Level 300 Microsoft Advanced Threat Analytics...

Ondřej Výšek Sales Lead, Microsoft MVP [email protected]

Transcript of Level 300 Microsoft Advanced Threat Analytics...

Page 1: Level 300 Microsoft Advanced Threat Analytics Deckaz370354.vo.msecnd.net/videos/EMS-Tech-Overview... · Application Proxy Yes Yes Self-service group management for cloud users Yes


Azure Active Directory


Features Free edition Basic edition Premium edition

Directory as a service <500K objects No limit No limit

User and group management using UI or Windows PowerShell cmdlets

Device registration

Access Panel portal for SSO-based user access to SaaS and custom applications 10 apps / user 10 apps / user No app limit

User-based application access management and provisioning

Self-service password change for cloud users

Azure AD Connect – For syncing between on-premises directories and Azure Active Directory

Standard security reports

High availability SLA uptime (99.9%)

Group-based application access management and provisioning

Customization of company logo and colours to the Sign In and Access Panel pages

Self-service password reset for cloud users

Application Proxy: Secure Remote Access and SSO to on-premises web applications

Advanced application usage reporting

Self-service group management for cloud users

Self-service password reset with on-premises write-back

Microsoft Identity Manager (MIM) user licenses – For on-premises identity and access mgmt

Advanced anomaly security reports (machine learning-based)

Cloud app discovery

Multi-Factor Authentication service for cloud users

Multi-Factor Authentication server for on-premises users

Azure Active Directory Connect Health to monitor the health of on-premises Active Directory infrastructure, and get usage analytics.


Azure AD

AD FS

Active Directory Domain Services

DirSync

Google Apps SalesForce.com


User attributes are synchronized, including the password hash. Authentication can be completed against either Azure or Windows Server Active Directory.

User attributes are synchronized. Authentication is passed back through federation and completed against Windows Server Active Directory.

Synchronization

Federation

AD FS provides conditional access to resources, Work Place Join for device registration and integrated Multi-Factor Authentication

*Write back of attributes to support cloud first and co-existence


See Install the Azure AD Sync Service

https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx


https://msdn.microsoft.com/en-us/library/azure/dn783462.aspx


Source Anchor


Features Azure AD (Free) Azure AD Basic Azure AD Premium

Directory as a Service Up to 500k objects No object limit No object limit

User and group management using UI or Windows PowerShell cmdlets Yes Yes Yes

Access Panel portal for SSO-based user access to SaaS and custom applications 10 applications per user 10 applications per user No limit

User-based application access management/provisioning Yes Yes Yes

Self-service password change for cloud users Yes Yes Yes

Directory synchronization tool – For syncing between on-premises Active Directory and Azure Active Directory Yes Yes Yes

Standard security reports Yes Yes Yes

High availability SLA uptime (99.9%) Yes Yes

Group-based application access management and provisioning Yes Yes

Company branding - customization of company logo and colors to the Sign In and Access Panel pages Yes Yes

Self-service password reset for cloud users Yes Yes


Features Azure AD (Free) Azure AD Basic Azure AD Premium

Application Proxy Yes Yes

Self-service group management for cloud users Yes Yes

Self-service password reset with on-premises write-back Yes

Microsoft Identity Manager (MIM) server licenses – For syncing between on-premises databases and/or directories and Azure Active Directory Yes

Advanced anomaly security reports (machine learning-based) Yes

Advanced usage reporting Yes

Multi-Factor Authentication service for cloud users Yes

Multi-Factor Authentication server for on-premises users Yes

AAD Editions https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Office365+AAD http://blogs.office.com/2015/02/17/sign-page-branding-cloud-user-self-service-password-reset-office-365/


Portal: manage.microsoft.com

• PowerShell

• Graph API


https://technet.microsoft.com/en-us/library/dn532270.aspx


https://technet.microsoft.com/en-us/library/dn532270.aspx

Desktop


Self Service Group Management (SSGM)


• SSGM also enables users to request membership in groups by clicking on the gear icon on the group and clicking join.


