Cloud-powered protection Manage access at scale 1000s of apps, 1 identity Enable business without borders • Advanced user ...

A comprehensive identity and access management cloud solution for your employees, partners, and customers. It combines dir...

Azure Active Directory Connect ADFS Sync engine

1000s OF APPS, 1 IDENTITY Azure Active Directory Connect Consolidated depl...

1000s OF APPS, 1 IDENTITY 1st option: Identity + Password (Hash) synchronization Identity + Password Hash synchronization ...

1000s OF APPS, 1 IDENTITY 2nd option: Identity synchronization + ADFS Identity synchronization ADFS Authentication passed t...

1000s OF APPS, 1 IDENTITY New option: Identity synchronization + Pass-through authentication with Seamless SSO Identity sy...

1000s OF APPS, 1 IDENTITY Seamless SSO is now enabled for the 1st option, too: Identity + Password (Hash) synchronization ...

Identity Synchronization + ADFS 1000s OF APPS, 1 IDENTITY More options than ever! User Identity synchronization Identity S...

User Contoso Corpnet Connector 1000s OF APPS, 1 IDENTITY How it works User Name and password Connector notified of request...

Contoso Corpnet 5 User sends ticket to Azure AD STS 1000s OF APPS, 1 IDENTITY How seamless SSO works with Pass-through aut...

Corporate network Microsoft Azure Active Directory Connectors are deployed usually on corpnet next to resources Multiple c...

1000s OF APPS, 1 IDENTITY “We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands o...

ENABLE BUSINESS WITHOUT BORDERS “I need to let my partners access my company’s apps using their own credentials”

ENABLE BUSINESS WITHOUT BORDERS Partner

ENABLE BUSINESS WITHOUT BORDERS Partners use their own credentials to access your org Users lose access when they leave th...

CLOUD-POWERED PROTECTION Built-in security features Security reporting that tracks inconsistent access patterns, analytics...

Microsoft Azure Active Directory Cloud app discovery Source: Help Net Security 2014 as many Cloud apps are in use than IT ...

Security reporting that tracks inconsistent access patterns, analytics, and alerts Reporting API Built-in security feature...

CLOUD-POWERED PROTECTION A standalone Azure identity and access management service, also included in Azure Active Director...

CLOUD-POWERED PROTECTION Text messages Phone calls Mobile apps Users sign in from any device using their existing username/password. 1 On-premises apps RADIUS LDAP IIS RDS/VDI Windows S...

CLOUD-POWERED PROTECTION MFA for Office 365/Azure Administrators Azure Multi-Factor Authentication Administrators can enab...

Analyze 1 DETECT ATTACKS BEFORE THEY CAUSE DAMAGE ATA Analyzes all Active Directory-related traffic and collects relevant e...

CLOUD-POWERED PROTECTION Reduce risks of excessive access to your organization’s data Dashboards with insights Policy driv...

World of devices EMPOWER USERS HR system LDAP Oracle DB Finance Web apps Windows Server Active Directory Hybrid identity User identities from multiple re...

Microsoft’s IAM solution Apps in Azure Third-party apps & clouds Microsoft Cloud Microsoft Identity Manager Apps on-premis...

MANAGE EVERYTHING Cloud-ready identities Powerful user self-service Enhanced security Automatic preparation of Active Dire...

MANAGE EVERYTHING Cloud-ready identities Powerful user self-service Enhanced security • Standardized Active Directory attr...

MANAGE EVERYTHING ON-PREMISES HYBRID CLOUD Managed: Microsoft System Center Configuration Manager On-premises LOB applicat...

MANAGE EVERYTHING MIM Microsoft Identity Manager 2016 Azure AD App Proxy Azure AD Connect IAM On-premises applications Mic...

Username ? Forgot your password? User Cloud On-premises applications ••••••••••••• IT User’s identity Self-service experie...

Microsoft Identity Manager 2016 Collapse directories Map multiple identities Transform usernames and other attributes User Existing apps Existing FIM Existing AD forests WS 2003 or later User: PRIV\JenAdmin Groups: CORP\Resource Admins Refresh...

Deep dive: DirSync, Azure AD, and MIM Sync DirSync Azure Active Directory Sync FIM Sync (+ Azure Active Directory Connecto...

Connect and sync on-premises directories with Azure Azure Active Directory Connect Microsoft Azure Active Directory Other...

Azure Active Directory vs. Microsoft Identity Manager: Password reset/management YES / YES; Group management YES, not dynamic / YES; ...

Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is part of the Enterprise Mobi...

Demo

Cloud-ready identities Powerful user self-service Enhanced security Automatic preparation of Active Directory identities f...

Cloud-ready identities Powerful user self-service Enhanced security • Standardized Active Directory attributes and values ...
Identity and Access Management from Microsoft and Razor Technology
63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 Data Breach Report)
More than 80% of employees admit using non-approved SaaS apps for work purposes (Stratecast, December 2013)
0.6% global IT spend increase. http://www.gartner.com/newsroom/id/3186517

IT cannot afford to live in the past. Successful businesses of today (and tomorrow) realize the power of mobility to support employee productivity and collaboration. You need to prepare to mitigate the risks of providing freedom and space to your employees. You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats — all the while giving workers a better and more productive experience, so that they’re motivated to follow protocol. You need an enterprise mobility partner that can help you achieve all of this, so that everyone is a winner, and your business stays out of the headlines.

Microsoft’s vision includes management and protection across four key layers: users, devices, apps, and data – for your employees, business partners, and customers alike.

Our strategy is to ensure management across these layers while supporting your employees, business partners, and customers with access to everything they need; protecting corporate data across email and collaboration apps; and integrating these new capabilities with what customers already have, like Active Directory and System Center.

Published in: Technology

  1. 1. David J. Rosenthal, VP & GM, Razor Technology @AzureAD Microsoft MTC, NYC February, 14, 2017
  2. 2. Mobile-first, cloud-first reality Data breaches 63% of confirmed data breaches involve weak, default, or stolen passwords. 63% 0.6% IT Budget growth Gartner predicts global IT spend will grow only 0.6% in 2016. Shadow IT More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs. 80%
  3. 3. Enterprise Mobility + Security The Microsoft vision Identity Driven Security Managed Mobile Productivity Comprehensive Solution Apps Devices Data Users
  4. 4. Azure Active Directory as the control plane Identity as the core of enterprise mobility Single sign-on Self-service Simple connection On-premises Other directories Windows Server Active Directory SaaS Azure Public cloud Cloud Microsoft Azure Active Directory Customers Partners
  5. 5. 37 K Azure AD Premium/EMS users >110k third-party applications used with Azure AD >1.3 billion authentications every day on Azure AD More than 750 M user accounts on Azure AD Azure AD Directories >10 M >85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI) Every Office 365 and Microsoft Azure customer uses Azure Active Directory Microsoft’s “Identity Management as a Service (IDaaS)” for organizations. Millions of independent identity systems controlled by enterprise and government “tenants.” Information is owned and used by the controlling organization—not by Microsoft. Born-as-a-cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
  6. 6. Identity is the new control plane Azure Active Directory at the core of your business 1000s of apps, 1 identity Manage access at scale Cloud-powered protection Enable business without borders
  7. 7. "Azure AD Premium makes life simpler for the business and for employees. It gives them access to enterprise applications from any device with a single sign-on that is secure and reliable. That is fundamental in increasing the adoption of cloud technology.” - Kapil Mehta, Productivity & Directory Services Manager 1000s of apps, 1 identity Single sign-on for SaaS apps Single sign-on for mobile apps Support for lift-and-shift of traditional apps to the cloud Secure remote access to on-premises app Connect your on-premises identities to the cloud
  8. 8. "With Azure Active Directory integrated into Smartsheet, our employees don’t need to remember another sign-in. They can use one credential to get to all their applications.” - Mike Kirkpatrick Director of Marketing, Ontario Division, Canadian Cancer Society “The company uses Microsoft Azure Active Directory Premium, another part of Microsoft EMS, to manage the authentication of all 1,600 employees to all company applications. It used Azure AD Premium to provide SSO access to a wide number of applications, including Concur, Oracle, ADP, and Meraki, with more to come.” “We were surprised to see that 90 percent of the SaaS apps in use at Mattamy were already endorsed for single sign-on within Azure Active Directory Premium” - Aaron Pais Vice President of IT, Mattamy Homes
  9. 9. Azure Active Directory Connect and Connect Health * MIM * Microsoft Azure Active Directory HR apps OTHER DIRECTORIES PowerShell SQL (ODBC) LDAP v3 Web Services ( SOAP, JAVA, REST) Connect and sync on-premises directories with Azure Active Directory 1000s OF APPS, 1 IDENTITY
  10. 10. 1000s OF APPS, 1 IDENTITY Web apps (Azure Active Directory Application Proxy) Integrated custom apps SaaS apps OTHER DIRECTORIES 2700+ pre-integrated popular SaaS apps and self-service integration via templates Connect and sync on-premises directories with Azure Easily publish on-premises web apps via Application Proxy + custom apps Microsoft Azure
  11. 11. DMZ https://appX-contoso.msappproxy.net/ 1000s OF APPS, 1 IDENTITY Single Sign-on to on-premises applications Application Proxy User Azure or 3rd Party IaaS connector connector connector Microsoft Azure Active Directory connector app app app app
  12. 12. DMZ https://appX-contoso.msappproxy.net/ 1000s OF APPS, 1 IDENTITY Access even more on-premises web applications Application Proxy User Azure or 3rd Party IaaS connector connector connector Microsoft Azure Active Directory connector app app app app Other LoB apps
  13. 13. A mobile authenticator application for all platforms 1000s OF APPS, 1 IDENTITY Converges the existing Azure Authenticator and all consumer Authenticator applications. MFA for any account, enterprise or consumer and 3rd party : Push Notifications/OTP Device Registration (workplace join) SSO to native mobile apps - Certificate-based SSO Future: Sign in to a device (Windows Hello), app, or website without a password
  14. 14. Azure Active Directory Lift-and-shift on-premises apps to Azure IaaS On-premises Azure AD Connect Windows Server Active Directory Your Azure IaaS workloads/apps Azure AD Domain Services Your virtual network Azure 1000s OF APPS, 1 IDENTITY Your domain controller as a service for lift-and-shift scenarios Kerberos NTLM LDAP Group Policy
  15. 15. Enable business without borders “We give them a username and password, and they’re able to reset their own passwords through Azure Active Directory. This is important, because we have such a small IT staff.” - Scott Bentzel Director of IT Better connect with your consumers and partners Ease of use for end users Anytime, anywhere productivity
  16. 16. “The company also chose Azure Active Directory to simplify identity management for vendors and employees. With Azure Active Directory, the company provides fast, highly secure access to external vendors, cutting onboarding time from months to less than a week.” - Johan Krebbers IT Chief Technology Officer, Royal Dutch Shell “…because we’re now able to give employees their own accounts, we can safely and securely send human resources documents in digitized form even if they are highly confidential, which eliminates traditional mailing.” - Ryuji Katayama Department Manager of the IT Planning Department, Corporate Strategy Division, Village Vanguard “We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.”
  17. 17. Manage your account, apps, and groups Company-branded, personalized application Access Panel: http://myapps.microsoft.com + iOS and Android Mobile Apps Integrated end user experiences Self-service password reset Application access requests Integrated Office 365 app launching ENABLE BUSINESS WITHOUT BORDERS
  18. 18. ENABLE BUSINESS WITHOUT BORDERS Microsoft Azure Active Directory Collaborate with partners: B2B collaboration Share without complex configuration or duplicate users Partners of all sizes You manage access “We needed to quickly & cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.” 3,000+ partners
  19. 19. Intune/MDM auto-enrollment Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory Enterprise-compliant services SSO from the desktop to cloud and on-premises applications with no VPN Support for hybrid environments MDM auto-enrollment Windows 10 Azure AD joined devices ENABLE BUSINESS WITHOUT BORDERS Enterprise State Roaming
  20. 20. Superior economics Identity experience engine Consumer identity and access management in the cloud Cross-platform Identity management for consumers “By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability." - Rafael de los Santos, Head of Digital, Real Madrid ENABLE BUSINESS WITHOUT BORDERS
  21. 21. Without Azure Active Directory integrated with our 2,100 customers’ AD databases, we simply could not manage all the passwords and logon activities of the many hundreds of thousands of teachers and students who make up our customer base.” - Evan Clark Founder & CEO Manage access at scale Advanced user lifecycle management Monitor your identity bridge Low IT overhead
  22. 22. “Without Azure Active Directory integrated with our 2,100 customers’ AD databases, we simply could not manage all the passwords and logon activities of the many hundreds of thousands of teachers and students who make up our customer base.” - Evan Clark Founder & CEO, ClickView “We want to ensure that we’re keeping our operating costs as low as possible to focus our budget on more productive areas of the business. With the help of Azure Active Directory Premium, I’m managing ten times the number of SaaS applications with the same size team. “ Daniel Birmingham: Identity Solutions Architect Whole Foods Market “We will be able to walk in with the computers, connect them to the Internet, and be done. User identity, SaaS access management, mobile device management—all accessible with a few clicks on a web-based console.” - Arvid Johansson CIO, SATS ELIXIA
  23. 23. Centralized access administration for pre-integrated SaaS apps and other cloud-based apps Dynamic groups, device registration, secure business processes with advanced access management capabilities Comprehensive identity and access management console MANAGE ACCESS AT SCALE IT professional Provisioning and deprovisioning with customization options
  24. 24. MANAGE ACCESS AT SCALE Monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365. Monitor: • The Azure AD Connect sync engine health • ADFS infrastructure health • On-premises AD Domain Services health
  25. 25. Cloud-powered protection Protect against advanced threats Conditional access to resources Compliance Reporting Mitigate administrative risks Identity is the new firewall of the future. We can’t continue to use our old way of controlling application access, because business isn’t happening exclusively in our network anymore. With Azure Active Directory Premium, we can stay in control, no matter where our users roam. Will Lamb: Infrastructure Coordinator Whole Foods Market
  26. 26. “By deploying Azure MFA the bank secured access to corporate data. Also there is no need for the end user to receive any trainings or carry additional components with them, such as tokens. “It was important for us to increase security without sacrificing end user experience. We could achieve this thanks to Azure MFA.” Fikri Bülent Çelik Technology and Infrastructure Department Manager, TKFB With Azure AD Premium, Bristow Group now has the capabilities for multifactor authentication; access control (dependent upon device health and user location); holistic security reports; audits; and alerts. Azure Active Directory makes the work of a busy and mobile workforce easier, secures data and protects access to the company’s assets both in the cloud and on-premises. - Kapil Mehta Productivity & Directory Services Manager, Bristow Group Inc. “Vetco uses Microsoft Azure Active Directory Premium (part of the Microsoft Enterprise Mobility Suite) to help safeguard access to data through multifactor authentication.”
  27. 27. Conditions Allow access or Block access Actions Enforce MFA per user/per app User, App sensitivity Device state Location User NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES CLOUD APP DISCOVERY PRIVILEGED IDENTITY MANAGEMENT MFA IDENTITY PROTECTION Risk CLOUD-POWERED PROTECTION
  28. 28. CLOUD-POWERED PROTECTION Text messages Phone calls Mobile apps
  29. 29. CLOUD-POWERED PROTECTION Identity Protection at its best Risk severity calculation Remediation recommendations Risk-based conditional access automatically protects against suspicious logins and compromised credentials Gain insights from a consolidated view of machine learning based threat detection Leaked credentials Infected devices Configuration vulnerabilities Risk-based policies MFA Challenge Risky Logins Block attacks Change bad credentials Machine-Learning Engine Brute force attacks Suspicious sign-in activities
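Slides 27 and 29 list the inputs to a conditional access decision (user, app sensitivity, device state, location, sign-in risk) and the three outcomes (allow, require MFA, block) without showing how they combine. The following is an added example, not part of the deck and not Microsoft's implementation: a small policy engine in which every matching rule contributes an action and the strictest one wins, run over constructed sign-in records. The rule set, the risk levels and the sign-in data are hypothetical.

```python
"""Risk-based conditional access, modelled as a small policy engine.

Constructed example: the condition names (user, app sensitivity, device
state, location, sign-in risk) come from the slide; the policy rules,
risk levels and sign-in records are made up to show how conditions
combine into the three actions the slide lists: allow, require MFA, block.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List


class Action(IntEnum):
    """Ordered so that the strictest decision wins when several rules match."""
    ALLOW = 0
    REQUIRE_MFA = 1
    BLOCK = 2


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    app_sensitivity: str      # "low" or "high" (constructed labels)
    device_compliant: bool    # device state: managed and compliant
    trusted_location: bool    # sign-in from a known corporate network
    risk: str                 # "none", "medium", "high" (constructed levels)
    is_admin: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[SignIn], bool]
    action: Action


# Hypothetical policy set, roughly the shape an administrator would configure.
POLICIES: List[Rule] = [
    Rule("block high-risk sign-ins", lambda s: s.risk == "high", Action.BLOCK),
    Rule("block unmanaged devices on sensitive apps",
         lambda s: s.app_sensitivity == "high" and not s.device_compliant, Action.BLOCK),
    Rule("MFA for admins", lambda s: s.is_admin, Action.REQUIRE_MFA),
    Rule("MFA for medium risk", lambda s: s.risk == "medium", Action.REQUIRE_MFA),
    Rule("MFA outside trusted locations on sensitive apps",
         lambda s: s.app_sensitivity == "high" and not s.trusted_location, Action.REQUIRE_MFA),
]


def evaluate(signin: SignIn, policies: List[Rule] = POLICIES):
    """Return (decision, names of matching rules).

    The strictest matching action wins; with no match the default is to
    allow, which is why the blocking and MFA rules must be written explicitly.
    """
    matched = [r for r in policies if r.condition(signin)]
    decision = max((r.action for r in matched), default=Action.ALLOW)
    return decision, [r.name for r in matched]


# Constructed sign-in events, not data from any real tenant.
SAMPLE_SIGNINS = [
    SignIn("alice", "payroll", "high", True, True, "none"),
    SignIn("bob", "payroll", "high", False, True, "none"),
    SignIn("carol", "wiki", "low", True, False, "medium"),
    SignIn("dave", "wiki", "low", True, True, "high"),
    SignIn("erin", "billing-admin", "high", True, False, "none", is_admin=True),
]


def decide_all(signins=SAMPLE_SIGNINS):
    """Map each user to the decision name, for reporting or a test harness."""
    return {s.user: evaluate(s)[0].name for s in signins}


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        decision, why = evaluate(s)
        print(f"{s.user:6} -> {decision.name:12} {why}")
```

Keeping the rule names in the result is deliberate: a sign-in that was blocked or challenged should be explainable from the audit record, and the same list is what a SIEM would receive from the reporting APIs slide 30 describes.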
  30. 30. CLOUD-POWERED PROTECTION Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools Security/Monitoring/Reporting Solutions Notifications Data Extracts/Downloads Reporting APIs Apply Microsoft learnings to your existing security tools Microsoft machine-learning engine Leaked credentials Infected devices Configuration vulnerabilities Brute force attacks Suspicious sign-in activities
  31. 31. CLOUD-POWERED PROTECTION Discover, restrict, and monitor privileged identities Enforce on-demand, just-in-time administrative access when needed Provides more visibility through alerts, audit reports and access reviews Global Administrator Billing Administrator Exchange Administrator User Administrator Password Administrator
  32. 32. CLOUD-POWERED PROTECTION How time-limited activation of privileged roles works MFA is enforced during the activation process Alerts inform administrators about out-of-band changes Users need to activate their privileges to perform a task Users will retain their privileges for a pre-configured amount of time Security admins can discover all privileged identities, view audit reports and review everyone who is eligible to activate via access reviews Audit SECURITY ADMIN Configure Privileged Identity Management USER PRIVILEGED IDENTITY MANAGEMENT Identity verification Monitor Access reports MFA ALERT Read only ADMIN PROFILES Billing Admin Global Admin Service Admin
  33. 33. CLOUD-POWERED PROTECTION Removes unneeded permanent admin role assignments Limits the time a user has admin privileges Ensures MFA validation prior to admin role activation Reduces exposure to attacks targeting admins Separates role administration from other tasks Adds roles for read-only views of reports and history Asks users to review and justify continued need for admin role Simplifies delegation Enables least privilege role assignments Alerts on users who haven’t used their role assignments Simplifies reporting on admin activity Increases visibility and finer-grained control
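Slides 32 and 33 describe the just-in-time model behind Privileged Identity Management: eligible users activate a role, MFA is checked at activation, the privilege expires after a pre-configured period, permanent assignments made outside the process raise an alert, and every step is audited. The following is an added example that models those steps in plain Python; it is not the deck's content and not the Azure AD service or its API. Role names, users and the MFA callback are constructed placeholders.

```python
"""Just-in-time activation of privileged roles, modelled in plain Python.

Constructed example following the steps on the slide: eligible users
activate a role, MFA is enforced at activation, privileges expire after a
pre-configured period, out-of-band permanent assignments raise an alert,
and everything lands in an audit trail. Roles, users and the MFA callback
are made-up placeholders, not a real tenant's data or a real API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Activation:
    user: str
    role: str
    justification: str
    expires_at: datetime


@dataclass
class PrivilegedRoleStore:
    # Users who may activate a role, keyed by role name (eligible, not yet active).
    eligible: Dict[str, Set[str]] = field(default_factory=dict)
    active: List[Activation] = field(default_factory=list)
    max_duration: timedelta = timedelta(hours=1)   # pre-configured activation window
    audit: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def make_eligible(self, role: str, user: str) -> None:
        """Eligibility replaces a permanent assignment: it grants nothing by itself."""
        self.eligible.setdefault(role, set()).add(user)
        self.audit.append(f"ELIGIBLE {user} {role}")

    def activate(self, user: str, role: str, justification: str,
                 mfa_verified: Callable[[str], bool], now: datetime) -> Optional[Activation]:
        """Grant the role only to an eligible user who passes MFA and gives a reason.

        Returns the time-bound activation, or None with the refusal recorded.
        """
        if user not in self.eligible.get(role, set()):
            self.audit.append(f"DENY {user} {role} not-eligible")
            return None
        if not justification.strip():
            self.audit.append(f"DENY {user} {role} no-justification")
            return None
        if not mfa_verified(user):                      # MFA enforced at activation time
            self.audit.append(f"DENY {user} {role} mfa-failed")
            return None
        act = Activation(user, role, justification, now + self.max_duration)
        self.active.append(act)
        self.audit.append(f"ACTIVATE {user} {role} until {act.expires_at.isoformat()}")
        return act

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """An activation counts only until its expiry; expired ones are pruned here."""
        self.active = [a for a in self.active if a.expires_at > now]
        return any(a.user == user and a.role == role for a in self.active)

    def observe_permanent_assignment(self, user: str, role: str) -> None:
        """Model of the slide's out-of-band alert: a permanent assignment that
        bypassed activation is flagged for the security admin to review."""
        self.alerts.append(f"OUT-OF-BAND permanent {role} assigned to {user}")
        self.audit.append(f"ALERT {user} {role} permanent-assignment")


def demo(now: datetime = datetime(2017, 2, 14, 9, 0)) -> dict:
    """Walk through one activation lifecycle; returns facts a test can check."""
    store = PrivilegedRoleStore()
    store.make_eligible("Billing Admin", "jen")

    def mfa_ok(user: str) -> bool:
        # Constructed second-factor check: only jen completes MFA in this run.
        return user == "jen"

    denied = store.activate("sam", "Billing Admin", "fix invoice", mfa_ok, now)   # not eligible
    store.activate("jen", "Billing Admin", "fix invoice #42", mfa_ok, now)
    store.observe_permanent_assignment("sam", "Global Admin")

    return {
        "denied_for_sam": denied is None,
        "jen_active_now": store.has_role("jen", "Billing Admin", now + timedelta(minutes=30)),
        "jen_active_after_expiry": store.has_role("jen", "Billing Admin", now + timedelta(hours=2)),
        "alerts": len(store.alerts),
        "audit_entries": len(store.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one slide 33 lists first: nobody holds the role permanently, so an attacker who compromises an eligible account still has to pass the MFA gate at activation and gets at most the configured window, and the audit trail shows exactly who activated what and why.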
  34. 34. Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users. An on-premises platform to identify advanced security attacks and insider threats before they cause damage DETECT ATTACKS BEFORE THEY CAUSE DAMAGE Behavioral Analytics Detection of advanced attacks and security risks Advanced Threat Detection
  35. 35. Discovery Gain complete visibility and context for cloud usage and shadow IT—no agents required Data control Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP Threat protection Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats Integrate with existing security, mobility, and encryption solutions
  36. 36. Azure Information Protection Protect your data, everywhere Microsoft Cloud App Security Azure Active Directory Detect threats early with visibility and threat analytics Advanced Threat Analytics Extend enterprise-grade security to your cloud and SaaS apps Intune Protect your users, devices, and apps Manage identity with hybrid integration to protect application access from identity attacks Enterprise Mobility +Security The Microsoft solution
  37. 37. Transportation, Logistics, Oil-Gas, Retail, Hospitality and Travel, Health, Construction, Professional Services, Government, Banking, Insurance, Education, Nonprofit
  38. 38. • Advanced user lifecycle management • Low IT overhead • Monitor your identity bridge • Cloud-connected seamless authentication experience • Single sign-on to 1000s pre-integrated apps/ Your own apps • Secure remote access to on-premises apps • SSO to mobile apps • Support for lift-and-shift to the cloud • Control access to resources • Safeguard user authentication • Respond to advanced threats with risk-based policies and monitoring • Mitigate administrative risks • Governance of on-premises and cloud identities • Ease of use for end users /Integration with Office • Cross-organization collaboration • Any time, any place productivity with Windows 10 • Support for consumer facing applications 1000s of apps, 1 identity Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps Manage access at scale Manage identities and access at scale in the cloud and on-premises Cloud-powered protection Ensure user and admin accountability with better security and governance Enable business without borders Stay productive with universal access to every app and collaboration capability
  39. 39. Azure Active Directory as the control plane Identity as the core of enterprise mobility Single sign-on Self-service Simple connection On-premises Other directories Windows Server Active Directory SaaS Azure Public cloud Cloud Microsoft Azure Active Directory Customers Partners
40. Razor Technology for EMS: Deploy it Right
Razor's Fast Deployment for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium. Now included with all EMS services.
Azure Active Directory Premium. Razor will:
• Get organizational identities to the cloud
• Set up single sign-on for test apps (including Azure Active Directory Application Proxy apps)
• Configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site
Microsoft Intune. Razor will:
• Set up users and groups
• Enable management of test devices
• Optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single-pane management experience
Azure Rights Management Premium. Razor will:
• Retain control of sensitive documents locally and over email
• Automatically protect mail containing privileged information
• Ensure files stored in SharePoint are rights protected
41. David.Rosenthal@razor-tech.com
42. Appendix L300 – more detailed slides
43–46. Identity as the control plane (the diagram is built up over four slides)
• On-premises: Windows Server Active Directory
• Then everything reached from outside the perimeter: VPN, BYO devices, SaaS, Azure, the public cloud, customers and partners
• Then Microsoft Azure Active Directory is added between them
• Finally, retitled "Azure AD as the control plane": Azure AD sits at the center connecting on-premises Windows Server Active Directory, BYO devices, Azure, the public cloud, customers and partners
47. Azure Active Directory editions: feature comparison

Free features | Free | Basic | Premium | Office 365 apps
Directory as a service | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
User/group management (add/update/delete), user-based provisioning, device registration, user-based access management/provisioning, basic security/usage reports | Yes | Yes | Yes | Yes
Single sign-on | 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (Free tier + Application Proxy apps) | No limit (Free and Basic tiers + self-service app integration templates 1) | 10 apps per user (pre-integrated SaaS and developer-integrated apps)
Self-service password change for cloud users | Yes | Yes | Yes | ?
Connect (sync engine that extends on-premises directories to Azure Active Directory) | Yes | Yes | Yes | ?

Basic features (Premium includes all Basic features) | Free | Basic | Premium | Office 365 apps
Group-based access management/provisioning, provisioning customization | - | Yes | Yes | -
Self-service password reset for cloud users | - | Yes | Yes | Yes
Company branding (logon pages/access panel customization) | - | Yes | Yes | Yes
Application Proxy | - | Yes | Yes | -
SLA | - | Yes | Yes | Yes

Premium features | Free | Basic | Premium | Office 365 apps
Self-service group and app management, self-service application additions, dynamic groups | - | - | P1, P2 | -
Self-service password reset/change/account unlock with on-premises write-back | - | - | P1, P2 | -
Advanced usage reporting | - | - | P1, P2 | -
Multi-factor authentication (cloud and on-premises (MFA Server)) | - | - | P1, P2 | Limited, cloud only, for Office 365 apps
MIM CAL + MIM server | - | - | P1, P2 | -
Cloud app discovery | - | - | P1, P2 | -
Automated password rollover | - | - | P1, P2 | -
Connect Health | - | - | P1, P2 | -
Conditional Access (user, application, location, device rules) | - | - | P1, P2 | -
Identity Protection | - | - | P2 | -
Privileged Identity Management | - | - | P2 | -

Windows 10 | Free | Basic | Premium | Office 365 apps
Windows 10 device features (baseline) | Yes | Yes | Yes | Yes
MDM auto-enrolment, self-service BitLocker recovery, additional local administrators on Windows 10 devices via Azure AD Join, Enterprise State Roaming | - | - | Yes | -

Legend: "-" = not included; "?" = the cell did not survive the slide export.
48. Cloud-powered protection
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
Manage access at scale
• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience
1000s of apps, 1 identity
• Single sign-on
• Bring your own apps
• Secure remote access to on-premises apps
• Support for lift-and-shift to the cloud
Enable business without borders
• Ease of use for end users
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer-facing applications
49. Azure Active Directory: a comprehensive identity and access management cloud solution for your employees (B2E), partners (B2B), and customers (B2C). It combines directory services, advanced identity governance, application access management, and a rich standards-based platform for developers.
50. 1000s OF APPS, 1 IDENTITY: Azure Active Directory Connect
Consolidated deployment assistant for your identity bridge components (sync engine and ADFS).
• All currently available sync engines (DirSync, Azure Active Directory Sync, FIM + Azure Active Directory Connector) will be replaced by the sync engine included in the Connect tool.
• Assisted deployment of ADFS will be available through Azure Active Directory Connect.
• ADFS is an optional component for authentication in a hybrid implementation; password hash sync can replace ADFS for more scenarios.
51. 1000s OF APPS, 1 IDENTITY: 1st option, identity + password (hash) synchronization
Azure AD Connect synchronizes identities and password hashes; Azure Active Directory authenticates the user itself.
52. 2nd option: identity synchronization + ADFS
Identities are synchronized; authentication is passed to Windows Server Active Directory via ADFS.
53. New option: identity synchronization + pass-through authentication with Seamless SSO
Identities are synchronized; authentication is passed to Windows Server Active Directory by an on-premises pass-through authentication agent, and domain-joined machines get Seamless SSO.
54. Seamless SSO is now enabled for the 1st option, too: identity + password hash synchronization, with Azure Active Directory authenticating the user.
55. More options than ever!
• Identity synchronization + ADFS
• Identity synchronization + pass-through authentication + Seamless SSO
• Identity synchronization + password hash synchronization + Seamless SSO
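The following Python script is an added illustration, not code from Microsoft or from the deck, of what the 1st option actually ships to the cloud. It follows Microsoft's published description of password hash synchronization: the on-premises NT hash (MD4 over the UTF-16 password) is expanded to 64 bytes, salted with a per-user 10-byte salt and run through PBKDF2 with 1000 iterations of HMAC-SHA256, so Azure AD stores neither the cleartext password nor the NT hash. Details the public description does not pin down (hex case, UTF-16 byte order, derived-key length) are assumptions in the script, and a small MD4 implementation is included because hashlib lacks MD4 on many builds.

```python
"""Illustration of Azure AD Connect password hash synchronization (PHS).

Added example, not Microsoft's code. Documented behaviour: the 16-byte MD4
(NT) hash is hex-encoded, the 32-character string is re-encoded as UTF-16
(64 bytes), a per-user 10-byte salt is added, and PBKDF2-HMAC-SHA256 with
1000 iterations is applied. ASSUMPTIONS not stated publicly: lowercase hex,
UTF-16LE without BOM, and a 32-byte derived key.
"""
import hashlib
import hmac
import os
import struct

M = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & M


def _md4_round(f, state, X, k_order, shifts, const):
    # One MD4 round: 16 steps that cycle through updating a, d, c, b.
    a, b, c, d = state
    for i, k in enumerate(k_order):
        s = shifts[i % 4]
        if i % 4 == 0:
            a = _lrot((a + f(b, c, d) + X[k] + const) & M, s)
        elif i % 4 == 1:
            d = _lrot((d + f(a, b, c) + X[k] + const) & M, s)
        elif i % 4 == 2:
            c = _lrot((c + f(d, a, b) + X[k] + const) & M, s)
        else:
            b = _lrot((b + f(c, d, a) + X[k] + const) & M, s)
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used only because hashlib may lack it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        st = tuple(h)
        st = _md4_round(F, st, X, range(16), (3, 7, 11, 19), 0)
        st = _md4_round(G, st, X, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                        (3, 5, 9, 13), 0x5A827999)
        st = _md4_round(H, st, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                        (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & M for x, y in zip(h, st)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """What AD DS stores for a user: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def phs_protect(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Sync-agent side: expand the NT hash, then PBKDF2-HMAC-SHA256 it."""
    expanded = nt.hex().encode("utf-16-le")  # 16 bytes -> 32 hex chars -> 64 bytes
    assert len(expanded) == 64
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_user(password: str) -> dict:
    """Build the record the sync agent sends to Azure AD for one user."""
    salt = os.urandom(10)  # per-user 10-byte salt (documented length)
    return {"salt": salt, "protected": phs_protect(nt_hash(password), salt)}


def verify_cloud_signin(record: dict, password: str) -> bool:
    """Azure AD side at sign-in: re-derive from the typed password and compare."""
    candidate = phs_protect(nt_hash(password), record["salt"])
    return hmac.compare_digest(candidate, record["protected"])


if __name__ == "__main__":
    rec = sync_user("password")
    print("NT hash      :", nt_hash("password").hex())
    print("sent to cloud:", rec["protected"].hex())
    print("sign-in ok   :", verify_cloud_signin(rec, "password"))
```

Because what Azure AD holds is a salted PBKDF2 output rather than the NT hash, a copy of the cloud record cannot be replayed against the on-premises domain with pass-the-hash, and two users with the same password get different records. The trade-off the deck does not spell out is that an on-premises password compromise is still a cloud compromise with this option, which is why the later slides pair it with MFA and Conditional Access.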
56. 1000s OF APPS, 1 IDENTITY: how pass-through authentication works
1. The user enters user name and password at the Microsoft Azure Active Directory Security Token Service.
2. A pass-through authentication connector on the Contoso corpnet is notified of the request.
3. The connector validates the credentials against Windows Server Active Directory.
4. The domain controller returns the result.
5. The connector returns the result to Azure AD.
6. A token is returned to the user, or further proofs (MFA) are initiated.
57. 1000s OF APPS, 1 IDENTITY: how Seamless SSO works with pass-through authentication and password hash synchronization
1. The user enters their username at the Azure AD Security Token Service.
2. Azure AD returns a 401 response asking the browser for a Kerberos ticket.
3. The user's domain-joined machine requests a Kerberos ticket from Active Directory on the Contoso corpnet.
4. AD returns the Kerberos ticket.
5. The user sends the ticket to the Azure AD STS.
6. A token is returned to the user, or further proofs (MFA) are initiated.
Note: the ticket is issued for the AZUREADSSOACC computer account that Azure AD Connect creates in the on-premises forest, and Azure AD validates it with that account's Kerberos key. Microsoft recommends rolling that key over at least every 30 days, because anyone holding it can forge tickets Azure AD will accept.
58. 1000s OF APPS, 1 IDENTITY: Application Proxy
• A connector on the corporate network auto-connects outbound to the cloud service; no inbound connection through the DMZ is required
• Connectors are usually deployed on corpnet next to the resources (for example, an internal app at http://app1)
• Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources
• Users connect to the cloud service (for example, https://app1-contoso.msappproxy.net/), which routes their traffic to the resource via the connectors
59. 1000s OF APPS, 1 IDENTITY
60. ENABLE BUSINESS WITHOUT BORDERS: Azure Active Directory B2B collaboration
"We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems." (Kodak Alaris, 3000+ partners)
Share without complex configuration or duplicate users
• Partners use their own credentials to access your org
• Users lose access when leaving the partner org
• No external directories, no per-partner federation
You manage access. You control partner access in your directory:
• app assignment
• group membership
• custom attributes
Partners of all sizes
• Bulk invite 1000s at a time
• Partners with Azure Active Directory sign in to accept the invite
• Other partners simply sign up to accept the invite
61. ENABLE BUSINESS WITHOUT BORDERS: "I need to let my partners access my company's apps using their own credentials"
62. ENABLE BUSINESS WITHOUT BORDERS (diagram): Partner
63. ENABLE BUSINESS WITHOUT BORDERS
Partners manage their own credentials
• Partners use their own credentials to access your org
• Users lose access when they leave the partner org
• No external directories, no per-partner federation
Organizations manage access. You control partner access in your directory:
• app assignment
• group membership
• custom attributes
Partners of all sizes
• Thousands of bulk invites at a time
• Partners with Azure Active Directory sign in to accept the invite
• Other partners simply sign up to accept the invite
64. CLOUD-POWERED PROTECTION: built-in security features
• Security reporting that tracks inconsistent access patterns, analytics, and alerts
• Reporting API
65. CLOUD-POWERED PROTECTION: cloud app discovery in Microsoft Azure Active Directory
Discover all SaaS apps in use within your organization. Comprehensive reporting by:
• SaaS app category
• number of users
• utilization volume
Source: Help Net Security 2014: [multiplier missing from the export] as many cloud apps are in use as IT estimates.
66. CLOUD-POWERED PROTECTION: built-in security features
• Security reporting that tracks inconsistent access patterns, analytics, and alerts
• Reporting API
• Step up to Multi-Factor Authentication
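Reporting that tracks "inconsistent access patterns" comes down to rules evaluated over the sign-in log. The Python below is an added example, not Azure AD's reporting code, of one such rule: impossible travel, where two consecutive sign-ins by the same user are farther apart than could be covered at airliner speed in the elapsed time. The sign-in records, their coordinates and the 900 km/h threshold are constructed for the example.

```python
"""Impossible-travel rule over sign-in events (added example, not Azure AD code).

Flags a user whose consecutive sign-ins imply a speed no traveller could
reach. Sample data and threshold are constructed for illustration.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in log: (user, UTC time, city, lat, lon, result).
SIGN_INS = [
    ("alice", "2017-02-14T08:02:00", "New York", 40.71, -74.01, "success"),
    ("alice", "2017-02-14T08:40:00", "Kyiv", 50.45, 30.52, "success"),
    ("bob",   "2017-02-14T07:15:00", "Seattle", 47.61, -122.33, "success"),
    ("bob",   "2017-02-14T19:30:00", "London", 51.51, -0.13, "success"),
    ("carol", "2017-02-14T09:00:00", "Boston", 42.36, -71.06, "failure"),
    ("carol", "2017-02-14T09:05:00", "Lagos", 6.52, 3.38, "failure"),
]

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; tune per environment


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair that implies > max_kmh.

    Failed attempts are evaluated too: a password spray arriving from two
    continents within minutes is a signal even when no access was gained.
    """
    by_user = {}
    for user, ts, city, lat, lon, result in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append(
            (datetime.fromisoformat(ts), city, lat, lon, result))
    alerts = []
    for user, rows in by_user.items():
        for (t1, c1, la1, lo1, _), (t2, c2, la2, lo2, _) in zip(rows, rows[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                alerts.append({"user": user, "from": c1, "to": c2,
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(alert)
```

In the sample, alice (New York to Kyiv in 38 minutes) and carol (Boston to Lagos in five minutes, both failures) are flagged; bob's Seattle to London trip in twelve hours is ordinary travel and passes. Geolocation from IP is noisy, so in practice this rule is one input to a risk score that drives the "step up to Multi-Factor Authentication" decision rather than a block on its own.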
67. CLOUD-POWERED PROTECTION: Azure Multi-Factor Authentication
• A standalone Azure identity and access management service, also included in Azure Active Directory Premium
• Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
• Trusted by thousands of enterprises to authenticate employee, customer, and partner access
68. CLOUD-POWERED PROTECTION: second-factor methods: text messages, phone calls, mobile apps
69. MONITOR AND PROTECT: how Azure Multi-Factor Authentication works
1. Users sign in from any device using their existing username/password: to cloud apps through Microsoft Azure Active Directory, or to on-premises apps (RADIUS, LDAP, IIS, RDS/VDI) fronted by the Multi-Factor Authentication Server, which checks the first factor against Windows Server Active Directory or another LDAP directory.
2. Users must also authenticate using their phone or mobile device before access is granted.
70. CLOUD-POWERED PROTECTION: MFA feature comparison
Feature | MFA for Office 365/Azure administrators | Azure Multi-Factor Authentication
Administrators can enable/enforce MFA for end users | Yes | Yes
Use mobile app (online and OTP) as second authentication factor | Yes | Yes
Use phone call as second authentication factor | Yes | Yes
Use SMS as second authentication factor | Yes | Yes
Application passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes
Default Microsoft greetings during authentication phone calls | Yes | Yes
Suspend MFA from known devices | Yes | Yes
Custom greetings during authentication phone calls | - | Yes
Fraud alert | - | Yes
MFA SDK | - | Yes
Security reports | - | Yes
MFA for on-premises applications / MFA Server | - | Yes
One-time bypass | - | Yes
Block/unblock users | - | Yes
Customizable caller ID for authentication phone calls | - | Yes
Event confirmation | - | Yes
Trusted IPs | - | Yes
Note: application passwords are static credentials that let legacy clients skip the second factor entirely; they should be treated as a migration aid for clients that cannot do modern authentication, not as a standing feature.
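The "mobile app (OTP)" row in the table, the app used offline as a code generator, is standard time-based one-time passwords (RFC 6238). The verifier below is an added example, not Microsoft's implementation, written against the RFC 6238 test secret; the one-step window either side and the replay set are design choices of the example. It shows the two checks a verifier must make beyond recomputing the code: tolerate clock skew, and never accept the same code twice.

```python
"""RFC 6238 TOTP generation and verification (added example, not Microsoft code).

Uses the RFC 6238 Appendix B test secret so the values can be checked
against the RFC; window and replay handling are this example's choices.
"""
import hashlib
import hmac
import struct

RFC6238_SECRET = b"12345678901234567890"  # test key from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, step=30, digits=6, window=1, used=None):
    """Accept `code` if it matches any step in [T-window, T+window] not yet used.

    `used` is the set of counters already accepted for this user. RFC 6238
    section 5.2 requires that a code never be accepted twice; the verifier
    has to keep that state itself, since the code is valid for the whole step.
    """
    if used is None:
        used = set()
    counter = at // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c in used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            used.add(c)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: secret above, SHA-1, 8 digits, T=59 gives 94287082.
    print(totp(RFC6238_SECRET, 59, digits=8))
```

Codes drift by up to one step when the phone's clock is off, which the window absorbs; widening it further buys little usability and lengthens the attacker's guessing window. The replay set is what separates this from a "prevents unauthorized access" claim that only holds on paper: without it, a phished code remains valid for the rest of its 30-second step.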
71. DETECT ATTACKS BEFORE THEY CAUSE DAMAGE: Advanced Threat Analytics
1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from the SIEM.
2. Learn: ATA automatically learns all entities' behaviors.
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline.
72. CLOUD-POWERED PROTECTION: reduce the risk of excessive access to your organization's data
• Dashboards with insights
• Policy-driven review workflows for governance decisions
• Richer auditing to address compliance reporting needs
• Decisions at the business level (self-service)
Covers apps in Azure, third-party apps and clouds, and apps on-premises.
73. World of devices
74. EMPOWER USERS
75. Hybrid identity: user identities from multiple repositories
Sources: HR system, LDAP, Oracle DB, Finance, web apps, Windows Server Active Directory. Connectivity: LDAP v3, Windows PowerShell, web services (SOAP, Java, REST), generic SQL via ODBC. On-premises Windows Server Active Directory vs. Microsoft Azure Active Directory.
76. Microsoft's IAM solution: a modern identity management system
• Spans cloud and on-premises: Microsoft Azure Active Directory and Azure AD App Proxy for apps in Azure, third-party apps and clouds, and apps on-premises; Microsoft Identity Manager on-premises
• Provides the full spectrum of services: federation, identity management, device registration, user provisioning, application access control, data protection
The combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today's hybrid enterprise.
77. MANAGE EVERYTHING: Microsoft Identity Manager 2016
• Cloud-ready identities: automatic preparation of Active Directory identities for synchronization with Azure Active Directory
• Powerful user self-service: password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management
• Enhanced security: hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols
78. MANAGE EVERYTHING
Cloud-ready identities
• Standardized Active Directory attributes and values
• Partitioned identities for synchronization to the cloud
• Easier-to-deploy reporting connected to Azure Active Directory
• Preparation of user profiles for Microsoft Office 365
Powerful user self-service
• Self-service password reset with Multi-Factor Authentication
• New REST-based APIs for AuthN/AuthZ
• Self-service account unlock
• Certificate management support for multi-forest and modern apps
Enhanced security
• Privileged user and account discovery
• New Windows PowerShell support and REST-based API
• Workflow management: elevated just-in-time administrator access
• Reporting and auditing specific to privileged access management
79. MANAGE EVERYTHING: on-premises, hybrid, cloud
On-premises. Managed by Microsoft System Center Configuration Manager: on-premises LOB applications, traditional productivity. Also present: iOS, Android, Windows Phone, BYOD; mobile apps, shadow IT SaaS solutions.
Hybrid. Managed by Microsoft Intune connected to System Center Configuration Manager: on-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation; deployment of cloud-enabled rich clients; managed cloud identities with Multi-Factor Authentication.
Cloud. Managed by EMS: a combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10); managed SaaS and Office 365 Enterprise; full Azure IAM.
Transitions are triggered by a mobility event and a Windows 8.x/10 event. Microsoft Identity Manager 2016 spans all three stages.
80. MANAGE EVERYTHING: IAM components. Microsoft Identity Manager 2016 (MIM) on-premises alongside on-premises applications; Azure AD Connect to Microsoft Azure Active Directory; Azure AD App Proxy in Microsoft Azure.
81. Self-service experiences. The user's identity spans cloud and on-premises applications; the user signs in with username and password and can use "Forgot your password?" without involving IT.
82. Microsoft Identity Manager 2016: collapse directories, map multiple identities, transform usernames and other attributes.
83. Privileged access management with Microsoft Identity Manager
Existing environment: users, existing apps, existing FIM, existing AD forests (WS 2003 or later) joined by an existing trust. A separate PRIV forest holds AD DS and Microsoft Identity Manager configured for PAM, with a trust for admin access.
• Group "Resource Admins" in domain CORP; candidate: Jen
• User "JenAdmin" in PRIV (PRIV\JenAdmin); on an approved access request, JenAdmin receives a time-based membership: groups CORP\Resource Admins, refresh after 60 minutes
• Access requests flow through MIM, which grants and expires the time-limited membership
84. Deep dive: DirSync, Azure AD, and MIM Sync
Sync engine lineage: DirSync → Azure Active Directory Sync → Azure Active Directory Connect; FIM Sync (+ Azure Active Directory Connector) → MIM Sync (+ Azure Active Directory Connector) → Azure Active Directory Connect.
85. Azure Active Directory Connect: connect and sync on-premises directories with Azure
Connects Microsoft Azure Active Directory to other directories over PowerShell, LDAP v3, SQL (ODBC), and web services (SOAP, Java, REST).
86. Deep dive: IAM in MIM vs. Azure Active Directory
Capability | Azure Active Directory | Microsoft Identity Manager
Password reset/management | Yes | Yes
Group management | Yes, not dynamic | Yes
Provisioning, deprovisioning | No | Yes
Certificate management | No | Yes
Role-based access control | No | Yes
Note: this slide predates the edition table on slide 47, which lists dynamic groups as an Azure AD Premium P1/P2 feature.
87. Purchasing Microsoft Identity Manager 2016
• Licensed on a per-user basis: a Client Access License (CAL) is required for each user whose identity is managed
• A Windows Server license with active Software Assurance is required to use the Microsoft Identity Manager 2016 server software as a Windows Server add-on
• Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is part of the Enterprise Mobility Suite
• Microsoft Enterprise Mobility Suite is the most cost-effective way to acquire all included cloud services: Azure Active Directory Premium, Azure Rights Management, and Intune
88. Demo