Azure AD IAM for Hybrid Enterprises -EBC Final May

Transcript of Azure AD IAM for Hybrid Enterprises -EBC Final May

  • 8/10/2019 Azure AD IAM for Hybrid Enterprises -EBC Final May

    MICROSOFT CONFIDENTIAL

    Keith Brintzenhofe, Group Program Manager, Azure AD Identity & Access Management

    Azure Active Directory for the Hybrid Enterprise

    Windows Azure

    Agenda

    Azure AD and the Hybrid Enterprise

    Azure AD Identity & Access Management Scenari

    Azure AD Premium

    Q&A

    Azure Active Directory: The Vision

    A modern, cloud based identity management service providing federation, directory services, device registration, user provisioning, application access control & data protection.

    A natural extension to on premises directories, the combination of Windows Server AD and Windows Azure AD lets you secure today's hybrid enterprise.

    On-premises and cloud Active Directory managed as one

    Consistent identities for on-premises and cloud applications

    Easy end user experience with single sign on and self-service features

    Azure Active Directory and the Hybrid Enterprise

    Azure Active Directory

    On-premises and private cloud

    Other apps

    Other Directories

    Self-Service

    Identity Management

    Windows Server Active Directory

    Sync

    HR

    Active Directory Federation Services

    Other Directories

    Devices

    Windows Azure

    Azure AD Identity and Access Management Scena

    Simplify access and control of SaaS applications

    Reduce IT burden with self-service IAM

    Improve security posture with cloud services

    Easily meet reporting requirements

    Rapidly develop and deploy new enterprise capabi

    Azure AD directory management

    Manage users in your cloud directory

    Management portal

    PowerShell

    Programmatic Graph API

    Assign familiar user names in domains your organization already uses

    Self-service verification of your domains

    Integrate with existing directories

    Sync users into your cloud directory from a Windows Server AD, LDAP, or other existing directory

    Users can access their cloud resources with their Windows Server AD username and password

    Cloud App Discovery

    Fortune 500 company with 60,000+ international employees

    Worried about corporate data leakage

    Departments are adopting multiple subscriptions to SaaS apps without IT involvement

    Need inventory of applications to begin gaining control and to enable SSO

    Features used

    Endpoint agent for application discovery with ability to distribute using SCCM

    Interactive dashboard:

    View total number of SaaS apps in use

    View number of users using SaaS apps

    View top SaaS apps with categories in use

    See usage graphs for SaaS apps that can be pivoted on users, web requests or volume of data exchanged with the application

    Drill down into specific applications for targeted information

    Easily integrate an application with Azure Active Directory

    Discover all SaaS apps in use within your orga

    Simplify access and control of SaaS applications

    SaaS App Management

    Professional services company, 4500 employees

    Interested in Office 365, Workday, Salesforce, Yammer and other SaaS applications

    Needs centralized management of employee access to SaaS applications

    Features used

    Windows Azure AD single sign on (SSO) for SaaS applications

    Automated user provisioning and de-provisioning to SaaS applications

    Access Panel at myapps.microsoft.com

    Company-branded sign-in and app access experience

    SaaS App User Provisioning

    Fortune 500 company with 100,000+ international employees

    Needed automated user provisioning and deprovisioning to SaaS apps including ServiceNow

    ServiceNow also requires group objects

    Features used

    Synchronize across on-premises data sources and into Windows Azure AD

    Windows Azure AD provides user and group provisioning to ServiceNow and other SaaS apps

    Simplify access and control of SaaS applications

    Simplify access and control of SaaS applications

    Windows Azure AD Connector

    Fortune 500 company with 100,000+ international employees

    Multiple data sources on-premises

    Need to provision users and groups to Windows Azure AD for control of SaaS

    Features used

    Synchronize on-premises data sources to Windows Azure AD

    Group-based application assignment in WAAD

    Incorporate users from HR sources such as SAP, PeopleSoft and Oracle

    Understand the ROI on SaaS applications

    Usage and Business reporting

    Large multi-national enterprise

    Seeking to evaluate application usage and access patterns

    Features used

    Application dashboard

    Cross company application usage

    Detailed usage for specific apps

    Self-service identity and access management

    Self-Service Password Reset for Users

    University with 20k current students

    Existing on-premises password reset solution in place does not cover alumni and is difficult to manage