https://msdn.microsoft.com/en-us/library/azure/dn913807.aspx


Azure AD Application Integration


https://msdn.microsoft.com/library/azure/dn308588.aspx#bkmk_passwordsso


https://msdn.microsoft.com/en-us/library/azure/dn893637.aspx

https://msdn.microsoft.com/en-us/library/azure/dn308593.aspx


https://myapps.microsoft.com

contoso.com


Azure AD Premium Security Reports


Multi-Factor Authentication (MFA)


MFA for Office 365 Azure Multi-Factor Authentication

Administrators can Enable/Enforce MFA to end-users Yes Yes

Use Mobile app (online and OTP) as second authentication factor Yes Yes

Use Phone call as second authentication factor Yes Yes

Use SMS as second authentication factor Yes Yes

Application passwords for non-browser clients (e.g. Outlook, Lync) Yes Yes

Default Microsoft greetings during authentication phone calls Yes Yes

Custom greetings during authentication phone calls Yes

Fraud alert Yes

MFA SDK Yes

Security Reports Yes

MFA for on-premises applications/ MFA Server. Yes

One-Time Bypass Yes

Block/Unblock Users Yes

Customizable caller ID for authentication phone calls Yes

Event Confirmation Yes


What are you trying to secure? Cloud Multi-Factor Authentication Multi-Factor Authentication Server

First party Microsoft apps ● ●

SaaS apps in the app gallery ● ●

IIS applications published through CWAP ● ●

IIS applications not published through CWAP

Remote access systems such as VPN, RDG


User Location: Solution

Azure Active Directory: Cloud Multi-Factor Authentication

Azure AD and on-premises AD using federation with AD FS: Both Cloud Multi-Factor Authentication and Multi-Factor Authentication are available options

Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect – no password sync: Both Cloud Multi-Factor Authentication and Multi-Factor Authentication are available options

Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect – with password sync: Cloud Multi-Factor Authentication

On-premises Active Directory: Multi-Factor Authentication Server


Multi-Factor Authentication for Office 365 (Included in Office 365 SKUs)

Multi-Factor Authentication for Azure Administrators (Included with Azure Subscription)

Azure Multi-Factor Authentication (Included in Azure AD Premium and EMS)

Administrators can protect accounts with MFA ● ● (Available only for Azure Administrator accounts)

Mobile app as a second factor ● ● ●

Phone call as second factor ● ● ●

SMS as second factor ● ● ●

App passwords for clients that don’t support MFA ● ● ●

Admin control over authentication methods ●

PIN mode ●

Fraud alert ●

MFA Reports ●

One-Time Bypass ●

Custom greetings for phone calls ●

Customizable caller ID for phone calls ●

Event Confirmation ●

Trusted IPs ●

Suspend MFA for remembered devices (Public Preview) ● ● ●

MFA SDK ●

MFA for on-premises applications using MFA Server

MFA Versions – Feature Comparison


Cloud Multi-Factor Authentication Multi-Factor Authentication Server

Mobile app notification as a second factor ● ●

Mobile app verification code as a second factor ● ●

Phone call as second factor ● ●

One-way SMS as second factor ● ●

Two-way SMS as second factor ●

Hardware Tokens as second factor ●

App passwords for clients that don’t support MFA ●

Admin control over authentication methods ●

PIN mode ●

Fraud alert ● ●

MFA Reports ● ●

One-Time Bypass ● ●

Custom greetings for phone calls ● ●

Customizable caller ID for phone calls ● ●

Trusted IPs ● ●

Suspend MFA for remembered devices (Public Preview) ●

Conditional access ● ●

Cache ● ●

MFA Versions – Cloud vs. Server feature comparison


Azure AD-Integrated MFA for Federated Identities

Text Message [One-way]

Web App, Azure MFA, Azure AD, AD FS


AD FS-Integrated Azure MFA

Text Message [Two-way]

Azure MFA Server

Web App, Azure MFA, Azure AD, AD FS


Self Service Password Reset (SSPR)


http://aka.ms/ssprsetup

http://myapps.microsoft.com


http://aka.ms/ssprsetup


Azure AD Application Proxy


http://channel9.msdn.com/events/Ignite/2015/BRK3864


Forefront UAG/TMG

Web Application Proxy + AD FS


Azure Active Directory

On-Premises Applications

Remote Access as a Service: Easily publish your on-prem applications to users outside the corporate network

