Protect your business with identity and access management in the cloud
Stefan van der Wiele
Enterprise Mobility + Security Black Belt TSP
Our Vision: Identity As A Secure Control Plane
On-premises and private cloud: Windows Server Active Directory, (Active Directory) Federation Services, Core Identity Management, HR, Other Directories, Sync
Enabling users: SaaS apps, Custom apps, Other apps
Conditions: User, User group, Location (IP range), Device state, Risk
Actions: Allow access or Block access; Enforce MFA per user/per app
NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES
CLOUD APP DISCOVERY
PRIVILEGED IDENTITY MANAGEMENT
MFA
IDENTITY PROTECTION
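The Conditions/Actions slide above describes a conditional access decision: user group, location (IP range), device state and risk feed a policy that allows, blocks, or enforces MFA per user/per app. The following added example (written for this page, not Microsoft code or the Azure AD engine) evaluates constructed policies of that shape over constructed sign-ins; app names, group names, risk levels and IP ranges are all made up.

```python
import ipaddress
from dataclasses import dataclass

ALLOW, BLOCK, REQUIRE_MFA = "allow", "block", "require_mfa"
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}  # constructed sign-in risk scale

@dataclass
class SignIn:                        # one sign-in attempt as seen by the policy engine
    groups: frozenset                # user group memberships
    app: str
    ip: str
    device_compliant: bool           # device state reported by device management
    risk: str = "low"

@dataclass
class Policy:                        # conditions (apps, groups, network, device, risk) and actions
    name: str
    apps: frozenset = frozenset({"*"})     # "*" = every app
    groups: frozenset = frozenset({"*"})   # "*" = every user group
    trusted_networks: tuple = ()           # CIDR ranges treated as the corporate network
    require_mfa_outside_trusted: bool = False
    require_compliant_device: bool = False
    block_risk_at_or_above: str = ""       # "" = no risk condition on this policy

def in_trusted_network(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(policies, s: SignIn) -> str:
    # Every applicable policy is evaluated; block beats MFA, MFA beats plain allow.
    decision = ALLOW
    for p in policies:
        if not (("*" in p.apps or s.app in p.apps) and ("*" in p.groups or p.groups & s.groups)):
            continue                 # policy does not target this app/user group
        if p.block_risk_at_or_above and RISK_ORDER[s.risk] >= RISK_ORDER[p.block_risk_at_or_above]:
            return BLOCK
        if p.require_compliant_device and not s.device_compliant:
            return BLOCK
        if p.require_mfa_outside_trusted and not in_trusted_network(s.ip, p.trusted_networks):
            decision = REQUIRE_MFA
    return decision

POLICIES = (  # constructed sample policies; app names, group names and IP ranges are made up
    Policy("Block high-risk sign-ins", block_risk_at_or_above="high"),
    Policy("Finance: MFA off the corporate network", apps=frozenset({"finance"}),
           groups=frozenset({"finance-users"}), trusted_networks=("10.0.0.0/8",),
           require_mfa_outside_trusted=True),
    Policy("HR: compliant device and MFA always", apps=frozenset({"hr"}),
           require_compliant_device=True, require_mfa_outside_trusted=True),
)
```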
Every day we:
https://aka.ms/azureadidentityprotectionplaybook
Approach 1: Federate with each partner
Security
• No user level visibility
• Unknown partner security posture
Expense
• Small partners can’t afford the infrastructure
• Small partners don’t have the expertise
Complexity
• Complexity grows with each new partner
• Complexity grows on partner side as well
Approach 2: Manage partner identities
Security
• Access continues after external user terminated
• Exploited external user puts whole org at risk
• Too much default access
Expense
• Signup process
• Password management
• Identity cleanup
• Overhead of running a separate directory
Complexity
• Partner user needs to manage new set of creds
Azure AD B2C: “IDaaS for Customers and Citizens”
• Designed with Azure AD privacy, security, availability, and scalability for customer/citizen IDM
• Adds B2C features to Azure AD
• Social IdPs and “application local accounts”
• Self-service sign up, password reset, profile management
• Customizable user journeys
• Based on standardized protocols like OAuth2 and OpenIdConnect, SAML (future)
• 100% Policy driven
• Policies encode the relationships of trust and authority inside a trust framework
• Policies define user journeys and enforce data flows and privacy
Copyright (c) 2015 Microsoft Corporation
Features – B2C Basic
• Self-service signup
• Sign in with social accounts or local accounts
• Self-service profile management, with password resets
• Flexible policy framework
• Unified view of the consumer (profile, sign up, SSO)
• Optional MFA
• UI and UX customization
• Bulk migration (via Graph API now)
• Reporting & auditing APIs (at GA)
B2E vs. B2B vs. B2C
Consider this product...  | Azure AD multi-tenant SaaS app | Azure AD B2B collaboration | Azure AD B2C
If I need to provide...   | a service to businesses        | partner access to my apps  | a service to consumers
And I am similar to...    | Pharma distributor             | Imaging company            | Sports franchise
Deploying an app for...   | Practice management            | Supplier extranet          | Soccer fans
Targeting...              | Doctor’s offices               | Approved business partners | Anyone with email
Accessible when...        | Customer admin consents        | My admin invites           | The consumer signs up
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-compare-external-identities/