    Features used

    Reset of on-premises passwords from the cloud (pwd. writeback to WSAD)

    Phone and email verification methods

    End-user registration of contact methods

    Customization of helpdesk URL and branding of Password Reset Portal with university's logo

    Custom Branding

    Financial services firm with 200+ offices

    Needs consistent look-and-feel across authentication experiences

    Already using Office 365 and Active Directory

    Features used

    Sign-in page branded with company logo and illustration

    Customized help text on sign-in page

    Access Panel for end-users customized with company logo

    Self-service identity and access management

    Self-service identity and access management

    Self-Service Group Management

    Large multi-national enterprise

    Enable distributed group creation and management

    Delegated group management

    End users can create groups, assign users

    Owner can delegate ownership

    Self-service group management

    Users can search for groups and request to join

    Owner approves requests

    Groups can be set to auto-approve

    Multi-Factor Authentication

    Local government agency

    Protect access to sensitive applications

    Avoid end user lock out using multiple MFA methods: (Phone App, Call or SMS Mobile, Office, or alternate phone)

    Features used

    Targeted MFA for sensitive accounts

    Customization of MFA greetings, fraud alerts, one time bypass capabilities

    End-user self-service enrollment

    Audit reports for MFA activity

    Whitelisting IP Addresses to bypass MFA from Corpnet

    Remember this device feature to require MFA only from un-trusted devices

    Improve security posture with cloud services

    Security and Usage Reporting

    Large multi-national enterprise

    Frequent target of attempts to gain unauthorized access to employee accounts

    Features used

    Anomaly detection:

    credential sharing

    credential misuse/loss

    brute force attacks

    access from behind anonymizers

    Machine learning

    Detection of attacks spanning organizations

    Investigate sign in activity and devices

    Admin Notifications

    Download data for offline analysis

    Improve security posture with cloud services

    Rapidly develop and deploy new enterprise capab

    Write custom LOB applications that integrate with Windows Azure AD

    Website applications, web APIs, and native client applications

    Users sign in to AD-integrated applications with their cloud identities

    Single sign-on with Office 365 and other services that use Windows Azure AD

    AD-integrated applications can access Office 365 and other web APIs

    Write powerful applications that access email, calendar, contacts, files, etc. in Office 365 and other applications

    Applications can extend Windows Azure AD schema

    Read & write attributes which are useful to other applications in the organization

    Cross-platform support

    Web applications and web APIs can run on Windows Azure or other infrastructure

    Native client applications can run on iOS, Android, and Windows

    Open Standards

    SAML, OAuth 2.0, OpenID Connect, OData 3.0

    Azure Active Directory features comparison

    AAD Free AAD Premium Mu

    Directory as a Service Yes - up to 500K Objects Yes - No Limit

    User/Group Management Yes Yes

    SSO to pre-integrated SAAS Applications /Custom Apps Yes Yes

    Directory Synchronization Tool (WSAD Extension) Yes Yes

    User-Based access management/provisioning Yes Yes

    Group-based access management/provisioning Yes

    Self-Service Group Management for cloud users Yes

    Self-Service Change Password for cloud users Yes Yes

    Self-Service Reset Password for cloud users Yes

    Security Reports Yes Yes

    Advanced Security Reporting (machine learning-based) Yes

    Usage Reporting Yes

    Custom Branding (Logon/Access Panel customization) Yes

    MFA (All available features on Windows Azure and on premises) Yes

    SLA Yes

    FIM CAL + FIM Server Yes

    Discussion and Next Steps

    Learn More about Azure Active Directory: http://azure.microsoft.com/en-us/solutions/identity/

    Get started with Cloud App Discovery at https://appdiscovery.azure.com/

    Give us feedback via the forums at http://aka.ms/aadforum

    My contact info [email protected]
