trail; read-only admin profiles (Billing Admin, Global Admin, Service Admin) view reports and history.

What PIM gives you:

• Removes unneeded permanent admin role assignments
• Limits the time a user has admin privileges
• Ensures MFA validation prior to admin role activation
• Reduces exposure to attacks targeting admins
• Separates role administration from other tasks
• Adds roles for read-only views of reports and history
• Asks users to review and justify continued need for admin role
• Simplifies delegation
• Enables least privilege role assignments
• Alerts on users who haven’t used their role assignments
• Simplifies reporting on admin activity
• Increases visibility and finer-grained control
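The two PIM slides above (how time-limited activation works, and what PIM gives you) describe a state machine: a role assignment is eligible, becomes active only after MFA and a justification, expires on a clock, and is reported on. The following is an added example, not code from the deck or from Azure AD, that implements that state machine in a small class so the rules can be checked: eligibility confers nothing by itself, activation without MFA is refused, a requested duration is capped at the configured maximum, the role is active only inside its window, and an alert lists eligible users who never activated. The role names are the slide's; the clock, the durations, the audit layout and the sample users are assumptions.

```python
"""Added example (not from the deck): just-in-time activation of privileged
roles as the PIM slides describe it. Eligible vs. active assignments, MFA and
a justification enforced at activation, a capped activation window, an audit
trail, and an alert for eligible users who never activate. Role names are the
slide's; durations, clock and data layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Activation:
    user: str
    role: str
    activated_at: datetime
    expires_at: datetime
    justification: str


class PrivilegedIdentityManager:
    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self.eligible = {}      # role -> set of users eligible to activate it
        self.activations = []   # every Activation ever granted (audit history)
        self.audit = []         # (when, event, user, role, detail)

    def _log(self, when, event, user, role, detail=""):
        self.audit.append((when, event, user, role, detail))

    def make_eligible(self, admin: str, user: str, role: str, now: datetime) -> None:
        """Granted by a security admin; confers no rights until activated."""
        self.eligible.setdefault(role, set()).add(user)
        self._log(now, "eligible", user, role, f"by {admin}")

    def activate(self, user: str, role: str, justification: str, mfa_verified: bool,
                 now: datetime, duration: Optional[timedelta] = None) -> Activation:
        if user not in self.eligible.get(role, set()):
            self._log(now, "activate_denied", user, role, "not eligible")
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_verified:
            self._log(now, "activate_denied", user, role, "mfa not verified")
            raise PermissionError("MFA is required before activation")
        if not justification.strip():
            raise ValueError("a justification is required")
        # A requested duration never exceeds the tenant-wide maximum.
        wanted = duration or self.max_duration
        act = Activation(user, role, now, now + min(wanted, self.max_duration), justification)
        self.activations.append(act)
        self._log(now, "activated", user, role, f"until {act.expires_at.isoformat()}")
        return act

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Privileges exist only inside an unexpired activation window."""
        return any(a.user == user and a.role == role and a.activated_at <= now < a.expires_at
                   for a in self.activations)

    def unused_eligible(self, now: datetime, window: timedelta) -> list:
        """Alert input: (user, role) pairs eligible but not activated within the window."""
        recent = {(a.user, a.role) for a in self.activations if a.activated_at >= now - window}
        return sorted((u, r) for r, users in self.eligible.items() for u in users if (u, r) not in recent)


def demo() -> dict:
    """Constructed walk-through with a fixed clock; returns the observable results."""
    t0 = datetime(2017, 2, 14, 9, 0)
    pim = PrivilegedIdentityManager(max_duration=timedelta(hours=1))
    pim.make_eligible("secadmin", "jen", "Global Administrator", t0)
    pim.make_eligible("secadmin", "sam", "Billing Administrator", t0)
    try:
        pim.activate("jen", "Global Administrator", "ticket 4711", mfa_verified=False, now=t0)
        denied_without_mfa = False
    except PermissionError:
        denied_without_mfa = True
    act = pim.activate("jen", "Global Administrator", "ticket 4711", mfa_verified=True,
                       now=t0, duration=timedelta(hours=8))   # capped to 1 h
    return {
        "denied_without_mfa": denied_without_mfa,
        "granted_minutes": int((act.expires_at - act.activated_at).total_seconds() // 60),
        "active_before_activation": pim.has_role("jen", "Global Administrator", t0 - timedelta(minutes=1)),
        "active_at_30min": pim.has_role("jen", "Global Administrator", t0 + timedelta(minutes=30)),
        "active_at_2h": pim.has_role("jen", "Global Administrator", t0 + timedelta(hours=2)),
        "unused_after_30_days": pim.unused_eligible(t0 + timedelta(days=30), timedelta(days=30)),
        "audit_events": [e[1] for e in pim.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details carry the security value. The denied activation is written to the audit trail as well as the successful one, so an attacker probing a stolen eligible account leaves a record; and `has_role` consults only the activation windows, never the eligibility list, which is what makes a standing eligible assignment safe to leave in place.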

DETECT ATTACKS BEFORE THEY CAUSE DAMAGE: Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users. An on-premises platform to identify advanced security attacks and insider threats before they cause damage: behavioral analytics, detection of advanced attacks and security risks, advanced threat detection.

Microsoft Cloud App Security

• Discovery: gain complete visibility and context for cloud usage and shadow IT, no agents required
• Data control: shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP
• Threat protection: identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats
• Integrate with existing security, mobility, and encryption solutions

Enterprise Mobility + Security: the Microsoft solution

• Azure Information Protection: protect your data, everywhere
• Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
• Azure Active Directory: manage identity with hybrid integration to protect application access from identity attacks
• Advanced Threat Analytics: detect threats early with visibility and threat analytics
• Intune: protect your users, devices, and apps

Industries: transportation, logistics, oil and gas, retail, hospitality and travel, health, construction, professional services, government, banking, insurance, education, nonprofit.

Manage access at scale: manage identities and access at scale in the cloud and on-premises
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience

1000s of apps, 1 identity: provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
• Single sign-on to 1000s of pre-integrated apps / your own apps
• Secure remote access to on-premises apps
• SSO to mobile apps
• Support for lift-and-shift to the cloud

Cloud-powered protection: ensure user and admin accountability with better security and governance
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities

Enable business without borders: stay productive with universal access to every app and collaboration capability
• Ease of use for end users / integration with Office
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer facing applications


Razor Technology for EMS: Deploy it Right, now included with all EMS services

Razor’s Fast Deployment for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium.

Azure Active Directory Premium. Razor will:
• Get organizational identities to the cloud
• Set up single sign-on for test apps (including Azure Active Directory Application Proxy apps)
• Configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site

Microsoft Intune. Razor will:
• Set up users and groups
• Enable management of test devices
• Optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single pane management experience

Azure Rights Management Premium. Razor will:
• Retain control of sensitive documents locally and over email
• Automatically protect mail containing privileged information
• Ensure files stored in SharePoint are rights protected

Appendix L300 – more detailed slides

Identity as the control plane (build-up diagram over four slides)

1. On-premises: Windows Server Active Directory.
2. VPN and BYO devices appear, along with SaaS, Azure and public cloud applications and customers and partners outside the perimeter.
3. Microsoft Azure Active Directory is introduced in the cloud, linked to the on-premises directory.
4. Azure AD as the control plane: on-premises Windows Server Active Directory, BYO devices, Azure, public cloud, customers and partners all connect through Microsoft Azure Active Directory.

Azure Active Directory editions

Feature | Free | Basic | Premium | Office 365 apps
Directory as a service | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
User/group management (add/update/delete), user-based provisioning, device registration, user-based access management/provisioning, basic security/usage reports | Yes | Yes | Yes | Yes
Single sign-on | 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (Free tier + Application Proxy apps) | No limit (Free and Basic tiers + self-service app integration templates) | 10 apps per user (pre-integrated SaaS and developer-integrated apps)
Self-service password change for cloud users | Yes | Yes | Yes |
Connect (sync engine that extends on-premises directories to Azure Active Directory) | Yes | Yes | Yes |

Basic features (also in Premium) | Free | Basic | Premium | Office 365 apps
Group-based access management/provisioning, provisioning customization | | Yes | Yes |
Self-service password reset for cloud users | | Yes | Yes | Yes
Company branding (logon pages/access panel customization) | | Yes | Yes | Yes
Application Proxy | | Yes | Yes |
SLA | | Yes | Yes | Yes

Premium features | Premium P1 | Premium P2 | Office 365 apps
Self-service group and app management, self-service application additions, dynamic groups | Yes | Yes |
Self-service password reset/change/account unlock with on-premises write-back | Yes | Yes |
Advanced usage reporting | Yes | Yes |
Multi-factor authentication (cloud and on-premises (MFA server)) | Yes | Yes | Limited, cloud only for Office 365 apps
MIM CAL + MIM server | Yes | Yes |
Cloud app discovery | Yes | Yes |
Automated password rollover | Yes | Yes |
Connect Health | Yes | Yes |
Conditional Access (user, application, location, device rules) | Yes | Yes |
Identity Protection | | Yes |
Privileged Identity Management | | Yes |
Windows 10: MDM auto-enrolment, self-service BitLocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming | Yes | Yes |

The source table was flattened in extraction. Where it prints Yes values without column positions, they are placed as the section headings imply: common features under Free, Basic and Premium; Basic features under Basic, Premium and, for rows with three values, Office 365 apps. The Windows 10 row carried a single Yes and is shown under Premium.


Azure Active Directory: a comprehensive identity and access management cloud solution for your employees, partners, and customers (B2E, B2B, B2C). It combines directory services, advanced identity governance, application access management, and a rich standards-based platform for developers.

1000s OF APPS, 1 IDENTITY: Azure Active Directory Connect (sync engine + ADFS)

• Consolidated deployment assistant for your identity bridge components.
• All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
• Assisted deployment of ADFS will be available through Azure Active Directory Connect.
• ADFS is an optional component for authentication in hybrid implementations. Password sync can replace ADFS for more scenarios.

1000s OF APPS, 1 IDENTITY: Sign-in options for synchronized identities

1st option: identity + password (hash) synchronization. Azure AD Connect synchronizes identities and password hashes; Azure Active Directory authenticates the user itself.

2nd option: identity synchronization + ADFS. Azure AD Connect synchronizes identities only; authentication is passed to Windows Server Active Directory via ADFS.

New option: identity synchronization + pass-through authentication with Seamless SSO. Azure AD Connect synchronizes identities only; authentication is passed to Windows Server Active Directory via a pass-through authentication agent (connector) on the Contoso corpnet, and Seamless SSO signs in users on domain-joined devices on the corporate network with Kerberos.

Seamless SSO is now enabled for the 1st option, too: identity + password (hash) synchronization with Seamless SSO.

More options than ever: identity synchronization + ADFS; identity synchronization + pass-through authentication + Seamless SSO; identity + password hash synchronization + Seamless SSO.

1000s OF APPS, 1 IDENTITY: How pass-through authentication works

1. The user enters their user name and password at the Azure AD Security Token Service.
2. The connector on the Contoso corpnet is notified of the request.
3. The connector validates the credentials against AD.
4. The DC returns the result.
5. The connector returns the result to Azure AD.
6. A token is returned to the user, or further proofs (MFA) are initiated.

How Seamless SSO works with pass-through authentication and password hash synchronization

1. The user enters their username.
2. Azure AD responds with a 401 to get a Kerberos ticket.
3. The user requests a Kerberos ticket from the corporate network.
4. AD returns the Kerberos ticket.
5. The user sends the ticket to the Azure AD STS.
6. A token is returned to the user, or further proofs (MFA) are initiated.
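The sign-in option slides above differ in one thing that matters to a defender: where the password is verified and therefore what credential material the cloud holds. The following is an added example, not code from the deck or from Azure AD Connect, that models the two paths side by side. Under password hash synchronization the cloud STS verifies a synced hash itself; under pass-through authentication the STS hands the user name and password to a connector on corpnet, which validates against the directory and returns only a yes/no, so the cloud store contains no password material. Both paths then run the same MFA step-up from step 6. The salted PBKDF2 derivation, the fixed OTP check, the token format and the sample accounts are stand-ins chosen for the example; the real synced-hash format and agent protocol are not reproduced.

```python
"""Added example (not from the deck): a model of the two credential-validation
paths. Under password hash synchronization (phs) the cloud STS verifies a synced
hash; under pass-through authentication (pta) it asks an on-premises connector,
which returns only a verdict. Both finish with the same MFA step-up. Hashing
scheme, OTP check, token format and sample accounts are assumptions."""
import hashlib
import hmac
import os


def derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the real synced-hash format (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OnPremDirectory:
    """Windows Server Active Directory, reduced to a credential store."""
    def __init__(self):
        self._accounts = {}   # upn -> (salt, derived hash)

    def add_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[upn] = (salt, derive(password, salt))

    def validate(self, upn: str, password: str) -> bool:
        if upn not in self._accounts:
            return False
        salt, stored = self._accounts[upn]
        return hmac.compare_digest(stored, derive(password, salt))

    def export_hashes(self) -> dict:
        """What the sync engine copies to the cloud under password hash sync."""
        return dict(self._accounts)


class PassThroughConnector:
    """Runs on corpnet; the cloud only ever sees its yes/no answer."""
    def __init__(self, directory: OnPremDirectory):
        self._directory = directory

    def check(self, upn: str, password: str) -> bool:
        return self._directory.validate(upn, password)


class CloudSTS:
    def __init__(self, mode: str, synced_hashes=None, connector=None, mfa_users=()):
        assert mode in ("phs", "pta")
        self.mode = mode
        self._hashes = synced_hashes or {}      # stays empty under pta
        self._connector = connector
        self._mfa_users = set(mfa_users)
        self._signing_key = os.urandom(32)

    def holds_password_material(self) -> bool:
        return bool(self._hashes)

    def _primary_auth(self, upn: str, password: str) -> bool:
        if self.mode == "phs":
            if upn not in self._hashes:
                return False
            salt, stored = self._hashes[upn]
            return hmac.compare_digest(stored, derive(password, salt))
        return self._connector.check(upn, password)

    def sign_in(self, upn: str, password: str, otp: str = None) -> dict:
        if not self._primary_auth(upn, password):
            return {"result": "denied"}
        # Step 6 of the slide: users under an MFA policy must present a second
        # factor; a fixed constructed OTP stands in for push/OTP verification.
        if upn in self._mfa_users and otp != "246810":
            return {"result": "mfa_required"}
        token = hmac.new(self._signing_key, upn.encode(), "sha256").hexdigest()
        return {"result": "token", "token": token}


def demo() -> dict:
    """Constructed accounts run through both paths; returns the observable results."""
    ad = OnPremDirectory()
    ad.add_user("alice@contoso.com", "Winter2017!")
    ad.add_user("admin@contoso.com", "C0rrect-Horse")
    phs = CloudSTS("phs", synced_hashes=ad.export_hashes(), mfa_users=["admin@contoso.com"])
    pta = CloudSTS("pta", connector=PassThroughConnector(ad), mfa_users=["admin@contoso.com"])
    return {
        "phs_good": phs.sign_in("alice@contoso.com", "Winter2017!")["result"],
        "phs_bad": phs.sign_in("alice@contoso.com", "wrong")["result"],
        "pta_good": pta.sign_in("alice@contoso.com", "Winter2017!")["result"],
        "pta_bad": pta.sign_in("alice@contoso.com", "wrong")["result"],
        "pta_unknown_user": pta.sign_in("mallory@contoso.com", "x")["result"],
        "admin_no_otp": pta.sign_in("admin@contoso.com", "C0rrect-Horse")["result"],
        "admin_with_otp": pta.sign_in("admin@contoso.com", "C0rrect-Horse", otp="246810")["result"],
        "phs_cloud_holds_hashes": phs.holds_password_material(),
        "pta_cloud_holds_hashes": pta.holds_password_material(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trade-off the example makes visible: pass-through authentication keeps password material on premises, but every cloud sign-in now depends on a connector being reachable, which is why the deck's advice on deploying several connectors for redundancy applies to authentication agents as much as to Application Proxy. Password hash synchronization keeps sign-in working when the corpnet is down, at the cost of a synced hash in the tenant.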

Application Proxy connectors

• Connectors are usually deployed on corpnet next to the resources.
• Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources.
• Users connect to the cloud service, which routes their traffic to resources via the connectors.
• The connector auto-connects to the cloud service: the connection is outbound from corpnet, so no inbound port through the DMZ has to be opened for the published app.

1000s OF APPS, 1 IDENTITY

Diagram: the user reaches https://app1-contoso.msappproxy.net/ on Application Proxy, which forwards through the DMZ to the internal http://app1.

ENABLE BUSINESS WITHOUT BORDERS: Azure Active Directory B2B collaboration

“I need to let my partners access my company’s apps using their own credentials.”

Share without complex configuration or duplicate users
• Partners use their own credentials to access your org
• Partners manage their own credentials
• Users lose access when they leave the partner org
• No external directories
• No per-partner federation

You manage access: you control partner access in your directory
• app assignment
• group membership
• custom attributes

Partners of all sizes
• Bulk invite 1000s at a time
• Partners with Azure Active Directory sign in to accept the invite
• Other partners simply sign up to accept the invite

Kodak Alaris (quoted above): 3,000+ partners.

CLOUD-POWERED PROTECTION: Built-in security features

• Security reporting that tracks inconsistent access patterns, analytics, and alerts
• Reporting API

Microsoft Azure Active Directory Cloud App Discovery: discover all SaaS apps in use within your organization, with comprehensive reporting by SaaS app category, number of users, and utilization volume. (Source: Help Net Security 2014: … as many cloud apps are in use as IT estimates.)

CLOUD-POWERED PROTECTION: Step up to Multi-Factor Authentication

Azure Multi-Factor Authentication: a standalone Azure identity and access management service, also included in Azure Active Directory Premium. Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication. Trusted by thousands of enterprises to authenticate employee, customer, and partner access. Verification methods: text messages, phone calls, mobile apps.

How it works:
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.

Diagram (monitor and protect): cloud apps are protected by Azure Active Directory Multi-Factor Authentication; on-premises apps (RADIUS, LDAP, IIS, RDS/VDI, backed by Windows Server Active Directory or other LDAP) are protected by the Multi-Factor Authentication Server.

CLOUD-POWERED PROTECTION: MFA feature comparison

Feature | MFA for Office 365/Azure Administrators | Azure Multi-Factor Authentication
Administrators can enable/enforce MFA to end users | Yes | Yes
Use mobile app (online and OTP) as second authentication factor | Yes | Yes
Use phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
Application passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Suspend MFA from known devices | Yes | Yes
Custom greetings during authentication phone calls | | Yes
Fraud alert | | Yes
MFA SDK | | Yes
Security reports | | Yes
MFA for on-premises applications / MFA server | | Yes
One-time bypass | | Yes
Block/unblock users | | Yes
Customizable caller ID for authentication phone calls | | Yes
Event confirmation | | Yes
Trusted IPs | | Yes

DETECT ATTACKS BEFORE THEY CAUSE DAMAGE: how Advanced Threat Analytics works

1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from SIEM.
2. Learn: ATA automatically learns all entities’ behaviors.
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline.

CLOUD-POWERED PROTECTION: Reduce risks of excessive access to your organization’s data

• Dashboards with insights
• Policy driven review workflows for governance decisions
• Richer auditing to address compliance reporting needs
• Decisions at the business level (self-service)

EMPOWER USERS: hybrid identity

Diagram: user identities from multiple repositories (HR system, LDAP, Oracle DB, finance, web apps) are brought into Windows Server Active Directory over LDAP v3, Windows PowerShell, web services (SOAP, Java, REST), and generic SQL via ODBC, and from there to Microsoft Azure Active Directory, serving apps in Azure, third-party apps and clouds, apps on-premises, and a world of devices.

Microsoft’s IAM solution: Windows Server Active Directory + Microsoft Identity Manager + Microsoft Azure Active Directory

Diagram: apps in Azure, third-party apps and clouds (Microsoft Cloud), and apps on-premises (reached through the AAD App Proxy) are all served by Microsoft Azure Active Directory, with Microsoft Identity Manager bridging on-premises identity.

Spans cloud and on-premises and provides the full spectrum of services:
• Federation
• Identity management
• Device registration
• User provisioning
• Application access control
• Data protection

Modern identity management system: the combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today’s hybrid enterprise.

MANAGE EVERYTHING: Microsoft Identity Manager 2016

Cloud-ready identities: automatic preparation of Active Directory identities for synchronization with Azure Active Directory
• Standardized Active Directory attributes and values
• Partitioned identities for synchronization to the cloud
• Easier-to-deploy reporting connected to Azure Active Directory
• Preparation of user profiles for Microsoft Office 365

Powerful user self-service: password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management
• Self-service password reset with Multi-Factor Authentication
• New REST-based APIs for AuthN/AuthZ
• Self-service account unlock
• Certificate management support for multi-forest and modern apps

Enhanced security: hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols
• Privileged user and account discovery
• New Windows PowerShell support and REST-based API
• Workflow management: elevated just-in-time administrator access
• Reporting and auditing specific to privileged access management

MANAGE EVERYTHING

ON-PREMISES
Managed: Microsoft System Center Configuration Manager
On-premises LOB applications, traditional productivity
iOS, Android, Windows Phone, BYOD
Mobile apps, shadow IT SaaS solutions

HYBRID
Managed: Microsoft Intune connected to System Center Configuration Manager
On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation
Deployment of cloud-enabled rich clients
Managed cloud identities with Multi-Factor Authentication

CLOUD
Managed by EMS: combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10)
Managed SaaS and Office 365 Enterprise, full Azure IAM

Events: Mobility; Win 8.x/10

Microsoft Identity Manager 2016

MANAGE EVERYTHING

Diagram: Microsoft Identity Manager 2016 (MIM) provides IAM for on-premises applications; Azure AD Connect synchronizes identities to Microsoft Azure Active Directory in Microsoft Azure; Azure AD App Proxy publishes on-premises applications to the cloud. The user signs in with username and password (with a "Forgot your password?" link), IT manages the user's identity, and the user gets self-service experiences.

Microsoft Identity Manager 2016

Collapse directories, map multiple identities, transform usernames and other attributes

Sources: user, existing apps, existing FIM, existing AD forests (Windows Server 2003 or later)

Privileged access management

Diagram: Microsoft Identity Manager configured for PAM. Group: Resource Admins; Domain: CORP; Candidate: Jen. AD DS: the existing CORP forest and a separate PRIV forest, joined by the existing trust plus a trust for admin access. User "JenAdmin" submits access requests to MIM, which grants time-based memberships; the resulting logon shows User: PRIV\JenAdmin, Groups: CORP\Resource Admins, Refresh after: 60 minutes.
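The time-based membership in the slide above (PRIV\JenAdmin holding CORP\Resource Admins for 60 minutes) rests on the expiring-link feature of Windows Server 2016 AD DS in the bastion forest. The PowerShell below is an added example, not code from the deck or from MIM: MIM's PAM request workflow performs the membership add for you, and the script shows the underlying primitive together with the checks a practitioner runs to confirm the grant really expires. The bastion forest name priv.contoso.local, the shadow group name "CORP.Resource Admins" and the user JenAdmin are assumptions.

```powershell
# Added example (not from the slides or from MIM): the expiring-link membership
# that MIM PAM creates for a request, plus the checks that it really expires.
# Hypothetical names: bastion forest priv.contoso.local, shadow group
# "CORP.Resource Admins" and user JenAdmin in that forest. Run with the
# ActiveDirectory module (RSAT) as an administrator of the bastion forest.
Import-Module ActiveDirectory

$BastionForest = 'priv.contoso.local'
$ShadowGroup   = 'CORP.Resource Admins'
$Candidate     = 'JenAdmin'
$Ttl           = New-TimeSpan -Minutes 60      # matches "Refresh after: 60 minutes"

# 1. Expiring links need the PAM optional feature in the bastion forest
#    (Windows Server 2016 forest functional level). Enabling it is irreversible.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Server $BastionForest
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $BastionForest -Server $BastionForest -Confirm:$false
}

# 2. Grant the membership with a TTL. Leaving out -MemberTimeToLive turns this
#    into a standing grant, which is exactly what PAM exists to avoid.
Add-ADGroupMember -Identity $ShadowGroup -Members $Candidate -MemberTimeToLive $Ttl -Server $BastionForest

# 3. Read the links back with their remaining TTL. Expiring links are returned as
#    "<TTL=3540,CN=JenAdmin,OU=...>"; anything without a TTL is a standing member.
function Get-ExpiringMembership {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$Server)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive -Server $Server
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Expiring = $true }
        } else {
            [pscustomobject]@{ Member = $m;           SecondsLeft = $null;             Expiring = $false }
        }
    }
}

$links = Get-ExpiringMembership -Group $ShadowGroup -Server $BastionForest
$links | Format-Table -AutoSize
$links | Where-Object { -not $_.Expiring } |
    ForEach-Object { Write-Warning "Standing (non-expiring) member of '$ShadowGroup': $($_.Member)" }

# 4. Token side, in JenAdmin's own session on a CORP host:   klist tgt
#    With the PAM feature enabled the KDC caps the TGT lifetime at the smallest
#    remaining TTL of the user's expiring memberships, so the ticket end time
#    should not exceed SecondsLeft above. CORP\Resource Admins reaches the token
#    through SID history across the admin trust; the CORP group itself is not changed.
```

Two caveats follow from step 4. The trust for admin access must allow SID history to flow from the bastion forest, so keep that setting scoped to the PRIV trust only. And because the CORP group's member list never changes during a just-in-time grant, monitoring CORP group membership will not show these elevations; audit the MIM PAM requests and the shadow group in the bastion forest instead.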

Deep dive: DirSync, Azure AD, and MIM Sync

DirSync → Azure Active Directory Sync → Azure Active Directory Connect

FIM Sync (+ Azure Active Directory Connector) → MIM Sync (+ Azure Active Directory Connector) → Azure Active Directory Connect

Connect and sync on-premises directories with Azure

Azure Active Directory Connect: Microsoft Azure Active Directory; other directories via PowerShell, LDAP v3, SQL (ODBC), Web services (SOAP, Java, REST)
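The "cloud-ready identities" bullets (standardized attributes, partitioned identities), MIM's collapse/map/transform step and Azure AD Connect above all come down to one practical question: is each on-premises object fit to become exactly one cloud identity? The PowerShell below is an added example, not code from the deck, from MIM or from Azure AD Connect. It runs over constructed sample records; the forest names CORP and FABRIK, the tenant domain contoso.com and every account are made up. In production the records would come from Get-ADUser in each forest, or from the MIM metaverse after join and projection.

```powershell
# Added example (not from the slides, MIM or Azure AD Connect): checks that each
# on-premises object is fit to become one cloud identity before it is synced.
# Sample records below are constructed; in production they would come from
#   Get-ADUser -Filter * -Properties userPrincipalName,mail,proxyAddresses,adminCount
# in each forest, or from the MIM metaverse after join/projection.
$VerifiedDomain = 'contoso.com'    # assumption: the domain verified in the Azure AD tenant

$Users = @(
    [pscustomobject]@{ Forest='CORP';   SamAccountName='jen';       UserPrincipalName='jen@corp.local';        ProxyAddresses=@('SMTP:jen@contoso.com'); AdminCount=0 }
    [pscustomobject]@{ Forest='FABRIK'; SamAccountName='jen.wu';    UserPrincipalName='jen.wu@fabrikam.local'; ProxyAddresses=@('smtp:JEN@contoso.com'); AdminCount=0 }
    [pscustomobject]@{ Forest='CORP';   SamAccountName='jenadmin';  UserPrincipalName='jenadmin@corp.local';   ProxyAddresses=@();                       AdminCount=1 }
    [pscustomobject]@{ Forest='CORP';   SamAccountName='bob smith'; UserPrincipalName='bob smith@contoso.com'; ProxyAddresses=@('SMTP:bob@contoso.com'); AdminCount=0 }
)

function ConvertTo-CloudUpn {
    # "Transform usernames": derive a routable UPN from sAMAccountName by lowercasing,
    # turning whitespace into dots, dropping characters Azure AD rejects in a UPN
    # prefix and trimming stray dots.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Domain)
    $prefix = $SamAccountName.ToLowerInvariant() -replace '\s+', '.'
    $prefix = ($prefix -replace '[^a-z0-9._\-'']', '').Trim('.')
    return "$prefix@$Domain"
}

function Test-SyncReadiness {
    param([Parameter(Mandatory)][object[]]$Users,
          [Parameter(Mandatory)][string]$VerifiedDomain)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($User, $Check, $Detail) {
        $findings.Add([pscustomobject]@{ Forest=$User.Forest; Account=$User.SamAccountName; Check=$Check; Detail=$Detail })
    }

    foreach ($u in $Users) {
        $prefix, $suffix = $u.UserPrincipalName -split '@', 2
        $proposed = ConvertTo-CloudUpn -SamAccountName $u.SamAccountName -Domain $VerifiedDomain

        # Standardized attributes: a .local (or any unverified) suffix cannot be used in the cloud.
        if ($suffix -ne $VerifiedDomain) {
            Add-Finding $u 'UpnSuffixNotVerified' "suffix '$suffix' is not verified in the tenant; proposed $proposed"
        }
        if ($prefix -notmatch '^[a-z0-9._\-'']+$') {
            Add-Finding $u 'UpnPrefixInvalid' "prefix '$prefix' has characters Azure AD rejects; proposed $proposed"
        }
        # Partitioned identities: on-premises privileged accounts stay out of the sync
        # scope; cloud administration uses separate, cloud-only accounts.
        if ($u.AdminCount -eq 1) {
            Add-Finding $u 'PrivilegedAccount' 'adminCount=1: exclude from sync scope and use a cloud-only admin account'
        }
    }

    # Collapse directories / map multiple identities: the same person in two forests
    # surfaces as the same SMTP address. Azure AD rejects the second object as a
    # duplicate, so the two objects must be joined into one identity before sync.
    $Users |
        ForEach-Object { $u = $_; $u.ProxyAddresses | ForEach-Object {
            [pscustomobject]@{ Address = ($_ -replace '^smtp:', '').ToLowerInvariant(); User = $u } } } |
        Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
            $grp = $_
            $owners = ($grp.Group | ForEach-Object { "$($_.User.Forest)\$($_.User.SamAccountName)" }) -join ', '
            foreach ($entry in $grp.Group) {
                Add-Finding $entry.User 'DuplicateAddress' "'$($grp.Name)' is also on $owners; join to one metaverse identity before sync"
            }
        }
    return $findings
}

Test-SyncReadiness -Users $Users -VerifiedDomain $VerifiedDomain | Format-Table -AutoSize
```

On the constructed data the script flags the two "jen" objects as both unroutable and duplicated (the candidates for a MIM join), jenadmin as a privileged account to keep out of the sync partition, and "bob smith" only for its UPN prefix. The privileged-account rule is the security-relevant one: an on-premises Domain Admin synced into the tenant and then granted a cloud role ties the blast radius of a cloud compromise to the on-premises forest, and vice versa.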

Deep dive: IAM in MIM vs. Azure Active Directory

Capability                      Azure Active Directory   Microsoft Identity Manager
Password reset/management       YES                      YES
Group management                YES, not dynamic         YES
Provisioning, deprovisioning    NO                       YES
Certificate management          NO                       YES
Role-based access control       NO                       YES

Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is part of the Enterprise Mobility Suite.

Microsoft Enterprise Mobility Suite is the most cost-effective way to acquire all included cloud services: Azure Active Directory Premium, Azure Rights Management, and Intune.

Purchasing Microsoft Identity Manager 2016

Licensed on a per-user basis
Client Access License (CAL): required for each user whose identity is managed
Windows Server license with active Software Assurance: required to use the Microsoft Identity Manager 2016 server software as a Windows Server add-on

Demo
