identity and access management from microsoft and razor technology
Mobile-first, cloud-first reality
Data breaches: 63% of confirmed data breaches involve weak, default, or stolen passwords.
IT budget growth: Gartner predicts global IT spend will grow only 0.6% in 2016.
Shadow IT: More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
Enterprise Mobility + Security The Microsoft vision
Identity Driven Security
Managed Mobile Productivity
Comprehensive Solution
Apps, Devices, Data, Users
Azure Active Directory as the control plane
Identity as the core of enterprise mobility
Single sign-on, Self-service, Simple connection
On-premises: Windows Server Active Directory, Other directories
Cloud: Microsoft Azure Active Directory, SaaS, Azure, Public cloud
Customers, Partners
37K Azure AD Premium/EMS users
>110k third-party applications used with Azure AD
>1.3 billion authentications every day on Azure AD
More than 750M user accounts on Azure AD
>10M Azure AD directories
>85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Microsoft’s “Identity Management as a Service (IDaaS)”
for organizations.
Millions of independent identity systems controlled by
enterprise and government “tenants.”
Information is owned and used by the controlling
organization—not by Microsoft.
Born-as-a-cloud directory for Office 365. Extended to
manage across many clouds.
Evolved to manage an organization’s relationships with
its customers/citizens and partners (B2C and B2B).
Identity is the new control plane
Azure Active Directory at the core of your business
1000s of apps, 1 identity
Manage access at scale
Cloud-powered protection
Enable business without borders
“Azure AD Premium makes life simpler for the business and for employees. It gives them access to enterprise applications from any device with a single sign-on that is secure and reliable. That is fundamental in increasing the adoption of cloud technology.”
- Kapil Mehta, Productivity & Directory Services Manager
1000s of apps, 1 identity
• Single sign-on for SaaS apps
• Single sign-on for mobile apps
• Support for lift-and-shift of traditional apps to the cloud
• Secure remote access to on-premises apps
• Connect your on-premises identities to the cloud
“With Azure Active Directory integrated into Smartsheet, our employees don’t need to remember another sign-in. They can use one credential to get to all their applications.”
- Mike Kirkpatrick, Director of Marketing, Ontario Division, Canadian Cancer Society
“The company uses Microsoft Azure Active Directory Premium, another part of Microsoft EMS, to manage the authentication of all 1,600 employees to all company applications. It used Azure AD Premium to provide SSO access to a wide number of applications, including Concur, Oracle, ADP, and Meraki, with more to come.”
“We were surprised to see that 90 percent of the SaaS apps in use at Mattamy were already endorsed for single sign-on within Azure Active Directory Premium”
- Aaron Pais, Vice President of IT, Mattamy Homes
Azure Active Directory Connect and Connect Health
Microsoft Azure Active Directory
MIM *
HR apps
Other directories: PowerShell, SQL (ODBC), LDAP v3, Web Services (SOAP, JAVA, REST)
Connect and sync on-premises directories with Azure Active Directory
1000s OF APPS, 1 IDENTITY
Web apps (Azure Active Directory Application Proxy), integrated custom apps, SaaS apps, other directories
2700+ pre-integrated popular SaaS apps and self-service integration via templates
Connect and sync on-premises directories with Azure
Easily publish on-premises web apps via Application Proxy + custom apps
Microsoft Azure; DMZ; https://appX-contoso.msappproxy.net/
1000s OF APPS, 1 IDENTITY
Single Sign-on to on-premises applications
Application Proxy: User → Microsoft Azure Active Directory → connectors (in Azure or 3rd party IaaS, and in the DMZ behind https://appX-contoso.msappproxy.net/) → apps
1000s OF APPS, 1 IDENTITY
Access even more on-premises web applications
Application Proxy: User → Microsoft Azure Active Directory → connectors → apps and other LoB apps
A mobile authenticator application for all platforms
1000s OF APPS, 1 IDENTITY
Converges the existing Azure Authenticator and all consumer Authenticator applications.
MFA for any account, enterprise or consumer and 3rd party: Push Notifications/OTP
Device Registration (workplace join)
SSO to native mobile apps - Certificate-based SSO
Future: Sign in to a device (Windows Hello), app, or website without a password
Azure Active Directory
Lift-and-shift on-premises apps to Azure IaaS
On-premises: Windows Server Active Directory, Azure AD Connect
Azure: Azure AD, Azure AD Domain Services, your virtual network, your Azure IaaS workloads/apps
1000s OF APPS, 1 IDENTITY
Your domain controller as a service for lift-and-shift scenarios: Kerberos, NTLM, LDAP, Group Policy
Enable business without borders
“We give them a username and password, and they’re able to reset their own passwords through Azure Active Directory. This is important, because we have such a small IT staff.”
- Scott Bentzel, Director of IT
Better connect with your consumers and partners
Ease of use for end users
Anytime, anywhere productivity
“The company also chose Azure Active Directory to simplify identity management for vendors and employees. With Azure Active Directory, the company provides fast, highly secure access to external vendors, cutting onboarding time from months to less than a week.”
- Johan Krebbers, IT Chief Technology Officer, Royal Dutch Shell
“…because we’re now able to give employees their own accounts, we can safely and securely send human resources documents in digitized form even if they are highly confidential, which eliminates traditional mailing.”
- Ryuji Katayama, Department Manager of the IT Planning Department, Corporate Strategy Division, Village Vanguard
“We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.”
Manage your account, apps, and groups
Company-branded, personalized application Access Panel:
http://myapps.microsoft.com
+ iOS and Android Mobile Apps
Integrated end user experiences
Self-service password reset
Application access requests
Integrated Office 365 app launching
ENABLE BUSINESS WITHOUT BORDERS
Microsoft Azure Active Directory
Collaborate with partners: B2B collaboration
Share without complex configuration or duplicate users
Partners of all sizes
You manage access
Kodak Alaris: 3,000+ partners
Intune/MDM auto-enrollment
Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory
Enterprise-compliant services
SSO from the desktop to cloud and on-premises applications with no VPN
Support for hybrid environments
MDM auto-enrollment for Windows 10 Azure AD joined devices
ENABLE BUSINESS WITHOUT BORDERS
Enterprise State Roaming
Superior economics
Identity experience engine
Consumer identity and access management in the cloud
Cross-platform
Identity management for consumers
“By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability.”
- Rafael de los Santos, Head of Digital, Real Madrid
ENABLE BUSINESS WITHOUT BORDERS
“Without Azure Active Directory integrated with our 2,100 customers’ AD databases, we simply could not manage all the passwords and logon activities of the many hundreds of thousands of teachers and students who make up our customer base.”
- Evan Clark, Founder & CEO, ClickView
Manage access at scale
Advanced user lifecycle management
Monitor your identity bridge
Low IT overhead
“We want to ensure that we’re keeping our operating costs as low as possible to focus our budget on more productive areas of the business. With the help of Azure Active Directory Premium, I’m managing ten times the number of SaaS applications with the same size team.”
- Daniel Birmingham, Identity Solutions Architect, Whole Foods Market
“We will be able to walk in with the computers, connect them to the Internet, and be done. User identity, SaaS access management, mobile device management—all accessible with a few clicks on a web-based console.”
- Arvid Johansson, CIO, SATS ELIXIA
Centralized access administration for pre-integrated SaaS apps and other cloud-based apps
Dynamic groups, device registration, secure business processes with advanced access management capabilities
Comprehensive identity and access management console
MANAGE ACCESS AT SCALE
IT professional
Provisioning and deprovisioning with customization options
MANAGE ACCESS AT SCALE
Monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365.
Monitor:
• The Azure AD Connect sync engine health
• ADFS infrastructure health
• On-premises AD Domain Services health
Cloud-powered protection
Protect against advanced threats
Conditional access to resources
Compliance Reporting
Mitigate administrative risks
“Identity is the new firewall of the future. We can’t continue to use our old way of controlling application access, because business isn’t happening exclusively in our network anymore. With Azure Active Directory Premium, we can stay in control, no matter where our users roam.”
- Will Lamb, Infrastructure Coordinator, Whole Foods Market
“By deploying Azure MFA the bank secured access to corporate data. Also there is no need for the end user to receive any trainings or carry additional components with them, such as tokens. “It was important for us to increase security without sacrificing end user experience. We could achieve this thanks to Azure MFA.”
- Fikri Bülent Çelik, Technology and Infrastructure Department Manager, TKFB
“With Azure AD Premium, Bristow Group now has the capabilities for multifactor authentication; access control (dependent upon device health and user location); holistic security reports; audits; and alerts. Azure Active Directory makes the work of a busy and mobile workforce easier, secures data and protects access to the company’s assets both in the cloud and on-premises.”
- Kapil Mehta, Productivity & Directory Services Manager, Bristow Group Inc.
“Vetco uses Microsoft Azure Active Directory Premium (part of the Microsoft Enterprise Mobility Suite) to help safeguard access to data through multifactor authentication.”
Conditions: User, App sensitivity, Device state, Location, Risk
Actions: Allow access or Block access; Enforce MFA per user/per app
NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES
CLOUD APP DISCOVERY, PRIVILEGED IDENTITY MANAGEMENT, MFA, IDENTITY PROTECTION
CLOUD-POWERED PROTECTION
CLOUD-POWERED PROTECTION
Identity Protection at its best
Risk severity calculation
Remediation recommendations
Risk-based conditional access automatically protects against suspicious logins and compromised credentials
Gain insights from a consolidated view of machine learning based threat detection
Machine-Learning Engine detects: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
Risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials
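A toy policy evaluator for the conditions (user, app sensitivity, device state, location), actions (allow, block, enforce MFA) and risk-based policies listed above, added here as an illustration rather than Microsoft's policy engine: the policy format, the risk scale, the sample policies and the sign-ins are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Identity Protection risk levels, lowest to highest (constructed scale).
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
# When several policies match, the most restrictive action wins.
ACTION_ORDER = {"allow": 0, "mfa": 1, "block": 2}


@dataclass(frozen=True)
class SignIn:
    """The conditions evaluated for one sign-in attempt (constructed fields)."""
    user: str
    app: str
    app_sensitivity: str      # "low" or "high"
    device_compliant: bool    # device state as reported by MDM
    trusted_location: bool    # e.g. corpnet or a named trusted IP range
    risk: str                 # "none" | "low" | "medium" | "high"


@dataclass(frozen=True)
class Policy:
    """One conditional-access rule: the conditions it applies to and its action."""
    name: str
    action: str                                   # "allow" | "mfa" | "block"
    users: frozenset[str] | None = None          # None: every user
    apps: frozenset[str] | None = None           # None: every app
    app_sensitivity: str | None = None           # None: any sensitivity
    skip_if_compliant_device: bool = False       # compliant devices are exempt
    skip_if_trusted_location: bool = False       # trusted locations are exempt
    min_risk: str = "none"                       # applies at this risk or above

    def matches(self, s: SignIn) -> bool:
        if self.users is not None and s.user not in self.users:
            return False
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.app_sensitivity is not None and s.app_sensitivity != self.app_sensitivity:
            return False
        if self.skip_if_compliant_device and s.device_compliant:
            return False
        if self.skip_if_trusted_location and s.trusted_location:
            return False
        return RISK_ORDER[s.risk] >= RISK_ORDER[self.min_risk]


@dataclass
class Decision:
    action: str                      # "allow" | "mfa" | "block"
    matched: list[str] = field(default_factory=list)
    remediation: list[str] = field(default_factory=list)


def evaluate(policies: list[Policy], s: SignIn) -> Decision:
    """Apply every matching policy and keep the most restrictive action.
    A high-risk sign-in (e.g. leaked credentials) additionally gets the
    'change bad credentials' remediation from the slide."""
    matched = [p for p in policies if p.matches(s)]
    if not matched:
        return Decision("allow")
    worst = max(matched, key=lambda p: ACTION_ORDER[p.action])
    decision = Decision(worst.action, [p.name for p in matched])
    if s.risk == "high":
        decision.remediation.append("require_password_change")
    return decision


# Constructed sample policy set; names and the admin account are assumptions.
SAMPLE_POLICIES = [
    Policy("block-high-risk", "block", min_risk="high"),
    Policy("mfa-medium-risk", "mfa", min_risk="medium"),
    Policy("mfa-sensitive-apps-offsite", "mfa", app_sensitivity="high",
           skip_if_trusted_location=True),
    Policy("mfa-unmanaged-devices", "mfa", skip_if_compliant_device=True),
    Policy("block-admins-offsite", "block",
           users=frozenset({"admin@contoso.example"}),
           skip_if_trusted_location=True),
]
```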
CLOUD-POWERED PROTECTION
Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools
Security/Monitoring/Reporting Solutions: Notifications, Data Extracts/Downloads, Reporting APIs
Apply Microsoft learnings to your existing security tools
Microsoft machine-learning engine: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
CLOUD-POWERED PROTECTION
Discover, restrict, and monitor privileged identities
Enforce on-demand, just-in-time administrative access when needed
Provides more visibility through alerts, audit reports and access reviews
Global Administrator
Billing Administrator
Exchange Administrator
User Administrator
Password Administrator
CLOUD-POWERED PROTECTION
How time-limited activation of privileged roles works
MFA is enforced during the activation process
Alerts inform administrators about out-of-band changes
Users need to activate their privileges to perform a task
Users will retain their privileges for a pre-configured amount of time
Security admins can discover all privileged identities, view audit reports and review everyone who is eligible to activate via access reviews
PRIVILEGED IDENTITY MANAGEMENT
SECURITY ADMIN: Configure Privileged Identity Management; Monitor; Audit; Access reports; ALERT
USER: Identity verification (MFA)
ADMIN PROFILES: Billing Admin, Global Admin, Service Admin, Read only
CLOUD-POWERED PROTECTION
• Removes unneeded permanent admin role assignments
• Limits the time a user has admin privileges
• Ensures MFA validation prior to admin role activation
• Reduces exposure to attacks targeting admins
• Separates role administration from other tasks
• Adds roles for read-only views of reports and history
• Asks users to review and justify continued need for admin role
• Simplifies delegation
• Enables least privilege role assignments
• Alerts on users who haven’t used their role assignments
• Simplifies reporting on admin activity
• Increases visibility and finer-grained control
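A small model of the time-limited activation flow described above and of the Privileged Identity Management benefits just listed (eligible versus permanent assignments, MFA and justification before activation, expiry, audit, alerts on out-of-band changes and on unused eligibilities). This is an added illustration, not Microsoft's PIM: the class, method names, durations and sample accounts are constructed; only the role names come from the slides.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Activation:
    user: str
    role: str
    justification: str
    activated_at: datetime
    expires_at: datetime


class PrivilegedIdentityManager:
    """Eligible assignments are dormant until activated; activation needs MFA
    and a justification, and lapses after a configured maximum duration."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)) -> None:
        self.max_duration = max_duration
        self.eligible: dict[str, set[str]] = {}     # role -> users allowed to activate
        self.permanent: dict[str, set[str]] = {}    # role -> users assigned outside PIM
        self.activations: list[Activation] = []
        self.last_activation: dict[tuple[str, str], datetime] = {}
        self.audit: list[str] = []
        self.alerts: list[str] = []

    def make_eligible(self, user: str, role: str, now: datetime) -> None:
        self.eligible.setdefault(role, set()).add(user)
        self.audit.append(f"{now.isoformat()} eligible {user} {role}")

    def activate(self, user: str, role: str, justification: str,
                 mfa_verified: bool, now: datetime,
                 duration: timedelta | None = None) -> Activation:
        """Time-limited activation: refused without eligibility, MFA or a
        justification; the requested duration is capped at the maximum."""
        if user not in self.eligible.get(role, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_verified:
            raise PermissionError("MFA must succeed before activation")
        if not justification.strip():
            raise ValueError("a justification is required")
        granted = min(duration or self.max_duration, self.max_duration)
        act = Activation(user, role, justification, now, now + granted)
        self.activations.append(act)
        self.last_activation[(user, role)] = now
        self.audit.append(f"{now.isoformat()} activate {user} {role} "
                          f"until {act.expires_at.isoformat()}: {justification}")
        return act

    def active_roles(self, user: str, now: datetime) -> set[str]:
        """Roles the user holds right now: unexpired activations plus any
        permanent assignments (the standing privilege PIM aims to remove)."""
        timed = {a.role for a in self.activations
                 if a.user == user and a.activated_at <= now < a.expires_at}
        standing = {role for role, users in self.permanent.items() if user in users}
        return timed | standing

    def observe_directory_assignment(self, user: str, role: str, now: datetime) -> None:
        """Models an out-of-band change: a permanent role assignment made
        directly in the directory instead of through PIM. It is recorded and
        an alert is raised for the security admin."""
        self.permanent.setdefault(role, set()).add(user)
        self.alerts.append(f"{now.isoformat()} out-of-band permanent assignment {user} {role}")

    def review_unused(self, now: datetime,
                      window: timedelta = timedelta(days=30)) -> list[tuple[str, str]]:
        """Access-review helper: eligible assignments not activated within the
        window, i.e. candidates for removal. Each one also raises an alert."""
        stale: list[tuple[str, str]] = []
        for role, users in sorted(self.eligible.items()):
            for user in sorted(users):
                last = self.last_activation.get((user, role))
                if last is None or now - last > window:
                    stale.append((user, role))
                    self.alerts.append(f"{now.isoformat()} unused eligibility {user} {role}")
        return stale
```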
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
An on-premises platform to identify advanced security attacks and insider threats before they cause damage
DETECT ATTACKS BEFORE THEY CAUSE DAMAGE
Behavioral Analytics
Detection of advanced attacks and security risks
Advanced Threat Detection
Discovery: Gain complete visibility and context for cloud usage and shadow IT—no agents required
Data control: Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP
Threat protection: Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats
Integrate with existing security, mobility, and encryption solutions
Azure Information Protection: Protect your data, everywhere
Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
Azure Active Directory: Manage identity with hybrid integration to protect application access from identity attacks
Advanced Threat Analytics: Detect threats early with visibility and threat analytics
Intune: Protect your users, devices, and apps
Enterprise Mobility + Security: The Microsoft solution
Transportation, Logistics, Oil-Gas Retail, Hospitality and Travel
HealthConstruction, Professional Services
Government, Banking, Insurance
Education, Nonprofit
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience
• Single sign-on to 1000s pre-integrated apps / your own apps
• Secure remote access to on-premises apps
• SSO to mobile apps
• Support for lift-and-shift to the cloud
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
• Ease of use for end users / integration with Office
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer facing applications
1000s of apps, 1 identity
Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Manage access at scale
Manage identities and access at scale in the cloud and on-premises
Cloud-powered protection
Ensure user and admin accountability with better security and governance
Enable business without borders
Stay productive with universal access to every app and collaboration capability
Razor’s Fast Deployment for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium.
Razor Technology for EMS: Deploy it Right. Now included with all EMS services
Azure Active Directory Premium. Razor will:
• Get organizational identities to the cloud
• Set up single sign-on for test apps (including Azure Active Directory Application Proxy apps)
• Configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site
Microsoft Intune. Razor will:
• Set up users and groups
• Enable management of test devices
• Optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single pane management experience
Azure Rights Management Premium. Razor will:
• Retain control of sensitive documents locally and over email
• Automatically protect mail containing privileged information
• Ensure files stored in SharePoint are rights protected
Identity as the control plane (Azure AD as the control plane)
On-premises: Windows Server Active Directory, VPN, BYO
Cloud: Microsoft Azure Active Directory, Azure, SaaS, Public cloud
Customers, Partners
Directory as a service: 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
User/group management (add/update/delete), user-based provisioning, device registration, user-based access management/provisioning, basic security/usage reports: Yes | Yes | Yes | Yes
Single sign-on: 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (free tier + Application Proxy apps) | No limit (free, Basic tiers + Self-Service App Integration templates 1) | 10 apps per user (pre-integrated SaaS and developer-integrated apps)
Self-service password change for cloud users: Yes | Yes | Yes
Connect (sync engine that extends on-premises directories to Azure Active Directory): Yes | Yes | Yes
Premium + basic features:
Group-based access management/provisioning, provisioning customization: Yes | Yes
Self-service password reset for cloud users: Yes | Yes | Yes
Company branding (logon pages/access panel customization): Yes | Yes | Yes
Application Proxy: Yes | Yes
SLA: Yes | Yes | Yes
Premium features:
Self-service group and app management, self-service application additions, dynamic groups: P1, P2
Self-service password reset/change/account unlock with on-premises write-back: P1, P2
Advanced usage reporting: P1, P2
Multi-factor authentication (cloud and on-premises (MFA server)): P1, P2 | Limited cloud only for Office 365 apps
MIM CAL + MIM server: P1, P2
Cloud app discovery: P1, P2
Automated password rollover: P1, P2
Connect Health: P1, P2
Conditional Access (User, Application, Location, Device rules): P1, P2
Identity Protection: P2
Privileged Identity Management: P2
Yes | Yes | Yes | Yes
MDM auto-enrolment, self-service BitLocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming: Yes
Cloud-powered protection
Manage access at scale
1000s of apps, 1 identity
Enable business without borders
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience
• Single sign-on
• Bring your own apps
• Secure remote access to on-premises apps
• Support for lift-and-shift to the cloud
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
• Ease of use for end users
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer facing applications
A comprehensive identity and access management cloud solution for your employees, partners, and customers. It combines directory services, advanced identity governance, application access management, and a rich standards-based platform for developers.
B2E, B2B, B2C
Azure Active Directory Connect
ADFS
Sync engine
1000s OF APPS, 1 IDENTITY
Azure Active Directory Connect
Consolidated deployment assistant for your identity bridge components.
All currently available sync engines will be replaced by the sync engine included in the Connect tool.
Assisted deployment of ADFS will be available through Azure Active Directory Connect.
ADFS is an optional component for authentication in hybrid implementation. Password sync can replace ADFS for more scenarios.
DirSync
Azure Active Directory Sync
FIM+Azure Active Directory Connector
ADFS
1000s OF APPS, 1 IDENTITY
1st option: Identity + Password (Hash) synchronization
Identity + Password Hash synchronization; Azure Active Directory authenticates user
User; Microsoft Azure Active Directory
1000s OF APPS, 1 IDENTITY
2nd option: Identity synchronization + ADFS
Identity synchronization; authentication passed to Windows Server Active Directory via ADFS
User; Microsoft Azure Active Directory
1000s OF APPS, 1 IDENTITY
New option: Identity synchronization + Pass-through authentication with Seamless SSO
Identity synchronization; authentication passed to Windows Server Active Directory via Pass-through authentication (Pass-through authentication agent)
User; Microsoft Azure Active Directory; Seamless SSO
1000s OF APPS, 1 IDENTITY
Seamless SSO is now enabled for the 1st option, too: Identity + Password (Hash) synchronization
Identity + Password Hash synchronization; Azure Active Directory authenticates user; Seamless SSO
1000s OF APPS, 1 IDENTITY
More options than ever!
• Identity Synchronization + ADFS
• Identity Synchronization + Pass-through Authentication + Seamless SSO
• Identity Synchronization + Password Hash Synchronization + Seamless SSO
User; Microsoft Azure Active Directory; Contoso Corpnet (Connector)
How it works
1. User sends user name and password to the Azure AD Security Token Service
2. Connector notified of request
3. Connector validates the credentials against AD
4. DC returns result
5. Connector returns result
6. Token returned to the user or further proofs (MFA) are initiated
Security Token Service; Microsoft Azure Active Directory; Contoso Corpnet
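A simulation of the six-step pass-through authentication exchange above, with the user, the cloud Security Token Service, a corpnet connector and a domain controller each as its own party. This is an added illustration, not Microsoft's code: the classes, the audit format and the sample accounts are constructed, and the DC stand-in keeps PBKDF2 hashes only so that the simulation runs offline.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    outcome: str                  # "token", "mfa_required" or "denied"
    token: Optional[str] = None
    reason: str = ""


class DomainController:
    """Stand-in for on-premises Windows Server AD (step 4). Holds salted
    PBKDF2 hashes of constructed sample accounts; this is not a real
    directory protocol, just enough to return a result code."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, bool]] = {}  # upn -> (salt, hash, locked)

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, upn: str, password: str, locked: bool = False) -> None:
        salt = os.urandom(16)
        self._users[upn] = (salt, self._derive(salt, password), locked)

    def validate(self, upn: str, password: str) -> str:
        """Returns a detailed result code, as a DC would, not just yes/no."""
        entry = self._users.get(upn)
        if entry is None:
            return "user_not_found"
        salt, digest, locked = entry
        if locked:
            return "account_locked"
        if hmac.compare_digest(digest, self._derive(salt, password)):
            return "success"
        return "bad_password"


class Connector:
    """Steps 2, 3 and 5: the agent on corpnet that is notified of a request,
    validates it against the DC and returns the DC's result."""

    def __init__(self, dc: DomainController) -> None:
        self.dc = dc

    def handle(self, request: dict[str, str]) -> str:
        return self.dc.validate(request["upn"], request["password"])


class SecurityTokenService:
    """Steps 1 and 6: the cloud STS receives the user name and password,
    hands the request to a connector, then issues a token or starts MFA."""

    def __init__(self, connectors: list[Connector], mfa_required_for: set[str]) -> None:
        self.connectors = connectors
        self.mfa_required_for = mfa_required_for
        self.audit: list[str] = []   # detailed outcomes stay server-side

    def sign_in(self, upn: str, password: str) -> AuthResult:
        # Step 1: user name and password arrive at the STS.
        if not self.connectors:
            self.audit.append(f"{upn}:no_connector")
            return AuthResult("denied", reason="no_connector_available")
        # Step 2: any registered connector may pick the request up; deploying
        # several gives redundancy, as the connector slide notes.
        connector = secrets.choice(self.connectors)
        # Steps 3-5: validate against AD, DC returns result, connector returns it.
        result = connector.handle({"upn": upn, "password": password})
        self.audit.append(f"{upn}:{result}")
        if result != "success":
            # The caller gets one generic failure so it cannot distinguish
            # unknown users from bad passwords or locked accounts.
            return AuthResult("denied", reason="invalid_credentials")
        # Step 6: a token, or further proofs (MFA) first.
        if upn in self.mfa_required_for:
            return AuthResult("mfa_required")
        return AuthResult("token", token=secrets.token_urlsafe(24))
```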
1000s OF APPS, 1 IDENTITY
How seamless SSO works with Pass-through authentication and Password hash synchronization
1. User enters their username
2. 401 response to get a Kerberos ticket
3. User requests a Kerberos ticket
4. AD returns Kerberos ticket
5. User sends ticket to Azure AD STS
6. Token returned to the user or further proofs (MFA) are initiated
Security Token Service; Microsoft Azure Active Directory; User; Corporate network
Microsoft Azure Active Directory
Connectors are deployed usually on corpnet next to resources
Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources
Users connect to the cloud service that routes their traffic to resources via the connectors
A connector that auto-connects to the cloud service
1000s OF APPS, 1 IDENTITY
DMZ: https://app1-contoso.msappproxy.net/ (Application Proxy) → http://app1
ENABLE BUSINESS WITHOUT BORDERS
“I need to let my partners access my company’s apps using their own credentials”
Share without complex configuration or duplicate users
• Partners use their own credentials to access your org
• Users lose access when leaving the partner org
• No external directories
• No per-partner federation
• Partners manage their own credentials
You manage access
• You control partner access in your directory: app assignment, group membership, custom attributes
Partners of all sizes
• Bulk invite 1000s at a time
• Partners with Azure Active Directory sign in to accept invite
• Other partners simply sign up to accept invite
CLOUD-POWERED PROTECTION
Built-in security features
Security reporting that tracks inconsistent access patterns, analytics, and alerts
Reporting API
Microsoft Azure Active Directory Cloud app discovery
Source: Help Net Security 2014
as many Cloud apps are in use than IT estimates
Discover all SaaS apps in use within your organization
Comprehensive reporting:
• SaaS app category
• Number of users
• Utilization volume
CLOUD-POWERED PROTECTION
Step up to Multi-Factor Authentication
A standalone Azure identity and access management service, also included in Azure Active Directory Premium
Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
Trusted by thousands of enterprises to authenticate employee, customer, and partner access
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted
On-premises apps (RADIUS, LDAP, IIS, RDS/VDI): Windows Server Active Directory or other LDAP; Multi-factor authentication server
Cloud apps: Microsoft Azure Active Directory; Multi-factor authentication server
MONITOR AND PROTECT
CLOUD-POWERED PROTECTION
Feature | MFA for Office 365/Azure Administrators | Azure Multi-Factor Authentication
Administrators can enable/enforce MFA to end users | Yes | Yes
Use mobile app (online and OTP) as second authentication factor | Yes | Yes
Use phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
Application passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Suspend MFA from known devices | Yes | Yes
Custom greetings during authentication phone calls | | Yes
Fraud alert | | Yes
MFA SDK | | Yes
Security reports | | Yes
MFA for on-premises applications/MFA server | | Yes
One-time bypass | | Yes
Block/Unblock users | | Yes
Customizable caller ID for authentication phone calls | | Yes
Event confirmation | | Yes
Trusted IPs | | Yes
DETECT ATTACKS BEFORE THEY CAUSE DAMAGE
1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from SIEM
2. Learn: ATA automatically learns all entities’ behaviors
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses and constructs an attack timeline
CLOUD-POWERED PROTECTION
Reduce risks of excessive access to your organization’s data
Dashboards with insights
Policy driven review workflows for governance decisions
Richer auditing to address compliance reporting needs
Decisions at the business level (self-service)
Microsoft’s IAM solution
Hybrid identity: Windows Server Active Directory vs. Microsoft Azure Active Directory
User identities from multiple repositories: HR system, LDAP, Oracle DB, Finance, Web apps
Connectors: LDAP v3, Windows PowerShell, Web services (SOAP, Java, REST), Generic SQL via ODBC
Apps in Azure; Third-party apps & clouds; Apps on-premises (via AAD App Proxy); Microsoft Cloud; Microsoft Identity Manager
Spans cloud and on-premises
Provides full spectrum of services
• Federation
• Identity management
• Device registration
• User provisioning
• Application access control
• Data protection
Modern identity management system
The combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today’s hybrid enterprise.
Microsoft Azure Active Directory
MANAGE EVERYTHING
Cloud-ready identities: Automatic preparation of Active Directory identities for synchronization with Azure Active Directory
Powerful user self-service: Password reset with Azure Multi-Factor Authentication; Dynamic groups with approvals and redesigned certificate management
Enhanced security: Hybrid reporting and privileged access management to protect administrator accounts; Support for new security protocols
MANAGE EVERYTHING
Cloud-ready identities
• Standardized Active Directory attributes and values
• Partitioned identities for synchronization to the cloud
• Easier-to-deploy reporting connected to Azure Active Directory
• Preparation of user profiles for Microsoft Office 365
Powerful user self-service
• Self-service password reset with Multi-Factor Authentication
• New REST-based APIs for AuthN/AuthZ
• Self-service account unlock
• Certificate management support for multi-forest and modern apps
Enhanced security
• Privileged user and account discovery
• New Windows PowerShell support and REST-based API
• Workflow management: elevated just-in-time administrator access
• Reporting and auditing specific to privileged access management
MANAGE EVERYTHING
ON-PREMISES: Managed: Microsoft System Center Configuration Manager. On-premises LOB applications, traditional productivity.
Unmanaged: iOS, Android, Windows Phone, BYOD. Mobile apps, shadow IT SaaS solutions.
HYBRID: Managed: Microsoft Intune connected to System Center Configuration Manager. On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation. Deployment of cloud-enabled rich clients. Managed cloud identities with Multi-Factor Authentication.
CLOUD: Managed by EMS: Combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10). Managed SaaS and Office 365 Enterprise, full Azure IAM.
Event - Mobility Event-Win 8.x/10
Microsoft Identity Manager 2016
MANAGE EVERYTHING
MIM; Azure AD App Proxy; Azure AD Connect; IAM; On-premises applications; Microsoft Azure Active Directory; Microsoft Azure
Self-service experiences: user enters username and password (“Forgot your password?”); User’s identity; IT; Cloud; On-premises applications
Microsoft Identity Manager 2016: Collapse directories; Map multiple identities; Transform usernames and other attributes
User; Existing apps; Existing FIM; Existing AD forests (WS 2003 or later)
Privileged access management
AD DS; Microsoft Identity Manager configured for PAM
Existing trust; Trust for admin access; Access requests
Group “Resource Admins” (Domain: CORP); Candidate: Jen; Time-based memberships
User “JenAdmin”: User: PRIV\JenAdmin; Groups: CORP\Resource Admins; Refresh after: 60 minutes
Deep dive: DirSync, Azure AD, and MIM Sync
DirSync, Azure Active Directory Sync, FIM Sync (+ Azure Active Directory Connector) → Azure Active Directory Connect
MIM Sync (+ Azure Active Directory Connector) → Azure Active Directory Connect
Connect and sync on-premises directories with Azure
Azure Active Directory Connect: Microsoft Azure Active Directory; Other directories (PowerShell, LDAP v3, SQL (ODBC), Web services (SOAP, Java, REST))
Feature | Azure Active Directory | Microsoft Identity Manager
Password reset/management | YES | YES
Group management | YES, not dynamic | YES
Provisioning, deprovisioning | NO | YES
Certificate management | NO | YES
Role-based access control | NO | YES
Deep dive: IAM in MIM vs. Azure Active Directory
Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is
part of the Enterprise Mobility Suite.
Microsoft Enterprise Mobility Suite is the most cost-effective way to acquire all included cloud
services: Azure Active Directory Premium, Azure Rights Management, and Intune.
Purchasing Microsoft Identity Manager 2016
Licensed on a per-user basis
Client Access License (CAL): Required for each user whose identity is managed
Windows Server license with active Software Assurance: Required to use the Microsoft Identity Manager 2016 server software as a Windows Server add-on