How AD has been reengineered to extend to the Cloud
Philippe Beraud, @philberd
Architect | Office of CTO | Microsoft France
A Brief History

Over the years, three main models have emerged and coexist:

1. Identity model of the "firewall age"
• Concept of security and administrative domains/realms
• Collection of resources tightly integrated under a single, closed administration
• Age of the organization's directory services and NOS, but also the beginning of metadirectories and other virtual directories to manage multiple identity silos

2. Identity model of the Internet age
• Suppliers, customers and partners considered as a different category of objects, BUT still in the same "administrative domain"
• These objects declared in various repositories, with the need for a unified management
A Brief History (cont'd)

3. First generation of the identity ecosystem model
• Concept of the so-called extended enterprise: collaboration with suppliers and partners as well as interaction with customers
• Age of Web SSO and identity federation: a HUGE step forward, BUT ALSO a lot of complexity and burden
About Windows Server Active Directory (AD)

Windows Server Active Directory (AD) illustrates the products and technologies that sustain these three models:
• AD is an on-premises LDAP v3 (RFC 4510 compliant) directory service
  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
• With complementary services
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Rights Management Services (AD RMS)
  • Forefront Identity Manager (FIM)
Towards a New Identity Model

Identity (and Access) Management as a Service (IdMaaS)
• Commodities accessible to EVERYONE
• "Organization-owned" identity provider for applications wherever they run, whatever they are, on any platform, on any device
• Central "hub" to provision/de-provision/manage users and their common devices
• Consolidation with the on-premises environment, the SaaS/multi-tenant applications, etc.
• Seamless federation and synchronization with on-premises directory services
• Multi-factor authentication
• Replace today's complexity at the application level by an IdMaaS feature
• Combine the most advanced capabilities with externalized operations to reduce risk, effort and cost
• Control or even reduce costs by taking full advantage of the efficiency of the Cloud and automation
Projecting Identities in the Cloud with Windows Azure Active Directory
Windows Azure Active Directory (AAD)

AAD is NOT on-premises Windows Server AD in the Cloud.

AAD is an enterprise-class IdMaaS cloud-based solution
• AAD offers a large set of features at NO cost

AAD is the directory service for Microsoft's online services
• Office 365, Dynamics CRM Online, Windows Intune, and now the Windows Azure Portal

Microsoft Account (Live ID) is yet ANOTHER identity infrastructure.
AAD Design Principles

Such a Cloud-based service requires specific capabilities
• Optimization of availability, consistent performance, scalability, geo-redundancy, etc., but NOT only

AAD is a multi-tenant environment
• "Organization-owned" tenant: the customer organization owns the data of its directory, NOT Microsoft

AAD relies on a schema
• For the semi-structured information on entities and their relationships
• AAD does not allow custom schema
• AAD will however provide attribute extensions, links to (external) resources, etc., as per Windows Azure Graph Store capabilities (Preview)
AAD Design Principles (cont'd)

AAD aims at maximizing the reach in terms of platforms and devices
• AAD uses HTTP/web/REST-based modern protocols for identity and access management

AAD provides a RESTful interface for CRUD operations
• The Directory Graph API provides programmatic access to typed directory objects and their relationships
• POST, GET, PATCH and DELETE are used to create, read, update and delete
• Responses support JSON and XML, with standard HTTP status codes
• Compatible with OASIS OData
• The Directory Graph API supports OAuth 2.0 for authentication, role-based assignment for apps, and user authorization
• Operations are scoped to an individual tenant context
Demo 1: Graph Explorer, browser-based query tool
http://graphexplorer.cloudapp.net
AAD Design Principles (cont'd)

AAD is not AD or LDAP in the cloud, BUT there are four aspects of LDAP to compare against:
• LDAP: network communications protocol (389/636)
  • AAD supports a RESTful Directory Graph API over HTTP/S (and PowerShell), with OAuth 2.0, instead of LDAP or Kerberos
    http://msdn.microsoft.com/en-us/library/windowsazure/hh974476.aspx
• LDAP: object data model with inheritance
  • AAD supports the Graph Entity Data Model with inheritance
    http://msdn.microsoft.com/en-us/library/ee382825.aspx
• LDAP: hierarchical layout (namespace), i.e. ou=
  • AAD is a flat namespace that includes groups and abstract containers, in a multi-tenant environment
    http://msdn.microsoft.com/en-us/library/ee382835(v=vs.110).aspx
• LDAP: distribution model, aka replication
  • AAD is a managed service with geo-redundancy
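The two slides above describe the Directory Graph API only in terms of its building blocks (REST over HTTPS, OAuth 2.0, OData, tenant scoping). The following is an added example, written for this page and not code from the presentation or from Microsoft's SDKs, that shows what those pieces look like together: an OAuth 2.0 client-credentials token request, a tenant-scoped collection URL with a server-side `$filter`, and OData paging through `odata.nextLink`. The token endpoint, the Graph root and the `api-version` value are assumptions for the illustration, the HTTP transport is injectable so the example runs offline against constructed responses, and the relative-`nextLink` handling is an assumption as well.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed values for this illustration (AAD v1 token endpoint, legacy Directory
# Graph root, an api-version); adjust for your tenant and service.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_ROOT = "https://graph.windows.net"
API_VERSION = "1.6"


class GraphClient:
    """Tenant-scoped Directory Graph client (illustration, not Microsoft's SDK).

    transport(request) -> (status, body) is injectable so the example can run
    offline against constructed responses; the default uses urllib.
    """

    def __init__(self, tenant, client_id, client_secret, transport=None):
        self.tenant = tenant
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport or self._urllib_transport
        self.token = None

    @staticmethod
    def _urllib_transport(req):
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry an odata.error body
            return err.code, err.read()

    def authenticate(self):
        """OAuth 2.0 client-credentials grant: the app authenticates as itself, to one tenant."""
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "resource": GRAPH_ROOT,  # audience of the token: the Graph service
        }).encode()
        req = urllib.request.Request(TOKEN_URL.format(tenant=self.tenant), data=body, method="POST")
        status, payload = self.transport(req)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        self.token = json.loads(payload)["access_token"]

    def graph_url(self, path, **params):
        """Every URL carries the tenant segment: operations are scoped to that tenant."""
        params.setdefault("api-version", API_VERSION)
        return f"{GRAPH_ROOT}/{self.tenant}/{path}?{urllib.parse.urlencode(params)}"

    def get_all(self, path, **params):
        """GET a collection and follow odata.nextLink until exhausted (OData paging)."""
        url, items = self.graph_url(path, **params), []
        while url:
            req = urllib.request.Request(url, headers={
                "Authorization": f"Bearer {self.token}", "Accept": "application/json"})
            status, payload = self.transport(req)
            if status == 401:
                raise PermissionError("token missing, expired or issued for another tenant/resource")
            if status != 200:
                raise RuntimeError(f"HTTP {status} for {url}")
            page = json.loads(payload)
            items.extend(page.get("value", []))
            url = self._next_url(page.get("odata.nextLink"))
        return items

    def _next_url(self, link):
        if not link:
            return None
        if link.startswith("https://"):
            return link
        # Assumption: a relative nextLink is relative to the tenant root and lacks api-version.
        sep = "&" if "?" in link else "?"
        return f"{GRAPH_ROOT}/{self.tenant}/{link}{sep}api-version={API_VERSION}"


def _constructed_transport(req):
    """Constructed responses: token endpoint, then two Graph pages. Not real service data."""
    url = req.full_url
    if url.startswith("https://login.microsoftonline.com/"):
        return 200, json.dumps({"token_type": "Bearer", "access_token": "constructed-token"}).encode()
    if req.get_header("Authorization") != "Bearer constructed-token":
        return 401, b'{"odata.error":{"code":"Authentication_MissingOrMalformed"}}'
    if "skiptoken" in url:
        return 200, json.dumps({"value": [{"userPrincipalName": "carol@contoso.onmicrosoft.com"}]}).encode()
    return 200, json.dumps({
        "odata.nextLink": "users?$skiptoken=X'0001'",
        "value": [{"userPrincipalName": "alice@contoso.onmicrosoft.com"},
                  {"userPrincipalName": "bob@contoso.onmicrosoft.com"}],
    }).encode()


def list_enabled_users():
    """Authenticate, then page through /users filtered server-side; returns the UPNs."""
    client = GraphClient("contoso.onmicrosoft.com", "app-id", "app-secret", _constructed_transport)
    client.authenticate()
    users = client.get_all("users", **{"$filter": "accountEnabled eq true"})
    return [u["userPrincipalName"] for u in users]


if __name__ == "__main__":
    print(list_enabled_users())
```

Two points a practitioner should take from it: the tenant name is part of every URL, so a token issued for one tenant cannot be replayed against another, and a 401 must be treated as a signal (expired token, wrong `resource`, wrong tenant) rather than retried blindly.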
AAD Key Scenarios

• Many applications, one identity repository
• Manage access to cloud applications (SaaS apps)
• Monitor and protect access to enterprise applications
• Personalized access to my applications
Many applications, one identity repository

• Connect and sync Windows Server Active Directory (or other (LDAP) identity infrastructure) with an AAD tenant
• Pre-integrated popular SaaS apps
• Easily add custom cloud-based apps
• Facilitate developers with identity management
• Identities and applications in one place

[Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure), SaaS apps, LOB & custom apps and consumer identity providers, all connected to the AAD tenant]
Demo 2: One identity repository for the best UX
Deliver a seamless user authentication experience

Cloud authentication
• Directory synchronization with password hash sync from Windows Server Active Directory (or other (LDAP) identity infrastructure): user attributes are synchronized, including the password hash, and authentication is completed against AAD
• Multi-Factor Authentication can be configured through Windows Azure

Federated authentication
• Directory synchronization plus an on-premises identity provider: user attributes are synchronized, authentication is passed back through federation and completed against the on-premises identity federation infrastructure
• Multi-Factor Authentication can be configured through the integration with Windows Azure or thanks to other capabilities
Synchronize the identities with LDAP-based directories

The FIM 2010 R2 synchronization engine can be leveraged
• AAD Connector, available on Microsoft Connect
  https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• Generic LDAP v3 (RFC 4510 compliant) Connector, Beta available on Microsoft Connect
  • Certain operations, such as delta import, are not specified in the IETF RFCs. Delta import and password operations are supported for OpenLDAP and Novell NDS
  • LDAP referrals between servers (RFC 4511, section 4.1.10) are not supported
  https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• OpenLDAP Extensible Management Agent (XMA), available on SourceForge
  http://openldap-xma.sourceforge.net/
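The caveat above, that delta import is outside the LDAP RFCs, is worth understanding before relying on it: the protocol defines search and modify operations, not a change log, so every "delta" is connector logic built on vendor-specific features or on comparing full imports. The following added example (written for this page; not the FIM connector's code) shows the vendor-neutral fallback: two full imports are keyed on a stable anchor attribute and diffed into adds, modifies, renames and deletes, while referral entries (which the connector does not follow) are reported rather than silently treated as objects. The entries are constructed, and `entryUUID` as the anchor is an assumption (OpenLDAP exposes it; other directories have their own GUID attribute).

```python
# Vendor-neutral "delta by diff" for an LDAP connector that has no change log to read.
# Entries are plain dicts as a full import would return them: a DN plus multi-valued
# attributes (lists). Constructed data for the illustration, not a real directory.


def is_referral(entry):
    """A referral entry carries objectClass=referral and a 'ref' attribute (RFC 4511, 4.1.10)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return "referral" in classes or "ref" in entry


def index_by_anchor(entries, anchor):
    """Key entries on the anchor attribute; collect referrals and anchor-less entries separately."""
    indexed, referrals, no_anchor = {}, [], []
    for entry in entries:
        if is_referral(entry):
            referrals.append(entry["dn"])          # not followed: report, do not import
        elif anchor not in entry:
            no_anchor.append(entry["dn"])          # cannot be tracked across imports
        else:
            indexed[entry[anchor][0]] = entry
    return indexed, referrals, no_anchor


def compute_delta(previous, current, anchor="entryUUID"):
    """Derive add/modify/rename/delete between two full imports.

    Keying on the anchor rather than the DN means a moved object is a rename,
    not a delete plus an add (which would deprovision and re-create it downstream).
    """
    old, _, _ = index_by_anchor(previous, anchor)
    new, referrals, no_anchor = index_by_anchor(current, anchor)
    delta = {"add": [], "modify": [], "rename": [], "delete": [],
             "referrals_skipped": referrals, "no_anchor": no_anchor}
    for key, entry in new.items():
        if key not in old:
            delta["add"].append(entry["dn"])
            continue
        before = old[key]
        if before["dn"] != entry["dn"]:
            delta["rename"].append((before["dn"], entry["dn"]))
        changed = sorted(a for a in set(before) | set(entry)
                         if a != "dn" and before.get(a) != entry.get(a))
        if changed:
            delta["modify"].append((entry["dn"], changed))
    for key, entry in old.items():
        if key not in new:
            delta["delete"].append(entry["dn"])
    return delta


# Constructed snapshots: T0, then T1 with one attribute change, one move, one
# deletion, one new object and one referral glue entry.
SNAPSHOT_T0 = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "entryUUID": ["0001"],
     "objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "entryUUID": ["0002"],
     "objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "entryUUID": ["0003"],
     "objectClass": ["inetOrgPerson"], "mail": ["carol@example.com"]},
]
SNAPSHOT_T1 = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "entryUUID": ["0001"],
     "objectClass": ["inetOrgPerson"], "mail": ["alice.martin@example.com"]},
    {"dn": "uid=bob,ou=staff,dc=example,dc=com", "entryUUID": ["0002"],
     "objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "entryUUID": ["0004"],
     "objectClass": ["inetOrgPerson"], "mail": ["dave@example.com"]},
    {"dn": "ou=remote,dc=example,dc=com", "objectClass": ["referral", "extensibleObject"],
     "ref": ["ldap://ldap2.example.com/ou=remote,dc=example,dc=com"]},
]


def demo_delta():
    return compute_delta(SNAPSHOT_T0, SNAPSHOT_T1)


if __name__ == "__main__":
    for kind, items in demo_delta().items():
        print(f"{kind}: {items}")
```

The `referrals_skipped` and `no_anchor` lists are the part to watch in production: an object that lives behind a referral, or that lacks the anchor attribute, is invisible to the sync and will never be provisioned or deprovisioned in AAD.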
Manage access to many cloud applications

• Comprehensive identity and access management console
• Centralized access administration for pre-integrated SaaS apps and other Cloud-based apps
• Secure business processes with advanced access management capabilities for IT professionals
• Your cloud apps, ready when you are
Demo 3: Windows Azure Management Portal
Demo 4: Application Access Enhancements for Windows Azure Active Directory
Demo 5: Granting access to a SaaS multi-tenant app
Monitor and protect access to enterprise apps

• Built-in security features
• Security reporting that tracks inconsistent access patterns
• Step up to Multi-Factor Authentication
• Ensure secure access and visibility on usage patterns for SaaS and cloud-hosted LOB applications
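"Inconsistent access patterns" is the kind of phrase that deserves a concrete shape. The following added example, written for this page and not a description of how AAD's own security reports are computed, runs two of the classic checks over a handful of constructed sign-in records: two successful sign-ins from different countries closer together than a person could travel, and a run of failures immediately followed by a success (a guessed or sprayed password that landed). The record format, thresholds and windows are assumptions for the illustration; the output is the kind of finding that would justify stepping a user up to multi-factor authentication.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records for the illustration (not a real AAD report export):
# user, UTC timestamp, country the sign-in came from, outcome.
RAW_SIGN_INS = [
    ("alice", "2013-06-03T08:00:00", "FR", "success"),
    ("alice", "2013-06-03T08:20:00", "US", "success"),   # 20 minutes later, another continent
    ("bob",   "2013-06-03T09:00:00", "DE", "success"),
    ("bob",   "2013-06-03T12:00:00", "DE", "success"),
    ("carol", "2013-06-03T10:00:00", "FR", "failure"),
    ("carol", "2013-06-03T10:00:30", "FR", "failure"),
    ("carol", "2013-06-03T10:01:00", "FR", "failure"),
    ("carol", "2013-06-03T10:01:30", "FR", "failure"),
    ("carol", "2013-06-03T10:02:00", "FR", "failure"),
    ("carol", "2013-06-03T10:03:00", "FR", "success"),   # guess until it works, then in
    ("dave",  "2013-06-03T11:00:00", "FR", "failure"),
    ("dave",  "2013-06-03T11:00:10", "FR", "failure"),
    ("dave",  "2013-06-03T11:00:40", "FR", "success"),   # ordinary typo, below threshold
]

EVENTS = [{"user": u, "time": datetime.fromisoformat(t), "country": c, "result": r}
          for u, t, c, r in RAW_SIGN_INS]


def by_user(events):
    """Group events per user, each group sorted chronologically."""
    grouped = defaultdict(list)
    for event in events:
        grouped[event["user"]].append(event)
    for group in grouped.values():
        group.sort(key=lambda e: e["time"])
    return grouped


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Two successful sign-ins from different countries closer together than `window`."""
    findings = []
    for user, group in by_user(events).items():
        successes = [e for e in group if e["result"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            gap = cur["time"] - prev["time"]
            if prev["country"] != cur["country"] and gap <= window:
                findings.append((user, prev["country"], cur["country"],
                                 int(gap.total_seconds() // 60)))
    return findings


def detect_failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` failures inside `window` immediately followed by a success."""
    findings = []
    for user, group in by_user(events).items():
        streak = []
        for event in group:
            if event["result"] == "failure":
                streak.append(event)
                continue
            recent = [f for f in streak if event["time"] - f["time"] <= window]
            if len(recent) >= threshold:
                findings.append((user, len(recent), event["time"].isoformat()))
            streak = []  # a success closes the run either way
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(EVENTS):
        print("impossible travel:", finding)
    for finding in detect_failures_then_success(EVENTS):
        print("failures then success:", finding)
```

Both checks key on the user, not the IP, which is what makes them meaningful against cloud applications reached from many networks and devices; the thresholds are the tuning knob between noise (travellers, typos) and misses.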
Demo 6: Windows Azure Multi-Factor Authentication
Personalized access to my applications

• All assigned SaaS apps in one web page: the Access Panel
• Single Sign-On experience for all SaaS applications
• Use the Access Panel from all devices with your existing credentials
• Users can easily access the SaaS apps they need, using their existing credentials
Demo 7: User Access Panel
Identities everywhere, accessing everything

[Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure), Microsoft apps, custom LOB apps, ISV/CSV apps, 3rd party clouds/hosting, PCs and devices, and consumer identity providers, all connected through AAD]
Many applications, one identity repository
• IdMaaS directory on Windows Azure
• Connect/synchronize on-premises directories with Windows Azure
• Provide IdM to new apps (ACS, Graph API, SDKs)

Manage access to cloud applications (SaaS apps)
• Manage users
• Add Cloud-based applications for SSO

Monitor and protect access to enterprise applications
• Built-in security
• Secure tools for synchronization (DirSync, AAD connector)
• Block user access

Personalized access to my applications
Many applications, one identity repository
• IdMaaS directory on Windows Azure
• Connect/synchronize on-premises directories with Windows Azure
• Provide IdM to new apps (ACS, Graph API, SDKs)
• Pre-integrated popular SaaS applications (Preview)

Manage access to cloud applications (SaaS apps)
• Manage users
• Add Cloud-based applications for SSO
• Add pre-integrated SaaS apps from the gallery for SSO (Preview)
• Add/remove users to top pre-integrated SaaS apps (Preview)

Monitor and protect access to enterprise applications
• Built-in security
• Secure tools for synchronization (DirSync, AAD connector, etc.)
• Block user access
• Security reports (Preview)
• Multi-factor authentication

Personalized access to my applications
• Single screen with assigned SaaS apps for every user: Access Panel (Preview)
• Single Sign-On for SaaS apps from the Access Panel (Preview)
In GA since April 2013

Sign up for your free AAD tenant and trial Windows Azure account
• https://account.windowsazure.com/organization
To Go Beyond

Places to start
• http://www.windowsazure.com/en-us/solutions/identity/
• http://channel9.msdn.com/search?term=directory

Microsoft TechNet Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290967

Microsoft MSDN Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290966

Microsoft Active Directory Team Blog
• http://blogs.msdn.com/b/active_directory_team_blog

Windows Azure Active Directory Graph Team Blog
• http://blogs.msdn.com/aadgraphteam
Whitepapers and Step-by-step Guides

• Active Directory from the on-premises to the Cloud
• Office 365 Single Sign-On with AD FS 2.0
• Office 365 Single Sign-On with Shibboleth 2.0
• Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure

Available on the Microsoft Download Center
Additional Resources

Windows Azure Trust Center
• A single location where information on security, privacy and compliance is aggregated
  http://www.windowsazure.com/en-us/support/trustcenter/
Additional Resources (cont'd)

• http://www.microsoft.com/openness
• http://msopentech.com
Thank you!