Identity And Access Management Presented by Microsoft and Atidan

There are a couple of mega trends that have been changing the world of work as we know it. The place where people actually get their work done is no longer exclusively a traditional office or workplace. People now work from home, cafes, customer sites, on the road, in the air. In fact, people can—and do—work from just about anywhere. Even when they’re in the office, people don’t expect to be sitting at their desk in order to be productive. We are in an era where mobility really is the new normal.

The cloud-first, mobile-first world is here. People expect to have the ability to work where, when, and how they choose—using the devices they love and the apps they are familiar with. Just look at the story told by some of these stats: 52% of information workers across 17 countries report using three or more devices for work. 90% of enterprises will have two or more mobile operating systems to support in 2017. More than 80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs.

Slide 1: David J. Rosenthal, CEO, Atidan. October 4, 2016, Microsoft MTC New York City.

Slide 2: Mobile and cloud: challenging security paradigms
- 61% of workers mix personal and work tasks on their devices.*
- More than 70% of network intrusions exploited weak or stolen credentials.***
- More than 80% of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs.**
Sources: * Forrester Research, "BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies," Feb. 21, 2013. ** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report. *** Verizon 2013 Data Breach Investigations Report.

Slide 3: Is it possible to keep up? Is it possible to stay secure?
Users (employees, business partners, customers), apps, devices and data are exposed to data leaks, lost devices, compromised identities and stolen credentials.

Slide 4: Microsoft's vision
For the same users, apps, devices and data: access everything from everywhere; manage and secure productivity; integrate with what you have.

Slide 5: Enterprise Mobility Suite
- Identity and access management: Microsoft Azure Active Directory Premium. Single sign-on to 1000s of cloud and on-premises applications. Identity protection with notifications, analysis, recommended remediation, and risk-based conditional access.
- Device and app management: Microsoft Intune and System Center Configuration Manager. Leverage PC management, MDM, and MAM to protect corporate apps and data on almost any device.
- Information protection: Microsoft Azure Rights Management Premium. Encryption, identity, and authorization to secure corporate files and email across phones, tablets, and PCs.
- Behavior-based threat analytics: Advanced Threat Analytics. Identify suspicious activities and advanced threats in near real time with simple, actionable reporting.

Slide 6: The current reality

Slide 7: Identity as the core of enterprise mobility
Microsoft Azure Active Directory provides single sign-on, self-service and simple connection between on-premises directories (Windows Server Active Directory, other directories) and the cloud (SaaS, Azure, public cloud).

Slide 8: Azure Active Directory
- 1 trillion Azure AD authentications since the release of the service
- >1.3 billion authentications every day on Azure AD
- >80k third-party applications used with Azure AD each month
- More than 600 M user accounts on Azure AD
- >9 M Azure AD directories
- 86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Azure Active Directory is Microsoft's "Identity Management as a Service (IDaaS)" for organizations: millions of independent identity systems controlled by enterprise and government "tenants." Information is owned and used by the controlling organization, not by Microsoft. It was born as a cloud directory for Office 365, extended to manage across many clouds, and evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).

Slide 9: Azure Active Directory. Identity at the core of your business
Identity and access management in the cloud:
- 1000s of apps, 1 identity: provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps.
- Manage access at scale: manage identities and access at scale in the cloud and on-premises.
- Cloud-powered protection: ensure user and admin accountability with better security and governance.
- Enable business without borders: stay productive with universal access to every app and collaboration capability.
Slide 10: 1000s of apps, 1 identity: connect and sync on-premises directories with Azure
Azure Active Directory Connect (with Connect Health) synchronizes on-premises directories to Microsoft Azure Active Directory. Microsoft Identity Manager (MIM) brings in HR apps and other directories through its connectors: PowerShell, SQL (ODBC), LDAP v3, and web services (SOAP, Java, REST).

Slide 11: 1000s of apps, 1 identity
- SaaS apps: 2500+ pre-integrated popular SaaS apps and self-service integration via templates.
- Web apps: easily publish on-premises web apps via Azure Active Directory Application Proxy.
- Integrated custom apps.
- Other directories: connect and sync on-premises directories with Azure.

Slide 12: Microsoft Authenticator
A mobile authenticator application for all platforms that converges the existing Azure Authenticator and all consumer Authenticator applications.
- MFA for any account, enterprise, consumer or third party: push notifications / OTP
- Device registration (workplace join)
- SSO to native mobile apps, including certificate-based SSO
- Sign in to a device (Windows Hello), app, or website without a password

Slide 13: Azure Active Directory Domain Services: your domain controller as a service
Lift and shift on-premises apps to Azure IaaS. On-premises Windows Server Active Directory is synchronized through Azure AD Connect to Azure Active Directory; Azure AD Domain Services then serves your Azure IaaS workloads/apps inside your virtual network with Kerberos, NTLM, LDAP and Group Policy.

Slide 14: Enable business without borders: making the lives of users (and IT) easier
Company branded, personalized application Access Panel (http://myapps.microsoft.com) plus iOS and Android mobile apps:
- Manage your account, apps and groups
- Self-service password reset
- Application access requests
- Integrated Office 365 app launching

Slide 15: Collaborate with partners: Azure Active Directory B2B collaboration
"We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems." (Kodak Alaris; 3000+ partners)
- Share without complex configuration or duplicate users: partners use their own credentials to access your org; users lose access when leaving the partner org; no external directories; no per-partner federation.
- You manage access: you control partner access in your directory through app assignment, group membership and custom attributes.
- Partners of all sizes: bulk invite 1000s at a time; partners with Azure Active Directory sign in to accept the invite; other partners simply sign up to accept the invite.

Slide 16: Enabling anytime, anywhere productivity: Azure Active Directory Join for Windows 10
Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory.
- Enterprise-compliant services
- SSO from the desktop to cloud and on-premises applications with no VPN
- Support for hybrid environments
- Intune/MDM auto-enrollment for Azure AD joined devices

Slide 17: Connecting with consumers: Azure Active Directory B2C
Consumer identity and access management in the cloud: cross-platform identity management for consumers, an identity experience engine, and superior economics.
"By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability." Rafael de los Santos, Head of Digital, Real Madrid

Slide 18: Manage access at scale: managing identities
For the IT professional: centralized access administration for pre-integrated SaaS apps and other cloud-based apps; dynamic groups, device registration, and secure business processes with advanced access management capabilities; a comprehensive identity and access management console.

Slide 19: Manage access at scale: Connect Health
Monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365. Connect Health monitors the Azure AD Connect sync engine health, ADFS infrastructure health, and on-premises AD DS health.

Slide 20: Cloud-powered protection: identity-driven security
Conditions: user, app sensitivity, device state, location, risk. Actions: allow access or block access; enforce MFA per user / per app. Building blocks: MFA; Identity Protection (notifications, analysis, remediation, risk-based policies); Cloud App Discovery; Privileged Identity Management.

Slide 21: Cloud-powered protection: Azure Active Directory Identity Protection
Identity Protection at its best: risk severity calculation and remediation recommendations; risk-based conditional access automatically protects against suspicious logins and compromised credentials; gain insights from a consolidated view of machine-learning based threat detection. The machine-learning engine detects leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, and suspicious sign-in activities. Risk-based policies respond by challenging risky logins with MFA, blocking attacks, and changing bad credentials.
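Slides 20 and 21 describe conditional access as a set of conditions (user, app sensitivity, device state, location, risk) feeding a small set of actions (allow, require MFA, block, change bad credentials). The Python model below is an added example and not Microsoft code or anything from the deck: the thresholds, the sample sign-ins and the fail-closed rule for a user who has no registered MFA method are this example's own assumptions. It shows the ordering a practitioner cares about: high risk is blocked before any MFA prompt is offered, and a required control that cannot be enforced becomes a block rather than a silent allow.

```python
"""Risk-based conditional access modelled as a policy function (illustrative)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Risk(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    device_compliant: bool   # device state: managed/compliant or unknown device
    trusted_location: bool   # inside a named trusted network location
    sign_in_risk: Risk       # per-event risk (unfamiliar location, brute force, ...)
    user_risk: Risk          # account-level risk (leaked credentials, infected device, ...)


@dataclass(frozen=True)
class Policy:
    sensitive_apps: FrozenSet[str]   # apps that need MFA off trusted locations (assumed names)
    mfa_registered: FrozenSet[str]   # users who can actually answer an MFA challenge


def evaluate(policy: Policy, s: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decisions are 'allow', 'mfa', 'mfa+password-change', 'block'."""
    reasons: List[str] = []

    # High risk on either axis is blocked outright: a leaked credential or a
    # confirmed-malicious sign-in should not be given a chance to pass MFA.
    if s.user_risk >= Risk.HIGH:
        return "block", ["user risk high"]
    if s.sign_in_risk >= Risk.HIGH:
        return "block", ["sign-in risk high"]

    require_mfa = False
    require_pw_change = False
    if s.sign_in_risk >= Risk.MEDIUM:
        require_mfa = True
        reasons.append("medium sign-in risk")
    if s.user_risk >= Risk.MEDIUM:
        # "Change bad credentials": prove the second factor, then rotate the password.
        require_mfa = True
        require_pw_change = True
        reasons.append("medium user risk")
    if s.app in policy.sensitive_apps and not s.trusted_location:
        require_mfa = True
        reasons.append("sensitive app outside trusted location")
    if not s.device_compliant and not s.trusted_location:
        require_mfa = True
        reasons.append("unmanaged device outside trusted location")

    if not require_mfa:
        return "allow", reasons
    if s.user not in policy.mfa_registered:
        # Fail closed: the required control cannot be enforced for this user.
        return "block", reasons + ["MFA required but user has no registered method"]
    return ("mfa+password-change" if require_pw_change else "mfa"), reasons


POLICY = Policy(sensitive_apps=frozenset({"payroll"}),
                mfa_registered=frozenset({"alice", "bob"}))

# Constructed sample sign-ins, not real telemetry.
SAMPLE_SIGN_INS = [
    SignIn("alice", "mail", True, True, Risk.NONE, Risk.NONE),       # allow
    SignIn("alice", "payroll", True, False, Risk.NONE, Risk.NONE),   # mfa
    SignIn("bob", "mail", False, False, Risk.MEDIUM, Risk.NONE),     # mfa
    SignIn("bob", "mail", True, True, Risk.NONE, Risk.MEDIUM),       # mfa+password-change
    SignIn("carol", "mail", False, False, Risk.NONE, Risk.NONE),     # block: no MFA method
    SignIn("alice", "mail", True, True, Risk.HIGH, Risk.NONE),       # block
]


def decide_all(policy: Policy = POLICY, sign_ins=SAMPLE_SIGN_INS) -> List[str]:
    return [evaluate(policy, s)[0] for s in sign_ins]


if __name__ == "__main__":
    for s in SAMPLE_SIGN_INS:
        decision, why = evaluate(POLICY, s)
        print(f"{s.user:6} {s.app:8} -> {decision:20} {'; '.join(why)}")
```

The real policy is configured in the Azure portal rather than in code; the model is here to make the precedence explicit and to show why "MFA required" must not degrade to "allow" when the user cannot complete the challenge.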
Slide 22: Cloud-powered protection: Azure Active Directory Identity Protection
Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools: notifications, data extracts/downloads and reporting APIs feed your security/monitoring/reporting solutions, so Microsoft's learnings apply to your existing security tools. The Microsoft machine-learning engine covers leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, and suspicious sign-in activities.

Slide 23: Cloud-powered protection: Privileged Identity Management
Discover, restrict, and monitor privileged identities such as Global Administrator, Billing Administrator, Service Administrator, User Administrator and Password Administrator. Enforce on-demand, just-in-time administrative access when needed. Use alerts, audit reports and access reviews.

Slide 24: Privileged Identity Management: how time-limited activation of privileged roles works
- The security admin configures Privileged Identity Management, can discover all privileged identities, view audit reports, and review everyone who is eligible to activate via access reviews.
- Users need to activate their privileges (Billing Admin, Global Admin, Service Admin, ...) to perform a task; identity verification with MFA is enforced during the activation process.
- Users retain their privileges for a pre-configured amount of time.
- Alerts inform administrators about out-of-band changes; monitoring, access reports and read-only admin profiles support the audit.

Slide 25: Benefits: Privileged Identity Management
- Removes unneeded permanent admin role assignments
- Limits the time a user has admin privileges
- Ensures MFA validation prior to admin role activation
- Reduces exposure to attacks targeting admins
- Separates role administration from other tasks
- Adds roles for read-only views of reports and history
- Asks users to review and justify continued need for an admin role
- Simplifies delegation
- Enables least privilege role assignments
- Alerts on users who haven't used their role assignments
- Simplifies reporting on admin activity
- Increases visibility and finer-grained control

Slide 26: Cloud-powered protection: Microsoft Advanced Threat Analytics
- Detect threats fast with behavioral analytics: no need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning.
- Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.
- Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the "who, what, when, and how" of your enterprise. It also provides recommendations for next steps.
- Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity's behavior to its own behavior, but also to the profiles of other entities in its interaction path.
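Slide 26 makes two claims worth seeing in code: an entity is compared both with its own history and with the peers in its interaction path, and an alert is raised only once suspicious activity has been aggregated. The following Python is an added example, not ATA's algorithm or Microsoft code: the event format, the learning and detection periods, the peer definition, the scoring and the threshold are this example's own choices, and the log lines are constructed.

```python
"""Behavioral baseline with peer context and windowed aggregation (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed logon events: "timestamp user source_host target_host".
LEARNING_EVENTS = """\
2016-09-01T08:00 jen ws-jen fs-finance
2016-09-01T08:05 jen ws-jen print01
2016-09-02T08:02 jen ws-jen fs-finance
2016-09-01T09:00 raj ws-raj fs-finance
2016-09-01T09:10 raj ws-raj sql-hr
2016-09-03T09:00 raj ws-raj print01
2016-09-01T10:00 ana ws-ana fs-legal
"""
DETECTION_EVENTS = """\
2016-10-04T14:00 jen ws-jen fs-finance
2016-10-04T14:01 jen ws-jen sql-hr
2016-10-04T14:02 jen ws-jen dc01
2016-10-04T14:03 jen ws-jen fs-legal
2016-10-04T14:04 jen ws-jen ws-raj
2016-10-04T15:00 raj ws-raj fs-legal
"""

Event = Tuple[datetime, str, str, str]


def parse(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, src, dst))
    return events


class Baseline:
    """Which targets each user touches, and which users touch each target."""

    def __init__(self, events: List[Event]):
        self.user_targets: Dict[str, Set[str]] = defaultdict(set)
        self.target_users: Dict[str, Set[str]] = defaultdict(set)
        for _, user, _, dst in events:
            self.user_targets[user].add(dst)
            self.target_users[dst].add(user)

    def peers(self, user: str) -> Set[str]:
        """Users sharing at least one target with `user`: its interaction path."""
        return {u for t in self.user_targets[user] for u in self.target_users[t]} - {user}

    def novelty(self, user: str, dst: str) -> int:
        """0: seen for this user; 1: new for the user but normal for a peer; 2: new for both."""
        if dst in self.user_targets[user]:
            return 0
        if any(dst in self.user_targets[p] for p in self.peers(user)):
            return 1
        return 2


def detect(baseline: Baseline, events: List[Event],
           window: timedelta = timedelta(minutes=10), min_score: int = 4):
    """Sum novelty per user inside a sliding window; one alert per burst, none for isolated oddities."""
    alerts = []
    per_user: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for ts, user, _src, dst in events:
        score = baseline.novelty(user, dst)
        if score == 0:
            continue
        recent = [e for e in per_user[user] if ts - e[0] <= window]
        recent.append((ts, dst, score))
        per_user[user] = recent
        if sum(s for _, _, s in recent) >= min_score:
            alerts.append((user, ts, sorted(d for _, d, _ in recent)))
            per_user[user] = []  # the burst has been reported; start a fresh window
    return alerts


def run_demo():
    return detect(Baseline(parse(LEARNING_EVENTS)), parse(DETECTION_EVENTS))


if __name__ == "__main__":
    for user, ts, targets in run_demo():
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}: new targets {', '.join(targets)}")
```

With the constructed data, jen touching sql-hr is only mildly unusual because her peer raj uses it, but dc01 and fs-legal are new for her and for everyone in her path, so the three together cross the threshold within the window and produce a single alert. raj's lone visit to fs-legal stays below the threshold and produces none, which is the false-positive reduction the slide describes.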
Slide 27: Introducing Microsoft Cloud App Security
Extending visibility and control to cloud apps: create policies for access, activities, and data sharing; automatically identify risky activities, abnormal behaviors, and threats; prevent data leakage (DLP); minimize risk with automated threat prevention and policy enforcement.

Slide 28: Enterprise mobility + security
- Protect your users, devices, and apps: Intune
- Detect problems early with visibility and threat analytics: Advanced Threat Analytics
- Protect your data, everywhere: Azure Rights Management and Secure Islands
- Extend enterprise-grade security to your cloud and SaaS apps: Microsoft Cloud App Security
- Manage identity with hybrid integration to protect application access from identity attacks: Azure Active Directory Identity Protection

Slide 29: Customer stories
Transportation, logistics, oil and gas; retail, hospitality and travel; government, banking, insurance; construction, professional services; education and nonprofit; health.

Slide 30: Identity and access management in the cloud
- 1000s of apps, 1 identity: provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps.
- Manage access at scale: manage identities and access at scale in the cloud and on-premises.
- Cloud-powered protection: ensure user and admin accountability with better security and governance.
- Enable business without borders: stay productive with universal access to every app and collaboration capability.
Capabilities: advanced user lifecycle management; low IT overhead; monitor your identity bridge; cloud-connected seamless authentication experience; single sign-on to 1000s of pre-integrated apps and your own apps; secure remote access to on-premises apps; SSO to mobile apps; support for lift-and-shift to the cloud; control access to resources; safeguard user authentication; respond to advanced threats with risk-based policies and monitoring; mitigate administrative risks; governance of on-premises and cloud identities; ease of use for end users and integration with Office; cross-organization collaboration; any time, any place productivity with Windows 10; support for consumer-facing applications.

Slide 31: Identity as the core of enterprise mobility
Microsoft Azure Active Directory provides single sign-on, self-service and simple connection between on-premises directories (Windows Server Active Directory, other directories) and the cloud (SaaS, Azure, public cloud).

Slide 32: FastTrack for EMS: deploy it right. Now included with all EMS services.
Microsoft FastTrack for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium.
- Azure Active Directory Premium. FastTrack will: get organizational identities to the cloud; set up single sign-on for test apps (including Azure Active Directory Application Proxy apps); configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site.
- Microsoft Intune. FastTrack will: set up users and groups; enable management of test devices; optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single pane management experience.
- Azure Rights Management Premium. FastTrack will: retain control of sensitive documents locally and over email; automatically protect mail containing privileged information; ensure files stored in SharePoint are rights protected.

Slide 33: Top ISV solutions in Identity & Access Management
- Soha Cloud. Soha's security service ensures that you can continue to develop, test and deploy applications on public clouds with maximum agility, while giving management the assurance they need. It provides the security missing in public cloud infrastructures. Key use cases/benefits: eliminate VPNs, whitelists, access lists and security groups; enable micro-granular access to only the applications users are authorized to use, and nothing else; simple to use, easy and fast to deploy; lower operating cost and no hardware or network changes required. Availability: global. Average deal revenue: $5K/quarter. Links: AppCatalog, Marketplace.
- Enterprise Random Password Manager (Lieberman Software). Lieberman Software proactively mitigates cyber threats that bypass traditional enterprise defenses by delivering automated intrusion remediation in real time. Controls privileged access across data center and cloud assets by continuously changing privileged credentials and SSH keys. Deploy on-premises or as Azure Certified VMs (hybrid or cloud only). Key use cases/benefits: proactive cyber defense; simplified compliance; next generation privilege management; enhanced IT ops security and efficiency. Availability: global. Average deal revenue: $45K. Links: AppCatalog, Marketplace.

Slide 34: © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Contact us for demonstration, briefing and deployment planning: microsoft@atidan.com, 1-215-825-5045 x5001.

Slide 35: Appendix

Slide 36: Azure Active Directory editions GA feature comparison + Office 365 IAM features

| Feature | Free | Basic | Premium | Office 365 apps |
|---|---|---|---|---|
| Common features | | | | |
| Directory as a service | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts |
| User/group management (add/update/delete), user-based provisioning, device registration | Yes | Yes | Yes | Yes |
| Single sign-on | 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (Free tier + Application Proxy apps) | No limit (Free and Basic tiers + self-service app integration templates) | 10 apps per user (pre-integrated SaaS and developer-integrated apps) |
| User-based access management/provisioning | Yes | Yes | Yes | Yes |
| Self-service password change for cloud users | Yes | Yes | Yes | Yes |
| Connect (sync engine that extends on-premises directories to Azure Active Directory) | Yes | Yes | Yes | Yes |
| Security reports/audit | 3 basic reports | 3 basic reports | Advanced security reports | 3 basic reports |
| Basic features (in addition to the Free features) | | | | |
| Group-based access management/provisioning | | Yes | Yes | Yes |
| Self-service password reset for cloud users | | Yes | Yes | Yes |
| Company branding (logon pages / access panel customization) | | Yes | Yes | Yes |
| Application Proxy | | Yes | Yes | |
| SLA | | Yes | Yes | Yes |
| Premium features (in addition to the Basic features) | | | | |
| Self-service group and app management, self-service application additions, dynamic groups | | | Yes | |
| Self-service password reset/change/account unlock with on-premises write-back | | | Yes | |
| Advanced usage reporting | | | Yes | |
| Multi-factor authentication (cloud and on-premises (MFA Server)) | | | Yes | Limited, cloud only for Office 365 apps |
| MIM CAL + MIM server | | | Yes | |
| Cloud App Discovery | | | Yes | |
| Automated password rollover | | | Yes | |
| Connect Health | | | Yes | |
| MDM auto-enrollment, self-service BitLocker recovery, additional local administrators on Windows 10 devices via Azure AD Join | | | Yes | |
Slide 37: Microsoft enterprise mobility management
- Microsoft Intune: mobile device settings management; mobile application management; selective wipe.
- Microsoft Azure Active Directory Premium + Microsoft Identity Manager: security reports, audit reports, Multi-Factor Authentication; self-service password reset and group management; connection between Active Directory and Azure Active Directory.
- Microsoft Azure Rights Management Service: information protection; connection to on-premises assets; bring your own key.

Slide 38: Challenge: identities live in too many places
Today: HR system, LDAP, Oracle DB, Finance, web apps, Windows Server Active Directory, each holding its own copy of the user. Versus hybrid identity: user identities from multiple repositories are brought together through LDAP v3, Windows PowerShell, web services (SOAP, Java, REST) and generic SQL via ODBC into Windows Server Active Directory and Microsoft Azure Active Directory.

Slide 39: Microsoft's IAM solution
A modern identity management system that spans cloud and on-premises: Microsoft Cloud (Microsoft Azure Active Directory), apps in Azure, third-party apps and clouds, Microsoft Identity Manager, and apps on-premises published through AAD App Proxy. It provides the full spectrum of services: federation, identity management, device registration, user provisioning, application access control, data protection. The combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today's hybrid enterprise.

Slide 40: Introducing Microsoft Identity Manager 2016 (manage everything)
- Cloud-ready identities: automatic preparation of Active Directory identities for synchronization with Azure Active Directory.
- Powerful user self-service: password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management.
- Enhanced security: hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols.

Slide 41: Microsoft Identity Manager 2016 features (manage everything)
- Cloud-ready identities: standardized Active Directory attributes and values; partitioned identities for synchronization to the cloud; easier-to-deploy reporting connected to Azure Active Directory; preparation of user profiles for Microsoft Office 365.
- Powerful user self-service: self-service password reset with Multi-Factor Authentication; new REST-based APIs for AuthN/AuthZ; self-service account unlock; certificate management support for multi-forest and modern apps.
- Enhanced security: privileged user and account discovery; new Windows PowerShell support and REST-based API; workflow management for elevated just-in-time administrator access; reporting and auditing specific to privileged access management.

Slide 42: IAM evolution (manage everything): on-premises, hybrid, cloud
- On-premises. Managed: Microsoft System Center Configuration Manager. On-premises LOB applications, traditional productivity.
- Event: mobility. iOS, Android, Windows Phone, BYOD; mobile apps, shadow IT, SaaS solutions.
- Hybrid. Managed: Microsoft Intune connected to System Center Configuration Manager. On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation.
- Event: Windows 8.x/10. Deployment of cloud-enabled rich clients; managed cloud identities with Multi-Factor Authentication.
- Cloud. Managed by EMS: combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10); managed SaaS and Office 365 Enterprise, full Azure IAM.
Throughout: Microsoft Identity Manager 2016.

Slide 43: Architecture: hybrid identity with MIM (manage everything)
On-premises: Microsoft Identity Manager 2016 and Azure AD Connect provide IAM for on-premises applications. Microsoft Azure: Microsoft Azure Active Directory, with Azure AD App Proxy publishing the on-premises applications.

Slide 44: Scenario: self-service password reset
A user who has forgotten their password enters their username and resets it through the self-service experience; the reset applies to the user's identity for both cloud and on-premises applications instead of going through IT.

Slide 45: Scenario: collapse multi-forest Active Directory into one Active Directory
Microsoft Identity Manager 2016 collapses directories, maps multiple identities to one, and transforms usernames and other attributes.
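Slide 45 names the three operations of a directory consolidation: collapse several sources, map the identities that belong to the same person, and transform usernames and attributes so the result is consistent. The Python below is an added example of those operations and is not MIM code or anything from the deck: the source records (an HR feed plus two AD forests), the attribute names, the HR-wins precedence and the collision rule for sAMAccountName are constructed for illustration. It also surfaces the two things a practitioner reviews before cutting over: accounts with no HR record, and HR records with no account.

```python
"""Join identities from several sources on a shared key and build one target namespace (illustrative)."""
from typing import Dict, List

# Constructed sample sources; in MIM these would be connector spaces.
HR = [
    {"employeeID": "1001", "givenName": "Jen", "sn": "Smith", "department": "Finance"},
    {"employeeID": "1002", "givenName": "Raj", "sn": "Patel", "department": "IT"},
    {"employeeID": "1003", "givenName": "Ana", "sn": "Lopez", "department": "Legal"},
    {"employeeID": "1004", "givenName": "Li", "sn": "Wong", "department": "HR"},  # no AD account
]
FOREST_A = [  # "corp" forest (constructed)
    {"employeeID": "1001", "sAMAccountName": "jsmith", "mail": "jen.smith@corp.example"},
    {"employeeID": "1002", "sAMAccountName": "rpatel", "mail": "raj.patel@corp.example"},
]
FOREST_B = [  # "eu" forest (constructed); "jsmith" here is a different person than in corp
    {"employeeID": "1003", "sAMAccountName": "jsmith", "mail": "a.lopez@eu.example"},
    {"employeeID": "9999", "sAMAccountName": "svc_backup", "mail": None},  # no HR record
]
FORESTS = {"corp": FOREST_A, "eu": FOREST_B}


def join_by_employee_id(hr: List[dict], forests: Dict[str, List[dict]]):
    """One metaverse entry per employeeID; HR owns the key, forests contribute accounts."""
    mv = {r["employeeID"]: {"hr": r, "accounts": []} for r in hr}
    orphans = []  # directory accounts that join to nothing in HR
    for forest_name, records in forests.items():
        for r in records:
            if r["employeeID"] in mv:
                mv[r["employeeID"]]["accounts"].append((forest_name, r))
            else:
                orphans.append((forest_name, r["sAMAccountName"]))
    return mv, orphans


def target_username(hr_rec: dict, accounts, taken: set) -> str:
    """Keep an existing sAMAccountName if free; otherwise derive one (rule assumed here):
    first initial + surname, then the same with the employeeID appended."""
    initial, surname = hr_rec["givenName"][0].lower(), hr_rec["sn"].lower()
    candidates = [a["sAMAccountName"] for _, a in accounts]
    candidates += [initial + surname, initial + surname + hr_rec["employeeID"]]
    for c in candidates:
        if c not in taken:
            return c
    raise ValueError(f"no free username for employeeID {hr_rec['employeeID']}")


def collapse(hr=HR, forests=FORESTS) -> dict:
    mv, orphans = join_by_employee_id(hr, forests)
    taken, target, renamed, no_account = set(), {}, [], []
    for emp_id in sorted(mv):  # fixed order makes the generated names deterministic
        entry = mv[emp_id]
        if not entry["accounts"]:
            no_account.append(emp_id)
            continue
        name = target_username(entry["hr"], entry["accounts"], taken)
        taken.add(name)
        originals = sorted({a["sAMAccountName"] for _, a in entry["accounts"]})
        if name not in originals:
            renamed.append((emp_id, originals, name))
        mails = [a["mail"] for _, a in entry["accounts"] if a["mail"]]
        target[name] = {
            "employeeID": emp_id,
            "displayName": f"{entry['hr']['givenName']} {entry['hr']['sn']}",  # HR has precedence
            "department": entry["hr"]["department"],
            "mail": mails[0] if mails else None,  # first forest with a value wins
            "sourceAccounts": [f"{f}\\{a['sAMAccountName']}" for f, a in entry["accounts"]],
        }
    return {"target": target, "renamed": renamed, "orphans": orphans, "no_account": no_account}


if __name__ == "__main__":
    result = collapse()
    for name, attrs in result["target"].items():
        print(f"{name:8} <- {', '.join(attrs['sourceAccounts'])}  ({attrs['displayName']})")
    print("renamed:", result["renamed"])
    print("orphans (no HR record):", result["orphans"])
    print("HR records with no account:", result["no_account"])
```

With the constructed data the two unrelated "jsmith" accounts collide; the corp one keeps its name and the eu one becomes "alopez", which is the kind of username transformation the slide refers to. The orphan service account and the HR-only record are reported rather than silently created or dropped.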
Slide 46: Scenario: implement privileged access management
Existing environment: existing apps, existing FIM, existing AD forests (WS 2003 or later) with an existing trust. Microsoft Identity Manager configured for PAM runs in a separate PRIV forest with a trust for admin access. Users submit access requests; the candidate Jen is granted a time-based membership in the group "Resource Admins" of domain CORP through the privileged account PRIV\JenAdmin (groups: CORP\Resource Admins, refresh after: 60 minutes).
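Slides 23 to 25 (Azure AD Privileged Identity Management) and slide 46 (MIM privileged access management) describe the same control from two sides: an account is only eligible for a role or admin group, must pass MFA to activate it, holds it for a bounded time (60 minutes on slide 46), and the administrators are alerted to memberships granted outside the workflow and to eligible users who never activate. The Python below is an added model of that control for both slides; it is not PIM or MIM code. Role and group names, the time limit, the 90-day review threshold and the snapshot of group membership are constructed assumptions.

```python
"""Just-in-time privileged access: eligibility, MFA-gated activation, expiry, and two checks (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (user, role or group)


@dataclass
class JitStore:
    eligible: Dict[str, Set[str]]                      # role -> users allowed to activate it
    max_duration: timedelta = timedelta(minutes=60)    # "Refresh after: 60 minutes" (slide 46)
    active: Dict[Key, datetime] = field(default_factory=dict)          # -> expiry time
    last_activation: Dict[Key, datetime] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def activate(self, user: str, role: str, mfa_passed: bool, now: datetime,
                 requested: Optional[timedelta] = None) -> bool:
        """Grant the role for a bounded time; refuse without eligibility or a fresh MFA."""
        key = (user, role)
        if user not in self.eligible.get(role, set()):
            self.audit.append(f"{now:%H:%M} DENY {user} -> {role}: not eligible")
            return False
        if not mfa_passed:
            self.audit.append(f"{now:%H:%M} DENY {user} -> {role}: MFA not satisfied")
            return False
        duration = min(requested or self.max_duration, self.max_duration)  # cap, never extend
        self.active[key] = now + duration
        self.last_activation[key] = now
        self.audit.append(f"{now:%H:%M} ACTIVATE {user} -> {role} until {self.active[key]:%H:%M}")
        return True

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """True only while the activation window is open; expired grants are removed."""
        key = (user, role)
        expiry = self.active.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.active[key]
            self.audit.append(f"{now:%H:%M} EXPIRE {user} -> {role}")
            return False
        return True


def out_of_band_assignments(store: JitStore, observed: Dict[str, Set[str]], now: datetime) -> List[Key]:
    """Members the directory really has that the JIT store did not grant: assigned outside the workflow."""
    return sorted((u, role) for role, members in observed.items()
                  for u in members if not store.has_role(u, role, now))


def stale_eligibility(store: JitStore, now: datetime, unused_for: timedelta = timedelta(days=90)) -> List[Key]:
    """Eligible users who never activated, or not within `unused_for`: candidates for removal in an access review."""
    stale = []
    for role, users in store.eligible.items():
        for u in users:
            last = store.last_activation.get((u, role))
            if last is None or now - last > unused_for:
                stale.append((u, role))
    return sorted(stale)


def demo() -> dict:
    t0 = datetime(2016, 10, 4, 9, 0)
    store = JitStore(eligible={"Resource Admins": {"jen", "raj"}, "Global Administrator": {"jen"}})
    r = {}
    r["no_mfa"] = store.activate("jen", "Resource Admins", mfa_passed=False, now=t0)
    r["not_eligible"] = store.activate("ana", "Resource Admins", mfa_passed=True, now=t0)
    r["activated"] = store.activate("jen", "Resource Admins", mfa_passed=True, now=t0,
                                    requested=timedelta(hours=8))  # capped to 60 minutes
    r["active_at_30m"] = store.has_role("jen", "Resource Admins", t0 + timedelta(minutes=30))
    # Constructed snapshot of the real group at t0+30m: one member was added by hand.
    observed = {"Resource Admins": {"jen", "svc_legacy"}}
    r["out_of_band"] = out_of_band_assignments(store, observed, t0 + timedelta(minutes=30))
    r["active_at_61m"] = store.has_role("jen", "Resource Admins", t0 + timedelta(minutes=61))
    r["stale"] = stale_eligibility(store, t0 + timedelta(days=30))
    r["audit"] = list(store.audit)
    return r


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The two detection functions are the part most often skipped in practice: a permanent "svc_legacy" member of the admin group is exactly the out-of-band change slide 24 says should raise an alert, and the eligible-but-never-activated entries are what an access review (slide 25) should ask users to justify or give up.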
Slide 47: Deep dive: DirSync, Azure AD Sync, and MIM Sync
Two product lines converge on Azure Active Directory Connect: DirSync → Azure Active Directory Sync → Azure Active Directory Connect, and FIM Sync (+ Azure Active Directory Connector) → MIM Sync (+ Azure Active Directory Connector) → Azure Active Directory Connect.

Slide 48: Deep dive: migrate to Azure Active Directory
Connect and sync on-premises directories with Azure through Azure Active Directory Connect; other directories are reached through PowerShell, LDAP v3, SQL (ODBC), and web services (SOAP, Java, REST).

Slide 49: Deep dive: IAM in MIM vs. Azure Active Directory

| Capability | Azure Active Directory | Microsoft Identity Manager |
|---|---|---|
| Password reset/management | Yes | Yes |
| Group management | Yes, not dynamic (slides 18 and 36 list dynamic groups as an Azure AD Premium feature) | Yes |
| Provisioning, deprovisioning | No | Yes |
| Certificate management | No | Yes |
| Role-based access control | No | Yes |

Slide 50: Purchasing Microsoft Identity Manager 2016
Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is part of the Enterprise Mobility Suite. Microsoft Enterprise Mobility Suite is the most cost-effective way to acquire all included cloud services: Azure Active Directory Premium, Azure Rights Management, and Intune. Licensing is per user: a Client Access License (CAL) is required for each user whose identity is managed, and a Windows Server license with active Software Assurance is required to use the Microsoft Identity Manager 2016 server software as a Windows Server add-on.

Slide 51: Introducing Microsoft Identity Manager 2016 (repeats slide 40)
- Cloud-ready identities: automatic preparation of Active Directory identities for synchronization with Azure Active Directory.
- Powerful user self-service: password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management.
- Enhanced security: hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols.

Slide 52: Microsoft Identity Manager 2016 features (repeats slide 41)
- Cloud-ready identities: standardized Active Directory attributes and values; partitioned identities for synchronization to the cloud; easier-to-deploy reporting connected to Azure Active Directory; preparation of user profiles for Microsoft Office 365.
- Powerful user self-service: self-service password reset with Multi-Factor Authentication; new REST-based APIs for AuthN/AuthZ; self-service account unlock; certificate management support for multi-forest and modern apps.
- Enhanced security: privileged user and account discovery; new Windows PowerShell support and REST-based API; workflow management for elevated just-in-time administrator access; reporting and auditing specific to privileged access management.
