Level 300 Microsoft Advanced Threat Analytics...
Azure Active Directory editions (Free, Basic, Premium)

Features listed on the edition overview slide (per-edition availability for each feature is given in the detailed table that follows):
- Directory as a service: Free edition <500K objects; Basic edition no limit; Premium edition no limit
- User and group management using UI or Windows PowerShell cmdlets
- Device registration
- Access Panel portal for SSO-based user access to SaaS and custom applications: Free 10 apps/user; Basic 10 apps/user; Premium no app limit
- User-based application access management and provisioning
- Self-service password change for cloud users
- Azure AD Connect – for syncing between on-premises directories and Azure Active Directory
- Standard security reports
- High availability SLA uptime (99.9%)
- Group-based application access management and provisioning
- Customization of company logo and colours on the Sign In and Access Panel pages
- Self-service password reset for cloud users
- Application Proxy: secure remote access and SSO to on-premises web applications
- Advanced application usage reporting
- Self-service group management for cloud users
- Self-service password reset with on-premises write-back
- Microsoft Identity Manager (MIM) user licenses – for on-premises identity and access management
- Advanced anomaly security reports (machine learning-based)
- Cloud app discovery
- Multi-Factor Authentication service for cloud users
- Multi-Factor Authentication server for on-premises users
- Azure Active Directory Connect Health to monitor the health of on-premises Active Directory infrastructure and get usage analytics
Identity integration: synchronization vs. federation (diagram labels: Azure AD, AD FS, Active Directory Domain Services, DirSync, Google Apps, SalesForce.com)

Synchronization: user attributes are synchronized, including the password hash; authentication can be completed against either Azure AD or Windows Server Active Directory.
Federation: user attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
* Write-back of attributes to support cloud first and co-existence.

See Install the Azure AD Sync Service:
https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
https://msdn.microsoft.com/en-us/library/azure/dn783462.aspx
Source Anchor
| Features | Azure AD (Free) | Azure AD Basic | Azure AD Premium |
|---|---|---|---|
| Directory as a Service | Up to 500k objects | No object limit | No object limit |
| User and group management using UI or Windows PowerShell cmdlets | Yes | Yes | Yes |
| Access Panel portal for SSO-based user access to SaaS and custom applications | 10 applications per user | 10 applications per user | No limit |
| User-based application access management/provisioning | Yes | Yes | Yes |
| Self-service password change for cloud users | Yes | Yes | Yes |
| Directory synchronization tool – for syncing between on-premises Active Directory and Azure Active Directory | Yes | Yes | Yes |
| Standard security reports | Yes | Yes | Yes |
| High availability SLA uptime (99.9%) | | Yes | Yes |
| Group-based application access management and provisioning | | Yes | Yes |
| Company branding – customization of company logo and colors on the Sign In and Access Panel pages | | Yes | Yes |
| Self-service password reset for cloud users | | Yes | Yes |
| Application Proxy | | Yes | Yes |
| Self-service group management for cloud users | | Yes | Yes |
| Self-service password reset with on-premises write-back | | | Yes |
| Microsoft Identity Manager (MIM) server licenses – for syncing between on-premises databases and/or directories and Azure Active Directory | | | Yes |
| Advanced anomaly security reports (machine learning-based) | | | Yes |
| Advanced usage reporting | | | Yes |
| Multi-Factor Authentication service for cloud users | | | Yes |
| Multi-Factor Authentication server for on-premises users | | | Yes |
References:
AAD Editions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx
Office 365 + AAD: http://blogs.office.com/2015/02/17/sign-page-branding-cloud-user-self-service-password-reset-office-365/

