Enterprise Mobility + Security
The EMS story whiteboard
Previous / Current State
[Whiteboard diagram: Active Directory; Active Directory Federation Services; DMZ with WAP and WWW; HR system; member servers (file, print, database, email, etc.); reverse proxy]
Identity and Access Management
[Whiteboard diagram: Microsoft Identity Manager and its metaverse; Active Directory; Active Directory Federation Services; DMZ with WAP and WWW; HR system; member servers (file, print, database, email, etc.); reverse proxy]

Common identity
Simplify identity lifecycle management with automated workflows, business rules and easy integration with heterogeneous platforms.

Enable users
Allow users to self-remediate identity issues, including group membership, smart card and password reset functions.

Protect data
Discover and map permissions across multiple systems to individual, assignable roles.

Unify access
Reduce the number of usernames and passwords needed to log in. Just-in-time administration with privileged access management.
Extending identity and access management
[Whiteboard diagram: Microsoft Identity Manager and its metaverse; Active Directory; Active Directory Federation Services; DMZ with WAP and WWW; HR system; member servers (file, print, database, email, etc.); reverse proxy; Azure AD Premium, with Azure AD Connect providing AD to AAD identity synchronization]

Easily extend Active Directory to the cloud
Connect Active Directory and other on-premises directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups, passwords, and devices across both environments. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
Protecting the identity
[Whiteboard diagram: Microsoft Identity Manager and its metaverse; Active Directory; Active Directory Federation Services; DMZ with WAP and WWW; HR system; member servers (file, print, database, email, etc.); Azure AD Connect providing AD to AAD identity synchronization and password writeback to AD; Azure AD Premium with MFA, listing self-service password reset, multi-factor authentication, single sign-on (SSO), Azure AD Connect Health, Azure App Proxy and advanced security reporting]

Single sign-on to any cloud and on-premises web app
Azure Active Directory provides secure single sign-on to cloud and on-premises applications, including Microsoft Office 365 and thousands of SaaS applications.

Protect on-premises web applications
Access and protect your on-premises web applications with multi-factor authentication, conditional access policies, and group-based access management.

Protect sensitive data and applications
Take advantage of advanced security reports, notifications, remediation recommendations and risk-based policies to protect your business from current and future threats.

Reduce costs and enhance security with self-service
Providing self-service application access and password management through verification steps can reduce helpdesk calls and enhance security.
Protecting the identity: advanced threats
[Whiteboard diagram: the same identity components as the previous slide (Microsoft Identity Manager and metaverse, Active Directory, Active Directory Federation Services, DMZ with WAP and WWW, HR system, member servers, Azure AD Connect with identity synchronization and password writeback, Azure AD Premium with MFA and its feature list), plus Advanced Threat Analytics (ATA Center and ATA Gateway) providing behavioral analytics, detection of known attacks and alerts for security risks]

Detect threats fast with behavioral analytics
Pinpoint suspicious activities in your systems by profiling and knowing what to look for. Advanced Threat Analytics also identifies known advanced persistent threats and security issues.

Adapt as quickly as malicious hackers
ATA continuously learns from the behavior of users, devices, and resources, and uses behavioral analytics to adapt and respond.

Zero in on the right alerts
The attack timeline is a clear, efficient, and convenient feed. ATA also provides recommendations for investigation and remediation for each activity.

Reduce false positive fatigue
Suspicious activities are contextually aggregated with other behaviors in the interaction path to give you clear, accurate alerts.
Securing the device and application
[Whiteboard diagram: the same identity and ATA components as the previous slide, plus mobile device management (MDM), mobile application management (MAM) and PC management]

Manage all the devices in your mobile ecosystem
Support for iOS, Android, Windows, Windows Mobile and Mac OS X devices.

Management choice
Use Mobile Application Management (MAM) without requiring the device to be enrolled for management.

Data protection
Secure corporate data, including Exchange email, Outlook email, and OneDrive for Business documents, by limiting it to managed and compliant devices.

Unparalleled management of Office mobile apps
Maximize mobile productivity for your employees with access to corporate resources in Office mobile apps. Keep your corporate data safe by preventing leakage of company data, all without intruding on users' personal devices.
Securing the Data
[Whiteboard diagram: the same identity, ATA and device management components as the previous slide, plus classification and labeling, encryption and rights management, detailed tracking and reporting, and protected corporate data]

Classify your data based on sensitivity
Policies classify and label data at the time of creation or modification based on source, context, and content.

Protect your data at all times
Embed classification and protection information in the data itself for persistent protection that follows it.

Add visibility and control
Track activities on shared data and revoke access if necessary. Powerful logging and reporting let you monitor and analyze the data wherever it goes.

Collaborate more securely with others
Share data safely with coworkers as well as your customers and partners. Define who can access data and what they can do with it, such as allowing them to view and edit files but not print or forward them.
Enterprise Mobility + Security Solution
[Whiteboard diagram: the full picture from the previous slides (Microsoft Identity Manager and metaverse; Active Directory; Active Directory Federation Services; DMZ with WAP and WWW; HR system; member servers with file, print, database, email, etc.; Azure AD Connect with AD to AAD identity synchronization and password writeback to AD; Azure AD Premium with MFA, self-service password reset, single sign-on (SSO), Azure AD Connect Health, Azure App Proxy and advanced security reporting; ATA Center and ATA Gateway with behavioral analytics, detection of known attacks and alerts for security risks; mobile device management (MDM), mobile application management (MAM) and PC management; classification and labeling, encryption and rights management, detailed tracking and reporting, protected corporate data), plus: identity risk protection; risk based conditional access; privileged identity management; just-in-time administration; advanced alerting and reporting; data control; data loss prevention; identification of high risk usage; abnormal user behavior; threat prevention; protected corporate data; automatic classification and labeling; CAS log collector]


Editor's Notes

  • #4 Benefits: user provisioning / de-provisioning; synchronization of attributes and roles; self-service user and group management; self-service password reset; Windows desktop; multi-factor authentication; privileged access management
  • #5 Benefits: user provisioning / de-provisioning extended to cloud and SaaS; synchronization of attributes and roles; self-service user and group management; self-service password reset
  • #6 Benefits: multi-factor authentication (cloud and on-premises); self-service password reset; password writeback; single sign-on (2600+ cloud apps, federated and provisioning); conditional access; Azure App Proxy; advanced security reporting; Azure AD Connect Health
  • #7 Benefits: alerts for security risks; detection of known attacks (recon / brute force, account enumeration, identity theft, pass-the-ticket / pass-the-hash, remote execution); behavioral analytics (abnormal user and computer behavior, zero day detection, user account information)
  • #8 Benefits: mobile device management (mobile device restrictions; deploy certs, VPN, WiFi); mobile application management (control data flow such as cut/copy/paste; multi-identity Office mobile apps; application wrapper); synchronization of attributes and roles
  • #9 Benefits: encryption and rights management everywhere; integration with Exchange, SharePoint and file servers; easy labeling and document classification; document tracking; revoking access to a document outside of the environment