Ajay Kakkar
Experience: 20K+ Hrs.
Enterprise Architecture
Cloud Infrastructure
Unified Communication
Blog: https://insidemstech.com
LinkedIn: https://www.linkedin.com/in/ajkakkar/
Facebook: https://www.facebook.com/ajaykakkar88
Twitter: @Kakkaraj
Session objectives and takeaways
Courtesy: Microsoft (the presentation slides have been taken from Microsoft Ignite)
Azure Active Directory: Identity as the Control Plane
On-premises / private cloud: Windows Server Active Directory.
Public cloud (Azure): Microsoft Azure Active Directory, connected to commercial IdPs, consumer IdPs, partners and customers.
Azure AD Connect links the on-premises Windows Server Active Directory with Azure Active Directory.
Azure Active Directory capabilities
Access Reviews, Conditional Access, Multi-Factor Authentication, Addition of custom cloud apps, Remote Access to on-premises apps, Privileged Identity Management, Dynamic Groups, Identity Protection, Azure AD DS, Office 365 App Launcher, Group-Based Licensing, Access Panel/MyApps, Azure AD Connect, Connect Health, Provisioning/Deprovisioning, Azure AD Join, Self-Service capabilities, MDM auto-enrollment / Enterprise State Roaming, Security Reporting, Governance, HR App Integration, B2B collaboration, Azure AD B2C, SSO to SaaS, Microsoft Authenticator - Password-less Access.

Azure Active Directory in the Marketplace
Every Office 365 and Microsoft Azure customer uses Azure Active Directory.
Headline figures on the slide: 272K, 90%, 56K, 950M, 12.8M, with year-over-year growth of +30%, +45%, +74% and +200%.
Azure Active Directory use cases
I want to provide my employees secure and easy access to every application from any location and any device.
I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly.
I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes.
I want to write applications that work with my corporate identities in Azure Active Directory.
I want to protect access to my resources from advanced threats.
I need to comply with industry regulation and national data protection laws.
Azure Active Directory (B2B collaboration capabilities) compared with Azure Active Directory B2C (stand-alone offering)

Intended for
  B2B: Organizations that want to provide access to corporate data, resources and applications to users from any other organization, using any identity of their choice.
  B2C: Customer-facing mobile and web apps that target your customers (individuals, citizens, and institutional or organizational customers, not your employees or external collaborators), using any identity of their choice.

Identities supported
  B2B: Employees with work or school accounts, partners with work or school accounts or any email address. Soon to support direct federation.
  B2C: Consumer users with local application accounts (any email address or user name) or any supported social identity with direct federation.

Which directory the users are in
  B2B: Partner users from the external organization are managed in the same directory as employees, but annotated specially. These external users can be managed the same way as employees, can be added to the same groups, etc.
  B2C: In the application directory, managed separately from the organization's employee and partner directory (if any).

SSO
  B2B: SSO to all Azure AD connected apps (including on-premises apps) is supported, e.g. Office 365 and other first-party and third-party SaaS apps (Salesforce, Box, Workday, etc.).
  B2C: SSO to customer-owned apps within the Azure AD B2C tenant is supported. SSO to Office 365 and other first-party and third-party SaaS apps is not supported.

Lifecycle
  B2B: Partner lifecycle is managed by the host/inviting organization.
  B2C: Customer lifecycle is self-serve or managed by the application.

Security, policy and compliance
  B2B: Managed by the host/inviting organization.
  B2C: Managed by the application.

Branding
  B2B: The host/inviting organization's brand is used.
  B2C: Managed by the application; typically product-branded, with the organization fading into the background.

More info
  B2B: Blog post, documentation.
  B2C: Product page, documentation.
Identity and Access Management Use Cases
1. I want to provide my employees secure and easy access to every application from any location and any device.
2. I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes.
3. I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly.
4. I want to protect access to my resources from advanced threats.
5. I need to comply with industry regulation and national data protection laws.
6. I want to write applications that work with my corporate identities in Azure Active Directory.
Use case 1: I want to provide my employees secure and easy access to every application from any location and any device.
Relevant capabilities: Remote Access to on-premises apps, Azure AD Connect, SSO to SaaS, Access Panel/MyApps, Self-Service capabilities, Azure AD DS, Microsoft Authenticator - Password-less Access, Office 365 App Launcher, Conditional Access, Multi-Factor Authentication. Azure AD Connect bridges the on-premises directory and Microsoft Azure Active Directory.
Pass-through authentication is Generally Available
Identity synchronization + pass-through authentication with Seamless SSO: identities are synchronized from on-premises Active Directory to Microsoft Azure Active Directory using Azure AD Connect. When a user signs in to Office 365, SaaS or LoB apps, the password validation request is sent from Azure AD to Windows Server Active Directory via the on-premises pass-through authentication agent, so password hashes do not have to be synchronized to the cloud.
3rd-party apps and Azure AD: 272,000 active applications, including Zscaler Two, Canvas, Workplace by Facebook, Clever, SuccessFactors, ServiceNow, Workday, Salesforce, Cornerstone OnDemand and Google Apps.
Azure Active Directory Application Proxy: Single Sign-on to on-premises applications
A user opens a public URL such as https://appX-contoso.msappproxy.net/, authenticates to Microsoft Azure Active Directory, and the Application Proxy service hands the request to a connector. Connectors run in the DMZ, in Azure or in 3rd-party IaaS and forward traffic to the on-premises apps; they only make outbound connections to the Application Proxy service, so no inbound firewall ports are opened for the published apps.

PingAccess for Azure Active Directory
Azure Active Directory Application Proxy + PingAccess: access even more on-premises web applications, including custom apps, through the same Application Proxy and connector topology.
Use case 2: I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes.
Relevant capabilities: Remote Access to on-premises apps, Azure AD Connect, SSO to SaaS, Access Panel/MyApps, Self-Service capabilities, Provisioning/Deprovisioning, Dynamic Groups, MDM auto-enrollment / Enterprise State Roaming, Conditional Access, Multi-Factor Authentication, Group-Based Licensing, Microsoft Authenticator - Password-less Access, Access Reviews, HR App Integration.
Flow: the HR app (cloud or on-premises) is the source of user records for Microsoft Azure Active Directory; dynamic groups place each user into groups based on the user's attributes, and group membership drives provisioning and the apps shown on the access panel: Office 365 SharePoint Online, Kronos, Box, Workplace by Facebook and on-premises applications.
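The Join/Move/Leave automation above hinges on dynamic group membership rules being evaluated against the attributes the HR feed writes to each user. The following is an added example, not Microsoft code or the real Azure AD rule engine: a small evaluator for a subset of the dynamic-group rule syntax (the user.<attribute> operand, -eq, -ne, -contains, -startsWith, -in, -and, -or, -not and parentheses). Assumptions of the model: string comparisons are exact and case-sensitive, -not binds tighter than -and, which binds tighter than -or, and the sample users are constructed.

```python
"""Evaluate Azure AD dynamic-group membership rules against user attributes.

Added example (not Microsoft code). Supported subset of the rule syntax:
  user.<attribute> -eq|-ne|-contains|-startsWith|-in <literal>
  <expr> -and <expr>, <expr> -or <expr>, -not <expr>, parentheses
Literals: "string", null, true, false, ["a", "b"]. Model assumptions: comparisons
are exact (case-sensitive); -not binds tighter than -and, which binds tighter than -or."""
import re

# One alternative per token kind; whitespace is skipped by finditer, and any other
# character (group 5) is rejected instead of being silently dropped from the rule.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(-[A-Za-z]+)|([A-Za-z_][\w.]*)|([()\[\],])|(\S)')
_KEYWORDS = {"null": None, "true": True, "false": False}
_COMPARE = {
    "-eq": lambda a, e: a == e,
    "-ne": lambda a, e: a != e,
    "-in": lambda a, e: isinstance(e, list) and a in e,
    "-contains": lambda a, e: isinstance(a, str) and isinstance(e, str) and e in a,
    "-startswith": lambda a, e: isinstance(a, str) and isinstance(e, str) and a.startswith(e),
}


def tokenize(rule):
    tokens = []
    for m in _TOKEN.finditer(rule):
        if m.group(1) is not None:
            tokens.append(("str", m.group(1).replace('\\"', '"')))
        elif m.group(2):
            tokens.append(("op", m.group(2).lower()))  # operators are case-insensitive
        elif m.group(3):
            tokens.append(("ident", m.group(3)))
        elif m.group(4):
            tokens.append(("punct", m.group(4)))
        else:
            raise ValueError(f"unexpected character {m.group(5)!r}")
    return tokens


class _Parser:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind or 'a token'}, got {tok[1]!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self._binary("-or", lambda: self._binary("-and", self.parse_not, "and"), "or")
        if self.peek()[0] is not None:
            raise ValueError(f"trailing token {self.peek()[1]!r}")
        return node

    def _binary(self, op, sub, tag):          # left-associative chain of one operator
        left = sub()
        while self.peek() == ("op", op):
            self.take()
            left = (tag, left, sub())
        return left

    def parse_not(self):
        if self.peek() == ("op", "-not"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_comparison()

    def parse_comparison(self):
        if self.peek() == ("punct", "("):
            self.take()
            node = self._binary("-or", lambda: self._binary("-and", self.parse_not, "and"), "or")
            self.take("punct", ")")
            return node
        _, name = self.take("ident")
        if not name.startswith("user."):
            raise ValueError(f"unknown property {name!r}")
        _, op = self.take("op")
        if op not in _COMPARE:
            raise ValueError(f"unsupported operator {op}")
        return ("cmp", name[len("user."):], op, self.parse_literal())

    def parse_literal(self):
        kind, val = self.take()
        if kind == "str":
            return val
        if kind == "ident" and val in _KEYWORDS:
            return _KEYWORDS[val]
        if (kind, val) == ("punct", "["):
            items = []
            while self.peek() != ("punct", "]"):
                if items:
                    self.take("punct", ",")
                items.append(self.parse_literal())
            self.take()
            return items
        raise ValueError(f"bad literal {val!r}")


def evaluate(node, user):
    if node[0] == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if node[0] == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if node[0] == "not":
        return not evaluate(node[1], user)
    _, attr, op, expected = node
    return _COMPARE[op](user.get(attr), expected)  # a missing attribute behaves as null


def members(rule, users):
    """Return the userPrincipalNames the rule selects, in input order; bad rules raise ValueError."""
    ast = _Parser(tokenize(rule)).parse()
    return [u["userPrincipalName"] for u in users if evaluate(ast, u)]


# Constructed sample directory (not real accounts)
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "department": "Sales", "country": "US", "accountEnabled": True, "jobTitle": "Account Executive"},
    {"userPrincipalName": "bob@contoso.com", "department": "Engineering", "country": "US", "accountEnabled": True, "jobTitle": "Senior Engineer"},
    {"userPrincipalName": "carol@contoso.com", "department": "Sales", "country": "DE", "accountEnabled": False, "jobTitle": None},
    {"userPrincipalName": "dan@contoso.com", "department": "Marketing", "country": "DE", "accountEnabled": True, "jobTitle": "Senior Marketing Manager"},
]
```

Because a disabled account that still matches a rule keeps its group-derived app access, rules that gate licensing or SaaS provisioning should include a condition such as user.accountEnabled -eq true; the unsupported-operator path raises rather than returning an empty match, so a typo in a rule fails loudly instead of silently deprovisioning everyone.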
Use case 3: I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly.
Relevant capabilities: Remote Access to on-premises apps, Azure AD Connect, SSO to SaaS, Access Panel/MyApps, Self-Service capabilities, B2B collaboration, Dynamic Groups, Office 365 App Launcher, Conditional Access, Multi-Factor Authentication.
B2B collaboration in Microsoft Azure Active Directory: add B2B users with accounts in other Azure AD organizations; add B2B users with Microsoft Account, Google ID* or other identity provider* accounts; assign B2B users access to any app or service your organization owns, such as SharePoint Online and Office 365 apps or on-premises applications.
Azure Active Directory B2C
Securely authenticate your customers using their preferred identity provider; capture login, preference, and conversion data for customers; provide branded (white-label) registration and login experiences. Identities: social IDs, business and government IDs, any SAML provider (example tenant shown: contoso); your apps and analytics sit behind Microsoft Azure Active Directory B2C.

Friction-free customer experience
Customer-centric and flexible: match your identity experience to your application branding; user-friendly self-service sign-in and sign-up experience; "bring-your-own-identity" using a social ID, or create a new local account with its own set of credentials; enhance account records with media and detailed metadata; self-service profile management and password reset. Sign-in options shown: Sign in with Google, Sign in with Facebook, Sign in with Twitter, Sign in with email.
Use case 4: I want to protect access to my resources from advanced threats.
Relevant capabilities: Multi-Factor Authentication, Conditional Access, Privileged Identity Management, Identity Protection, Remote Access to on-premises apps, SSO to SaaS, Security Reporting.
Conditional Access: for each sign-in to cloud apps or on-premises applications, the conditions (user group, location / IP range, device state, risk, MFA) are evaluated and the outcome is one of: allow access, enforce MFA, block access, wipe device.
Microsoft Intelligent Security Graph
The threat signals behind Azure Active Directory come from across Microsoft: Bing, Xbox Live, OneDrive, Azure, Microsoft Accounts, Skype, Office 365, Enterprise Mobility + Security, the Microsoft Digital Crimes Unit and the Microsoft Cyber Defense Operations Center.
Conditional Access: real-time evaluation engine
Conditions (users, devices, location, apps, session risk, machine-learning signals) and policies are combined by the real-time evaluation engine into an effective policy. Controls applied to on-premises apps and web apps: require MFA, allow access, deny access, force password reset, limit access. (Unlabelled figures on the slide: 3, 10TB.)
New MFA partners for Azure AD MFA
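The evaluation engine above is easiest to understand as a function from a sign-in's conditions and a set of policies to one effective decision. The block below is an added example, not Azure AD's implementation: a small engine that matches each policy's conditions (user group, named location as IP ranges, device state, sign-in risk) against a sign-in and combines the matched policies the way Azure AD does, with a block in any matching policy winning outright and every grant control required by any matching policy having to be satisfied. The policy names, CIDR ranges, group names and sign-ins are all constructed for the example.

```python
"""Model of a conditional-access evaluation engine (added example, not Azure AD code)."""
import ipaddress
from dataclasses import dataclass, field

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """One sign-in attempt as the engine sees it (constructed, not a real log format)."""
    user: str
    groups: set
    app: str
    ip: str
    device_compliant: bool
    risk: str = "none"           # sign-in risk level from Identity Protection
    mfa_satisfied: bool = False  # has MFA already been completed in this session?


@dataclass
class Policy:
    name: str
    apps: set = field(default_factory=set)          # empty -> all cloud apps
    groups: set = field(default_factory=set)        # empty -> all users
    locations: list = field(default_factory=list)   # named location as CIDR ranges
    outside_locations: bool = False                 # True -> apply only OUTSIDE those ranges
    min_risk: str = "none"                          # apply when risk >= this level
    device_filter: str = None                       # None, "compliant" or "noncompliant"
    grant: list = field(default_factory=lambda: ["allow"])  # allow | block | mfa | compliant_device
    session: list = field(default_factory=list)     # session controls such as limited access


def applies(policy, s):
    """Do all of the policy's conditions match this sign-in?"""
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.groups and not (s.groups & policy.groups):
        return False
    if policy.locations:
        ip = ipaddress.ip_address(s.ip)
        inside = any(ip in ipaddress.ip_network(cidr) for cidr in policy.locations)
        if policy.outside_locations and inside:
            return False
        if not policy.outside_locations and not inside:
            return False
    if RISK_ORDER[s.risk] < RISK_ORDER[policy.min_risk]:
        return False
    if policy.device_filter == "compliant" and not s.device_compliant:
        return False
    if policy.device_filter == "noncompliant" and s.device_compliant:
        return False
    return True


def evaluate(policies, s):
    """Combine every matching policy into one effective decision.

    A block in any matching policy wins; otherwise every grant control required by
    any matching policy must be satisfied, and session controls from all matching
    policies are applied together."""
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    session = sorted({c for p in matched for c in p.session})
    if any("block" in p.grant for p in matched):
        return {"decision": "block", "controls": [], "session": [], "policies": names}
    required = {c for p in matched for c in p.grant} - {"allow"}
    unmet = set()
    if "mfa" in required and not s.mfa_satisfied:
        unmet.add("mfa")
    if "compliant_device" in required and not s.device_compliant:
        unmet.add("compliant_device")
    if unmet:
        return {"decision": "require_controls", "controls": sorted(unmet), "session": session, "policies": names}
    return {"decision": "allow", "controls": [], "session": session, "policies": names}


# Constructed policy set for the example (203.0.113.0/24 stands in for the corporate network)
POLICIES = [
    Policy("Require MFA outside corporate network", locations=["203.0.113.0/24"], outside_locations=True, grant=["mfa"]),
    Policy("Block high-risk sign-ins", min_risk="high", grant=["block"]),
    Policy("Admins: MFA and compliant device", groups={"Global Admins"}, grant=["mfa", "compliant_device"]),
    Policy("Salesforce on unmanaged devices: limited access", apps={"Salesforce"}, device_filter="noncompliant", session=["limited_access"]),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, SignIn("bob@contoso.com", {"Global Admins"}, "Azure portal", "198.51.100.7", False)))
```

Note the ordering in evaluate: the block check runs before any grant control is considered, so a high-risk sign-in that has already passed MFA is still denied, and an admin on an unmanaged device is told both controls it lacks rather than just the first one found.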
Privileged Identity Management
Discover, restrict, and monitor privileged identities. Enforce on-demand, just-in-time administrative access when needed; ensure policies are met with alerts, audit reports and access reviews; manage admin access in Azure AD and also in Azure RBAC. Example: User Administrator privileges activated through PIM expire after a specified interval.
Use case 5: I need to comply with industry regulation and national data protection laws.
Relevant capabilities: Conditional Access, Privileged Identity Management, Identity Protection, Group-Based Licensing, Access Panel/MyApps, Provisioning/Deprovisioning, Access Reviews, HR App Integration. Access reviews cover resources, apps and groups.

Access Reviews: now in public preview!
Governance partners extend Microsoft Azure Active Directory with: password reset extension, fine-grained lifecycle provisioning, access request, access certification, policy-based workflow and approval, compliance and audit reporting.
Use case 6: I want to write applications that work with my corporate identities in Azure Active Directory.
Protocols: OAuth, OpenID Connect, SAML, SCIM. APIs and access libraries: Microsoft Graph, Microsoft SDKs on GitHub, Identity Experience Framework, ADAL, MSAL.
Microsoft Graph
Single API (https://graph.microsoft.com) that proxies multiple Microsoft services: Azure AD, Excel, Intune, Outlook, OneDrive, OneNote, SharePoint, Planner.
Allows for easy traversal of objects and relationships; eliminates the need to discover endpoints; only one OAuth access token is needed, for both personal and work or school accounts; exposes user data, group data and organizational data.

With Microsoft Graph, a user's profile and organizational relationships are a chain of related GETs:
GET /users/yina
{ "displayName": "Yina", "jobTitle": "PRINCIPAL PM MANAGER" }
GET /users/yina/photo/$value
(streams image/jpeg)
GET /users/yina/manager
{ "displayName": "Tristan", ... }
GET /users/yina/directReports
"value": [ { "displayName": "Matt", ... }, { "displayName": "Dmitry", ... } ]
GET /users/yina/memberOf
"value": [ { "displayName": "Office engineering", ... }, { "displayName": "Women in tech", ... } ]
Relationship diagram: Tristan is Yina's manager; Dmitry, Matt and Sudhi are her directReports; her groups are reached through memberOf.
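The chain of GETs above is what a client has to issue to answer "who does this user report to, who reports to them, and which groups are they in". The block below is an added example, not Microsoft code or an SDK: it builds those Graph v1.0 requests with one bearer token, follows @odata.nextLink so large directReports and memberOf collections are read completely, and filters memberOf by @odata.type, because that relationship also returns directory roles, not only groups. The transport is injectable so the example runs offline against constructed responses shaped like Graph replies; the UPN yina@contoso.com, the token string and the response bodies are all constructed.

```python
"""Walk a user's organizational relationships over Microsoft Graph (added example, not Microsoft code)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def http_get(url, token):
    """Real transport: one OAuth 2.0 bearer token authorizes every Graph call."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_all(url, token, fetch=http_get):
    """Follow @odata.nextLink until the collection is exhausted."""
    items = []
    while url:
        page = fetch(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def org_context(upn, token, fetch=http_get):
    """Profile, manager, direct reports and group memberships for one user."""
    base = f"{GRAPH}/users/{upn}"
    sel = "$select=id,displayName,jobTitle"  # ask only for the fields used, not the full object
    profile = fetch(f"{base}?{sel}", token)
    manager = fetch(f"{base}/manager?{sel}", token)
    reports = get_all(f"{base}/directReports?{sel}", token, fetch)
    member_of = get_all(f"{base}/memberOf?$select=id,displayName", token, fetch)
    return {
        "displayName": profile.get("displayName"),
        "jobTitle": profile.get("jobTitle"),
        "manager": manager.get("displayName"),
        "directReports": sorted(r["displayName"] for r in reports),
        # memberOf mixes groups and directory roles; keep only groups
        "groups": sorted(g["displayName"] for g in member_of if g.get("@odata.type") == "#microsoft.graph.group"),
    }


# Constructed sample replies, shaped like Graph v1.0 responses (not captured from a tenant)
_U = f"{GRAPH}/users/yina@contoso.com"
FAKE_RESPONSES = {
    f"{_U}?$select=id,displayName,jobTitle": {"id": "u1", "displayName": "Yina", "jobTitle": "PRINCIPAL PM MANAGER"},
    f"{_U}/manager?$select=id,displayName,jobTitle": {"id": "u0", "displayName": "Tristan"},
    f"{_U}/directReports?$select=id,displayName,jobTitle": {
        "value": [{"id": "u2", "displayName": "Matt"}, {"id": "u3", "displayName": "Dmitry"}],
        "@odata.nextLink": f"{_U}/directReports?$select=id,displayName,jobTitle&$skiptoken=page2",
    },
    f"{_U}/directReports?$select=id,displayName,jobTitle&$skiptoken=page2": {
        "value": [{"id": "u4", "displayName": "Sudhi"}],
    },
    f"{_U}/memberOf?$select=id,displayName": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "Office engineering"},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "r1", "displayName": "User Administrator"},
            {"@odata.type": "#microsoft.graph.group", "id": "g2", "displayName": "Women in tech"},
        ],
    },
}


def fake_get(url, token):
    """Offline transport for the example; refuses calls without a bearer token."""
    if not token:
        raise PermissionError("401: missing bearer token")
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    print(org_context("yina@contoso.com", "constructed-token", fetch=fake_get))
```

To run it against a real tenant, pass an access token obtained through MSAL with the User.Read.All and GroupMember.Read.All (or Directory.Read.All) scopes and drop the fetch argument; everything else stays the same.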
Customer stories
Transportation, Logistics, Oil & Gas; Retail, Hospitality and Travel; Health; Construction, Professional Services; Government, Banking, Insurance; Education, Nonprofit.

Get to production team: FastTrack
Expert partners and Microsoft Engineering provide remote assistance to accelerate your Azure AD deployment; Microsoft engineers engage directly to get you up and running with Azure Active Directory.

Next steps
Try Azure Active Directory today for free. Let our team help with your implementation.
Azure AD Presentation - @ BITPro - Ajay

Azure AD Presentation - @ BITPro - Ajay

  • 1.
    Ajay Kakkar Experience: 20K+Hrs. Enterprise Architecture Cloud Infrastructure Unified Communication Blog: https://insidemstech.com LinkedIn: https://www.linkedin.com/in/ajkakkar/ Facebook: https://www.facebook.com/ajaykakkar88 Twitter: @Kakkaraj
  • 2.
    Session objectives andtakeaways Courtesy : Microsoft (Presentation slides has been taken from Microsoft Ignite) Azure Active Directory
  • 3.
  • 4.
    Windows Server Active Directory Identityas the Control Plane Azure Public cloud Microsoft Azure Active Directory Commercial IdPs Consumer IdPs Partners Customers Azure AD Connect
  • 5.
    Access ReviewsConditional Access Multi-Factor Authentication Addition of customcloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity ProtectionAzure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- DeprovisioningAzure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Governance HR App Integration B2B collaboration Azure AD B2CSSO to SaaS Microsoft Authenticator - Password-less Access Azure Active Directory in the Marketplace Every Office 365 and Microsoft Azure customer uses Azure Active Directory 272K 90%56K950M12.8M +30% YoY +45% YoY +74% YoY +200% YoY
  • 6.
    I want toprovide my employees secure and easy access to every application from any location and any device I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes [dev use case] I want to protect access to my resources from advanced threats I need to comply with industry regulation and national data protection lawsAzure Active Directory Conditional Access Multi-Factor Authentication Addition of custom cloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity Protection Azure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- Deprovisioning Azure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Access Reviews HR App Integration B2B collaboration Azure AD B2C SSO to SaaS Microsoft Authenticator - Password-less Access
  • 7.
    Azure Active Directory (B2Bcollaboration capabilities) Azure Active Directory B2C (Stand-alone offering) Intended for: Organizations that want to provide access to corporate data, resources and applications to users from any other organization, using any identity of their choice. Intended for: Customer facing mobile and web apps that target your customers - individual, citizens and institutional or organizational customers (not your employees or external collaborators)– using any identity of their choice. Identities supported: Employees with work or school accounts, partners with work or school accounts or any email address. Soon to support direct federation. Identities supported: Consumer users with local application accounts (any email address or user name) or any supported Social identity with direct federation. Which directory are the partner users in: Partner users from the external organization are managed in the same directory as employees, but annotated specially. These external users can be managed the same way as employees, can be added to the same groups, etc. Which directory are the customer user entities in: In the application directory. Managed separately from the organization’s employee and partner directory (if any). SSO to All Azure AD connected apps (including On Prem apps) is supported, ex. Office 365 and other first party and third party SaaS apps (like Salesforce, Box, Workday, etc.). SSO to customer owned apps within the Azure AD B2C tenants are supported. SSO to Office 365 and other first party and third party SaaS apps is not supported. Partner lifecycle: Managed by the host/inviting organization. Customer lifecycle: Self-serve or managed by the application. Security Policy and Compliance: Managed by the host/inviting organization. Security, Policy and compliance: Managed by the application. Branding: Host/inviting organization’s brand is used. Branding: Managed by application. 
Typically tends to be product branded, with the organization fading into the background. More info: Blog Post, Documentation More info: Product Page, Documentation
  • 8.
    Identity and Access Management UseCases I want to provide my employees secure and easy access to every application from any location and any device I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes I want to write applications that work with my corporate identities in Azure Active Directory I want to protect access to my resources from advanced threats I need to comply with industry regulation and national data protection laws Conditional Access Multi-Factor Authentication Addition of custom cloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity Protection Azure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- Deprovisioning Azure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Access Reviews HR App Integration B2B collaboration Azure AD B2C SSO to SaaS Microsoft Authenticator - Password-less Access 1 2 3 4 5 6
  • 9.
    Identity and AccessManagement Use Cases Microsoft Azure Active Directory Remote Access to on-premises apps Azure AD Connect SSO to SaaS Access Panel/MyApps Self-Service capabilities Azure AD DS Microsoft Authenticator - Password-less Access Office 365 App Launcher Conditional Access Multi-Factor Authentication Azure AD Connect On- premises I want to provide my employees secure and easy access to every application from any location and any device 1
  • 10.
    Pass-through authentication isGenerally Available Identity synchronization + Pass-through authentication with Seamless SSO Identity synchronization using Azure AD Connect On- premises Password validation requests are sent to Windows Server Active Directory via Pass-through authentication Pass-through authentication Microsoft Azure Active Directory Pass-through authentication agent Office 365, SaaS, and LoB apps
  • 11.
    Zscaler Two Canvas Workplace byFacebook Clever SuccessFactors ServiceNow Workday Salesforce Cornerstone OnDemand Google Apps3rd party apps and Azure AD Active applications 272,000
  • 12.
    Azure Active DirectoryApplication Proxy Single Sign-on to on premises applications DMZ https://appX-contoso.msappproxy.net/ connectorconnector Microsoft Azure Active Directory connector app app app app connector Application Proxy Azure or 3rd Party IaaS
  • 13.
    PingAccess for AzureActive Directory PingAccess Azure Active Directory
  • 14.
    Azure Active DirectoryApplication Proxy + PingAccess Access even more on premises web applications DMZ https://appX-contoso.msappproxy.net/ connectorconnector Microsoft Azure Active Directory connector app app app app connector Application Proxy Azure or 3rd Party IaaS Custom app
  • 15.
    Identity and Access Management UseCases I want to provide my employees secure and easy access to every application from any location and any device I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes I want to write applications that work with my corporate identities in Azure Active Directory I want to protect access to my resources from advanced threats I need to comply with industry regulation and national data protection laws Conditional Access Multi-Factor Authentication Addition of custom cloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity Protection Azure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- Deprovisioning Azure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Access Reviews HR App Integration B2B collaboration Azure AD B2C SSO to SaaS Microsoft Authenticator - Password-less Access 2 3 4 5 6
  • 16.
    Identity and AccessManagement Use Cases I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes Remote Access to on-premises apps Azure AD Connect SSO to SaaS Access Panel/MyApps Self-Service capabilities Provisioning- Deprovisioning Dynamic Groups MDM-auto enrollment / Enterprise State Roaming Conditional Access Multi-Factor Authentication Group-Based Licensing Microsoft Authenticator - Password-less Access Access Reviews HR App Integration 2 Dynamic groups Microsoft Azure Active Directory On- premises HR app
  • 17.
    Microsoft Azure Active Directory Access panel Dynamicgroups On- premises Office 365 SharePoint Online Kronos Box Workplace by Facebook HR app
  • 18.
    Identity and Access Management UseCases I want to provide my employees secure and easy access to every application from any location and any device I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes I want to write applications that work with my corporate identities in Azure Active Directory I want to protect access to my resources from advanced threats I need to comply with industry regulation and national data protection laws Conditional Access Multi-Factor Authentication Addition of custom cloud apps Remote Access to on-premises apps Privileged Identity Management Dynamic Groups Identity Protection Azure AD DS Office 365 App Launcher Group-Based Licensing Access Panel/MyApps Azure AD Connect Connect Health Provisioning- Deprovisioning Azure AD Join Self-Service capabilities MDM-auto enrollment / Enterprise State Roaming Security Reporting Access Reviews HR App Integration B2B collaboration Azure AD B2C SSO to SaaS Microsoft Authenticator - Password-less Access 4 5 6 3
  • 19.
    SharePoint Online & Office365 apps Identity and Access Management Use Cases Remote Access to on-premises apps Azure AD Connect SSO to SaaS Access Panel/MyApps Self-Service capabilities B2B collaboration Dynamic Groups Office 365 App Launcher Conditional Access Multi-Factor Authentication Assign B2B users access to any app or service your organization owns Add B2B users with accounts in other Azure AD organizations 3 I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly Microsoft Azure Active Directory Other organizations Add B2B users with MSA, Google, or other Identity Provider accounts Other Identity Providers* Google ID* Microsoft Account On- premises
  • 20.
    Azure Active DirectoryB2C Securely authenticate your customers using their preferred identity provider Capture login, preference, and conversion data for customers Provide branded (white-label) registration and login experiences Microsoft Azure Active Directory Social IDs Business & Government IDscontoso Any SAML provider Apps Analytics
  • 21.
    Friction-free customer experience Customer-centricand flexible Match your identity experience to your application branding User-friendly self-service sign-in and sign-up experience “Bring-your-own-identity” using social ID or create a new, local account set of credentials Enhance account records with media and detailed metadata Self-service profile management/password reset Sign in with Google Sign in with Facebook Sign in with Twitter Sign in with email
  • 23.
  • 24.
    Identity and Access Management Use Cases: use case 4, "I want to protect access to my resources from advanced threats"
    Relevant capabilities: Multi-Factor Authentication, Conditional Access, Privileged Identity Management, Identity Protection, Remote Access to on-premises apps, SSO to SaaS, Security Reporting
    Conditional Access diagram:
    - Conditions: User group, Location (IP range), Device state, Risk
    - Actions: Allow access, Enforce MFA, Block access, Wipe device
    - Protected resources: Cloud apps, On-premises applications
  • 25.
    Microsoft Intelligent Security Graph: signals from Bing, Xbox Live, OneDrive, Microsoft Digital Crimes Unit, Microsoft Cyber Defense Operations Center, Azure, Microsoft Accounts, Skype, Enterprise Mobility + Security, Azure Active Directory and Office 365
  • 26.
    Real-time Evaluation Engine (diagram):
    - Conditions: Users, Devices, Location, Apps; Session Risk; Machine learning
    - Policies feed the Real-time Evaluation Engine, which produces the Effective policy
    - Controls: Require MFA, Allow access, Deny access, Force password reset (******), Limit access
    - Protected resources: On-premises apps, Web apps
    (Other diagram labels: 3, 10TB)
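    The two diagrams (slide 24 and slide 26) show the engine as signals in, effective policy out. As an added example, not Azure AD's own code, here is a toy evaluator in Python: each policy matches on user group, location (outside a trusted IP range), device state and session risk, and the strictest control among the matching policies becomes the effective policy. The policy names, CIDRs, app and group names are constructed. Azure AD combines policies in more detail (a block always wins, otherwise every matching policy's grant controls must all be satisfied); the toy collapses that to a single strictest control.

```python
"""Toy Conditional Access evaluator (added example; not Azure AD's engine).
Conditions follow the slides (user group, location/IP range, device state,
session risk); the controls are the five outcomes on slide 26."""
import ipaddress
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional, Tuple

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


class Control(IntEnum):
    """Controls ordered from least to most restrictive; the strictest wins."""
    ALLOW = 0
    LIMIT_ACCESS = 1
    REQUIRE_MFA = 2
    FORCE_PASSWORD_RESET = 3
    DENY = 4


@dataclass(frozen=True)
class SignIn:
    """The real-time signals the engine sees for one sign-in attempt."""
    user: str
    groups: FrozenSet[str]
    app: str
    ip: str
    device_compliant: bool
    session_risk: str  # one of RISK_LEVELS


@dataclass(frozen=True)
class Policy:
    """A policy applies when every condition that is set matches; unset means 'any'."""
    name: str
    control: Control
    groups: Optional[FrozenSet[str]] = None
    apps: Optional[FrozenSet[str]] = None
    trusted_networks: Optional[Tuple[str, ...]] = None  # applies only OUTSIDE these CIDRs
    noncompliant_device_only: bool = False
    min_risk: str = "none"

    def matches(self, s: SignIn) -> bool:
        if self.groups is not None and not (self.groups & s.groups):
            return False
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.trusted_networks is not None:
            ip = ipaddress.ip_address(s.ip)
            if any(ip in ipaddress.ip_network(n) for n in self.trusted_networks):
                return False  # on a trusted network: location condition not met
        if self.noncompliant_device_only and s.device_compliant:
            return False
        if RISK_LEVELS[s.session_risk] < RISK_LEVELS[self.min_risk]:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[Control, List[str]]:
    """Return the effective control and the names of the policies that applied."""
    applied = [p for p in policies if p.matches(s)]
    effective = max((p.control for p in applied), default=Control.ALLOW)
    return effective, [p.name for p in applied]


# Constructed sample policies; CIDRs, app and group names are placeholders.
POLICIES = [
    Policy("Require MFA outside the corporate network", Control.REQUIRE_MFA,
           trusted_networks=("10.0.0.0/8", "203.0.113.0/24")),
    Policy("Block non-compliant devices from the finance app", Control.DENY,
           apps=frozenset({"finance-portal"}), noncompliant_device_only=True),
    Policy("Force password reset on high session risk", Control.FORCE_PASSWORD_RESET,
           min_risk="high"),
    Policy("Limit access for guests", Control.LIMIT_ACCESS,
           groups=frozenset({"Guests"})),
]


def decide(user, groups, app, ip, device_compliant, session_risk):
    """Convenience wrapper: build the SignIn and evaluate it against POLICIES."""
    s = SignIn(user, frozenset(groups), app, ip, device_compliant, session_risk)
    return evaluate(POLICIES, s)


if __name__ == "__main__":
    print(decide("alice", {"Employees"}, "sharepoint", "10.1.2.3", True, "none"))
    print(decide("alice", {"Employees"}, "sharepoint", "198.51.100.7", True, "none"))
    print(decide("bob", {"Employees"}, "finance-portal", "198.51.100.7", False, "low"))
    print(decide("carol", {"Employees"}, "sharepoint", "10.1.2.3", True, "high"))
```

    The returned policy names are what you would want in a sign-in log: the effective control alone does not tell an analyst which policy produced it, and the "no policy applied" case (an empty list with ALLOW) is exactly the gap a coverage review looks for.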
  • 27.
  • 28.
    Azure AD MFA (diagram repeats the real-time evaluation engine of slide 26: Conditions Users, Devices, Location, Apps and Session Risk; Machine learning; Policies; Effective policy; Controls Require MFA, Allow access, Deny access, Force password reset (******), Limit access; other labels 3, 10TB)
  • 29.
    Privileged Identity Management
    - Enforce on-demand, just-in-time administrative access when needed
    - Ensure policies are met with alerts, audit reports and access reviews
    - Manage admins' access in Azure AD and also in Azure RBAC
    - Discover, restrict, and monitor privileged identities
    (Diagram: a User Administrator assignment whose privileges expire after a specified interval)
  • 30.
  • 31.
    Identity and Access Management Use Cases: use case 5, "I need to comply with industry regulation and national data protection laws"
    Relevant capabilities: Conditional Access, Privileged Identity Management, Identity Protection, Group-Based Licensing, Access Panel/MyApps, Provisioning-Deprovisioning, Access Reviews, HR App Integration
    Access Reviews (now in public preview!): Microsoft Azure Active Directory reviewing access to Resources, Apps and Groups
  • 32.
  • 33.
    - Password reset extension
    - Fine-grained lifecycle provisioning
    - Access request
    - Access certification
    - Policy-based workflow and approval
    - Compliance and audit reporting
  • 35.
  • 36.
    Identity and Access Management Use Cases: use case 6, "I want to write applications that work with my corporate identities in Azure Active Directory"
    Protocols and APIs: OAuth, OpenID Connect, SAML, SCIM, Microsoft Graph
    Access Libraries and tooling: ADAL, MSAL, Microsoft SDKs on GitHub, Identity Experience Framework
    (Diagram: Microsoft Azure Active Directory behind Microsoft Graph and the access libraries)
  • 37.
    Microsoft Graph (https://graph.microsoft.com)
    - Single API that proxies multiple Microsoft services
    - Allows for easy traversal of objects and relationships
    - Eliminates the need to discover endpoints
    - Only one OAuth access token needed
    - For both personal and work or school accounts
    - Exposes user data, group data and organizational data
    Services behind it: Azure AD, Excel, Intune, Outlook, OneDrive, OneNote, SharePoint, Planner
  • 38.
    With Microsoft Graph: one user's profile, manager, direct reports and group membership
    GET /users/yina
      { "displayName": "Yina", "jobTitle": "PRINCIPAL PM MANAGER" }
    GET /users/yina/photo/$value
      (stream, image/jpeg)
    GET /users/yina/manager
      { "displayName": "Tristan", … }
    GET /users/yina/directReports
      "value": [ { "displayName": "Matt", … }, { "displayName": "Dmitry", … } ]
    GET /users/yina/memberOf
      "value": [ { "displayName": "Office engineering", … }, { "displayName": "Women in tech", … } ]
    (Diagram: Yina's manager is Tristan; her directReports are Dmitry, Matt and Sudhi; memberOf lists her groups)
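    As an added example (my code, not from the deck or from Microsoft), the Python client below issues the slide's requests against the v1.0 endpoint (the slide shows only the host; real calls need the /v1.0 or /beta segment), follows `@odata.nextLink` so multi-page collections such as directReports and memberOf are read completely, and separates the HTTP transport from the traversal so the same logic runs offline. The `fetch` seam, the function names and the sample responses (which mirror the slide's values) are my assumptions.

```python
"""Walk a user's org context via Microsoft Graph (added example; the client
and the `fetch` seam are mine, not from the deck)."""
import json
import urllib.request
from typing import Any, Callable, Dict, List

GRAPH_ROOT = "https://graph.microsoft.com/v1.0"  # slide shows the host only; v1.0 is the GA endpoint


def bearer_fetch(token: str) -> Callable[[str], Any]:
    """Real transport: GET `url` with the single OAuth access token, return parsed JSON."""
    def fetch(url: str) -> Any:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def fetch_all(fetch: Callable[[str], Any], url: str) -> List[Dict[str, Any]]:
    """Collect every page of a Graph collection by following @odata.nextLink."""
    items: List[Dict[str, Any]] = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return items


def org_context(user: str, fetch: Callable[[str], Any]) -> Dict[str, Any]:
    """Traverse the relationships from the slide: profile, manager, directReports, memberOf."""
    base = f"{GRAPH_ROOT}/users/{user}"
    profile = fetch(base)
    manager = fetch(f"{base}/manager")
    reports = fetch_all(fetch, f"{base}/directReports")
    groups = fetch_all(fetch, f"{base}/memberOf")
    return {
        "displayName": profile.get("displayName"),
        "jobTitle": profile.get("jobTitle"),
        "manager": manager.get("displayName"),
        "directReports": sorted(r["displayName"] for r in reports),
        "memberOf": sorted(g["displayName"] for g in groups),
    }


# Constructed sample responses mirroring the slide; the second directReports
# page is invented to exercise paging. No network access is needed.
_BASE = f"{GRAPH_ROOT}/users/yina"
SAMPLE_RESPONSES: Dict[str, Any] = {
    _BASE: {"displayName": "Yina", "jobTitle": "PRINCIPAL PM MANAGER"},
    f"{_BASE}/manager": {"displayName": "Tristan"},
    f"{_BASE}/directReports": {"value": [{"displayName": "Matt"}],
                               "@odata.nextLink": f"{_BASE}/directReports?$skiptoken=page2"},
    f"{_BASE}/directReports?$skiptoken=page2": {"value": [{"displayName": "Dmitry"}]},
    f"{_BASE}/memberOf": {"value": [{"displayName": "Office engineering"},
                                    {"displayName": "Women in tech"}]},
}


def sample_fetch(url: str) -> Any:
    """Offline transport that serves the constructed responses above."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # Live use: org_context("yina", bearer_fetch(access_token)) with a token
    # that carries User.Read.All (or equivalent) permission.
    print(json.dumps(org_context("yina", sample_fetch), indent=2))
```

    Two practical caveats when pointing this at a real tenant: `/users/{id}/manager` returns HTTP 404 for a user with no manager assigned, so a production client should catch `urllib.error.HTTPError` there instead of treating it as a fatal error, and `memberOf` returns directory objects of several kinds (groups, directory roles), so filter on `@odata.type` if you only want groups.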
  • 39.
  • 40.
    Customer stories by industry: Transportation, Logistics, Oil-Gas; Retail, Hospitality and Travel; Health; Construction, Professional Services; Government, Banking, Insurance; Education, Nonprofit
  • 41.
    Next steps
    - Try Azure Active Directory today for free
    - Let our team help with your implementation: the Get-to-production team (FastTrack) offers expert partners and Microsoft Engineering remote assistance to accelerate your Azure AD deployment; Microsoft Engineers engage directly to get you up and running with Azure Active Directory

Editor's Notes