Azure Active Directory (Azure AD) is driving adoption of Office 365 and other Microsoft cloud services. As more organizations migrate workloads to Office 365, they are also adopting Azure AD to manage user authentication and access. Azure AD serves as the central identity platform for all Microsoft online services. It currently has over 10 million tenants and authenticates over 1.3 billion logins per day. Office 365 adoption is causing more organizations to connect their on-premises Active Directory to Azure AD using Azure AD Connect in order to synchronize user accounts and passwords. Azure multi-factor authentication (MFA) and Azure B2B capabilities are also growing in importance as organizations expand into cloud-based workloads and need to securely manage user access and
Identity Management for Office 365 and Microsoft Azure - Sparkhound Inc.
Sparkhound Senior Infrastructure Consultant David Pechon discusses Identity Management for O365 and Azure at the 2015 SharePoint TechFest Dallas event held at the Irving Convention Center. Learn how Active Directory Federation Services and DirSync allow you to synchronize your organization’s Active Directory and use it to authenticate users to Office 365 applications, such as Exchange Online, OneDrive for Business and SharePoint Online.
Global Azure Bootcamp 2016 completed recently across the world with great success, and I got an opportunity to deliver a session at this great event hosted in Chennai, India. I have uploaded the session slide deck for you.
[Mustafa Toroman, Saša Kranjac] More and more of the services we use every day are moving to the cloud. This creates many challenges, especially if we look at things from a security point of view. Taking services out of our datacenter opens our data and services to new kinds of threats, but fortunately new tools are available to protect us. See from both perspectives how attackers can try to exploit our journey to the cloud and how we can detect threats and stop attacks before they occur. We will show examples of how the Red Team attacks our cloud and how the Blue Team can detect and stop the Red Team.
Discover the capabilities of Azure AD today. Learn how to set up a new AAD, synchronize it with an on-premises Active Directory and configure it as an identity service in greenfield applications.
Identity and Access (AD), Azure and Office 365: Building a Single Page Application (SPA) with ASP.NET Web API and Angular.js using Azure Active Directory to Log in Users
Windows Azure Active Directory: Identity Management in the Cloud - Chris Dufour
Windows Azure Active Directory provides easy-to-use, multi-tenant identity management services for applications running in the cloud, on any device and on any platform. Originally created to support Office 365, it is now available as an Azure service. On November 28th, 2012 Microsoft shared that Windows Azure Active Directory (AD) had processed 200 BILLION authentications.
“At Microsoft, we have been on a transformative journey to cloud computing and we have been working with customers every step of the way. Millions of customers have embraced the cloud and we are excited to share the news that we’ve reached a major milestone in cloud scale computing. Since the inception of the authentication service on the Windows Azure platform in 2010, we have now processed 200 BILLION authentications for 50 MILLION active user accounts. In an average week we receive 4.7 BILLION authentication requests for users in over 420 THOUSAND different domains. This is a massive workload when you consider others in the industry are attempting to process 7B logins per year; Azure processes close to that amount in a week.
These numbers sound big, right? They are. To put it into perspective, in the 2 minutes it takes to brew yourself a single cup of coffee, Windows Azure Active Directory (AD) has already processed just over 1 MILLION authentications from many different devices and users around the world. Not only are we processing a huge number of authentications but we’re doing it really fast! We respond to 9,000 requests per second and in the U.S. the average authentication takes less than 0.7 seconds. That’s faster than you can get your coffee from your cup and into your mouth! (Do not attempt this at home :-))!”
In this session we will take a tour of Windows Azure Active Directory to learn about its capabilities, interfaces and supported scenarios, and understand how you can take advantage of the features in your application.
Azure Active Directory (AD) is a directory as a service on Microsoft Azure. Beyond cloud identity, Azure AD provides a platform to build cloud applications with multi-tenancy support. It is a flexible authentication system that enables developers to leverage the cloud identity model and develop applications with ease. The session will walk you through the basics of Azure AD and how to develop .NET applications using Azure AD.
Azure AD App Proxy Login Scenarios with On-Premises Applications - TSPUG - Roy Kim
A presentation at a technology meetup.
Roy Kim will walk through various access scenarios and capabilities using Azure AD services and features to access a SharePoint 2013/2016 server. This will include a comparison between AD Connect + Azure Application Proxy to publish an internal SharePoint application and the 3rd party Auth0 to assist in federating Azure AD and SSO integration. It also covers the recently supported Azure AD SAML 1.1 token.
Roy will go through a demo, its architecture, and commentary of pros and cons. At the end you will have a good understanding of the technology capabilities to determine supporting access and user management scenarios.
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e... - Morgan Simonsen
The modern, mobile enterprise has brought with it the need to protect our data outside the traditional perimeter. The cloud based Azure Rights Management Service (RMS) made that type of protection a reality for many organizations. But RMS has now been supercharged with new features to become Azure Information Protection. We will give you an introduction to cloud based information protection and take you on a tour of the new features.
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs... - ITProceed
Active Directory Federation Services (AD FS) is the Microsoft technology that bridges your on-premises identity systems to cloud identity providers like Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS, and it is our job as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don’t have to make them.
DIO Consulting Presentation for Corporate & Large Organizations - dioconsulting
This presentation is for medium and large organizations that wish to create more value from their existing infrastructure and to prepare themselves to take the next step in business expansion.
Mitigating Risk in a Complex Hybrid Directory Environment - Quest
Webcast discussion on our Hybrid Active Directory Security story. Any defense is only as strong as its weakest point. Office 365 and its Azure Active Directory underpinnings are highly security focused, with features like conditional access, multi-factor authentication, and best-in-class identity security reporting. But if you have a hybrid identity architecture in which your Active Directory users and groups are projected into the cloud, your weakest link isn't the cloud; it's your Active Directory.
IDM365 is developed for medium and large businesses. Its user-centric interface allows business-critical decisions to be made right where the knowledge and information is, while keeping IT and Management in control.
The IDM365 Identity and Access Management backend can connect to almost any system or application on the market and provides the flexibility to adapt to each client's business. We have developed tools which allow us to speed up the implementation process, ensuring minimum costs while maintaining maximum accuracy and control.
www.idm365.com
When companies endeavor to move their applications and services to the cloud, they tend to worry more about security up front. Interestingly, platforms such as Azure provide an even more secure environment than most self-managed co-location facilities can hope to offer, not to mention the plethora of features on the platform that help you secure your solutions end to end. In this session Michele will review the mini-avalanche that comprises Azure security across features. Taking the architect's view of the platform (with demos) she’ll cover best practices for securing Azure solutions end to end and discuss the tangential benefits of moving to Azure and how it can help you with checking the boxes on those pesky security surveys.
CIS 2015 The IDaaS Dating Game - Sean Deuby - CloudIDSummit
The IDaaS (identity as a service) market segment continues to grow in popularity, and the scope of its vendors' capabilities continues to grow as well. It's still not a match for everyone, however. Join identity architect Sean Deuby for an overview of the most popular IDaaS deployment scenarios, scenarios where IDaaS has a tougher time meeting customer requirements, and whether your company is likely to find its perfect IDaaS mate.
To work effectively with Office 365 you need to understand how to manage and configure identity for your environment. This presentation gives you an overview.
SYDSP - Office 365 and Cloud Identity - What does it mean for me? - Scott Hoag
Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to The Cloud™. With Microsoft Azure Active Directory driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore cloud identity, identity federation, directory synchronisation, and most importantly Azure and its impact on user experience and access to Office 365. Throughout this session, we'll answer the questions that impact you and how your decisions around identity shape your Office 365 experience.
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365 - Scott Hoag
Looking to reduce the number of post-it notes you see stuck around the office? Seeking to automate your user creation processes for Office 365? Or maybe you’re interested in single sign-on for everything you host in the cloud? Are you questioning what a cloud identity is? This session will take you through the basics of identity in the Microsoft Cloud and show you how to set up and configure Office 365 with Azure Active Directory using the Azure Active Directory Synchronization Connect tools.
Risk analysis in Azure and information protection - Plain Concepts
Talk given at the event "Protección y seguridad en entornos de Cloud Hibrida con Azure y O365" on risk analysis in Azure and information protection, by Plain Concepts
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me? - Scott Hoag
Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to The Cloud™. With Microsoft Azure Active Directory driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore cloud identity, identity federation, directory synchronisation, and most importantly Azure and its impact on user experience and access to Office 365. Throughout this session, we'll answer the questions that impact you and how your decisions around identity shape your Office 365 experience.
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018 - Chris Gillum
"Easy Auth" is the Authentication / Authorization platform for Microsoft's Azure App Service and Azure Functions. This presentation covers the major scenarios that Easy Auth enables for cloud app developers.
Overview of Azure AD
Deployment lessons from the real world
Outline items that can accelerate your deployment
Avoid things that can slow you down
Deep Dive on common technical challenges and how to overcome them
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019 - Kumton Suttiraksiri
Strengthening authentication security in its various forms with Azure Active Directory (AAD),
such as MFA (Multi Factor Authentication), Conditional Access and Windows Hello for Business
By Khun ธัญพล ษณะนาคินทร์
Microsoft MVP (Azure)
Mark Diodati, Ping Identity
An exploration of three specific trends—the inevitability of adaptive identity (and its impact on APIs), requirements for enterprise-grade IDaaS, and the great challenges of hybrid identity governance—along with recommendations for enterprises that are leaning into modern identity
Similar to Azure AD and Office 365 - Deja Vu All Over Again
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Azure AD and Office 365 - Deja Vu All Over Again
2. Azure AD and Office 365: déjà vu all over again
Mark Diodati, Research VP/IAM Agenda Manager, mark.diodati@gartner.com, @mark_diodati
Sean Deuby, Solutions Architect, Sean.deuby@edgile.com, @shorinsean
3. 62% of Gartner clients have or will migrate to Office 365
• 80% of the Global 500
• 65% of the Fortune 1000
4. A Tail Wagging a Very Large Dog
Office 365 is driving Azure AD adoption
• As Exchange drove Active Directory adoption
• If you want the app, you must have the platform
• 3rd party IDaaS from Okta, Centrify, Ping Identity and others work with Azure AD
Azure AD is more than an authentication service for Office 365
• Identity platform for all Microsoft Online Services
• Full-blown IDaaS (SaaS SSO, on-premises app publishing, MFA, on-prem integration)
5. It’s a Big Dog
• 10 million Azure AD tenants
• Mostly < 500 accounts, cloud only
• More than half a billion users
• 1.3 billion logins per day
• Detects and mitigates 10 million attacks per day
• 4 billion in the last 12 months
• 100K organizations synching on-premises Active Directory with Azure AD
10. Questions
“How do we connect our enterprise users to Office 365 and other Azure AD-protected applications?”
Connecting users requires
• Admin-time actions: Users must be provisioned/managed into Azure AD’s identity store
• Runtime actions: Users must authenticate to Azure AD before accessing resources (SAML or password)
11. User Management Selection [flowchart; its decision points and outcomes are listed below]
Begin User Management Selection
Decision points:
• Strategic IGA Product Deployed?
• IGA Product Supports Azure AD?
• Is Password Sync or Mgmt Important?
• IAM for SaaS Apps Exclusively via Azure AD?
• Is Single-Vendor Solution Important?
Outcomes:
• Use IGA Product
• Use IGA and AD Connect
• Use AD Connect
• Use 3rd Party Directory Sync
• Use 3rd Party Directory Sync and AD Connect
• Reevaluate Directory Sync Requirements
12. User Management Options
• Use IGA Product
• Use IGA and AD Connect
• Use AD Connect
• Use 3rd Party Directory Sync
• Use 3rd Party Directory Sync and AD Connect
14. AD Connect Password Management*
[Diagram: Azure AD <-- Encrypted Change Attempt --> AD, relayed by Azure AD Connect]
* Other IDaaS vendors can do this, too.
15. AD Connect Password Hash Sync*
[Diagram: Azure AD Connect syncs the password hash (example value 8743b52063cd84097a65d1633f5c74f5) from on-premises AD to Azure AD; both sides are labelled Hash.]
* Unique to Azure AD and AD Connect.
17. Use AD Connect
[Flowchart excerpt. Decision points: No On-Prem IAM to SaaS Apps?; Is Password Sync or Azure AD DS Important?]
18. IGA Product Doesn’t Support Azure AD | Pw Sync / AAD DS?
[Flowchart excerpt. Decision point: Strategic IGA Product Deployed? Outcomes: Use IGA Product; Use IGA and AD Connect.]
19. Password Sync / AAD DS Important?
[Flowchart excerpt. Decision point: On-Premises Provisioning to SaaS Apps? Outcomes: Use 3rd Party Directory Sync; Use 3rd Party Sync and AD Connect.]
20. Use IGA and AD Connect
[Flowchart: User Management Selection. Decision points: Strategic IGA Product Deployed?; IGA Product Supports Azure AD?; Is Password Sync or Mgmt Important?; IAM for SaaS Apps Exclusively via Azure AD?; Is Single-Vendor Solution Important? Outcomes: Use IGA Product; Use IGA and AD Connect; Use AD Connect; Use 3rd Party Directory Sync; Use 3rd Party Directory Sync and AD Connect; Reevaluate Directory Sync Requirements.]
[Flowchart: User Authentication Selection. Decision points: Federation to Azure AD Only?; Many On-Premises Connections to SaaS Apps?; Federated SP Required?; SP for Windows and SAML Apps Only?; SSO Requirement?; Low Assurance Requirement? Outcomes: Use 3rd Party Federation; Use AD FS; Use AD Connect.]
27. Azure MFA
• Second factor authentication for all Azure AD-integrated resources
• Originally acquired from PhoneFactor
• Focuses on phone
  • Smart (voice, SMS, app)
  • Feature (voice, SMS)
  • Landline (voice)
• Soft token in the app
28. Azure MFA vs. MFA Server
• Azure MFA service
  • Protects Azure AD-integrated resources
• MFA Server
  • Hybrid solution
  • On-premises server(s)
  • Protects on-premises services
    • VPN, Remote Desktop, IIS apps
  • Can protect Azure AD resources (with AD FS)
29. Which Type Of MFA Do I Need?
It’s (mostly) about where the IdP is
• Microsoft cloud (Azure AD): Azure MFA
• On premises (AD FS): MFA Server or 3rd party

Resource Protected                                            | Azure MFA | MFA Server
Azure AD IdP                                                  |           |
  Azure AD native AuthN                                       | X         |
  Office 365                                                  | X         | X (if AD FS)
  Azure AD-integrated SaaS apps (per app basis)               | X         |
  On-premises apps published to Azure AD via Azure App Proxy  | X         |
On-premises (e.g. AD DS) IdP                                  |           |
  Azure AD AuthN (via AD FS)                                  |           | X
  VPN access to corpnet                                       |           | X
  Remote Desktop to corpnet                                   |           | X
  IIS applications                                            |           | X
  SP-initiated SaaS login via AD FS                           |           | X
30. Directions & Recommendations
• Where is this hybrid product going?
  • Overall solution will incrementally gain capabilities
  • Azure MFA is the strategic service
  • MFA Server is stable but not being enhanced
  • Capabilities are being picked up by other services
    • AD FS 2016 built-in Azure MFA adapter
  • Prediction: Connector tech (like AAD App Proxy) to replace other capabilities
• Recommendations
  • Azure MFA very smartphone focused
  • Bundling with other services makes pricing attractive
  • Only option for fine-grained MFA in Microsoft Online Services
33. Microsoft’s B2B Model
• 10 Million organizations in Azure AD today…
• …Why not use Azure AD for the B2B infrastructure?
• B2BaaS
• If you aren’t in Azure AD…we’ll add you automagically
• Partner org identities made available to you
• You control access
• They control their identities
34. Azure B2B Access Model
Invite
• Creates CSV file of invited partner employees
• Uploads to Azure – invites are sent
Accept
• Invitee accepts invitation
• If in Azure AD: Sign in
• Not in Azure AD: Sign up / viral tenant created
Access
• Invitee created as external user in inviter’s directory
• Access granted to user
35. Strengths
• B2B infrastructure is handled for you
• Scalable to many partners
• You control access without managing their identities
• Supports
• SaaS apps
• Azure services
• Other claims-aware apps
• Essentially free to Azure AD-using organizations
36. Current Flat Spots
• External user is copied from partner directory, not linked
• Outside of identity lifecycle management
• User authenticates against their home directory
• Can delete
• No attestation yet
• CSV file
• PowerShell, invite API not yet supported
• Does not support social email providers yet (e.g. gmail)
37. Stuff We Didn’t Get To
• Azure AD Domain Services
• Graph API for provisioning
• Adaptive/Conditional Access
• OpenID Connect
• SSO to On-Premises Applications (App Proxy)
The more observant of you may have noted that my esteemed co-presenter, Mark Diodati of Gartner, is not here.
He had to cancel at the last minute, thanks to a careless cyclist on the wrong side of the bike trail, and had surgery on his shoulder yesterday, so send him your best wishes.
As a result, I’ll be presenting Mark’s material. Unfortunately I didn’t have time to come up with one of Mark’s trademark sweater vests!
He does give his best regards to all and wishes he could be here. I’ve done my part to make him feel included < show photo > so if you have any questions I can’t answer, I’ll just pretend that’s Mark’s material so you can talk to the photo!
It’s impossible to survey Azure AD and o365
https://blogs.technet.microsoft.com/enterprisemobility/2016/01/05/best-way-to-connect-to-office-365-and-azure-ad-latest-data-azure-ad-connect-momentum/
Big: https://blogs.technet.microsoft.com/ad/2016/05/05/major-coolness-microsoft-security-intelligence-report-20-highlights-azuread-identity-protection/
100K customers syncing: https://blogs.technet.microsoft.com/ad/2016/04/13/100000-customers-are-syncing-on-premises-directories-with-azure-ad/
Large tenants make up 91% of all users
Gartner’s forward-thinking clients are starting to look at IAM not as a pure service in itself any more, but as something built into an IaaS. This speaks well for Azure AD and its IAM capabilities such as Azure AD Domain Services.
AWS doesn’t have an identity store with real users, and doesn’t have an OpenID Connect or SAML identity provider (it’s a SAML service provider but not an identity provider).
The duopoly that’s emerging is that Azure AD wins on identity features, while AWS wins on IaaS features because of the depth and breadth of its services.
A very common question from Gartner customers is…
You must have users in a local identity store, because there’s no way Azure AD is going to reach back into your on-premises AD at run time: Microsoft would then be on the hook for YOUR availability (firewall, network connectivity, DC availability) against their SLA. All SaaS providers work this way.
Okta and Centrify can do this too.
Password hash sync is a capability no other identity bridge provider can match, because of Microsoft’s ownership of both on-premises AD and Azure AD. Synching the AD password hash: it can be captured and written into the Azure AD credentials cache to provide a consistent (not single) sign-on experience.
If a third party wanted to do this, you’d have to force users through their portal where the password could be captured, or install filters on every DC in the domain. Possible, but very difficult.
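The hash-of-hash step behind slide 15 and the two notes above, as an added example that is not code from the deck or from Azure AD Connect: it is modeled on Microsoft’s published description of password hash sync, and the 64-byte expansion, 10-byte salt and 1000 PBKDF2-HMAC-SHA256 iterations are assumptions taken from that description rather than from this page. The input is the slide’s example hash value, used here as a constructed on-prem password hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters of the hash-of-hash step as Microsoft has publicly described it
# (assumed here; the deck itself gives no parameters).
SALT_LEN = 10        # per-user random salt, bytes
ITERATIONS = 1000    # PBKDF2 iteration count
DKLEN = 32           # derived hash length, bytes


def expand_nt_hash(nt_hash_hex: str) -> bytes:
    """Build the 64-byte PBKDF2 input from the 16-byte on-prem hash:
    hex-encode it (32 chars) and re-encode that string as UTF-16LE."""
    if len(bytes.fromhex(nt_hash_hex)) != 16:
        raise ValueError("expected a 16-byte (32 hex char) hash")
    return nt_hash_hex.lower().encode("utf-16-le")


def derive_cloud_hash(nt_hash_hex: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, cloud_hash). Only this pair leaves the premises; the
    on-prem hash itself is never stored in the cloud, so a leak of the cloud
    value does not yield a credential usable against on-prem AD."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    cloud_hash = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash_hex),
                                     salt, ITERATIONS, DKLEN)
    return salt, cloud_hash


def verify(nt_hash_hex: str, salt: bytes, cloud_hash: bytes) -> bool:
    """Cloud-side sign-in check: re-derive from the hash of the presented
    password and compare in constant time."""
    _, candidate = derive_cloud_hash(nt_hash_hex, salt)
    return hmac.compare_digest(candidate, cloud_hash)


if __name__ == "__main__":
    # Constructed input: the example hash shown on the slide, treated as the
    # on-prem password hash.
    on_prem = "8743b52063cd84097a65d1633f5c74f5"
    salt, stored = derive_cloud_hash(on_prem)
    print("salt:", salt.hex(), "stored:", stored.hex())
    print("verify correct:", verify(on_prem, salt, stored))
    print("verify wrong:  ", verify("0" * 32, salt, stored))
```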
If you aren’t connecting to SaaS apps from on-premises, only from Azure AD, AD Connect is fine because it only syncs to Azure AD.
If you’re doing local connections you need a more fully-featured synchronizer.
If you’re happy with your IGA system, and it has a connector to provision to Azure AD, use it.
If it doesn’t provision, use IGA to manage on-premises in conjunction with AD Connect to sync with Azure AD.
Radiant Logic, PingFed
If you’re provisioning to an existing set of apps, aint br
What’s new in AD FS 2016: https://technet.microsoft.com/en-us/library/mt617220.aspx
What’s the need for B2B?
Companies collaborating with other companies
Getting the talent
Spreading the risk
Supply chain networks
Partners
The need
Cross org collaboration with clear security between what is allowed and what’s not
Traditional B2B access control models have a number of shortcomings
  inter-org federation partnerships
    require sophisticated infra for the (perhaps small) partner
    Complexity grows linearly, gets unwieldy for large corporations
    Very limited partner user level visibility (just what’s in the security token)
  Internally managed partner directories
    More creds for partners to remember, lose, get stolen
    Typically not managed as closely as employee accounts = attack vector
    Not connected to partner’s identity lifecycle, thus not kept current (zombies)
“The hackers that carried out the massive data breach at Target Corp. appear to have gained access via a refrigeration contractor in Pittsburgh that connected to the retailer's systems to do electronic billing.”
– Wall Street Journal
“Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network.”
– Home Depot
"If I want to attack Fort Knox and I know they have locks and guards and strong security, it is easier to attack one of their providers who already have access to the gold."
– James Christiansen, VP, Accuvant
Invitation: Azure AD > Users > Add Users > Users in partner companies > upload file > click on link for batch status report as invitations are sent out
External user management and limitations: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/#external-user-management-and-limitations
CSV file is source for invitations
Apps and groups the partner user is assigned to are stored in the list as AppPrincipalIDs and ObjectIDs, which must be looked up via PowerShell