Management interfaces
• Portal: manage.microsoft.com
• PowerShell
• Graph API
https://technet.microsoft.com/en-us/library/dn532270.aspx
Self Service Group Management (SSGM)
• SSGM also enables users to request membership in groups by clicking on the gear icon on the group and clicking join.
https://msdn.microsoft.com/en-us/library/azure/dn913807.aspx
Azure AD Application Integration
https://msdn.microsoft.com/library/azure/dn308588.aspx#bkmk_passwordsso
https://msdn.microsoft.com/en-us/library/azure/dn893637.aspx
https://msdn.microsoft.com/en-us/library/azure/dn308593.aspx
Access Panel: https://myapps.microsoft.com
Azure AD Premium Security Reports
Multi-Factor Authentication (MFA)
| Feature | MFA for Office 365 | Azure Multi-Factor Authentication |
|---|---|---|
| Administrators can enable/enforce MFA for end users | Yes | Yes |
| Use mobile app (online and OTP) as second authentication factor | Yes | Yes |
| Use phone call as second authentication factor | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes |
| Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes |
| Custom greetings during authentication phone calls | | Yes |
| Fraud alert | | Yes |
| MFA SDK | | Yes |
| Security reports | | Yes |
| MFA for on-premises applications / MFA Server | | Yes |
| One-time bypass | | Yes |
| Block/unblock users | | Yes |
| Customizable caller ID for authentication phone calls | | Yes |
| Event confirmation | | Yes |
What are you trying to secure?

| Resource | Cloud Multi-Factor Authentication | Multi-Factor Authentication Server |
|---|---|---|
| First party Microsoft apps | ● | ● |
| SaaS apps in the app gallery | ● | ● |
| IIS applications published through CWAP | ● | ● |
| IIS applications not published through CWAP | | ● |
| Remote access systems such as VPN, RDG | | ● |
| User location | Solution |
|---|---|
| Azure Active Directory | Cloud Multi-Factor Authentication |
| Azure AD and on-premises AD using federation with AD FS | Both Cloud Multi-Factor Authentication and Multi-Factor Authentication Server are available options |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect – no password sync | Both Cloud Multi-Factor Authentication and Multi-Factor Authentication Server are available options |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect – with password sync | Cloud Multi-Factor Authentication |
| On-premises Active Directory | Multi-Factor Authentication Server |
| Feature | Multi-Factor Authentication for Office 365 (included in Office 365 SKUs) | Multi-Factor Authentication for Azure Administrators (included with Azure subscription) | Azure Multi-Factor Authentication (included in Azure AD Premium and EMS) |
|---|---|---|---|
| Administrators can protect accounts with MFA | ● | ● (available only for Azure Administrator accounts) | ● |
| Mobile app as a second factor | ● | ● | ● |
| Phone call as second factor | ● | ● | ● |
| SMS as second factor | ● | ● | ● |
| App passwords for clients that don't support MFA | ● | ● | ● |
| Admin control over authentication methods | | | ● |
| PIN mode | | | ● |
| Fraud alert | | | ● |
| MFA reports | | | ● |
| One-time bypass | | | ● |
| Custom greetings for phone calls | | | ● |
| Customizable caller ID for phone calls | | | ● |
| Event confirmation | | | ● |
| Trusted IPs | | | ● |
| Suspend MFA for remembered devices (public preview) | ● | ● | ● |
| MFA SDK | | | ● |
| MFA for on-premises applications using MFA Server | | | ● |
MFA Versions – Cloud vs. Server feature comparison

| Feature | Cloud Multi-Factor Authentication | Multi-Factor Authentication Server |
|---|---|---|
| Mobile app notification as a second factor | ● | ● |
| Mobile app verification code as a second factor | ● | ● |
| Phone call as second factor | ● | ● |
| One-way SMS as second factor | ● | ● |
| Two-way SMS as second factor | | ● |
| Hardware tokens as second factor | | ● |
| App passwords for clients that don't support MFA | ● | |
| Admin control over authentication methods | | ● |
| PIN mode | | ● |
| Fraud alert | ● | ● |
| MFA reports | ● | ● |
| One-time bypass | ● | ● |
| Custom greetings for phone calls | ● | ● |
| Customizable caller ID for phone calls | ● | ● |
| Trusted IPs | ● | ● |
| Suspend MFA for remembered devices (public preview) | ● | |
| Conditional access | ● | ● |
| Cache | ● | ● |
Azure MFA integration models (diagram labels): three deployment diagrams are shown, each built from the components Web App, Azure MFA, Azure AD and AD FS:
- Azure AD-integrated MFA for federated identities (text message, one-way)
- AD FS-integrated Azure MFA (text message, two-way)
- Azure MFA Server
Self Service Password Reset (SSPR)
Setup: http://aka.ms/ssprsetup
Access Panel: http://myapps.microsoft.com
Azure AD Application Proxy
http://channel9.msdn.com/events/Ignite/2015/BRK3864
Remote access evolution (diagram labels): Forefront UAG/TMG; Web Application Proxy + AD FS; Azure Active Directory publishing on-premises applications.
- Remote Access as a Service: easily publish your on-premises applications to users outside the corporate network.
- Extend Azure AD to on-premises: use Azure AD as a central management point for all your apps.
Diagram (Corporate Network / DMZ / Azure Active Directory) with example URLs: internal http://sales, published https://sales-contoso.msappproxy.net, https://sales.contoso.com.
RMS