Extend Azure AD to on-prem: Utilize Azure AD as a central management point for all your apps


Azure Active Directory

Corporate Network

DMZ

https://sales-contoso.msappproxy.net

http://sales

https://sales.contoso.com


RMS


Side by side: AD RMS vs. Azure RMS

Azure

AD

AD

AD RMS

Exchange

SharePoint

Windows

Server FCI

Office 2007

Office 2010

Office 2013

New mobile

REST endpoints

Azure

RMS

Azure

AD

Office 2007

Office 2010

Office 2013

EXO

SPO

Operating in 3-Geos

NA, EU, AP

Azure

KMS

Exchange

SharePoint

Windows

Server FCI

KMSP

(HSM)


Microsoft Intune


Enroll

• Provide a self-service Company Portal for users to enroll devices

• Deliver custom terms and conditions at enrollment

• Bulk enroll devices using Apple Configurator, DEP or service account

• Restrict access to Exchange email or SharePoint if a device is not enrolled

Retire

• Revoke access to corporate resources

• Perform selective wipe

• Audit lost and stolen devices

Provision

• Deploy device security policy settings

• Deploy certificates, email, VPN, and WiFi profiles

• Install mandatory apps

• Deploy app restriction policies

• Deploy data protection policies

Manage and Protect

• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)

• Protect corporate data by restricting actions such as copy/cut/paste/save outside of managed app ecosystem

• Report on device and app compliance

User IT


Mobile devices and PCs Mobile devices

System Center Configuration Manager

Domain joined PCs

Configuration Manager integrated with Intune (hybrid)

Intune standalone (cloud only)

IT IT

Intune web console Configuration Manager console


Manage and Protect

• No existing infrastructure necessary

• No existing Configuration Manager deployment required

• Simplified policy control

• Simple web-based administration console

• Faster cadence of updates

• Always up-to-date

Devices Supported

• Windows PCs (x86/64, Intel SoC)

• Windows RT

• Windows Phone 8.x

• iOS

• Android

Mobile devices and PCs

Intune standalone (cloud only)

IT

Intune web console


System Center 2012 R2 Configuration Manager SP1 with Microsoft Intune

• Build on existing Configuration Manager deployment

• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)

• Deep policy control requirements

• Large scale

• Extensible administration tools (RBA, PowerShell, SQL reporting services)

Devices Supported

• Windows PCs (x86/64, Intel SoC)

• Windows to Go

• Windows Server

• Linux/UNIX server

• Mac OS X

• Windows RT

• Windows Phone

• iOS

• Android

Windows Phone, iOS, Android

System Center Configuration Manager

Windows PC & Server, Mac, Linux

IT

Configuration Manager console


• Trial or existing Intune tenant?

• Existing Office 365 tenant?

• Azure AD only or on-premises AD Synchronization with Azure AD?

• Deployment option (Standalone or Hybrid)?


• Certificates and Keys to enable device platform management

• Azure AD Directory Synchronization Tool (Optional)

• Exchange Connector (Optional)

• SCEP Infrastructure (Optional)


• Microsoft Intune supports iOS 7.1+, Android 4.0+, Windows 8.1 and Windows Phone 8+, and Windows 10.

• Apple ID required for APNs certificate.

• If sideloading apps on Windows 8.1 and Windows Phone 8.1, code signing certificates and sideloading keys are required.

• Can limit the number of devices a user can enroll (default is 5).

• User enrolls a device via the Intune Company Portal App.


CA

Mobile Device

External Firewall

Internal Firewall

Intune,

O365, Azure AD

Internet

Reverse Proxy

AD/ADFS

Azure AD Connect (Optional)

Exchange 2010/2013

ADFS Proxy

Exchange Connector( -

DMZ

Identity Management Exchange SCEP

Internal Network

(On-Prem Exchange only)

NDES/NDES Connector (Cert Enrollment Only)


Settings Management

Comprehensive security policies are enforced on each platform

Reporting available on each setting whether it is applicable, conformant or has an error

Extensive configuration settings are available for each platform

Policies can be applied to user and device groups

User
