
Azure AD and Office 365 - Deja Vu All Over Again


What's going on in Azure Active Directory and Office 365


  1. Azure AD and Office 365: déjà vu all over again
     Mark Diodati, Research VP/IAM Agenda Manager, mark.diodati@gartner.com, @mark_diodati
     Sean Deuby, Solutions Architect, Sean.deuby@edgile.com, @shorinsean
  2. 62% of Gartner clients have or will migrate to Office 365
     80% of the Global 500
     65% of the Fortune 1000
  3. A Tail Wagging a Very Large Dog
     Office 365 is driving Azure AD adoption
     • As Exchange drove Active Directory adoption
     • If you want the app, you must have the platform
     • 3rd party IDaaS from Okta, Centrify, Ping Identity and others work with Azure AD
     Azure AD is more than the authentication service for Office 365
     • Identity platform for all Microsoft Online Services
     • Full-blown IDaaS (SaaS SSO, on-premises app publishing, MFA, on-prem integration)
  4. It's a Big Dog
     • 10 million Azure AD tenants (mostly < 500 accounts, cloud only)
     • More than half a billion users
     • 1.3 billion logins per day
     • Detects and mitigates 10 million attacks per day (4 billion in the last 12 months)
     • 100K organizations synching on-premises Active Directory with Azure AD
  5. Magic Quadrant for Identity and Access Management: http://gtnr.it/1UeQJ4a
  6. Trend: customer expectations for IAM capabilities in multi-platform offerings (chart compares identity, IaaS, EMM and virtualization). Azure AD wins on identity; AWS wins on IaaS.
  7. Azure B2B | Hybrid Identity | MFA
  8. Azure B2B | Hybrid Identity | MFA (section divider)
  9. Questions
     "How do we connect our enterprise users to Office 365 and other Azure AD-protected applications?"
     Connecting users requires
     • Admin-time actions: users must be provisioned/managed into Azure AD's identity store
     • Runtime actions: users must authenticate to Azure AD before accessing resources (SAML or password)
  10. User Management (flowchart: Begin User Management Selection)
     Decision nodes: Strategic IGA Product Deployed? | IGA Product Supports Azure AD? | Is Password Sync or Mgmt Important? | IAM for SaaS Apps Exclusively via Azure AD? | Is Single-Vendor Solution Important? | Reevaluate Directory Sync Requirements
     Outcomes: Use IGA Product | Use IGA and AD Connect | Use AD Connect | Use 3rd Party Directory Sync | Use 3rd Party Directory Sync and AD Connect
  11. User Management Options
     • Use AD Connect
     • Use IGA Product
     • Use IGA and AD Connect
     • Use 3rd Party Directory Sync
     • Use 3rd Party Directory Sync and AD Connect
  12. Directory Sync (diagram): AD -> Identity Bridge (change detection, CRUD) -> Azure AD
  13. AD Connect Password Management* (diagram: an encrypted password change attempt flows between Azure AD and AD through Azure AD Connect)
     * Other IDaaS vendors can do this, too.
  14. AD Connect Password Hash Sync* (diagram: AD -> Azure AD Connect -> Azure AD, carrying a password hash such as 8743b52063cd84097a65d1633f5c74f5)
     * Unique to Azure AD and AD Connect.
  15. Mark's Recommendations
  16. Use AD Connect (decision path: No on-prem IAM to SaaS apps? Is password sync or Azure AD DS important?)
  17. Use IGA Product / Use IGA and AD Connect (decision path: Strategic IGA product deployed? IGA product doesn't support Azure AD | password sync / AAD DS?)
  18. Use 3rd Party Directory Sync / Use 3rd Party Sync and AD Connect (decision path: On-premises provisioning to SaaS apps? Password sync / AAD DS important?)
  19. User Authentication (flowchart: Begin Authentication Selection, shown alongside the User Management flowchart from slide 10)
     Decision nodes: Federation to Azure AD Only? | Many On-Premises Connections to SaaS Apps? | Federated SP Required? | SP for Windows and SAML Apps Only? | SSO Requirement? | Low Assurance Requirement?
     Outcomes: Use AD Connect | Use AD FS | Use 3rd Party Federation
  20. Mark's Recommendations
  21. Use AD Connect (Password Sync) | Use 3rd Party Federation (SAML) | Use AD FS (SAML)
  22. Use AD Connect (Password Sync) (decision path: Small IT staff? Low assurance requirement? No SSO requirements?)
  23. Use AD FS (decision path: Federation to Azure AD only? SP for Windows and SAML apps only?)
  24. Use 3rd Party Federation (decision path: SP for heterogeneous apps? Many on-premises connections to SaaS apps?)
  25. Azure B2B | Hybrid Identity | MFA (section divider)
  26. Azure MFA
     • Second-factor authentication for all Azure AD-integrated resources
     • Originally acquired from PhoneFactor
     • Focuses on phone: smart (voice, SMS, app), feature (voice, SMS), landline (voice)
     • Soft token in the app
  27. Azure MFA vs. MFA Server
     • Azure MFA service: protects Azure AD-integrated resources
     • MFA Server: hybrid solution; on-premises server(s); protects on-premises services (VPN, Remote Desktop, IIS apps); can protect Azure AD resources (with AD FS)
  28. Which Type of MFA Do I Need? It's (mostly) about where the IdP is
     • Microsoft cloud (Azure AD): Azure MFA
     • On premises (AD FS): MFA Server or 3rd party

     Resource protected                                             Azure MFA   MFA Server
     Azure AD IdP
       Azure AD native AuthN                                        X
       Office 365                                                   X           X (if AD FS)
       Azure AD-integrated SaaS apps (per-app basis)                X
       On-premises apps published to Azure AD via Azure App Proxy   X
     On-premises (e.g. AD DS) IdP
       Azure AD AuthN (via AD FS)                                               X
       VPN access to corpnet                                                    X
       Remote Desktop to corpnet                                                X
       IIS applications                                                         X
       SP-initiated SaaS login via AD FS                                        X
  29. Directions & Recommendations
     Where is this hybrid product going?
     • Overall solution will incrementally gain capabilities
     • Azure MFA is the strategic service
     • MFA Server is stable but not being enhanced; capabilities are being picked up by other services (AD FS 2016 built-in Azure MFA adapter)
     • Prediction: connector tech (like AAD App Proxy) to replace other capabilities
     Recommendations
     • Azure MFA very smartphone focused
     • Bundling with other services makes pricing attractive
     • Only option for fine-grained MFA in Microsoft Online Services
  30. Azure B2B | Hybrid Identity | MFA (section divider)
  31. Shortcomings of Traditional B2B Models
     Federation partnerships
     • Infrastructure requirements
     • Scaling issues
     • Limited partner visibility
     Internal partner directories
     • Lifecycle management issues
     • Attack vector
  32. Microsoft's B2B Model
     • 10 million organizations in Azure AD today... why not use Azure AD for the B2B infrastructure?
     • B2BaaS
     • If you aren't in Azure AD... we'll add you automagically
     • Partner org identities made available to you
     • You control access
     • They control their identities
  33. Azure B2B Access Model
     Invite: creates CSV file of invited partner employees; uploads to Azure, invites are sent
     Accept: invitee accepts invitation; if in Azure AD: sign in; not in Azure AD: sign up / viral tenant created
     Access: invitee created as external user in inviter's directory; access granted to user
  34. Strengths
     • B2B infrastructure is handled for you
     • Scalable to many partners
     • You control access without managing their identities
     • Supports SaaS apps, Azure services, other claims-aware apps
     • Essentially free to Azure AD-using organizations
  35. Current Flat Spots
     • External user is copied from partner directory, not linked: outside of identity lifecycle management; user authenticates against their home directory; can delete
     • No attestation yet
     • CSV file (PowerShell, invite API not yet supported)
     • Does not support social email providers yet (e.g. gmail)
  36. Stuff We Didn't Get To
     • Azure AD Domain Services
     • Graph API for provisioning
     • Adaptive/Conditional Access
     • OpenID Connect
     • SSO to On-Premises Applications (App Proxy)
  37. Mark Diodati, mark.diodati@gartner.com, @mark_diodati | Sean Deuby, Sean.Deuby@edgile.com, @shorinsean
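Slide 12 reduces the identity bridge between AD and Azure AD to two jobs: change detection and CRUD against the cloud store. The following added example (not Azure AD Connect's code; the attribute map, the source-anchor scheme and the sample users are this example's own assumptions) models one sync cycle. It keys objects on an immutable anchor so a rename shows up as an update rather than a delete plus a create, fingerprints only the attributes that actually flow to the cloud so on-prem noise such as lastLogon never triggers an export, and halts when a cycle would delete more objects than a threshold, a guard modelled on AD Connect's accidental-delete protection (the default of 500 is reused here as an assumption).

```python
"""Identity bridge model: change detection in the on-premises directory turned
into CRUD operations against the cloud directory. Added example, not Azure AD
Connect's code; anchors, attribute map and sample objects are constructed."""
import base64
import hashlib
from dataclasses import dataclass, field

# On-prem attribute -> cloud attribute. Attributes not listed (e.g. lastLogon)
# never leave the on-prem directory and never count as a change. (Assumed map.)
ATTRIBUTE_MAP = {
    "userPrincipalName": "userPrincipalName",
    "mail": "mail",
    "displayName": "displayName",
    "accountEnabled": "accountEnabled",
}

# Modelled on AD Connect's accidental-delete protection: refuse an export that
# would delete more objects than this. The value 500 is this model's default.
DEFAULT_DELETE_THRESHOLD = 500


def source_anchor(object_guid: bytes) -> str:
    """Immutable join key (base64 of the on-prem objectGUID), so a rename or a
    UPN change is seen as an update, not a delete followed by a create."""
    return base64.b64encode(object_guid).decode("ascii")


def project(entry: dict) -> dict:
    """Keep only the attributes that flow to the cloud, renamed per the map."""
    return {cloud: entry[onprem] for onprem, cloud in ATTRIBUTE_MAP.items() if onprem in entry}


def fingerprint(attrs: dict) -> str:
    """Order-independent digest of the projected attributes for change detection."""
    canon = "\x1f".join(f"{k}={attrs[k]!r}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)   # (anchor, attrs)
    update: list = field(default_factory=list)   # (anchor, attrs)
    delete: list = field(default_factory=list)   # anchor
    unchanged: int = 0


def plan_delta(previous: dict, current: dict,
               delete_threshold: int = DEFAULT_DELETE_THRESHOLD) -> SyncPlan:
    """previous: anchor -> fingerprint exported last cycle.
    current:  anchor -> raw on-prem attributes read this cycle."""
    plan = SyncPlan()
    for anchor, entry in current.items():
        attrs = project(entry)
        if anchor not in previous:
            plan.create.append((anchor, attrs))
        elif previous[anchor] != fingerprint(attrs):
            plan.update.append((anchor, attrs))
        else:
            plan.unchanged += 1
    plan.delete = sorted(previous.keys() - current.keys())
    if len(plan.delete) > delete_threshold:
        raise RuntimeError(f"{len(plan.delete)} deletes exceed threshold {delete_threshold}; export halted")
    return plan


def snapshot_fingerprints(entries: dict) -> dict:
    """State to remember after a successful export."""
    return {anchor: fingerprint(project(entry)) for anchor, entry in entries.items()}


def user(upn: str, name: str, enabled: bool = True, last_logon: int = 0) -> dict:
    """Constructed on-prem object."""
    return {"userPrincipalName": upn, "mail": upn, "displayName": name,
            "accountEnabled": enabled, "lastLogon": last_logon}


# Constructed objectGUIDs for the sample users.
ALICE, BOB, CAROL, DAVE = (bytes([n]) * 16 for n in (1, 2, 3, 4))


def demo() -> SyncPlan:
    """Two cycles over constructed data: Alice renamed, Bob removed, Carol
    added, Dave only logged on (no synced attribute changed)."""
    cycle1 = {
        source_anchor(ALICE): user("alice@example.test", "Alice Example", last_logon=100),
        source_anchor(BOB): user("bob@example.test", "Bob Example"),
        source_anchor(DAVE): user("dave@example.test", "Dave Example", last_logon=100),
    }
    previous = snapshot_fingerprints(cycle1)
    cycle2 = {
        source_anchor(ALICE): user("alice@example.test", "Alice Renamed", last_logon=100),
        source_anchor(CAROL): user("carol@example.test", "Carol Example"),
        source_anchor(DAVE): user("dave@example.test", "Dave Example", last_logon=200),
    }
    return plan_delta(previous, cycle2)


if __name__ == "__main__":
    p = demo()
    print(f"create={len(p.create)} update={len(p.update)} delete={len(p.delete)} unchanged={p.unchanged}")
```

The delete threshold is the part worth copying into any home-grown bridge: a mis-scoped OU filter or a broken domain controller connection looks, to a naive diff, exactly like mass offboarding, and the cloud side will happily honour the deletes.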
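Slide 14 shows password hash sync as a hash travelling from AD through Azure AD Connect to Azure AD. The security-relevant detail the diagram does not show is that the value stored in the cloud is not the on-premises NT hash itself. Per Microsoft's Azure AD Connect documentation, the sync agent expands the 16-byte hash to 64 bytes (its hex string re-encoded as UTF-16LE), adds a 10-byte per-user salt and runs PBKDF2-HMAC-SHA256 for 1000 iterations; the 32-byte result, the salt and the iteration count are what reach Azure AD. The following added example (not Microsoft's code; the hex case and the record layout are this model's own choices, and the MD4 step that turns a password into an NT hash is deliberately left out) models that protection and the cloud-side check, using the hash value from the slide as constructed input.

```python
"""Model of the "hash of hash" protection behind password hash sync. Per
Microsoft's Azure AD Connect documentation, the agent never sends the
on-premises NT hash as-is: it expands the 16-byte hash to 64 bytes, adds a
10-byte per-user salt and runs PBKDF2-HMAC-SHA256 for 1000 iterations; the
32-byte result travels with the salt and iteration count. Added example, not
Microsoft's code; the hex case and the record layout are this model's choices."""
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 10        # documented per-user salt length
ITERATIONS = 1000    # documented PBKDF2 iteration count
DERIVED_LEN = 32     # documented output length (HMAC-SHA256)


def expand_hash(nt_hash: bytes) -> bytes:
    """16 bytes -> 32 hex characters -> 64 bytes in UTF-16LE, as documented.
    Lower-case hex is an assumption of this model."""
    if len(nt_hash) != 16:
        raise ValueError("expected a 16-byte NT hash")
    return nt_hash.hex().encode("utf-16-le")


def protect(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """What the sync agent would transmit for one user (salt is random per user)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    derived = hashlib.pbkdf2_hmac("sha256", expand_hash(nt_hash), salt, ITERATIONS, DERIVED_LEN)
    return {"hash": derived, "salt": salt, "iterations": ITERATIONS}


def verify(candidate_nt_hash: bytes, record: dict) -> bool:
    """Cloud-side check: recompute with the stored salt/iterations and compare
    in constant time. The stored record never yields the NT hash back."""
    derived = hashlib.pbkdf2_hmac("sha256", expand_hash(candidate_nt_hash),
                                  record["salt"], record["iterations"], DERIVED_LEN)
    return hmac.compare_digest(derived, record["hash"])


# The 16-byte value shown on the slide, used here as a constructed sample hash.
SLIDE_HASH = bytes.fromhex("8743b52063cd84097a65d1633f5c74f5")
# Fixed constructed salt so the demo is reproducible; real salts come from os.urandom.
DEMO_SALT = bytes(range(SALT_LEN))


def demo() -> dict:
    """Protect the slide's sample hash with the fixed demo salt."""
    return protect(SLIDE_HASH, DEMO_SALT)


if __name__ == "__main__":
    rec = demo()
    print("sent to cloud:", rec["hash"].hex(), rec["salt"].hex(), rec["iterations"])
    print("verifies:", verify(SLIDE_HASH, rec))
```

Two properties follow from the model and are the ones to keep in mind when assessing the "hash leaves the building" objection on slide 14: the per-user salt means two users with the same password produce different cloud records, and a cloud record cannot be replayed against on-premises AD because it is a PBKDF2 derivative of the NT hash, not the NT hash.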
