Active Directory is Microsoft's directory service that allows centralized management of user access and policies. It provides a single location for user information and authentication. Using Active Directory provides benefits such as simpler administration, security, scalability, and standardization. Active Directory can integrate with other Microsoft services like Exchange, SharePoint, and Lync to enable single sign-on and easy profile management across services. Windows Server Active Directory also supports identity and access management in the cloud and hybrid environments through integration with Azure Active Directory. It allows extending on-premises Active Directory to the cloud and provides single sign-on for cloud applications.
1. Identity and Access Management using Windows Server Active Directory Service (March 16, 2015)
MJ Ferdous
Account Technology Strategist
Microsoft Bangladesh
Phone: +8801715015093
Email: a-mjferd@microsoft.com
Ziaul Hoque Mallick
Corporate Accounts Lead
Microsoft Bangladesh
Phone: +8801755501612
Email: zimallic@microsoft.com
2. Proposal for Active Directory: Identity and Access Management on Windows Server Active Directory
Active Directory is Microsoft's directory service that allows administrators to assign policies, deploy software, and apply updates for an entire organization. AD also allows users to store all information in a central location, where it is backed up.
First enterprise-class directory service
Active Directory is the first enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated with the operating system.
Benefits of using Active Directory:
• It makes the task of network administration simpler by maintaining a central repository of information.
• It provides a single place to look up information.
• Highly secured access to data through the use of security policies, which improves the management of data.
• Easily scalable: supports millions of objects in a single domain.
• Unified access to resources by supporting a uniform naming convention.
• Lookup of names, addresses, phone numbers and other “white pages” information is standardized.
• Lookup of network resources like printers, servers, certificates and other “yellow pages” information is standardized.
• Centralizing the management of the system increases reliability and makes it easier to keep it up to date.
Benefits of AD with integrated services or software:
• Single sign-on with all AD-integrated applications.
• User profiles automatically sync with Exchange, Lync and SharePoint.
• Users can update their information, such as their profile picture, from SharePoint.
• Any user information updated in AD is automatically synced to all applications.
• Users can view their profile information from Lync or SharePoint.
• Users can easily find their colleagues from Lync, Exchange or SharePoint.
• Users can start a call, voice session or chat directly from an Outlook contact or from Lync.
• Contact lists are easy to find from Outlook, Lync or SharePoint.
3. Active Directory Domain Controller Architecture
Each domain may have its own group policies, or separate group policies per user group, as requirements dictate.
Domain Controller (DC) Logical Components
The logical components of a Domain Controller do not directly relate to any type of physical topology such as the layout of the network; instead they are used to organize objects within the directory according to administrative and security requirements.
These logical DC components include:
• Forests
• Domains
• Organizational Units (OUs)
Additionally, the two other major constructs are:
• Identity Provisioning
• Identity Federation
In order to provide the underlying infrastructure for the implementation of an authentication and management Directory Service, the future state needs to consider several key components.
These components include the following:
Unified Domain Controller Environment – This directory service will be used to facilitate authentication, authorization and directory capabilities for common corporate applications and services, and centralized management of identities.
Delegated Data Management – Lets business groups manage their users, groups, workstations, printers, and servers in the way that is most efficient for them; this can differ for each domain's users and their groups or organizational units.
Organizational Integrity – The logical directory structure must support the application and maintenance of permissions and policy.
Replication Integrity – All Domain Controllers must dependably synchronize the same objects and attributes.
Standardized Format/Attributes – Predictable data and attributes for each directory object.
Single Identity – A single identity object for each user in the Domain Controller.
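The three directory-hygiene requirements above (Organizational Integrity, Standardized Format/Attributes, Single Identity) are the kind of thing an administrator checks against a directory export before and after a migration. The following Python script is an added example, not part of the proposal or of any Microsoft tooling; it assumes the export has been flattened into a list of dictionaries keyed by LDAP attribute name (for instance from a CSV produced by an export tool), and the required-attribute baseline and the sample objects are constructed for the example.

```python
"""Consistency checks for a directory export against three design requirements:
a predictable attribute set per object class, a well-formed OU hierarchy, and
exactly one identity object per person.

The export format (a list of dicts keyed by LDAP attribute name) and the sample
objects below are constructed for this example; they are not data from any real
domain."""
from collections import defaultdict

# Attributes every object of a given class must carry (assumed baseline; adjust
# to the attribute standard the organization actually adopts).
REQUIRED = {
    "organizationalUnit": {"distinguishedName", "objectClass", "name"},
    "user": {"distinguishedName", "objectClass", "sAMAccountName",
             "userPrincipalName", "mail", "displayName"},
}

# Constructed sample export spanning a root domain and one child domain.
SAMPLE_EXPORT = [
    {"objectClass": "organizationalUnit", "name": "Staff",
     "distinguishedName": "OU=Staff,DC=corp,DC=example"},
    {"objectClass": "organizationalUnit", "name": "Dhaka",
     "distinguishedName": "OU=Dhaka,OU=Staff,DC=corp,DC=example"},
    {"objectClass": "organizationalUnit", "name": "Staff",
     "distinguishedName": "OU=Staff,DC=sub,DC=corp,DC=example"},
    {"objectClass": "user", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example", "mail": "jdoe@corp.example",
     "displayName": "Jane Doe",
     "distinguishedName": "CN=Jane Doe,OU=Dhaka,OU=Staff,DC=corp,DC=example"},
    # Same person provisioned again in the child domain: sAMAccountName is
    # unique per domain, so only the forest-wide UPN check catches it.
    {"objectClass": "user", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example", "mail": "jane@sub.corp.example",
     "displayName": "Jane Doe",
     "distinguishedName": "CN=Jane Doe,OU=Staff,DC=sub,DC=corp,DC=example"},
    # Parent OU "OU=Sales,DC=corp,DC=example" is absent and "mail" is missing.
    {"objectClass": "user", "sAMAccountName": "bsmith",
     "userPrincipalName": "bsmith@corp.example", "displayName": "Bob Smith",
     "distinguishedName": "CN=Bob Smith,OU=Sales,DC=corp,DC=example"},
]


def parent_dn(dn):
    """Return the DN of the container holding `dn` (the DN minus its first RDN).
    Sample RDNs contain no escaped commas; a production parser must handle them."""
    return dn.split(",", 1)[1]


def domain_of(dn):
    """Return the domain part of a DN, i.e. its DC= components only."""
    return ",".join(p for p in dn.split(",") if p.startswith("DC="))


def check_attributes(objects):
    """Standardized Format/Attributes: every object carries its baseline attributes.
    Returns a list of (dn, sorted missing attribute names)."""
    findings = []
    for obj in objects:
        required = REQUIRED.get(obj.get("objectClass"), {"distinguishedName"})
        missing = sorted(required - set(obj))
        if missing:
            findings.append((obj["distinguishedName"], missing))
    return findings


def check_hierarchy(objects):
    """Organizational Integrity: each object's parent container exists in the export
    (objects placed directly under the domain root are exempt).
    Returns a list of (dn, missing parent dn)."""
    known = {o["distinguishedName"] for o in objects}
    findings = []
    for obj in objects:
        parent = parent_dn(obj["distinguishedName"])
        if parent != domain_of(parent) and parent not in known:
            findings.append((obj["distinguishedName"], parent))
    return findings


def check_single_identity(objects):
    """Single Identity: userPrincipalName unique across the forest, sAMAccountName
    unique within its domain. Returns (duplicate UPNs, duplicate sAMAccountNames),
    each a dict mapping the clashing value to the DNs that share it."""
    upn_owners, sam_owners = defaultdict(list), defaultdict(list)
    for obj in objects:
        if obj.get("objectClass") != "user":
            continue
        dn = obj["distinguishedName"]
        upn_owners[obj.get("userPrincipalName", "").lower()].append(dn)
        sam_owners[(domain_of(dn), obj.get("sAMAccountName", "").lower())].append(dn)
    dup_upn = {k: v for k, v in upn_owners.items() if k and len(v) > 1}
    dup_sam = {k[1]: v for k, v in sam_owners.items() if k[1] and len(v) > 1}
    return dup_upn, dup_sam


def audit(objects):
    """Run all checks; returns a dict of findings keyed by requirement name."""
    dup_upn, dup_sam = check_single_identity(objects)
    return {
        "standardized_attributes": check_attributes(objects),
        "organizational_integrity": check_hierarchy(objects),
        "single_identity_upn": dup_upn,
        "single_identity_sam": dup_sam,
    }


if __name__ == "__main__":
    for requirement, findings in audit(SAMPLE_EXPORT).items():
        print(f"{requirement}: {findings or 'OK'}")
```

Run against the sample, the script reports one missing attribute, one orphaned object, and one user principal name shared by two objects in different domains. The last case is the one that matters for the Single Identity goal: each domain's own uniqueness rule for sAMAccountName is satisfied, so a per-domain check alone would pass the duplicate.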
4. Identity and Access Management on Premises and in the Cloud
From personal devices to various identity providers, granting user access to cloud applications is becoming more complex and costly for organizations to manage. With Microsoft’s Windows Azure Active Directory, Allegion gets enterprise-level identity services that help streamline directory and access management in the cloud, provide a seamless sign-in and self-service password reset experience for cloud resources, and enhance security with Multi-Factor Authentication.
Simplify access, centralize control
Windows Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security and application access management. Windows Azure Active Directory also offers developers an identity management platform based on centralized policy and rules.
Use Windows Azure Active Directory to:
Effectively manage users and access to cloud resources. Manage user accounts and attributes through the Windows Azure management portal. Centrally manage users’ access to Windows Azure and other Microsoft online services like Microsoft Office 365, and to a world of non-Microsoft SaaS applications.
Extend your on-premises Active Directory to the cloud. Extend your on-premises directory to Windows Azure Active Directory so that users can authenticate to their cloud-based resources with one set of corporate credentials.
Provide single sign-on and self-service password reset across your on-premises and cloud applications. Deliver a seamless single sign-on experience to your users across Microsoft online services, applications built on Windows Azure and hundreds of popular non-Microsoft cloud applications.
Offer Multi-Factor Authentication. Windows Azure Multi-Factor Authentication reduces organizational risk and helps enable regulatory compliance by providing an extra layer of authentication, in addition to a user’s account credentials, to secure employee, customer, and partner access.
How it works (diagram: Windows Azure Active Directory connecting your apps, third-party apps, Dynamics CRM, Office 365, and SaaS such as SAP, Box, Workday, Salesforce and Oracle)
5. Turn it on for Windows Server Active Directory
Use Multi-Factor Authentication to secure access to on-premises applications and Windows Server, Microsoft Online Services like Office 365 and SharePoint, as well as third-party cloud services that integrate with Windows Server Active Directory.
Windows Server Active Directory and Multi-Factor Authentication offer you a way to:
• Enable single sign-on: Sync your on-premises identity with Office 365 and SharePoint using Windows Server Active Directory to enable single sign-on to Office 365, SAP, Oracle, Salesforce and over 500 SaaS applications, with more being added.
• Help secure access: Can be part of a solution that complies with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements.
Provides persistent protection. Rights Management persists protection of file data both at rest and in motion. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information.
Supports closer management of usage rights and conditions. Organizations and individuals can assign usage rights and conditions using Rights Management that define how a specific trusted entity can use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire.
Get security and convenience
Windows Server Multi-Factor Authentication helps reduce organizational risk and enable regulatory compliance by providing an extra layer of authentication, in addition to a user’s account credentials, to help secure employee, customer and partner access.
The service is enterprise ready and features integration with remote access VPNs, web applications, virtual desktops, single sign-on systems and cloud applications. It synchronizes with existing user directories for centralized user management and automated enrollment.
Add it to on-premises applications
Windows Server Active Directory and Multi-Factor Authentication also extend beyond Microsoft cloud-based applications like Office 365 and SharePoint. With Windows Server Active Directory, you can apply your customized on-premises Active Directory to all your cloud-based applications, or even let users log in to non-Microsoft applications using identities from Facebook, Google, and other identity providers.
Windows Server Multi-Factor Authentication & Rights Management Data Protection
With escalating IT security threats and a growing number of users, applications, and devices, multi-factor authentication has become the new standard for securing access. Regulatory agencies agree and have mandated its use across a broad range of industries.
Multi-Factor Authentication can be rapidly enabled for large, geographically diverse user groups, offering convenience, scale, and security.