Side by side: AD RMS vs. Azure RMS (diagram labels)
- AD RMS (on-premises): AD, Azure AD, AD RMS; Exchange, SharePoint, Windows Server FCI; Office 2007, Office 2010, Office 2013; new mobile REST endpoints
- Azure RMS: Azure AD, Azure RMS; Office 2007, Office 2010, Office 2013; EXO, SPO; operating in 3 geos (NA, EU, AP); Azure KMS; Exchange, SharePoint, Windows Server FCI; KMSP (HSM)
Microsoft Intune device lifecycle

Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator, DEP or service account
• Restrict access to Exchange email or SharePoint if a device is not enrolled

Provision
• Deploy device security policy settings
• Deploy certificates, email, VPN, and WiFi profiles
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies

Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
• Report on device and app compliance

Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Intune deployment options (diagram labels: User, IT; mobile devices and PCs; System Center Configuration Manager; domain-joined PCs)
- Intune standalone (cloud only): IT administers from the Intune web console; manages mobile devices and PCs (Windows Phone, iOS, Android).
- Configuration Manager integrated with Intune (hybrid): IT administers from the Configuration Manager console; System Center Configuration Manager manages Windows PC & Server, Mac and Linux, with mobile devices managed through Intune.

Intune standalone (cloud only) – Intune web console
Manage and Protect
• No existing infrastructure necessary
• No existing Configuration Manager deployment required
• Simplified policy control
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date
Devices supported
• Windows PCs (x86/64, Intel SoC)
• Windows RT
• Windows Phone 8.x
• iOS
• Android

System Center 2012 R2 Configuration Manager SP1 with Microsoft Intune (hybrid) – Configuration Manager console
• Build on existing Configuration Manager deployment
• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
• Deep policy control requirements
• Large scale
• Extensible administration tools (RBA, PowerShell, SQL Reporting Services)
Devices supported
• Windows PCs (x86/64, Intel SoC)
• Windows To Go
• Windows Server
• Linux/UNIX server
• Mac OS X
• Windows RT
• Windows Phone
• iOS
• Android
Intune deployment planning
Questions
• Trial or existing Intune tenant?
• Existing Office 365 tenant?
• Azure AD only, or on-premises AD synchronization with Azure AD?
• Deployment option (standalone or hybrid)?
Components
• Certificates and keys to enable device platform management
• Azure AD Directory Synchronization Tool (optional)
• Exchange Connector (optional)
• SCEP infrastructure (optional)
Notes
• Microsoft Intune supports iOS 7.1+, Android 4.0+, Windows 8.1, Windows Phone 8+, and Windows 10.
• Apple ID required for the APNs certificate.
• If sideloading apps on Windows 8.1 and Windows Phone 8.1, code signing certificates and sideloading keys are required.
• The number of devices a user can enroll can be limited (default is 5).
• Users enroll a device via the Intune Company Portal app.
Intune architecture (diagram labels, columns Identity Management / Exchange / SCEP):
- Internet: Intune, O365, Azure AD; mobile device
- External Firewall
- DMZ: Reverse Proxy; ADFS Proxy
- Internal Firewall
- Internal Network: AD/ADFS with Azure AD Connect (optional); Exchange 2010/2013 with Exchange Connector (on-prem Exchange only); CA with NDES/NDES Connector (cert enrollment only)
Settings Management
• Comprehensive security policies are enforced on each platform
• Reporting is available on each setting, showing whether it is applicable, conformant or has an error
• Extensive configuration settings are available for each platform
• Policies can be applied to user and device groups
• Complete list of settings (diagram labels: User; OMA-URI Settings; Configurator Profile)